UN and Cybersecurity: Searching for Consensus in a Divided World

The 78th UN General Assembly (UNGA) addressed the issue of cybersecurity again at one of its last meetings in December 2023. It included the adoption of four resolutions on the Open-Ended Working Group (OEWG), a “Program of Action” (POA), and autonomous weapon systems. The texts of the four draft resolutions were negotiated in UNGA’s 1st committee, responsible for international security issues, in October and November 2023.

OEWG and the Future of Cybersecurity Negotiations in the UN

The OEWG was founded in 2020. It deals with “developments in the field of information and telecommunications in the context of international security.” Essentially, this is about responsible behavior by states in cyberspace based on international law. Preparatory work for the OEWG, in which all 193 UN states are involved, was carried out by several so-called “Groups of Governmental Experts” (GGEs) in the 2010s. In 2015, one of the six GGEs agreed on eleven norms, which later received the full support of the UNGA. The eleven norms include, among other things, the obligation not to carry out cyber attacks against critical infrastructure. Since then, these eleven norms, which are not legally binding, have been considered something like the “universal framework for global cybersecurity.”

In addition to the application of international law in cyberspace, the mandate of the OEWG also includes the development of recommendations for confidence and capacity-building measures and the creation of a permanent negotiating mechanism on cybersecurity under the auspices of the UN. The OEWG is initially mandated until 2025.

The discussion about what will happen to the OEWG in the long term already began at the 78th UNGA in 2023. It is no surprise that this discussion reflected the deep division among different political camps along the current geo-strategic conflict lines. While Western countries are pushing to focus on implementing the eleven norms from 2015 through a “Program of Action” (POA), Russia and China want to develop new norms and codify them into a binding treaty under international law. The Western countries do not fundamentally reject the work on further norms, but argue that one should first be clear about how the existing norms are applied in the practice of states. The proposed POA contains multi-layered measures—from regular state implementation reports to review conferences—that are intended to provide a comprehensive picture of the responsible behavior of states in cyberspace in accordance with international law. On this basis, any gaps can then be identified, and the necessity of new norms and their legalization can be discussed.

Both camps had presented resolutions in the 1st Committee, which were ultimately adopted, albeit with a sometimes significant number of dissenting votes. The resolution on the POA introduced by France received 158 votes in favor and 10 against (including China and Russia), with 12 abstentions. The OEWG resolution introduced by Russia received 112 votes in favor and 52 against (including all EU members, the USA, Japan, Australia, Turkey, Great Britain, Ukraine and Albania) with eleven abstentions.

This has no major consequences for the current work of the OEWG in 2024. Its chairman, Singapore’s Ambassador Gafoor, presented his second consensus report on October 24, 2023. He was able to point to an initial, albeit modest, result: the agreement on an intergovernmental mechanism for the establishment of so-called “Points of Contact” (PoC). The PoC mechanism is intended to work like the “red telephone” that was installed between the USA and the former Soviet Union after the Cuban Missile Crisis in the 1960s. In the event of a cyberattack, governments should be given the opportunity to contact the PoC of the suspected government to clarify the situation. A similar mechanism was introduced years ago within the framework of the Organization for Security and Cooperation in Europe (OSCE) and has produced good experiences that are now to be universalized. The PoC mechanism is expected to be operationalized in 2024. The resolution on the OEWG Chairman’s report was passed by consensus without a vote.

However, the decision on the future of the OEWG and the creation of a permanent cybersecurity negotiating mechanism under the UN umbrella remain controversial and have now been postponed to the 79th UNGA, which begins in September 2024. France’s proposal to decide already now to hold a separate UN cybersecurity conference in 2025 with the aim of adopting a POA has been put aside for the time being.

Role of Non-State Actors

It is still unclear how non-governmental stakeholders from business, science, civil society and the technical community can be included in the work of the OEWG. Meanwhile, so-called informal consultations between the formal OEWG meetings have become commonplace, thanks to the engagement of the OEWG chair, Burhan Gafoor. At these informal consultations, all stakeholders, regardless of whether they are recognized by ECOSOC as an NGO or not, can raise their voices. This applies, for example, to Internet companies such as Microsoft, academic research institutions such as the Geneva Cyber Peace Institute, or the Global Forum for Cyber Expertise (GFCE) based in The Hague.

