UN OEWG 2021-2025 – Capacity building

31 Mar 2022 19:00h - 22:00h

Event report

Mr Burhan Gafoor (Ambassador and Permanent representative of Singapore), the Chair, welcomed the number of delegations from developing countries who took the floor in the session on capacity building by saying: ‘It is a very good sign and the participation was across the board, north and south, east and west, which clearly shows that there is a high level of expectations in terms of what we can do potentially, and what we can do to build on what we have already achieved in the previous OEWG.’ 

Malawi stressed that ‘being one of the developing countries, we recognize that we also have a significant role to play in identifying our needs’. There was a general consensus among states that, in order for capacity-building initiatives to have the greatest possible impact, capacity-building efforts must be nationally-owned sustainable, non-discriminatory and politically neutral, and guided by the principles contained in the paragraph 56 of the final substantive report of the 2019–2021 OEWG. Brazil, Malawi, Fiji and Pacific Islands Forum countries, South Africa further emphasised the importance of political neutrality. Nicaragua, Cuba, Venezuela, Indonesia, Syria strongly reject the imposition of any unilateral coercive measure that could undermine the development plans. In addition, Bangladesh, Iran, and Sri Lanka stressed the principle of sovereignty. Portugal underlined that cybersecurity capacity building must be complemented by a proportional effort to combat crime.

The role of the OEWG in capacity building

According to a number of member states, most notably Lao PDR, Nicaragua, Malawi, Iraq, Indonesia on behalf of Non-Aligned Movement, Philippines, France, the Russian Federation, Republic of Korea, Finland, India, and Poland, the OEWG can significantly promote capacity building at a global level, while regional bodies and other organisations continue to play a vital role. In order to enhance capacity building at the global level, the EU on behalf of the Turkey, North Macedonia, Montenegro, Serbia, Albania, Bosnia and Herzegovina, Ukraine, the Republic of Moldova, Georgia, and San Marino underlined the need to increase our international coordination using organisations such as the GFCE to bring states together, facilitate the exchange of information on ongoing and planned efforts, best practices and lessons learned. Malawi, Côte d’Ivoire and Ghana expressed the necessity to encourage the sharing of information and to establish a platform and a database that states can use to identify the available capacity- building opportunities and programs. In a similar vein, Singapore, India, and Kenya invited the UN to compile a comprehensive calendar of capacity-building programs that would allow us to have greater visibility of existing needs or gaps to better tailor our programs and focus our resources. Cuba proposed to develop a database of best practices and techniques available. 

Malaysia suggested that the OEWG could facilitate the states’ effort by aligning capacity- building requirements and assistance based on the cybersecurity baselines once these are developed. Germany echoed the remarks made by Finland and Costa Rica on the importance for the OEWG to closely involve the private sector actors at the conceptual and practical level in preparing its recommendations with respect to capacity building. Other member states, most notably Sri Lanka, Nicaragua, Germany, Japan, Colombia, Côte d’Ivoire, Venezuela, Indonesia, Bangladesh, El Salvador, Haiti, Republic of Korea, Finland, Dominican Republic, Costa Rica, India, the EU, Poland, and Kenya also emphasised the role of public-private partnerships in facilitating knowledge and skill transfer and in overall capacity building efforts. According to Chile, the OEWG, through the UN system, could contribute to developing a global map for capacity-building opportunities, while working with regional and other bodies and acting on focal points through a specialised unit in the area,  responsible for coordinating these capacity-building opportunities. Iran suggested that the OEWG should focus on the components of the global architecture for capacity building, including cybersecurity training and education under the auspices of the UN. The Philippines maintains that the OEWG can address significant concerns, such as insufficient coordination and complementarity in the identification and delivery of capacity-building efforts. El Salvador believes that the OEWG could, within its report, highlight the current efforts generating progress in cyberspace and incentivise such initiatives through information exchange. Haiti highlighted the extreme importance to strengthen international cooperation in order to prevent and combat the use of the ICTs for criminal purposes and to establish the necessary follow-up mechanisms. The Netherlands supported the creation of a permanent platform, as suggested by Izumi Nakamitsu (High Representative for Disarmament Affairs), to enhance capacity building by complementing the OEWG work to further develop common understanding and elaborate the consensus framework for responsible state behaviour in cyberspace. France suggested that such a platform could be part of the Programme of Action (PoA).

Addressing the question of the universal principle of capacity building, the Russian Federation stressed that the list of principles should include: 

  1. the inadmissibility of using ICT technology by states as a tool for taking economic, political, or other coercive measures, including measures of a restrictive or blocking nature against particular states which hamper universal access to the benefits from the use of the ICT
  2. the requirement for states to prevent the use of harmful hidden functions in ICT supply chains developed under their control and jurisdiction in order to create or facilitate the creation of vulnerabilities in products, goods, and services that prejudice sovereignty and security of recipient States
  3. the inadmissibility of taking measures that entail unreasonable restrictions on the use of the ICTs for peaceful purposes, international cooperation in this area, or transfer of technology. 

