Agenda item 5: Day 2 Afternoon session

5 Mar 2024 21:00h - 23:59h

Event report


Disclaimer: This is not an official record of the session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed.

Full session report

UN delegates deliberate on cyberspace norms at OEWG session

During the fourth meeting of the seventh substantive session of the Open-Ended Working Group (OEWG) on Security of, and in the use of Information and Communication Technologies (ICTs), established by the United Nations General Assembly Resolution 75-240, delegates from various nations convened to deliberate on the implementation of rules, norms, and principles of responsible state behaviour in cyberspace. The Chair initiated the session by presenting a discussion paper, along with a checklist of practical actions for the implementation of voluntary, non-binding norms of responsible state behaviour in the use of ICTs, and invited comments from the delegates on these documents.

The delegates engaged in a rich dialogue, sharing their national experiences and best practices in implementing the existing norms. The discussion revealed a consensus on the importance of these norms for maintaining international peace and security in the ICT domain. However, opinions diverged on the necessity of developing additional norms, especially in light of the challenges posed by emerging technologies such as Artificial Intelligence (AI). Some delegates, such as those from South Africa, advocated for additional norms to address the specific risks associated with AI, while others, like the Syrian Arab Republic, called for a more balanced approach that includes the development of new, legally binding norms.

A significant portion of the discussion centred on measures to protect critical infrastructure from ICT threats. Delegates underscored the importance of cyber hygiene, security by design, and supply chain integrity. For instance, South Africa suggested that at a minimum, basic cyber hygiene practices should be in place, and security should be built into the design and manufacture of technology products. The South African delegation also called for shared principles over competition in ensuring supply chain integrity.

The Chair’s discussion paper and the checklist were generally well-received as useful tools to support states in their implementation efforts. Delegates appreciated the non-exhaustive nature of the checklist, viewing it as a living document that could evolve over time. They also highlighted the need for the checklist to be voluntary, flexible, and adaptable to national priorities and interests. Some delegates, including those from the United States and Switzerland, recommended slight restructuring of the checklist to distinguish between elements that have achieved consensus and other ideas that do not enjoy the same level of agreement.

The session also touched upon the importance of inclusive participation in international processes like the OEWG. Delegates emphasised the need for dedicated fellowships for developing countries to facilitate their participation in the UN process, with programs like the Women in Cyber Fellowship being highlighted as valuable initiatives.

In conclusion, the meeting underscored the urgency of implementing the existing norms and the potential need for additional guidance or norms to address emerging challenges in cyberspace. The Chair encouraged a pragmatic and incremental approach to the discussion, moving beyond the traditional binary framing of whether to implement existing norms or develop new ones. The Chair also called for continued dialogue and engagement among delegates to find common ground for the implementation of norms in cyberspace.

Noteworthy observations from the transcript include the proactive sharing of national strategies and legislation by countries such as India and Canada, which provided concrete examples of how they are addressing cybersecurity and protecting critical infrastructure. The session also highlighted the ongoing need for capacity building, technology transfer, and technical assistance to support the implementation of norms, particularly for small and developing states.

Overall, the meeting reflected a collective commitment to strengthening cybersecurity and fostering a safe, stable, and peaceful cyberspace through the implementation of agreed norms and principles.

Session transcript

Chair:
Distinguished Delegates, the fourth meeting of the seventh substantive session of the Open-Ended Working Group on Security of, and in the use of ICTs established pursuant to General Assembly Resolution 75-240 is now called to order. Distinguished Delegates, in accordance with the program of work, we will now proceed to begin our discussion on the topic of Rules, Norms, and Principles of Responsible Behavior of States. And I draw your attention once again to the Chair’s discussion paper that I had made available as part of the documentation for this meeting, and I also draw your attention to the list of guiding questions relating to Rules, Norms, and Principles, and I’d like to invite your comments on them. Finally, I also draw your attention to what I said just prior to breaking for lunch, where I had encouraged you very strongly to present a very succinct summary of your interventions, on the understanding that you could send me your written statements so that I could look at it very closely, and your statements would also be put on the website of the OEWG so that all delegations can also look at your statements. So do not feel that you have an obligation to read every word of the statement that you have prepared with great care and thoughtfulness. Do be as succinct as possible so that we can make progress on this section and also go on to the next section. So with these comments, I now open the floor for delegations wishing to make a statement and I give the floor now to South Africa followed by Bangladesh. South Africa, please.

South Africa:
Chairperson, for this segment of our work, you asked us to reflect on five guiding questions and we are pleased to share our thoughts on some of these questions. On the question of possible additional norms that could potentially complement existing norms, South Africa has maintained that additional norms could be developed by considering gaps identified through the process of implementing those norms. It became very clear during the discussion on threats that despite the many benefits emerging technologies such as AI bring, the associated risks are twofold. Thus, the South African delegation could support a new norm to protect against AI-powered cyber operations and attacks on AI systems to complement existing norms as proposed during the multi-stakeholder consultation last week. Chairperson, turning to the question on measures to be taken to protect critical infrastructure and critical information infrastructure from ICT threats, we would suggest that at a minimum, the basics of cyber hygiene should be in place and this includes the simple measures such as strong passwords, software updates, turning on multi-factor authentication and so forth. The next step is to ensure that security is built into the design and manufacture of technology products, i.e. security by design and default. On strengthening cooperation to ensure the integrity of the supply chain and prevent the use of harmful hidden functions, we call upon states to strive for shared principles and avoid competition. The South African delegation is still studying the chair’s discussion paper on a checklist of practical actions for the implementation of voluntary, non-binding norms of responsible state behavior in the use of ICTs, and we would like to return to this at a later date to share our views. Thank you.

Chair:
Thank you. Thank you very much, South Africa. Bangladesh to be followed by India. Bangladesh, please.

Bangladesh:
Thank you, Mr. Chair. My delegation comments your efforts in presenting the chair’s discussion paper on a checklist of practical actions for the implementation of voluntary, non-binding norms of responsible state behaviors in the use of ICTs, which in our view is a solid basis and my delegation fully subscribes to it to further discussions in this regard. Mr. Chair, my delegation believes that building a strong cybersecurity posture requires a cultural shift. Equipping future generations with digital literacy skills through cybersecurity education in schools’ curriculums, starting from the elementary level, is a critical first step. Promoting a culture of peace and its program of action, which my delegation is promoting at the UN, remains equally important online as it does offline. Furthermore, workshops and training programs for businesses and government employees on cyber hygiene practices are essential. To solidify these efforts, fostering public-private partnerships is critical for the development and promotion of best practices in secure software development and coding, ensuring that software is secured by design. This lays a strong foundation for a more secure digital future. Developing standardized formats for reporting ICT incidents to facilitate information sharing and analysis by relevant authorities is a critically important first step as practical actions for implementing voluntary norms. To ensure an honest understanding of ICT incidents and develop effective response strategies, a multi-pronged approach is essential. First, conduct a meticulous technical analysis, scrutinizing attack methods, tools, and, if possible, identifying the origin. Equally crucial is an impact assessment, evaluating the incident’s scope, scale, and repercussions on critical infrastructure, businesses, and individuals. However, the evaluation shouldn’t stop at technical aspects. 
A comprehensive contextual analysis is necessary, considering the geopolitical landscape, potential motives, and any historical incidents with similar characteristics. Navigating attribution challenges in the cyber domain with prudence, acknowledging complexities, and avoiding hasty conclusions based on circumstantial evidence is paramount. Employing this holistic approach ensures a well-rounded understanding of ICT incidents, paving the way for informed and effective response strategies. Mr. Chair, the most effective approach to translating these norms into concrete action lies in collective efforts between States. This collaborative endeavor should focus on providing guidance on the interpretation and implementation of these principles, ensuring their effective application in the evolving cyber landscape. To that end, Bangladesh emphasizes that all States should have the common and comprehensive understanding on these norms. In pursuit of this shared understanding, we need to address the skill gap as a matter of priority. This includes fostering information sharing and facilitating the exchange of knowledge, experience, and expertise. These actions are deemed basic, yet their simplicity and effectiveness make them readily implementable and valuable in strengthening cyber security capabilities for nations in need. In this regard, we underscore the importance of strengthening and expanding inclusive, active, and sustainable participation in international processes like the OEWG. We emphasize the need for dedicated fellowship for developing countries, particularly for LDCs, to facilitate their participation in the UN process. I thank you, Mr. Chair.

