Q1/2020 - UN Cybersecurity Groups (OEWG & UNGGE)

2nd Formal Meeting of the Open Ended Working Group/OEWG, New York, 10 - 14 February 2020

The 2nd formal meeting of the OEWG was held in New York from 10 to 14 February 2020. Discussions were based on the reports of the 1st meeting (September 2019) and the “Informal Intersessional” (December 2019) as well as a number of input papers of individual UN Member States and NGOs.

The meeting was characterised by a constructive climate. There were no politically motivated controversies. As at the 1st formal OEWG meeting, only ECOSOC-accredited NGOs were admitted from the non-governmental sector, which was criticised by both NGOs and many UN member states. However, the input that had been provided by non-state stakeholders during the Informal Intersessional in December 2019, which had been summarised by the Chair of the Informal Intersessional, David Koh, Director of the National Cyber Security Agency in Singapore, in his report to the 2nd OEWG meeting, was positively acknowledged and taken up in substance by many governments in the discussion.

In his dated report of 28 January 2020, David Koh, Chair of the OEWG Informal Intersessional, draws an extremely positive balance for the so-called “experiment” of a multistakeholder meeting on security issues in the UN framework. The experiment is rated a complete success[1]. Regierungen würden enorm vom Input nicht-staatlicher Akteure aus Wirtschaft, Wissenschaft, Zivilgesellschaft und technischer Community profitieren.

Governments would benefit enormously from the input of non-state actors from private sector, academia, civil society and the technical community, said Koh.

Structured in 85 points, Koh's report contains a multitude of proposals from non-governmental stakeholders on the OEWG topics of threats in cyberspace, standards and laws, confidence- and capacity-building measures, and multistakeholderism. Koh mentions proposals for the protection of the public core of the Internet, for the establishment of a Robust Global Attribution Framework, for reporting vulnerabilities in hardware and software (Norm of Reporting Vulnerabilities) and for supply chain integrity of ICT products and services.

The report refers to a wide range of non-state initiatives and recommendations such as the Paris Call for Trust and Security, the Global Commission on Stability in Cyberspace (GCSC), the Global Forum on Cyber Expertise (GFCE), the Tech-Accord (Microsoft), the Charter of Trust (Siemens), the IGF Best Practice Forum on Cybersecurity, FIRST and others. Koh concludes that cyber security can only be shaped by involving the special expertise of the private sector, academia, civil society and the technical community. Moreover, the approach must be multidisciplinary (holistic approach).

Koh also refers to controversial issues, such as proposals to draw up treaties that are binding under international law or to create new institutions such as a kind of IAEA for cyberspace[2].

Against the background of this discussion, the Swiss OEWG Chairman Jürg Lauber presented the first draft of a final report (Initial Pre-Draft) on 11 March 2020. The plan to conduct two further “Intersessionals” at the end of March and the end of May 2020 was thwarted by the COVID-19 crisis. Ambassador Lauber cancelled the March meeting on 16 March 2020 and asked for written comments on his draft by 16 April 2020. At the 3rd formal and final meeting (6 - 10 July 2020 in New York) a consensus report shall be adopted, which will then be forwarded to the 75th UN General Assembly. Lauber's report contains 68 paragraphs and is divided into six sections:

  • Introduction
  • Existing and Potential Threats
  • International Law
  • Rules, Norms and Principles for Responsible State Behaviour
  • Confidence-building Measure
  • Capacity building
  • Regular Institutional Dialogue
  • Conclusions and Recommendations.

The report builds on the eleven norms for responsible state behaviour in cyberspace adopted by the UN General Assembly in 2015 (UN Resolution 70/237). It reaffirms that international law in general is relevant in both the offline and the online world.

In the section on threat scenarios, reference is made, inter alia, to new technological developments that may lead to the militarisation of cyberspace and corresponding risks to international security[3]

The report addresses the controversy whether existing norms in international law are sufficient to deal with the new threats, or whether an “upgrade” or “extended interpretation” of existing standards is necessary, or whether entirely new norms and new international treaties need to be negotiated. Lauber suggests a kind of iterative process, in which legally binding norms should be available for some areas, while legally non-binding recommendations would be sufficient for other areas[4]

Lauber also mentions proposals suggesting to turn to new approaches in creating mechanisms for peaceful resolution of conflicts in cyberspace, and the development of methods for attributing cyber attacks on the technical level[5]

A new chapter is devoted to a regular institutional dialogue. This section investigates options for establishing a new permanent mechanism for discussing cyber security issues under the auspices of the UN, which would build on and complement the existing mechanisms of the UN disarmament architecture and involve non-state stakeholders in the debate without questioning the intergovernmental character of the relevant negotiations[6]

The report repeatedly emphasises the benefit an extended multistakeholder cooperation would bring about in the field of cyber security[7]

The last section of the report, “Conclusions and recommendations”, is rather vague and works with “placeholders”. An additional paper lists further proposals by UN member states that are not initially included in the "Initial Pre-Draft". These comprise proposals from China on Internet governance and cyber sovereignty.

