Cyber Peace & Security Monitor, Vol. 1, No. 10

A win for diplomacy—questions remain for cyber peace
17 March 2021

Allison Pytlak

Download the full edition in PDF

Applause rang out across multiple conference rooms of the United Nations (UN) headquarters in New York on Friday,12 March, possibly one of few times in many months that this had happened. The source of celebration was the consensus adoption of a final report by the UN’s first-ever Open-ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security (a.k.a. international cyber security).

What made the applause rare was not just the many months of the COVID-19 pandemic, which first shuttered the UN and now has dramatically reduced the number of in-person meetings occurring there—but also a highly challenging global political landscape that has strained disarmament diplomacy and multilateralism to the brink. It was in this same building that, in 2018, UN member states were unable to agree on establishing a single UN process on international cyber security and amid politicisation and acrimony, voted to establish two concurrent and somewhat overlapping processes, to the frustration and disbelief of many.[1] And just last year, member states disagreed over how to best take forward work on cyber issues in before the current round of talks had finished their work.

The adoption by the OEWG of a final report by consensus is being commended by many participants as a significant milestone and accomplishment. Virtually all states acknowledge that the final product is not perfect and reflects much compromise and balance. Yet, it’s evident that they are proud of having found ways to achieve that balance despite many uncertain moments, divergent views, and the challenges of pandemic-era negotiating in which meetings took place in virtual and hybrid formats, with delegates joining meetings in the middle of the night from wherever they are based. As Liechtenstein noted in its explanation of position, “If we are in a position to [agree consensus] today that is primarily to the credit of the Chairperson’s unwavering commitment to bringing our fruitful discussions to a substantive conclusion, against the difficult odds of a pandemic, a heavily polarized political landscape and serious limitations in the intergovernmental mandate.”

Achieving a substantive outcome was particularly important for many states, given that this was the first-ever UN body to debate matters of international cyber security that was open to any and all interested member states. Earlier UN Groups of Government Experts (GGEs) were limited in number and their deliberations closed. The OEWG was also somewhat inclusive of civil society. Numerous delegations stressed in their closing remarks that it was important for their countries to have been able to participate in these discussions for the first time.

How consensus was forged

Earlier in the session, achievement of a substantive final report felt unlikely. Prior versions of the final report consisted of four sections: Introduction; Conclusions and recommendations (which was meant to be the only part open for negotiation); Discussions (meant to reflect where there was not agreement and the spectrum of views); and Final observations.

By Wednesday, it was clear that states were unhappy with various sections of the draft report and that elements of it were hitting their various red lines. Russia, with support from other states, suggested moving the Discussions part of the report into a Chair’s Summary, which would be annexed to the final report but would not subject to approval and adoption by member states. That left a shortened and simplified version of the report up for negotiation in the little time remaining.

The version of the report that was ultimately adopted on Friday was distributed late Wednesday night. By our analysis, some of the key modifications meant to address the more significant concerns of states are outlined in a separate article on page 6 of the Monitor.

Measuring success

Whether the changes made to the final report are “good” or not depends on what one’s positions are.

In their closing remarks on Friday, many states strongly emphasised the significance of the OEWG report affirming the acquis, which is the term that has come to refer to the collective outcomes of the UN’s GGEs on responsible state behaviour in cyber space; in particular, the three Groups that issued consensus reports in 2010, 2013, and 2015. Those reports were later adopted by the UN General Assembly, which means that the entire UN membership has endorsed them, but without all member states having directly participated in developing the content of the reports. “While in the past the affirmation was indirect, in the form of General Assembly resolutions adopted by consensus endorsing GGE reports, this time, the affirmation by all the UN Members is direct,” Japan stated

A core component of the acquis is the affirmation that international law applies to cyberspace. This reaffirmation was widely welcomed, albeit with regret from many that it was more of a blanket statement and that the report does not have greater specificity about which laws, and how, such as appeared in earlier versions of the draft report and in the discussions of the OEWG. Another important component are the 11 norms for state behaviour in cyberspace, articulated in the 2015 report.


What became evident through this OEWG is that despite the UNGA having adopted the GGE’s reports, not all states stand strongly behind the acquis. Some, like Iran and Cuba, pointed out repeatedly that as they had not participated in the GGEs, they do not feel ownership of nor can they endorse the GGE’s findings. Some of these countries are also the strongest proponents of the development of new norms, legal frameworks, and/or instruments.

The loss of a reference to IHL is a significant concession to China, Cuba, Venezuela, and others who are staunchly against IHL applicability. These and other countries have stated that the applicability of IHL to cyber space and action therein would militarise the domain. These countries appear to be in the minority but were firm on this being a red line—removing the IHL reference looks to be among the cost of achieving a consensus report. Many of these same states were also vocal about adding in references to ICT development for military capabilities and calling more strongly for restraint, which were included.

