Consensus, Contestations and Silences: Reflections on the Final Session of the OEWG on Information and Communications Technologies

The 11^th and final session of the UN Open-Ended Working Group (OEWG) on security of and in the use of information and communications technologies recently concluded in New York, closing a chapter of multilateral discussions marked by growing geopolitical tensions and global cyber insecurities. This blog article reflects on the achievements, contestations, and silences that shape multilateral cyber governance today and what this means for the future permanent UN mechanism.

The 11^th session of the Open-ended Working Group (OEWG) on security of and in the use of information and communications technologies took place in New York from 7 to 11 July, marking the final round of negotiations for the current OEWG mandate (2021-2025). The OEWG has become the central forum for multilateral discussions on the framework of responsible state behavior in cyberspace. This included exchange on existing and potential cyber threats, the eleven voluntary norms of responsible state behavior, the applicability of international law (including international humanitarian and human rights law), confidence building measures and cyber capacity building.

Over the last five years, the eleven OEWG sessions have been characterized by broad and regionally diverse national participation. It is also noteworthy that the OEWG has achieved gender parity since the 5^th session. Both regional and gender representation have been achieved largely with the support of fellowships, in particular the Women in International Security and Cyberspace (WiC) Fellowship, facilitated by the Global Forum on Cyber Expertise (GFCE), or the UN-Singapore Cyber Fellowship (UNSCF). However, this broad participation has not spared the OEWG from recent geopolitical tensions and conflicting positions on the presence and future of global cybersecurity governance that were omnipresent and dominated the process, leading to an outcome that can best be described as the lowest possible common denominator.

This blog article reflects on the outcome of the final session. Drawing on both the substance of the negotiations and the dynamics in the room, it assesses the session’s achievements, points of contention, and notable silences, and what they might signal for the future of global cybersecurity governance.

What is the OEWG and What Topics are on the Agenda?

Established in December 2020 through UNGA resolution A/RES/75/240, the OEWG convenes under the UN First Committee on Disarmament and International Security. Its goal is to find common positions between states on what is allowed in cyberspace and what is not. The basis of this is the already existing body of agreements that is commonly referred to as the framework of responsible state behavior in cyberspace. It encompasses the GGE 2013 report, the GGE 2015 report, the GGE 2021 report and the OEWG I 2021 report, and since last week, also the OEWG II 2025 report. All reports have been adopted by resolutions of the UNGA by consensus and by all states. The final report of this OEWG is still to be adopted by the UNGA.

From 2021 to 2025, the OEWG met eleven times in New York to focus discussions on five thematic and one procedural pillar. These include:

• Existing and potential threats
• Norms, rules, and principles of responsible state behavior on the basis of the eleven voluntary non-binding norms agreed upon in the GGE 2015 and endorsed by consensus through UNGA resolution 70/237
• The applicability of international law, including international humanitarian law and human rights law, to cyberspace
• Confidence building measures
• Cyber capacity building
• Regular institutional dialogue

The group achieved consensus on three annual progress reports (APRS) in 2022, 2023 and 2024. This can be considered a notable success, considering the geopolitical tensions that are also played out in the cyber domain.

However, concrete progress that went beyond discussions and aimed at concrete action has been correspondingly small. Worth mentioning is the agreement on eight confidence building measures, with one being the establishment and implementation of the Point of Contact (POC) Directory. This was achieved with broad participation. Further, an increasingly comprehensive list of existing and potential threats in cyberspace was developed, as well as solid cyber capacity building initiatives implemented. Although state-based security threats remained central, the OEWG formally acknowledged risks to humanitarian organizations and individuals, with growing attention to gendered cyber harms.

Discussions on the other matters were instead tame and characterized by the divergent views of groups of states, which made implementation difficult. Regarding the normative framework, divergences exist between states that want to focus mainly on the implementation of existing norms and those finding it necessary to develop new norms. The discussions were particularly heated around international law and its applicability in cyberspace. Until today, 40 states and two regional organizations, the EU and the African Union, have published positions on the applicability of international law. But there are very different opinions on how exactly is should be applied, especially regarding international humanitarian law and human rights. While many states are in favor of further expanding the understanding of international law in cyberspace (including IHL and HRL) and consider this, as well as the UN Charter, to be sufficient, there are also efforts to initiate a UN convention. Russia in particular has taken up this initiative and, supported by Belarus, the Democratic People’s Republic of Korea, Nicaragua, and the Syrian Arab Republic, submitted a draft for such a convention in 2023, as well as an updated version, which almost prevented the consensual adoption of the second APR at the time. It is argued that existing international law is insufficient and additional legally binding obligations necessary. Experts consider the Russian initiative to be critical, particularly with regard to the risks to human rights and the undermining of transparency. It is also referred to as a “Trojan horse” that is intended to weaken the existing consensus on the use of international law.

