Statement on the first annual progress report of the UN Open-Ended Working Group (OEWG)

Resolution 75/240 mandates the OEWG to submit, for adoption by consensus, annual progress reports to the United Nations General Assembly. In accordance with this obligation, the Chair published a Zero Draft of the first annual progress report of the Open-Ended Working Group (OEWG) on 22 June 2020 ^[1]UNODA, “Letter from the OEWG Chair,” June 22, 2022, https://documents.unoda.org/wp-content/uploads/2022/06/Letter-from-the-OEWG-Chair-22-June-2022.pdf as a starting point for the discussions, and a revised draft (Rev.1) on 20 July 2022 reflecting  preliminary views expressed by Member States. ^[2] UNODA, “Letter from the OEWG Chair,” July 20, 2022, available from:  https://documents.unoda.org/wp-content/uploads/2022/07/Letter-from-the-OEWG-Chair-20-July-2022.pdf  

Two consecutive versions were released in the course of the negotiations at the third substantive session of the OEWG held from 25 to 29 July 2022 – on 27 July (Rev.2) ^[3]UNODA, “Letter from the OEWG Chair,” July 27, 2022, available from:  https://documents.unoda.org/wp-content/uploads/2022/07/Letter-from-OEWG-Chair-27-July-2022.pdf.pdf and on 28 July 2022 (Final Rev.) ^[4]UNODA, “Letter from the OEWG Chair,” July 28, 2022, available from:  https://documents.unoda.org/wp-content/uploads/2022/07/Letter-from-the-OEWG-Chair-20-July-2022.pdf which considered the exchange of views during the session and aimed to draw countries closer to an agreement. The final annual progress report was adopted by consensus on 29 July 2022, and is intended to keep advancing the process  by confirming a shared understanding on priority areas as well as recommending the next steps to be taken in the upcoming sessions. A compendium of “Explanations of Positions” (EOPs) was attached to the final report, allowing States to outline their views on the adopted report. 

The CyberPeace Institute previously offered points for consideration on the draft reports ^[5] See the full statement here: CyberPeace Institute, “The OEWG First Annual Progress Report,” July 25, 2022, https://cyberpeaceinstitute.org/news/the-oewg-first-annual-progress-report/, outlining recommendations for the priority areas covered by the OEWG. These comments remain valid and relevant for the adopted annual progress report. In response to the consensus text, the following recommendations are put forward for consideration in forthcoming discussions:

1. Recognizing the value of multistakeholderism to the OEWG process 

The CyberPeace Institute welcomes the first annual progress report’s acknowledgment of the role of stakeholders in the OEWG process, including businesses, non-governmental organizations, and academia. However, the foreseen involvement of stakeholders remains limited in regard to the group’s areas of work. The text fails to recognise and capture the full scope and depth of contributions by different non-state actors in implementing the responsible state behaviour framework.  

The annual progress report includes references to stakeholders’ involvement in confidence-building measures (CBMs) and capacity building. On CBMs, the text outlines that “States could strengthen coordination and cooperation between States and interested stakeholders, including businesses, non-governmental organizations and academia.” It further adds that “States noted that stakeholders are already playing an important role through partnerships with States for the purposes of training, research, and facilitating access to internet and digital services.” This is an important acknowledgement as the group’s work on CBMs indicates progress and is foreseen to be further advanced through inter-sessional meetings. 

The report also outlines stakeholders’ involvement in capacity building, noting that “stakeholders are already playing an important role through partnerships with States for the purposes of training, research, and facilitating access to internet and digital services”. The document also states that the coordination and cooperation between States and interested stakeholders could be strengthened. However, this commitment is not reflected in the recommended next steps, despite stakeholders’ work towards an effective and sustainable capacity building process. A stronger commitment in support of multistakeholder engagement in this area is therefore needed. 

Disappointingly, the adopted version omits the reference to stakeholders’ contributions to addressing existing and emerging threats which was present in earlier drafts. The cyber threat landscape is rapidly changing and evolving with a rise in the frequency, sophistication, and intensity of attacks. These challenges need to be addressed in cooperation between all relevant actors. States can benefit from the research and operational expertise of the multistakeholder community. A range of stakeholders, comprising civil society organizations, industry actors, academia, and experts already play a role in exchanging technical information on the threat landscape, providing knowledge of how threats impact people’s human rights and security, and thus contributing to the understanding of the differentiated impacts of cyber threats. To illustrate this point, the CyberPeace Institute has been studying attacks against the healthcare sector ^[6]Cyber Incident Tracer #HEALTH,” CyberPeace Institute, accessed October 5, 2022, https://cit.cyberpeaceinstitute.org/ and humanitarian and development NGOs ^[7]CyberPeace Institute, “Submission on the Protection of the Humanitarian Sector,” July 13, 2022, … Continue reading that can inform discussions in this area. 

