Q3/2019 - UN Cybersecurity Groups (OEWG & UNGGE)

Open Ended Working Group (OEWG), New York, 10 – 14 September 2019

The first meeting of the new UN Open Ended Working Group on Developments in the Field of Information and Telecommunication in the Context of International Security (OEWG) was attended by over 100 governments and numerous NGOs. The OEWG is chaired by the Swiss diplomat Jürg Lauber. After a general opening round, five topics were discussed[1].

The overall atmosphere at the meeting was friendly. Most governments refrained from attacks or accusations against other states. There was general consensus that cyberspace had become a space relevant to peace and international security and that, in the face of growing threats, there was an obligation to take joint action. The majority of governments expressed their hope that the OEWG would yield practical and constructive results that would strengthen stability and security in cyberspace. The attendees also agreed that the results of the 2010, 2013 and 2015 UNGGEs, which include the statement that international law in its entirety applies both offline and online, were the basis and the starting point for the work of the OEWG.

Controversial discussions were triggered in particular by the following issues:

  • Should the OEWG work out new norms or focus primarily on the implementation of the norms and confidence-building measures already agreed by the UNGGE in 2010, 2013 and 2015;

  • Should the norms be binding under international law – perhaps in the form of a separate convention – or rather be considered as political recommendations that are not legally binding;

  • Should attacks on states in cyberspace be rated as use of force in terms of Article 2.4 of the UN Charter (which would legitimise the right of self-defence stipulated in Article 51 of the UN Charter – which in cyberspace would be a hack back) or do cyber attacks not constitute a violation of the prohibition under international law on the threat or use of force;

  • Is the attribution of attacks primarily a technical or a political problem;

  • Is a neutral international organisation (similar to the IAEA in the nuclear field) required for the attribution of cyber attacks or is their attribution a sovereign affair of each individual state.

The European Union had set out its priorities in a joint position paper. They include the recognition of international law as the basis for norms in cyberspace, the focus on confidence-building and capacity-building measures and support for the multi-stakeholder model for Internet governance, i.e. close and meaningful involvement of business, science, civil society and the technical community in the negotiations[2]. Australia, Iran, Mexico and the United Kingdom also submitted position papers. The USA did not present any position paper.

The Russian representative Andrej Krutskich, who has accompanied the UNGGE negotiations since 2000, gave a moderate and constructive speech. He called for a return to a "consensus approach" and committed to work for a "successful outcome of this truly historical forum under the UN auspices". Krutskich described OEWG and UNGGE as two "independent mechanisms" that work in parallel and complement each other, but should not be played off against each other.

Iran's Ambassador Majid Takht-Ravanchi called Iran the first victim of a cyber attack. The 2010 Stuxnet attack was the first "Cyber Hiroshima", he said. He demanded that states that support cyber attacks be held accountable and advocated the development of internationally binding norms for state behaviour in cyberspace.

The most comprehensive position paper came from China. China refers to the proposal already made in 2011 by the Shanghai Cooperation Organisation (SCO) to draw up a Code of Conduct for government action in cyberspace. The Chinese paper proposes seven basic principles, including the principle of "state sovereignty in cyberspace"[3]. This principle is defined very broadly and includes the full control of a state over any Internet-based activities within its respective national jurisdiction. Part of this broad definition is also the postulated right of states to participate in the "management and distribution of international Internet resources on an equal footing". This demand includes the possibility to challenge the current system of domain name and IP address management as practiced by the so-called "Empowered Community" of ICANN after the IANA transition (2016) and to trigger a new debate on Internet governance.

The relationship between the OEWG and the UNGGE also remains open. Like the OEWG, the 6th UNGGE was founded by the 73rd UN General Assembly in December 2018 and was assigned a very similar mandate. The 6th UNGGE will start its work in December 2019. Many governments stressed that unlike UNGGE, which has only 25 members, the OEWG was open to all states. The issue of cyber security had long ceased to be a special issue that only a few developed countries care about, they said. Many governments of developing countries made it clear that they gave priority to the OEWG format over UNGGE. The majority of the statements pleaded for close cooperation between OEWG and UNGGE in order to avoid duplication and overlap and to benefit from possible synergies.

