The Rules of the Road in Cyberspace, 10 Years Later

Cyber operations have become an enduring feature of geopolitical competition, increasingly targeting critical infrastructure and testing the boundaries of international stability. In the past few weeks, Microsoft reported that Chinese state-linked and non-state actors had exploited a zero-day vulnerability affecting on-premises SharePoint servers – including at the US National Nuclear Security Administration, which is responsible for overseeing nuclear weapons. The vulnerabilities were reportedly ‘exploited en masse to intrude hundreds of organizations globally’, spanning governments and critical sectors.

Incidents like this are not exceptional – they are emblematic of a broader pattern: persistent, state-linked cyber operations that exploit systemic vulnerabilities, erode trust and undermine international stability. Against this backdrop, efforts to define how states should behave in cyberspace – what is acceptable and what crosses the line – have become more urgent, but also more contested.

And yet, amidst these tensions – and perhaps paradoxically – 193 states gathered at the United Nations from 7 to 11 July to negotiate precisely that: the rules of the road for state behaviour in cyberspace. This final session of the Open-Ended Working Group (OEWG) on cybersecurity marked the conclusion of a five-year diplomatic process under the UN First Committee on Disarmament and International Security.

The session resulted in the establishment of a Global Mechanism, the approval of a final report that had been significantly watered down, and – somewhat unexpectedly – the early conclusion of negotiations on the final day, avoiding what many anticipated would be a long Friday of talks.

This piece brings together experts who have followed these negotiations from up close. Their reflections trace both the progress and sticking points of the past five years in each of the six thematic areas covered by the OEWG (existing and potential threats, norms, international law, confidence building measures, cyber capacity building and regular institutional dialogue) – and offer insights into what lies ahead.

Cyber Diplomacy Amid Growing Scepticism

Louise Marie Hurel

But first, a note on context and importance for the sceptics who (rightfully so) have and may continue to ask why and how a UN process can help devise concrete responses to growing instability in cyberspace.

Since 2004, the UN has hosted formal negotiations on this issue, beginning with the Group of Governmental Experts (GGE), which reached a milestone in 2015 by reaffirming that international law applies to cyberspace and by proposing 11 non-binding norms for responsible state behaviour. A decade later, those norms and the legal principles they reference have become the cornerstone of the UN Framework for Responsible State Behaviour in Cyberspace. And unlike the more exclusive, time-limited GGEs, the OEWG’s universal format granted all member states a seat at the table and a five-year mandate (2021–2025) to address this evolving security domain.

As I sat in a (thankfully) air-conditioned UN conference room on a scorching Manhattan morning, somewhere between 42nd and 45th Street, I watched states large and small gather to negotiate the final document of this phase: an articulation of shared (and diverging) understandings across the six key topics.

To those outside the room – especially security researchers, private sector companies, or national security practitioners – the idea that the UN could meaningfully shape cyber behaviour may seem overly diplomatic, even naive. After all, in the context of Russia–Ukraine, Israel–Iran, or India–Pakistan, cyber campaigns are no longer blips in armed conflict or crises; they are a feature of it. States are speaking more explicitly about integrating cyber as part of broader deterrence strategies and as a core part of achieving ‘warfighting’ readiness. The US is adopting a full-spectrum operational posture. The UK is integrating cyber and electromagnetic capabilities under one command.

As states exploit the fine lines between crisis and conflict, the strategic imperative remains: without shared understandings – however limited – about what constitutes responsible behaviour in cyberspace, the risk of escalation will only grow.

Yet, experts and states remain divided on the ‘how’. Some believe existing international law is sufficient. Others call for a new treaty. Some focus on attribution and cost-imposition, while others stress resilience and capacity-building. Despite not being mutually exclusive, these debates – between legal obligation and political feasibility, between deterrence and cooperation – leave many stakeholders navigating a fragmented system.

In this context, security experts, operators and most private sector companies might think that the United Nations would not be the first place for them to look at, if seeking progress, less so action, in these areas. The realm of diplomacy plays its strategy in a different tempo from the rapid response cycles of security researchers, and with other gains in mind. Balancing competing strategies while promoting peace and stability in cyberspace is much like a game of chess.

Despite valid criticism of the pace and impact of the norms, we should remember what success looks like for multilateral diplomacy to fairly assess the overall potential gains.

