🎯 What is the history of the negotiations and dialogue under the UN?
What are the current and possible future elements of the institutional dialogue?
Issues related to cybersecurity are not new to the UN. In 1998, the Russian Federation introduced the draft resolution Developments in the Field of Information and Telecommunications in the Context of International Security, of the First Committee of the UNGA, which was adopted without a vote.
The increasing cyber armament of states led to the establishment of the UN GGE in 2004, which consisted of experts from several states. The group ended its work without producing a final report, yet the GGE’s mandate was renewed for 2009/10, 2012/13, 2014/15, 2016/17, and 2019–2021 (together referred to as the GGEs).
A breakthrough occurred in 2013 when the final report (adopted by consensus of the, then, 15 countries of the GGE, including all the permanent members of the Security Council – P5) clearly outlined growing trends of cyber militarisation and confirmed that international law applies to cyberspace. The GGE report of 2015 was another breakthrough and resulted in a landmark document – 20 countries, including the P5, specified the voluntary and non-binding normative framework for state behaviour and agreed on a set of voluntary norms, CBMs and capacity-building provisions.
The 2016/17 GGE, which was extended to include 25 countries, was unable to reach consensus on its final report, in particular, due to disagreement over what options states have to respond to cyberattacks. In 2021, however, the GGE managed to again reach a consensus on a final report that has become a cornerstone of the framework of responsible behaviour. It has confirmed the applicability of the IHL during armed conflicts, suggested what should be treated as critical infrastructure, elaborated in greater depth on the previously agreed voluntary norms and CBMs, and set out capacity-building principles.
In 2018, besides a US-sponsored resolution that renewed the GGE for 2018–2020, the UNGA adopted another resolution (A/RES/73/27) sponsored by Russia that set in place a parallel process, the Open-ended Working Group (OEWG), which involved all interested states and allowed inputs from other stakeholders. While the two groups worked in parallel in somewhat different settings, considerable cooperation was established between the chairs of the two groups (Brazil and Switzerland), and most countries expressed an interest in ensuring that both succeed.
Indeed, in March 2021, the OEWG reached consensus, the first UN agreement on cybersecurity in almost six years, since the GGE report of 2015. The OEWG final report confirmed the agreed points from 2015, suggested what should be understood as CI clusters, invited agreement to ensure the integrity of the internet and of the ICT supply chain, asked for prevention of the proliferation of malicious tools and use of harmful hidden functions (aka backdoors), defined additional specific CBMs (such as appointing national points of contact), and set out capacity-building principles. Notably, the report also recommended that regular institutional dialogue should continue under the auspices of the UN, including the 2021–2025 OEWG, with equal state participation, although also opening the door for other types and formats of processes.
The GGE was not renewed in 2021, and the 2021–2025 OEWG remains the only active format of institutional dialogue within the UN.
Reflection point
According to Mr Abdul-Hakeem Ajijola (Chair, African Union Cyber Security Expert Group (AUCSEG) and Commissioner, Global Commission for the Security of Cyberspace), the international community is building norms and these will have consequences for Africa. Therefore, it is crucial for Africa to be at the table, engaging with its partners as an empowered peer. Cyber is only as strong as the weakest link, so it is imperative that Africa will not be that weak link. (From the panel ‘Cyber diplomacy in Africa and digital transformation’, IGF 2021)
How to better engage African countries to take a meaningful part in the institutional dialogue and other related cyber negotiations?
Contribute and engage
Enrol in the Diplo’s online course on Cybersecurity Diplomacy (facilitated small-group tailored learning), with four modules: strategic impact of cyber(in)security, issues on the diplomatic agenda (international law, norms, CBMs and capacity building, critical infrastructure, supply chain, attribution issues, links to human rights and development), roles of different stakeholders, mapping of multilateral and multistakeholder processes, and preparing a state for cyber diplomacy.
Enrol in the UNODA online Cyberdiplomacy Training (self-paced course), with five pillars: existing and emerging threats; international law; norms, rules and principles; confidence-building measures; international cooperation and assistance in capacity building.
Engage your Ministry of Foreign Affairs to take an active part in the institutional dialogue and the other cyber-related processes.
There are, however, different views and positions on what institutional dialogue should look like in future. For instance, there are calls for a long-term process rather than a limited mandate of a few years, as the OEWG currently is. Another open question is the mandate of future dialogue: should it focus on the implementation of the already agreed norms, CBMs, and capacity-building measures, or should it (also) develop new norms and measures? And should it expand the list of topics on the agenda, or remain focused on peace and security issues since the dialogue runs under the First Committee of the UN?
One concrete proposal to address some of those questions is already tabled by France and Egypt, with the support of 40 other states – a proposal for a Programme of Action (PoA) as a long-term and inclusive process. The PoA should create a framework and a political commitment based on the Framework, with regular annual working-level meetings focused on the implementation of the existing framework and periodic review conferences to consider whether additional norms should be developed. The OEWG 2021 final report names PoAs as one possibility for future institutional dialogue(s).
A particularly important question is whether there is a need for a cyber treaty of some kind. Six countries of the Shanghai Cooperation Organisation (SCO) proposed an International Code of Conduct for Information Security to the UN in 2011 and again in 2015. The proposal envisaged that the code of conduct would cover more than just cyber conflict, including provisions about information warfare in cyberspace and other internet governance issues, surveillance, content policy, and sovereignty. The USA, the EU and their partners have strongly resisted such initiatives, arguing that these would introduce greater censorship and internet content control in countries around the world. Since the UN OEWG is inclusive to all states, the question of a binding treaty or convention is getting addressed as part of the discussion on the future institutional dialogue.
It is important to mention, however, another important process that is distinguished from the dialogue related to peace and security, but may influence it indirectly. The UN resolution on countering the use of ICT for criminal purposes, adopted in 2019, established the open-ended ad hoc international committee of experts (known as the Ad hoc committee) under the Third Committee of the UN, tasked with developing a new global cybercrime treaty. The ad hoc committee should provide a draft convention to the UN General Assembly in August 2023. One of the main questions in these negotiations is about the coherence of the possible global convention with the Convention on Cybercrime of the Council of Europe (known as the Budapest Convention) of 2001. Another question is how to preserve human rights while accommodating demands for greater sovereignty of states in cyberspace.
Contribute and engage
To learn more about cybercrime and related issues and processes, as well as the capacity-building opportunities, refer to the Knowledge Module 3.