The degree of participation of non-state actors in the work of the OEWG was controversial. UN Resolution 73/27 obliges the OEWG to consult with non-state actors. However, the UN resolution does not specify what these consultations should look like in detail. For the first OEWG meeting in September 2019, only NGOs that had already been accredited as NGOs by the UN Economic and Social Council (ECOSOC) were eligible to participate. This exclusion of NGOs not accredited by ECOSOC was criticised by civil society, but also by several governments, including Germany. It also remains unclear to what extent the non-governmental participants will be able to participate in the future discussion. The reduction of their possibilities of involvement to two-minute statements at the end of a meeting day was rated an unacceptable discrimination, reminiscent of the early days of the WSIS process in Geneva in 2002.

The next meeting of the OEWG is scheduled for February 2020 in New York. In between there will be a separate meeting of non-governmental representatives in New York from 2 to 4 December 2019. One of the items on the agenda will be procedural issues, such as how to organise the future participation of non-governmental representatives in the discussions of both OEWG and UNGGE.

The OEWG must submit its final report as early as the 75th UN General Assembly in autumn 2020. This means that the OEWG must adopt this report at its 3rd meeting, which is scheduled in New York for the beginning of July 2020. There are already voices that regard this timetable as completely unrealistic and call for an extension of the mandate of the OEWG. Some participants see the OEWG as the nucleus of a “Never Ending Working Group”, which could develop into a permanent intergovernmental negotiating platform for all cyber security issues.

Group of Governmental Experts (UNGGE), Bratislava, 18 – 19 June 2019

The UNGGE has started the regional consultations that UN Resolution 73/266 obliges it to hold.

The first of these regional consultations were held on 18 and 19 June 2019 in Bratislava, on the margins of the OSCE conference on cyber security. The OSCE had already developed 16 confidence-building measures for cyberspace in 2014. The OSCE Secretary-General, Thomas Greminger, called regional organisations “incubators for new ideas” and a field of experimentation for implementing global agreements such as those drafted within the framework of the UNGGE. The Bratislava consultations were opened by Slovakia’s Deputy Prime Minister Richard Raši. Slovakia is holding the annually rotating OSCE Presidency in 2019. The newly elected chair of the 6th UNGGE, Brazilian Ambassador Guilherme de Aguiar Patriota, was in charge of the consultations. The participants of the discussions included the OEWG Chair, Ambassador Jürg Lauber, and the UN’s Under-Secretary-General and High Representative for Disarmament Affairs, Izumi Nakamitsu[4].

The regional consultations for Latin America were held on 15 and 16 August 2019 together with the OAS (Organisation of American States) in Washington. Consultations with Africa (Addis Ababa with the African Union) and Asia-Pacific (ASEAN) are scheduled for the 4th quarter of 2019. The first official meeting will be held from 5 to 9 December in New York. For 2020, two meetings in Geneva are on the agenda (March 2020 and August 2020). A concluding meeting is envisaged for May 2021 in New York. The UNGGE must report to the 76th Session of the UN General Assembly in 2021.

