The UN’s Permanent Process on Cybersecurity Faces an Uphill Battle

In July, the United Nations Open-Ended Working Group on security of and in the use of information and communications technologies (ICTs) reached consensus on a permanent mechanism to address responsible state behavior in cyberspace. Following six rounds of time-bound groups of governmental experts (GGEs) and two open-ended working groups (OEWGs), this new process under the First Committee—addressing disarmament and international security—will commence in March 2026 with an organizational session at the UN headquarters in New York.

The single-track “Global Mechanism” was agreed upon with relative ease after no delegation broke consensus on the third draft presented by the chair as a compromise package. The swift decision reached in the morning of July 11 stood in sharp contrast to several years of last-minute suspense preceding each interim report, created by Iran and Russia’s insistence that their views be featured more prominently.

At first glance, multilateralism defied the odds on the cybersecurity issue amid a challenging geopolitical situation. The surprise agreement recalled a similar moment less than a year ago, in which the Ad Hoc Committee successfully negotiated the first UN cybercrime convention.

Consensus agreements, though, come at a price. The underlying friction, caused by two competing proposals—the Programme of Action, led by France, and Russia’s call for a binding cybersecurity treaty—was largely left unresolved. The official name of the permanent mechanism is the “Global Mechanism on developments in the field of ICTs in the context of international security and advancing responsible State behaviour in the use of ICTs”—a mouthful even for senior diplomats. Similarly, the UN Convention against Cybercrime has an addition to its name: “strengthening international cooperation for combating certain crimes committed by means of ICT systems and for the sharing of evidence in electronic form of serious crime.” These verbose titles are not accidental. Today, consensus-based decision-making at the UN arises not from a shared vision or reasonable compromise but, rather, from the accommodation of opposing views—often reflected in lengthy titles—that make the implementation of agreed commitments difficult, if not impossible.

The Global Mechanism

The Global Mechanism will assume the mandate to negotiate and advance the framework of responsible state behavior in cyberspace, addressing cyber norms, application of international law in cyberspace, confidence-building measures, and capacity building, with a few important changes. The process will be organized around a plenary substantive session and dedicated thematic groups, each taking place for five days per year.

This is a considerable contraction from the previously agreed-upon three weeks of OEWG sessions. States have been calling for less negotiating time and more hybrid formats for several years; engaging in extensive discussions in New York is a burden to limited budgets and already stretched subject matter negotiators, especially for developing countries. While the plenary session appears to be a repeat of the OEWG formula—a seemingly interminable string of member-state statements on each of the core pillars, with little opportunity for real debate—the informal and hybrid thematic group format may allow for more engagement, greater participation, and more action-oriented results.

However, the two agreed-upon, broadly scoped working groups are hardly conducive to thorough deliberation of the many issues on the Global Mechanism’s agenda—and it is unclear how they will inform the plenary discussions or lead to meaningful deliverables. Initially, several Western countries proposed crosscutting topics in the thematic groups to better fit the dynamic nature of cyber threats. The French took an early lead on this issue, requesting groups focused on building resilience of cyber ecosystems and critical infrastructure, cooperating in the management of ICT-related incidents, and preventing conflict and increasing stability in cyberspace to provide concrete recommendations for states. In the end, only two working groups were agreed to—the first a somewhat amorphous amalgamation of all the issues, and the second focused on capacity building.

A key attribute of the Global Mechanism is that, like the OEWG, it is a consensus-based undertaking in terms of both process and substance. This is not surprising since neither the Western like-minded states nor the Russia and China-aligned countries want to risk a vote that they may lose. Nevertheless, the stark divisions between the two camps that previously locked the OEWG in stagnation will continue to hamper any tangible progress on core elements—voluntary nonbinding norms and international law—in the new mechanism, as long as consensus is the only principle used to make decisions. This is a recipe for failure that hands a strategic victory to Russia, China, and their ilk.

Norms and International Law

While UN member states agreed on the norms of responsible state behavior and the applicability of international law in cyberspace as early as 2015, progress on these issues has been sporadic and has even regressed in some respects. The adequacy of existing cyber norms was challenged by a small group of countries led by Russia, and supported by Belarus, Iran, Nicaragua, Venezuela, Cuba, and a few others. The same countries blocked the chair’s checklist on cyber norms, which others viewed as a welcome step in advancing practical implementation. Instead, Russia has argued that the UN should start a new negotiation on legally binding commitments, as opposed to the current politically binding norms, and proposed draft text for a new convention.