Chair:
Thank you very much, Bangladesh. India, to be followed by Canada. India, please.

India:
Mr. Chair, India asserts that maintaining international peace and security in cyberspace is a shared responsibility. Voluntary, non-binding norms of responsible state behavior can reduce risks to international peace, security, and stability, contributing to conflict prevention by increasing predictability and reducing the chances of incorrect perceptions. The norms, rules, and principles in the GGE report of 2021 lay a solid foundation for responsible state behavior. Following these norms, rules, and principles will help secure international peace and security. In this respect, India thanks the Chair for his initiative in drafting a checklist for the implementation of norms. To address the second guiding question about what best practices Member States can undertake to protect critical infrastructure from ICT threats, India would like to highlight some suggested measures, including those currently undertaken by India’s National Critical Information Infrastructure Protection Center. And these include, number one, conduct of comprehensive risk assessments of critical infrastructure to identify potential vulnerabilities and threats. Two, promotion of cybersecurity awareness and training programs to educate stakeholders. Three, collaboration with national and international entities to share threat intelligence. Four, ensuring proactive identification of emerging cyber threats. Five, establishment of incident response teams to promptly address and mitigate cybersecurity incidents. Six, the conduct of regular audits and assessments of the security posture of critical infrastructure entities. 7. Adherence to relevant regulatory requirements and guidelines to protect critical infrastructure from cyber threats. 8. Information sharing and collaboration among critical infrastructure entities to strengthen cybersecurity capabilities collectively. 9. Adoption of advanced technologies and tools to detect and mitigate cyber threats more effectively. 10. Emphasis on a culture of continuous improvement to adapt to evolving cyber threats and enhance cybersecurity measures over time. These practices align with international standards and frameworks for critical infrastructure protection and would contribute to a safer and more secure digital ecosystem.

Chair:
Thank you for your contribution. I give the floor now to Canada to be followed by the European Union. Canada, please.

Canada:
Canada, thank you for this opportunity to take the floor on this important subject. As we heard during statements on threats, cyberspace remains an environment subject to all sorts of stress and sometimes behaviour which is sometimes poor. This context highlights the importance of stepping up efforts to implement the 11 non-binding norms. To respond to your last guiding question, sir, one of the best ways of fostering implementation of existing norms is to try, in good faith, to respect these norms. One norm consists and I quote of not knowingly allowing the territory to be used to commit internationally unlawful acts with the assistance of ICTs. As identified in the verification list proposed by the chair and in the GGE report of 2021, on which consensus was reached, and I quote, a norm leads to an expectation that a state will take reasonable measures within its abilities to bring an end to activities underway in its territory by using proportionate, appropriate, effective measures and respecting international law and also domestic law. Mr. Chair, sir, the credibility of members depend to a large extent on their ability to deliver on their promise. It is great to see various efforts underway to achieve this by dedicating their energy to build the appropriate capacity to implement these norms. Mr. Chair, I do apologize, but I’m having some technical problems and I need to suspend the delivery of my speech. I do apologize.

Chair:
Thank you very much, Canada. We’ll come back to you when your computer is up again. We’ll go through the next speaker, European Union followed by Russian Federation. EU, please.

European Union:
Yes, thank you, Chair, for giving me the floor. The candidate countries, North Macedonia, Montenegro, Serbia, Albania, Ukraine, the Republic of Moldova, Bosnia and Herzegovina and Georgia, and the EFTA country, Norway, member of the European Economic Area, as well as Andorra and San Marino aligned themselves with this statement. The European Union and its member states strongly support the concrete implementation of the UN framework for responsible state behavior in cyberspace.

That among other key components also includes 11 voluntary norms of state behavior in cyberspace. The open-ended working group must continue to elaborate on, strengthen, and enhance the implementation of these 11 norms, and to exchange on best practices as well as expectations in this context. As every country has its own starting point for implementing the UN recommendations, we see the norms checklist, as proposed by the chair, as a valuable tool to enable both the clarification of the content, scope, and expectations that the norms set, and to contribute to the common understanding on how to implement them.

The checklist can build upon the work already done on norms implementation guidances, such as the guidance provided in the 2021 UNGG report, as well as the open-ended working group consensus reports, and on the efforts by other stakeholders, such as ASEAN, the Australian Strategic Policy Institute, and UNIDIR. Throughout previous sessions, UN member states, as well as regional organizations, have suggested different tools, manuals, and practices, which could be helpful to implement the norms. UN member states and regional organizations, including the EU, have also shared domestic and regional practices, positions on international law, ratification on treaties, vulnerability disclosure frameworks, and mechanisms for crisis and incident management that could also be considered relevant in this regard. For the EU, it is important that the checklist would also help to identify barriers to implementation and from there translate those needs into targeted capacity building programs.

Mr. Chair, during previous sessions, the EU and the Member States have been highlighting some of the norms which we believe could be developed further, in particular Norm 13C and the three critical infrastructure-related norms, 13F, G and H.

The Norm 13C that affirms that states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs raises the expectations of, first, general prevention. States should take reasonable preventive measures to keep their territory to the extent possible from being used to commit malicious ICT activity to the detriment of third states, as in the case of developing relevant institutional capacities to be able to swiftly respond to malicious use emanating from one’s territory. We would note that taking of preventive measures should not be understood as entailing the responsibility of a state to monitor ICT infrastructure located on its territory at all times.

Second, response to request for cooperation. When notified by another state that such an activity is taking place or that it is highly probable that such an activity shall imminently take place, states should take appropriate measures to address it.

And third, expectation of means. The expectation that states should take appropriate measures in accordance with their To advance the implementation of norms, the European Union has also been a strong advocate of a more consistent cooperation with other stakeholders. Notably, the critical infrastructure operators can support advancing the protection of critical infrastructure, one of the positive obligations under the UN framework. In addition, the private sector could continue to contribute to building capacities using their knowledge and experience on the protection of critical infrastructures, as well as the responses to incidents. Further activities could include to enhance threat monitoring and assessment, reporting and other incident management mechanisms and capabilities. In light of that, we appreciate the meeting by the Chair last week, inviting all interested stakeholders to an informal dialogue to discuss on how stakeholders can further contribute to states’ efforts to develop measures or best practices to protect critical infrastructure from ICT threats and how to better support states in this process.

The Open-Ended Working Group could potentially look into issuing a set of cybersecurity best practices and encourage all public and private sector organizations to apply these practices to improve their cyber resilience.

In this, the Open-Ended Working Group could, for example, draw inspiration from and adopt or further develop some of the good practices from the Geneva Manual that was developed by non-state actors and that clarifies the roles and responsibilities of non-state actors and suggests how they can contribute to the implementation of the voluntary norms. During previous sessions, the EU and its member states have also called upon states to further develop their understanding on the content, scope, and expectation of the norms. The EU has institutionalized a careful review of cyber incidents against the normative framework to ensure any diplomatic responses are measured and proportionate. In the context of the Open-Ended Working Group, discussions about norms implementation, as well as the application of international law to cyber operations that target critical infrastructure in peacetime and in conflict are vital to improve accountability. We look forward to further engage on the norms checklist and thank the chair for putting it forward as it has the potential to make the Open-Ended Working Group more effective and enable concrete exchange on how countries interpret and track these norms nationally. Thank you.