More on the topic
  1. [1] Agenda of the 1st OEWG meeting, New York, 10 – 14 September 2019, “Discussions on substantive issues contained in paragraph 5 of General Assembly resolution 73/27: (a) To further develop the rules, norms and principles of responsible behaviour of States listed in paragraph 1 of General Assembly resolution 73/27, and the ways for their implementation, and, if necessary, to introduce changes to them or elaborate additional rules of behaviour; (b) To study the possibility of establishing regular institutional dialogue with broad participation under the auspices of the United Nations; (c) To continue to study, with a view to promoting common understandings, existing and potential threats in the sphere of information security and possible cooperative measures to address them; (d) How international law applies to the use of information and communications technologies by States; (e) Confidence-building measures; (f) Capacity-building and the concepts referred to in paragraph 3 of General Assembly resolution 73/27.” See: undocs.org/A/AC.290/2019/1
  2. [2] EU Non-Paper on Capacity Building to advance peace and stability in cyberspace: “In turn, this capacity building approach incorporates a number of key principles. Notably: - the understanding that existing international law and norms apply in cyberspace; - rights-based and gender-sensitive by design, with safeguards to protect fundamental rights and freedoms; - in line with the democratic and efficient multi-stakeholder internet governance model; - supports the principles of open access to the Internet for all, and not undermine the integrity of infrastructure, hardware and services; - supports a shared responsibility approach that entails involvement and partnership across public authorities, the private sector and citizens and promotes international cooperation. Furthermore, wider lessons from development cooperation should be taken into account in external cyber capacity building efforts in order to enhance effectiveness and sustainability. Notably, we aim to: - ensure that partner countries enjoy full ownership of the development priorities in relation to cyber resilience; - focus on sustainable results through the promotion of broader policy, legal and technical reform processes instead of ad-hoc, one-off activities; - ensure that trust, transparency, accountability and shared responsibility are the driving force behind assistance.” See: www.un.org/disarmament/open-ended-working-group/
  3. [3] China's Submission to the Open Ended Working Group on Developments on the Field of Information and Telecommunications in the Context of International Security, New York, 9 September 2019: “II. Norms, Rules and Principles for the Responsible Behavior of States China supports and has been constructively participating in the efforts of developing universally accepted norms, rules and principles of responsible behavior of States within the framework of UN. With a view to making contribution to the UN discussion, the Shanghai Cooperation Organization Member States submitted to the General Assembly in 2011 “International Code of Conduct for Information Security” and a revised version in 2015. Taking into account the latest developments in ICT environment, the Group should work on the following issues: i) States should pledge not to use ICTs and ICT networks to carry out activities which run counter to the task of maintaining international peace and security. ii) State sovereignty in cyberspace It is widely endorsed by the international community that the principle of sovereignty applies in cyberspace. The Group should enrich and elaborate on the specification of the principle, thus laying solid foundation for the order in cyberspace. -- States should exercise jurisdiction over the ICT infrastructure, resources as well as ICT-related activities within their territories. -- States have the right to make ICT-related public policies consistent with national circumstances to manage their own ICT affairs and protect their citizens’ legitimate interests in cyberspace. -- States should refrain from using ICTs to interfere in internal affairs of other states and undermine their political, economic and social stability. -- States should participate in the management and distribution of international Internet resources on equal footings. 
iii) Critical infrastructure protection Security of critical infrastructures bears on the economic development, social stability, public interests and national security of all states, which is the common concern of all parties. China proposes the following norms of states' behavior in this regard: -- States have the rights and responsibilities regarding legal protection of their critical ICT infrastructures against damage resulting from threats, interference, attack and sabotage. -- States should be committed to refraining from launching cyber attacks on the critical infrastructures of other states. -- States should not exploit policy and technical advantages to undermine the security and integrity of critical infrastructures of other states. -- States should increase exchanges on standards and best practices with regard to critical infrastructure protection and encourage enterprises to embark on such exchanges. iv) Data security: With the development of digital globalization, states have an increasing demand for the collection, analysis, application and cross-border flow of data, adding more weight to the importance of security. China proposes norms as follows: -- States should take a balanced approach with regard to technical advancement, business development and safeguarding national security and public interests. -- States have the rights and responsibilities to ensure the security of personal information and important data relevant to their national security, public security, economic security and social stability. -- States shall not conduct or support ICT-enabled espionage against other states, including mass surveillance and theft of important data and personal information. -- States should pay equal attention to both development and security, and push for the lawful, orderly and free flow of data. States should facilitate exchanges of best practices and cooperation in this regard. 
