UN OEWG: Joint stakeholder statement

Thank you, Ambassador Gafoor, for your continued commitment to engaging with stakeholders. Given the importance of the issue, we would collectively like to address the Zero Draft and Rev. 1’s section on Additional Elements on Modalities on the Participation of Other Interested Parties and Stakeholders, including Businesses, Non-Governmental Organizations, and Academia in Annex III. 

The scope and extent of non-governmental stakeholder participation in a future permanent mechanism on cybersecurity issues under UN auspices is central to that body’s real-world impact, relevance, and credibility. While this mechanism, like the OEWG, will be a state-led process, it is undeniable that ICTs are inherently multi-stakeholder in nature. Stakeholders play vital roles in the cybersecurity ecosystem, for example, by operating and defending infrastructure, providing practical guidance on the implementation of norms and the application of international law, conducting cyber capacity building activities, gathering and sharing cyber threat intelligence, and amplifying awareness of UN-level discussions by informing their networks about ongoing developments. This was also acknowledged by many Member States during the last OEWG substantive sessions. 

Ensuring meaningful stakeholder participation is primarily for the benefit of UN Member States, also against the backdrop of limited resources and expertise. Leveraging the broad range of stakeholder expertise can support states in advancing an open, secure, stable, accessible, peaceful, and interoperable ICT environment. The annex of this statement includes a list of concrete examples of how the work of our organizations have contributed to previous discussions and can continue to contribute to the future permanent mechanism’s efforts. 

The role of stakeholders in UN processes has been recognized from the very outset – at the San Francisco Conference exactly eighty years ago. It brought together not only official state delegations but also non-state “consultants.” The role of non-governmental organizations is also recognized in Article 71 of the UN Charter. 

As states wish to continue benefiting from the expertise and experience of stakeholders, it is essential that the rules and procedures of the new mechanism are favorable to their participation, predictable, and guided by principles of openness, inclusivity, and transparency.

Unfortunately, the text contained in the Zero Draft and Rev. 1 falls short of providing for stakeholder involvement in a “systematic, sustained, and substantive manner” (paragraph 17a)). Additional steps are needed to ensure that stakeholders can effectively add their voice to the discussions.  

This includes: 

1. First, eliminating as a priority the veto power of individual states in accrediting non-ECOSOC-accredited organizations in favour of a more transparent and inclusive accreditation process (relates to paragraphs 17e) and f)). The envisioned informal consultations of the Chair with objecting states, as outlined in paragraph 17f), will require the Chair’s time and resources, but are highly unlikely to result in any meaningful changes to the current status quo. They also do not provide an incentive to refrain from unsubstantiated vetoes. The suggested language by Canada and Chile in their latest working paper, supported by a cross-regional group of now 41 states, offers a constructive way forward by introducing a “last resort” procedural decision by majority vote if consensus cannot be reached. 

2. Second, also relating to paragraph 17f), greater transparency around objections is needed. Your proposal, Mr. Chair, is for the future Chair to disseminate a list of who vetoed who to Member States. However, objected stakeholders and the general public should also be informed, for instance, through a letter published on the website of the future mechanism. Moreover, states’ rationales to object to a stakeholder’s accreditation should be mandatory rather than voluntary, and specific rather than general. 

3. Third, the modalities should be predictable and specify clear timelines. Currently, there is no clear deadline for when stakeholders are informed of the outcome of their accreditation requests. This carries the risk of effectively barring stakeholders from the substantive plenary sessions and dedicated thematic working group meetings held in close temporal proximity since informal consultations may still be ongoing after those meetings have already taken place. In addition, the absence of language on clear timelines does not ensure that stakeholders have sufficient time to arrange travel and visas if accredited, or to make alternative plans if not. Therefore, there should be a definitive update on stakeholder accreditation at least six weeks prior to the substantive plenary sessions to ensure that the annual accreditation process concludes before each substantive plenary session begins. If reports by the Chair on informal consultations are presented only at the next substantive plenary session, as foreseen in paragraph 17f), this risks stalling the process and turning accreditation into an unnecessarily prolonged issue. To enable sustained stakeholder engagement, stakeholder accreditation, once granted, should be valid for five years – rather than being tied to the duration of a five-year cycle as outlined in paragraph 17c), which may shorten the accreditation period if granted late in the cycle.

4. Fourth, unless states agree to introduce a fallback mechanism to the current veto power of individual states (see Point 1), the paragraph on provisional stakeholder participation during informal consultations – originally included in your January discussion paper, Mr. Chair – should be urgently reintroduced in Rev. 2 of the final report. Under this status, stakeholders may attend substantive plenary sessions and review conferences but cannot make statements. When reintroduced, the wording should also clarify that provisional participation applies at least until the Chair reports back on the informal consultations at the next substantive plenary session.

