Thursday 14 Aug 2025 @ 13:15
RUSI
Printable version

The Rules of the Road in Cyberspace, 10 Years Later

For five years, the Open-Ended Working Group (OEWG) on cybersecurity has negotiated key thematic areas which can undermine international stability. Experts following these negotiations weigh in on the progress, sticking points and future of the themes and goals of the OEWG.

Enduring relevance: the UN framework remains an indispensable pillar in the evolving architecture of global cyber governance. Image: Aimo Studio / Adobe Stock

Cyber operations have become an enduring feature of geopolitical competition, increasingly targeting critical infrastructure and testing the boundaries of international stability. In the past few weeks, Microsoft reported that Chinese state-linked and non-state actors had exploited a zero-day vulnerability affecting on-premises SharePoint servers – including at the US National Nuclear Security Administration, which is responsible for overseeing nuclear weapons. The vulnerabilities were reportedly ‘exploited en masse to intrude hundreds of organizations globally’, spanning governments and critical sectors.

Incidents like this are not exceptional – they are emblematic of a broader pattern: persistent, state-linked cyber operations that exploit systemic vulnerabilities, erode trust and undermine international stability. Against this backdrop, efforts to define how states should behave in cyberspace – what is acceptable and what crosses the line – have become more urgent, but also more contested.

And yet, amidst these tensions – and perhaps paradoxically – 193 states gathered at the United Nations from 7 to 11 July to negotiate precisely that: the rules of the road for state behaviour in cyberspace. This final session of the Open-Ended Working Group (OEWG) on cybersecurity marked the conclusion of a five-year diplomatic process under the UN First Committee on Disarmament and International Security.

The session resulted in the establishment of a Global Mechanism, the approval of a final report that had been significantly watered down, and – somewhat unexpectedly – the early conclusion of negotiations on the final day, avoiding what many anticipated would be a long Friday of talks.

This piece brings together experts who have followed these negotiations from up close. Their reflections trace both the progress and sticking points of the past five years in each of the six thematic areas covered by the OEWG (existing and potential threats, norms, international law, confidence building measures, cyber capacity building and regular institutional dialogue) – and offer insights into what lies ahead.

Cyber Diplomacy Amid Growing Scepticism

Louise Marie Hurel

But first, a note on context and importance for the sceptics who (rightfully so) have and may continue to ask why and how a UN process can help devise concrete responses to growing instability in cyberspace.

Since 2004, the UN has hosted formal negotiations on this issue, beginning with the Group of Governmental Experts (GGE), which reached a milestone in 2015 by reaffirming that international law applies to cyberspace and by proposing 11 non-binding norms for responsible state behaviour. A decade later, those norms and the legal principles they reference have become the cornerstone of the UN Framework for Responsible State Behaviour in Cyberspace. And unlike the more exclusive, time-limited GGEs, the OEWG’s universal format granted all member states a seat at the table and a five-year mandate (2021–2025) to address this evolving security domain.

As I sat in a (thankfully) air-conditioned UN conference room on a scorching Manhattan morning, somewhere between 42nd and 45th Street, I watched states large and small gather to negotiate the final document of this phase: an articulation of shared (and diverging) understandings across the six key topics.

To those outside the room – especially security researchers, private sector companies, or national security practitioners – the idea that the UN could meaningfully shape cyber behaviour may seem overly diplomatic, even naive. After all, in the context of RussiaUkraineIsrael–Iran, or India–Pakistan, cyber campaigns are no longer blips in armed conflict or crises; they are a feature of it. States are speaking more explicitly about integrating cyber as part of broader deterrence strategies and as a core part of achieving ‘warfighting’ readiness. The US is adopting a full-spectrum operational posture. The UK is integrating cyber and electromagnetic capabilities under one command.

As states exploit the fine lines between crisis and conflict, the strategic imperative remains: without shared understandings – however limited – about what constitutes responsible behaviour in cyberspace, the risk of escalation will only grow.

Click here for the full press release

 

Channel website: https://rusi.org

Original article link: https://www.rusi.org/explore-our-research/publications/commentary/rules-road-cyberspace-10-years-later

Share this article

Latest News from
RUSI

RUSI Supports G20 to Advance Multilateral Action on Environmental Crimes

12/12/2025 15:33:00

Commissioned by South Africa's G20 Presidency, RUSI delivered high-level analysis on the need to position environmental crime at the heart of the global agenda, leading to the G20 Cape Town Ministerial Declaration on Crimes that Affect the Environment – hailed as a historic first.

The Trump Corollary to the Monroe Doctrine: Crisis or Opportunity?

12/12/2025 14:25:00

President Trump’s new corollary to the Monroe doctrine will provide more triggers for forceful action in the Western Hemisphere, but the focus on Latin America could motivate the US toward more cooperation.

National Security Marks Chile’s Presidential Runoff

10/12/2025 09:25:00

The vote pits left- and right-wing approaches to tackling crime and redefining the country’s alignment with global partners.

Britain’s Economic and Military Dividend from Supporting Ukraine

09/12/2025 14:25:00

Can Britain afford not to support Ukraine, risking a security environment with a triumphant Russia?

The Government Needs to Send a Wake-Up Call on Research Security

05/12/2025 14:25:00

Without fundamental cultural change among academics, research security will become a box-ticking exercise for universities.

Tragedy of the West: Sacrificing Ukraine and the Rules-Based Order

04/12/2025 14:25:00

The result of Russia's war of aggression is a product of the ambivalence of the West, which by turns supported Ukraine's defence in the conflict and refused to escalate its response to a level consistent with the threat Russia poses. The rules-based order is at stake, and Ukraine stands alone in its defence.

Trump Peace Plan for Ukraine will Consign Europe to Peril and Contempt

03/12/2025 09:15:00

Acquiescence to a bad deal for Ukraine will expose Europe to future security peril and to near-irrelevancy in global foreign affairs. No US backstop can be trusted.

Poland, Ukraine, and Russia’s War on History

02/12/2025 14:25:00

Moscow’s stirring of the tragic past between Poland and Ukraine is a facet of its information campaign against the West, yet understanding that history – and how it is manipulated – can help those confronting Russia.

The Future of UK Counterterrorism: A Case for Integrated Violence Prevention

02/12/2025 09:25:00

Prevent has drifted into a catch-all for unmet safeguarding demand. 

Annual Review 24-25