v) Supply chain security Supply chain security is crucial for enhancing users’ confidence and promoting digital economy. China proposes as follows: -- States should not exploit their dominant position in ICTs, including dominance in resources, critical ICT infrastructures and core technologies, ICT goods and services to undermine other states’ right to independent control of ICT goods and services as well as their security. -- States should prohibit ICT goods and services providers from illegal obtainment of users’ data, control and manipulation of users’ devices and systems by installing backdoors in goods. States should also prohibit ICT goods and services providers from seeking illegitimate interests by taking advantage of users’ dependence to their products, or forcing users to upgrade their systems or devices. States should request ICT goods and services providers to make a commitment that their cooperation partners and users would be noticed in a timely manner if serious vulnerabilities are detected in their products. -- States should be committed to upholding a fair, just and non-discriminatory business environment. States should not use national security as a pretext for restricting development and cooperation of ICTs and limiting the market access for ICT products and the export of high-tech products. vi) Counter-terrorism Terrorist groups’ use of the Internet for promotion and incitement, recruitment, and plan and coordination of attacks is the major source of the current terrorist activities, and jeopardizes the security and stability of all states. The international community has a high degree of consensus on this. 
The Group should probe into discussions in following norms: -- States should prohibit terrorist organizations from using the Internet to set up websites, online forums and blogs to conduct terrorist activities, including manufacturing, publication, storage, and broadcasting of terrorist audio and video documents, disseminating violent terrorist rhetoric and ideology, fund-raising, recruiting, inciting terrorist activities etc. -- States should conduct intelligence exchanges and law-enforcement cooperation on countering terrorism. For instance, one state should store and collect relevant online data and evidence in a timely manner upon request from other states for cyber-related terrorism cases, provide assistance in investigation and deliver prompt response. -- States should develop cooperative partnership with international organizations, enterprises and citizens in fighting cyber terrorism. -- States should request Internet service providers to cut off the online dissemination channel of terrorist content by closing propaganda websites and accounts and deleting terrorist and violent extremist content. vii) Norms, rules and principles regarding emerging technologies To minimize security risks brought by emerging digital technologies such as IOT, AI, big data, cloud computing and blockchain, at the same time guaranteeing their contribution to economic development, further study is needed on the norms, rules and principles in these realms.” See: www.un.org/disarmament/open-ended-working-group/
  4. [4] Officials, practitioners and experts gather in Bratislava for OSCE-wide conference on the future of cybersecurity, Bratislava, 19 June 2019: “Deputy Prime Minister of Slovakia Richard Raši opened the conference by emphasizing that cyber/ICT can act as “both an incredible opportunity and a major vulnerability.” “Malware and distributed denial-of-service (DDoS) attacks, massive data breaches and misuse of artificial intelligence can all wreak havoc on our lives and economies and threaten critical infrastructure,” he said. “The OSCE, in line with its mandate on conflict prevention and its comprehensive approach to security, has pioneered multilateral co-operation to prevent conflict arising from the use or misuse of cyber/ICT.” OSCE Secretary General Thomas Greminger highlighted the valuable role of regional organizations in contributing to cyber security. “They can be incubators for new ideas and practical efforts that relate to Confidence-Building Measures as well as an implementer of globally accepted agreements,” he said. “The promotion of effective crisis communication channels, international co-operation, especially at the policy level, as well as measures to enhance national and regional cyber/ICT security capacities are core elements of efforts needed to advance cyber security at the national and regional levels.” Among the topics explored at the conference were cyber attacks, the disruption of critical infrastructure, electoral interference, the weaponization of Artificial Intelligence and disinformation campaigns. An interactive scenario-based discussion allowed government participants to better understand the implications and results of an attack on critical infrastructure, and provided hands-on experience in responding to such an incident. 
While focusing on the OSCE’s role in tackling regional cybersecurity challenges, including through the implementation of its pioneering 16 Confidence-Building Measures related to ICT/cyber security and the efforts of its Informal Working Group, the conference also had a strong global focus. The conference hosted, on its margins, the very first consultations of the newly formed UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications (UN GGE). A panel discussion, including the Chairs of the UN GGE, Ambassador Guilherme de Aguiar Patriota of Brazil; the UN Open-Ended-Working Group, Ambassador Jürg Lauber of Switzerland; and the OSCE Informal Working Group, Ambassador Károly Dán of Hungary, highlighted the complementary nature of the OSCE’s work in the context of ongoing global policy discussions related to cybersecurity. The participation of Izumi Nakamitsu, the UN’s Under-Secretary-General and High Representative for Disarmament Affairs, as well as the Acting Head of the European External Action Service’s Policy Division, Rory Domm, in the conference reflected the need for strong multilateral co-operation in this area.” See: www.osce.org/chairmanship/423365