Masterclass#1

20 Mar 2024 12:00h - 14:00h

Disclaimer: This is not an official record of the session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed.

Full session report

Masterclass Explores Cyber Norms and Confidence-Building Measures for Critical Infrastructure Protection

The masterclass session offered a deep dive into the complex realm of cyber norms and confidence-building measures (CBMs) with a specific focus on the protection of critical infrastructure. The session was enriched by contributions from representatives of regional organizations such as the OSCE, African Union, ASEAN, and OAS, who shared their experiences and initiatives in promoting the cyber stability frameworks agreed upon at the United Nations.

The discussion centered on the implementation of cyber norms, particularly those related to the protection of critical infrastructure, supply chain security, and responsible reporting of ICT vulnerabilities. The conversation brought to light several challenges in implementing these norms, including capacity limitations, lack of political will, varying levels of awareness, and the absence of clear institutional mechanisms for compliance monitoring. The difficulty of attributing cyber incidents and the differing levels of commitment among states were also highlighted as significant concerns.

CBMs were discussed as vital tools for enhancing cyber stability, especially in the context of increasing geopolitical tensions. It was noted that certain CBMs have gained relevance in such an environment, underscoring the necessity for adaptability and resilience in cyber diplomacy efforts. The session emphasized the importance of CBMs in fostering trust and cooperation between states to prevent escalation and misunderstandings.

The role of non-state actors was underscored as essential for the practical implementation of these norms and measures. The session highlighted the significance of public-private partnerships and the need for collaboration across various stakeholders, including private sector companies, civil society, academia, and the technical community. Such collaboration is crucial for the effective application of cyber norms and CBMs.

The discussion also addressed how regional organizations track and measure the implementation of CBMs. These organizations shared their approaches to maintaining institutional memory and engaging senior decision-makers. Despite CBMs being voluntary and implemented at different paces, there are observable high-level impacts in policy adoption and capacity building at the national level.

The session also touched upon the role of regional organizations in fostering an environment conducive to norms implementation and adherence. These organizations serve as platforms for dialogue, capacity building, and the sharing of best practices among member states.

Key observations from the session included the recognition that the implementation of cyber norms and CBMs is an ongoing and collaborative process requiring multi-stakeholder engagement. The need for improved communication, education, and institutional memory was highlighted to ensure sustained knowledge and engagement among diplomats and technical experts.

In conclusion, the masterclass provided a comprehensive overview of the current state of cyber norms and CBMs implementation, the challenges faced, and the collaborative efforts required to advance the framework for responsible state behaviour in cyberspace. The session underscored the importance of adaptability, resilience, and multi-stakeholder engagement in promoting cyber stability and security.

Session transcript

Anastasiya Kazakov:
So I’d like to take a couple of minutes at the beginning to set this in and just explain the topic of the first masterclass this year before we actually will hear the keynote presentations from our experts and we’ll have the roundtable discussion. So I’m sure you remember that last year we focused on some of the norms in the framework that the states agreed on at the UN and namely we look at the norms related to supply chain security and responsible reporting of ICT vulnerabilities. That was the focus of the first chapter of the Geneva Manual. So while we continue to look at those norms and see where we need to update the content of the manual to add more practices and overall to highlight further challenges that we identified through the course of the dialogue this year, we thought to open up a new phase and to add new norms for us and start discussing the norms related to critical infrastructure protection. So namely those norms, three norms from the framework of the normative framework that states have agreed at the UN. We will really discuss them in detail at multiple meetings this year. I just wanted to give you sort of a heads up on what you could expect from us in the upcoming weeks in terms of the agenda before the first thematic consultation. What will be slightly new, probably for those who are less familiar with the framework of the responsible behavior, we will also look at the confidence building measures. The element, one of the elements of the overall cyber stability framework, which again states have agreed on. So you see on this infographics, besides the norms and the confidence building measures, there’s the capacity building element, the international law, we don’t really touch much on that. So our focus will be to see, again, the roles and responsibilities of relevant non-state stakeholders to implement norms. But what would be quite new for many of us probably is the confidence building measures. 
So we’ll discuss more what’s the difference between them, what are those confidence building measures, how they are different might be from the confidence building measures that exist at the regional level as well. So if you have all of these questions, today will be also the first starting point to discuss all of this. The three norms that we outlined, so those norms actually include the expectations from the states. One of the norms says that states should not conduct or knowingly support ICT activity contrary to its obligations to damage critical infrastructure. So to simply put, do not damage critical infrastructure, do not attack it. The other norm says the expectations that states should take appropriate measures to protect the critical infrastructure from ICT threats. And the third norm that we will look at this year, the norm which mostly relates to international cooperation component, how to put it, it says about the expectations that states should respond to appropriate requests for assistance by another state whose critical infrastructure is subject to malicious ICT acts. So this is a meta-level message that we have, and our goal would be this year again to decode to more practical discussion to see what these norms can be implemented in which particular context, why they can be implemented, what challenges exist and what good practices we could collect to prepare the next chapter of the Geneva Manual by the end of the year. And again, in terms of the structure, we most likely, but it’s not yet I think decided, we will look at the several components as of last year, at the what component, what particular actions, roles and responsibilities, why it’s mostly about the incentives, the challenges and the good practices. So we try to follow the same structure to keep it coherent with the first chapter of the manual, but again, it’s definitely, I think, open to the discussion, but we’ll see how much actually food for thought we have by the end of this year. 
And as I just mentioned, tentatively by Q1 of the next year, we hope to have the next chapter of the manual, which means that by the end of this year, we will prepare the zero draft of the manual. We will circulate with you all for your feedback, for your comments. So as we did last year, we’ll also try to put it under for public consultations to gather some feedback from experts outside Geneva Dialogue. And the first thematic consultation will be scheduled for April 30, and we will share the agenda beforehand. So today, we will focus on the regional organizations. The focus has been chosen for a number of the reasons, one of them that we haven’t really looked at much what regional organizations do to implement the agreed norms and confidence-building measures last year. And the other reason, as I just mentioned, since we also look at the confidence-building measures, there are different CBMs that exist in different regions. So we really want to learn more from our experts today, what are those CBMs, what challenges they might face to operationalize, to facilitate operationalization of the CBMs, how they see the role of non-state stakeholders of you all representatives of the industry, civil society, academia, and technical community to support states. And overall, what good practices could be shared in this regard. And I’m really happy that we have today with us four experts and representatives of four organisations. Organisation for Security and Cooperation in Europe, Organisation of American States, Association of Southeast Asian Nations and African Union. And the four excellent speakers. So we have today with us Mr. Gregor Ramos, Ms. Kerry Ambert, Ms. Sharifah Rashida-Souad Othman and Mr. Kalima Hamed Osmani from African Union. And I’m also happy that today we will have a moderator whom I’m sure you know very well. Melanie, who represents the academia, the policy side in the Geneva Dialogue, who is also a member of the co-group of the Geneva Dialogue. 
She will be helping us to navigate through all of the questions that we outlined in the agenda to moderate the discussion. We will start with the first four keynotes. Feel free also to leave your comments and questions in the chat. But after those keynotes, we will open the floor for the roundtable, basically how we usually follow the format. Everyone will be able to be a part of the discussion and discuss the questions and ask questions to experts. So I stop here. And let us know if you have any questions so far in the chat, any house rules, organisational questions. And I see a number of the questions already, many substantive questions, if I’m not mistaken. So I will look at them in a moment, but I’d like to pass. Oh, yeah. OK. I’ll take a couple of the questions and then we will continue with the keynotes. So, Imad, go ahead.

Imad Aad:
So my question was in the previous Geneva manual, there were three W’s, the why and the what and the who. And now I don’t see any more the who, is it? The who, is it like just one specific role or there will be also, like in the previous Geneva manual, different people with different roles?

Anastasiya Kazakov:
Yeah, a good question. I didn’t put them down but definitely we will identify who because we will start with who to discuss what actually those different actors expected to do. It will be one of the questions for all of us to see if we will keep the same sort of category of the stakeholders but I’m pretty sure we’ll probably add more actors since we’ll look at the critical infrastructure specifically. Thank you. Thank you very much. So I’ll pass the floor to Melanie now and again happy to learn from our experts. Today there’s a master class, there’s a more learning exercise so I’m really sure that we will learn a lot and there will be a lot of brand new information from all of us. So Melanie, the floor is yours.

Melanie Kolbe:
Thank you, Nastia. Also welcome from me. So I’m happy that I get to moderate this very first session in our new year, not quite as new year but for us at the Geneva Dialogue. This is the start of our next round as Nastia just explained. So the way we’re structuring this is we first have four great keynotes and I want to give this right over, give the mic right over to our first speaker. I would suggest we’re going in sort of the order in which we had you on our concept notes. So I would start with Gregor, then Kalim, then go over Rashida and end with Kerry-Anne. So just that we have a rough order and I know all of our presenters have also their slides to present. So I would just say we take the first roughly 40-45 minutes for our four keynote speakers and then I’ll transition us a little bit towards our open discussion and Q&A section. All right. Gregor, would you like to start out?

