The UN groups operating in the Field of Information and Telecommunications in the Context of International Security — the Open-Ended Working Group (OEWG) and the UN Governmental Group of Experts (GGE) — have concluded their current missions in March and May 2021, respectively, and published their final reports (here and here). This article sheds light on the context of the work of these parallel groups and presents initial thoughts about the dual process and its outcomes, while questioning the approach that positions consensus as the be-all and end-all factor in establishing a framework to ensure security, and stability in cyberspace, and proposing a new direction of action.

From a Single Track to Parallel Tracks

Until 2019, the only authoritative track for assessing and recommending to the international community how to address the legal, technological, and political challenges of cyberspace in the context of international security was the GGE, operating under the auspices of the United Nations. Between 2004 and 2016, the UN General Assembly (UNGA) established five GGEs, which consisted of experts representing 15 to 25 UN member states, including the five permanent members of the Security Council (the P-5). The other representatives for each group were selected according to the UN equitable geographical distribution formula. Each GGE was required to reach consensus and submit its final report to the UNGA to serve as the basis for the next GGE.

The fourth GGE, in 2015, succeeded in extending the consensus reached by its two predecessor groups (2010, 2013) about the applicability of international law, in particular the UN Charter, to cyberspace. Its Final Report also included a list of eleven voluntary, non-binding norms of responsible state-behavior in cyberspace and explicit reference to four principles of international law (humanity, necessity, proportionality, and distinction) as applicable to state conduct in cyberspace. Although these principles are part of international humanitarian law (IHL), the term IHL was precluded from the final report at the interest of reaching consensus.

The fifth GGE, in 2017, held discussions against a background of intensifying disruptive and destructive cyber operations, such as Russia’s interference in the 2016 U.S. presidential elections, WannaCry and other state-sponsored cyberattacks directed against infrastructure facilities in the Gulf, Ukraine and other places. Based on the positive momentum achieved in the previous groups, the 2017 GGE was expected to further extend the international consensus and make explicit reference to specific fields of international law, such as IHL, the right of self-defense, state responsibility, and countermeasures, as also applicable to cyberspace.

By June 2017, however, the group failed to reach a consensus and the proceedings before it collapsed. In the absence of any attempt to revive the process during the 72nd Session of the UNGA, it seemed as if the GGE mechanism had completely exhausted itself.

Still, cyber powers and great power competitors such as the United States and the United Kingdom (UK) on one side, and Russia and China on the other, did not stop defending their strategic interests in cyberspace by promoting their particular legal and political views among UN Member States, while striving to reject or at least restrain the counterefforts of their political rivals. Russia was the first among the P-5 to propose in 2018 a substitute for the GGE – an Open-Ended Working Group (OEWG). Like the GGE, the OEWG operated on the basis of consensus, but unlike it, it was open to all UN Member States and even allowed any interested party from the private sector, academia, and civil society organizations to participate in the proceedings and express views on the relevant issues discussed. The OEWG’s mandate as described in article 5 of the UNGA Resolution was mainly:

to continue, as a priority, to further develop the rules, norms and principles of responsible behaviour of States…and the ways for their implementation; if necessary, to introduce changes to them or elaborate additional rules of behaviour; … and to continue to study, with a view to promoting common understandings, existing and potential threats… possible cooperative measures to address them and how international law applies to the use of information and communications technologies by States, as well as confidence-building measures and capacity-building….

The United States responded by proposing the resumption of the GGE, i.e., establishing the sixth GGE, comprised of 25 member states based on the UN equitable geographical distribution formula. Unlike the previous GGEs, the UNGA Resolution establishing the sixth group aimed for a more inclusive process: it instructed the GGE to hold consultation meetings and collaborate with relevant regional organizations and any member state who wishes to share its views with the group (without becoming a full member of the group). Although the resolution does not include a clear demand for consensus, it was perceived as placing the sixth group on the same old tracks, implying an expectation for consensus. Indeed, the final report – the advance copy of the GGE of 2021 – was consensus-based.

