Cybersecurity and artificial intelligence were among the key topics at the 79th UN General Assembly (UNGA). UNGA’s 1st Committee, responsible for disarmament and international security, concluded its negotiations in mid-November 2024. It discussed the 3rd Annual Progress Report (APR) of the Open-Ended Working Group (OEWG) and adopted a resolution that recommends, inter alia, the establishment of a new permanent cybersecurity mechanism within the UN system. Furthermore, it adopted two resolutions on autonomous weapon systems (AWS). And UNGA’s 3rd Committee gave the green light for the signature of the new UN Cybercrime Convention (UNCC) without a formal vote.
Cybersecurity has been on the UN agenda for more than 25 years. Until 2020, the topic was discussed in a small “Group of Governmental Experts” (GGE) consisting of 15, later of 25 states. The GGE agreed that international law, as defined in the Charter of the United Nations, also applies to virtual cyberspace. In 2015, an agreement was reached on eleven principles for responsible behavior of states in cyberspace. Since then, the eleven principles have been considered “the global framework for international cybersecurity.” However, the principles are not legally binding.
In 2020, the GGE was replaced by an “Open-Ended Working Group” (OEWG), which is open to all 193 UN members. The OEWG mandate included clarifying how international law is to be applied in cyberspace. It was also to develop recommendations for confidence- and capacity-building measures. The OEWG mandate was limited to 2025.
The main point of contention was the question of whether, how and when a UN cybersecurity treaty, binding under international law, should be negotiated. Russia wanted to translate the eleven GGE principles into a formal, legally binding treaty with new principles. The Western states, on the other hand, proposed a so-called “Program of Action” (PoA). This PoA should first examine how states implement the eleven non-binding cybersecurity principles, before starting negotiations on a new treaty and adding new principles.
The 3rd Annual Progress Report (APR), which the OEWG chairman, Singapore’s ambassador Barton Gafoor, presented to the 1st Committee in October 2024, avoided taking a clear position. He proposed that the envisaged new UN mechanism for cybersecurity should deal with this. However, the status and the design of such a “Permanent Mechanism” are controversial. To his report, Gafoor attached a paper with key points for a new UN cybersecurity body (Elements for the Open-Ended Action Oriented Permanent Mechanism on ICT Security in the Context of International Security).
The 1st Committee postponed a decision and sent the issue back to the OEWG. However, Gafoor’s paper was accepted as the basis for further negotiations. The objective is to ensure a smooth transition from the OEWG to a future “permanent mechanism.” The deadline is December 2025. Whether at the end of the day we will have a new “UN Cybersecurity Committee” or just an “Action Plan” remains open. The two final OEWG meetings have to find a compromise. They are scheduled for December 2024 and July 2025.
Decisions also have to be made on how non-governmental stakeholders from business, science, civil society and the technical community will be involved in the future work of the new “permanent mechanism”. The OEWG chairman has repeatedly endeavored to give non-governmental stakeholders the opportunity to contribute to OEWG issues in informal consultations, intersessional meetings and as silent onlookers in formal OEWG sessions. However, quite a few governments, such as Russia, are critical of the “multi-stakeholder approach” or reject it altogether.
The new OEWG resolution also approved confidence- and capacity-building measures. In May 2024, the OEWG finally agreed on a “Global Point of Contact Directory” (PoC). This mechanism obliges governments to establish a contact point that can be contacted by another government in the event of a cyberattack. The PoC mechanism is intended to function like the “red telephone” between the nuclear powers. The “Global Roundtable on ICT Security Capacity Building” was also established in May 2024. In the first meeting, which took place in New York, non-state actors participated on equal footing. The roundtable is intended to help developing countries, in particular, to develop capacities more quickly in order to be better prepared against cyberattacks.