Gregor Ramus:
Thank you very much, Melanie, and good day to everyone. It’s nice to see you. It’s the first time I’m part of this group, so I’m a newcomer. I have some slides. I hope the colleagues from Diplo can share them. Perfect. So as already mentioned, my name is Gregor Ramus. I work for the Organization for Security and Cooperation in Europe, and I specifically work on their cyber ICT security portfolio. What I’ll do today is give you a brief introduction of the organization and how it works in the global cyber diplomacy context. I’ll present our efforts in cyber ICT security specifically, going over the 16 confidence-building measures that the organization and its participating states have adopted. I was also asked to spend some time going over where our CBMs fit into the global framework for responsible state behavior in cyberspace and explore the nexus between norms and CBMs more closely. Next slide, please. So to start a little bit about the organization that I work with, the OSCE is the world’s largest regional security organization with 57 participating states in North America, Europe, and Asia. All of our participating states enjoy equal status, and decisions are taken by consensus on a politically but not legally binding basis. The OSCE has a comprehensive approach to a variety of security-related issues, and we address those issues through three dimensions, the political-military one, the economic and environmental, and the human dimension. And just for reference, the cyber ICT security portfolio is nested under the political-military or the first dimension, as we call it. This approach means that we address any security-related issue in a cross-dimensional way. 
For example, we approach cross-border challenges such as climate change, terrorism, or cyber ICT security by promoting stronger ties and cooperation between states, but also by creating partnerships between non-state actors, such as the private and public sectors, and engaging civil society, academia, and the research community. I believe we could call this a sort of a holistic approach to international security. Next slide, please. So the OSCE, its effort in cyber ICT security are mainly championed by the 16 confidence-building measures that the participating states have adopted. But what are confidence-building measures? Their origin actually traces back to the predecessor of the OSCE, the Conference on Security and Cooperation in Europe, in an effort to formulate a cooperative security order at that time. CBMs, for short, were introduced during the Cold War as a means of reducing the risk of war by eliminating the causes of tensions that existed between states. In a military context, a CBM may look like prior notification of military maneuvers, for example, or the exchange of observers or sharing information on military stockpiles. This is what is known in the OSCE context as confidence and security-building measures, CSBMs. The goal of these was to ensure predictability, transparency, and military stability between states in an effort to create a more trusting environment in which states communicate first before escalating. When we look at the cyber context, the underlying idea remains the same. Confidence-building measures are voluntary measures that increase the predictability, stability, and transparency of state actions in cyberspace by fostering communication and cooperation. How they do that is they offer concrete tools that states can use to ensure that. The main stakeholders of CBMs are states. 
However, as I mentioned, in line with the multi-stakeholder nature of all security-related issues, but cyberspace specifically, non-state stakeholders such as the private sector, civil society, academia, and the research community need to be recognized as playing an increasingly important role in building confidence in cybersecurity. Next slide, please. So how do these CBMs fit into a global discussion on the future of international cybersecurity? OSCE cyber ICT security efforts are closely linked to the work of the United Nations, in particular, the groups of governmental experts and the open-ended working groups on security of ICTs. The 2010, 2013, and 2015 consensus reports of the GGE experts established what we call today the evolving international framework for responsible behavior of states in their use of ICTs. What is more, subsequent working groups such as the current process, the OEWG, have reaffirmed this framework. The framework consists of four main pillars. International law, which answers the question, does and how does existing international law apply to cyberspace? I believe that the does international law apply to cyberspace have already been answered largely. It’s yes, it does apply. The question on how is currently still under debate. It’s a more complicated question and negotiations that are still ongoing. The second elements are norms for responsible state behavior. I believe you’re very familiar with those as this have been part of the Geneva Dialogue before. And these try to answer the question of what rules of the road prescribe states behavior in cyberspace. Then we have confidence building measures, which are more concrete tools and a little bit of a softer approach, which try to reduce the risks of miscalculation, escalation, and conflict in cyberspace. And the last let’s say overarching element that connects all of the three previous ones is capacity building. 
And capacity building really ensures that states have the means to implement international law norms and confidence building measures. Now on the difference or similarities between norms and CBMs specifically. You will notice that there are quite a few similarities between norms and CBMs. For example, we have norms on facilitating interstate cooperation on security, protecting critical infrastructure, and reporting ICT vulnerabilities as Nastya has mentioned. These topics are also represented in our CBMs. For example, CBM2 promotes cross-border cooperation, CBM15 comprehensively addresses the protection of critical infrastructure, and CBM16 promotes the responsible reporting of vulnerabilities. But the main difference is in what each instrument is trying to achieve. Norms, albeit non-binding, are adjacent to international law in that they establish expectations or rules of the road by which we measure state behavior in cyberspace. They represent what is called soft law. So states that go against these norms, apologies, display recklessness and irresponsibility. They undermine trust and damage relations between states beyond cyber diplomacy. So a state that goes against any norm that’s currently adopted may not be subject to sanctions, but they will be recognized as an untrustworthy partner. CBMs, on the other hand, work on creating an environment of trust and cooperation where these rules are respected and mutually reinforced. They offer more concrete actions for states to enhance trust, reduce misunderstanding, and prevent escalation. We could say that CBMs therefore socialize norms and international law and foster an environment in which these can be respected. Next slide, please. The OSCE is considered a pioneer in the development of cyber CBMs, being the first international regional security organization to adopt such measures. 
Based on our vast experience in disarmament affairs, implement security in CBMs for conventional arms, as I mentioned before, participating states recognize the potential of applying these measures in the field of cyber security. In 2012, an open ended informal working group was established under the auspices of the Security Committee in the first dimension, with the mandate to draft a set of CBMs for cyberspace. So far, the group has adopted 16 CBMs with participating states adopting the first set of 11 transparency measures in 2013 and a set of additional five cooperative measures in 2016. These measures are non-binding, voluntary. However, all 57 participating states have made a political commitment to adhere to them. Next slide. Just to give you a little bit of an overview of the topics that are represented under the 16 CBMs, I wanted to show you this separation into three baskets. So CBMs can largely be categorized into three main categories. The first one is posturing. These are measures which allow states to read another state’s posture in cyberspace and thereby making it more predictable by creating transparency. The next group is communication. These measures offer concrete tools and opportunities for timely communication and cooperation between states, including to defuse potential tensions. And lastly, we talk about preparedness or resilience. Measures which promote national preparedness and due diligence to address cyber challenges and increase cyber resilience. And I wanted to spend a little bit of time at the end of my presentation on a specific CBM which has gained quite a lot of international attention at the UN lately and that is CBM 8 on the point of contact network for cyber security. Next slide please. 
So within the OSCE almost every participating state has nominated a technical and/or policy point of contact for cyber security and made this information available on the closed cyber ICT security space on our platform and while it may sound that this is just a phone book with names and contact details it’s in fact much more. We have been over the years working with our participating states in continuously engaging them and CBM 8 points of contact in different activities to promote the building of a community of policymakers and experts that work together to promote cyber stability. And how did we do that? From the OSCE secretariat side we conduct regular communication checks or in the UN context what is now called ping tests which aim to verify that the contact details are up to date, that national coordination processes are in place and working, and to practice exchange between points of contacts. The results of these simulations are aggregated and presented in reports in the informal working group where we meet four times a year. And the idea behind this is not to name and shame but rather to encourage preparedness of national structures in the event of a real incident. And to substitute these we’ve also implemented several other activities such as the annual meetings of CBM 8 points of contact in Vienna to offer more opportunities for this community to meet, exchange and build trust. Additionally during the pandemic we had some online expert sessions to make sure that the community keeps engaged and working so we are continuing those and we organize these quite regularly on specific topics, and they’re very similar to the discussion that we’re having today. Next slide, please. I believe I’ll stop here since I’m probably over time already, but I will be happy to go into detail on any of the points that I’ve raised or answer any questions that you may have. Thank you.

Melanie Kolbe:
Thank you so much, Gregor. I see some questions are already in the chat, and I think I would like to come back to these bigger CBM questions. I’m very piqued now to see if the CBMs differ across the different regional organizations or whether they’re the same. I would say in the interest of time and to make sure that we have enough time to discuss later, I would now move to Kalim to hear a little bit the African Union perspective. Thank you.