Although the updated name of the sixth GGE referred to “Advancing Responsible State Behavior in Cyberspace in the Context of International Security,” its general mandate is mostly similar to that of the OEWG. The UNGA Resolution described it (in article 3) as:

to continue to study, with a view to promoting common understandings and effective implementation… to address existing and potential threats in the sphere of information security, including norms, rules and principles of responsible behaviour of States, confidence -building measures and capacity-building, as well as how international law applies to the use of information and communications technologies by States, and to submit a report on the results of the study….

The upshot of these developments is that instead of concentrating on improving the GGE track, the UNGA established another track (the OEWG), in parallel to the first. This multiplication of fora was probably motivated by the diplomatic imperative of satisfying all major political actors. The voting results for the two UNGA resolutions support this assumption, since 77 states voted in favor of both resolutions.

The Final Reports – Initial Thoughts

Against that diplomatic backdrop, no one should have held his breath for any landmark breakthrough in the final published reports. Unsurprisingly, none of the reports include such a breakthrough.

Both reports are built on a framework already established in previous GGE reports (2010, 2013, 2015) and subsequent UNGA resolutions approving those reports. This framework relies on four major premises: First, acceptance that international law and in particular the UN Charter and the four principles of humanity, necessity, proportionality, and distinction are applicable to cyberspace and are essential to maintain peace, security, and stability in this domain. Second, all states should adhere to 11 voluntary, non-binding norms of responsible state behavior, recognizing that additional norms could be developed and added over time. Those non-binding norms coincide with international law and could not be implemented inconsistently with the law. Third, specific confidence-building, capacity-building and cooperation measures are recommended. Fourth, the engagement of regional international organizations, the private sector, academia, and civil society organizations is regarded as being of immense importance for developing and implementing appropriate measures to ensure peace and stability in cyberspace.

Despite the wide mandate given to each group – the GGE and OEWG – by the UNGA resolutions that establish them, both reports reveal a cautious approach. They mainly focus on voluntary, non-controversial issues such as encouraging states to enhance their cooperation in capacity building and confidential building measures (CBM) in order to meet the challenges in tackling existing and potential threats. Even more so, with one exception described below regarding a willingness to acknowledge the applicability of IHL, both reports avoid any statement or recommendation about rules, principles, or norms applicable to cyberspace that are not in line with those found in the fourth report (UN-GGE-2015).

Still, the sixth GGE’s final report (advance copy) states in art. 3 that “it sought to provide an additional layer of understanding to the assessments and recommendations of previous GGE reports, in order to provide guidance to support their implementation.” In fact, it appended a commentary to each one of the eleven non-binding norms of responsible State behavior and to other legal topics raised in the previous reports. But to gain consensus, such commentary has not purported to resolve persistent legal difficulties, such as those which Prof. Mike Schmitt skillfully described, but rather called for future studies and determinations. Only one legal issue found in that report appears to be an exception to this approach: IHL.

The fifth GGE (in 2017) failed to reach consensus in its work due to disagreement over the issue of explicitly acknowledging the applicability of IHL. Specifically, a Cuban written objection to a clear reference to IHL in the final report explained it “would legitimize a scenario of war and military actions in the context of ICT [information and communications technologies]” and justify the applicability of unilateral punitive sanctions and forceful action, including military action purporting to realize the right of self-defense. China, Russia, and other states within the same political alliance supported this view. One might have accepted this position as ideologically motivated if the 2015 GGE report had not already unanimously affirmed the applicability of the four principles of IHL (jus in bello) — humanity, necessity, proportionality, and distinction — though as noted above without using the term IHL. It had also specifically referenced the applicability of the UN Charter, which in fact includes basic principles of jus ad bellum – the prohibition on use of force under article 2(4) and the right of self-defense under article 51 — all of which have already been recognized also as reflecting customary international law.

During the sixth GGE, China and Russia softened their objection, accepting this formulation in art. 71(f) to the advance copy:

The Group noted that international humanitarian law applies only in situations of armed conflict. It recalls the established international legal principles including, where applicable, the principles of humanity, necessity, proportionality, and distinction that were noted in the 2015 report. The Group recognized the need for further study on how and when these principles apply to the use of ICTs by States and underscored that recalling these principles by no means legitimizes or encourages conflict.

