On Friday March 12, 2021, the United Nations adopted the report of the UN Open-Ended Working Group (OEWG) on Developments in the Field of Information and Telecommunications in the Context of International Security. The document was supported by consensus and, since all member states were able to take part in the OEWG, we can say that it reflects the views of most of the international community. The report marks the culmination of the OEWG’s two years of work on introducing a new format for negotiations on security in cyberspace launched in 2018 at the initiative of Russia. The successful completion of the group’s work suggests that demand for such a platform exists. This is particularly important, given that the OEWG will continue its activities in the new convocation for 2021–2025.
The OEWG participants agree that there is a growing risk of ICT being used in inter-state conflicts and see an increase in the malicious use of ICT both by state and non-state actors as an alarming trend. The report notes the potentially devasting consequences of attacks on critical information infrastructure (CII). Specifically, the COVID-19 pandemic has highlighted the importance of protecting the healthcare infrastructure. Inter-state interaction, as well as interaction between the state and the private sector, is important.
The fact that the report was adopted by consensus does not mean that the participants in the negotiations have overcome the differences in their approaches to security in cyberspace. Rather, they have agreed to put fundamental issues on the back burner. Michele Markoff, U.S. cybersecurity negotiator, conceded in her Explanation of Position at the Conclusion of the UN Open-Ended Working Group that the report was “not perfect,” noting that the United States had reservations about the need for a new OEWG to convene. She also stated that the United States could not subscribe to calls for new legal obligations in cyberspace, citing non-compliance on the part of certain states with the existing regulations. That notwithstanding, the United States sees the report as a step forward.
Success or failure of future negotiations in the OEWG will depend on three main components. First, the relations between the key players will define how productive the talks actually are.
The second factor is related to the competition between the negotiating platforms. The OEWG has the advantage that is enjoys broad support among UN members, and its mandate has been written into the respective Resolution of the General Assembly. That said, the GGE format is also widely supported within the United Nations, and the “Russian” resolution received fewer votes in the First Committee of the United Nations General Assembly last year than it had in 2018, while the “American” resolution actually received more. What is more, the United Nations does not have a monopoly when it comes to negotiating platforms on cybersecurity, as a number of non-governmental initiatives on cyberspace regulation have appeared in recent years.
The third and final factor has to do with preserving the gap between the practical side of ensuring information security and the international discussion surrounding it. Tech companies face cyberthreats on a daily basis, but their expertise in dealing with these challenges is not in demand at these negotiating platforms. The OEWG report talks about the need for public-private partnerships in order to protect the CII. However, the OEWG could take this one step further by examining the lessons of the responses of the business world to large-scale cyberattacks and by speaking their minds when it comes to assessing the efforts of technology leaders to advance rules and norms in cyberspace. The OEWG has the potential to bridge this gap (the new group’s mandate allows it to work with business and other stakeholders), but it has not been exploited to the full thus far. The most active player in the first convocation from the business world was Microsoft, while Trend Micro, Huawei, Fujitsu and others have also taken part in informal consultations. Kaspersky Lab is the only Russian company involved in the discussions. Russia’s Ministry of Foreign Affairs believes it is necessary “to create conditions for attracting the business world to the negotiation process on international information security (IIS), thus giving the public-private partnership an institutional character.” Two problems will first need to be resolved for this to happen: 1) how to motivate Russian businesses to take part in the negotiations; and 2) how to organize the interaction of different stakeholders in the OEWG in the most effective manner. Otherwise, the efforts of all sides will continue to lack the much-needed link to practical experience in this area.
On Friday March 12, 2021, the United Nations adopted the report of the UN Open-Ended Working Group (OEWG) on Developments in the Field of Information and Telecommunications in the Context of International Security. The document was supported by consensus and, since all member states were able to take part in the OEWG, we can say that it reflects the views of most of the international community. The report marks the culmination of the OEWG’s two years of work on introducing a new format for negotiations on security in cyberspace launched in 2018 at the initiative of Russia. The successful completion of the group’s work suggests that demand for such a platform exists. This is particularly important, given that the OEWG will continue its activities in the new convocation for 2021–2025.
A Victory for Diplomacy
Andrey Krutskikh, Special Representative of the President of the Russian Federation on Issues of International Cooperation in the Field of Information Security, called the adoption of the report “a triumphant success for the Russian diplomacy,” while the Ministry of Foreign Affairs lauded the significance of the moment in its official commentary.
To better understand why the adoption of the report has exactly seen such a success, we need to take a trip into the recent past. The issue of information security was included in the UN agenda in 1998, after Russia presented its draft resolution “Achievements in the Field of Information and Telecommunications in the Context of International Security” to the First Committee of the United Nations General Assembly. Negotiations have been ongoing since 2004 in the form of closed discussions in Groups of Government Experts (GGEs) involving between 15 and 25 states (the seventh composition of the GGE is expected to conclude its work in May 2021).