Kaleem Usmani:
Thank you, Melanie. Just one moment. I’m sharing my screen, and then I can start talking. Thank you. Thank you. Thank you very much. And first of all, I’d like to thank Diplo for giving me this opportunity and to share my experiences at the level of the not only African Union, but what’s happening in Africa, because right now here I’m representing a Mauritian CERT. I’m heading the Mauritian CERT, and at the same time, I’m the part of the African Union Cyber Security Expert Group and maybe on that behalf, I will be sharing much more what is happening in Africa, because the impression which I’m having and understanding which I’m having from Anastasiya is that maybe we have to focus onto the implementation of norms within the continent, what is happening, as well as some part of the focus, I can have it again onto the CBMs that what CBMs we are talking about, but exactly based on to that, maybe I’ll run down my presentation and then set up the context and then come back to the norms implementation landscape in Africa that was basically happening. So if I can just talk about here, if we look at this bigger slide and if, yeah. If, yeah. So if basically I see this, this is a very generic slide and I think why I’m trying to portray is because in different regions, the norms implementation understanding is a little bit different because, and again, different regions that they have a different maturity of the norms understanding as well as the CBMs understanding. And again, the understanding of international law in cyberspace, how it applies to the different regions. So if we look at the UN, all these are the multiple processes which are happening and this is where the Africa is getting involved into these processes because there are parallel cyber crime processes which are happening and I think we all know about it. 
And this is where we are also trying to discuss that how the norms implementation that could happen and that could be done in Africa, because obviously, as we know, there are different understanding and the different level of maturity which we have. So if I just move on to the next slide, that’s basically the context and this context is coming out of what I was just talking about from the first slide that these are the parallel processes where Africa is, and African countries are very much involved and then surely the maturity we have is varied. And then obviously the understanding is coming up that how these processes, are applicable and how they could benefit the country as well as to the countries accordingly. So that’s basically a little bit of the context which I wanted to talk about because and also in Africa is clearly in different countries there are a different level of commitment which has been seen in terms of understanding of the norms implementation as well as the CBMs. So if I move and then yes these are all the norms and I think we all understand that part and especially the focus of the day here is the norms I and J as well as the norms F, G and H which is very much around the critical infrastructures F, G and H and then I and J that’s around the our supply chain security as well as the ICT vulnerabilities and I think this is where we can also discuss more that what is happening but before that I wanted to share some of the challenges because if I talk about the norms implementation especially in the African context the countries their preparedness and their understanding is still building up and they do not have that kind of capacity still that where they are quite mature onto the understanding and then they start implementing the norm. 
So meaning to say if I’m saying this it doesn’t mean that the countries they have not embarked onto the norms implementation but yes some of the countries they are doing it even we in Mauritius we have been able to have some of the norms implemented and then we are trying to practice those norms but again what is required basically in Africa as we know that it is an action oriented practice based on public and private partnership and cooperation across groups of stakeholders to leverage the respective strength and capabilities and I think this is where this has to be enforced within the continent and also as already we know it requires a collective and a coordinated response across diplomatic policy and technical communities through a multi-stakeholder consultation and this is the discussion which is happening at the level of Africa in terms of as I mentioned by a great group in terms of points of contact. So I’ll come back there, but these are some of the ways how we can have the implementation of the norms within Africa, and then it could happen better. Now, some of the challenges because, and the challenges are these, and I think this is around, we can talk about it. The lack of capacity, and then lack of capacity in several dimensions, for instance, including legislative and financial to implement norms, as well as accountability measures associated with them. So I think this is very much there, but again, the countries, they have the understanding, they are trying to build capacity. The countries are, in a way, talking to each other. African Union, through African Union Cyber Security Expert Group and the Peace and Security Council, they are trying to discuss around the capacity, how this capacity could be built in terms of the countries to implement norms. So that’s one of the challenges which we see. 
Second challenge also, which we are looking at, it is the lack of political will, and this is very much around prioritizing and addressing global cyber security threats through collective action, and leveraging the norms and their implementation. So that’s also is a challenge which we think is there. And then also the varied level of awareness of the existence of norms among the states, because some of the countries, they have started late into the whole understanding of the norms, and this will require some sort of an awareness out of which they will be able to build up onto the understanding. And then definitely, then they start implementing. But there are some interesting developments, which obviously I’ll be talking about after these challenges. And then another challenge is of the attribution, the difficulty of placing and attributing incidents in cyberspace. So again this understanding is very much has to be built within the continent so that the countries they can understand and then based on to that they are at ease with the norms implementation right. And some of the another challenge which I could see is a violation of the norms from the influential states and which acts as a distinct disincentive for others who comply with them. And then also a lack of clear institutional mechanism or processes to monitor and report on compliance institutional mechanisms. And I think very much for the norms F, G and H we’ll be talking around those what is the importance of these institutions in order to implement these norms especially F, G, H and even including I and J. 
And also here if we talk about the policy frameworks this is also a kind of requirement for the continent to have and have in terms of technical legal and the policy frameworks in order for us to have these norms implementation better so that we understand the different positions at the regional and international level and then accordingly we have the guidance in order we have the guidance in order for us to implement these norms. And if I just sort of some statistics here that the recent data suggests that only 118 of 192 UN member states have a CSIRT or CERT and 24 national CERTs in Africa out of 55 countries. So again that’s a low number and these kind of organizations they play an important role into the at least a technical norms implementation in particular. So now here coming back to the African Union so African Union what African Union is doing and then what are these different groups and the committees which have been set up how they are trying to advocate and build up the capacity around the implementation of cyber norms and especially capacity building measures. So one is African Union they constituted the African Union cyber security expert group and that was done in 2000, and this is a group which I represent here. And it is a 10-member group representing five different regions of the continent, right? And what basically this group provides is the guidance and recommendations on cyber policies and strategies to African Union Commission, and with aim to adopt, monitor, prevent, mitigate, and address current and emerging cyber threats and data misuse, okay? Now, these are some of the, because looking at this particular presentation where what I’m trying to make a point here is the norms implementation or the CBMs implementation within the continent is still is picking it up. And this is where we have to have build capacity so that countries are able to take up the norms implementation as well as the CBMs implementation. 
So basically what happened recently within AU Summit of 2024 in January, which was held in Addis Ababa, there the AU’s digital transformation strategy, which was developed in 2020, talks clearly about the UN-led process for the establishment of the global cybersecurity framework under the UN. So that’s something is a breakthrough where the states are understanding that now we have to have this process and the norms or CBMs to be implemented. And then obviously this will help the countries in order for them to be better resilient in terms of cyber attacks and prevent incidents into their respective states and across the region. And within this particular summit, they have been talking about the continental cybersecurity strategy. I believe this continental level cybersecurity strategy will give a clear direction that how the norms and the CBMs that could be implemented. They also… spoke about the continental chart online protection policy. And this is something obviously also an important factor but again it does not connect to our discussion of today in terms of UN norms implementation as well as the CBMs implementation. Another important step which was in a way agreed on was the all the AU member states openly affirmed their obligations to uphold international law in cyberspace governance to ensure responsible state behavior in cyberspace in accordance with the norms of international law. So that’s again where the African Union has come up with their own position of international law in cyberspace and that was presented. So that’s again a kind of a big through where countries they will be having that obligation and this obviously that will lead to the UN norms implementation and CBMs development within the countries as well as connecting within the region are much better. 
And then also to the ratification of Malabo convention for better regional cyber governance and thus again a regional convention and this will provide a better regional cyber governance and I believe this will also help in a way to the countries to pick up the UN norms implementation and then have the cooperation measures in order to build capacity through confidence building measures which we can put up in place. And then also what again African Union and this particular cyber security expert group and advocating the understanding of norms and CBMs development and implementation through representation in the OEWG meetings again the group is presenting and then in a way having its views onto the whole implementation process how it’s going to be and again promoting the implementation of norms in regional and international forums. For example, if I talk about Mauritius, we are running the IT center of excellence. We have come up with a full of fledged training program onto the technical norms implementation and especially there we are looking at the FGH IGNK and this training program is running for the last two years and we see a loss of interest into this training program from Africa as well as people from other parts of the world. So it means that the capacity is being built and then understanding what we have to have it has to be in a way more so that people they understand and the countries they understand in order for them to go ahead with the norms implementation. 
Now again this particular group is promoting the checklist of practical actions and I think this practical actions checklist was very much was in a discussion into the last seventh substantive session in New York and this particular checklist in a way it has a very well formulated guidelines and guidance which provides countries in order for them initially how they will be able to build up and then implement cyber norms and even technical norms I’m talking about including some of the norms which already we are implementing within the country as well as promoting those norms within the region as well. But before that I end my presentation in terms of CBNs and the way we are looking at the CBNs some of the things which have been initiated and I will say that these are the CBNs which have been formalized no not really they have they haven’t been formalized but these CBNs are around we are trying to build up around information sharing so we came up with the cyber threat information sharing platform which we are trying to share within the region and then we are asking countries in order for these countries in order to be sharing cyber threat information on to that so this is something what we’re trying to build that that’s one second one is capacity building capacity building through different centers including our center so that capacity is building around cyber security, as well as around implementing cyber norms and capacity building measures. And one of the also important initiative which has been taken at the level of the Southern African Development Community in the region, that’s called SADC Countries. There are 16 countries within that particular regional agency. And there also, they have set up the CSER Task Force. And the CSER Task Force is very much, is a task force which have been set up in order for the countries to take action in the cyber crisis situation. And I think that’s also one of the CBMs which we are looking at. 
So these are some of the initiatives and the actions which are being taken in the region. And that’s what basically the AU is promoting in terms of building capacity around implementation of the norms and the CBMs. So maybe I’ll stop here and then I’ll get back to the other questions during the discussion. Thank you very much.

Melanie Kolbe:
Perfect. Thank you so much, Kaleem. I think, so I followed the conversation in the chat. I am very happy that all of you are asking questions and answering questions. This is great engagement, by the way. I think I wanna come back to definitely one of the more spicy topics that we’re discussing but I would like to continue actually and hear a little bit about the ASEAN perspective from Rashida.

