WIREDGOV

States have established new Permanent Mechanism at the UN to discuss the rules of the road in cyberspace. Rather than stall, they should not shy away from tough topics.

The conclusion of the UN’s Open Ended Working Group (OEWG) – the process responsible for devising ‘rules of the road’ for responsible state behaviour in cyberspace – finished its work in July 2025, marking the end of a cycle of negotiations on cybersecurity begun 21 years ago. What will take its place remains uncertain and raises issues regarding the future of norms and rules for states in cyberspace.

The Final Report of the OEWG broke little new ground because states did not wish to go beyond the ideas discussed in six earlier Groups of Government Experts (GGE) and two OEWGs. This means the substantive agreements in the 2015 GGE – when states agreed on 11 norms – are the high-water mark of UN cyber negotiations. But it has been over a decade since that agreement and further progress requires states must now transition from the OEWG to a new ‘Permanent Mechanism.’

How Did We Get Here?

GGEs are a UN mechanism to study difficult topics and make recommendations to the Secretary General. The first GGE in 2004 failed to reach consensus because of US opposition. The second GGE (2009-2010) agreed on a brief work program to develop norms, confidence building measures (CBMs) and (at the insistence of the South African expert) capacity building. The 2013 GGE amplified these topics and the 2015 GGE reached the landmark agreement on 11 norms. The 2015 GGE, held during a time of fading international comity, created a global framework for responsible state behaviour in cyberspace.

To continue the work of the GGEs, the General Assembly created an OEWG (the UN uses OEWGs to discuss major issues and involve all member states) to further develop the 2015 GGE’s work. There have been two cyber OEWGS, the first from 2019-2021 and the second from 2021-2025. The second OEWG’s Final Report had four noteworthy results. It solidified the place of the 11 norms first agreed in the 2015 GGE to define responsible state behaviour. It reinforced the applicability of international law to cyberspace. It established regular institutional dialogue (called the ‘Global Mechanism on developments in the field of ICTs in the context of international security and advancing responsible State behaviour in the use of ICTs’). It made capacity building central to UN cyber efforts.

The report lays the foundation for future work on responsible state behaviour using capacity-building and the Global Mechanism. But the GGEs began at the dawn of global connectivity. Their success in placing cyberspace in the context of existing agreements (principally the UN Charter and the corpus of international law) was an essential first step and anchors cybersecurity squarely in the framework of state practice and international relations. The 2021-2025 OEWG usefully continued this and widened the discussion to the entire UN membership. Now, new ideas are needed to strengthen stability and reduce the chance of greater conflict.

Click here for the full press release