First, the commitment to enhancing stability in cyberspace is certainly the objective, but the prevailing logic of achieving this operates within the mandate of the process – in other words, it focuses on negotiating the document.

Second, diplomacy, especially at the UN, revolves around creating a system of references. The more resolutions use certain terminology or reference each other, the more relevant those terms become. This creates a reference point of international agreement and consensus – ultimately defining what the international community of states has agreed upon. Without an appreciation of this diplomatic logic, scholars and commentators might misjudge the nature of the process and gains within this specific mindset.

States use the framework in different ways. France has referred to violations of norms as part of its first attribution. Czechia has done the same.

Ultimately, the UN framework provides a vital common language and foundation for states to articulate and enforce expectations. Even if imperfect, it remains an indispensable pillar in the evolving architecture of global cyber governance.

Views on the Six Pillars

A New Global Mechanism for International Cybersecurity

Christina Rupp

Since the first OEWG began its work in 2019, continued by the 2021–2025 OEWG II, member states have wrestled with how to move beyond ad hoc mandates and institutionalise cybersecurity discussions in a permanent UN forum. The chair of the second OEWG aptly described this moment as a once-in-a-generation opportunity.

Various proposals were made over the years to set up this permanent forum: the France-led and EU-backed Program of Action (PoA), Russia et al.’s permanent OEWG, and China’s somewhat hybrid model combining substantive and dedicated plenary sessions. After nearly seven years of discussions (2019–2021 and 2021–2025 OEWG), member states reached an agreement on establishing the ‘Global Mechanism on developments in the field of [information and communications technologies] in the context of international security and advancing responsible State behaviour in the use of ICTs.’

This mechanism retains the OEWG’s themes for plenary sessions – threats, norms, international law, confidence-building measures and cyber capacity-building – while also introducing dedicated thematic groups (DTGs) (a key component of the PoA proposal). These were designed to enable more cross-cutting and targeted discussions across pillars. Agreement on DTGs, however, proved contentious. States ultimately endorsed two groups for the mechanism’s first five years: a broad DTG 1 covering all framework pillars and a focused DTG 2 on cyber capacity-building. Additional DTGs may be added at a later stage, subject to consensus.

Another area of disagreement was stakeholder participation. The second OEWG’s practice of accrediting non-ECOSOC-accredited organisations on a non-objection basis, thereby allowing a single state to exclude organisations without providing a rationale, remained a key issue. A cross-regional group led by Canada and Chile, echoed by a joint multi-stakeholder statement, proposed reforms for greater inclusivity and transparency. The final report made only modest improvements, including informal consultations between the chair and objecting states. The unilateral veto, however, remains intact.

Still, the agreement marks a major milestone, representing a shared commitment to a single, sustained multilateral process on cyber stability. In a tense geopolitical environment, the OEWG avoided the fragmentation that could have resulted from rival parallel processes – a real risk, given the overlapping OEWG and GGE efforts from 2019 to 2021.

But the establishment of the Global Mechanism will depend on member states adopting a single resolution on it in the UN General Assembly later this year. To be tabled by Singapore, the resolution will incorporate the elements agreed upon by the OEWG. As the mechanism prepares to launch by March 2026, member states should begin defining agenda priorities, particularly for DTG 1, to prevent it from evolving into a mere extension – or worse, duplication – of the plenary.

Existing and Potential Threats

Louise Marie Hurel

On 17 February 2025, the US took the floor for its opening statement of the OEWG’s penultimate session. ‘We condemn China’s wide-scale pre-positioning on the operational networks of critical infrastructure systems in the U.S. and around the world . . . Their aim is to use harm against civilians by depriving them of critical infrastructure services to deter U.S. action, induce societal panic and interfere with governmental decision-making.’ This prompted a request for a ‘right for reply’ from China: ‘could you please make a commitment to the world that the US has never launched any pre-positioning of critical infrastructure of the entire world?’

Rather than being detached from reality, discussion on threats is one of the most dynamic areas of the OEWG, often mirroring real-world tensions.