Shariffah Rashidah:
Thank you very much, Melanie. Let me share my screen. Can you see my screen now? Yes. Okay. Okay, I will start by thanking the previous two speakers, Kaleem and Gregor for explaining in details with regards to norms, the challenges, as well as the interlinking between norms as well as CBMs. So what I would like to share today. So, I’m going to talk to you today in terms of our experience which is the RCN implementing the agreed cyber norms as per the meeting of objective discussions of today and coming from me, my name is Sharifah Rashida, and I come from the national agency I’m not from the RCN, so I actually was involved in the development of the implementation of cyber norms in the RCN that is being called the RCN regional plan on security of and in the use of ICT that talks about CBM. Allow me to start with regards to the cyber norms itself. These are a little bit of timeline about how the norm experience in the RCN, where we actually receive a top-down in a way instructions from the RCN leaders in the RCN leader statement on cyber security. So, the RCN was asked to subscribe in principle to the voluntary non binding cyber norms that 11 norms. It was a meeting, the RCN ministerial conference, a conference on cyber security on to strengthen the regional cyber resilience, where the topic of cyber norms that has just been adopted in 2015 GGE is naturally an extension to the discussions. Then in 2019, the agreement actually expand where the ministers themselves agreed to establish a working level committee to develop long term regional action plan to implement norms. We heard Kaleem mentions about the capacity part, where in RCN region itself, we can see there are countries that are more advanced, and there are also countries that are still developing a lot of things. And when we start discussing about this particular matter. There was only 11.
There’s none. I see on member state that has a cyber security agent. And we have the most advanced national security agency in the world. And there’s a lot of countries that are developing a lot of things. And when we start discussing about this of the ASEAN agency. It started with Singapore, then it follows with a lot of other ASEAN. Now, I think most of our members that already established a dedicated agencies that look into cyber security. It is actually, I think in my personal experience, I my personal views, it is based on the ongoing discussions that ASEAN has been doing with regards to cyber security or network security part. Then, next in 2020, there was a discussions between Malaysia and Singapore where we see an opportunity for ASEAN, where we at ASEAN region receive a lot of capacity building from the ASEAN partners, where we feel that the development of regional action plan is actually a map out or how ASEAN look into the implementations of 11 voluntary cyber norms and associate that with the relevant ASEAN platform that we have and tie that with capacity building next and next in 2021, we actually adopted the capacity building plan metrics and it is being indicated as a live document that continuously until now being reviewed as we know that the discussions even at the UN is an ongoing process as well. Then in 2022, Singapore continues the work to conduct a workshop with UNODA in terms of developing ASEAN norms implementation checklist, and we will discuss with Singapore in order to take a way forward to take this regional action plan metric and further develop norms implementation checklist with the external partners in the region. So, that’s why we have the regional action plan for indigenous and so that we can map that up with the ongoing discussions at the OEWG. Okay.
Coming back to the norms itself, we have the RCM regional action plan rep metrics that we call where the objective is to identify capabilities required to implement the norms and implement such cooperation capacity building activities and confidence building measures to develop required capabilities to implement the norms and implement such cooperations and activity through the platform that we have, such as ASEAN Singapore Cyber Security Centre of Excellence and ASEAN Japan Cyber Security Capacity Building Centre. And in the norms implementation checklist, which we endorse at the UN to serve as a guide for all countries and the checklist will list out the policy, operational, technical and diplomatic actions that states can take concretely to implement this norm. And we are also guided with the ASEAN Cyber Security Cooperation Strategy 2021-2025 that actually contains five dimensions of work regarding the advancing cyber readiness cooperations, strengthening international cyber policy coordinations, enhancing trust in cyberspace and regional capacity building and international cooperations. These are the example, not example, this is the regional action plans metric that we have developed and mapped with five focus area, which is cooperations, development of policy, strategy and framework, enhancing, strengthening national cyber security and cyber crime laws and cyber cooperations, where we might map it up with what are the supported norms under the 11 norms and what are the non-supported norms are the platform and sectoral body at ASEAN that we can leverage on in terms of implementations of the norm itself. So these are the metric itself in a nutshell. Then I would like to touch a little bit with regards to confidence building measures, where I do not have, I think, to reiterate back how the link between norms and CBMs.
Under the ASEAN, we have ASEAN Regional Forum, where the ASEAN Regional Forum is a forum with the 10 ASEAN member state, plus 17 participating partners of the ARF. So the members of the participating partners come from, I think, different regions in the world. It consists of the ASEAN partners, such as the US, Canada, the Europe, even China, Russia. So we have a lot of discussions with confidence building measures. And personally, when I attended the discussion, it also give a flavor of what is happening at the multilateral discussions at the UN, especially if there is discussions with regards to geopolitical issues. But come back to the ASEAN Regional Forum, where we call the CBM, the CBM itself is being called the ASEAN Regional Forum Plan on Security of and in the Use of ICT, where the promotions is, I think, similar to any other CBMs plan to promote a peaceful, secure, open and cooperative ICT environment, and to prevent conflict and crisis by developing trust and confidence between states in the ARF region and by building capacity. So there are four things that we put in the ARF work plan. First and foremost, of course, about the promoting transparency and develop confidence building measures, raise awareness and the use of ICT and enhanced practical cooperation between ARF participating countries to protect ICT enable critical infrastructure and improve cooperation, including develop regional capacity to respond to criminal and terrorist use of ICT through improved coordination and coordinated response. So, there is entire document that explain about the ARF plan, but I always refer to this simple diagram to explain about the work plan itself.
The four objectives are the square box in that what actually it consists is about corporations, and the smaller bullets that explain what are the corporations can be implemented the CBMs, the point that we actually indicated about the enforcement part is big. This, the platform to discuss cybersecurity in the ASEAN. With regards to confidence building measures actually came from the countering terrorism, hence why the work plan that talks about the ARF cybersecurity will touch upon on and off with regards to the enforcement, the elements of cyber crime, dedicatedly. So, because of the inherits with regards to countering terrorism platform where before the establishment of this, the dedicated platform that talks about CBMs, and we also indicated the elements of cultural diversity, because in India, our part of the world. The element of culture is quite important between steps, two states, then norms rules and responsibilities occurs during the development of the institutionalized regimes through human rights and responsibility. So that I think it would be interesting, when we consider the So, I think I will end my discussions, my presentations here. I’m happy to talk later and discuss later.

Melanie Kolbe:
Thank you, Rashida. Great to hear that as it has worked on this platform for a long time, and I’m really looking forward to the future of this platform. And I know that the discussion has worked on this quite extensively and quite early. I think this, the checklist I found very interesting sounds like a very applied extensive guide was the approach to CBMs and norms and norms internet. It can enhance it may make some things more challenging, and so on. So our last speaker is Kerry-Ann who is going to give us the perspective of us on CBS in norms implementation. Kerry-Ann.

