Blocking Experts Will Weaken the UN's New Cyber Rules
Joyce Hakmeh, Lea Kaspar / Jul 16, 2026
The United Nations General Assembly Hall in New York City. Shutterstock
Fifty of the 92 organizations that asked to join the UN's new cybersecurity process this year were blocked from taking part, and in most cases no reason was given. When the body holds its first substantive session next week, many of the incident responders, security companies, digital rights organizations and researchers who run and defend cyberspace will be absent, leaving the global cyber rules at risk of losing touch with the expertise they depend on.
Cyberattacks now shape both war and everyday life. Ransomware gangs shut down hospitals. State-linked hackers hit retailers, pipelines and banks, disrupting daily life and creating risks for national security and economic stability. Cyber operations have also become a standard feature of armed conflict, knocking out power grids, disabling communications and disrupting military and civilian systems alike alongside troops on the ground. As these capabilities grow more sophisticated, and are used across the spectrum between peace and conflict, developing and implementing the rules for how they should be used responsibly and legally matters more than ever.
That is the promise of the UN's new Global Mechanism on ICT security, a process where states negotiate the cyber rules and how they should work in practice. Cyberspace is not built, run or defended by governments alone, and the rules of this process reflect that: while states lead the negotiations, they explicitly allow non-state actors, often referred to collectively as the multistakeholder community, including researchers, technical community and civil society groups, to take part too. However, more than half of the organizations that applied to take part in the process were blocked. The result is a process that risks becoming progressively detached from the operational and technical expertise on which effective cyber governance depends.
A blanket bar, not case-by-case scrutiny
The numbers tell part of the story. Of the 92 non-governmental organizations that applied for accreditation this year, 50 were blocked. Russia alone objected to 43, a list spanning think tanks, universities, cybersecurity companies and civil society organizations across Europe, the Americas, Asia and Oceania. A handful of other states lodged further objections. The scale suggests a blanket approach that has the effect of keeping many stakeholders out. In almost every case, no reason was given. The rules do not require one: an objecting state is only asked to make known to the Chair of the process "on a voluntary basis," the general basis of its objection. A single state objecting is enough to block an organization outright, with no threshold of support needed from other states and no formal appeal available to the organization itself.
The Chair has been consulting objecting states in the hope of reversals, and deserves credit for trying, but that process is capped at three months of informal consultations, with no mechanism to force a decision and little prospect these states will withdraw before the session opens. A procedure meant to be used judiciously, as an exception, has become a general bar.
The cost of leaving expertise at the door
It is tempting to file this under diplomatic procedure, the kind of skirmish UN processes generate routinely. That would be a mistake. Objections of this kind have historically reflected a mix of geopolitical disagreement and competing views over whether governments alone should govern these issues. But the organizations excluded are not observers of the domain being regulated; most of them operate it. They are the incident responders working through the night when a hospital's systems go down, and the network operators and standards bodies keeping the internet functioning. They are the companies sharing threat intelligence the moment an attack is detected, often before governments are aware of the scale or nature of the incident. And they are the researchers and civil society groups who have spent years studying how these capabilities harm ordinary people, and who hold both governments and companies accountable.
The exclusion also lands unevenly. Wealthy governments can convene their own companies and fund their own research; less-resourced states rely on the multilateral table to access that expertise. Each blocked organization risks widening the gap between governments that can access this expertise and those that rely more heavily on multilateral processes to provide it, further deepening inequalities between states.
None of this means stakeholders have no voice left. The Dedicated Thematic Groups (DTGs), an informal part of the process, with two working groups, one looking at challenges in cyberspace and one on capacity-building are meant to include experts in their discussions. As such, they remain a genuine and valuable channel for technical input. In addition, stakeholders can continue to submit written contributions and organize events around the process regardless of accreditation. These channels matter and should be protected. But they operate alongside or after the formal negotiations, not within them, and cannot substitute for a seat at the table where the text itself is negotiated and agreed. Input offered once a text has already taken shape is generally less able to influence it than input offered while it is still being drafted. By the time stakeholders can react, positions have often already hardened around whatever the most cautious states are willing to accept.
What supportive governments must do
Which brings us to governments that support the multistakeholder model. That commitment is written into the mechanism's foundations: states agreed, by consensus, to engage stakeholders in a "systematic, sustained and substantive manner." Living up to that will take more than reaffirming it.
Supportive governments should arrive at the first negotiating session, ready to act. With reversal unlikely before the session opens, the immediate task is less about undoing this round of blocks than preventing it becoming the template for every round after it. Governments should make strong statements on the record, and use the exchange of views on accreditation to ask what the rules already invite: that objecting states explain their reasoning, so it can be tested. We expect some states will already do this — but there is strength in numbers, and the more countries that make these points, particularly from the Global Majority, the stronger the case.
Creating that record, getting these objections and any reasons for them written down, is important even if it doesn't change the outcome this time. They should press for transparency in how decisions are made and unmade, particularly ahead of the next accreditation window, so this year's blocked organizations are not blocked by default again. They should protect the avenues that remain, above all the Dedicated Thematic Groups, agreed by consensus to include stakeholders, and say plainly that objections raised in the plenary should not bleed into those spaces. And they should nominate diverse, independent experts to the pool of outside speakers invited to brief the meetings and open their own delegations to independent participation where stakeholders have been shut out.
Beyond the negotiating room, they should fund stakeholder coordination and participation, particularly from the Global Majority, rather than assume engagement in a process this demanding sustains itself. They should also strategically engage their own domestic companies and civil society directly, telling them where their expertise and evidence could be most useful, rather than assuming they already know.
The multistakeholder community has work of its own to do. It should organize across regions, pooling evidence and aligning messages so their contributions carry maximum weight. It should keep contributing to the framework states have already agreed to. Accredited or not, the work of securing cyberspace does not pause for a procedural bar.
An obligation, not a favor
The deeper point is one that should be familiar to states committed to pluralistic governance. They govern diverse societies on the basis that the most consequential decisions should not rest with the state alone. Many of the countries that have built their digital economies and security on an open, secure and inclusive cyberspace have spoken up against a model where governments alone call every shot at the UN, but voicing objection has not been enough to stop it. These states have an obligation to make the multistakeholder model work, not as a favor to these actors, but because rules written by governments alone will fail on their own terms. Fifty organizations being blocked this year may not be reversible. Whether it becomes the norm still is. That is the real question this session begins to answer.
Disclosure: Global Partners Digital and Oxford Information Labs, where the authors are affiliated, were among the organizations blocked from accreditation this year.
Authors