This statement manifested a minuscule change compared to the OEWG final report. The latter does not include the term “International Humanitarian Law,” and like the sixth GGE report, highlights “that certain questions on how international law applies to the use of ICTs have yet to be fully clarified.” But the summary of the OEWG Chair refers explicitly to IHL and includes in article 12 a direct response to the Cuban rejection of June 2017 stating that “…States underscored that international humanitarian law neither encourages militarization nor legitimizes resort to conflict in any domain.”

This outcome may also reinforce the assessment that reaching a final consensus in the parallel tracks has become an important goal of its own. Comparing the statement made by Michele Markoff, the U.S. expert to the GGE, after the collapse of the fifth group with her recent statement substantiates a change in the American expectations and reinforces the same assessment about consensus as a goal. In June 2017, she stated:

Throughout the 2016-2017 GGE, I have sought clear and direct statements on how certain international law applies to States’ use of ICTs,… I sought such statements…, based on my strong conviction that the framework of international law provides States with binding standards of behavior that can help reduce the risk of conflict by creating stable expectations of how States may and may not respond to cyber incidents they face… (emphasis added)

She continued criticizing the draft report, which she argued did not “fulfill the mandate given to this Group by the UN General Assembly to study how international legal rules and principles apply to the use of ICTs.”

Four years later, with consensus on a final report achieved, the message has changed:

…all of you have expressed an extraordinary willingness to bridge differences in order to reach consensus and understand the need to strive for the balance of interests… we now have an intelligent, elegant, and comprehensive document that provides what…we were striving for – “additional layers of understanding” building on a decade of work…. We have reinforced that these recommendations and this framework of responsible state behavior… cannot be fully realized without the essential addition of capacity building….

Such essential capacity building may refer to technological capacity and multinational cooperation. However, a consensus-based comprehensive legal framework responding to the question “how international legal rules and principles apply to the use of ICTs”? (from the 2017 U.S. statement) is also necessary. But was there a real “willingness to bridge differences” in the sixth GGE? And is the final report truly a “comprehensive document”? I do not think so. In the interest of finding consensus, all the difficult legal questions have been postponed for future groups to address. Only one issue was resolved, and it did not move the needle much on substance. The question why the compromise formulation on IHL could be adopted in 2021 and not in 2017 should be addressed to experts in international relations, who may refer, among other things, to differences in the political climate and circumstances, then and now.

As noted, the two-track strategy might have been selected for pleasing the great powers. Relatedly, the consensus-based approach in both tracks, and the participation of the P-5 in each track ensured that they both embrace equally conservative or progressive positions. Indeed, no track substantively achieved more or less than the other and no elements found in their final reports contradict one another. In fact, both reached consensus while glossing over differences of opinion about the state of international law.

In any event, the reports are non-binding in nature, as is manifested in their drafting. The word “should,” for instance, appears 23 times in the OEWG report and 37 times in the sixth GGE report, whereas the word “must” does not appear in the former and appears only 3 times in art. 71 of the advance copy of the latter. This article which includes binding language reiterates statements from 2013 and 2015 which were, and still are, legally impractical: “States must not intervene directly or indirectly in the internal affairs of another State, including by means of ICTs.” “States must meet their international obligations regarding internationally wrongful acts attributable to them under international law” and “States must not use proxies to commit internationally wrongful acts using ICTs….” Ultimately, if the question of how basic rules and principles of international law, such as the rules of attribution, sovereignty and due diligence, apply in cyberspace is still politically and legally unresolved, then broadly-formulated rule-based statements and other norms in the eleven-norm list remain non-enforceable. Their implementation remains in fact subject to the good will of responsible cyber powers.

Instead of grappling with that challenge of converting the 11 non-binding norms or at least some of them into more binding and enforceable norms, the sixth GGE focused as noted on “additional layers of understanding building on a decade of work” (from the U.S. 2021 statement). Thus, despite these additional layers, President Biden has already found himself compelled to warn his Russian counterpart twice in a month, during a meeting at the outset of June and in a phone call on July 9th in the wake of “the largest known ransomware attack to date” (Kaseya) carried out by Russia-based hackers. The President summarized that call phone as follows: “I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is.” The President also re-affirmed the possibility of generating consequences, presumably, if the warn does not bear the expected fruit. President Biden is the third U.S. president who personally warned Putin about Russian violations of norms included in the eleven-norm list since its creation by the fourth GGE (in 2015).