Kerry-Ann Barrett:
Can you hear me now. Yes. All right, thanks Melanie I’m hoping everyone could see the screen. I think the previous speaker kind of set the where I’m going to go with our presentation. In essence, I’m going to just give you a quick overview of what is a cyber security program because that’s where a lot of the Kareem’s work has occurred. What confidence building measures have already been agreed to in the region. Talk about our working group a little bit and then some of the work that we’ve been doing within the OAS on this. So just to give you some structure, the cybersecurity program of the OAS sits within CICTE, which is the Inter-American Committee Against Terrorism. This body is a political body established in 1999 to prevent and counter terrorism in the Americas. Oftentimes when persons in our region see that we’re seated within CICTE, they’re like a little bit squeamish, because they’re like terrorism and you do more But for us, the OAS has a broader structure within which we sit. So there is the OAS General Assembly, the Permanent Council, but within that is the Committee of Hemispheric Security, under which there are several secretariats, including democracy, human rights, falls under that, for example, and there’s a secretariat for multidimensional security, under which CICTE sits. The regional body or the regional entity in terms of how we exist in our region is really set up to promote cooperation and dialogue to counter terrorism. That’s what the committee does. But we also look at the sovereignty of countries, rule of law, and how international law applies more broadly. Now, the cybersecurity program has been around for 20 years. And over the years, to give you a flavor of what we do on the capacity building side, just 2023 alone, we would have supported policy development. We would have participated in an open-ended working group as the general secretariat.
Unlike other regions, we don’t represent the views of our member states during those meetings. We would usually represent the views of the general secretariat, which is where the capacities sit. We continue to support implementation of various CBMs, which is our cyber CBMs, which I’ll speak about in a little bit. We also do many capacity building on workforce development. We look at how people participate in the UN processes, in training that we offer. And we also focus a lot on gender. So even the question that Melanie posed about how cultural diversity, we look at how the gender dimensions affect cyber security as well. So with that broad context, the question that we decided to focus on for this presentation is how do we really contribute to norms implementation, and we see it in four contexts. One is the political agreement that has already happened. We look at the POC directories already established in our region, capacity building, research and frameworks, and our convening power as the OAS, as an institution, and how we engage multi-stakeholders. With that said, I’d like to go over to the first thing in terms of political agreement. In the Latin American and Caribbean region, we have already begun to talk about CBMs long before cyber confidence building measures happened. As far back as 1999, we had what was called confidence security and building measures similar to the OSCE. So as a hemisphere, it has always been a topic of interest. So we have traditional CSBMs similar to the OSCE, which speaks to military deterrence and ensuring that there’s cooperation among member states in that regard. More recently, in 2016, however, we started to look at non-traditional measures and recognize that there was a need to start speaking about other measures that are not so much specific to military operations, but more broadly in terms of the internet and other topics like that. As such, our confidence building measures working group was established.
The ultimate goal for these have been starting off with a basis of just information sharing. So our first three CBMs really spoke to provision of national points of contacts, sharing policies. Then we got into the substance based on what was already happening at the UN level. So that is when we started to talk about the 11 non-binding norms. We started to add the designation, the applicability of international law to cyberspace. And the discussions continue to grow over the years until now, with us just having a few meetings, which is one of the things that we’ve been very proud of since the establishment in 2017, falling quickly behind OAC, we now have 11 norms, recognizing that the OAC has long more like a lot more years experience in this than us. But we’ve been really, really happy that we’ve had our five CBMs working group meetings, the last of which happened in February, and we already have 11 agreed CBMs. Now, why is this political process important? Apologies for that. Let me just go back one slide, a slide my computer has been giving me a lot of trouble. There we go. Why is this important to us? It’s important to us because the political agreement for us is the first way in which regional bodies are relevant. If it is that at a regional level, you can have some amount of cohesion, as has been evidenced in the UN negotiations, both at the Ad Hoc Committee and even at the Open Ended Working Group, there’s been similarities in the areas of focus for our member states. One of which was already mentioned when one of the previous speakers is the point of contacts directory. For the OAS already, we have over 82 cyber policy points of contacts, and 19 ministers of foreign affairs contacts. Why is this necessary in terms of how we described it? The OAS has a very strong ministries of foreign affairs in terms of their participation in the UN processes.
So our member states one in CBM one actually said, designate policy persons who has the responsibility for cyber security, if they are different, nominate persons of ministries of foreign affairs. The CBM also makes it very clear that it should be distinct from the persons who represent the member state for law enforcement and criminal investigations said automatically hints that the Interpol 24 seven network should not be not nominated here because it’s not for the same purpose. The countries so far participating in this are 30 of our member states. We recognize that there is a need to continually update these points of contacts. One, because of how quickly diplomats get reassigned, their desks get changed, they may have a different portfolio. So actually thinking about from the regional context as to how we can play into the implementation of norms is that we have a responsibility to keep this points of contact directory updated. In order to have confidence in who you’re reaching out to, it should be the person that’s actually there. So it’s something that we’ve taken a very practical approach to. And similar to the OSCE, we have actually conducted pain testing as well. I’m going to get into some of the other ways in which we’re doing that. But you may be wondering, why is it that we have not, as a part of our CBMs, designated technical points of contacts? And the reason we have not done that, it’s because as far back as 2004, the OAS had approved what is called a regional cybersecurity strategy. As a part of that strategy, we actually recognize the need to establish a hemisphere network of government certs of member states of the OAS. This has evolved over the years to become a community, which we’re calling a cybersecurity community, of over 47 certs, 22 countries, and 379 professionals. Our approach for the CSERTS Americas network is that we have certs who are on board. We share information with them, one directional. 
We’re very focused on threat intelligence with them. But we share that based on our third party sources. We focus on capacity building. And we partner with institutions such as FIRST for the establishment of the certs. And we partner with ITU as well for the establishment of certs, as well as many other partners from Europe to do this. So from the OAS’s perspective, we see our points of contact being built out, one from the CBMs working group and two from the CSIRTS Americas Network. How we support the UN processes with this is with the chair of the Open-Ended Working Group, Ambassador Bufford, his ethos of ensuring that the Global Points of Contacts Directory works well. We have been working really closely with the secretaries of the UNODA to make sure that there’s consistency, or if not consistency, our member states have been speaking to us about how do we ensure that we share these points of contacts to ensure that what is at the global level, there is some connection to the regional level as well. So I think that is one key way in which this is done. As mentioned earlier, another way that we support the UN processes is really aligning a lot of the training topics that we do to approve CBMs, which then in turn builds up into what is happening at the UN level. So our Cybersecurity Diplomacy Training Program has been around longer than 2022, it’s actually been around since 2017. And just in the past year alone, we have been linking as a more advanced process in what we do, our CBMs to the actual training that we do. And this includes also looking at the 11 norms. So for example, I wanna give just a few examples. Our CBM number four speaks to the development and strengthening of capacity building through activities such as seminars. So we’ve delivered two more general course, which is an International Cyber Diplomacy Law and Norms course to raise the basic level of awareness on the topic.
Fast forward, we’ve also delivered on a CBM five, which actually went into the specific issues of doing training for ministers of foreign affairs. So we’ve partnered in the past with Diplo Foundation, for example, and plan to partner with them later this year to give these more general courses for diplomats so they understand the internet and understand the issues related with that. We’ve also done a specific course on the program of action, recognizing that. One, we don’t take political positions on what is being discussed, but we look at a more holistic approach for them to understand how a program of action is created, how have they been used in the past in the UN processes and how they could be used for our purposes and for the UN purposes. Another CBM that we’ve done specific courses on have been on the applicability of international law. We’ve done two masterclasses to date, and then we’ve actually done a masterclass that breaks into the international humanitarian law components as well. We’ve done one on state responsibility and response options based on one of our CBMs, which speaks specifically to the implementation of the 11 non-binding norms of the UN. So to date, how we see us contributing more holistically is that we see capacity building as being a key component. If it is that our member states and our diplomats are trained up in capacity building, it means automatically they contribute to a greater discussion that would happen at the UN level. As such, since 2017, we’ve trained over 850 officials, 26 courses have been held, and we show these numbers only to show that at the UN, we’re actually seeing a shift in the discussions and participation of Latin American Caribbean participants. And we’re actually seeing that the level of dialogue and engagement has shifted as well. And we think that actually speaks to building confidence. 
The last two points I wanted to make is, as it relates to the contribution that we make, research and the development of frameworks is critical. As we speak to the discussions that we’re having today, which is around critical infrastructure and its protection, the OAS believes that research and the development of regional frameworks supports these concepts or supports the 11 norms. In that, more recently, the OAS approved a practical guide for protecting critical infrastructure against all hazards. And in that regard, member states are encouraged to implement national critical infrastructure frameworks, not just against natural hazards, but also with regards to any internet or cyber security hazards that could occur. We also try to ensure that there is a level of an awareness of what is the state of cyber security in the region. That research helps member states to poise themselves, one, where do they need to go. So we use the Oxford cyber security maturity model to implement our regional cyber security maturity report, which we’ve done two of so far. And the third one should be coming out now. And I think finally, just to wrap up, is we believe that regional bodies can support the 11 norms and the critical infrastructure through stakeholder engagement. Our convenient powers to be able to bring together all critical infrastructure operators, facilitate collaboration and cooperation among them, and recognizing that we have the capacity to reach civil society and academia at the same table, I think is something that is pretty powerful and something that should not be understated. In general, from where we sit, and I kind of rushed it because I know that we want to get to the discussion, Melanie, but I think, in essence, where we see that regional bodies play a part in this is capacity building is crucial. Our capacity building is built on our research and what our gaps or member states have identified on their needs. 
And then through cooperation and stakeholder engagement, we generally believe that we’re able to identify some of the key components for the 11 norms implementation, including critical infrastructure protection, and do capacity building programs to support that. So I’ll stop there. Thank you.

Melanie Kolbe:
Thank you so much, Kerry-Ann. Very interesting, also great to hear the gender perspective. I was, I had an inkling, it might, it might come up at some point. of approaches and the focus, though there are clearly also some commonalities I can see in particular in regard to the CBMs that have been discussed. And I think I would like to kind of use this transition also to kind of get to one of the bigger first questions. Since I see that there’s a lot of questions also in the chat, and I want to give ample time to those questions to be answered if they have not already been answered in the chat, I’m going to keep it a bit short from my side, and then we’ll just have everyone kind of unmute. Or if you want to, you can also write it into the chat and we can read it out, but unmuting is a bit nicer because we can talk. So kind of coming off of the four very good presentations, very interesting presentation of the various regional approaches to norms and a norm implementation, I think I would like to start out with the interesting question of the confidence building measures, which clearly is one of the things we’re looking quite into. And here I think that the interesting conversation in the chat, but also if you read between the presentations is the question about how CBMs are holding up in the current context of rising geopolitical tensions, sometimes also within regions, sometimes between regions. And I think it’s quite interesting going off from what Gregor was talking about, these different types of buckets of CBMs that the OSCE is using, and I’ve seen them in some of the other presentations as well, like posturing, communication, information sharing, and preparedness. And I’ve seen these also reflected in some of the points the other presenters were talking about. And to me, it seems that it’s correct, probably, that in conflict times or in times where trust is weakening, probably some of them might become more politicized.
I would say information sharing becomes more of a touchy CBM2 approach. Others, I think it seems stay relevant regardless and that is clearly preparedness, capacity building, educating your own resources. And others might actually be even more important in conflict times. And I think I agree with Vlada here, anything that goes into posturing and making sure that I’m correctly read, correctly understood as a state actor to anticipate what behavior is coming forward might even be more important. So I wanna put this back into the speakers and you can all be addressed or maybe some of you only wanna take this question. How do you see confidence building measures panning out? Are there changes in how they’re being implemented or discussed at the moment, given that we’re transitioning from a more peaceful to a more conflictual attention rich time? Would like to take them.

Gregor Ramus:
I guess I’ll start. Yes, go ahead. The question started with me. And this is a question actually that we get quite often since 2022. As I mentioned in the chat, the confidence building measures that were adopted for cyber security at the OSCE were adopted for peacetime. Obviously this situation has changed in the OSCE and at the beginning of 2022, we were struggling to see how we can continue pushing forward the CBM process in the current geopolitical context. But luckily what we’ve seen is that states remain engaged in this process on a very technical level. And as you mentioned that some CBMs have actually become more important than before. A very good example of this is CBMs that can be implemented on a national level. This is also something that I mentioned in the chat. This is, for example, CBM 15, which addresses the protection of critical infrastructure. In the last two years, we’ve really seen an uptake in the implementation of this CBM on a national level, as well as exchanges between like-minded states. And there’s no way of going around this. We have to understand that the exchanges that you mentioned, the communication and exchanges of information at this point will happen between like-minded states. But what we can do with other CBMs that are more oriented towards keeping communication channels open, for example, CBM 8, is create an environment where tensions can be defused through communications also on a 57 participating state basis. And CBM 8 is another example of a CBM, which is increasingly important in this, let’s say, tension-rich environment. CBM 8 is kind of an informal network. The OSCE Secretariat does not control the communication that goes through the CBM 8 point of contact network. We don’t leave it to the states to decide on their own. We actually promote bilateral communication that doesn’t go through the Secretariat. We do have activities which are Secretariat driven. I’ve mentioned those before.
The communication checks, the online expert sessions, the annual meetings. But in general, we see this more as an organic structure that states own. So the ownership is really on the part of states. And this is something that’s become important in the last two years, is that any state can reach out to any other state at any point. So we do not control that. It hasn’t broken down. And from what we’ve seen, it continues to be functional. I hope this is a good start to the conversation. Happy to talk to you, to come back on any other points.

Melanie Kolbe:
Fantastic, I muted myself. Yes, so again, in case you cannot lip read. Thank you so much, Gregor, for getting into this. Any of the other regional organization representatives have you observed certain CBMs becoming more relevant, less relevant, maybe more touchy in terms of how to implement them? What is your, I see Rashida, you’re unmuted. Would you like to take that one? Go ahead.