Chair:
Thank you, European Union. Russian Federation to be followed by the Islamic Republic of Iran. Russia, please.

Russian Federation:
Thank you, Mr. Chair. The mandate of the OEWG approved by all UN member states asks us to continue as a priority to develop rules, norms, and principles of responsible behavior of states in cyberspace. We consider it imperative to strictly follow this. In our view, any unjustified bias in favor of implementing only the existing list of voluntary non-binding rules of behavior, either during discussions or in the outcome documents of the OEWG represents a distortion of the group’s mandate. In this context, we would like to comment on the chair’s. firm on a checklist for implementation of norms. To begin with, it is regrettable that this document, which is quite voluminous and in many substantive aspects is new, was presented for consideration just one week before the session and moreover in English, which for Russia and for many other UN member states is not an official language. Such an approach does not allow us to analyse it in a comprehensive manner or take into account the assessments of competent authorities or present a well-developed official position on this. We would urge the Chair to circulate such papers well in advance, at least two or three weeks before the meeting, so not to put delegations facing an artificial time crunch. Regarding the document itself, we see bias in favour of the implementation of norms. Moreover, it is unclear why the initial set of international rules of responsible behaviour enshrined in UNGA Resolution 73-27 was ignored. We stress the need on launching an equally substantive discussion on developing new norms, especially since states have made a number of proposals in this regard. In particular, we should return to the national contribution set out in the 2019-2021 Chair’s Summary. Russia and a number of other countries have consistently advocated for the need to agree upon a comprehensive universal set of rules, norms and principles of responsible behaviour and make them legally binding. 
Specifically speaking, we suggest the following new norms. First, the sovereign right of each state to ensure the security of its national information or cyberspace and to establish norms and mechanisms for government in its cyberspace in accordance with national legislation. Secondly, the prevention of the use of ICTs to undermine or infringe upon the sovereignty, territorial integrity or independence of states or to interfere in the internal affairs of states. Thirdly, the inadmissibility of unsubstantiated accusations against states accused of organizing and committing wrongful acts with the use of ICTs including cyberattacks followed by the imposition of various restrictions such as sanctions, unilateral sanctions and other measures of response. Fourthly, the settlement of interstate conflicts through negotiations, mediation, reconciliation or other peaceful means of the state’s choice including through consultations with the participation of the competent national authorities. These norms stemmed from a UN Convention on International Information Security which Russia together with a group of states presented at the beginning of 2023 to the OEWG and as an official document of the 77th session of the UN General Assembly. The document intends to promote the prevention and peaceful settlement of conflicts and the exclusively peaceful use of ICTs. It is to serve as a basis for cooperation between states for these purposes. We look forward to a constructive discussion of our initiative in the OEWG on an equal footing with proposals by other states. We trust that any forms of reporting on norms implementation will be linked to drafting relevant legal obligations. Thank you very much.

Chair:
Thank you, Russian Federation, Islamic Republic of Iran, followed by Cuba.

Islamic Republic of Iran:
Mr. Chair, thank you for giving me the floor. In response to your first question regarding the additional norms that could potentially complement existing norms, as our colleague from Russian Federation just mentioned, I also wish to emphasize that several states, including my own, have previously put forward the specific norms that were incorporated in the first OEWG Chair Summary. Since those proposals remain valid and retain their relevance, in order to streamline our discussion, I would prefer not to reiterate them here, or as a colleague from Bangladesh said in this morning session, to recycle them here. I wish to recall that yesterday we heard from the distinguished Chair that the idea of new norms were also proposed by stakeholders. Instead, in order to fulfill the outstanding mandate of the OEWG in elaborating additional norms designated by Resolution 75-240 as a priority, we would like to propose that the Chair of the OEWG takes the initiative to craft an initial draft encompassing new rules, norms, and principles, drawing from the Annex to the Chair Summary. This draft could serve as a basis for discussion during the forthcoming substantive sessions, as well as during the dedicated interstitial meeting on rules, norms, and principles of responsible state behavior in the use of ICT, which is outlined in Paragraph 27 of the second APR. Mr. Chair, I would like to express our appreciation for the papers recently circulated for discussion during this session. However, emphasizing the importance of ensuring a thorough, practical, and meaningful review and consultations by our related internal agencies, like the Russian Federation, we also kindly request that the guiding questions and the discussion documents of the OEWG be circulated early enough. This will provide our internal agencies ample opportunity to study the materials comprehensively, contributing to a more informed and constructive discussion during the OEWG sessions.
I would like to take this opportunity to provide some general comments on the discussion paper on a checklist for practical actions for the implementation of voluntary non-binding norms of responsible state behavior in the use of ICT. First, in our view, taking measures and initiatives and implementation of rules of behavior appears premature. Before engaging in discussion concerning the operationalization of envisaged norms, the OEWG needs to reach a consensus on a comprehensive list of norms by fulfilling its mandate outlined in paragraph one of resolution 75-240, to introduce change to the rules, norms, and principles of responsible behavior of a state or elaborating additional norms. Second, throughout the OEWG discussions, numerous countries have consistently underscored that further development of new norms and the implementation of existing norms were not mutually exclusive, but could take place in parallel. Currently, this essential balance seems to be overlooked, given that a parallel document addressing the formulation of new norms have yet to be crafted. Thank you, Mr. Chair.

Chair:
Thank you, Islamic Republic of Iran. Cuba to be followed by Slovakia.

Cuba:
Mr. Chairman, the rules, norms and principles on a voluntary basis and the socialization of good practices for cybersecurity are just an intermediary step in the goal of achieving states’ responsible behavior in cyberspace. The community of experts in this domain have a lot to contribute to improve the organization, discipline, order and rigor of the work carried out in cyberspace, and to make this a forum for peaceful development geared towards progress. General Assembly Resolution 75-240 clearly set the priority that this working group has to draft rules, norms and principles for the responsible behavior of states, as well as the corresponding ways of implementation, and, if necessary, to introduce changes to the drafting of additional rules of behavior. A clear sign of the need for new norms is seen in the broad legislative arsenal that the countries currently on the highest rankings of the Global Cybersecurity Index have. This is an index that is systematically published by the ITU. This mechanism assesses states’ responsibility and the degree of their commitment to cybersecurity, and those states who are in this room, some with a great deal of regulatory history. Analyzing this index will be very useful to determine on which aspects we need to establish norms, because these indicators are enablers both for governance and for the management of cybersecurity. In this context, it would be rational and objective to use the existing mechanisms with clearly shown competences in the development of new norms, such as the case of ITU Subcommittee No. 17. In the implementation of norms, we would reiterate the need to assess the binding nature that some of them should have. The draft that you have presented as a checklist on practical actions for the implementation of norms could be a starting point for that. This could foster awareness raising about the need for real international responsibility and objective responsibility in this domain by states. 
We do not favor the use of one-size-fits-all solutions for the implementation of norms negotiated at the UN. It’s particularly important to respect the specificities of each country, in particular the fact that developing countries don’t have the same technological and technical capacities as developed countries. Even though we do have common responsibilities, they have to be differentiated responsibilities. We reiterate that the drafting and implementation of norms for the responsible behavior of states in cyberspace must respect the principles of sovereignty, political independence and territorial integrity. It must promote peaceful coexistence and international cooperation. It must refrain from making recommendations on the domestic behavior of states, their oversight mechanisms and international procedures to guarantee cyber security. Thank you.

Chair:
Thank you, Cuba. Slovakia to be followed by Belarus. Slovakia, please.