5. Fifth, referring to paragraph 17d), it would be desirable to specify that dedicated stakeholders will be able to attend substantive plenary sessions, meetings of dedicated thematic working groups, and review conferences.

6. Sixth, relating to paragraph 17d) addressing the participation of stakeholders in formal meetings, for stakeholder engagement to be truly effective, it is desirable that stakeholder interventions are not limited to dedicated stakeholder sessions, which only allow stakeholders to speak once during the week, often requiring them to focus their remarks on a specific pillar of the framework designated in advance. Rather than a single dedicated stakeholder session, a stakeholder segment should be included for each listed agenda item, with the opportunity for stakeholders to speak after states, while ensuring due consideration for the overall meeting time.

7. Lastly, accredited stakeholders should be able to make their interventions remotely, thereby alleviating financial or other barriers to participating in-person in New York. To support broad participation, these opportunities should be provided at rotating time slots to accommodate stakeholders based in different geographical regions. To allow stakeholders participating remotely to follow the ongoing discussion, it should be also ensured that all substantive sessions will be live-streamed via UN WebTV. 

In this spirit, we call on states to ensure stakeholder participation in an inclusive, meaningful, and resource-preserving manner in the future permanent mechanism. 

Thank you very much, Mr. Chair. We look forward to continuing the conversation on these important issues this week, and we hope that states will reach consensus on language that goes beyond the current text, which falls far short of reflecting the value stakeholders can bring to support intergovernmental deliberations on cybersecurity issues.

Supporting organizations (in alphabetical order):

1. Academia Mexicana de Ciberseguridad y Derecho Digital (AMCID)

2. Access Now

3. Centre for Humanitarian Dialogue, Geneva

4. CREST

5. Cybersecurity Policy and Resilience Program, interface

6. Cybersecurity Tech Accord

7. CyberPeace Institute

8. EU Cyber Direct – EU Cyber Diplomacy Initiative, European Union Institute for Security Studies (EUISS)

9. Forum of Incident Response and Security Teams (FIRST)

10. Global Cyber Alliance (GCA)

11. Global Partners Digital

12. ICT4Peace Foundation

13. KICTANet

14. Microsoft

15. R3D: Red en Defensa de los Derechos Digitales

16. SafePC Solutions

17. The Shadowserver Foundation

Supporting experts (in alphabetical order):

1. Ágnes Kasper, Head of Law Branch, NATO Cooperative Cyber Defence Centre of Excellence, Senior Lecturer of Technology Law, Department of Law, Tallinn University of Technology

2. Alexandra Paulus, Researcher, German Institute for International and Security Affairs (SWP)

3. Allison Pytlak, Senior Fellow and Cyber Program Director, Stimson Center

4. Chris Painter

5. Elaine Korzak, Research Scholar, Berkeley Risk and Security Lab, UC Berkeley

6. Jeffrey D. Bean, Program Manager, Technology Policy, ORF America

7. Klara Marland, Advisor and Lead of the Women in International Security and Cyberspace (WiC) Fellowship, Global Forum on Cyber Expertise (GFCE)

8. Pavlina Pavlova, Alliance of NGOs on Crime Prevention and Criminal Justice

9. Valentin Weber, Senior Research Fellow, German Council on Foreign Relations (DGAP)

Annex: Non-exhaustive examples of work by supporting organizations relevant to discussions in the OEWG and any future permanent mechanism under UN auspices discussing the security of ICTs

Academia Mexicana de Ciberseguridad y Derecho Digital (AMCID)

• Supporting regional capacity-building efforts by organizing workshops and training programs on digital rights, privacy, and cybersecurity, tailored to underrepresented communities with gender and intercultural sensitivity.

• Developing human rights-based governance tools, including templates for Human Rights Impact Assessments (HRIAs), to help states and stakeholders evaluate the risks of digital policies and technologies.

• Contributing to global research on neurotechnologies through a dedicated expert group that produces legal, ethical, and cybersecurity guidance on brain-computer interfaces and neuro-AI, with experience in international forums like the AI for Good Summit.

Access Now

• Provides digital security assistance through a Helpline for civil society - including human rights defenders and journalists - via 24/7 incident response, education and community assistance, and a security research analyst function.

• Monitors developments and produces policy guidance on human rights respecting approaches to ensuring systemic cybersecurity for policymakers at national, regional, and intergovernmental levels.

• Aids with dialogue and capacity building between different stakeholders groups via the RightsCon human rights and technology summit series.

Centre for Humanitarian Dialogue

• Pioneer of discreet, impartial and independent conflict mediation with a Digital Conflict Programme that draws on and feeds into broader multilateral initiatives to create a global framework for cyber stability.

• Engaging with a range of countries possessing advanced cyber capabilities to  foster  bilateral and regional dialogue and develop confidence-building measures.

