Are global agreements between opposing camps still possible in today’s polarized world full of conflicts? In some parts of the digital world, this is obviously the case. In the last six months, UN’s cyber diplomacy has achieved three notable successes:

• In May 2024, states agreed to set up an international reporting system for cyber attacks. This so-called “Point of Contact” mechanism (PoC) is intended to function like the “red telephone” between the nuclear powers.
• In August 2024, the 193 UN states adopted the text of an “UN Convention against Cybercrime.”
• And on September 23, 2024, at the UN Future Summit in New York, the heads of state and government signed a “Global Digital Compact” that describes a “digital future for all” on 17 pages.

The consensus, reached after years of negotiations, is remarkable. It signals that, despite all geo-strategic confrontation, there are ways to agree on common guidelines for global problems, problems that do not recognize the boundaries of time and space. However, the consensus also raises questions about the resilience of the compromises. The agreed rules are often vaguely formulated and allow for very different interpretations, and only time will tell whether they contribute to a safer and more peaceful world.

The digital “red telephone”

The least problematic is the PoC mechanism. In fact, this is not a new idea. Such a procedure, whereby a government that discovers a cyber attack has a contact person with a telephone number in the country that could be the starting point of the attack, has been practiced within the OSCE for years. It has basically proven itself. But the OSCE has 53 members. This new system now includes all 193 UN member states. It is also linked to so-called “capacity-building measures” that are intended to help developing countries, particularly developing the instruments necessary for effective cyber defense.

The PoC mechanism was developed by an “Open Ended Working Group” (OEWG). Since 2020, the OEWG has been dealing with the application of international law in cyberspace under the umbrella of the 1st Committee of the UN General Assembly (UNGA), which is responsible for international security issues.

The OEWG mandate expires in 2025. The upcoming 79th UNGA has various proposals on the table as to how the issue of cybersecurity should be dealt with within the UN in the coming years. But here, new difficulties and controversies are on the table. Russia and China want a new permanent institution, something like a “UN Cybersecurity Committee” under the “UN Office for Disarmament Affairs” (UNDA). The Western countries want to have a “Programm of Action” (PoA). Their argument is that implementation of the eleven principles of cybersecurity, adopted in 2015, should have priority before creating new bureaucracies.

Another controversial issue in the OEWG is the inclusion of non-state actors in cybersecurity policy development. There is a broad consensus now that Internet-related policy issues should be handled on the basis of a multistakeholder approach. But for many governments, this commitment is just lip service. Although the private sector manages the majority of the networks and there is a lot of knowledge and wisdom in the technical community, in civil society and academia, some governments do not like to sit next to non-state actors. For autocratic governments, it is the government that has to play the central and only role.

Convention against Cybercrime

The negotiations on the UN Convention against Cybercrime were more complicated. The idea goes back to a proposal from Russia in 2019. Since then, an “Ad Hoc Committee” (AHC) under the 3rd Committee of the UNGA, which is responsible for human rights issues, has been negotiating such an agreement, alternately in Vienna and New York. The annual damage caused by cyber criminals runs into the hundreds of billions of dollars. Every year! It is clear to everyone that something has to be done. However, it is also clear that no country can do this alone in borderless cyberspace.

Western countries originally proposed that all UN members join the Budapest Convention against Cybercrime. This treaty was negotiated by the Council of Europe in 2001 and is open to all UN member states. It regulates quite precisely what constitutes a crime in cyberspace and how law enforcement authorities can work together across national borders.

Countries in the global south, such as India and South Africa, however, complained that they were not involved in the drafting of the Budapest Convention. They, therefore, supported the Russian proposal to develop a universal UN instrument. The Budapest Convention now has over 70 members, including African and Latin American states such as Brazil. However, that is only a third of the UN members. Indirectly an invitation to cyber criminals to seek “safe havens.”

The contentious points of the AHC negotiations from the outset were the definition of crimes in cyberspace and the safeguarding of legal procedures in cross-border criminal prosecutions, based on the rule of law.

Russia and China wanted to expand the catalog of crimes beyond the intrusion and manipulation of networks and, for example, introduce the dissemination of terrorist and illegal information on the Internet as a cybercrime. The West, on the other hand, rejected a blanket criminalization of the distribution of information content on the Internet.

In the prosecution proceedings, the West was primarily concerned with incorporating safeguards to protect human rights into the treaty. The fight against cybercriminals must not lead to the undermining of fundamental freedoms and human rights, such as the right to freedom of expression or the protection of privacy. Whistleblowers, journalists and academics, the so-called “white hackers” who check networks and databases for vulnerabilities and then report them, thus increasing cybersecurity, should also be protected.