Slovakia:
Mr. Chair, Slovakia aligns itself with the statement delivered by the European Union and wishes to emphasize a couple of points in its national capacity. The starting point for each UN member state with respect to the implementation of the UN Framework for Responsible Behavior in cyberspace differs. It is despite the urgent need for each and every member state to adhere to the framework. While some might view the 11 voluntary non-binding norms as merely normative guidelines to support peaceful and stable cyberspace, their role goes beyond their normative nature. The normative framework, whose implementation we have been navigating for almost a decade, aims at facilitating collaboration, promoting accountability, preserving trust, and protecting continuity of essential services. Slovakia welcomes the initial draft of the norms implementation checklist as proposed by the Chair and sees it as a valuable set of concrete proposals that could be adopted on the national and international level to foster compliance with the framework. That said, Slovakia looks forward to discussing individual elements of your proposal, Mr. Chair, in greater detail with the distinguished delegates as well as the stakeholder community to make the draft checklist more useful and actionable. We also commend other stakeholders’ initiatives such as, but not limited to, UNIDIRS Survey of National Implementation, the Singapore UNIDAT Norms Implementation Checklist, and the Australian Strategic Policy Institute have played a role in developing own implementation guidelines which continue to fit into our discussion in this format. Importantly, actively implementing agreed norms and enhancing own cybersecurity measures are two sides of the same coin. This leads directly to the importance of building national legislative environment as well as capacities required to advance the implementation. 
On this point, we agree with colleagues who have previously highlighted the role of critical infrastructure operators, relevant private sector entities, experts, and practitioners in advancing positive obligations under the UN framework. Here, the value of the program of action as a permanent, inclusive, and action-oriented mechanism upon conclusion of the current open-ended working group could prove immense. Noncompliance with agreed cyber norms has real-world consequences. Since the adoption of the second annual progress report, there have been novel reports of malicious cyber activities targeting critical infrastructure and democratic institutions and processes. The continued Russian aggression against Ukraine has also greatly impacted our security environment, including cyberspace. Whilst fully agreeing with the EU and others on the necessity to further develop our common understanding of the content and scope of agreed norms, there is a need to align international expectations about the adherence to the norms with what is considered responsible behavior of state in cyberspace. Mr. Chair, we appreciate focused discussion on this important topic and see them as an effort to encourage compliance, predictability, appropriate and proportionate diplomatic measures, and international cooperation to help address collective security concerns in cyberspace. Thank you.

Chair:
Thank you. Slovakia, Belarus, followed by Italy, please.

Belarus:
Distinguished Mr. Chair, given the great importance of cyberspace in people’s lives, Belarus has taken a number of measures to provide a systematic approach to governance in this area. For example, we adopted an information security concept of Belarus. This enshrines the most important provisions of our state policy here. In developing rules, norms and principles for responsible behaviour of states and implementation means, in our opinion, the following measures are key. Ensuring governmental protection of fundamental human rights in cyberspace. Developing e-feedback. The idea of that is to help people address problems by analyzing citizens’ initiatives and proposals and involve them more in the decision-making process. Increasing the population’s digital awareness. Developing a security sphere. In the normative legal sphere, it’s expedient to develop conceptual international documents on cybersecurity. In addition to existing documents here, we pin significant hopes on the process on agreeing on a future convention on countering cybercrime. Focusing on a list of unlawful acts, we think it should be broad. It should not just focus on computer-related issues. In the media, we should focus on ICT resources, and they should be creating good-quality content of interest to users. Taking into consideration the rules of cyberspace in the scientific and educational sphere, we should focus on developing projects to develop ICT security, to create regional digital infrastructures. An important area is also to create intellectual platforms to identify context risks, such as memes, photos, videos, and audio files that contain destructive information, for example, promoting suicide or dangerous games or drugs, and also communication risks, for example, interpersonal relations that might lead to abuse, cyber-stalking or cyber-bullying, for example.
Also consumer risks linked with the abuse of the Internet and Internet rules by users, for example, selling counterfeit goods and other related activities. Communication risk involving children in dangerous groups, death groups, for example, or recruiting people into illegal armed groups. Improving national legislation should be conducted taking into consideration sovereignty, the right of a state to form their own ICT policies and to have information flows that are independent of external influence and also ICT neutrality, so there should be no harm conferred upon any other state. In conclusion, we would like to point out that the ultimate aim of the renewed ICT policy is to delineate clear red lines, which are important for not just national but also the international media sphere. Thank you very much.

Chair:
Thank you. Belarus, Italy, followed by Republic of Korea, please.

Italy:
Thank you, Mr. Chair, for giving me the floor. We fully align ourselves with the statement delivered by the European Union. We support the concrete implementation of the UN Framework on Responsible State Behaviour in cyberspace, of which the 11 voluntary norms represent a central component. We welcome, Mr. Chair, the checklist of practical actions that you proposed as an important tool available to states to guide them in the implementation of UN norms. While considering all these measures are useful, we would like to focus now on those that concern the protection of critical infrastructures and the integrity of the supply chain. Cyber-malicious activities targeting critical infrastructures are increasing in scale and geopolitical implications. The participation of a wide range of cyber threat actors, including state-sponsored groups or proxies, in conducting such attacks poses a significant threat to international security in cyberspace. In this context, we think dedicated efforts shall be granted to set up accountability mechanisms aiming at increasing mutual responsibility among states. National measures to detect, defend and respond to and recover from ICT incidents, which may include the establishment at the national level of a center or a responsible agency that leads on ICT matters and of CSIRTs, shall be implemented as well. The private sector, which manages and sometimes even owns critical infrastructure, has a critical role to play in protecting them and building stronger cyber capacities. Public-private partnerships may be an added value to our efforts. We should continue to raise awareness among all relevant stakeholders in this context. Supply chain security is a very important principle. However, ensuring safety and integrity of all products can be a very complex task to achieve. 
We encourage the adoption of specific frameworks for the assessment of supply chain security of ICT products, based on guidelines and best practices and adherence to international standards, such as ISO. Assessments and evaluations can be performed by a dedicated third-party organization that would operate within the boundaries of such frameworks. We consider the establishment of national evaluation and security certification centers and adoption of cyber certification schemes as important measures to be implemented. We look forward to further engaging the discussion. Thank you.

Chair:
Thank you. Italy, Republic of Korea, to be followed by United States.

Republic of Korea:
Thank you. My delegation believes that we are now at the stage of beginning the implementation of the norms we have already agreed upon in the GGE and adopted at the UN General Assembly. The checklist would be helpful to states in implementing the norms as it comprehensively reflects domestic and international measures. We hope to see the checklist develop into a more completed form by combining and coordinating the comments from the members and the stakeholders of the group. My delegation believes that voluntary non-binding norms can encourage states to get more acquainted with the elements of the normative domain of cybersecurity, guiding towards common understandings leading up to convergence, and thus help states as well as other stakeholders to be better prepared for the potential incidents. These non-binding norms can assist states to flexibly respond to the cyberspace and rapidly advancing technology. Moreover, non-binding norms can be inclusive in its nature and can help bridge the gap between and within countries. Through the checklist, gaps can be identified, thus it could give guidance to programming and implementing capacity building measures. In this regard, the checklist should be linked with capacity building in order to be successfully implemented. The Republic of Korea will continue its efforts in supporting capacity building for the developing countries. Turning to the elements of the checklist, my delegation would like to stress the importance of national coordination and interagency cooperation. We welcome that this notion is reflected in the checklist. In order to effectively detect, protect, and respond to ICT incidents and threats, domestic coordinating agency is needed, and interagency cooperation is imperative. To this end, like many other countries, ROK operates the National Cyber Security Center for Coordinated and Systematic Security Monitoring.
My delegation notes that the checklist also incorporates norms for malicious ICT activity attributable to other states and illegal ICT activity carried out within the territory. My delegation is of the view that in order to effectively respond to cyber attacks, the cooperation from the country of origin and transit countries is critical. And we hope to see relevant norms can be elaborated and clarified further in this group. In particular, applying due diligence in cyberspace would be useful for a timely response in case of cyber attacks. Details of the norm should be further clarified while taking into consideration the capacity gap among countries when applying the due diligence rule. In securing the integrity of the supply chain, fostering partnership with ICT companies is indispensable. Furthermore, it will be helpful to build institutional and normative foundations to provide security guidelines starting from the development stage of software products, which can be used in the public sector in order to protect public service or critical infrastructure from being targeted by serious cyber attacks. Since 2013, ROK had established guidelines for the establishment and operation of information systems in administrative and public institutions to secure the integrity of the supply chain. We look forward to hearing more about other best practices on how states coordinate with private sector including ICT enterprises. Thank you.

