Blog Reflections from UN Cybersecurity Conference

Blog posts
Written By Stephanie Hwang

From July 8-12, 2024, I had the privilege of attending the United Nations Open-Ended Working Group (OEWG) on Cybersecurity. This eighth session was part of an ongoing effort to tackle the critical cyber threats facing states and shape the future of international law in cyberspace. During this session, diplomats and experts negotiated the third Annual Progress Report (APR)—a significant milestone in global cyber diplomacy.

The first APR in 2022 identified key cyber threats and established norms for responsible state behavior. The second APR refined these norms, focusing on implementation and trust-building. This year's report built on that foundation, introducing concrete steps for international cooperation, capacity-building, and accountability.

Among the key developments in this year's APR were the OEWG Chair’s Voluntary Checklist of Practical Actions, a guide to implementing non-binding norms of responsible state behavior. The report also addressed emerging tech threats, including AI security and data protection in machine learning, and gave more attention to ransomware and cryptocurrency theft. Another highlight was the launch of the Global Points of Contact (POC) directory, designed to foster international cooperation through improved communication and information sharing.

Here are the four biggest takeaways from this session.

1. Emerging Tech Threats Finally Recognized: Cryptocurrency

One of the most important takeaways from the session was the long-overdue focus on cryptocurrency-related threats. Delegates from South Korea, Japan, and the U.S. raised concerns about the growing risks of crypto theft and its impact on international peace and security. For the first time, the APR explicitly acknowledged this threat: “States also highlighted with concern rising cryptocurrency theft and financing of malicious ICT activity using cryptocurrency, which could potentially impact international security” (p. 4, para. 20).

This was personally significant for me, as my senior thesis focused on the cybersecurity risks of cryptocurrencies, particularly ransomware. For years, crypto threats were largely overlooked in both academic and diplomatic circles. In March 2023, while researching for my thesis, I remotely attended the UNIDIR Cyber Stability Conference. Despite the growing risks, digital assets weren’t even mentioned. This omission was striking, especially given that, around the same time, North Korean Advanced Persistent Threat (APT) groups were linked to high-profile crypto hacks, such as the $100 million Harmony bridge attack.

Seeing cryptocurrency threats discussed at such a high-profile forum validated my concerns and signaled a shift in the global cybersecurity discourse. Crypto is no longer viewed as a niche issue but recognized as a central challenge to international security. However, this also highlighted the slow pace of diplomatic progress. The evolving threat landscape demands more proactive and adaptable frameworks.

2. Diplomacy Is All About Precision

The level of technical precision during negotiations was remarkable. Small changes in language—such as China’s push to modify “key function” to “one of the key functions”—can have broader implications for international agreements. Every term, every phrase, is the result of delicate balancing acts between competing political agendas. Watching these negotiations unfold made it clear that, in international law, every word counts.

3. The Debate Over International Humanitarian Law (IHL)

A major flashpoint was the debate on whether International Humanitarian Law (IHL) applies to cyberspace. Countries like the U.S. and France argued strongly for its inclusion, believing IHL is essential for protecting civilians during cyber conflicts. On the other hand, China, Russia, and Iran opposed it, concerned that invoking IHL would legitimize military operations in cyberspace.

Ultimately, IHL was left out of the final document. While this outcome wasn’t surprising given the longstanding disagreements among major players, I strongly disagree with the decision. As civilian infrastructure—like healthcare systems and power grids—becomes increasingly vulnerable to cyberattacks, the lack of clear protections is a significant oversight. The absence of clear rules governing state behavior in cyber conflicts leaves a dangerous gap in protections that IHL could help address.

Given the stark geopolitical divides between Western states and the Sino-Russian bloc, this compromise was likely necessary to ensure the third APR moved forward with unanimous support. While leaving out IHL was a missed opportunity, consensus is key in multilateral diplomacy, and it keeps the momentum going for future discussions. Still, this issue remains an area where stronger legal frameworks must be pursued.

4. Geopolitical clashes over International Law

Beneath the technical debates, this session reflected deeper geopolitical tensions that date back to the early days of global cyber negotiations. The exclusion of International Humanitarian Law (IHL) from the final report highlighted a broader pushback against the Western-led legal order. Russia and China, long-time opponents of IHL’s application to cyberspace, led arguments against its inclusion, positioning it as a tool of Western dominance.

Historically, Russia has proposed an alternative framework, advocating for an alternate Code of Conduct on Information Security as early as 1998. Backed by China, this initiative resurfaced in 2011 and again in 2015 through the Shanghai Cooperation Organization, pushing for more state control over the internet—an idea Western states resisted, fearing it would legitimize authoritarian censorship.

These historical disagreements surfaced again during this OEWG session, as the Sino-Russian bloc, along with countries like Iraq, Nicaragua, and Belarus, continued to push for a legally binding cyber instrument. In contrast, the U.S., UK, and their allies, along with emerging players like Brazil and South Africa, favored sticking to the implementation of previously agreed cyber norms rather than revisiting foundational principles. Despite overwhelming support from these states, the Sino-Russian bloc ultimately succeeded in excluding IHL from the final report. This outcome reflects the delicate balance of power in international cyber diplomacy, where consensus—even on soft-law frameworks—often requires concessions to maintain multilateral progress.

Looking Ahead

The third APR was passed with total consensus on July 13th, 2024. It was a crucial achievement in global cyber diplomacy. Achieving unanimous agreement in a multilateral setting like the UN is rare, especially given the geopolitical tensions between the major powers.

However, looking ahead, the success of future cyber negotiations within the OEWG will hinge on the answers to several questions:

  • How can the Global Points of Contact (POC) Directory be fully implemented and maintained as a confidence-building measure? And should new CBMs be introduced to complement it?

  • The OEWG’s mandate ends in July 2025, which means a new form of Regular institutional dialogue (RID) needs to be established to discuss ICT security. What structure and thematic focus should the new institutional dialogue mechanism adopt post-2025?

  • How should the OEWG involve non-state actors, like private companies and civil society, in its discussions?

As cyber operations become deeply embedded in national security strategies, future discussions must adapt to this shifting landscape. The challenge will be reconciling traditional conflict paradigms with the complex realities of cyber threats. How we define and regulate the intersection of cyber warfare and conventional conflict will shape the future of global security—I'm eager to see how these critical debates unfold.

Stephanie Hwang
Previous

Two Years of X Under Elon Musk
Next

The Fall of Chevron and the Future of Tech Regulation