• Providing expert input on UN efforts to build confidence in state use of ICT capabilities that respects international law and norms of responsible State behaviour.

CREST

• Developing standards for technical cyber security services and assessing service providers against them. CREST has accredited 480 member companies working in over 70 countries to give critical infrastructure and other customers confidence in the quality of service they are receiving.

• Developing and assessing the technical cyber security workforce. CREST’s syllabuses define the knowledge and skills required for key roles at progressive proficiency levels, which can be developed through CREST’s training material and educational partners, and tested and assessed through its certifications – which can be taken in over 3,500 exam centres in 158 countries – or its professional licencing on behalf of governments and regulators.

• Working with States to build capacity within the cyber security ecosystem, using its Pathway to accreditation and training capability within CREST CAMP programmes. Recent Australia, EBRD and UK sponsored CREST CAMP programmes have built service provider maturity in 14 countries including Indonesia, Ghana, Kenya, Malaysia, Morocco, Thailand and Vietnam.

CyberPeace Institute

• Promoting a harm-based, victim-centric approach to responsible state behavior through the Harms Methodology, to assess the human, societal, and systemic impact of cyberattacks.

• Tracking cyberattacks on vulnerable sectors via the Cyber Incident Tracer(s), linking incidents to UN norms and making harm data accessible for accountability and norm implementation.

• Providing demand-driven cyber capacity building to under-resourced organizations through tailored support and expert volunteer networks, reinforcing a human rights-based, inclusive approach.

Forum of Incident Response and Security Teams (FIRST)

• Development and delivery of the Toastville Table Top Exercise (TTX) series as part of the Women in International Security and Cyberspace (WiC) Fellowship program to build strong awareness and understanding of incident response and emerging threats, including TTXs on ransomware, DDoS (distributed denial of service), and AI-enabled cybercrime.

• Ongoing formal and informal engagement with policymakers, diplomats, and other decision makers to share insights into operational incident response and good practices, including the potential impacts of policy decisions on incident response, to support more well informed decision making.

• Delivering on the cyber capacity building and confidence building measures highlighted by the OEWG, including support for the establishment of CERT/CSIRTs, maintenance of a global incident response point of contact database, extensive formal and informal incident response mentorship initiatives, fostering of practice incident response communities of practice, and more, as highlighted at https://www.first.org/community.

Global Cyber Alliance

• Providing free cybersecurity toolkits in multiple languages to help build capacity in groups often left behind by existing efforts.

• Collecting and sharing data on global cybersecurity risks, including from malicious domains, malicious traffic, and poor routing practices.

• Establishing the Common Good Cyber Initiative with partners to strengthen the efforts of cybersecurity nonprofits and civil society on behalf of the common good.

Global Partners Digital

• Supporting broader civil society engagement, particularly from the Global Majority, through awareness raising, capacity building, and direct support to attend meetings.

• Assessing states’ positions on the applicability of international law from a human rights perspective, contributing meaningful analysis and insight on international law to foster consensus and give examples of good practice.

• Publishing toolkits and guidance on the development and implementation of the norms, including through the design of national cybersecurity strategies, helping translate agreements into action.

ICT4Peace Foundation

• Developing and operationalizing human rights-based guidance: Through initiatives like the 'Boots to Bytes' Toolkit and regional capacity-building programs, ICT4Peace Foundation provides concrete, practical guidance for states and other actors on how to implement responsible state behavior norms and international law in cyberspace, ensuring human rights are at the core.

• Highlighting human impacts and fostering accountability: Research and advocacy bringing a human-centric perspective to digital governance discussions, shining a light on the real-world impacts and unintended consequences of state cyber activities and policies on affected communities, and providing feedback for improvement.

interface (formerly Stiftung Neue Verantwortung)

• Research and analysis on how governments can implement the UN norms for responsible state behavior. Past outputs include policy papers on the implementation of norm (i) on software supply chain security and norm (j) on vulnerability disclosure. This year, the project examines how cyber capacity-building activities can support states in implementing the UN cyber norms, with a particular focus on enhancing detection capabilities.

• Research and analysis on the status quo of multilateral CBM implementation and the factors that contribute to their effective implementation.

• Awareness-raising of UN-level discussions by informing networks through online OEWG session debriefs, co-organized with the German Council on Foreign Relations (DGAP).

R3D: Red en Defensa de los Derechos Digitales

• Contributing to the operationalization of norms (especially norm 5) through the development of national legal and policy guidance, ensuring a rights-respecting approach.

• Gathering factual evidence on malware and assessing specific cyber risks through a human-centric approach, focusing on threats targeting public interest groups, including journalists and human rights defenders.

• Enhancing the capacity of public interest groups to address emerging cyber threats effectively by conducting digital security workshops. Throughout the OEWG mandate, R3D has provided a Global Majority perspective to emphasise the need for its inclusion in these discussions.