The negotiations started to pick up steam in the early 2010s, as three GGE consensus reports have shown. For example, the 2010 GGE report’s recommendations included furthering the dialogue among states on cyber norms, introducing confidence-building measures, exchanging information on national legislation and policies as well as identifying measures to support capacity-building in less developed countries as a means to reduce the risks associated with the use of information and communication technologies (ICT). The 2013 report reflected the OEWG’s conclusion that international law “is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment” (while conceding that a common understanding on the application of these rules needs to be worked out), and that state sovereignty applies to the conduct of ICT-related activities by states. Among other things, the 2015 report sets out the norms, rules or principles of responsible behaviour of states in the context of the ICT use.
The UN negotiating process on cyber threats stalled after 2015. The fifth convocation of the GGE in 2016–2017 failed to accept a consensus report, as the participants disagreed on how international law should be applied to state activities in cyberspace. This led to the United States and Russia putting forward separate initiatives in 2018. The United States and its co-sponsors proposed that the next GGE be convened to continue the discussion in a narrower circle. Meanwhile, Russia called for the negotiating process to be “more democratic, inclusive and transparent.” To this end, Moscow tabled a proposal to create an open-ended working group for all member states interested and hold consultative meetings for all other interested parties, namely business, non-governmental organizations and academia. Two parallel formats were launched as a result – the OEWG and the UN GGE.
The OEWG report is the first tangible result of the UN negotiations on cyber threats since 2015, which was made possible by a number of factors. First, the overwhelming majority of UN member states were interested in such a format (119 nations voted in favour of the Russia-drafted resolution in 2018), as it would avail many of them the opportunity to participate in a GGE for the first time.
Second, those countries that refrained from supporting the OEWG were nevertheless active in its work, and they put no obstacles in the way of adopting the final document. Representatives of 91 states spoke at OEWG meetings during the two years of its work. That is almost half of all UN member states, while one third of them have never been part of the GGE.
Finally, Jürg Lauber, Chairman of the OEWG and Permanent Representative of Switzerland to the UN, was widely praised for the work he did to push the negotiations through. He continued to perform his duties as Chairman even after being transferred from New York to Geneva. It was through Lauber’s chairmanship that an additional link between the OEWG and the GGE was established (one of the criteria for choosing Switzerland was the country’s participation in the closed GGE), which helped avoid competition between the two formats. The coronavirus pandemic posed yet another challenge for the Chairman of the OEWG and its participants. While the original plan was to adopt the OEWG in the summer of 2020, the final session of the Working Group was postponed for several months.
Let the Talks Continue
Content-wise, the report reflects the coordinated assessments of the current situation in cyberspace and, in accordance with the OEWG’s mandate, contains the following topics:
- Existing and Potential Threats
- Rules, Norms and Principles for Responsible State Behaviour
- International Law
- Confidence-Building Measures
- Capacity-Building in ICT
- Regular Institutional Dialogue on ICT
The OEWG participants agree that there is a growing risk of ICT being used in inter-state conflicts and see an increase in the malicious use of ICT both by state and non-state actors as an alarming trend. The report notes the potentially devasting consequences of attacks on critical information infrastructure (CII). Specifically, the COVID-19 pandemic has highlighted the importance of protecting the healthcare infrastructure. Inter-state interaction, as well as interaction between the state and the private sector, is important.
However, the OEWG report does not put forward any practical solutions to a number of information security problems, primarily in inter-state relations. The way international law should be applied in cyberspace largely remains a bone of contention. Despite the successful adoption of the OEWG report, negotiators have yet to find compromises on key issues.
In terms of the regulatory framework, the report essentially reiterates the agreements reached earlier within the framework of the GGE, such as those relating to the applicability of the rules, norms and principles for responsible state behaviour. The OEWG participants conclude the report by stating that additional legally binding obligations may be introduced in the future.
The proposals put forward in the report are, for the most part, of a general nature. States are urged to continue to inform the Secretary-General of their national views on the applicability of international law on the use of ICT in the context of international security, discuss these issues at the United Nations as well as envision confidence- and capacity-building measures.
More practical steps feature the recommendation that states nominate a national Point of Contact responsible for information security at the technical, policy and diplomatic levels who would then be included into a kind of international directory.
A group of over 40 countries led by France and Egypt managed to get an initiative of their own—proposed back in the fall of 2020 and urging to introduce a permanent forum on cybersecurity to replace the OEWG and GGE—included in the recommendations. The initiative, dubbed as the Programme of Action for Advancing Responsible State Behaviour in Cyberspace, appears in one of the paragraphs in the OEWG report, which lends weight to it and serves as the basis for discussions in the next convocation of the group.
