One of the most important venues for shaping cyber diplomacy in the coming years will be the United Nations (U.N.) First Committee Open-ended Working Group (OEWG) 2021-2025. There, countries who support both multi-stakeholderism and the implementation of norms on responsible behavior in cyberspace have been outpaced by Russian diplomatic initiatives. The Programme of Action (PoA), a proposal initiated by France and Egypt, and supported by EU member states amongst others, represents an opportunity to put forward an alternative approach to state behavior in cyberspace based on multi-stakeholderism, capacity-building, and democratic norms. Nevertheless, the PoA has not advanced significantly since it was publicly announced in Oct. 2020 due to bureaucratic inertia and conceptual vagueness in its founding document.

In order for the PoA to succeed, states which support this initiative will have to outline in far greater detail the substance of the PoA and make a persuasive case why it should be the preeminent body to handle cybersecurity issues at the United Nations. This article aims to clarify important points which could strengthen the PoA and allow it to gain more widespread international acceptance.

Vagueness in the PoA Founding Document

The PoA primarily focuses on the implementation of already-agreed upon norms of responsible state behavior in cyberspace established in the 2015 Group of Governmental Experts (GGE) report. The PoA aims to articulate an alternative vision on responsible state behavior in cyberspace to the Russian-sponsored 2019-2021 OEWG, which passed by a large majority under Resolution 73/27.

In October 2020, 42 countries submitted a short document laying out the PoA. The idea behind the PoA was to institutionalize cybersecurity negotiations at the United Nations. The PoA would “establish…regular institutional dialogue with broad participation under the auspices of the United Nations.” The PoA’s major aim was to advance cybersecurity by going beyond the discussion and into the implementation phase of the 11 voluntary non-binding norms that were agreed upon in 2015 and re-endorsed in 2021, including: norms regarding the protection of national critical infrastructure, state co-operation against cyber attacks, efforts to protect the integrity of supply chains and counter malicious cyber tools and techniques, as well as cybersecurity assistance.

In addition to the core goal of implementing the above-mentioned norms, the PoA document has laid out five objectives, each of which are conceptually vague.

1. Establishing the PoA

Since the publication of the PoA, no visible advancement has been made regarding its aim “to agree the modalities of a “Programme of Action,” and implementation and follow-up measures that could then be endorsed by a U.N. General Assembly resolution.” No modalities have been agreed upon yet. The OEWG and GGE final reports published in 2021 only mention that the PoA should be elaborated on further at the OEWG. Furthermore, it is still unclear what level of support the PoA co-sponsoring countries wish to obtain in the United Nations, if they decided to submit it to the U.N. General Assembly for a vote or when this could potentially be.

2. Working-Level Meetings

The PoA document mentions that the PoA would have working meetings once a year that would be focused on the implementation of norms. The National Survey of Implementation of UNGA Resolution 70/237 “could be used as a tool by States to support their participation in these meetings.” This survey asks countries what measures they have taken to implement the agreed upon 11 norms of responsible state behavior. Fundamentally, it is meant to help countries assess their progress on implementing norms. National surveys should be submitted every three years or parts of the surveys may be submitted on an annual basis.

The problem concerning this section of the PoA document is that it does not specify how member states with limited human resources and capacity will be able to fill out the “national survey,” the proposed basis for the working-level meetings intended to track the progress of norm implementation. It is also not clear whether these meetings should take place under U.N. auspices. Furthermore, it is not specified whether the working-level meeting would only be among co-sponsoring countries or include all countries and non-state stakeholders, nor are the modalities of the proposed meetings clear (i.e. should each meeting focus on one norm only?).

3. Capacity-Building

The third objective of the PoA is that capacity-building should be a core aspect. The PoA should specify, however which capacities specifically are needed and how it will prioritize cybersecurity norms. The PoA document could have stated, for example, that the initial priority would be to establish “Points of Contact”—these are designated personnel, which states can turn toward to engage in information sharing—among U.N. member states “at the policy and technical levels to address serious ICT incidents and the creation of a directory of such contacts” (paragraph 16.a 2015 GGE report).

4. Review Conferences

Yet another aim of the PoA is to have regular Review Conferences every five years, which should ensure that the PoA continues to reflect evolving threats and needs. In this format, new voluntary non-binding norms could be discussed. The document does not articulate what these norms could be. While it is understandable that PoA-supporting countries want to first focus on the implementation of existing norms, the PoA could nevertheless voice specific voluntary non-binding norms that it could envision emerging in the future. One such voluntary non-binding norm could be increasing the transparency of national cyber attribution frameworks, which would add trust to intergovernmental relations by laying out government decision-making in a more transparent way.

