23 Mar 2023

Stalemate or incremental progress: notes from the fourth OEWG session

Earlier this month, we were in New York for the fourth session of the Open-Ended Working Group (OEWG), where all areas of the mandate (norms, capacity building, international law, confidence building measures and regular institutional dialogue) were on the agenda.This meeting comes at a time when the negative effects of state behaviour in cyberspace on international peace and security are commanding ever more attention (see, for example, the aggravating impacts of cyber attacks on the civilian population in the war in Ukraine).The meeting was significant in this regard because it focused on gathering states’ views ahead of the development of the next annual progress report, which has the potential to further build consensus and promote joint action. For example, it could help foster a shared understanding of how international law (and specifically international humanitarian and international human rights law) apply in cyberspace, and commit states to capacity and confidence building measures to implement the agreed framework on responsible state behaviour in a human-centric and rights-respecting way.As we reported from the last session, the overriding mood of the meeting was one of inertia, with incremental progress on discrete topics. Heightened geopolitical tensions resulting from Russia’s invasion of Ukraine have led to impasse in critical areas of the mandate. In this context, it is difficult to see how progress can be made at the next session—scheduled for July—where a draft of the annual progress report will be debated among states.A few headline takeaways from the session:

 

1. The Points of Contact Directory dominated discussions, but the road to operationalisation will be rocky

At this meeting, one of the key areas of progress envisioned by the Chair was the development of the Points of Contact Directory (PoC Directory)—a “one-stop shop” to help reduce tension among states, particularly during times of conflict. For context, PoC Directories are a classic confidence building mechanism (CBM), drawn from the Cold War, where the US and Russia established a hotline in cases of escalating tension that could have led to the use of nuclear weapons.

The Chair has shared multiple versions of a concept note for the Directory (see the latest version here). But, although there seem to be some areas of broad agreement (e.g that the Directory should include both technical and policy contacts), there remain many areas where agreement hasn’t been reached: scope, inclusion of other stakeholders, like non-governmental CERTs; and roles and responsibilities, including where it should be hosted and who should maintain it. There was some agreement that it should be informed by examples elsewhere, including from regional organisations. One lesson learned—which seems to be reflected in a proposal from a group of states, including Germany, Israel, Brazil and Canada—is that the PoC Directory should not be seen as a panacea, and is unlikely to be effective unless accompanied by other trust building mechanisms.

From a human rights perspective, questions remain about the PoC Directory. What sort of information will be shared and stored by states on cyber incidents? What will count as sensitive, and what will not? What data protection laws and standards will be applied, and who will ensure that they are adequately enforced?

At the end of the session, the Chair outlined a possible roadmap to the finalisation of the PoC Directory by next year—ambitious, by his own admission. For it to be operational by next year, states would need to agree on all aspects of the PoC Directory before the next meeting in July, and the proposal would need to be submitted to the General Assembly by the upcoming session of the First Committee in October/November. Considering all the areas of disagreement, this seems unlikely.

 

2. There was both blockage and progress on international law

On the topic of international law, there seems to be both blockage and progress. There was a marked increase in the number of states who not only restated that international law applies to cyberspace but provided more substantive input on their positions on how international law applies. We also heard more states referring to human rights in their statements on international law, as well as to the need for human-centric and rights-respecting approaches. This ranged from those states who have more frequently and consistently made such references (like Canada, Chile, New Zealand, Estonia, Switzerland and the Netherlands) to those more recently offering their perspectives (the Dominican Republic, Fiji).

A few countries (Belgium, Czechia, Ireland) shared that they are in the process of developing national positions on how international law applies in cyberspace, adding to the growing number of states that have already done so (see here for a database of all national positions). We are likely to see this trend continue and more states publishing their positions. It is critical that these positions are rights-respecting—which is why we recently published a guide for states and civil society on ensuring their national positions reflect a human-centric and rights-respecting approach.