The report is planned to be adopted by consensus in July 2020. With its submission, the work of the OEWG would be concluded. However, the OEWG paper will include a recommendation proposing that the 76th UN General Assembly in 2021 shall address the issue of a future permanent institutional dialogue. That could well lead to a renewal or extension of the OEWG's mandate[8].  In 2021, the report of the 6th UNGGE will be available, too.

2nd Substantive Session of the 6th Group of Governmental Experts/UNGGE, Geneva, 24 - 28 February 2020

The 2nd substantive session of the 6th UNGGE took place in Geneva on 24 to 28 February 2020. Sessions of the UNGGE are not public. Non-state representatives are not admitted. There is no reporting on progress. Participants to the negotiations reported a constructive climate and a strong determination of the 25 UNGGE member states[9] to present a constructive final report in 2021. The 5th GGE had failed in 2017 and broken up without having compiled a final report.

Mehr zum Thema
  1. [1] Informal intersessional consultative meeting of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security, New York, 2 – 4 December 2019, Chair’s Summary, New York, 28 January 2020: „I found the discussions to be informative, interactive and highly relevant for taking forward the work of the international community in this area. The different perspectives provided by States, industry, civil society and academia were enriching and the concrete ideas put forward were constructive and innovative.“, in: https://www.un.org/disarmament/open-ended-working-group/
  2. [2] Informal intersessional consultative meeting of the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security, New York, 2 – 4 December 2019, Chair’s Summary, New York, 28 January 2020: „84. Stakeholders expressed the hope that “Multi-stakeholderism” would not be a ticking of a participation box, but that all stakeholders would have a role in actively shaping policy and decision-making. States have exclusive responsibility for national security but responsible behaviour should be required by all actors“, in: https://www.un.org/disarmament/open-ended-working-group/
  3. [3] Initial “Pre-draft” of the report of the OEWG on developments in the field of information and telecommunications in the context of international security, New York, 11 March 2020 „14. In their discussions at the OEWG, States expressed concern at the malicious use of ICTs carried out by State actors, including the possible use of proxies. It was also noted that some ICT capabilities previously only available to States were now accessible to non-State actors, including terrorists and criminals.15. States expressed the view that the development or use of offensive ICT capabilities, as well as the stockpiling of vulnerabilities, are contributing to the militarization of the digital space. Pursuit of increasing automation and autonomy in ICT operations was also put forward as a specific concern. States highlighted as a central threat the possibility that ICTs could be used in a manner inconsistent with a State’s obligations under international law. Additional concerns were conveyed regarding interference in the internal affairs of States through the use of ICTs, including by means of information operations and disinformation campaigns. Concerns were also raised about the exploitation of harmful hidden functions and the integrity of global ICT supply chains. 16. States underscored that a lack of awareness, resilience and adequate capacities constitutes a threat in and of itself as all countries are increasingly reliant on digital technologies. 17. It was noted that threats may have a differentiated impact on different actors, including on youth, the elderly, women and men, on vulnerable populations, particular professions, and other categories of actors, as well as on States with different levels of ICT security and resilience.18. States noted significant technological trends, including progress in machine learning, encryption, and quantum computing; the ubiquity of connected devices (”Internet of Things“); new ways to store and access data through distributed ledgers and cloud computing; and the expansion of big data, including digitized personal data. While recognizing the substantial beneficial applications of these innovations, States cautioned that technological advances and new applications may also expand attack surfaces, amplify vulnerabilities in the ICT environment or facilitate novel malicious activities. At the same time, there was broad agreement that measures to promote responsible State behaviour should remain technology-neutral. 19. While States observed that critical infrastructure is defined differently in accordance with national prerogatives and priorities, they emphasized the severity of threats to particular categories of infrastructure, including for instance the health and financial sectors and electoral infrastructure. Transborder and transnational critical infrastructure was highlighted as at risk as was supranational critical information infrastructure, notably those global systems upon which public or financial services rely. In this regard, States underscored that attacks on critical infrastructure pose not only a threat to security, but also to economic development and people’s livelihoods.20. In light of the increasingly concerning digital threat landscape, and recognizing that no State is sheltered from these threats, the OEWG underscored the urgent need for States to further develop, through multilateral forums, cooperative measures to address such threats. It was affirmed that acting together and inclusively would produce more effective and far-reaching results. The positive contributions of the private sector, civil society and academia were also emphasized in this regard.“, in: https://www.un.org/disarmament/open-ended-working-group/