5. Multi-stakeholderism

The PoA also mentions the intent to prioritize engagement with all stakeholders, including civil society, NGOs, regional organizations, private companies, and representatives of other U.N. processes. Given the difficulties of including multiple stakeholders at the OEWG 2021-2025, a clear proposal of how stakeholders (e.g., the Global Forum on Cyber Expertise also known as GFCE) could be engaged and how current stalemates could be overcome is lacking. Supported of the PoA should clarify, for example, the role that stakeholders will play in the process.

Nothing New on the PoA During the First Substantive Session of the OEWG 2021-2025

This December, during the first substantive session of the OEWG 2021-2025, the PoA was mentioned several times. The Netherlands indicated that the group of co-sponsors has risen from 42 to 54. However, this list of countries has not been released publicly for unspecified reasons.

Interestingly, China has also voiced its support for the PoA during the discussions, but in the context that the PoA could eventually facilitate the creation of a legally binding instrument. The initial co-sponsoring countries of the PoA, however, have asserted that existing international law is sufficient and that the norms established in the 2015 GGE report, which would form the basis of discussion on implementation in the new PoA, should remain voluntary and non-binding. In short, as it stands, the lack of further information about what the PoA entails makes it easy for authoritarian-leaning states to exploit the idea for other purposes.

Other countries have emphasized regional action-oriented initiatives. Both Thailand and Brunei Darussalam (on behalf of Association of Southeast Asian Nations (ASEAN) countries) have promoted ASEAN’s plan of action on the implementation of norms of responsible state behavior in cyberspace. Others have referred to measures taken at the Organization for Security and Co-operation in Europe (OSCE). It is unclear how the PoA would relate to such regional initiatives. One of the 16 OSCE Confidence-Building Measures (CBMs), for example, states that participating countries should exchange information on capacity-building. Here, the OSCE’s CBM would potentially overlap with the PoA’s tracking of capacity-building and norm implementation through the National Survey of Implementation.

For its part, Israel mentions that it supports action-oriented proposals, but, at the same time, the country remains skeptical to the abstract nature of the PoA:

“As to the proposal of France and Egypt on a program of action for advancing responsible state behavior in cyberspace, Israel thinks the idea is interesting and merits a serious consideration. At this stage, however, Israel feels it is premature to adopt a position on this proposal, since the modalities and characteristics of such a mechanism are not clear yet and need to be elaborated.”

Other countries in the December meeting that raised the PoA were Colombia, Estonia, Finland (on behalf of the Nordic countries), the Netherlands, the UK, and many others, but none added any new details as to what the PoA would entail.

How to Strengthen the PoA

If information on the PoA continues to surface at this pace, the initiative will not represent a serious alternative to the OEWG or other cyber diplomacy initiatives that may arise in the next year or two. To move forward, PoA-supporting countries must be more transparent and specific about their goals by implementing the following steps:

  • The PoA should be established under U.N. auspices to demonstrate its potential to replace the OEWG, which also takes places within the U.N. institutional framework, and the inclusiveness of the process.
  • The PoA will work toward integrating the ASEAN action plan, and potential other initiatives, such as OSCE CBMs, GFCE outputs in a coherent way into the PoA workings.
  • The primary focus of the PoA will be on the yearly working-level meetings (i.e., the implementation of norms, capacity-building). The development of new voluntary non-binding norms will not be reduced in importance by being discussed only every five years during the Review Conferences. Instead, such discussions will be included at the end of each working-level meeting. By giving the discussion of new norms a more central role, it might be easier for the PoA to replace the OEWG and GGE, whose primary missions have been to define new norms.
  • Furthermore, it should be clearly stated that the National Survey of Implementation will be fundamental to the norm implementation goals of the PoA insofar as the survey will serve as the basis for discussion on the PoA and later on for the content of working-level meetings.
  • The challenges of norm implementation and the expertise required for it will further strain the capacity of diplomats of participating in U.N. meetings. The PoA will ensure that filling out the survey will not further divest resources from disadvantaged UN member states who already have difficulty deploying diplomats to forums such as the OEWG. Cyber capacity-building assistance will be provided to those countries that require support with the completion of national surveys.
  • The PoA co-sponsoring countries are aware of the challenge of including multi-stakeholders. The aim will be to take on board states who may not share all of the same values as the current co-sponsoring countries. A compromise may be found if multi-stakeholders are thematically clustered per topic (e.g. cybersecurity, human rights) and then invited to provide their opinion on state consultations. The creation of clusters of multi-stakeholders may make it more difficult for authoritarian-leaning countries to write-off multi-stakeholder participation entirely and allow them to focus on topical areas that they might find engagement useful (e.g. the cybersecurity of national critical infrastructure).

Acknowledgements: The author would like to thank Isabella Brunner for her insightful comments that significantly contributed to this article.

Image: 3D rendering of cyber security (via Getty Images).