The result is a treaty where agreement was reached on the lowest common denominator. Definitions are vague, safeguards are weak, and it has to be seen how the agreed procedures will be used or misused when the convention enters into force, which can take a couple of years.

From the outset, the negotiations were critically monitored by civil society and business. In the eyes of non-governmental observers, the convention would do little to reduce cybercrime but would give authoritarian states the opportunity to legitimize censorship and surveillance by invoking international law. In a statement on September 16, 2024, the Advisory Network of the “Freedom Online Coalition” (FOC), a multistakeholder network with 41 member states, mainly from western countries, recommended rejecting the new treaty. “The mission of the FOC is to promote a rules-based, democratic, and inclusive world where human rights and fundamental freedoms are upheld in online and digital contexts. In order to uphold that mission, we strongly urge the FOC members to coordinate on calling for a vote on the treaty, reach out to other, non-FOC, like-minded governments, and vote against the treaty’s adoption at the UNGA”.

The approval of the final text by Western governments in the August session of the AHC was not least a concession to the states of the global south. Close cooperation with the global south plays a major role in the US international cyber and digital strategy adopted in May 2024. The principle of “digital solidarity” is paramount there. The argument was that these “swing states” must not be driven into the hands of China or Russia on the global stage.

The convention must now be adopted by the upcoming 79th UNGA. If it gets a majority, the convention is open for signatures. It will enter into force after the 40th instrument of ratification has been deposited. Only then it will become clear whether the expectations of this convention to drastically reduce cybercrime will be fulfilled. If not, the Budapest Convention continues to offer an alternative with probably a more effective set of instruments.

Global Digital Compact

The discussion on the “Global Digital Compact” (GDC) was similarly complicated. The idea of drawing up a paper with guidelines for the digital future came from UN Secretary-General Antonio Guterres. At the celebrations for the 75th anniversary of the UN in 2020, he was commissioned to host a world summit for the future of the planet. This future is, of course, digital. In this respect, it was obvious to include digital issues as a key element. “Digital” was seen as so important that the idea emerged to draft a standing “Global Digital Compact” as an annex alongside the “Future Pact”.

The GDC contains 13 guidelines and defines five goals for the digital future. Both the “Pact on the Future” and the “GDC” were adopted by the 193 heads of state and government in New York on September 23, 2024. Like the Future Pact, the GDC is not legally binding but is intended to provide governments with guidance.

The final GDC text contains laudable declarations of intent. The digital divide is to be overcome. The 2.5 billion people who are still offline are to have access to the Internet by 2030. The digitization is to be closely linked to the realization of human rights. Digital transformation has to support the UN’s Sustainable Development Goals (SDGs). There is a need for “data governance” and rules for cross-border data flow. With artificial intelligence, the risks are to be minimized, the opportunities maximized, and a new North-South AI divide is prevented from emerging. There are recommendations on data integrity, cybersecurity and the development of the digital economy.

The problem with the GDC, however, was that most of its topics have been the subject of negotiations for years. In 2005, the UN hosted a World Summit on the Information Society (WSIS), and since then, there has been an agenda with 16 Action Lines that has been gradually implemented. For example, an Internet Governance Forum (IGF) was created for the Internet. There, governments, together with businesses, civil society, and the technical community, discuss solutions to all problems related to the Internet - from the Internet of Things to Internet shutdowns, from broadband access to eCommerce, from cybersecurity to artificial intelligence.

The GDC negotiations were, therefore, viewed with some suspicion by the Internet community. There was a fear that the duplication of processes would reduce resources to make substantial progress in promoting the global digital transformation. There was a fear that the establishment of new institutions would create more bureaucracies and less practical actions. And there was a fear that achievements of the last 20 years, such as the recognition of the multistakeholder principle in the development of global Internet policies, would be undermined.

The multistakeholder principle states that in decisions affecting the Internet, all those affected and involved - governments, businesses, civil society, and the technical community - must be involved in accordance with their respective roles. The concern was that those governments that favor a more state-controlled Internet could use the GDC negotiations to change the balance between governments and non-governmental representatives in Internet governance in favor of governments.

The final text, which is now available after numerous revisions, maintains the balance, albeit with very flowery wording. The GDC calls for an “open, global, interoperable, stable and secure Internet (paragraph 26). The GDC recognizes that “Internet Governance must continue to be global and multistakeholder in nature” (paragraph 27). No new intergovernmental fora for “digital governance” were created, as originally intended. The role of the existing IGF as the “primary multistakeholder platform for discussion of Internet Governance issues” (paragraph 28) was reaffirmed . However, the IGF was not strengthened. It will continue to be dependent from “voluntary contributions” (paragraph 29b). Instead, the UN TechEnovy has now received a new office in New York to support the implementation of the GDC. In other words, more “New York” and less “Geneva”.