The role of UNIDIR

UNIDIR has been brought up in the discussion in many instances.  Germany reminded that it is an independent institute funded by UN member states on a voluntary basis and cannot work per se – the OEWG can suggest areas for further research or work to UNIDIR, which would require additional resources to be provided by the member states. Japan recommended that the UNIDIR portal could be used to post information concerning cyber-related events around the world. Furthermore, countries that provide capacity-building initiatives could provide a summary of their programs to be included in the annual reports of the OEWG or on the UNIDIR’s portal to share information related to capacity building. In addition, Indonesia proposed that UNIDIR could play a role in compiling lessons learnt on capacity building and ICT security. Furthermore, the Philippines suggested that UNIDIR can support a more coordinated role in capacity building by conducting a comparative analysis on different international and regional organisations that offer programs and assessment tools, cyber capacity building, while determining best practices and creating a list of recommendations for the OEWG’s consideration on how the UN can improve the existing initiatives. 

Proposals

A number of concrete proposals for capacity building were put forward by delegations. The UK proposed the Oxford Centre Cybersecurity Capacity Maturity model, CMM, co-sponsored by Australia, Botswana, Chile,Colombia, the Dominican Republic, Fiji, Georgia, Germany, Iceland, Japan, Malawi, Mauritius, the Netherlands, Norway, Peru, Switzerland, Tanzania, Uganda, the United Kingdom, and Global Cyber Security Capacity Centre (GCSCC), the Cybersecurity Capacity Centre for Southern Africa, the Commonwealth Telecommunications Organization, the OAS, and the GFCE, to review cybersecurity capacity maturity; CMM would enable nations to self-assess, benchmark and better plan investments and national cybersecurity strategies, as well as set priorities for capacity development.

The UK called on the OEWG to promote the routes by which states can access support including funding to conduct the CMM and invited UNIDR to track global progress and assess states priority needs, perhaps through voluntary reporting using the survey of national implementation. Malawi, the country that has conducted the CMM, attested that its first assessment provided a baseline of where the country stood when it came to cybersecurity, and helped formulate a strategy that targeted its needs. Fiji, Colombia, Malaysia, the Philippines supported the UK’s intervention, and underscored the importance of the assessment of capacities of each state.

Singapore highlighted that capacity building would enable countries to contribute meaningfully to international cyber discussions. In light of this, the establishment of the UN Singapore Cyber Fellowship Program that should target senior level officials, particularly those from developing countries holding decision-making responsibilities in the areas of social security and cyber governance, was mentioned. Fiji, Brazil, Iran, South Africa, Malaysia, and Egypt expressed their support by saying that these initiatives constitute a good basis for a more focused discussion in the next session.

A number of developing countries expressed the necessity to enhance financial support. Iran, Nicaragua, Cuba, and Pakistan proposed to establish a mechanism for financial assistance to developing countries,  especially in projects which promote safe and peaceful use of the ICTs, as well as through the promotion of scholarships, workshops, seminars, and other initiatives for the exchange of experience. Providing Technical assistance to developing countries was highlighted by Sri Lanka, Nicaragua, Lao PDR, Cuba, Venezuela, Côte d’Ivoire, Ghana, and Pakistan. Ghana suggested that it should be anchored in the normative framework, in order to ensure that there are clear guidelines through which it can be carried out. In addition, Colombia suggested to carry out technical studies like ‘gaps research’, in order to allow us to understand the needs of a country, in order to present and offer adapted assistance. Pakistan proposed that developing states should be provided with necessary financial and technical support, and resources required for the establishment of the CSIRT, securing critical infrastructure and training for crisis management. In light of this, India suggested developing an ‘international counter task force’ by involving experts from the member states to provide technical assistance to developing countries in cases of cyberattacks targeting their critical infrastructure. Such a task force could also provide support in guiding these countries with necessary infrastructure to protect their assets against cyberattacks. Germany would welcome further elaboration of the task force development.

Development of specific capacity building programs

Developing countries put forward a number of capacity-building programs. Cuba proposed the creation of a scholarship program to train experts in developing countries on all aspects of cybersecurity, while taking into consideration current debates within the UN. Additionally, Pakistan suggested diverse fellowships and training for cybersecurity professionals from developing states in the areas of critical infrastructure security, cyber policy making, and the application of international law. Kenya advocated for the development of exchange programs, including south to south triangular cooperation through which states can learn from each other’s experience. Furthermore, centres of cyber excellence could reinforce capacity-building efforts.