Chair:
Thank you, Republic of Korea. United States followed by the United Kingdom.

United States:
Thank you, Chair. In your guiding questions, you asked whether there are specific areas in which the implementation of the consensus norms is currently lacking, where existing implementation efforts can be improved, and how additional guidance can be leveraged to accelerate implementation efforts. During my intervention, I intend to examine these questions using the example of ransomware attacks against health care facilities, which have been on the rise, as documented by the World Health Organization in a recent report examining cyber threats to the health care sector. Which norms come into play when a medical facility is the victim of a ransomware attack, and what practical steps to implement those norms would be most effective in countering or responding to this threat? Norm 13G counsels states to take appropriate measures to protect their critical infrastructure from ICT threats, taking into account GA Resolution 58-199. One such measure is a state’s designation of infrastructure or a sector as critical. To effectively protect critical infrastructure, a state must first classify it as such. In addition to enacting policies, regulations, and laws to ensure critical infrastructure owners and operators secure these networks, states should build or strengthen their capacity to investigate malicious cyber activity targeting them. Acting pursuant to norms 13C, F, and H entails determining the origin of malicious activity. As norm 13B advises, states should consider all relevant information when determining attribution. Partners can be a valuable resource when investigating an incident. Stakeholders can assist in both technical assistance and capacity building to bolster a state’s ability to conduct effective incident response. A state may also choose to ask another state for assistance.
Norm 13D, which advises states to consider how best to cooperate to exchange information and assist each other, reflects the reality that a state’s investigation will often involve the investigative resources and cooperation of other states. POC directories, including existing regional directories and the upcoming global POC directory, could be of use in requesting assistance, whether of a third country or the state from whose territory the ransomware attack is emanating. In addition to POC directories, guidance on how to formulate and respond to requests for assistance would enable more effective communication. The OEWG could lay the groundwork for the development of templates that would clarify for states what information needs to be shared and in what format. These could include, one, a request under norm 13H to mitigate malicious ICT activity emanating from another state’s territory that is impacting the requesting state’s critical infrastructure. Number two, the notification under norm 13C that an internationally wrongful act conducted using ICTs is emanating from or transiting through the notified state’s territory, and a request that it take all appropriate and reasonably available and feasible steps to address the situation. And just as importantly, appropriate responses from states that have been asked to investigate such malicious activity, as well as a request for assistance to a third state under norms B, C, or H. Such additional confidence building measures in the form of guidance on effectively formulating and appropriately responding to requests for assistance could significantly speed relief to member states in need. Finally, Chair, I wish to express my thanks for your discussion paper containing a draft norms implementation checklist and want to provide a few preliminary reactions.
Your draft demonstrates that there are several fundamental prerequisites for states to put in place at the national level to enable their implementation of the framework and its norms. In particular, this includes creating a CERT, creating whole of government cyber strategies, legislation, and other policies, establishing public-private partnerships, and establishing cooperative relationships on cyber matters with other countries. The OEWG should highlight these priority national steps. This would contribute significantly to norms implementation and related capacity building to elevate these needs. Separately, we appreciate that the checklist includes many of the useful ideas contained in the 2021 GGE report. We note, however, that this 2021 GGE report represents consensus language affirmed by all member states and is not on the same footing with the new ideas and non-consensus proposals also included in your checklist. We recommend the 2021 GGE report’s text on norms be included as is within a future OEWG report, so that the OEWG can build upon this existing foundation to further common understanding on how to implement the consensus norms. Thank you, Chair.

Chair:
Thank you, United States. UK followed by Egypt, please.

United Kingdom:
Good afternoon, Chair, and thank you for the draft discussion paper on a norms checklist. While the voluntary norms are designed to be universal, their implementation is context-dependent. We think the voluntary practical actions in your paper are at the right level of detail to allow states to decide the most appropriate ways to implement the norms. As a whole, the paper outlines a baseline of cybersecurity capacities. Establishing such a baseline is one of the recommendations of the Global Cybersecurity Capacity Centre, based at the University of Oxford. Their recent research project, based on discussions with states and stakeholders, considered cybersecurity capacities for the application of UN cyber norms. They recommend, and my delegation agrees, that the future programme of action should support states to work towards a capacity baseline. This focus on baseline capacities echoes UNIDIR’s important work on foundational cyber capacities and has similarities to the evaluative approach taken by the UN programme of action on small arms and light weapons. Your draft paper is a promising step towards a universal baseline. The University of Oxford’s findings also highlight the importance of raising awareness of the norms among policymakers responsible for cyber capabilities, and we encourage states to continue to do this within their national systems. Our final observation on the draft guidance paper is that it includes some consensus guidance from the 2021 GGE report and some new content. As the United States has just noted, we could further clarify the different levels of consensus contained in the draft. Turning to your question on improving norms implementation, we would like to build on our remarks made yesterday on the growing commercial market for intrusive ICT capabilities. 
The existing rules, norms and principles of responsible state behaviour, confidence building measures and capacity building provide a robust framework to guide the behaviour of states when interacting with this market. Yesterday we outlined the main components of this market because the commercial dimension is significant. Market dynamics are supercharging the development and availability of advanced intrusion capabilities in a way that is new. At the sixth session of the OEWG, the United Kingdom and France emphasised that there are legitimate uses for commercially available intrusive cyber tools. The private sector has and will continue to have a legitimate role in this market for cyber tools and services. States will continue to make use of these tools and services for national security and law enforcement. In this context, one of the questions for states is what does responsible activity look like in practice? We believe this could include the following. First, states can set out their collective expectations with regard to the commercial market so that it does not undermine stability in cyberspace and works to prevent commercially available cyber intrusion capabilities from being used irresponsibly. Second, governments can ensure that we are taking the appropriate regulatory steps within our domestic jurisdictions through enforcing existing legal frameworks, evaluating or developing new domestic laws, or making use of policy levers to identify and respond to irresponsible activity in the market. Third, it is incumbent on states to conduct procurement responsibly, including by discouraging irresponsible behavior when engaging private actors. Finally, when states choose to use cyber capabilities in support of national security and law enforcement, it is important that they do so in a way that is not only lawful but also responsible. States can share what responsible state behavior means in practice for them.
We believe this kind of transparency helps to avoid miscalculation and builds confidence. Examples of this practice from the UK include our publication National Cyber Force Responsible Cyber Power in Practice in 2023 and the exposition of our equities process in 2018, which outlines how decisions about the disclosure of vulnerabilities in technology are taken. The Pall Mall process seeks to provide a framework for inclusive dialogue between states and with stakeholders on this issue. The UN Framework for Responsible State Behavior is at the heart of the process and is referenced extensively in the Pall Mall declaration published last month. More work is needed to determine collectively what additional norms guidance might be needed in the context of advanced commercial cyber tools, but further recognition in the draft guidance that the norms guide not only states but also how states engage with the market for commercially available cyber capabilities could be beneficial. Our aim is that the outcomes of the process will ultimately help to inform further good practice in the implementation of the norms. Thank you, Chair.