However, if past is prologue, it is doubtful that any “binding treaty” or binding obligations would lead to greater compliance by countries; quite the opposite. States that routinely violate political commitments also violate binding treaties—both in the “real world” and in cyberspace—without accountability. Moreover, renegotiating previous agreements on norms and stability in service to a shiny new treaty will only call into question 20 years of cyber diplomacy, allow authoritarian countries to pick and choose what they like, and undermine cyber stability.

The silver lining here is that a new treaty proposal is extremely unlikely to advance in the new consensus mechanism, given strong opposition by many states. (Although that does not preclude Russia from making such a bid in the First Committee or the General Assembly as it did with the Cybercrime Convention.) But, as for now, it appears that most developing and middle-ground states are unwilling to engage in a new treaty negotiation, in part because of their aversion to any multi-track process on these issues.

Progress on the application of international law in the OEWG has been glacial, and it likely will not fare much better in the Global Mechanism thanks to its reliance on consensus-based decision-making. Russia repeatedly undermined the full and automatic applicability of international law to the use of ICTs and called for the creation of a “universal and fair international legal regime” for regulating the information space. Other countries proceeded with joint papers on the application of international humanitarian law, and the final report also acknowledged the growing use of cyber capabilities in current conflicts with negative impacts on civilian infrastructure and populations. Yet the consensus language does not include references to this body of law; China and Russia consistently blocked such references, opining that their mere mention was a way to legitimate state cyberattacks—even though international humanitarian law is designed to protect civilians in conflict, not as a way to sanction those conflicts. Those states’ objections to the applicability of international humanitarian law, human rights law, or any fulsome discussion of international law was frustrating to Switzerland and many others, who appealed to the chair that continuing to endorse international humanitarian law is necessary to address accountability for use of ICTs in armed conflicts and, ultimately, protect civilians.

The Arab Group joined the choir on international law, pointing to multiple recent violations of these principles in the region with harmful consequences. Though the United States endorsed the application of international law, including humanitarian law, it opposed the creation of an international law-focused thematic group in the new mechanism, though other Western states were supportive of this concept. It appears, in part, that the U.S.’s opposition stemmed from a belief that the Russians would use such a group as a predicate for a binding treaty proposal.

One very positive note of progress on international law is that many additional countries have now formulated and published their national positions on its application in cyberspace, with recent articulations of the positions of the European Union and the African Union, followed by national positions of Colombia, New Zealand, Korea, and Thailand. Though international agreement on how international law applies remains distant, national and regional positions substantially help advance the dialogue around and understanding of this issue. 

The application of international law in the cyber domain is one of the most consequential discussions for the future of peace and security. With half of the UN member states having published individual or joint positions on international law, the future mechanism must progress and find areas of convergence and consensus—in spite of the lack of a dedicated thematic group on this issue.

Capacity Building

Although capacity building was a major focus of both this OEWG and its predecessor, India and small island states were disappointed that cybersecurity capacity did not take a more prominent role in the final document, despite its importance to the Global South. Many states came to these negotiations to gain understanding, support, and potentially funds for protecting their critical infrastructure against emerging threats. India also proposed a very broad capacity-building portal administered by the UN Secretariat to serve as a platform to facilitate the sharing of information relating to best practices, among many other purposes. This proposal culminated in the Global ICT Security Cooperation and Capacity-Building Portal (GSCCP), which will be established under the Global Mechanism amid objections that it duplicates existing initiatives by the UN Institute for Disarmament Research (UNIDIR) and the Global Forum for Cyber Expertise (GFCE).

In apparent recognition of the difficulty of creating and maintaining an authoritative portal, it was decided that the platform would be launched incrementally, initially providing a home for the new mechanism and a new global point of contact directory before undertaking more challenging tasks. Hopefully, this gradual approach will allow the new portal to better integrate with and leverage existing portals and other resources and find ways to be comprehensive despite severe resource constraints; a “one-stop shop” is not very helpful if it is not well-resourced and updated. Other suggestions, such as a new voluntary fund for capacity building, were postponed for consideration in the Global Mechanism. And, as noted above, the future process will also create a dedicated thematic group on improving the cybersecurity capacity of least-developed states.

Confidence-Building Measures

There has been modest progress over the past five years on confidence-building measures, though the chair has often expressed his view that the delegation meetings themselves were confidence-building exercises. The fact that the process neither unraveled nor significantly backslid in an era of geopolitical contestation was, in itself, creditable, but insufficient given the concurrent increase in state-backed cyberattacks and the deterioration of trust among states.