Shariffah Rashidah:
Yeah, allow me to speak based on coming from not only ASEAN, but coming from a state where I think Gregor mentions about how useful it will be for states and how meaningful the elements of CBMs and norms and how does it actually link implementations at the national level. So one thing I agree that the importance of the protections of critical information infrastructure or critical infrastructure has been crucial discussions and the movement of one, cybersecurity is a national issue. Yes, despite any geopolitical tensions that happen, it is a reality coming from the practitioner, from the policymaker at national level, you need to go deep down until the technical level to find the answer. Because when you talk about cyber incidences, in order for you to kick off and start the investigations or anything, you need to have visibility. And to do that, you need information. You need to have appropriate capacity to see the networks, your networks, your surrounding. So coming from the states. So, I think it’s important to think about this when the discussions about the norms that actually requests for the states to elevate the baseline that they have in each and every region and at every level that they have at national level. It is indeed, actually, an element that is important, or else as a state, you wouldn’t be able to perform what you actually have agreed upon and subscribe. For example, in order for you to give a system you need to have the capability to see or to take actions; in order for you to do international cooperations, you need to have the capability to receive and do in two ways around, so yeah. Thank you.

Kerry-Ann Barrett:
I’m going to kind of just give probably just a reflection on your question, Melanie, because it’s often said that the CBMs aren’t determined in order of priority, so is there an assumption in your question that all CBMs should be implemented at the same time? When in fact, because there’s no order of priority I think any CBM, once it’s applied it means that whether it’s peace of mind, or it’s a non-violent action, it means that it’s not focused on capacity building very targeting diplomats and point of contact sharing and to me I often heard persons speak to, you know, are the CBMs being enforced. CBMs are voluntary measures, they’re not compulsory measures. So I think even in how we view CBMs, we have to recognize that the CBMs may not fully currently are complying with the ethos of what the CBMs are but it’s always to recognize that they’re voluntary measures. So to the extent in which they are being implemented I think it’s sometimes it’s really difficult to measure, which is why I think it’s important to recognize that the CBMs are voluntary measures, which is oftentimes in our assembly general resolutions, we speak to encouraging member states to implement the CBMs, but not necessarily saying that member states must, or that is a show of non-compliance. At a higher level for us in the region, we also have what is called our Inter-American Defense Board which manages our CSBMs. So the OAS has over 37 CSBMs, which a part of that is the 11 CBMs for cybersecurity. So just to say that what we do every year is that member states are encouraged to provide updates on how they’re implementing all 37, including the 11 cyber CBMs. So I just want to kind of just respond by saying that there can be an assumption that they must be implemented.
There is, yes, a show of lack of confidence if some of them aren’t, but which one do we prioritize more? A country may not be sharing information, but they’re doing capacity building. So it’s kind of to say, which one are we measuring as more important than the other, given that they’re all, they’re not done in order of priority. And I mean, there’s a lot of professionals here too. So, I mean, even having their views on this, I think would be good as well.

Melanie Kolbe:
Okay. Kaleem, go ahead.

Kaleem Usmani:
Yeah, thank you, Melanie. Yes, coming back to this particular question. I think that’s very interesting from the country perspective, if I look at it, because from Mauritius, if I talk about the CBMs and especially the way we have built it up, because why I’m saying is because I’m going to relate it to the region and then obviously how it’s happening elsewhere. So if I talk about even capacity building, capacity building is the key because that was needed for different organizations and different agencies in order to build up capacity around incident handling. Even we started talking about setting up the critical information infrastructure policy and we thought that there was lots of interest from the different organizations, how they will be able to have the different controls to be put up in place. And this is where we’ve been promoting the whole component of the… the CBMs which we have built up around capacity building of CIP implementation. So in a way, if I roughly touch on to the event part of the information sharing, like information sharing, if I talk about Africa, cyber threat information is the key because most of the states or the countries are still they’re trying to have that information out of which their resilience could be improved. So obviously, just to say that there are CBMs, which are really they’re working because why the reason is that the maturity is important here. Because if we have a maturity, then surely the other components of understanding comes into picture. But if not, then obviously you have to learn from others, then you start doing it. So I believe yes, it works. But again, in a different context. Thank you very much.

Melanie Kolbe:
All right. Thank you. Nastia, is this on this question or is this a different question?

Anastasiya Kazakov:
A different one.

Melanie Kolbe:
Okay. One thing before I want to hand this over is, is quite, is quite instrumental for what we’re doing at Geneva Dialogue, which is about the role of non-state actors. Right. So one thing, of course, and Gregor already kind of acknowledges CBMs is really something really about the main stake or stakeholders or states. Right. But the other, the other presentation as well as Gregor’s, of course, there is also an involvement of other stakeholders. I think Pauline was also discussing public-private partnerships, cooperation with stakeholders to basically have more connection and implementation of those norms with confidence-building measures or just generally norms implementation. So I would like to ask the panelists. So what role do you see as kind of interacting with these non-state actors and other stakeholders in the implementation of these agreed upon norms within your region? and how do you actually engage, to what extent, and how do you engage, and at what stage, maybe, with these relevant stakeholders? I think it’s really instructive also for our work moving forward at the Geneva Dialogue to understand this. So I’d like to take this. Next question. Go ahead.

Kerry-Ann Barrett:
Let me go first quickly. So for the, I think it’s important to distinguish what the General Secretariat does. For us, we are the technical secretariat to the working group. So we only can do what is asked of us to do, oftentimes, and what we have done is looked at the CBMs related to workshops and sessions and information and training, and used that to direct our work plan for the year. Another key thing to look at with the implementation is, and I had posed the question to Kaleem as well in the chat, is who funds it? And even for Rashida, like if it is that you have a work plan, thinking through the implementation of the norms there, some of it comes at a cost. So at the national level, a lot of our member states have just partnered with non-state actors. So for example, partnering with the private sector to be able to offer services at the national level, including threat intelligence or coordination at the national level. Some of them have reached out to partners, like as I said, we use some of the providers, we use DiploFoundation, we use ICT for Peace. We try to engage with neutral, academic, quasi-civil society entities to be able to deliver our capacity building. We also try to look at experts in the field who are talking about the topic, like Chatham House, we partner with ICRC, that’s a technical secretariat. But what has been fascinating for us is that when we do offer to our member states these capacities, they receive it, they accept it. So it shows that while sometimes they may not have direct relationships or they have their own programming, many of our member states have participated in all, the numbers, like we’ve had high levels of participation at any one of our trainings from our member states. So I think if you not only look at the individual states and what they’re doing, I think their participation in these initiatives and activities also says a lot about how they’re implementing the norms or the CBMs.
I hope that makes sense, that makes sense in my head.

Melanie Kolbe:
Yes, so it sounds like, yeah, yeah, so absolutely, so you can definitely say from your experience, right, a lot of this is in the actual implementation on the ground, realization of some of the CBMs, right? Rashida, go ahead.

Shariffah Rashidah:
Yeah, I would like to actually echo Kerry. I mean, I think similar happens to us as well. We actually, in order for us to implement the activities, we’ll definitely do that with the non-stakeholder. For example, I can share the experience when we did with, we do our ASEAN regional work plan, not the ARF point of contact. Malaysia and Australia co-lead the initiative. In order for us to justify the need for us to establish a dedicated ASEAN Regional Forum point of contact, we actually perform a cyber exercise in the ARF platform. The cyber exercise was being done in such a way where we called states as well as the private sector to be together on table and discuss that, and we create scenario to see the importance and how actually the possible ASEAN point of contact be implemented and how if one incident happened at national level, between states as well as the private sector that comes from the state and such that’s come in the discussion.
So, it is actually a testimonial that for states to actually commit in terms of the, if we want to talk about the framework of responsible state behavior, whether you like it at national level, you’ll definitely meet the cooperation and works together with the non stakeholder, because reality is that coming from the government, the backbone of the critical infrastructure, the backbone of the internet, that is not owned by the government and the standards that has been ongoing, go so far away compared to the discussions between the government, something that you need to elevate and be at par with so, and we do not want, I think, in the, in the OEWG, there was a discussions where we do not want to reinvent the wheel of the process and so I think it’s important that we can collaborate and work together between all the stakeholder to discuss what would be the best way forward for us to implement this particular matter.

Melanie Kolbe:
Right. Perfect. So I think at this point I’m going to be a bit more hands off. So we have a lot of questions and I think I would like to go first with Nastia, who had one question, and then I see Chris’s hand is up as well. So I’m going to go first with Nastia and then Chris.

Anastasiya Kazakov:
Thank you very much. This is so so helpful and super interesting. Thanks a lot for really structure it over the work of the teacher, each organization. My question is in relation to the private actors, given that some of those especially the companies that provide ICT services with the regional international impact, even though they’re established in one country, but the services are critical to multiple countries, have been, has there been any discussion to complement the existing CBMs, to incorporate the role of those companies that are actually being really critical, either in a peace or in a conflict times, or maybe in through the other way, to address the accountability and behavior of those actors as well.

Kerry-Ann Barrett:
I mean, I could reply first just to state that the last CBMs meeting that we had in February, this didn’t come up as a discussion because I think the POC directory was more present for the member states, given that the open-ended working group was the following week, but more generally the private sector is seen as a source for information and for cooperation. So in previous meetings, for example, the meeting we had in Mexico, which was our fourth meeting, we actually had Microsoft present on threats and information and coordinated with them for that presentation. So in one of our resolutions previous to this last meeting, because no resolutions came out of the fifth meeting, in the fourth meeting, we actually recognized the role that private sector and civil society plays for the implementation of CBMs for the OAS. It’s just that, as I said, because the open-ended working group was the following week, this meeting particularly focused solely on progress, threats, and then we went into the POC directory. So I don’t know if that answers your question, Anastasia.

Gregor Ramus:
If I may come in as well, we actually have a specific CBM on promoting public-private partnerships at the OSCE, CBM 14. And I’ve mentioned that we worked, I think it was last year or the year before, it was a multi-year effort with an academic on mapping the existing public-private partnerships that exist in the OSCE area. And we published a report, which I’ve linked in the chat, which I think is quite an interesting exercise in not only seeing how much cooperation already exists in this area between the public and private sector, but also to see how the national approaches differ in this context. And I think this would also be a partial answer to your question, Nastia, on the accountability. We do not prescribe specific terms on how a CBM should be implemented. It’s up to the states to decide how they implement this. And you will see that in the report, we do have some sections on states going into more detail about how they cooperate with private sector and what that entails in terms of their behavior and actions in cyberspace.