But as Costa Rica faced an unprecedented ransomware attack in 2022 – crippling government ministries and prompting the declaration of a national emergency – followed by what was later dubbed a global ‘ransomware epidemic’, states included ransomware in the 2023 Annual Progress Report (APR). While there were differing views on how prominently it should feature in the final report, its inclusion is far from trivial. It marks a reference point: states now recognise that ransomware is an international peace and security issue.

States gradually built consensus through these reports, also adding references to broadly-named ‘commercially-available ICT intrusion capabilities’. The inclusion of this in the 2024 APR came a few months after the launch of the Pall Mall Process – an initiative to discuss the proliferation and irresponsible use of such tools. The flow of this reference, from a minilateral forum into the multilateral negotiation, is significant. It reflects a strategy to make certain threats and shared understandings of irresponsible cyber activity mainstream. Consensus is being built incrementally.

Another set of ‘new’ threat references have been included towards the end of the process, such as: AI security and safety, subsea cables, quantum computing and cryptocurrency theft. Some of these threats, such as subsea cable sabotage, are not cyber threats per se, but rather reflect growing concern about grey zone activity with cyber-relevant effects. Their inclusion offers a diplomatic entry point for future discussions, even if the scope expansion remains contested.

Ultimately, identifying threats in OEWG reports is not just descriptive; it is a strategic endeavour. These references serve as building blocks for future negotiation efforts. But how states will use them – whether to expand dialogues or resist them – remains to be seen.

Norms

Allison Pytlak

In the ten years since the approval of the 11 norms, it has become evident that states and other relevant stakeholders would benefit from guidance on how to operationalise them and assess progress in doing so. Discussions during the OEWG sessions often revolved around a familiar tension: whether to focus on implementing existing norms or push for new ones.

In the final report, states affirmed that additional new norms could be developed over time, but that doing so should not affect implementation of the present norms. States also affirmed that norms do not replace or alter states’ obligations or rights under international law. The report especially highlights a few of the norms, notably those on due diligence (norm c); protection of critical infrastructure (norms f, g, h); and on supply chain security (norm i), and underscores the importance of public–private partnerships and whole of government coordination.

This 2021–2025 OEWG built on relevant efforts from its 2019-2021 predecessor to draft a voluntary norms checklist, which was submitted for adoption by the OEWG Chair as an annex to the final report. The draft built on guidance provided by the 2021 GGE final report and a checklist developed by ASEAN in 2024, as well as talks in the OEWG. However, despite having received wide support, the checklist is not included in the final report as part of a broader compromise to balance language in the report on developing new norms. Instead, it will remain open for discussion in the new Global Mechanism ‘with a view to its finalization’ but recognizing that it is ‘the prerogative of States to structure their implementation efforts in accordance with national policies and circumstances’.

In a diplomatic process, everything is political and discussion on norms was not exempt. While the original 11 remain relevant, proposals to expand them – on issues like election interference and AI – exposed divides. Many states supporting new norms also advocate for a binding cyber treaty, arguing that existing law is insufficient. A small but vocal group used the OEWG to contest the framework’s legitimacy, pushing for a new legal instrument. This divide is likely to persist in the Global Mechanism.

Proponents of the framework should not have to justify the legitimacy of the norms, but much more can be done to boost capacity for their operationalisation, assess progress and socialise the norms beyond the diplomatic community. Prioritising such activities in the Global Mechanism is essential.

International Law

Talita Dias

Throughout its mandate, the 2021–2025 OEWG operated in a challenging geopolitical environment, including the full-scale invasion of Ukraine and the war in Gaza. Strong political divisions around the world mirrored a staunch ideological battle that marred the group’s discussions about how international law applies to cyber operations.

Proponents of a new legally binding instrument for cyberspace were adamant that the OEWG was not taking them seriously. Other states pushed back with the now well-established truism that international law applies to cyber operations and therefore the focus of the OEWG should be on how it applies in this context. These two dominating camps were seemingly irreconcilable. As a result, no consensus was reached on the matter, beyond reaffirming what the rules and principles that the GGE and the 2019–2021 OEWG had already recognised apply in the ICT context, such as sovereignty, non-intervention, peaceful settlement of disputes, the prohibition on the use of force and international humanitarian law.

Overall, the OEWG annual progress reports offered limited substantive contributions to the evolving debates on these and other rules of international law. This was a missed opportunity, because the choice between adopting a new treaty and relying on the existing international legal framework is not a binary one. Unfortunately, political tensions and false dichotomies persisted until the very end, ultimately derailing the proposal for a dedicated thematic group on international law under the future Global Mechanism.