Chair:
Thank you very much, UK. This is turning out to be a very useful discussion and I just wanted to at this point make a brief comment. I still have a good list of speakers and we’ll go through them one by one, but I welcome very much all of you responding to the different questions, guiding questions that I’ve put forward and I think it’s useful that all of us listen to the different contributions from the different member states. And I also wanted to point out that the discussion paper is precisely that, to have a discussion and while some of you have said that you wished you had received it much earlier, that is a point I take, but that is precisely the purpose at this meeting to also have that discussion in a collective context. And with regard to the discussion paper, I wanted to first of all situate that discussion paper in the context of our second annual progress report. If you look at paragraph 23F of the second annual progress report, we talk about how we can support states in implementing the rules, norms, and principles of responsible state behavior. And in that context, there was a discussion of a checklist and it was in that context, the chair was mandated to prepare the checklist. Second, if you look at the checklist in paragraph two and I invite all of you to look at it, at this point. Paragraph two of the chair’s discussion paper says, and I quote, in this regard, this checklist could serve as a starting point to support states’ implementation efforts. In other words, member states are already implementing the rules, norms, and principles. The question is, do we help them or do we not? We had that discussion last year, and the answer or the sentiment was that, yes, we should support efforts by states to implement the rules, norms, and principles. And that’s where the checklist comes in as a tool to support implementation that is already happening, perhaps not happening fast, but happening to some extent. 
So the question is, how can the checklist become a catalyst to accelerate implementation, but also a catalyst for capacity building? And this is reflected in the discussion paper as point number two. Provide a useful means of identifying priorities in tailored capacity building efforts. And sub-point C talks about how the checklist could function as a common reference point to support the exchange of best practices in specific areas of ICT security. So as we get into this discussion on the discussion paper, I also want you to have that broader point in mind, which is that many states have already begun implementation. The POC directory is in some ways also an implementation exercise by states at the national level. And states are struggling with that implementation, whether it’s establishing the POC network or a focal point, implementing the agreed norms, implementing the initial list of CBMs. And I think it’s urgent and imperative that we provide whatever assistance we can to support states. So we’ll come to this capacity building discussion in the later section. So that part we are coming to it. But in the context of rules, norms, and principles, the checklist was intended as a tool to help states in the implementation efforts. So keep that in mind as a tool to support states, as a catalyst for capacity building, as a potential accelerator of implementation. Now talking about implementation does not mean we do not talk about other things, including the need for additional guidance and discussions on additional potential norms. But we can do multiple things at the same time. And that precisely is the challenge that we are engaged in. So keep that in mind. I thought I would inject some observations at this point. And if you have any reactions to my comments as well, that is welcome. We do have a speaker’s list. So I’ll go through them. Once again, be as succinct as possible. This is not going to be our last discussions.
We’ll come back to the issue in May when we have the intersessionals. But this is already turning out to be a very useful initial discussion on the discussion paper. Egypt, followed by Colombia, please.

Egypt:
Thank you, Mr. Chairman. Since it’s our first time to take the floor, let me join other delegations in expressing our appreciation to you, Mr. Chairman, your team, as well as the Secretariat for all efforts to steer forward the work of this group, and rest assured of our continued support and active participation to this process. We also express our appreciation to you, Mr. Chairman, for sharing the draft elements paper on both the implementation checklist as well as the future regular institutional dialogue, which are still being considered thoroughly at our capital. However, let me share with you our preliminary observations and also responding to your guiding questions. Egypt has consistently stressed the importance of moving forward from the conceptually repetitive discussions that took place over the past 25 years in this domain towards an action-oriented approach that would allow the implementation of the existing framework of rules, norms, principles, and the use of ICT in the context of international security. Such approach should not contradict or undermine the ongoing or future discussions on the further development of the existing agreed framework. The proposed checklist should be simplified and rationalized as it includes duplicative measures as well as technical and detailed actions in particular at the national level that might go beyond the state’s capabilities. Subsequently, it would also require adequate time for its consideration and coordination at the national level. Moreover, we believe that such a checklist could represent a concrete step towards the full and effective implementation of the existing agreed framework, pending the elaboration of existing framework and binding rules as appropriate. However, it should represent a non-exhaustive list of implementation measures that could be further developed over time in line with the evolving nature of the ICT domain.
Furthermore, the proposed list or any other implementation measures should take into account the following elements and principles that also need to be included in the chapeau paragraphs, along with the already-reflected voluntary nature of its implementation. First, the technological gaps among developing and developed states. Second, the diverse national legal systems. Third, respecting each region’s specificities. Fourth, this implementation list should not prejudice states’ positions in the future discussions on the implementation of the existing framework. Mr. Chairman, we have surpassed the midpoint of this OEWG and getting closer to the final annual cycle of this group. Although there could be merits on continuing the discussions on all agenda items of the group concurrently, it could be also the right moment to consider giving priority and special attention to specific matters, while discussions on the traditional outstanding matters could take place adequately in the future regular institutional dialogue that we believe must be a permanent, comprehensive, and single-track process. These elements that we’ll touch upon in our intervention in the next agenda items within the OEWG. And finally, we reiterate our continued support to this process and our willingness to actively participate on it. Thank you.

Chair:
Thank you very much, Egypt, for your contribution. Colombia to be followed by the Netherlands.

Colombia:
Mr. Chairman, we’d like to thank you for your efforts and leadership at the helm of this working group and for preparing for this seventh meeting. We’d like to reiterate our support to you and our availability to continue working constructively within this process. Answering your question about which additional norms could be developed, bearing in mind the discussions that have been taking place within the OEWG, we think that the existing norms do have necessary flexibility for cyberspace and emerging technologies and for now efforts should be focused on people’s understanding them and implementing them. We also think nevertheless we can discuss principles on the safe deployment of new technologies with a human-centered approach. In terms of the checklist for practical actions for implementing voluntary norms, we are grateful for your efforts to draft the list and we think that it should be a starting point for looking at how states can implement norms as well as pinpointing priorities in terms of capacity building and it should be a common benchmark for the exchange of good practices and implementation of the relevant norms. We also think that the list can be a national assessment tool that states can use to identify challenges that they have and it will make it possible for us to look at the existing supply and this has been gone into in the document that you provided. I would also like to add the following comments. In terms of norm B, we think that we need to include the reference to the global directory as the timely forum for the exchange of information as well as to respond to requirements for assistance in terms of challenges of ICTs. On H, to move forward with the list, we would like to know how other states have fared in developing responses to cyber incidents. On E, we think we need to have the support of civil society to ensure the promotion and protection of human rights online. And finally, on F, Colombia is making headway in designing our own strategy to safeguard our critical infrastructure. Given the methodology that we have in this area and the listing of our national inventory, we would be interested in exchanging ideas and good practices of how best to protect critical infrastructure and how to implement Norm F at the national level. To conclude, we think that we need to prioritize the global implementation and overall implementation of these norms. We think that this is necessary. We need to look at sustainable initiatives for capacity building, the exchange of good practices, and equitable geographical representation in international processes such as the OEWG. Thank you.

Chair:
Thank you very much, Colombia. Netherlands, to be followed by Spain. Please.

