At the UN Open Ended Working Group II (OEWG II) informal dialogue on 3 July 2025 with stakeholders convened by the OEWG’s Chair, Ambassador Burhan Gafoor, ICT4Peace supported a joint statement on behalf of a coalition of civil society organizations and experts. You can read our full joint statement here: https://lnkd.in/etGTYCvj
The Statement reads as follows:
Joint civil society statement at Chair’s informal dialogue on July 3, 2025
Thank you, Ambassador Gafoor, for convening this dialogue and for your continued commitment to engaging with stakeholders.
I speak on behalf of the Centre for Humanitarian Dialogue, the Cybersecurity Policy and Resilience Program of interface, CyberPeace Institute, FIRST, the Global Cyber Alliance, Global Partners Digital, ICT4Peace Foundation, Red en Defensa de los Derechos Digitales, as well as the experts Alexandra Paulus, Allison Pytlak, Chris Painter, Elaine Korzak, Klara Marland, and Valentin Weber. We represent members of the organized civil society and research community in this discussion.
Given the importance of the issue, we would collectively like to address the Zero Draft and Rev. 1’s section on Additional Elements on Modalities on the Participation of Other Interested Parties and Stakeholders, including Businesses, Non-Governmental Organizations, and Academia in Annex III.
The scope and extent of non-governmental stakeholder participation in a future permanent mechanism on cybersecurity issues under UN auspices is central to that body’s real-world impact, relevance, and credibility. While this mechanism, like the OEWG, will be a state-led process, it is undeniable that ICTs are inherently multi-stakeholder in nature. Stakeholders play vital roles in the cybersecurity ecosystem, for example, by operating and defending infrastructure, providing practical guidance on the implementation of norms and the application of international law, conducting cyber capacity building activities, gathering and sharing cyber threat intelligence, and amplifying awareness of UN-level discussions by informing their networks about ongoing developments. This was also acknowledged by many Member States during the last OEWG substantive sessions.
Ensuring meaningful stakeholder participation is primarily for the benefit of UN Member States, also against the backdrop of limited resources and expertise. Leveraging the broad range of stakeholder expertise can support states in advancing an open, secure, stable, accessible, peaceful, and interoperable ICT environment. In the written version of our statement, the annex will also include a list of concrete examples of how the work of our organizations has contributed to previous discussions and can continue to contribute to the future permanent mechanism’s efforts.
The role of stakeholders in UN processes has been recognized from the very outset – at the San Francisco Conference exactly eighty years ago. It brought together not only official state delegations but also non-state “consultants.” The role of non-governmental organizations is also recognized in Article 71 of the UN Charter. As states wish to continue benefiting from the expertise and experience of stakeholders, it is essential that the rules and procedures of the new mechanism are favorable to their participation, predictable, and guided by principles of openness, inclusivity, and transparency.
Unfortunately, the text contained in the Zero Draft and Rev. 1 falls short of providing for stakeholder involvement in a “systematic, sustained, and substantive manner” (paragraph 17a)). Additional steps are needed to ensure that stakeholders can effectively add their voice to the discussions.
This includes:
1. First, eliminating as a priority the veto power of individual states in accrediting non-ECOSOC-accredited organizations in favour of a more transparent and inclusive accreditation process (relates to paragraphs 17e) and f)). The envisioned informal consultations of the Chair with objecting states, as outlined in paragraph 17f), will require the Chair’s time and resources, but are highly unlikely to result in any meaningful changes to the current status quo. They also do not provide an incentive to refrain from unsubstantiated vetoes.
The suggested language by Canada and Chile in their latest working paper, supported by a cross-regional group of now 40 states, offers a constructive way forward by introducing a “last resort” procedural decision by majority vote if consensus cannot be reached.
2. Second, also relating to paragraph 17f), greater transparency around objections is needed. Your proposal, Mr. Chair, is for the future Chair to disseminate a list of who vetoed who to Member States. However, objected stakeholders and the general public should also be informed, for instance, through a letter published on the website of the future mechanism. Moreover, states’ rationales to object to a stakeholder’s accreditation should be mandatory rather than voluntary, and specific rather than general.
