By: Jeffrey D. Bean
On July 11, the United Nations (UN) Open-ended Working Group (OEWG) on security of and in the use of information and communications technologies (ICTs) adopted a final report by consensus. The report will now be submitted to the UN General Assembly for review and possible adoption in September. Given the deep disagreements on this set of issues among different states, achieving consensus represents a significant breakthrough. But the agreement still falls short in specific areas when it comes to delivering tangible implementation on the norms of responsible state behavior in cyberspace, with meaningful language watered down. That said, the agreement reflected at least five positive developments in global cyber governance.
First, one major accomplishment is that states have agreed to take forward a regular institutional dialogue in the form of the Global Mechanism, a single-track process meeting twice per year from March 2026 with a plenary and two dedicated thematic groups. (The full title, Global Mechanism on developments in the field of ICTs in the context of international security and advancing responsible State behavior in the use of ICTs, is a wonderfully awkward amalgamation of competing Russian and French proposals for the title.) One dedicated thematic group will be focused on security and geopolitics covering five pillars: emerging threats, norms of responsible state behavior, international law, confidence building measures, and capacity building. A second will work specifically on capacity building efforts. Although details still need to be ironed out, a permanent body in the UN’s first committee will hopefully ameliorate the limitations of the temporarily mandated processes that cyber and ICT security has faced in the past. The thematic working groups will also enable much broader and more cost-effective participation for member states and accredited stakeholders via hybrid and informal convening.
Second, another positive step is the avoidance of negotiations towards a new binding international treaty on the use of ICTs in cyberspace, overcoming a push from a small coalition of states led by Russia. This is critical because states have already repeatedly reached consensus at the UN that international law applies in cyberspace, and the current undertaking is to determine how it applies. In recent years there has been an uptick in states sharing their positions on how international law applies. For example, South Korea and Thailand just recently released their national positions, while New Zealand updated their position. That said, there were significant gaps in the final progress report on the substantive convergence in international law among delegates, which Canada’s representative noted in its closing statement.
Third, the consensus also reflected how states have collectively recognized the deep challenges faced around the globe in cybersecurity capacity and are attempting, through the limited means of UN mechanisms, to address them via capacity building. Quality programs through UNIDIR and the first UN Global Roundtable on ICT Capacity Building in May 2024 are important, but efforts through regional organizations, civil society groups, like-minded states, and especially public-private partnerships remain foundational to meaningful progress in this area, particularly for societies in the Global South. In addition, the report recommended the development of a UN global portal for cyber capacity building, but it still faces concerns from many states and civil society experts over duplication of effort, given the existing UNIDIR cyber policy portal and GFCE-run Cybil Portal. While capacity building features prominently in the report, some states, such as India, voiced concern over a lack of concrete emphasis on initiatives and desired even broader consideration for building skills and capacity.
Fourth, the OEWG process included the launching of a global intergovernmental points of contact directory (including successful ping tests), affirmation of eight voluntary global confidence building measures, and reference to a past establishment of a voluntary checklist for norms implementation. References to a voluntary fund for supporting global cyber capacity-building remained in place, but lack specifics, and notable donors, such as the United States, questioned its utility. Additionally, much to the chagrin of civil society, private sector, and academic stakeholders, formal stakeholder participation for non-states in the new Global Mechanism will still be subject to a single state’s anonymous veto, despite efforts from numerous states, including Chile and Canada, to foster consensus for more inclusive modalities.
Finally, the process saw a dramatic increase in women engaged in cyber diplomacy, in what has historically been a male-dominated field. As Australia noted in its closing remarks, more than half the interventions at the last two Substantive Sessions were from women. The collective drive of states to support female delegates and programs like the WICS fellows program provided a platform for women from many countries to join and mainstream gender considerations in international cybersecurity.
Despite tangible progress and clear shortfalls, the full weight of the accomplishments of this 2021-2025 OEWG cannot be fully evaluated until the UN General Assembly signs off on the final report and the new Global Mechanism kicks into operation. For now, proponents of multilateral cyber diplomacy notched a clear victory.
Jeffrey D. Bean is the Program Manager for Technology Policy and Editor at ORF America.