UN Norms: Tackling the Rise of Cyber Capabilities

RUSI, Mar 30, 2026

Why It Matters

Without substantive progress, the international community risks a fragmented cyber security regime, while the Global Mechanism offers the only institutional avenue for coordinated norm development.

Key Takeaways

  • OEWG concluded 2025, no new norms beyond 2015 agreement.
  • New UN Global Mechanism will host permanent cyber dialogue.
  • Major powers resist discussing offensive cyber ops and espionage.
  • Confidence‑building measures remain symbolic due to limited threat perception.
  • Private‑sector participation still blocked by Russia, China.

Pulse Analysis

The United Nations’ two‑decade effort to codify state conduct in cyberspace reached a modest milestone in July 2025 when the Open‑Ended Working Group (OEWG) issued its final report. By anchoring the 2015 Group of Governmental Experts (GGE) framework—eleven widely‑accepted norms—the OEWG avoided controversy but also failed to push the agenda forward. This outcome reflects a broader diplomatic calculus: states prefer consensus on low‑risk language rather than confronting the thornier issues of cyber warfare, espionage, and private‑sector involvement that could jeopardise strategic advantages. The creation of a permanent Global Mechanism signals a willingness to keep the conversation alive, yet its effectiveness will hinge on whether it can move beyond symbolic confidence‑building measures toward actionable transparency.

Political realities dominate the cyber‑norms landscape. Russia and China, backed by a handful of aligned nations, consistently block discussions that might constrain their offensive capabilities or expose espionage programs. Meanwhile, Western powers are reluctant to cede any operational freedom, resulting in a stalemate that mirrors Cold‑War arms‑control deadlocks but without the existential urgency that once drove nuclear negotiations. Existing confidence‑building measures—information exchanges, notification protocols—are ill‑suited to the covert, rapid nature of cyber attacks, rendering them largely ceremonial. Moreover, the private sector, which designs and operates much of the critical infrastructure, remains on the periphery of negotiations, limiting the practical relevance of any norms that emerge.

Looking ahead, the Global Mechanism’s dual‑track structure—one focusing on concrete cyber challenges, the other on capacity building—offers a pragmatic pathway. By leveraging real‑world incident sharing and joint resilience projects, member states can build trust incrementally, laying groundwork for tougher debates on offensive cyber operations and espionage. Updating the 2015 norms to address cloud computing, AI, and big‑data analytics will also be essential to maintain relevance. While progress will be gradual, sustained engagement through the Mechanism could prevent a fragmented regulatory environment and foster a baseline of responsible state behaviour in an increasingly contested digital domain.