The OEWG agreed on eight new measures during its mandate, and a substantive deliverable was the Global Points of Contact Directory, which is now being implemented. Like other existing regional or specialized directories, this could improve communication and serve as a way to deescalate tensions—but only if states actually provide relevant information and the directory is consistently updated, reliable, and employed by national authorities, particularly in times of tension. Experience from other existing, operational points of contact directories—including the 24/7 Cybercrime Directory, the Council of Europe Cybercrime Directory, and the Organization for Security and Co-operation in Europe (OSCE) Directory—demonstrates that creating and operationalizing such a directory is no easy task and a significant resource burden. Though further implementation of the directory will be undertaken under the new mechanism, the UN Office of Disarmament (UNODA) Secretariat, now charged with its operation, is already encumbered with multiple responsibilities and constrained by a limited budget.

Stakeholders

Over the course of the two OEWGs that occurred in the past six years, stakeholders have demonstrated expertise and made significant contributions across the framework of responsible behavior, as well as provided practical support for building state capacities in cybersecurity. The negotiations have seen state-stakeholder collaboration expand, from joint side events during the sessions to partnerships outside the formal meetings. Still, the lack of openness and inclusivity during the First Committee process was widely criticized, and serious concerns only grew louder over time. Many organizations and technology companies have been blocked or restricted from participating in the main sessions, including Microsoft—which applied for each of the 11 sessions—as well as nongovernmental organizations (NGOs) with a track record of work on cybersecurity and digital rights.

The modalities for stakeholder participation have long been a point of contention. The recently concluded OEWG encountered challenges in initiating substantive discussions due to restrictive rules for stakeholder participation that allowed just one state to block a stakeholder without requiring justification. The so-called transparency principle helped increase the number of accredited organizations from zero to 100 between the first and the second OEWG. Yet, a considerable number of important stakeholders were repeatedly vetoed and could not appeal.

The Canada-Chile proposal, supported by over 40 states, requested that a vote be required for those vetoed by individual countries in the Global Mechanism, creating a procedural-only exception to the consensus rule. This approach served the Ad Hoc Committee on Cybercrime well, where the private sector, NGOs, human rights organizations, and academia informed national positions and even delivered joint statements to push against harmful proposals in the draft cybercrime convention and, ultimately, helped states—which still held the ultimate decision-making authority—to understand potential unintended consequences of various actions or provisions. 

Despite strong cross-regional support, the request for votes was not included in the final agreement due to fierce opposition from Russia and China. Instead, some minor procedural requirements were added that, among other things, prescribe that the chair of the new mechanism attempt to find consensus through consultations. However, the added process on top of the single state veto is weak, and unlikely to change the objecting states’ actions or the end result, meaning that many organizations will again likely be blocked. The thematic working groups offer a more positive outlook. Constituting half of the deliberations, these meetings will be hybrid and, by extension, informal, allowing an array of organizations and experts to participate in principle.

Yet even this modest progress could be undone before the substantive work begins in July 2026. States will meet for an organizational session four months prior to agree on the rules for the process. While the position of this OEWG should be agreed upon as a package deal, delegations can reopen specific organizational provisions. Russia is the usual suspect, known for strategically exploiting the modalities to block stakeholders from UN meetings, and they may try to restrict stakeholder participation even in informal sessions like the working groups. Should this topic be reopened, other countries must be prepared to seek a General Assembly vote on a blanket rule change not only for this process but also across the First Committee that would preclude a single state veto. The leverage of the selected few, or the one, to block more inclusive, transparent, and open engagement with NGOs, technology companies, and academia is possible only because of consensus-based decisions. Settling the issue by a vote would allow the cross-regional majority to give stakeholders a voice in multilateral discussions without further ado. Unfortunately, countries so far have been loath to take this to the First Committee for a vote—even though many believe they may win—for fear of the reopening of sensitive compromises from the existing report and structure.

Next Steps

The Pitfalls

The now-concluded OEWG discussions demonstrated deep concerns about increasingly disruptive and destructive cyberattacks on critical infrastructure, the pre-positioning of malicious cyber capabilities within such systems as a potential precursor to future conflict, and the malicious use of ICT-enabled covert information campaigns to influence the processes, systems, and overall stability of states. Delegations have used the UN fora to voice their grievances and name and shame irresponsible behavior, in addition to advancing protection of critical infrastructure through cooperation.

However, not all agree. Russia opined about the “paradox” of such talks harming national security, comparing them to “being forced to publicly discuss your chess strategy mid-game.” To Russia, discussing critical infrastructure in a multilateral format allows knowledge of vulnerabilities and defensive measures to be transformed into a weapon for malicious actors, especially when touching on malware, evasion techniques, and social engineering methods. The statement went further by calling discussions on critical infrastructure protection politicized, saying that Russia’s sovereign standards are unjustly called “digital authoritarianism,” and taking a shot at public attributions as “groundless accusations”—an issue of joint interest for sanctioned countries.