Another key convergence from the beginning were the modalities for stakeholder participation. The current modalities of the OEWG are based on a non-objection basis. States that issue a veto do not have to disclose any information about the reasons, and a veto cannot be appealed. Russia and China, among others, argue for less stakeholder participation, constantly vetoing stakeholders and aiming for restricting the process to delegations only. PRIF itself was also affected by this strategy in the run-up to the eleventh session which resulted in the author’s having to take part in the OEWG as part of the German delegation. Others see great value in the inclusion of the multistakeholder community including civil society, academia, tech communities and the private sectors, as a holistic and technically sound cybersecurity is not achievable without expert knowledge from different areas. Russia’s actions have led to a number of countries, coordinated by Canada and Chile, making vital commitment to more inclusive and transparent stakeholder modalities and introducing concrete proposals for future adjustments into the process, as part of a working paper.

The topic of gender mainstreaming and gender parity was noticeably present throughout the process, not least due to the WiC fellowship and the broad and regionally diverse representation of women that it enabled. The WiC donor states (Australia, Canada, Germany, the Netherlands, New Zealand, United Kingdom, and the US until Trump’s second term), like-minded states as well as the fellows themselves consistently contributed positions on the impact and importance of women’s participation and gender mainstreaming, particularly in capacity building. These perspectives where successfully incorporated into the APRs – albeit not as strongly as demanded in the interventions due to reservations by others – and led to a working paper on gender mainstreaming for the future mechanism, introduced at the 10^th session of the OEWG in February 2025.

The 11^th and Final Session: Outcomes, Disagreements and Silences

The 11^th session concluded the work of the OEWG, summarizing progress and outlining the future permanent mechanism. The session culminated in the adoption of the OEWG’s final report and a resolution to establish a future and single track “Global Mechanism on Developments in the Field of ICTs in the Context of International Security and Advancing Responsible State Behavior.” This rather unwieldy name is the result of competing proposals for a title by Russia – supported by its small group of like-minded states – and France, with broad participation from EU countries as well as others. While the report was adopted by consensus, the process revealed deep constatations, particularly on issues of international law, gender, human rights, and stakeholder inclusion.

In terms of international law, the final report only marginally reflects the depth of discussions of the past years, especially on human rights law and humanitarian law. References to the humanitarian impact of cyber operations, including the ICRC resolution on “Protecting civilians and other protected persons and objects against the potential human cost of ICT activities during armed conflict”, were dropped. The references to the possibility of negotiating a legally binding obligations within the global mechanism were toned down but are still present. Although the ‘zero draft’ was already weak in terms of human-centered perspectives and only emphasized these specifically in dealing with ransomware, these were removed in the final version, silencing human rights issues all together. The ‘zero draft’ contained the idea of a dedicated thematic working group on international law in the future mechanism, which was highly supported by many states, especially a lot of middle ground states. However, it became clear that setting up such a group would have been a red line for the US, due to concerns that this could be used as a launch pad for Russia to negotiate a legally binding instrument.

References on the participation of women, on gender mainstreaming, and gender-sensitive approaches to capacity building, as well as acknowledging the WiC-Fellowship as a best practice, all made it into the report, despite pushback from states such as Russia, Argentina and the United States. The US even dissociated from all paragraphs that mentioned gender or the Sustainable Development Goals (SDGs). In response, a cross-regional coalition of states issued a strong statement on gender inclusion, read out by Fiji. In this context, the inclusion of gender language can be seen as a modest success, especially in the context of the current developments in terms of anti-feminist backlash. Still, the report does not do justice to the lived realities of diverse individuals and communities. This would have required a sound human-centered and intersectional approach to cyber harms. Furthermore, and considering the lack of human rights obligations and human-centered perspectives in the final report, it becomes clear once again that state and geopolitical interests are prioritized by those in power to the detriment of human security.

In terms of stakeholder participation, the final report contains the non-objections-based modalities, again making it possible for states to abuse their veto power against stakeholders in the global mechanism. At least the modalities have not been toned down like the like-minded group around Russia suggested. Russia even demanded for ECOSOC accredited organizations and their participation to be reviewed. Despite being unsuccessful, the strong support for more inclusive and transparent stakeholder modalities was nevertheless greatly valued by the multistakeholder community.

What is Next? The Future Global Mechanism and Open Questions

In summary, states expressed their satisfaction that consensus has been reached and welcomed the inclusive nature of the OEWG, which also allowed small and island states to participate and actively engage in the debates.

However, most states expressed their dissatisfaction with the outcome and illustrated the compromise they made and what they had to give up in return. The strong divergences in terms of international law, stakeholder modalities, and gender and human-centered perspectives give a taste of the challenging process ahead. What is already agreed upon is the broad structure of the Global Mechanism. Next to plenary sessions, two – instead of the previously suggested three – dedicated thematic working groups will be established. One will be based on the five thematic OEWG pillars, with another focused on cyber capacity building to cater for in-depth discussions. Additionally, the establishment of ad-hoc groups or roundtables is foreseen if deemed necessary. Every five years, a review conference will be held.

The organizational meeting of the future Global Mechanism will be held in March 2026 at the latest and will determine what states will make out of the compromise they achieved. Pressing questions remain, including how states aim to overcome their divergent views on norms and international law, how the Global Mechanism will integrate human-centered approaches and gender perspectives, and how to ensured that the broad and regional diverse representation of states can be sustained in the future.