What’s Ahead in the Cyber Norms Debate?

Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.

Following the creation of two parallel processes by the First Committee of the United Nations General Assembly, the topic of cyber norms has garnered renewed attention. Prospects for substantive progress in either the Open-Ended Working Group (OEWG) or the Group of Governmental Experts (GGE) appear limited, while pressures to broaden cybersecurity discussions have grown. These dynamics reveal the need for the U.S. and like-minded states to articulate an approach that looks past the conclusion of the current processes in 2021.

How Did We Get Here? The Origins of the GGE and OEWG Processes

In 2018, member states of the U.N. voted to create two parallel processes to further decades-long conversations on information and communications technologies security. Previously, one draft resolution sponsored by the Russian Federation had been adopted unanimously by the U.N. membership; however, the collapse of the 2016-2017 GGE prompted a change in this dynamic. In lieu of one consensus resolution, Russia and the United States submitted two competing drafts, both of which were subsequently approved by majority vote.

The resolution sponsored by the U.S. set up a continuation of the GGE process that had dominated the international debate for years. This new iteration of the GGE, consisting of 25 experts, met formally for the first time in December 2019 and is scheduled to conclude its work by May 2021. This provides the current GGE with a slightly longer timeline than the usual one-year duration and ensures that the GGE’s work concludes after that of the new group established by the Russian-sponsored resolution—the OEWG.

In contrast to the GGE, OEWG membership is open to the entire U.N., meaning that any interested U.N. member state can participate in its meetings. Its deliberations are, however, limited in time. The OEWG began its work in the summer of 2019 and is due to conclude by July 2020. Although both the GGE and the OEWG look at a similar set of issues, their mandates differ with regard to scope as well as procedural regulations.

What to Expect

With two processes underway, important questions arise: What outcome is to be expected from each of the processes? And how do the groups and their work relate to each other?

The work of both the OEWG and the GGE is based on consensus, requiring agreement among all the participants in each process to produce an outcome report. As a result, expectations for substantive progress in both forums are naturally limited. The fundamental differences and political divisions that torpedoed the discussions of the 2016-2017 GGE are unlikely to dissipate anytime soon. On the contrary, the existing fractures are likely amplified by the larger number of states participating in the discussions.

In addition, the stacked timeline of the OEWG and the GGE presents further challenges. With the OEWG wrapping up first, one can fairly assume that any room for consensus, including on low-hanging fruit, will be nearly exhausted before the GGE is due to deliver its report. Yet, both groups have to make substantive progress compared to the 2015 GGE report to prove their institutional value.

In this context, the more important question to ask is: What will follow the OEWG and the GGE? In other words, where is the cyber norms debate headed past 2021?

Where Do We Go From Here?

The future direction of negotiations will be influenced by several factors. First, the bifurcation of U.N. processes has revealed significant pressure to open up U.N. negotiations to a broader set of states, as well as nongovernmental stakeholders. The substantive state participation in the OEWG indicates considerable interest in discussing information and communications technologies security in a multilateral forum that is more inclusive than the GGE. Pressure has likewise been increasing to involve nongovernmental stakeholders more directly, as evidenced by the first multistakeholder meeting held in December 2019 as part of the OEWG process and the plethora of norms initiatives that have sprung up outside the U.N.

Second, states have an increasing appetite for a formal, standing discussion forum for cybersecurity. Indeed, the mandate of the OEWG explicitly tasked the group to study the “possibility of establishing regular institutional dialogue with broad participation under the auspices of the United Nations.” States such as China have readily jumped at this opportunity to propose the establishment of “permanent” discussion platforms.

In light of such pressures, the creation of a broader, institutionalized dialogue anchored at the United Nations appears to be increasingly a matter of “when” rather than “if.” Such a development would undoubtedly be in the interests of states such as Russia and China that have long been advocating institutionalized discussions at the U.N. and, ultimately, the negotiation of an international treaty on information security. The U.S. and other like-minded states have always resisted such efforts, preferring the more exclusive and elusive format of GGE discussions to advance the normative framework for responsible state behavior in cyberspace.

However, if international discussions broaden, either in participation or in scope, an effective response will require a proactive approach. This approach must be underpinned by a long-term perspective that looks past the conclusion of the current processes in 2021. The U.S. and its like-minded allies will have to address the pressures mentioned above to articulate a convincing narrative and to shape future institutional arrangements that seek to preserve and develop the acquis of the 2013 and 2015 GGEs. This, above all, will require continuous U.S. engagement and alliance building among and with like-minded states. In this regard, the recent developments in the U.N.’s Third Committee—which established a forum to negotiate an international cybercrime treaty long advocated by the Russian Federation—might serve as a cautionary tale for the absence of U.S. leadership.