30 Mar International Cyber Law Strategy for the UN Global Mechanism
[Liis Vihul is the Founder and Chief Executive Officer of Cyber Law International and an Ambassador of the NATO Cooperative Cyber Defence Centre of Excellence. She served as the Managing Editor of the “Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations” and was a member of, and advised, the Estonian delegation at the United Nations Group of Governmental Experts on Information and Telecommunications in the Context of International Security in 2014-21.]
As the new United Nations Global Mechanism begins its work this week, states will soon need to decide how international law will feature in it.
The Global Mechanism is the UN’s new standing forum for state-led discussions on cyberspace, replacing a series of time-limited processes. Its purpose is to provide a permanent platform for multilateral dialogue, coordination, and the gradual development of a framework governing responsible state behavior in cyberspace.
The Global Mechanism will operate in five-year cycles, each comprising two consecutive two-year phases followed by a review phase in the fifth year. During each two-year phase, states will meet twice annually in week-long sessions, with one week devoted to plenary meetings and the other to so-called “dedicated thematic groups.” In the first five-year cycle, the Global Mechanism will have two thematic groups: one focused on “specific challenges” to international peace and security in the cyber context, and the other on capacity-building. All decisions of the Global Mechanism will be adopted by consensus in plenary.
States have already agreed that one of the functions of the Global Mechanism will be “to continue to study how international law applies in the use of ICTs … .” The international law mandate is built into the plenary structure, which is organized around the “five pillars” of the framework for responsible State behaviour in the use of ICTs. International law is one of these pillars, alongside existing and potential threats, voluntary norms, confidence-building measures, and capacity building. This means that approximately one day of the annual five-day plenary session will be devoted to international law. Next week’s meeting will also decide to what extent international law will feature in the deliberations of the thematic working groups. With such limited time available for international law matters, choosing how to spend scarce negotiating capital becomes especially critical. This post outlines four ways states could structure their engagement with international law within the Global Mechanism.
From Applicability to Practice
The predecessors of the Global Mechanism, the UN Groups of Governmental Experts (operating between 2012 and 2021) and the Open-Ended Working Groups (2019–2025), approached international law largely at an abstract level. Their deliberations focused on whether existing law applies in the cyber context and whether new law is required to govern this domain.
While meaningful progress was made in recognizing the applicability of certain principles and rules, agreement remained contested on others, including countermeasures, self-defence, and international humanitarian law (IHL). These disagreements were significant enough to contribute to the 2016–17 GGE failure, demonstrating how difficult it was to reach consensus on key legal questions. Considerable effort was subsequently required to rebuild common ground, culminating in the 2021 GGE report – the high point of agreement on international law in this domain – which reaffirmed established positions, further elaborated the relevant international law, and explicitly recognized the applicability of IHL to cyber operations in armed conflict.
That consensus, however, proved difficult to sustain. During the 2021–25 OEWG process, previously agreed language was reopened, and by 2025 the 2021 GGE formulations were only partially reflected in the final outcome.
Because UN processes to date have largely focused on debating whether existing law applies in the cyber context, they have not meaningfully addressed the central aspect of their mandates, namely how it applies. While this inquiry necessarily begins with identifying the applicable rules, its core lies in examining how the relatively broad principles and rules of international law operate in practice.
In shaping the international law agenda for the Global Mechanism, states therefore face a strategic choice – whether to continue with abstract, consensus-driven debates on applicability, or to shift toward a more practice-oriented approach. Given persistent disagreements and limited negotiating space, the former is unlikely to produce meaningful progress. This post argues for the latter and proposes a set of concrete international law deliverables. Whether these are best pursued in the plenary or within thematic groups will depend on how states define their scope and tasks.
Four Functions for Advancing International Law
The first international law deliverable of the Global Mechanism would be an international law reporting function. This would involve annual reporting on Member States’ international law practices, including, for example, adopted or revised national positions on the application of international law in cyberspace, expressions of opinio juris, invocations of international law in response to cyber operations, and relevant domestic or regional jurisprudence. Reporting mechanisms in other areas of international law, such as human rights treaty bodies and transparency frameworks in arms control, demonstrate how the systematic collection of state practice can enhance transparency, clarify how states interpret their legal obligations, and inform compliance assessments. If done well, a reporting function would create a centralized, comprehensive, and up-to-date public record of international law practice, which, beyond its intrinsic value, would also help cultivate a rule of law culture in cyberspace.