This remark has not been made as a form of provocation, but rather to underscore the serious impact which the lack of comprehensive and enforceable legal framework has on international stability, especially in situations where cyber powers pursue their own strategic interests at the expense of other cyber powers. It has already been suggested that cyber powers have been employing flexible ambiguity and interrelated political strategies (using international law as an optional policy avenue, pursuing parallel non-legal norms and resorting to gradations in law enforcement – for further elaboration see this article) when operating under conditions of normative uncertainty and lack of effective enforcement mechanisms. This is even more so the case where states have doubts as to what contents of international regulation would best serve their interests in cyberspace.

Such considerations dictate the scope of ambiguity a cyber power embraces in relation to its actual practices and what is considers to be suitable framework for regulation of cyberspace. They may also explain why those superpowers are, thus far, reluctant to clarify how international rules should apply and what would be the legal requirements and measures to substantiate accusations and punish, where appropriate, states, including cyber powers, who participated in establishing the consensus norms but ostensibly do not adhere to them in practice.

Still, some progress can nonetheless be identified in the process before the two UN groups. Aside from the commentary to the 11 non-binding norms, the most important achievement of both groups is the engagement of all relevant players who were ready to collaborate and contribute to the entire process: every UN member state, regional organizations, major players from the private sector, academia, and civil society organizations. Indeed, many of them have contributed by participating and submitting their views about the topics of discussion. Such exchange of views and ideas is essential for developing the kind of international political and legal dialogue that make the consensus framework more practical and effective. Furthermore, encouraging states to exchange views and information and to publicly clarify their stances relating to legal dilemmas as a form of opinio juris, as well as encouraging more transparent state practice, may have significant weight in establishing customary international law in the future.

The Way Ahead

In December 2020, the UNGA adopted Resolution 75/240 renewing the mandate of the “OEWG on security of and in the use of information and communications technologies 2021-2025.” During its upcoming 76th Session, the UNGA is expected to separately adopt each final report and decide on establishing the seventh GGE and approve the plan work of the OEWG for 2021 through 2025.

In parallel the, UNGA may also be required to address a proposal of establishing a Program of Action (PAO) acting on a proposal made to the OEWG by France and 40 states including the EU. It could be advanced as an alternative to both or one of the groups or as an add-on to both. Still, it reflects low expectations from the current tracks.

Such low expectations are not surprising also in light of the recent developments in the related field of countering cybercrime. Back in 2001, the Council of Europe succeeded in establishing the first binding international convention on cybercrime which entered into force in 2004 (The Budapest Convention – as of July 2021 it has 69 member states including the U.S. the U.K. and France and excluding Russia and China). However, 15 years later Russia initiated a controversial process under the auspices of the UNGA to replace this convention by a UN treaty which in general coincides with Russian positions about application of international law in cyberspace. The process is still pending.

The consensus-based approach and the experience with the formats of the new OEWG and the GGE depicted above do not leave much room for optimism about the ability and the will of the major cyber powers to effectively regulate cyberspace. Furthermore, the outcomes of the two UN groups and the lack of trust between these powers reinforce the assessment that the groups are unsuitable to meet the urgent regulatory challenge by resolving substantive differences and setting clear, reasonable and enforceable international rules for cyberspace. Consensus is the optimal way to meet the challenges of lawlessness in cyberspace, but the odds of reaching consensus on binding international rules which restrict the leeway available to cyber powers are minuscule and the time to reach consensus is not and cannot be endless. Evolving technologies along with increasing threats and risks, in scope and seriousness, require a universally agreed upon legally binding framework, however, reaching consensus may be politically impractical, if it proves impossible to bridge differences and resolve hard legal questions, then the alternative of creating a broad-as possible, but short of universal, agreed upon binding international law framework should seriously be considered.

More explicitly, the United States, along with other like-minded Western states, would be well-advised to launch as soon as possible a collective process for mapping all current and would-be differences regarding international cyber law, thoroughly analyzing them, and reaching consensus if and how to resolve each one of them. The outcome of this process could be built upon further and result in more like-minded states joining the agreed upon framework and even in the adoption of a broad- new international convention. The sooner this process takes place the better.