Autonomous weapon systems (AWS) have only been on the UN agenda since 2023. AWS have been negotiated for more than ten years, but outside the UN, by a “Group of Governmental Experts in Lethal Autonomous Weapon Systems” (GGE LAWS) under the umbrella of the “Convention on Certain Conventional Weapons” (CCW). Due to a lack of progress in the GGE LAWS negotiations, Austria took the initiative in 2023 to establish a new negotiating line within the UN General Assembly. UN Secretary-General Antonio Guterres has been calling for a moratorium on “killer robots” for years.
The 2023 AWS Resolution had called on Guterres to first prepare a report with statements from governments and non-governmental organizations. More than 80 governments and 30 NGOs commented. In the report, presented in July 2024, the UN Secretary-General reiterated the urgency of addressing this problem and renewed his proposal to draw up an international treaty by 2026.
The new UN resolution now calls on the GGE LAWS to complete its work by the end of 2025. A two-day “informal consultation” open to both governments and non-state stakeholders will take place in New York in the first half of 2025. The topic will then be discussed further at the 80th UN General Assembly, which begins in September 2025. Austria has also proposed a Roundtable on the issue during the forthcoming Internet Governance Forum (IGF) in Riyadh, which is scheduled for December 16, 2024.
The 2024 AWS Resolution is supplemented by a resolution introduced by Korea on “Artificial Intelligence in the Military Domain”. Although this resolution does not contain any concrete commitments, it calls on all states and non-state actors to draw greater public attention to this topic. It asks UN Secretary-General Guterres to prepare another report by the next UN General Assembly that goes beyond autonomous weapon systems and would also include, inter alia, armed drones (uncrewed aerial vehicles/UAVs), which are playing an increasing role in the current conflicts in Ukraine and the Middle East. States are called upon to observe the “Abu Dhabi Guiding Principles” adopted by the UN Security Council’s Counter-Terrorism Committee in January 2024.
In early November 2024, UNGA’s 3rd Committee gave the green light to prepare a signature ceremony for the UN Cybercrime Convention (UNCC). The UNCC had been discussed and negotiated since 2019 within an “Ad Hoc Committee” (AHC) and was finalized in a two-week meeting in New York in August 2024. The 3rd Committee did not re-open the text for discussion. However, a number of governments made statements setting out their positions and how they read the convention.
The final text, adopted in August 2024, is a treaty where agreement was reached on the lowest common denominator. Civil society and business representatives were very critical. They argued that the convention would do little to reduce cybercrime but would give authoritarian states the opportunity to legitimize censorship and surveillance by invoking international law. In fact, cybercrime and human rights protection are very vaguely defined in the UNCC and allow for a broad interpretation. Also, six US senators raised concerns. In a letter to the Biden administration (October 2024), they wrote that the US “must not align itself with repressive regimes by supporting a Convention that undermines human rights and U.S. interests” under the guise of improving cybersecurity.
Originally, Western governments supported an extension of the Budapest Cybercrime Convention. This convention was adopted by the Council of Europe in 2001, and it is open to all UN member states. However, countries from the “Global South” argued that they had not been involved in the 2001 negotiations and wanted to have a treaty under the UN. The approval of the Western governments was also, not least, a concession to those states from the Global South. Close cooperation with the Global South plays a major role in the US international cyber and digital strategy adopted in May 2024. The principle of “digital solidarity” is paramount there.
During the discussion in the 3rd UN Committee, representatives of the USA, the EU and Great Britain therefore made statements pointing out weaknesses in the treaty and warning autocratic states against abusing the Convention for unjustified censorship and surveillance and undermining the rule of law.
The 3rd Committee forwarded the UNCC resolution to the plenary of the UN General Assembly without a vote. The next step will be the organization of a signing ceremony, which is scheduled for Hanoi in Vietnam in the 1st half of 2025. After governments have signed the convention, national parliaments have to ratify it. After 40 ratifications have been deposited, the convention will enter into force. It will then become clear whether the expectations of this convention to drastically reduce cybercrime will be fulfilled. The continued existence of the Budapest Convention as an effective and alternative legal instrument will not be affected by the UN Convention.