Netherlands:
Thank you very much, Chair. The Netherlands aligns itself with the statement delivered by the European Union, and I will make some additional remarks in my national capacity. Norms continue to be a key component in our cumulative and evolving framework. Complementary to the rules of international law, they reflect expectations of states and set standards for responsible state behavior that are specific to the cyber domain. Moreover, the previous OEWG reports have provided practical guidance on the norms that lay out concrete measures states can implement at the national and international level. The Netherlands is convinced that doing so will foster meaningful progress towards a more open, free, accessible, stable, secure, and peaceful cyberspace. In this regard, I would like to thank you, Chair, and your team for putting forward the discussion paper on today’s meeting on a checklist of practical actions for the implementation of voluntary non-binding norms. While we are still in the process of studying the paper more in depth, please allow me to share some initial reflections. The paper seems to provide a useful overview of concrete measures for states to take as well as a practical checklist. We welcome the incremental approach reflecting the design of the checklist by drawing from previous consensus reports as well as contributions from UNIDIR’s work on unpacking cyber capability needs. The Netherlands believes that these practical efforts are also useful in approaching your guiding questions around concrete measures to secure critical infrastructure and supply chain, which many delegations also addressed during our discussions on threats during the past day and a half. Addressing the threats through the lens of the norms and the concrete measures included in your checklist provides a useful basis for states to identify their capacity building needs. Chair, allow me to provide a few initial reflections with respect to the discussion paper.
Firstly, we wish to address norm C, which holds that states should not knowingly allow their territory to be used for international wrongful acts. The Netherlands believes that this norm is essential for states to address threats posed by non-state actors. We welcome this item included in the checklist encouraging states to discuss the content, scope, and conditions of this norm in order to achieve a more transparency on how this norm is nationally interpreted and applied. The Netherlands has done so in its national position on the application of international law to cyberspace. in which we consider the due diligence principle not only as a norm, but also as a rule of international law. Secondly, on norm E on human rights, we welcome the proposed action for states to develop a position on how international law, including humanitarian rights law, applies in the ICT domain. Under this norm, there are two elements from previous consensus reports that we would propose to reflect in the checklist. One, we believe that the observance of freedom of expression can contribute to promoting non-discrimination and narrowing the digital divide, including with regard to gender. Two, we consider that the checklist should include the consensus notion that state practices, such as mass arbitrary or unlawful mass surveillance, may have particular negative impacts on the exercise and enjoyment of human rights, in particular the right to privacy. Thank you very much, Chair.

Chair:
Thank you very much, Netherlands. Spain to be followed by Hungary.

Spain:
First and foremost, thank you for your questions. We would like to, in particular, welcome the checklist for voluntary behavior for states in cyberspace. This list that you proposed might be a very useful instrument in terms of implementing the norms upon which we already have consensus. We underscore that we’re not just starting from zero. We’ve already started the process. Many states have already made progress, thanks to regional organizations and their work, to continue to promote multilateralism in international processes when we’re talking about consolidating the implementation of norms that have consensus. We welcome an intersession meeting being convened in May. We do hope that then we’ll be able to go even further. We do hope that that technical meeting, that intersession meeting, will be able to be organized fairly regularly in order to enrich the discussions that took place in plenary. We hope that the content of the discussion will be represented in the annual report. These annual debates are extremely important. This is particularly true when we think about the role and the added value of the academic sphere and the private sector and the contributions that they can make in terms of thinking about the implementation of the regulatory framework for states’ behavior in cyberspace. We believe that it’s a good idea to pay enough attention and time to these exchanges. Expert discussions can be guided by specific questions. This is a useful format in the plenary. A constructive, properly targeted discussion might be able to help us highlight which norms need to be further clarified and which need to be further highlighted, because this is all going to be in vain if, at the same time, we can’t put forward confidence-building measures at the same time. I’m thinking here about the global register of contact points. We need to operationalize that. We also need to focus on capacity building. These are interlinked.
They all strengthen each other to promote this appropriate behavior in cyberspace. We’re talking about the rules, norms, and principles of responsible behavior. We think that for this, there’s a need to develop a code of good practice and exchange of information between the relevant national authorities. In this way, we might be able to counter the domino effect of cyber attacks. This is the only way that we can continue to make progress to set up a framework that regulates a state’s behavior in cyberspace. Thank you.

Chair:
Thank you very much, Spain, for your contribution. Japan to be followed by Czechia.

Japan:
Thank you. Thank you, Mr. Chairman. Japan is of the view that voluntary and non-binding norms of responsible state behavior can reduce risks to international peace, security, and stability. Japan considers that it is important to focus on deepening the discussion and the steady implementation of the existing norms. Mr. Chair, Japan would like to express our appreciation for the Chair’s leadership in making the discussion paper on the checklist of practical actions for the implementation of voluntary non-binding norms of responsible state behavior. We hope the checklist will serve as a starting point for deepening the discussions on the existing norms. And Mr. Chair, for example, to protect critical infrastructure, it is important to check and promote the implementation of Norms F, G and H in each country through the checklist. Exchanging best practices that Member States can undertake to protect critical infrastructure from cyber threats would be beneficial. As for specific ways in which States can further strengthen cooperation to ensure the integrity of the supply chain and prevent the use of harmful hidden functions, the Secure by Design could be important, because Secure by Design states that manufacturers prioritize the integration of product security as a critical prerequisite to features and speed to market. Furthermore, we should continue conducting discussions on how exactly manufacturers can achieve the Secure by Design. To this end, we believe the SBOM, which shows who made each component of the software, what the software contains, and how the software is configured, can be an effective method. It enables a detailed understanding of software configuration information, which can be used to immediately identify and respond to the vulnerabilities, leading to improved security of the software supply chain. It is important for each country to share information on good practices based on these efforts at the OEWG and in various other forums.
In any case, I wish to stress that it is important to listen to the voices of private actors to consider effective countermeasures. Finally, capacity building is important for states to deepen their understanding of the norms of responsible state behavior and to implement them appropriately. Japan provides the training programs to support these efforts and continues to do so. Thank you, Mr. Chairman.

Chair:
Thank you, Japan, for your statement. Czechia, to be followed by China.

Czechia:
Thank you, Mr. Chair. Czechia aligns itself with the EU statement, and we should emphasize a couple of points about its national capacity. Czechia repeatedly highlighted during the open-ended working group sessions that 11 norms of responsible state behavior are essential for stability and predictability in cyberspace. They are a key element of the normative framework and are complementary to international law. We thank you, Mr. Chair, for publishing the first draft of the checklist we have asked for. We consider this as an excellent work we can definitely build on. Our longstanding priorities are norms G and J of the 2015 GGE report, focusing on protection of critical information infrastructure and security of supply chain. We welcome that the proposed guidance includes recommendations that mostly reflect our implementation on the national level. When addressing the national level, we would like to share our experience in implementing those norms. Our initial and prominent steps revolved around establishing comprehensive cybersecurity legislation and policies. Having solid grounds is the key to enhance fostering and expanding national capacities and improve other aspects of cybersecurity, including establishment of third national institution and other mechanisms and processes that are already mentioned in the checklist. Thus, based on this experience, we are pleased to see that creating and adopting cybersecurity legislation and policies is a recommendation included almost in every norms guidance. Regarding additional guidance to accelerate implementation of norms, we would suggest sharing best practices and lessons learned to each other in order to get a better idea about the whole process and its real implications. For example, the similar way we have just described our first step in establishing the National Cybersecurity Framework.
Czechia, also during Open-Ended Working Group, regularly emphasizes the implementation of Norm E of the 2015 GGE report, which should be discussed in more detail. Protection and promotion of human rights, both online and offline, is a priority for Czechia. In this regard, we promote a human-rights-based and human-centric approach to digital transformation. Finally, we would like to mention that when implementing the norms, discussion with all relevant stakeholders should be taken into consideration. Thank you, Mr. Chair.

Chair:
Thank you, Czechia. China, to be followed by El Salvador.

