We use Google Analytics to learn more about who is reading the resources on our website. Please read Google Analytics privacy policy for further information. Close

logo_reaching-critical-will

Cyber Peace & Security Monitor, Vol. 1, No. 8

Getting back on track to cross the finish line
7 March 2021

Allison Pytlak

Download the full edition in PDF

A great deal has changed since delegates met in New York a little over one year ago for the second session of the UN’s Open-ended working group (OEWG) on developments in the field of information and telecommunications (ICTs) in the context of international security. When this Monitor published its report of the OEWG’s second substantive session in February 2020 in a pre-pandemic world, it spoke of cyber security as a team sport, a metaphor that had emerged and become popular in the course of the in-person OEWG sessions:

If member states can “play” together as a team through the final stretch and agree on a consensus report with good substance, then everyone wins, because there will be benefits for the international community. If members of the team start missing passes from their teammates, running the other way, or incurring penalties for bad behaviour—then we all lose out.[1]

The costs of losing out have come more sharply into focus during the pandemic. Our dependence on ICTs has never been higher, underscoring the ubiquity and the importance of meaningful access to them. Yet the misuse of technology, whether for criminal, personal, or political reasons, has risen at pace with this reliance, as civil society outlined in a joint statement to the UN First Committee in 2020. Cyber crime has soared. Multiple digital operations targeting medical facilities worldwide have sought to undermine responses to the health crisis, spread misinformation, or exploit our current increased reliance on digital connectivity. Some governments have instituted digital contact tracing applications or other approaches that raise concerns about privacy, surveillance, and human rights, while internet shutdowns have impeded access to updates on health measures and other relevant safety information. Online gender-based violence, including surveillance, increased significantly in this time. A greater number of states have or are exploring offensive cyber strategies and doctrines, while diverse actors are increasingly incorporating ICT use into their strategies for sowing disruption.

Indeed, throughout the UN General Assembly’s (UNGA) 75th high-level debate in 2020, a record number of leaders highlighted digital insecurity and hostile cyber activity as among the key threats facing our world today.[2] All of which makes the work of the OEWG in its final session more urgent than ever.

Know where you’re going

The primary expected output of this third session is the consensus adoption of a final report. In theory, a substantive report from a significant UNGA-mandated body could be a catalyst for a good many things that would further cyber peace and security by addressing the challenges enumerated above. It could call for the establishment of new processes or research; speak out for or against specific behaviours; initiate accountability mechanisms, etc. And certainly, throughout the OEWG process there has been no shortage of substantive ideas and suggestions, as evidenced by the significant number of working papers, guidance documents, and proposals submitted to the OEWG by states and civil society in the hope that the Group would be in a position to action them. The willingness and interest of participating states to really dig into and discuss the OEWG’s thematic topics, supplemented by the contributions and attention of other stakeholders, has been a noticeable characteristic of many OEWG meetings that WILPF has been able to observe.

The “first draft” of the final report that is before states to consider now is the product of several rounds of virtual consultations that took place over the last eight months. Like everything else, the pandemic has thrown many hurdles into the OEWG’s path, not least the possibility of convening an in-person third session. The virtual consultations were an effective way for the OEWG chairperson to advance discussions while awaiting a final formal session to be possible and use the time to refine views to a place where a final report might be that much closer to being adoptable.

The first draft of the final report is currently structured in four parts: a) an introduction that provides context; b) agreed conclusions and recommendations, from across the six thematic areas the OEWG has discussed; c) a reflection of the discussions on these subjects; d) and final observations. The section of conclusions and recommendations is what will mainly be negotiated, although “nothing is agreed until everything is agreed,” as is often said in negotiating rooms.

The draft includes rich content, much of which is found in the “discussions” component of the draft and demonstrates the complex nature of the subject and of OEWG sessions. The Chair has been careful that the report reflects not only areas of convergence but also where other views have been expressed, an approach that has been called for by some states to ensure that their views are captured, even if they do not trigger a recommendation.

However, the draft report could be stronger and more action-oriented. Quite a lot of the conclusions, and some recommendations, relate to the upholding, continuation, or acknowledgement of existing obligations, or recommend engaging in practice that has largely already been recommended by other relevant bodies (although perhaps these reminders and re-affirmations bear repeating!).

Other of the recommendations, such as around information-sharing activities for confidence- and capacity-building, or to survey practice and understanding, are valuable but couched in a lot of qualifying language (“on a voluntary basis” or “as appropriate”) which takes away from the strength of the recommendation. In some instances where the recommendation is less controversial, the report could take the tone of “encouraging” or “calling on states to” follow through on the recommendation. Some recommendations do not have a clearly identified follow-up measure attached to them, which makes their next steps unclear. WILPF would also wish to see stronger calls against aggressive cyber behaviour and clear provisions for accountability mechanisms.