In a climate where principles established through decades of multilateral negotiations are called into question, it is increasingly difficult for Western like-minded countries to present a positive avenue for cooperation with credible results. The Russian proposal for a cybersecurity treaty has been circulating for years. China has also repeatedly advocated for proposals on international data security to shape internet governance standards that meet its regulatory preferences as an alternative to Western-led initiatives—attempting to move from a multistakeholder internet governance framework to one controlled by governments. The permanent Global Mechanism will undoubtedly face increased pressure to stay relevant amid conflicting visions, risking reduction to a talking forum.

The mechanism will also need to address a growing list of threats. States have raised concerns about the market for commercial cyber intrusion capabilities and the trading of hardware and software vulnerabilities on the dark web, as well as the use of large language models (LLMs) for artificial intelligence-generated malware and deepfakes. A point of contention between regional perspectives were references to the threat of ransomware facilitated in part by the availability of ransomware attacks as a service for hire, opposed mainly by Russia, and those acknowledging cryptocurrency theft and its use for financing illicit and malicious ICT activity, argued against by North Korea and few others. The European Union and many developing countries showed a willingness to prioritize other emerging threats, such as quantum computing and advanced discussions on artificial intelligence. In contrast, the United States and Israel opposed in-depth elaboration of these issues, deeming them outside of the mandate of the Global Mechanism. The list of emerging threats has indeed expanded in recent years, driven by states grappling with the rapid pace of developments.

Much of the fate of the new Global Mechanism will depend on the selection of a chair that is generally accepted by opposing sides and delivers strategic leadership. This is a tall order in the current contentious climate. Finally, it is unlikely that the UN process will compel states that violate political commitments or international law to change their behavior and comply with the precepts they have previously endorsed. Whether by standing in the way of consensus or asserting a veto, transgressing states will likely continue to evade any meaningful consequences in this venue.

The Opportunities

The Global Mechanism generates momentum, but it can fizzle if its outcomes do not extend beyond the plenary. States must show early leadership on issues with relevance, practicality, and cross-regional support. One area that deserves more attention is a remedy framework for victims of irresponsible behavior in cyberspace. Despite the growing impact of cyber operations on states and their citizens, understanding of the extensive harms caused by cyberattacks remains limited. States lack the ability to accurately assess the scope, severity, and nature of inflicted harm, and victim assistance between states and toward civilians is often based on ad hoc and uncoordinated cooperation, resulting in limited effectiveness. The emphasis on victims could help strengthen alignment across the framework by highlighting resilience and recovery, as well as leveraging state-stakeholder cooperation. This approach would benefit resource-constrained countries by enhancing their capacity to restore the most vital and vulnerable services. 

Efforts toward political, normative, and capacity alignment must go hand in hand with addressing the key issue: States are not being held accountable for the vast majority of harmful cyber operations conducted, and consensus-based decision-making will allow them to continue escaping accountability. While cyber norms offer politically binding guidance, international law—including international humanitarian law and human rights law—can help frame expectations and move the needle on much-needed accountability. With a growing number of countries publishing their views, the appetite to make progress on the application of international law in the use of ICTs is palpable, even if not universal. 

While the UN remains an important venue—if for no other reason than its inclusion of all countries and its resulting legitimacy—it is not the only game in town. Notably, the International Criminal Court has intensified efforts to address state cyber operations. The Office of the Prosecutor published a draft policy on cyber-enabled crimes with language about developing international jurisprudence for the prosecution of cyber-enabled crimes that fall under its jurisdiction if they amount to crimes listed in the Rome Statute. This reflects the current reality that progress on cyber stability, including accountability and a host of other issues, is advancing elsewhere. Regional forums, like-minded gatherings, and multi-stakeholder initiatives are particularly well-suited to move quickly. They can and should inform multilateral processes but cannot afford to wait for those deliberations to produce results, especially as the UN is incapacitated by consensus-based decisions.

The recent agreement presents positive signaling for multilateralism, but consensus on process is not the same as consensus on substance. The next phase must move from dialogue to concrete action. As the Global Mechanism prepares to begin work in 2026, the international community faces a new opportunity—and a sobering responsibility. Unless Western like-minded countries demonstrate resolve and leadership to adopt new approaches to advance responsible behavior, they risk ceding the agenda—and with it, the future of international cybersecurity—to authoritarian states, a scenario they have long sought to avoid.