Cyber Peace & Security Monitor, Vol.1, No. 9

The cost of consensus
10 March 2021

Allison Pytlak

Download the full edition in PDF

Throughout this week, Ambassador Lauber, Chair of the UN Open-ended Working Group (OEWG), stressed repeatedly that time is running out. “To illustrate where we are in the process, we have had two substantive sessions in New York and a number of virtual informal session, which brings us, up until today to a grand total of 109 hours of exchanges and negotiations,” he noted on Tuesday morning. “They have been very useful—but we have only eight hours left.”

As the clock runs down on the OEWG and pressure builds to find agreement, this is where states’ red lines become clear and where the costs of consensus become visible. In the pursuit of achieving a final report that is acceptable to all, what compromises must be made and what substance will be left out? 

The red lines

Many of the current disagreements are rooted in long-running debates between states about UN international cyber security fora, broader geopolitical dynamics, or fundamentally different perspectives about “information security” and information and communications technology (ICT).

For instance, some states in the Non-Aligned Movement (NAM) insist that the final report include reference to the possibility of a legally binding instrument or legal framework on international cyber security. This is currently referenced in the section of the draft final report called “Discussions” (section C) which is not being presented as open for negotiation, but rather meant to reflect factually the discussion had during OEWG sessions—as distinct from the “Recommendations and conclusions” section (section B). There is a draft “cyber treaty” that has been circulating within the UN for several years, as tabled by Russia (which is distinct from its parallel effort on cyber crime), but it’s never received sufficient political support to advance and indeed, some of its contents are strongly opposed, including because of potential human rights implications. This history, plus the current political climate, has generated reticence from many, mainly Western states, to pursue any legally binding framework. It also makes how and where this reference would be included and framed in the OEWG report divisive. Some within the NAM like Egypt, and non-member Costa Rica, would just like to see it included within the Conclusions section of the report as a way to reflect that there is fairly wide support for a legal framework, but others like Iran have suggested language that could be read as encouraging of moving toward a legally binding instrument in the near future. Estonia and Japan, among others, have said this would not be acceptable to them.

Another major source of division, historically and now, is whether the applicability of international humanitarian law (IHL) is endorsed within the Conclusions and Recommendations of the OEWG report. This issue was, reportedly, a significant reason why the UN’s fifth Group of Governmental Experts (GGE) could not agree to a consensus report in 2017. 

In the OEWG, a small minority of countries, including China and Cuba, have vocally opposed the recognition that IHL applies to state behaviour in cyberspace. They argue that because IHL is meant to govern conduct in armed conflict, accepting that it applies to cyber operations will legitimise militarisation of cyberspace. Many other countries push back on this, noting that the use of cyber operations in contexts of existing armed conflict is happening more frequently, and IHL is integral to the protection of civilians and critical infrastructure. “As we have stressed previously, the use of cyber operations during armed conflicts is today a reality. Several delegations have also raised concern that an increasing number of States developing military cyber capabilities. Their use is likely to increase in future,” stated the International Committee of the Red Cross (ICRC). “In light of this development and the potential humanitarian consequences that cyber operations can cause, the ICRC pursues the sole objective of protecting civilians against harm. For this purpose, we believe reference to international humanitarian law is vitally important.”

At present, there is only a reference to IHL in the context of the “Discussions” section, and not in the main negotiated part of the report’s “Conclusions and Recommendations”. Different proposals have been made for how to reflect IHL within the negotiated part, but undoubtedly this will be one of the most difficult issues for the member states to come to agreement on. 

For organisations like WILPF, which opposes militarism broadly, it’s perplexing to see states that are widely believed to engage in hostile and malicious cyber operations profess concern about the militarisation or weaponisation of cyberspace. At the same time, several of the countries who assert that IHL should apply are also developing offensive cyber capabilities and doctrines, thus legitimising and widening the practice. It’s become impossible within UN cyber fora to meaningfully address real concerns about the militarisation of cyberspace through the misuse of technology because it’s become so bound up in the debate over IHL applicability. While it is imperative to protect civilians and infrastructure from cyber operations in the context of an armed conflict, it’s equally imperative to challenge policies and doctrines that would give rise to that happening the first place—noting as well, that many of the harms caused by ICT misuse occur in contexts outside of a recognised armed conflict.

The less red lines

Future work and ways forward is a contested issue. To simplify, there are essentially two primary paths forward for regular institutional dialogue within the UN—a possible cyber programme of action (PoA), and the second OEWG that will commence work this year. The PoA was presented as a concept and proposal by France and Egypt in the course of earlier OEWG meetings and has subsequently gained the support of around 50 countries. Cyber PoA supporters will need to get a negotiating mandate from the UN General Assembly (UNGA) to formally initiate that process, but a recommendation from this OEWG could be a helpful endorsement. However, because not all states participating in the OEWG are supportive of the PoA, and it has not been discussed exhaustively, there is opposition to featuring the PoA in the final report in a way that could be construed as a recommendation, or that elevates it above other possible future measures.

The resolution to establish a second OEWG was adopted during the 2020 session of the UNGA First Committee by a vote and amid much pushback from states that felt to establish a second OEWG before the first one concludes its work would prejudge the outcome of this current body. States such as Russia that sponsored both OEWG resolutions want this OEWG’s report to recognise the new one; others have suggested adding text throughout the report that would effectively push current items of discussion from this OEWG into the next one and begin to shape its agenda. This makes some sense, logically and for continuity, but there is not widespread support for the second OEWG—in fact, 50 states voted against its establishment and another 20 abstained. So there is resistance now to ascribing it too large of role for future work.

From statements made on Tuesday afternoon and Wednesday it appears that the states which have been most vocal on the issue of future work are negotiating with one another and are optimistic of finding common ground. Also in the mix on this point was a call to reference China’s “Global Initiative on Data Security”, an outside, non-OEWG initiative, on equal footing with the PoA.

