What were the 11 norms?

Voluntary state norms including: not knowingly allowing one's territory to be used for internationally wrongful cyber acts; not damaging critical infrastructure; responding to assistance requests; and protecting critical infrastructure.

Why did the 2017 GGE fail?

Fundamental US-Russia disagreement on how international humanitarian law applies to cyber operations and on whether right to self-defense applies. Negotiations broke down on draft text.

UN GGE (Group of Governmental Experts on ICT)

What It Is

The UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (the GGE) was established in 2004 and met in six iterations. The GGE was the UN's principal cyber-norms forum for over a decade.

Major Outcomes

The GGE produced several foundational normative achievements:

The 2013 GGE report affirmed that international law applies in cyberspace — a foundational normative achievement that has shaped all subsequent cyber-norms work. Before 2013, this was contested; after 2013, it became baseline .
The 2015 GGE report identified eleven voluntary norms of responsible state behavior that have since structured global cyber-norms discussion.
The 2017 GGE failed to reach consensus due to fundamental US-Russia disagreements on the application of international humanitarian law to cyber. The failure marked a major setback in UN cyber diplomacy.

The Eleven 2015 Norms

The 2015 GGE's eleven voluntary norms include:

Inter-state cooperation on security.
Consideration of relevant information in case of ICT incidents.
Non-use of territory for internationally wrongful acts.
Cooperation to ensure international-law observance.
Consideration of how international law applies.
Non-conducting or knowingly supporting damaging activity against critical infrastructure.
Protection of critical infrastructure.
Response to assistance requests.
Supply-chain integrity steps.
Responsible vulnerability disclosure.
Non-harming of computer incident response teams.

These norms have been repeatedly reaffirmed in subsequent UN cyber discussions and have become the standard reference for state cyber behavior.

The 2017 Failure

The 2017 GGE failed to reach consensus due to fundamental disagreements between:

The US, UK, France, and aligned states arguing that international humanitarian law (IHL) applies to cyber operations during .
Russia and aligned states rejecting the IHL application argument, partly because it would create legal frameworks restricting their cyber operations.

The disagreement was not merely technical — it reflected deeper geopolitical differences over how cyber-norms regulation should constrain great-power cyber operations.

Succession by OEWG and PoA

The GGE process was succeeded by the parallel Open-Ended Working Group (OEWG) — open to all UN members rather than the GGE's 15-25 expert format. The 2019-2021 OEWG produced consensus reports building on the GGE foundation.

Subsequent GGE iterations have been less productive than the OEWG . The OEWG's open membership produced broader political legitimacy and consensus, while the GGE's expert format produced more substantive technical analysis but with smaller representation.

The 2024 UN decision to establish the Programme of Action on cyber (PoA cyber) for 2025+ operation is intended to consolidate the GGE and OEWG tracks into a single institutional framework.

Why It Matters

The GGE matters because it produced the foundational normative architecture for international cyber-norms work:

The 2013 international-law-applies determination is the bedrock principle.
The 2015 eleven voluntary norms are the standard reference for state cyber behavior.
The 2017 failure revealed the underlying geopolitical tensions that have shaped subsequent UN cyber diplomacy.

Without the GGE's work, subsequent cyber-norms institutions (OEWG, regional frameworks, the , national legal positions) would lack the foundation they have built on.

Common Misconceptions

The GGE is sometimes assumed to have been a treaty-negotiating body. It was not — it was an expert group producing reports for the General Assembly, with voluntary rather than binding outputs.

Another misconception is that the GGE was a purely technical body. It was political — governments selected the 'experts' (typically diplomats and senior officials), and the negotiations reflected geopolitical disagreements rather than purely technical disputes.

Real-World Examples

The 2013 GGE report has been cited in essentially every subsequent UN cyber discussion. The 2015 GGE eleven norms have been reaffirmed in dozens of subsequent UN resolutions, regional cyber frameworks, and national legal positions. The 2017 GGE failure was a defining inflection point that shaped the subsequent OEWG and PoA institutional architecture.