Many of the countries opposing IHL applicability tend to also be encouraging of a future legally binding instrument or framework, along with other countries like Ecuador and Costa Rica who do support IHL applicability. The explicit mention in paragraph 80 of “possible legally binding obligations” may be a “win” for legal instrument supporters. Yet opponents of a legal instrument, including the United States, European Union countries, Israel, and Australia, among others, can also “claim victory”. For these countries, the reaffirmation of the acquis and existing norms was a high priority. Since the first OEWG session in 2019, “not starting from scratch” has become something of a mantra for them.

At the same time, many of these states would have liked for the OEWG to have made more progress in clearly defining how and which legal principles are or should be applied to state behaviour in cyber space. Earlier versions of the report had outlined this in greater specificity than the final version did. Several countries, including the Nordic countries, the Netherlands, Germany, Austria, Slovenia, Argentina, and Chile, among others, regretted the lack of reference to human rights and/or international human rights law. 

Iran had been one of the largest “unknowns” with respect to whether it would accept the adoption of the report or not. Ultimately it did not block consensus (again, because consensus in the UN is taken as unanimity), but it did choose to disassociate itself from “parts of the report that do not match with its principles and positions”. Israel also disassociated itself from any reference to the need for a legally binding instrument.

Quite a few delegations welcomed the sub-sections on confidence- and capacity-building measures (CBMs). There were more critiques of these sections from non-governmental stakeholders, many of whom are already engaged in some of this work practically, as are regional organisations, and are rightfully keen to avoid duplication.  An important component of the sub-section on capacity-building are the principles that have been outlined to guide this work, in ways that would include legal and policy capacity, alongside technical support and a “two-way street” approach. Throughout the OEWG process many states expressed hope that agreement of guiding principles for cyber capacity-building would facilitate a narrowing of the global digital divide.

All states acknowledged that their respective “wish lists”, in the words of the Netherlands, were not accommodated, and some, like Canada and Australia, used the word “uncomfortable” to describe how they felt about certain elements of the report. Yet, from listening to closing statements on Friday, the overwhelming feeling was positive—more positive than one would have expected, given the politicised origins of the OEWG’s establishment. “Diplomacy works, and multilateralism matters,” stated the OEWG’s Chairperson, Ambassador Lauber of Switzerland.

Many participants expressed that what was most significant for them was the openness, inclusivity, and transparency of the process, which was viewed as an historic “first” for this topic within the UN—but did not always extend to civil society, as we’ll cover later. Several noted that the OEWG has helped to build confidence and understanding among all member states on this urgent and very transnational issue. “After all, this OEWG is unprecedented. This is the first time that all UN Member States are deliberating and negotiating together in the same room, physically and virtually,” observed the representative of Malaysia. “My delegation has benefited tremendously from the opportunity to better understand various issues on ICTs and the underlying nuances, by listening directly to the clear articulations of positions and arguments by distinguished delegates.”

From adoption to implementation

Of course, a report in itself does not equal meaningful change. “Ultimately, success depends not on the report but on our collective determination to implement the commitments made today,” noted the representative of the Czech Republic in closing remarks.

We agree. Adopting a report by consensus is a win for multilateralism and diplomacy, but it brings with it commitments that need to be actioned outside the halls of the UN.

There are tangible recommendations contained in the report that may fall short of the accountability many of us had hoped the OEWG would produce, but would aid in building transparency through information sharing—if they are implemented. For instance, all of the recommendations for states to voluntarily submit information toward the annual UNSG’s report is a way to build public understanding about how states are implementing norms or undertaking capacity-building, as well as about how states apply and interpret international law to their use of ICTs. Sharing information about national CBMs with the UN Institute for Disarmament Research (UNIDIR) for its Cyber Policy Portal would likewise help with transparency and build trust.

Beneath these tangibles, however, it should not be overlooked that the report draws directly from the acquis in some of its recommendations to states in ways that clearly set out the do’s and don’ts of cyber behaviour. For example, paragraph 31 reminds that, “States should not conduct or knowingly support ICT activity contrary to their obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public,” which is one of 2015 GGE norms. 

Or, while the language on non-use of proxies may have been relegated to the Chair’s Summary of the report, the 2013 GGE report states clearly that “States must not use proxies to commit internationally wrongful acts. States should seek to ensure that their territories are not used by non-State actors for unlawful use of ICTs.” If the acquis is being affirmed by the OEWG, then this recommendation should hold, too.   

Yet, we know that states are using proxy actors, with increasing sophistication and regularity, and that critical infrastructure of various types is being targeted by state-led cyber operations. Which means that bigger and bolder action to stop hostile and aggressive state use of ICTs is needed. This is part of the reason why some states call for a legally binding instrument and why others, and civil society groups, have outlined various accountability mechanisms and frameworks throughout the OEWG process—none of which were ultimately adopted.