Fair play

If the costs of losing out are urgent, then so too is the impetus for states to work as a team and move this process over the finish line.

Consensus in the UN context has over time been interpreted to mean unanimity. This often means that if even one state objects to something, then consensus is seen to be broken—even if all the other member states are in agreement. This usually has the effect of watering down final reports and outcome documents as an effort to find compromise. Moving to a vote is avoided at great cost. If consensus would be applied as it is actually meant—a general agreement—then there would be a greater potential for stronger or more ambitious outcomes in most UN processes.

In the search for OEWG consensus, pre-existing political dynamics will make this challenging. As just one example, the manner in which the establishment of a second OEWG was pushed through the UNGA before this first OEWG can conclude its work did no favours for the country that did the pushing. If anything, its tactics in October 2020—along with other recent manoeuvres in the OEWG—has further contributed to the needless politicisation of this issue in that way that could have blowback.

A reading of written governmental submissions to the zero-draft of the final report may give some indication of what other obstacles are. They also contain a peppering of technical suggestions that would render the language of the report more precise. There appears to still be divergent views about how the applicability of international humanitarian law (IHL) is framed, including how that applicability is seen by some states as serving to militarise cyberspace. There are some differing points in relation to the section on international law. There seems to also still be different understandings or approaches to the norms, and/or their status, established by past UN Groups of Governmental Experts (GGEs)—for instance, a few states would like to more strongly emphasise the potential to develop new norms even as existing ones are being implemented; others are quite firm in their support for the GGE norms as constituting an important shared baseline; and there also diverse points made about whether and how to account for the eleven GGE norms, versus the thirteen that are contained in the UNGA resolution which established he OEWG but not otherwise adopted or agreed to.

It appears that calls from some states and groups of states for the report to include language about offensive capabilities and the weaponisation of cyber space have not been included. There are some specific proposals, such as on practical guidance for norms implementation and a standardised survey of existing implementation, that sound as though they enjoy wide support but have been noted as not integrated into the text, and rather will be annexed to it. A balance may need to be struck between acknowledging the vulnerability of the health sector—as highlighted by cyber operations during the COVID-19 pandemic—but not overlooking other vital critical infrastructure. A few states feel that human rights and gender perspectives do not have a place in the OEWG’s consideration of “international cyber security”. Finally, there is a division as to if, and how, the forthcoming OEWG is referenced in the text vis-à-vis a proposed cyber programme of action.

It is difficult, however, to assess with great accuracy what the tensions and red lines are going into this third and final session, because all of the virtual consultations held in recent months were closed to civil society. We’ve worked successfully with supportive member states and one another to find ways to contribute our views and expertise, as is described elsewhere in this edition. While this has led to some innovative and ultimately positive experiences and collaborations, civil society should not have to continue cultivating alternative methods and meetings in order to be included. The discourse on stakeholder participation must change from “if” to “how” we are involved.

Defining a “win”

Since the OEWG was first convened, there have been a series of what some might describe as “smaller” wins that deserve recognition.

That there has finally been a UN process on international cyber security open to all member states has made critical exchange and open discussion possible; in earlier meetings, several states noted that the OEWG is a confidence-building measure in itself. Even if divergent views remain, the process of needing to formulate more detailed and nuanced cyber-related positions and engaging with others has helped to sharpen understandings and build awareness of not only national and regional priorities, but also existing practice and of needs. As such, the OEWG may also enable better streamlining between existing initiatives and has highlighted gaps. The varied roles played by the diverse civil society groups engaging in the OEWG has been more fully articulated and outlined. Understandings about the gendered impacts of cyber operations have evolved throughout the OEWG, as described elsewhere in this edition. The discourse overall feels somewhat less securitised than it has been, in that concern or acknowledgement about the human costs of cyber operations are more prevalent, although much more needs to be done on this front.

Multilateral and especially UN processes put a high premium on the adoption of final reports by consensus. Certainly, achieving agreement and building shared understanding is important for international cooperation, and the agreement of the report is part of the Group’s mandate. But it’s important to not lose of sight of the bigger picture—we should not prioritise the achievement of the document over action.

We encourage states to be bold as they move into this final round of OEWG talks and go for gold as they cross the finish line. 

[1] Allison Pytlak, “Cyber security—a team sport”, Cyber Peace & Security Monitor, Vol.1, No. 7, 18 February 2020, https://reachingcriticalwill.org/images/documents/Disarmament-fora/other/icts/monitor/CyberMonitor1.7.pdf.

[2] View our UNGA Disarmament Index to learn more: https://reachingcriticalwill.org/disarmament-fora/unga/2020/index.

 

[PDF] ()