Q3/2019 - UN Cybersecurity Groups (OEWG & UNGGE)
The first meeting of the new UN Open Ended Working Group on Developments in the Field of Information and Telecommunication in the Context of International Security (OEWG) was attended by over 100 governments and numerous NGOs. The OEWG is chaired by the Swiss diplomat Jürg Lauber. After a general opening round, five topics were discussed.
The overall atmosphere at the meeting was friendly. Most governments refrained from attacks or accusations against other states. There was general consensus that cyberspace had become a space relevant to peace and international security and that, in the face of growing threats, there was an obligation to take joint action. The majority of governments expressed their hope that the OEWG would yield practical and constructive results that would strengthen stability and security in cyberspace. The attendants also agreed that the results of the 2010, 2013 and 2015 UNGEs, which include the statement that international law in its entirety applies both offline and online, were the basis and the starting point for the work of the OEWG.
Controversial discussions were triggered in particular by the following issues: :
Shall the OEWG work out new norms or focus primarily on the implementation of the norms and confidence-building measures already agreed by the UNGEE 2010, 2013 and 2015;
Shall the norms be binding under international law – perhaps in form of a separate convention – or rather be considered as political recommendations that are not legally binding;
Shall attacks on states in cyberspace be rated as use of force in terms of Article 2.4 of the UN Charter (which would legitimise the right of self-defence stipulated in Article 51 of the UN Charter – which in cyberspace would be a hack back) or do cyber attacks not present a violation of the prohibition under international law to threaten or use force;
Is the attribution of attacks primarily a technical or a political problem;
Is a neutral international organisation (similar to the IAEA in the nuclear field) required for the attribution of cyber attacks or is their attribution a sovereign affair of each individual state.
The European Union had set out its priorities in a joint position paper. They include the recognition of international law as the basis for norms in cyberspace, the focus on confidence-building and capacity-building measures and support for the multi-stakeholder model for Internet governance, i.e. close and meaningful involvement of business, science, civil society and the technical community in the negotiations. Australia, Iran, Mexico and the United Kingdom also submitted position papers. The USA did not present any position paper.
The Russian representative Andrej Krutskich, who has accompanied the UNGGE negotiations since 2000, gave a moderate and constructive speech. He called for a return to a "consensus approach" and committed work for a "successful outcome of this truly historical forum under the UN auspices". Krutskich described OEWG and UNGGE as two "independent mechanisms" that work in parallel and complement each other, but should not be played off against each other.
Iran's Ambassador Majid Takht-Ravanchi called Iran the first victim of a cyber attack. The 2010 Stuxnet attack was the first "Cyber Hiroshima", he said. He requested that states that support cyber attacks must be held accountable and advocated the development of internationally binding norms for state behaviour in cyberspace.
The most comprehensive position paper came from China. China refers to the proposal already made in 2011 by the Shanghai Cooperation Organisation (SCO) to draw up a Code of Conduct for government action in cyberspace. The Chinese paper proposes seven basic principles, including the principle of "state sovereignty in cyberspace". This principle is defined very broadly and includes the full control of a state over any Internet-based activities within its respective national jurisdiction. Part of this broad definition is also the postulated right of states to participate in the "management and distribution of international Internet resources on an equal footing". This demand includes the possibility to challenge the current system of domain name and IP address management as practiced by the so-called "Empowered Community" of ICANN after the IANA transition (2016) and to trigger a new debate on Internet governance.
Open is also what shall be the relationship between the OEWG and UNGGE. Like the OEWG, the 6th UNGGE was founded by the 73rd UN General Assembly in December 2018 and was assigned a very similar mandate. The 6th UNGGE will start its work in December 2019. Many governments stressed that unlike UNGGE, which has only 25 members, the OEWG was open to all states. The issue of cyber security had long ceased to be a special issue that only a few developed countries care about, they said. Many governments of developing countries made it clear that they gave priority to the OEWG format over UNGGE. The majority of the statements pleaded for close cooperation between OEWG and UNGGE in order to avoid duplication and overlap and to benefit from possible synergies.
The degree of participation of non-state actors in the work of the OEWG was controversial. UN Resolution 73/27 obliges the OEWG to consult with non-state actors. However, the UN resolution does not specify what these consultations should look like in detail. For the first OEWG meeting in September 2019, only NGOs that had already been accredited as NGOs by the UN Economic and Social Council (ECOSOC) were eligible to participate. This exclusion of NGOs not accredited by ECOSOC was criticised by civil society, but also by several governments, including Germany. It also remains unclear to what extent the non-governmental participants will be able to participate in the future discussion. The reduction of their possibilities of involvement to two-minute statements at the end of a meeting day was rated an unacceptable discrimination, reminiscent of the early days of the WSIS process in Geneva in 2002.
The next meeting of the OEWG is scheduled for February 2020 in New York. In between there will be a separate meeting of non-governmental representatives in New York from 2 to 4 December 2019. One of the items on the agenda will be procedural issues, such as how to organise the future participation of non-governmental representatives in the discussions of both OEWG and UNGGE.
The OEWG must submit its final report already to the 75th UN General Assembly in autumn 2020. This means that the OEWG must adopt this report at its 3rd meeting, which is scheduled in New York for the beginning of July 2020. Already now there are voices that regard this timetable as completely unrealistic and call for an extension of the mandate of the OEWG. Some participants see the OEWG as the nucleus of a “Never Ending Working Group”, which could develop into a permanent intergovernmental negotiating platform for all cyber security issues.
The UNGGE has started with the regional consultations to which it is obliged according to the UN Resolution 73/266.
The first of these regional consultations were held on 18 and 19 June 2019 in Bratislava, in the margins of the OSCE conference on cyber security. The OSCE had developed 16 confidence-building measures for cyberspace already in 2014. The OSCE Secretary-General, Thomas Greminger, called regional organisations “incubators for new idea”“ and a field of experimentation for implementing global agreements as they were drafted within the framework of the UNGEE. The Bratislava consultations had been opened by Slovakia’s Deputy Prime Minister Richard Rasi. Slovakia is holding the annually rotating OSCE Presidency in 2019. The newly elected chair of the 6th UNGEE, Brazilian Ambassador Guilherme de Aguiar Patriota, was in charge of the consultations. The participants of the discussions included the OEWG Chair, Ambassador Jürg Lauber, and the UN’s Under-Secretary-General and High Representative for Disarmament Affairs, Izumi Nakamitsu.
The regional consultations for Latin America were held on 15 and 16 August 2019 together with the OAS (Organisation of American States) in Washington. Consultations with Africa (Addis Ababa with the African Union) and Asia-Pacific (ASEAN) are scheduled for the 4th quarter of 2019. The first official meeting will be held on 5 to 9 December in New York. For 2020, two meetings in Geneva are on the agenda (March 2020 and August 2020). A concluding meeting is envisaged for May 2021 in New York. The UNGGE must report to the 76th Session of the UN General Assembly in 2021.