Melanie Kolbe:
Right. Thank you. Then Chris, go ahead, please.

Christopher Samson:
Well, good evening, everyone from Australia. Nice to see you all. So I think I just want to comment on the role of non-state actors here. You know, we spent last year discussing two of the norms and I think it became obvious that it’s at the implementation where frankly the states can’t do it. It has to be done with the cooperation and the collaboration of the non-state actors. And I get the sense just looking at all of the norms that that’s really going to be the case. And as you’ve started to explain this concept of confidence building measures, I think the reality is that at the point of implementation, states will, you know, either individually within their own boundaries or through mechanisms that themselves are either regional or international in terms of private sector and civil society organizations and academia. And also the technical community will have to collaborate to actually achieve the implementation. And that what’s happening seems to me is that the norms coming out of the UN mechanism and the confidence building measures coming out both of the UN mechanism and of these regional bodies that we’ve been hearing from tonight are sort of think tank level outputs that when they get to the implementation stage you’re going to need much more of a collaborative effort. So there’s a kind of an ecosystem effect to achieve them. And I think to help make that happen there needs to be a little bit more clarity around the communication and around the, what you might call the model of the ecosystem. So more actors, more non-state actors can actually understand what these norms actually are and why they’re so important and how they can contribute to both implementation of the norms and the confidence building measures. And to try and sort of create that self-organizational force, you know. And I reflect that what we’re facing with cyber crime or we’re facing with the malicious use of ICT are forces that are themselves self-organizing, right?
Because they’re not bound by state boundaries. And we need to start moving towards much more self-organizing organizations and that type of thinking to really be able to more effectively counter and tackle the forces up against us. That makes sense to everyone.

Melanie Kolbe:
Yes, absolutely. Thank you. Thank you, Chris, for sharing your thoughts on this, especially the collaborative nature. I wanted to, before we move on to two other questions that have been raised, Kerry-Ann, I understand you have to leave soon, but before you drop out and we continue the conversation, thank you so much. It was very interesting. And I hope we also stay a little bit in touch as we move on with the Geneva Dialogue and it’s very much appreciated that you took the time to present. Thank you.

Kerry-Ann Barrett:
Thanks, Melanie. I’ll be here until 9.45 and then I’ll drop. Thank you.

Melanie Kolbe:
Thank you so much. Okay, fantastic. So I think it would be interesting to also move to some of the other questions. So there have been some in the chat, but again, I would encourage everyone to maybe raise their hand and contribute. Apologies for my video being off. I have exactly one power outlet on this laptop and the camera takes too much time. So I have to be invisible for a moment to not drop out of the call. Are there any other questions? One thing I saw in the text, in the text I found interesting, maybe I get reprimanded for this, but my question is also, how do we track implementations of confidence building measures? Clearly they’re voluntary. They all happen at probably different paces and in different extent, but also are there some kind of high level impact that we can see Sharifa has asked in terms of the policy adoption or in terms of capacity building? How do your organizations track this and sort of what is your resume on the current efforts?

Kaleem Usmani:
Melanie, if I may,

Melanie Kolbe:
Yes, go ahead.

Kaleem Usmani:
Thank you. I think, Melanie, there was another question also from Dr. Sherif here. And then again, he is talking about that. What is the sort of the policy level or national level strategies or policy statements incorporated the agreed cyber norms and CBMs? So I think the way we can do it, and this is how, in fact, we have tried to reflect into our country in Mauritius, that the cybersecurity strategy is a very clear action and the guideline and not the guideline, but the clear action and strategic direction talks about that. We have to have the implementation of norms and the CBMs in the country. So first of all, we can have that as a strategic direction into the national level policies. And also, since I was talking about the continental level strategy there also, I believe, if that content is in there, then obviously that will be helpful. So I think these are the two ways where the regional agencies as well as the national agencies, they could play a role in order to implement these norms and the CBMs. Thank you.

Kerry-Ann Barrett:
I’ll probably jump in before I drop off as well, just to say that within the Latin American region, we have over 20 national cybersecurity strategies and almost all of them have a component that speaks to international cooperation. And while some of them may not outrightly state CBMs or the implementation of the UN norms, it does speak to participation in international fora or something of that regard. It does recognize the need for participation or international coordination, cooperation. And while some of our member states have made a public statement on how international law applies to cyberspace, I think the fact that in our CBM, it actually speaks to the 11 norms and the implementation of those 11 norms on the UN, it’s kind of like there is a general consensus, while there may not be specific statements on it. And I think that says that the region is thinking about it, even if they’re not able to have national positions or commitment on it.

Melanie Kolbe:
All right, Sherif, would you unmute yourself to jump in?

Sherif Hashem:
Sure, I’d like to thank all the speakers for such excellent and comprehensive presentations, but I’d like to follow up on my question that I shared in the chat. If we want to have an impact, global impact, really, and especially in developing and emerging economies, we need to engage decision makers and senior diplomats. I’ve been involved in training of diplomats, but usually the people who get sent there are like entry-level or mid-level diplomats who are in the middle of their career, which is promising that in 5, 10, 20 years, we will have diplomats at a high level who understand about cyber and cyber issues. But the point is to get things started in a pragmatic way and really in an impactful way, we need to quickly engage senior decision makers in industry, in government, in diplomacy, and to make sure that this is reflected upon in strategies and policies, like what Dr. Kaleem just mentioned in Mauritius, and it was shared also in the Asian region, and I’m sure in the Americas as well. This is not trivial. I come from Egypt, so I have experience in the Middle East, in Africa, and in a few regions, and also I was on the board of FIRST for a couple of years, and I can see like developing countries and developing economies need engagement at a higher level, so that to impact? If you have a training, for instance, for infrastructure protection, do we engage CEO or top executives in industry that are operating critical infrastructure, or are we training engineers who are more on the operational side? I think we should do both. But coming from Egypt, we’re talking about the pyramid. You have the base of the pyramid where everybody has decent knowledge of cyber norms and CBMs. But at the top, you also need the tabletop exercises, the type of training and awareness of what’s happening, how cyber incidents unfold so that decision makers know what’s going on and really make the right decisions at the right time. In the developed world, it’s more obvious.
In the developing world, it’s less obvious. I really appreciate the input of the speakers around their experiences in this way, engaging decision makers and high-level policy statements. Thank you.

Anastasiya Kazakov:
Thank you, Sherif. Any more responses? Yes, Rashida, go ahead.

Shariffah Rashidah:
Thank you, Sherif, for your views. Speaking from my experience, I can really relate to how important it is to make everyone understand that norms, CBMs, it is not something that is as alienated subject if you bring back at national level. One thing that I found beneficial in my experience is I’m not sure whether this is fortunate or unfortunate. I came from the technical background, but I was being put to do policy and later to do the issues of OEWG that talks about the framework of responsible states’ behavior. So having a little bit knowledge in terms of technical, I’m not saying that it is easy to explain, it is quite a challenge, but one thing that I, I think what people like, I believe, us that understand where we actually already started to engage in this conversation is to connect with the people who are already engaged in this conversation. And I think that one thing that, I think, what people like, I believe, us that understand where we already started to engage in this conversation is to continue to meet up and find the leaders and keep on persistently see them and explain to them, and finally you can actually see some understanding, and sometimes people think cyber is a very difficult thing to do.
So I think that’s one thing that I think the, the shift and changes that from the experience that I have at the national level, and with times, I think just to share with all the participants today, next week, Malaysia will be tabling in the parliament our cyber security bill that talks about the implementation of cyber security, so that is, I think, the continuous engagement that really, really need to be done at, I think, our level so that the people at the technical side, as well as the leaders can really see it, but I’m not saying it’s easy. It’s a very challenging journey to get that. Yeah.

Melanie Kolbe:
Thank you. Thank you, Gregor, did I see your hand?

Gregor Ramus:
Thank you very much. I just wanted to add to these points already by giving you some examples of how the OSCE approaches capacity building and how we try to engage different sectors of the world, stakeholders. And I’ll do that by giving you some examples of the trainings that we do have. So we have dedicated trainings, for example, on critical infrastructure protection, which are very focused on creating national cyber incident severity scales. Now, this is an example of a training which engages more the technical people, the engineers. So there, we really ask in the invitation letters for participating states to nominate technical level experts, because that’s what the training is about. Another example of a technical training would be a training on coordinated vulnerability disclosure, CBM 16, we ran several trainings last year, which really engaged the technical community, the research community in that, in that area as well. And again, here, we really stress the importance of nominating technical participants. But then on the other hand, we have I think, Kerry-Ann also mentioned that they have this DOS trainings on international cyber diplomacy. And these are trainings which are targeted more at policy level, senior diplomats, that perhaps are not yet engaging so much in UN processes on cybersecurity or in OSCE processes on cybersecurity. And we really try to bring in people that are engaging, that will be engaging in these processes in the future, and train them on, for example, very practical things how to deliver national statements or prepare national statements in advance, how to coordinate those statements with relevant national stakeholders, as well as how to react on the floor to an ongoing negotiation discussion.
And then I also wanted to give you one last example when we merge the two groups, so technical and diplomacy together. And this is subregional trainings on cyber confidence building measures. And this is a training which targets both the technical community and diplomats, and bring them together to kind of try to close the gap between those two groups. And here the kind of the mixture in the agenda is both a technical discussion as well as policy discussion, but what is important, and I think you mentioned this, Sherif, is the tabletop exercise that we have on day two. And this is really appreciated by our participants because it makes them recognize the importance of working together. So the tabletop exercise is designed to engage both groups and make them coordinate, cooperate, and respond to a fictional cyber incident. So just wanted to add that. Thank you.