Opposition has been registered against some of the report’s efforts to identify practical follow-up activities to OEWG discussions. These activities include, variously, establishing a global repository of confidence-building measures; developing or expanding on national points-of-contact list for cyber capacity-building; undertaking surveys about existing national practice and interpretation of international law; and encouraging submissions to the UN Secretary-General’s annual report on developments in the field of ICTs in the context of international security. Some of these measures are presented as recommendations while others are only reflected as part of the “Discussion” because they were opposed in earlier rounds of talks. 

Regardless of placement, Iran takes issue with the word “repository” and Russia would not like a reference to the UNSG’s reports. Many others have stressed that all the measures described above are voluntary. Some in civil society, like WILPF, have suggested that some of these measures, like the submissions to the UNSG’s report, should be even more strongly encouraged by the language in the final report. If even such small practical steps toward advancing peace in cyberspace are contested and being watered down, then addressing some of the big challenges highlighted above feels impossible.

Past work is also something of a sticking point in this negotiation, but may not be a red line issue. Some countries are objecting to how the outcomes of the UN’s GGEs on ICTs are presented within the report, arguing that as those bodies were closed, the OEWG “should not be hampered by their outcomes,” as Cuba expressed today. There is also a sixth GGE presently in session, and Brazil, which chairs it, has reminded the OEWG about the importance of complementary outcomes between the two bodies; a point stressed repeatedly by member states in 2018 when the two bodies were established.

Another, possibly minor, point of contention includes language to affirm the “neutrality” of technology, which many states and civil society organisations agree on as important. This would mean that the report recognises that the OEWG is not seeking to ascribe limitations to technology itself but rather to its misuse and related behaviour of states. While this makes sense insofar as technology changes rapidly and can bring socioeconomic benefits, and the OEWG’s focus is on behaviour, there are some technologies designed and sold with the express intent to cause harm. China opposes any reference to technology neutrality in the document and would prefer instead to have “technology for good”.

Over the first three days of the session, there have also been diverse requests to bring back language from earlier versions of the final report or move items from the Discussion section into the Conclusions and Recommendations section. This has included references to specific threats like supply chain security and vulnerability stockpiling; improving references to human rights and fundamental freedoms; the right to self-defence; language on state use of proxy actors; language on due diligence; and the ordering of the report’s sections on law versus that on rules, norms and principles; amongst others. Good points have been made that would refine and make the language more precise and/or legally sound. Several delegations have indicated they are submitting their proposals in written format, which civil society has not had access to. As such it’s difficult for us to assess fully how significant these points are for the states raising them, or if agreement is being worked out behind the scenes—our reporting is based on what we can see and hear online.  

The “secondary” issue

The opening of the third OEWG session coincided with International Women’s Day, as announced by the Chair as he called the meeting to order and called for applause to note the contributions of women within the OEWG, as well as within cyber security more broadly.

We outlined the evolution of gender perspectives within the OEWG in the prior edition of this Monitor. Throughout the first three days of this session, numerous states (as noted in the News in Brief section) spoke in favour of paragraph 11 of the draft final report, which “welcomes the high level of participation of women delegates in its sessions and the prominence of gender perspectives in its discussions.” The paragraph also notes that “The OEWG underscores the importance of narrowing the “gender digital divide” and of promoting the effective and meaningful participation and leadership of women in decision-making processes related to the use of ICTs in the context of international security.”  

While no states went on record as opposing paragraph 7, per our reporting, there has been pushback on it during earlier, closed meetings by some states who believe that considerations of gender, as well as human rights, are beyond the mandate of the OEWG and secondary. As WILPF noted in its submission to the OEWG, language on gendered impacts of weapons, and on women’s participation within international security is increasingly across the UNGA First Committee, underscoring its relevance to the OEWG and the subject of international cyber security.   

During remarks given at an informal civil society segment on Tuesday, both the Association for Progressive Communications (APC) and WILPF welcomed paragraph 7, as well as other gender references found in the Discussion part of the draft report. APC said it would have liked to “the report to address specifically the differentiated impacts of cyber threats on women and people of diverse sexualities and gender expressions, and to have a more action-oriented final outcome with specific recommendations to address this.” This view was echoed in WILPF’s remarks.

The remaining hours

On Wednesday, the Chair sought to bring discussion on the “first draft” of the final report to a close. The plan is to issue an update on Wednesday night which should be the final version tabled ahead of proposed adoption on Friday.

It’s hard to assess will happen in the remaining hours of the third session. Delegates are spread across not just multiple rooms of the UN headquarters, but also around the world and joining virtually at all hours of the day and night. From tuning into the meetings this week, it sounds as though many hybrid and virtual informal consultations are taking place to bridge differences, and that textual suggestions are being submitted in writing to the UN Secretariat and Chair’s team for consideration. Many delegations emphasised the need to be constructive and for compromise, but as New Zealand noted, it may be “a bridge too far” to get consensus about all the outstanding issues at this point, especially those within Section C (“Discussions”) that are not meant to be open to negotiation, but nonetheless have been commented on.

Russia suggested moving this section of the report into a Chair’s summary, which could be annexed to the final report. This is a not unusual diplomatic workaround for when consensus truly is not possible but is not usually a desired outcome. With time running out, it may be the only option forward however. This is the cost of consensus, when it is applied and understood as unanimity and treated as veto, which Mexico warned against today.

Considering the OEWG’s highly politicised origins, it would be a great accomplishment for it to agree a strong and substantive final report, and a credit to the constructive proposals made through it, as well as to its leadership. As Malaysia noted today, “This is a litmus test of how all states can work together”.

[PDF] ()