Stakeholders can advise and assist in the implementation of cyber norms by providing information about the gaps in current norms implementation and exchanging knowledge of the potential effects that these norms or their violations may have. The “Compendium of Multistakeholder Perspectives on Protecting the Healthcare Sector from Cyber Harm” ^[8] CyberPeace Institute, “Compendium of Multistakeholder Perspectives,” July 28, 2022, https://cyberpeaceinstitute.org/compendium-of-multistakeholder-perspectives/ prepared in partnership between the Government of the Czech Republic, Microsoft and the CyberPeace Institute presents a practical example of cooperation between States, industry, and civil society on advancing the implementation of UN cyber norms. 

In the same vein, stakeholders bring valuable contributions by informing discussions on the applicability of international law in cyberspace, and through this help to build common understandings of this issue. As an example, the CyberPeace Institute has been mapping and analysing the use of and attacks affecting Information Communication Technology Services (ICTs) and monitoring the harm to civilians from cyberattacks as part of its Cyber Attacks in Times of Conflict Platform #Ukraine ^[9]CyberPeace Institute, “Cyber Attacks in Times of Conflict Platform #Ukraine,” accessed October 5, 2022,  https://cyberconflicts.cyberpeaceinstitute.org . This and many other positive examples from the multistakeholder community illustrate the value of stakeholders’ contributions to the OEWG process. Accordingly, the work and engagement of the multistakeholder community should be reflected across the priority areas and detailed recommended steps for future actions.

2. Focusing on a human-centric approach to achieve peace and security 

There should be a focus on the need for a human-centric approach to peace and security in cyberspace, and a consideration of the disproportionate impact of cyberattacks on vulnerable groups. The text only includes a single reference to human rights, despite their importance being raised by UN Member States and stakeholders throughout the discussions. Particularly in the light of current global challenges, peace and security in cyberspace will require the acknowledgment of a human-centric approach to security of and in the use of ICTs to facilitate a more comprehensive understanding of the impact of cyberattacks on people. 

For example, cyberattacks on the healthcare sector impact the delivery of healthcare and medical services including when the sector has been  under extreme pressure  caused by the COVID-19 pandemic ^[10] CyberPeace Institute, “Addendum to the Strategic Analysis Report ‘Playing with Lives: Cyberattacks on Healthcare are Attacks on People,’” November 12, 2021, … Continue reading. Furthermore, in other vital sectors, such as the humanitarian and development sectors, NGOs are frequently targeted by malicious actors limiting their ability to provide critical services to populations and vulnerable communities ^[11]CyberPeace Institute, “Submission on the Protection of the Humanitarian Sector,” July 13, 2022, … Continue reading. The actions of the international community must aspire to safeguard the peaceful use of ICTs to protect communities and individuals alike, enable enjoyment of their rights and freedoms and guarantee their safety and security. In this regard, stakeholders have acquired a body of knowledge and specific expertise working with diverse communities and can be instrumental in discussions on maintaining international peace and security in cyberspace. 

3. Strengthening  inclusiveness and transparency

Overall, the annual progress report offers broad recommendations that outline the roadmap for future work of the OEWG. Whilst it is important to acknowledge the importance of achieving a consensus that affirms the value of the OEWG and captures the progress made in the discussions so far, States are encouraged to be more ambitious to advance peace and security in cyberspace, and to do so in collaboration with non-state actors. The report reiterates that the OEWG is committed to engaging stakeholders in a systematic, sustained, and substantive manner, in accordance with the adopted modalities. While this stipulation is important and indicative of future work, the OEWG has seen a veto to the participation of more than thirty organizations prior to its third substantive session. 

Procedural modalities shape the substantive discussions and the ways in which States interact with stakeholders. The fact that interested organizations could not participate in the first two sessions in a formalised manner, due to modalities ^[12] UNODA, “Open-ended Working Group on security of and in the use of information and communications technologies: Stakeholder information,” available from: … Continue reading for stakeholder participation, translated into their views and contributions not being fully represented in the report. The inclusion of the multistakeholder community helps to ensure that discussions on protecting secure and stable cyberspace reflect the realities on the ground and gives the process credibility. Meaningful multistakeholder consultation and involvement thereby necessitates a systematic inclusive approach and the need to promote transparency in the process. 

---