Melanie Kolbe:
Thank you so much, Sherif. Okay, I see a thumbs up from Sherif, so hopefully he got some questions. John, go ahead. I think exactly we have time. So we have 10 minutes before we end, so we have time for one short or two short questions, and that’s it. Okay, John.

John Madelin:
Just great, great sessions. Thank you so much. Really well putting across some complex content in a very understandable way. I’m interested about when there’s misbehavior, so the subject of attribution. As we know, some nation states distance themselves from actors, but even so, it’s hard to know who’s doing what bad stuff. It’s a little bit associated with Chris’s question. So, you know, what’s our role when there’s a little misbehavior? For example, recent geopolitical events have seen a surge in DDoS attacks, which look like they’re nation state sponsored, but geez, it’s hard to get to the bottom of that. Yes, is that true? The entire panel? Yeah, I mean, you know, I saw Gregor smiling a little bit there. So maybe if I put you on the spot, Gregor.

Melanie Kolbe:
I saw Rashidah nodding too, so that’s the downside of cameras, we can actually see you.

John Madelin:
Yeah, she’s on camera for me.

Melanie Kolbe:
Perfect. I would say Gregor and Rashidah.

Gregor Ramus:
I’m afraid my answer will probably be a little bit disappointing, because the OSCE has no mandate to respond to cyber attacks, more so not to do attribution. But what we have seen is in the informal working group, which is the main process on cyber at the OSCE. We have seen states attribute recent cyber attacks in their country to specific actors. I think a very good example in this case, because it’s, let’s say, less politically sensitive for me, because Iran is not a member of the OSCE. But you remember that Albania suffered a cyber attack in 2022, which originated from Iran. And they announced that in the informal working group and also presented some evidence, which is always, you know, encouraged. And this is how we should approach attribution. But I know that attribution is a sensitive topic. So we leave it up to the states to decide how and when to attribute, because we have different levels of attribution. And, yeah, we, as the OSCE Secretariat, do not get involved in this process.

John Madelin:
But that’s at least a good use case of the sort of behaviors you might expect in those sensitive situations. Yeah. Thank you.

Melanie Kolbe:
Rashidah, go ahead.

Shariffah Rashidah:
Yeah, I think one of the things that is truly important is your question regarding attribution. So, I mean, there are three types of attribution, where you always start with the technical attribution, then probably legal attribution, and it goes back to the political attribution. So, I mean, again, it’s up to the state how you actually handle one incident, whether you want to attribute or not. But coming from my views, my personal view is that it goes back to the contradictions of the commitment of states. It already shows. Just now, we talked about how you actually want to measure the CBMs. CBMs are about confidence-building measures. Why does one state actually openly attribute to another state? It means that the confidence-building measures are not an effective tool between those states anymore, which makes them openly attribute. So that is, I think, the work that states need to do. And it goes back to the question, do you uphold the framework of responsible state behavior? So you talk about confidence-building measures, and you do not really do that. So that means that it is, for me, at least the measurement of how confidence-building measures do not work. It’s not the activities, the results of such. That incident will testify whether the elements of confidence-building measures work or not. So that is my thoughts.

John Madelin:
Thank you.

Melanie Kolbe:
Thank you so much for clarifying this. OK, one last very short question. Martin, do you want to go ahead? Can you unmute yourself? Yes.

Dr Martin Koyabe:
Yeah, thank you so much for giving me this opportunity. First of all, I really want to thank the speakers, and also for the questions that they’ve raised, and also the contributions from other participants. I just wanted to zoom in to a specific area, and I think this covers the capacity development. Having worked within the continent, and I really agree with Dr. Kaleem that there are a number of interventions that are going on in Africa. But more specifically, there could be areas that we could enhance or improve. And one of these, the key area that I look at is I’ve seen that we’ve talked about the strategy having the component of CBM as part of an implementation, or part of the aspect of making sure that CBMs are implemented in countries. There’s also the area around, how do we build capacity in Africa, and how do we build capacity in other countries? And I think that’s a key area that we need to look at within CBMs. The area that I really wanted to focus on is the human resource. In many cases, we talk about the diplomats meeting the technical community, but what we know within Africa and in many other countries, you have this cycle of politics where some of these diplomats leave. And therefore, the question is, what do you do when that gap appears more often than not? There is also the issue around how do we keep the institutional memory so that people who come after could be able to get the experience that was actually covered by their predecessors and continue with the work that many of the countries would have invested. So there is an issue around sustainment of knowledge within institutions, and that calls for institutional memory. And the other thing is also the political will, which I think Kerry talked about it, and other speakers talked about it, which is useful. But that, having said that, it still requires some prioritization of who gets trained.
So the suggestion here would be, first of all, to look at a framework that many of the countries that do not have any framework of any sort, especially in the CBMs and how they articulate the issues, could be able to follow. That would be a very useful component. And then also look at how do you invest in the human resource. And my suggestion here, from the experience that we’ve had with the AU-GFCE project that we’ve had in Africa, is to look at the middle-tier staff, because the middle-tier staff tend to stay longer in institutions. They are not politically appointed. And most of them, sometimes with good incentive mechanism, do hold a lot of memory, and they can hold a lot of technical information that can help many of the countries to be able to address some of these issues. And then finally, is the issue around support. How do we support some of these activities? And I think we’ve talked about working… We talked about having sponsorships in various areas or forums to ensure that this is taking place. But the most important thing here for me would be to ensure that the people who are able to get this knowledge could be able to pass on this knowledge through institutional memory frameworks that can remain within the country. Thank you.

Melanie Kolbe:
Thank you so much. Thanks for highlighting. This has come up in the conversation before, obviously, about the capacity and skills development and side of this and also the institutional memory to not lose this. Any quick responses? Is there some CBM or some experiences from one of your regional organizations that is relevant?

Gregor Ramus:
Sure, I can give you two examples of how we approach the issue of diplomats leaving. It happens quite a lot. It’s relevant both for CBM and point of contact network, not just diplomats, also on a national level, technical experts leave. This is why we continue to do the comm checks to ensure that their data is relevant. But I also wanted to specifically answer on the problem of diplomats kind of taking away the knowledge of the process at the OSCE level. And what we’ve done with the international cyber diplomacy trainings that I mentioned before is we’ve established an alumni network of people that have taken the training and share the details and kind of keep up the community of these people that we can reach out to. So participants that have already participated in previous years, we call them back as speakers. And even if they left for a different post, they can still share their experience whilst they were working in this area. And the second, I want to just quickly mention on institutional memory on the CBM process at the OSCE, that the secretariat actually serves as a keeper of that memory. And we have in the past and will also in the future organize trainings for newly arrived diplomats on what, at least at the OSCE level, and also a little bit at the UN level, what this process is, how to engage with it best and what our recommendations would be in terms of national coordination.

Dr Martin Koyabe:
Just a recap, so sorry for that.

Melanie Kolbe:
Martin, Martin, but we’re running out of time. I really, this has to be a very short response, right? So I can give two more minutes, Martin.

Dr Martin Koyabe:
I just needed one minute actually. So the recap is that when you think about institution, think about the implementation, not the institution that actually covers it, but in the country. That’s what I thought. Thank you.

Melanie Kolbe:
Perfect. Thank you so much. All right. Thank you to all our presenters. Thank you also to all the participants with very interesting, very relevant questions. I think we covered quite a wide field. And also, I think this is also part of the Geneva Dialogue, very interesting as we’re progressing with our next steps at CBMs. Clearly is one thing we have been discussing as a point of focus, but also helping us also immensely to understand the role and the various activities of the regional organizations in fostering an environment for norms, norms implementation and adherence. And I think this has been quite a conducive discussion that I’ve seen from the chat comments that I’m not alone with that. So thank you so much for making time for this discussion today. We will follow up as usual in the Geneva Dialogue. Anastasiya, any final words from your side?

Anastasiya Kazakov:
Thanks a lot, Melanie, for the support moderated moderation today and also to all speakers and all participants. We will collect all the questions. We’ll definitely include them in the thematic consultation. I think there’s so much to discuss and think all together more. We’ll also ask our experts to share the slides with us. So we’ll circulate them if they could be helpful for further work. And again, on April 30, we will look forward to further discussing the focus on the critical infrastructure. And in the meantime, if you have any questions, just feel free, as always, to ping us. So thanks a lot for your time and wish a good rest of the day. Thank you very much. Thank you. Bye. Thank you. Good session. Thank you. Thank you. Good night everyone.

Anastasiya Kazakov: speech speed 172 words per minute; speech length 1739 words; speech time 605 secs

Christopher Samson: speech speed 150 words per minute; speech length 437 words; speech time 175 secs

Dr Martin Koyabe: speech speed 178 words per minute; speech length 661 words; speech time 223 secs

Gregor Ramus: speech speed 166 words per minute; speech length 3596 words; speech time 1300 secs

Imad Aad: speech speed 182 words per minute; speech length 62 words; speech time 20 secs

John Madelin: speech speed 180 words per minute; speech length 178 words; speech time 59 secs

Kaleem Usmani: speech speed 170 words per minute; speech length 3314 words; speech time 1171 secs

Kerry-Ann Barrett: speech speed 182 words per minute; speech length 3900 words; speech time 1287 secs

Melanie Kolbe: speech speed 178 words per minute; speech length 2308 words; speech time 777 secs

Shariffah Rashidah: speech speed 163 words per minute; speech length 3417 words; speech time 1258 secs

Sherif Hashem: speech speed 158 words per minute; speech length 403 words; speech time 153 secs