Yet it would not be entirely accurate to say that the OEWG achieved nothing in this area: ironically, its most meaningful contributions unfolded outside the formal UN setting – through numerous side events and parallel discussions on critical issues, such as the protection of critical infrastructure, due diligence and countermeasures. These efforts, particularly those that led to the development of national positions, stand as the main legacy of the OEWG when it comes to international law in cyberspace.

Confidence-Building Measures 

Eugene EG Tan

‘The OEWG is a confidence building measure’ is probably the sentence most often heard at the 2021–2025 OEWG. While aptly describing the specific discussion on confidence-building measures (CBMs), it is paradoxically taking place at a time where confidence among states is abysmally low due to various geopolitical incidents.

But over the course of the five-year process, states reached consensus on expanding CBMs, recognising that doing so strengthens the collective implementation of the UN Framework for Responsible State Behaviour in Cyberspace.. Among the key outcomes of the OEWG are: (i) the operationalisation of the points-of-contact directory; and (ii) the approval of the list of eight CBMs contained in the third Annual Progress Report in 2024. The progress at the OEWG tells us that confidence and agreement over frameworks is not achieved in a single session, and not in a final year where the negotiation of the report is all that matters. Confidence and agreement are instead intentional, iterative and cumulative.

As this OEWG built on the acquis of its predecessors (OEWG and GGE), the CBMs it produced must be carried forward into the new Global Mechanism. Notably, CBM 8 from the 2024 APR calls for stronger public–private partnerships, acknowledging that responsible behaviour in cyberspace cannot be the remit of states alone. States make the policies and political direction; businesses own and operate critical infrastructure; and academics help when understandings are poor, while working together with other stakeholders to discuss what implementation means to states and societies.

Further, while discussions at the United Nations are still a political process and still require the work of diplomats, discussions over threats from the use of ICT increasingly require technical and non-governmental expertise. Technical expertise is essential to have a holistic understanding of these threats, and so is cross-disciplinary collaboration between policy, legal and technical sectors, to ensure that responses to these threats and future threats are meaningful, feasible and sustainable and agreements made at the OEWG have practical outcomes.

In conclusion, if states truly recognise that the contributions of technical experts are valuable in the development of rules of responsible state behaviour in cyberspace, then states will need to encourage and support the involvement of these experts in both current and future processes. Some experts, especially from developing countries, may need financial support or incentive to participate.

Cyber Capacity-Building

Valentin Weber

In the past five years, cyber capacity-building has gained weight within UN negotiations on intentional cybersecurity. Also, it is the thematical pillar where the OEWG reached the most impactful outcome. For example, dozens of female delegates to the Women in International Security and Cyberspace Fellowship joined and actively shaped the discussions which they otherwise would not have been able to attend.

Capacity-building has action-oriented momentum and has proven itself to be the area where non-state stakeholders have had the strongest voice. In this vein, the final report of the 2021-2025 OEWG contains the recommendation that, starting in 2026, states convene global roundtables on capacity-building, which should allow for more fruitful collaboration between states and non-state stakeholders.

The future Global Mechanism might also discuss a UN voluntary fund to support capacity-building. But while capacity-building is important, there are other priority areas that should receive just as much attention.

The current OEWG, as well as the future Global Mechanism, are just as much about threats, confidence-building measures, international law and the implementation of norms. Annex I of the final report lays out two dedicated thematic groups: one that draws on all five pillars that the OEWG discussed, and a second one which is primarily focused on capacity-building.

This division and heavy emphasis on one single theme, despite being cross-cutting, is difficult to justify. International law or threats are just as cross-cutting in nature. Therefore, the thematic group dedicated to capacity-building should be rebranded as not solely building capacity of the least developed (which would remain important), but the capacity of all. In short, the group should be about norm implementation.

© RUSI, 2025.

The views expressed in this Commentary are the authors', and do not represent those of RUSI or any other institution.

For terms of use, see Website Terms and Conditions of Use.

Have an idea for a Commentary you'd like to write for us? Send a short pitch to commentaries@rusi.org and we'll get back to you if it fits into our research interests. View full guidelines for contributors.