Challenges

A couple of member states expressed challenges they face when it comes to capacity building. Fiji, on behalf of 14 states of the Pacific Islands Forum, underscored the importance of capacity building to contribute towards resilience against the greatest challenge of our generation – the climate change. The volcanic eruption and tsunami that occurred in the beginning of this year caused a breakdown in ICT capacity. Fiji called to ‘urgently ensure that the ICT, including cybersecurity infrastructure, is climate and disaster resilient.’ According to Iran, restrictive measures against other member states, such as limiting and blocking IP addresses, restrictions to the registration of domain names and removal of popular apps from the app market, pose serious threats to ICT development, security and trust, while affecting existing efforts in building and developing the required capacities. 

Gender 

Several countries highlighted gender parity in cybersecurity discussions and capacity building as imperative. Malawi, Sri Lanka, and Colombia stressed that any capacity building efforts should consider gender issues. Canada and Netherlands stressed that the OEWG should further promote a gender sensitive approach to cyber capacity building. This also applies to the area of cyber diplomacy where we should seek to increase the representation of women in discussions.

Programme of Action

Many delegations – most notably Germany, Finland, Dominican Republic, Republic of Korea, Chile, Japan, Colombia, and Netherlands, pointed to the unique role of  Programme of Action (PoA) in operationalisation of the principles to conduct capacity-building activities set in paragraph 56 in the final report of the previous OEWG. Egypt explained that the PoA could play a crucial role in the capacity-building efforts as well, allowing a bottom-up mechanism to support implementation efforts at the national level, particularly through tailored and coordinated fashion, while fully respecting state sovereignty. 

In addition, France explained how the PoA would materialise in practice – e.g. PoA could encourage the development of capacity-building efforts to assist states in the establishment of a national cybersecurity strategy, to help them to build capacity on incident response or in outlining policies that would improve the protection of critical infrastructure. Switzerland highlighted the uniquely universal role of the UN where the PoA would facilitate capacity building at the global level – e.g. the PoA could support the development and appropriate update of the UNIDIR survey of national implementation. It could also encourage the use of the survey to regularly assess states’ needs and to identify further actions, required for  the development of capacity building. The PoA would also have a dedicated trust fund for capacity-building projects. 

Global Forum on Cyber Expertise

The role of the Global Forum on Cyber Expertise (GFCE) in the capacity-building initiatives was underscored by a number of delegations. Chile maintains that the UN could evaluate these kinds of initiatives to move forward with viable cooperation, assistance, capacity- building plans and strategies. The Netherlands and Portugal highlighted the work of the GFCE which helps match capacity-building needs with expertise and resources. 

Singapore advised the OEWG to consult with UNIDIR, the member states, regional organisations and stakeholders in organisations, such as the GFCE to better identify synergies for a more collaborative and sustainable approach to cyber capacity building, e.g. the Cybil Portal of the GFCE has enabled participating member states to tap on the ridge exchanges of cyber capacity-building initiatives. Similarly, the Philippines suggested that the OEWG can build on the work of the GFCE or look into replicating the GFCE working groups to organise sub-working groups which would focus on thematic priorities of capacity building, inter alia, the implementation and establishment of norms and of national strategies, the applicability of international law, incident response emergency management and protection of critical infrastructure, which would offer concrete deliverables. Canada and the Dominican Republic highlighted the work and significant progress of the GFCE since its establishment in increasing participation and providing all participants with the tools, knowledge, and expertise required to coordinate global efforts in cyber capacity building.

Crisis in Ukraine

Few delegations made a reference to the ongoing crisis in Ukraine. Poland said it is deeply deplorable that while discussing responsible behaviour in cyberspace, we are witnessing not only military aggression of the Russian Federation against the independent Ukraine, but also continued malicious cyber activities conducted from the Russian territory. Poland called on the Russian Federation and other countries, who allow using its cyberspace for malicious activities, to stop them once and for all.

As we have heard, the OEWG itself is considered a capacity-building exercise, said Canada, but in order for it to be truly effective, there needs to be a degree of trust among states. It is therefore incumbent of us to speak out against the unprovoked and unjustifiable devastation that Russia’s military forces are causing Ukraine. Canada stressed that Russia’s president Vladimir Putin’s ‘war of choice’ threatens Ukraine’s and Europe’s security, the rules-based international order, and the normative framework for responsible state behaviour in cyberspace. Canada ‘humbly’ suggested that the OEWG invite the delegation of Ukraine to present to the entirety of the OEWG their exemplary efforts in cyber resilience and bolstering their defences. The EU stressed that more coordination should take place between states and other stakeholders – such as private sector and civil society to cyber capacity building, as we also see now happening in support of Ukraine to mitigate the impact of the Russian aggression.