One of the main reasons why we have not seen any breakthrough agreements in this regard is because of the sheer number of participants in the discussion on information security issues. On the one hand, this has brought new participants into the negotiations—those endorsing the previously agreed points—thus boosting their international clout. On the other hand, many participants demanded that a common denominator be identified, with all the difficult questions taken off the table. The last leg of the negotiations, in particular, saw a non-consensus draft part of the report published in a separate document, the Chair’s Summary.
The fact that the report was adopted by consensus does not mean that the participants in the negotiations have overcome the differences in their approaches to security in cyberspace. Rather, they have agreed to put fundamental issues on the back burner. Michele Markoff, U.S. cybersecurity negotiator, conceded in her Explanation of Position at the Conclusion of the UN Open-Ended Working Group that the report was “not perfect,” noting that the United States had reservations about the need for a new OEWG to convene. She also stated that the United States could not subscribe to calls for new legal obligations in cyberspace, citing non-compliance on the part of certain states with the existing regulations. That notwithstanding, the United States sees the report as a step forward.
Negotiations after Negotiations
Negotiations on cyber threats have now been going on for decades, broth at the United Nations and on other venues, and they are likely to drag on for many years to come. The OEWG report is an important milestone in the process and a reminder of the importance of multilateral efforts. According to Andrey Krutskikh, the successful completion of the group’s work “opens up huge opportunities for ensuring the success” of the current GGE, the Expert Group on Cybercrime—established during negotiations at the United Nations General Assembly Third Committee at the initiative of Russia—and the OEWG, whose mandate for 2021–2025 has been adopted.
Success or failure of future negotiations in the OEWG will depend on three main components. First, the relations between the key players will define how productive the talks actually are. While Russia and the United States may have managed to put their differences aside in order to reach a consensus on the report, the differences themselves have not gone anywhere. The sides still bang heads over such issues as attribution in cyberspace, the possibility of applying the norms of international humanitarian law to cyberattacks, etc. This is made all the worse by the new trend towards using the ICT for military and intelligence purpose as well as by numerous public accusations and threats emanating from both sides. One such example is the recent New York Times article on U.S. preparations for a retaliatory attack on Russian networks following the large-scale hack of U.S. government departments and corporations (known as the SolarWinds hack), which Russia is said to have carried out. Cybersecurity remains a sore point in U.S.–China relations as well. Tensions between major powers need to be reduced if we are to see any real progress in multilateral relations on this issue.
The second factor is related to the competition between the negotiating platforms. The OEWG has the advantage that is enjoys broad support among UN members, and its mandate has been written into the respective Resolution of the General Assembly. That said, the GGE format is also widely supported within the United Nations, and the “Russian” resolution received fewer votes in the First Committee of the United Nations General Assembly last year than it had in 2018, while the “American” resolution actually received more. What is more, the United Nations does not have a monopoly when it comes to negotiating platforms on cybersecurity, as a number of non-governmental initiatives on cyberspace regulation have appeared in recent years. France is actively pushing the Paris Call for Trust and Security in Cyberspace, which has the support of almost 80 nations as well as of many civil society organizations and companies. Six working groups are to be launched under the initiative in order to advance international norms and develop practical cooperation in cybersecurity. The competitive environment will mean that the OEWG will need to produce more tangible results in areas that are important for the participants.
The third and final factor has to do with preserving the gap between the practical side of ensuring information security and the international discussion surrounding it. Tech companies face cyberthreats on a daily basis, but their expertise in dealing with these challenges is not in demand at these negotiating platforms. The OEWG report talks about the need for public-private partnerships in order to protect the CII. However, the OEWG could take this one step further by examining the lessons of the responses of the business world to large-scale cyberattacks and by speaking their minds when it comes to assessing the efforts of technology leaders to advance rules and norms in cyberspace. The OEWG has the potential to bridge this gap (the new group’s mandate allows it to work with business and other stakeholders), but it has not been exploited to the full thus far. The most active player in the first convocation from the business world was Microsoft, while Trend Micro, Huawei, Fujitsu and others have also taken part in informal consultations. Kaspersky Lab is the only Russian company involved in the discussions. Russia’s Ministry of Foreign Affairs believes it is necessary “to create conditions for attracting the business world to the negotiation process on international information security (IIS), thus giving the public-private partnership an institutional character.” Two problems will first need to be resolved for this to happen: 1) how to motivate Russian businesses to take part in the negotiations; and 2) how to organize the interaction of different stakeholders in the OEWG in the most effective manner. Otherwise, the efforts of all sides will continue to lack the much-needed link to practical experience in this area.