Skip to main content
Image source: Max Pixel, used under CC0 Public Domain licence (
United Nations cybersecurity processes: The OEWG

In 2018, the UN General Assembly’s First Committee, which deals with disarmament and international security, established the Open-ended Working Group on developments in the field of information and telecommunications in the context of international security (OEWG). Part of the OEWG’s mandate is to discuss the development of rules, norms and principles of responsible state behaviour in cyberspace and their implementation.

The outcomes of this process may end up having a significant influence on trends and policies in cybersecurity globally, with implications for human rights worldwide. If implemented from a human-centric perspective, the norms could have a positive impact on people’s lives and rights. Conversely, if they are not they not, they could have a negative impact on rights. Recently, the Committee approved a resolution that creates, starting in 2021, a new OEWG.

The OEWG hosted a multistakeholder session in December 2019, which was open to all non-governmental stakeholders and which showcased the wide range of roles and responsibilities of non-governmental stakeholders in supporting a secure and stable cyberspace. Unfortunately, engagement in the substantive sessions has been less open: only ECOSOC-accredited NGOs have been allowed in the room. Yet, as various inputs to the OEWG delivered by civil society have demonstrated (such as key messages to the multistakeholder session, our joint feedback on the OEWG pre-draft and most recently our joint feedback on the OEWG), civil society plays an essential role in supporting a peaceful and secure cyberspace. This includes in implementing the UN Group of Governmental Experts (GGE) norms adopted by the UN General Assembly in 2015.

From 4 to 10 December 2020, a multistakeholder dialogue series will be organised to support the ongoing discussions at the OEWG. This series will seek to collect inputs on the group’s pre-draft report, and create opportunities for deepening dialogue between states and civil society, the technical community and the private sector. One of the sessions, on 7 December at 15:00 UTC, will specifically address rules, norms and principles on cyberspace.

Cybersecurity is a human rights issue. Human rights defenders, groups that are subject to intersectional discrimination, and journalists, among others, rely on the internet and its availability, integrity and confidentiality to exercise their rights. Cybersecurity discussions should be inclusive, whether state-led or otherwise. An open, secure, stable and rights-based internet can only be ensured with the full involvement of all stakeholders.

Below we provide more detail on the overarching key points from our recent joint feedback on the OEWG’s norms proposals.

Background to the joint civil society feedback on the revised non-paper norms proposals

In May 2020, the OEWG published a “non-paper” that includes member states’ proposals for guidance on the 11 agreed norms developed by the GGE that apply to cyberspace. These are non-binding norms for responsible behaviour of states aimed at promoting an open, secure, stable, accessible and peaceful ICT environment. As explained here, norms, in practice, refer to how actors should or should not behave with regard to their use of ICTs.

With the goal of contributing to these discussions, together with a group of other civil society organisations, we proposed changes to the OEWG non-paper with a focus on effective implementation of existing cybersecurity norms from a human-centric approach. Such an approach means putting people at the centre and ensuring that there is trust and security in networks and devices that reinforce, rather than threaten, human security.

Key messages from civil society

Human rights are the whole point: Implementation of cybernorms should promote and protect human rights

Humans are the ones impacted by cyberthreats, incidents and operations. Hence, implementation of norms for responsible state behaviour in cyberspace should take into account the impact on human rights.

States should comply with their international human rights obligations when designing and putting into place cybersecurity initiatives or structures and should refrain from implementing initiatives, policies or legislation that would result in restrictions of rights such as freedom of expression, freedom of assembly and privacy, among others.

States should refrain from the criminalisation of cybersecurity expertise and employing unlawful or arbitrary surveillance techniques, including forms of hacking and malware. The collection of sensitive information by states should be done in full compliance with their obligations under international human rights law. In line with UN Human Rights Council resolutions, states should prohibit measures which intentionally prevent or disrupt access to the internet. Critical infrastructure should also be governed in an inclusive and rights-respecting manner.

Cyberspace is not equal and it is important to recognise this: Cyber incidents have differentiated impacts on people in positions of marginalisation

States should specifically address the differentiated impacts of cyberthreats on people and groups in positions of marginalisation or vulnerability. In particular, we urge states to acknowledge their obligations to the rights of women and people of diverse sexualities and gender expression online, because of the differential impacts of cyberthreats they experience. For instance, women and girls are more often the targets of online violence. The OEWG has addressed these concerns directly in its pre-draft report, stating that gender perspectives should be “mainstreamed into norm implementation,” and we encourage states to build on this by developing further analysis or promotion of the voluntary norms of the 2015 GGE, including their gender dimensions. Gender-sensitivity approaches should be included from the start and built into the beginning of future initiatives to operationalise the norms. There is also a need for gender audits of national and regional cybersecurity policies.

When considering all relevant information related to an ICT incident, states should conduct research into possible gendered impacts, and work inclusively with all stakeholders to understand how the enjoyment of the rights of women and people with diverse sexual orientations and gender identities are affected. All actors involved in cyber incident responses should be equipped to recognise potential gendered impacts of an operation and respond appropriately, as well as conduct further research into those impacts to improve global understanding and knowledge on these issues.

An open, inclusive and transparent approach to maintaining peace and stability in cyberspace is needed

Global cybergovernance, including the protection of a secure and stable cyberspace, is not the work of one actor. We argue that only collectively with non-state actors can governments and multilateral forums address complex and transnational global cyberthreats. Civil society organisations, academia, technical communities and the private sector have a role to play in supporting states to implement cybernorms, based on principles of information sharing and collaboration. Therefore, from civil society, we call for an inclusive approach to maintaining peace and stability in cyberspace.

Implementing cybernorms presents a range of challenges which civil society can help to overcome, so the engagement of all relevant stakeholders is essential. In particular, civil society is a key actor in promoting compliance with human rights with a focus on the impact of compliance or transgressions on specific communities or people.

Civil society also plays a key role in socialising cybernorms, by supporting the implementation of them through research and guidance informed by national contexts; coordinating and convening other stakeholders – including the public sector – to increase their awareness and capacity on the norms and compliance with them; and monitoring the implementation of norms, even if they are not binding, to provide accountability and thereby incentivising norm implementation, among other roles. For these reasons, civil society should be involved at the earliest stage of implementation of cybernorms.