At the same time, calls persist for a binding instrument among a minority of states. At this meeting, Russia retabled its proposal for a treaty on international law in cyberspace. Although Russia’s stance—and that of a few others—remains in the minority, this tension will continue to stall efforts to agree to an annual progress report that is substantively different from that agreed last year.

 

3. Despite support for the Programme of Action, fundamental questions remain

At this meeting, much of the discussion around regular institutional dialogue focused on the Cyber Programme of Action (PoA). As reported in our last blog, the PoA proposal has been subsumed into the OEWG; and, while there was support for its establishment, fundamental obstacles to its set-up remain to be overcome. Some countries (Pakistan, Russia, Nicaragua and Cuba) do not support the set-up of a Programme of Action—or only will if it includes reference to the development of a binding instrument (see Russia’s proposal on PoA). But even for those who do support it, critical details—whether, for example, it focuses solely on the implementation of the existing framework, or discusses its expansion; how it engages stakeholders; and whether it succeeds (read: replaces) the OEWG or not—remain contested.

At this point, states have been asked to submit their views on the PoA by mid-April to the Secretary General for a report that will be compiled by UNODA and presented at the next General Assembly. It is critically important that states ensure the PoA is open, transparent and meaningfully inclusive of non-governmental actors. As set out in a recent paper by WILPF, important lessons can be learned from the set up of other PoAs, particularly the UN PoA on small arms and light weapons.

A number of states (Romania and Argentina) called for a dedicated intersessional session to be set up for states to discuss the PoA in greater depth.

 

4. Geopolitical tensions continue to detriment non-governmental participation

The discussion on capacity building was the only time where non-governmental actors were formally invited to contribute their views. In our statement, we recommended that the annual progress report acknowledge the essential role of non-governmental actors in building capacity, and that states integrate the experience and expertise of all actors to better operationalise the responsible state behaviour framework.

There is a continued need to call for the meaningful participation of non-governmental actors, as groups seeking to engage and advocate for human rights perspectives in these discussions have faced many obstacles. The most marked of these has been a veto by some states on the participation of non-governmental actors in meetings. During this meeting, we also heard pushback among a few states to hybrid and virtual modalities which promote open and inclusive participation. But we were pleased to hear certain states echoing civil society groups on the need for open and inclusive modalities in future meetings.

 

A rocky path ahead

Also of note during the meeting was the range of different—at times competing—mechanisms and approaches proposed by member states to advance discussions. There were lots of proposals for the establishment of different repositories, including Kenya’s for a repository of threats, and India’s for a global portal of capacity building efforts.

Other notable faultlines during the meeting: whether there is a need for new norms, or whether focus should be solely on the implementation of existing norms; and the question of what should replace the OEWG as a means of institutional dialogue among states following the end of its mandate in 2025. On this latter point, a number of states expressed support for the establishment of the PoA as the single and permanent mechanism for state discussions on cyberspace following the OEWG, while Russia remains insistent in its calls for a treaty. This debate is likely to loom large in future meetings.

Despite the importance of these discussions—something that was highlighted during the discussion of new and emerging threats, where we heard reference to a much wider range of threats than ever before—the path ahead is confused. To move the needle forward, a lot will depend on what happens outside the OEWG, where there will be much more work and pressure put on states to build upon and adhere to their prior agreements and existing legal obligations. As has been shown elsewhere, civil society has a distinctive role to play in this effort, both by developing a human-centric understanding of cybersecurity, and in implementing human centric approaches to cybersecurity measures—efforts which are all critical to ensuring a peaceful and secure cyberspace.

 

Next steps

At the close of the session, the Chair set out the next steps for the intersessional period (the period prior to the next meeting in July). This includes an “informal meeting” on the PoC directory in late April, and an intersessional meeting in mid-May, the focus of which is yet to be decided, but is likely to be international law—including how it applies and Russia’s proposal for a treaty—as well as threats, capacity-building and regular institutional dialogue.

We’ll continue to engage closely. Subscribe to our monthly Digest for regular updates.