However, when it comes to participating in regular OEWG meetings, many non-governmental stakeholders are still locked out. The POA resolution introduced by France calls for an inclusive dialogue with “relevant stakeholders.” But the resolution also says that this should only take place when it is “appropriate.” When assessing what constitutes “appropriateness” and which non-state stakeholders can participate, all states have veto power. Russia has put more than a dozen NGOs on the “black list”, including the GFCE and the World Economic Forum (WEF). Ukraine, in turn, has blocked the participation of Russian institutions such as the Moscow Institute of International Relations (MGIMO). To allow excluded non-governmental cybersecurity experts access to the negotiations, some Western governments have included these experts as members of their governmental delegations.

Many countries from the “global south” fundamentally support the idea of discussing international cybersecurity issues more intensively in the UN context and also support the inclusion of the expertise of non-governmental stakeholders. However, like Brazil’s ambassador, they complain that geo-political rivalries are pushing the main thing, the promotion of an “open, secure, stable accessible and peaceful cyberspace,” to the sidelines.

Autonomous Weapon Systems

The resolution on autonomous weapon systems is new in the UN context. These weapon systems have been negotiated for more than ten years in a “Group of Governmental Experts on Lethal Autonomous Weapons Systems” (GGE LAWS). However, the negotiations under the umbrella of the “Convention on Prohibition or Restrictions on the Use of Certain Conventional Weapons (CCW)” have not yet produced any results. The CCW is not a UNGA body.

For years, civil society organizations, in particular, have been calling for the LAWS negotiations to be relocated to the UN in order to give them greater status. They have UN Secretary-General Antonio Guterres on their side, who has been calling for a ban on these weapon systems for years. It was only in July 2023 that Guterres called for an international treaty on autonomous weapon systems (such as an international ban on so-called AI-based “killer robots” that choose their own targets) by 2026 in his “Agenda for Peace.”

In 2022, Austria campaigned to bring the issue to the UN. The draft resolution, which has now been signed by 27 states, was adopted with 164 votes in favor, eight abstentions (including China and Turkey), and five votes against (including Russia, India, and Mali). However, the substance of the resolution is very thin. The resolution states that there is an “urgent need” to address the issue but leaves it completely open as to how this should be done. UN Secretary-General Guterres is first asked to submit a “substantive report” by the next UNGA. UN member states, the International Red Cross, which also advocates a ban on these weapon systems, as well as non-governmental stakeholders from civil society, business, science, and the technical community, are invited to contribute to this report. But what the 79th UNGA will do with this report in autumn 2024 remains completely open.

In the meantime, two further GGE LAWS negotiations are scheduled for 2024. But people have been going around in circles there for years. So far, it has not even been possible to define what is meant by autonomous weapon systems and whether we want to have a non-binding recommendation or an instrument that is binding under international law at the end of the negotiations.

This is worrying given the dynamic developments in the field of artificial intelligence and the fact that military aspects are excluded from the AI regulations envisaged within the framework of the European Union and the Council of Europe. The wars in Ukraine and Gaza have now become a testing ground for AI-based weapon systems. Drones are playing an increasingly important role in the Ukraine war. And in the Gaza war, the Israeli army is using AI-generated facial recognition to identify and kill Hamas fighters.

Although warnings about an unbridled AI arms race are becoming louder, the political will to address this through constructive negotiations leaves much to be desired. Whether anything tangible comes from the U.S.-Chinese AI negotiations that Presidents Biden and Xi agreed to at their November 2023 summit in San Francisco remains to be seen.

By Wolfgang Kleinwächter, Professor Emeritus at the University of Aarhus

He is a member of the Global Commission on Stability in Cyberspace, was a member of the ICANN Board (2013 – 2015) and served as Special Ambassador for the Net Mundial Initiative (2014 – 2016).