The debate between “multilateralism” and “multistakeholderism,” between “enhanced intergovernmental cooperation” or “enhanced stakeholder cooperation,” and between an “open” or a “closed” Internet, will therefore continue. The review conference of the UN World Summit on the Information Society (WSIS+20) is scheduled for 2025. At WSIS+20, a decision has to be made on the future of the IGF, whose mandate expires in 2025.

An important part of the GDC deals with artificial intelligence. New committees and processes are planned. For example, an “International AI Science Council” is to be founded, based on the model of the UN Climate Council. And a global dialogue on AI governance is to take place twice every year, within the framework of the UN and its specialized agencies such as ITU and UNESCO. The adoption of the GDC coincided with the presentation of the final report of the UN High-Level AI Advisory Body”. Some of the recommendations of this expert group have made it already into the GDC. High speed for UN processes. However, it will take time to see how all this will be implemented. For 2027, the first GDC review conference is envisaged.

It will now depend on the affected and involved stakeholders to use the new instruments, processes, and dialogues to make progress in the right direction. This is again a time for innovation and creativity in digital policymaking. There is no way back into the analog world with its “bordered places.” In the “unbordered cyberspace, everyone is in the same boat. The mutual dependencies will not disappear, even with increasing political and geo-strategic confrontation. Already in 2019, another UN expert group on digital cooperation, the so-called “High Level Panel” (HLP), acknowledged, that we live in the “Age of Cyber-Interdependence”. The GDC is now a call for action every day. If our digital future is not designed and built constructively, it can lead to a dangerous downward spiral.

What next?

The forthcoming 79th UNGA has a broad agenda with cyber and digital issues. The 1st committee will discuss the “Annual Progress Report” (APR) on cybersecurity of the OEWG Chair, Ambassador Burhan Gafoor from Singapur. It will also discuss the future of the OEWG. The 2nd committee has to clarify the plans for the WSIS+20 review conference. And the 3rd committee has reports from the Human Rights Council (HRC) on freedom of expression and privacy as well as the cybercrime convention on its agenda.

But it will be more than “digital business as usual.” There is a growing risk that confrontation in the real world will spill over into cyberspace and go out of control. The GDC says in paragraph 4 that it “sets out the objectives, principles, commitments and actions…in the non-military domain”. But what about the military domain?

Last year, the Austrian government initiated a discussion on autonomous weapon systems (AWS) in the UN. UN Secretary-General Guterres was obliged to produce a report. The report, with opinions from more than 70 UN member states, was delivered in July 2024. The report notes that several States found the targeting of humans by autonomous weapons and, in particular, the “delegation of the decision to take a human life by machines” to be unethical. The use of AWS “could lead to the loss of dignity and dehumanization, which could result in unjustified violence and civilian casualties.” States recommended a legally binding instrument on AWS. The report also says that “time is running out for the international community to take preventive action on this issue.” Guterres wants to have a binding treaty until 2026.

The Austrian government will host a workshop on this issue at the forthcoming IGF in Saudi Arabia in December 2025. The IGF in Riyad is also the first opportunity to discuss GDC outcomes in a multistakeholder environment and ideas on how to structure the WSIS+20 process. And in December 2024, the world will also know the results of the US elections.

When US security adviser Jack Sullivan visited China in August 2024 and met with Foreign Minister Wang, the issue of avoiding an escalation in cyberspace was also on the agenda. President Biden and President Xi may meet in November 2024 on the sidelines of the G20 summit in Rio de Janeiro. At their last meeting in San Francisco in November 2023, they agreed to start bilateral AI consultations. The first round took place in Geneva in May 2024 behind closed doors. Will this continue? And what could be the perspectives if a new administration in the White House has to handle the issue after January 2025?

The small successes of cyber diplomacy in 2024 cannot, of course, hide the fact that the risks of global confrontation have reached cyberspace. In March 2024, the US news magazine “Time” called the war in Ukraine the “1st AI World War” in history. Latest developments in the Middle East have demonstrated that a “cyberwar” can go as far as into the pockets of individuals. And no one knows where an unbridled AWS arms race could lead.

90 years ago, when governments in the League of Nations discussed the role of cross-border communication in world politics in the 1930s, they agreed on a “Convention on the Use of Broadcasting in the Interests of Peace” in Geneva in 1936. In 1936, Germany had already left the League of Nations. The US was never a formal member. However, there was hope among the member states of the League of Nations to contribute with such an agreement to a peaceful future. The Geneva Radio Peace Pact came into force on August 31, 1939. On September 1, 1939, World War II began.