3. Third, the modalities should be predictable and specify clear timelines. Currently, there is no clear deadline for when stakeholders are informed of the outcome of their accreditation requests. This carries the risk of effectively barring stakeholders from the substantive plenary sessions and dedicated thematic working group meetings held in close temporal proximity since informal consultations may still be ongoing after those meetings have already taken place. In addition, the absence of language on clear timelines does not ensure that stakeholders have sufficient time to arrange travel and visas if accredited, or to make alternative plans if not. Therefore, there should be a definitive update on stakeholder accreditation at least six weeks prior to the substantive plenary sessions to ensure that the annual accreditation process concludes before each substantive plenary session begins. If reports by the Chair on informal consultations are presented only at the next substantive plenary session, as foreseen in paragraph 17f), this risks stalling the process and turning accreditation into an unnecessarily prolonged issue. To enable sustained stakeholder engagement, stakeholder accreditation, once granted, should be valid for five years – rather than being tied to the duration of a five-year cycle as outlined in paragraph 17c), which may shorten the accreditation period if granted late in the cycle.
4. Fourth, unless states agree to introduce a fallback mechanism to the current veto power of individual states (see Point 1), the paragraph on provisional stakeholder participation during informal consultations – originally included in your January discussion paper, Mr. Chair – should be urgently reintroduced in Rev. 2 of the final report. Under this status, stakeholders may attend substantive plenary sessions and review conferences but cannot make statements. When reintroduced, the wording should also clarify that provisional participation applies at least until the Chair reports back on the informal consultations at the next substantive plenary session.
5. Fifth, referring to paragraph 17d), it would be desirable to specify that dedicated stakeholders will be able to attend substantive plenary sessions, meetings of dedicated thematic working groups, and review conferences.
6. Sixth, relating to paragraph 17d) addressing the participation of stakeholders in formal meetings, for stakeholder engagement to be truly effective, it is desirable that stakeholder interventions are not limited to dedicated stakeholder sessions, which only allow stakeholders to speak once during the week, often requiring them to focus their remarks on a specific pillar of the framework designated in advance. Rather than a single dedicated stakeholder session, a stakeholder segment should be included for each listed agenda item, with the opportunity for stakeholders to speak after states, while ensuring due consideration for the overall meeting time.
7. Lastly, accredited stakeholders should be able to make their interventions remotely, thereby alleviating financial or other barriers to participating in-person in New York. To support broad participation, these opportunities should be provided at rotating time slots to accommodate stakeholders based in different geographical regions. To allow stakeholders participating remotely to follow the ongoing discussion, it should be also ensured that all substantive sessions will be live-streamed via UN WebTV. In this spirit, we call on states to ensure stakeholder participation in an inclusive, meaningful, and resource-preserving manner in the future permanent mechanism.
Thank you very much, Mr. Chair. We look forward to continuing the conversation on these important issues next week, and we hope that states will reach consensus on language that goes beyond the current text, which falls far short of reflecting the value stakeholders can bring to support intergovernmental deliberations on cybersecurity issues. We will also provide a written version of our statement.
Supporting organizations (in alphabetical order):
● Centre for Humanitarian Dialogue, Geneva
● Cybersecurity Policy and Resilience Program, interface
● CyberPeace Institute
● Forum of Incident Response and Security Teams (FIRST)
● Global Cyber Alliance (GCA)
● Global Partners Digital
● ICT4Peace Foundation
● R3D Red en Defensa de los Derechos Digitales
Supporting experts (in alphabetical order):
● Alexandra Paulus, Researcher, German Institute for International and Security Affairs (SWP)
● Allison Pytlak, Senior Fellow and Cyber Program Director, Stimson Center
● Chris Painter
● Elaine Korzak, Research Scholar, Berkeley Risk and Security Lab, UC Berkeley
● Klara Marland, Advisor and Lead of the Women in International Security and Cyberspace (WiC) Fellowship, Global Forum on Cyber Expertise (GFCE)
● Valentin Weber, Senior Research Fellow, German Council on Foreign Relations (DGAP)
Annex: Non-exhaustive examples of work by supporting organizations relevant to discussions in the OEWG and any future permanent mechanism under UN auspices discussing the security of ICTs:
Centre for Humanitarian Dialogue:
● Pioneer of discreet, impartial and independent conflict mediation with a Digital Conflict Programme that draws on and feeds into broader multilateral initiatives to create a global framework for cyber stability.