  4. [4] Initial “Pre-draft” of the report of the OEWG on developments in the field of information and telecommunications in the context of international security, New York, 11 March 2020; 26. During the discussion the view was expressed that existing international law, complemented by the voluntary, non-binding norms that reflect consensus among States, is currently sufficient for addressing State use of ICTs. It was noted that efforts should therefore be directed to reaching common understanding on how the already agreed normative framework applies and can be operationalized. 27. At the same time, during the discussion, it was also noted that there may be a need to adapt existing international law or develop a new instrument to address the unique characteristics of ICTs. In particular, it was highlighted that certain questions on how international law applies in the use of ICTs have yet to be fully clarified. Such questions include, inter alia, what kind of ICT-related activity might be interpreted by other States as a threat or use of force (Art. 2(4) of the Charter) or might give a State cause to invoke its inherent right to self-defence (Art. 51 of the Charter). They also include questions relevant to how the principles of international humanitarian law, including the protection of civilians and civilian objects, apply to ICT operations in the context of armed conflict. In this regard, it was noted that the issue of the applicability of international humanitarian law to the use of ICTs by States needed to be handled with prudence. 28. In this context, proposals were made for the development of a legally binding instrument on the use of ICTs by States as the quickly evolving nature of the threat environment and the severity of the risk necessitates a stronger, internationally agreed framework. It was noted that such a binding framework may lead to more effective global implementation of commitments and a stronger basis for holding actors accountable for their actions. 29. It was suggested that while existing bodies of international law do not include specific reference to the use of ICTs in the context of international security, international law can develop progressively in this regard. Developing complementary binding measures concurrently with the implementation of norms was also proposed. A politically binding commitment4 with regular meetings and voluntary State reporting, was also suggested as a possible middle ground approach. 30. States proposed that a first step to further develop common understandings could be increased exchanges on their interpretation of how international law applies to the use of ICTs by States“ in: https://www.un.org/disarmament/open-ended-working-group/
  5. [5] Initial “Pre-draft” of the report of the OEWG on developments in the field of information and telecommunications in the context of international security, New York, 11 March 2020; 32. From the perspective of maintaining peace and preventing conflict, it was noted that greater focus could be placed on adherence to key Charter principles such as the settlement of disputes by peaceful means and refraining from the threat or use of force. In this context, States recalled existing mechanisms for the settlement of disputes, including the Security Council and the International Court of Justice. It was suggested that developing a common approach to attribution at the technical level could lead to greater accountability, transparency, and could help support legal recourse for those harmed by malicious acts.“, in: https://www.un.org/disarmament/open-ended-working-group/
  6. [6] Initial “Pre-draft” of the report of the OEWG on developments in the field of information and telecommunications in the context of international security, New York, 11 March 2020; 62. A variety of proposals were made to take forward regular institutional dialogue. It was noted that the GGE process since 2004 has been a form of regular dialogue. It was also suggested that the format of the OEWG, with its inclusive membership and transparent discussions, should become the standard for discussion and therefore the renewal of its mandate was called for. It was highlighted that there was value in having the sixth Group of Governmental Experts meeting in parallel to the OEWG, stressing their complementarity and the opportunity to capitalize on the unique features of each process. Looking beyond the mandates of the OEWG and sixth GGE, a further suggestion was that regular institutional dialogue could be the follow-up mechanism to a politically binding instrument.12 Another possibility raised was that an inter-governmental specialized agency could be established“ in: https://www.un.org/disarmament/open-ended-working-group/
  7. [7] Initial “Pre-draft” of the report of the OEWG on developments in the field of information and telecommunications in the context of international security, New York, 11 March 2020. „64. The OEWG’s mandate provided for the possibility of holding intersessional consultative meetings with other stakeholders, including the private sector, non-governmental organizations and academia. The three-day informal consultative meeting of the OEWG held in December 2019 produced a rich exchange between States and other stakeholders. The OEWG also heard interventions from non-governmental organizations during an informal multi-stakeholder segment at its first and second sessions. In order to further inform their engagement with the OEWG, some States noted that they have conducted domestic multi-stakeholder consultations or calls for submissions. 65. It was recalled that States hold primary responsibility for national security, public safety and rule of law. It was also noted that regular dialogue should be primarily intergovernmental in nature, and an appropriate mechanism to leverage the experience and knowledge of other stakeholder groups would need to be found. In their interventions, States acknowledged that building a more resilient and secure ICT environment necessitates multi-stakeholder cooperation and partnerships. While recognizing the unique role and responsibility of States in relation to security, there was growing appreciation that States may benefit from the expertise in non-governmental communities and that responsible behaviour of other actors makes an essential contribution to this environment“ in: https://www.un.org/disarmament/open-ended-working-group/
  8. [8] Initial “Pre-draft” of the report of the OEWG on developments in the field of information and telecommunications in the context of international security, New York, 11. Mäerz 2020. „The OEWG recommends that the 76th session of the General Assembly of the United Nations convene a new open-ended working group of the General Assembly acting on a consensus basis to continue the consideration of developments in the field of information and telecommunications in the context of international security.“, in: https://www.un.org/disarmament/open-ended-working-group/
  9. [9] Members of the 6th UN-GGE sind: Australia, Brazil, China, Estonia, France, Germany, India, Indonesia, Japan, Jordan, Kasachstan, Kenya, Mauritius, Mexico, Marokko, Netherlands, Norway, Rumania, Russia, Singapore, South-Africa, Switzerland, Great-Brittain, USA, Uruguay, in: https://www.un.org/disarmament/group-of-governmental-experts//