The second, and more ambitious, deliverable would be an international law review function for the Global Mechanism. This function could draw on elements from established mechanisms such as the Human Rights Council’s Universal Periodic Review or the UN Convention Against Corruption’s Implementation Review Mechanism. Unlike the reporting function, it would assess the extent to which states’ practices comply with international law, relevant standards, and best practices. To that end, the Global Mechanism would need to define the criteria for such assessments. These could include whether states have developed international legal policies on cyber matters, how clear and transparent those policies are, how they align with established baseline commitments reflected in the GGE and OEWG reports, and whether states’ public record of cyber activities appears consistent with international law. If properly scoped, such a function would help align how states apply and interpret international law in cyberspace, while also introducing a degree of peer accountability.
Of course, it is unrealistic to expect that a review proposal along these lines would be adopted without significant resistance, particularly given that many, if not most, states would be unwilling to subject themselves to mandatory review. Any such function would therefore need to be introduced initially on an opt-in basis. Moreover, key questions such as who conducts the review, how politicization is mitigated, and whether outcomes are descriptive or evaluative would need to be addressed. The scope of the review would also need to be carefully limited, at least at the outset, to avoid politically sensitive issues such as adjudicating facts or attributing cyber operations. Despite these challenges, it is worth noting that review mechanisms already exist within the UN system. A narrowly and clearly scoped voluntary review function would therefore provide a practical means of signalling the value of proactive and transparent engagement with international law in cyberspace, as well as the importance of consistency between states’ legal positions and their conduct.
The third international law deliverable would be an operationalization function. This would shift the debate from abstract doctrinal discussions to the practical application of international law to concrete cyber incidents, responding to repeated proposals by states in the second OEWG process for scenario-based discussions. To deliver lasting value, it would need to produce substantive, concrete outputs, rather than serve solely as a forum for discussion.
The Global Mechanism could, for example, develop a series of representative cases reflecting high-risk cyber activities, such as ransomware operations with a state nexus or disruptive cyber operations affecting critical infrastructure, and examine their legal implications through a structured process involving written state inputs and facilitated deliberations. The outputs could include consolidated summaries of positions, areas of convergence and divergence, as well as identification of key points of disagreement and their underlying legal rationales. In this way, the operationalization function would generate de facto interpretive guidance without requiring consensus among states on the precise legal characterization of specific cases.
A fourth international law deliverable would take the form of a capacity-building function that would strengthen states’ ability to apply international law in practice and to develop national legal policy in the cyber domain. Given that capacity-building is one of the plenary’s five pillars, and that one of the dedicated thematic groups is tasked with advancing it, integrating international law capacity-building into both the plenary and the dedicated thematic group would be relatively straightforward.
States’ capacity-building needs in international law are multifaceted. These range from basic and advanced training for legal and other government officials to legal advice on responding to cyber incidents, support in developing national positions on the application of international law in cyberspace in a manner that best serves their national interests, and the integration of international law into cyber defence and operations doctrine. To maximize impact, the Global Mechanism should help ensure that capacity-building efforts are sustained and tailored, and supported by a broader base of donor states.
Feasibility and Strategic Implications
The four proposed functions rest on the assumption that a critical mass of states is willing to commit its negotiating capital to upholding the rule of law in cyberspace. The reporting and review functions are likely to appeal to states that have developed national positions on the application of international law in cyberspace or that are transparent about their cyber activities and confident in their lawfulness. The operationalization function may appeal to states that seek progress without formally locking in legal positions.
Moreover, realizing any of the four proposed functions would require a departure from the largely statement-driven formats of previous UN processes. It would instead depend on structured intersessional work, written state inputs, and active facilitation by the Chair and Secretariat.
Taken together, these functions would shift international law discussions on cyber matters at the UN from text-based negotiation to practice-shaping processes. They would also help ensure that the international law track is not sidelined in the Global Mechanism’s work. Importantly, this approach would allow states to move beyond the longstanding dilemma of whether new international law is required to regulate cyberspace, and enable progress even if broader geopolitical disagreements remain unresolved.