● Engaging with a range of countries possessing advanced cyber capabilities to foster bilateral and regional dialogue and develop confidence-building measures.
● Providing expert input on UN efforts to build confidence in state use of ICT capabilities that respects international law and norms of responsible State behaviour.
CyberPeace Institute
● Promoting a harm-based, victim-centric approach to responsible state behavior through the Harms Methodology, to assess the human, societal, and systemic impact of cyberattacks.
● Tracking cyberattacks on vulnerable sectors via the Cyber Incident Tracer(s), linking incidents to UN norms and making harm data accessible for accountability and norm implementation.
● Providing demand-driven cyber capacity building to under-resourced organizations through tailored support and expert volunteer networks, reinforcing a human rights-based, inclusive approach.
Forum of Incident Response and Security Teams (FIRST)
● Development and delivery of the Toastville Table Top Exercise (TTXs) series as part of the Women in International Security and Cyberspace (WiC) Fellowship program to build strong awareness and understanding of incident response and emerging threats, including TTXs on ransomware, DDoS (distributed denial of service), and AI-enabled cybercrime.
● Ongoing formal and informal engagement with policymakers, diplomats, and other decision makers to share insights into operational incident response and good practices, including the potential impacts of policy decisions on incident response, to support more well informed decision making.
● Delivering on the cyber capacity building and confidence building measures highlighted by the OEWG, including support for the establishment of CERT/CSIRTs, maintenance of a global incident response point of contact database, extensive formal and informal incident response mentorship initiatives, fostering of practice incident response communities of practice, and more, as highlighted at https://www.first.org/community.
Global Cyber Alliance
● Providing free cybersecurity toolkits in multiple languages to help build capacity in groups often left behind by existing efforts.
● Collecting and sharing data on global cybersecurity risks, including from malicious domains, malicious traffic, and poor routing practices.
● Establishing the Common Good Cyber Initiative with partners to strengthen the efforts of cybersecurity nonprofits and civil society on behalf of the common good.
Global Partners Digital
● Supporting broader civil society engagement, particularly from the Global Majority, through awareness raising, capacity building, and direct support to attend meetings.
● Assessing states’ positions on the applicability of international law from a human rights perspective, contributing meaningful analysis and insight on international law to foster consensus and give examples of good practice.
● Publishing toolkits and guidance on the development and implementation of the norms, including through the design of national cybersecurity strategies, helping translate agreements into action.
ICT4Peace Foundation
● Developing and operationalizing human rights-based guidance: Through initiatives like the ‘Boots to Bytes’ Toolkit and regional capacity-building programs, ICT4Peace Foundation provides concrete, practical guidance for states and other actors on how to implement responsible state behavior norms and international law in cyberspace, ensuring human rights are at the core.
● Highlighting human impacts and fostering accountability: Research and advocacy bringing a human-centric perspective to digital governance discussions, shining a light on the real-world impacts and unintended consequences of state cyber activities and policies on affected communities, and providing feedback for improvement.
interface (formerly Stiftung Neue Verantwortung)
● Research and analysis on how governments can implement the UN norms for responsible state behavior. Past outputs include policy papers on the implementation of norm (i) on software supply chain security and norm (j) on vulnerability disclosure. This year, the project examines how cyber capacity-building activities can support states in implementing the UN cyber norms, with a particular focus on enhancing detection capabilities.
● Research and analysis on the status quo of multilateral CBM implementation and the factors that contribute to their effective implementation.
● Awareness-raising of UN-level discussions by informing networks through online OEWG session debriefs, co-organized with the German Council on Foreign Relations (DGAP).
R3D Red en Defensa de los Derechos Digitales
● Contributing to the operationalization of norms (especially norm 5) through the development of national legal and policy guidance, ensuring a rights-respecting approach.
● Gathering factual evidence on malware and assessing specific cyber risks through a human-centric approach, focusing on threats targeting public interest groups, including journalists and human rights defenders.
● Enhancing the capacity of public interest groups to address emerging cyber threats effectively by conducting digital security workshops. Throughout the OEWG mandate, R3D has provided a Global Majority perspective to emphasise the need for its inclusion in these discussions.