In this regard, the statement in paragraph 24 that notes, “In accordance with General Assembly resolution 70/237, and acknowledging General Assembly resolution 73/27 States were called upon to avoid and refrain from use of ICTs not in line with the norms for responsible State behaviour,” is welcomed. However, it is a step backward from an earlier version of the final report, in which states were “called upon to avoid and refrain from taking any measures not in accordance with the Charter of the United Nations and international law.” Likewise, it’s positive that the report acknowledges that “a number of States are developing ICT capabilities for military purposes”—which was salvaged from the Discussions section and now forms a Conclusion—but merely recalling this fact will do little to stop states from developing such capabilities. Little by little, cyber space will become more militarised and technology more weaponised. The metaphor of a “cyber arms race” can be problematic and is somewhat inaccurate, but it does aptly capture the inherent desire that some governments have for strategic superiority and power, which inevitably leads to violence and weapons proliferation.

A forked road ahead

The language of the final report may have neatly reconciled the different visions about the best ways forward for regular UN dialogue on cyber security, but how that plays out in the real world remains to be seen.

The ongoing sixth GGE will conclude its work within the next few months. It’s not possible for this publication to comment on how its closed deliberations are progressing or what outcomes it may produce, but we can attest to the very strong emphasis that was been placed on the sixth GGE and first OEWG reaching complementary outcomes, back when the two bodies were established in 2018.

Given that more than 50 member states now support the proposal for a cyber PoA, it would not be surprising if a negotiating mandate is sought at the 76th session of the UN General Assembly’s First Committee in 2021.

Meanwhile, the second OEWG will likely commence work in the next few months; current rumours are that it will have an organising meeting in June in order to set its schedule and participation modalities for the five years ahead. Ideally, it should build on and further develop what was agreed to in this first OEWG—and measure progress of outcomes—but remarks delivered from some delegations on Friday made it clear that they have a few specific goals in mind, such as the elaboration of legal obligations, which may not sit right with the full UN membership.

Moreover, while member states may have compromised on core issues like IHL applicability in this round, they may not do so again in future. “In light of the agreed Conclusions on the development of ICT capabilities for military purposes and their potential humanitarian impact, the ICRC believes that discussions on how international humanitarian law limits the use of ICT capabilities during armed conflict need to continue,” observed the International Committee of the Red Cross (ICRC). “We believe that the Chair’s Summary presents important milestones in this regard and can be built on, in particular in any future processes for regular institutional dialogue under the auspices of the United Nations.”

The language of this first OEWG’s report gives space for more discussion and elaboration about the cyber PoA proposal during the second OEWG, but eventually it will need to break off into its own process. Not all states may engage in both. South Africa expressed concern about capacity of some states to be engaged in multiple processes; while Liechtenstein observed the inherent constraints of the OEWG format and decision-making modalities:

The discrepancy between the content of the intergovernmental discussions and the substantive results of the Open-ended Working Group does not reflect a lack of effort. It is rooted in the format of this process and its decision-making modalities which favor containment over progress and minority restraint over majority aspiration. Unfortunately, the intergovernmental mandate for the next iteration of the Open-ended Working Group is even more affected by these flaws, pointing to the conclusion that the process in this form may have outlived its purpose.

Across these various fora, the future of civil society engagement must improve. The exclusion of non-ECOSOC accredited organisations from this OEWG prevented stakeholders with established relevant expertise from joining in formal meetings. While this cultivated innovative collaborations between civil society and supportive members states in organising consultations and input opportunities, this cannot become standard practice. Civil society groups and other stakeholders have had to defend time and again our role in implementing the outcomes that these bodies agree to, or our representation of affected communities, and should therefore have a seat at the table when cyber “rules of the road” are being further developed. The OEWG final report recognised the contributions of other stakeholders in the process, but many governments said in their closing remarks that this could have been stronger and should be improved in the future.

The human cost and humanitarian impact of cyber operations can at times feel like an abstract problem, when juxtaposed with the daily harms caused by bombs, mortars, and guns. While not yet as severe or rampant a problem as posed by those weapons, this is precisely why the international community needs to mobilise for cyber peace and stand up to the weaponisation of ICTs. There is a rare opportunity to be preventive and stop the spread of ICT misuse and the militarisation of cyber space. As a feminist organisation, WILPF views the militarisation of cyber space as an expansion of the patriarchal structures of power that perpetuate violence and repression. This not only overlooks systemic and root causes of violence but sets out to exacerbate and create violence in a new medium where it does not necessarily otherwise occur.

It’s evident that some member states want action-oriented outcomes and strong solutions to the ubiquitous cyber threats we collectively face. It’s equally evident that others are taking advantage of the painstakingly slow pace of diplomacy. At a time when hostile cyber operations are on the rise and becoming ever more integrated into the regular military activities of a growing number of states, the need for cooperation and bold action toward cyber peace has never felt greater.

[1] During the 73rd session of the UN General Assembly (UNGA) First Committee in 2018, states established the OEWG via resolution 73/27 and a sixth Group of Governmental Experts (GGE) on Responsible state behaviour in cyber space, via resolution 73/266.

[PDF] ()