China:
Thank you, Mr. Chair. In connection with the guiding questions you gave us, we believe that we should have new norms in the cyberspace. Now, the international community has placed a lot of attention to the issue. GA Resolution 75-240 mandates the OEWG to continue discussing the risks and challenges, including those associated with data security, as well as measures to address them. The second annual progress report of the Working Group from last year has this to say, and I’ll quote, Considering the growth and aggregation of data associated with new and emerging technologies, there is also noted increasing relevance of data protection and data security. Unquote. In addition, national practice in data security governance has been consistently improving. It is a great source of inputs for substantive discussions at the OEWG. In the light of the discussions at multilateral fora such as the UN and the governance practice of various countries, China championed the Global Data Security Initiative, which can serve as basis for the discussion and formulation of relevant norms. The initiative contains specific commitments on data security, supply chain security, and critical infrastructure protection, including, and earlier I quote, to maintain an open, secure, and stable supply chain of global ICT products and services, to stand against ICT activities that impair or steal important data of other states’ critical infrastructure, not to request domestic companies to store data generated and obtained overseas in their own territory, not to obtain data located in other states through companies or individuals without other states’ permission, and not to install backdoors in their products and services. Moving on to guiding question four, China appreciates the EHS effort in preparing the checklist of practical actions for the implementation of the framework. We are in the middle of studying the paper, and that carefully.
That said, since ICT development and capacity vary from country to country, in our view, the proposed actions should be voluntary in nature, and be taken step by step, and should be anchored in the relevant UN reports on which consensus has been achieved. We also agreed with some of the statements of the previous speakers that we need to elaborate new norms and balance them against existing norms. Thank you.

Chair:
Thank you very much, China. El Salvador, to be followed by Sri Lanka. El Salvador, please.

El Salvador:
My delegation would like to thank you for presenting the document which sets out practical ways to implement voluntary norms for the responsible behaviour of states in the use of ICTs. We think the list is a valuable tool that provides guidelines for states on how to operationalise all of the norms. This is a matter that we’ve discussed in previous sessions of the group. Given that we already have a framework for responsible behaviour, we need to look at the way in which states can implement these norms, and this of course needs to be based on each country’s specificities. Countries need to identify national priorities and ensure capacity building, ensure that this is also in line with the existing needs. We appreciate the list that has been presented, which sets out measures that can see the practical implementation of specific norms, particularly those that require international cooperation if they are to be effectively implemented. It’s particularly important to tie the implementation of the framework to other initiatives that the group has promoted, such as the establishment of the Global Directory for Contact, or Focal Points, which we think is critical for the implementation of Norm C and H. We are in favour of including actions that use channels, such as the Contact Point list, for this purpose, as was mentioned by Colombia. We welcome actions proposed for Norm E and its implementation on the promotion and protection of human rights online, including the rights to privacy in the digital era and the right for the freedom of expression. As Czechia said, we need to have a comprehensive approach within the United Nations to ensure that we have a more inclusive and accessible use of ICTs, and also to protect the parts of our population who are most vulnerable, such as boys and girls. We also need to use the experience from regional forums, such as the OEA, as a benchmark.
And this can help us to promote the full, meaningful and equal participation of women in the decision-making process on ICTs. And this is something that we need to do. This contributes to helping us to address key issues, to reduce the digital gap, the gender gap online, and to ensure that women can participate on an equal footing in this effort. This working group needs to look at the potential for developing indicators on how to make further progress on these issues going forward. My delegation recognises the importance of international cooperation in this domain, as well as capacity building, technology transfer and technical assistance. These are all critical ways of making headway in the implementation of the norms we have. Thank you.

Chair:
Thank you very much, El Salvador. Sri Lanka, to be followed by France. Sri Lanka, please. Ambassador.

Sri Lanka:
It is a sine qua non that protecting critical infrastructure and critical information infrastructure from ICT threats is crucial for national security and economic stability. Overall, these rules, norms and principles are necessary for the regulation of ICT to ensure security, protect consumer rights, foster innovation, promote ethical conduct in the digital realm. They provide a framework for the responsible and beneficial use of technology for individuals, organisations and society as a whole. My delegation will seize upon this opportunity to allude to some possible measures that Member States may consider to undertake, which would further be exploited by this working group. Firstly, we think it is important, as has been referred to repeatedly, to conduct comprehensive risk assessment to identify vulnerabilities and potential threats to critical infrastructure and critical information infrastructure. Member states can accordingly develop risk management strategies to mitigate this risk effectively. It is also noteworthy that these risk management and assessment procedures will be guided by the definition of the CI and CII of each country. Secondly, it could also be considered to establish and enforce regulatory frameworks that mandate security standards for CI and CII sectors. This can include requirements for encryption, access control, and data protection. Sri Lanka is in the process of drafting its second cyber strategy for 2024-2027, which is aimed at strengthening the resilience of CII and government organisations in Sri Lanka, including completing a critical infrastructure readiness survey to identify critical national information infrastructure providers while assessing their cyber security preparedness. Thirdly, investment in advanced cyber security technologies such as artificial intelligence, machine learning, and behavioural analytics to enhance threat detection and response capabilities could also protect CI and CII from potential threats.
Now, in the field of information technology, there are several rules and norms, however drafted and they are essential for effective and ethical use. First of all, we need to respect the privacy of individuals and ensure the secure handling of personal data in terms of privacy and data protection. In the case of intellectual property, we need to respect copyrights, trademarks, intellectual property rights, and so on and so forth. In terms of accessibility, ensure that digital content and technologies are accessible to all individuals, including those with disabilities, follow accessibility guidelines and standards. Then we have the question of net neutrality. The threat on all internet traffic, treat all internet traffic equally, without discrimination or preference, support the principle of open and non-discriminatory access to online content. Then we have the need for ethical use. In other words, to use it responsibly and ethically, avoiding harmful or malicious activities such as hacking, cyber bullying and spreading misinformation. Seventhly, the sustainable use of ICT. Promote environmentally sustainable practices in ICT, such as energy efficient hardware, responsible disposal of electronic waste and minimising the carbon footprint of data centres. Then interoperability. Support open standards and interoperability between ICT systems and platforms. Digital inclusion, meaning work towards bridging the digital divide and ensuring equal access to ICT resources and opportunities for all individuals. Empower users by providing transparent information, clear terms of service, meaningful choices. Now these rules and norms and principles, I’m sure we can develop, help create a responsible and inclusive ICT ecosystem that fosters innovation, protects user rights and contributes to the overall wellbeing of individuals and society.
The question that you posed from the Chair, Mr Chair, in reference to paragraph 23 of the second annual progress report, how do we help states to live by these checks and balances? I suppose the final analysis is I think that states must have the will to abide by these norms. Parties must have the will to abide by these principles, the necessary legislation perhaps, in every case. With all the will in the world, we most times are not able to keep up to these norms for a multitude of reasons. Be that as it may, I wish that we can probably put down a regime, a protocol by which we can mandatorily perhaps comply with, so that we can perhaps ensure a uniform system of user in the field of ICTs. Thank you.

Chair:
Thank you very much, Ambassador, for your contribution. I give the floor now to France, to be followed by Mexico. France, please.

France:
Mr. Chairman, my delegation aligns itself with the statement delivered by the European Union, and we’d like to make the following comments in our national capacity. We welcome the update of the guidelines and the proposal for a checklist to guide states in implementing the 11 norms for responsible behaviour, which are one of the crucial parts of the normative framework that we’ve drafted thus far. My statement will be based on two issues, examples of good practice in the implementation of these norms, and more specifically, the principle of due diligence. In terms of good practices, first of all, on the supply chain, we would like to share our national and European experience that we think provides specific examples for regulatory models for the implementation of the norms. Norm 13i states that the integrity of the supply chain must be guaranteed by states so as to bolster the trust of users in the security of the products they use. Indeed, the threat weighs heavily upon those providing the services, and attackers can profit from shortcomings and misuse the products accordingly. At the regional level, the European Union, through the NIS2 directive, has strengthened the security of the supply chain by establishing a high common level of cyber security throughout the European Union. And it’s also the case for the new regulation on cyber resilience, CRA, which aims to lay out minimum standards for cyber security, which are for those products which are made available on the European market for connected objects. This will be monitored by all of those actors in the supply chain, the manufacturer, the importer and the distributor, and this will be borne in mind in compliance measures. There are therefore useful complementary issues to those laid out in the checklist, so as to deepen the development of measures taken at the national level. Item 13i also mentions the nonproliferation of tools that can be abused. 
This is critical in a context of the rapid growth of the private market, where these may be used for offensive purposes. I would like to support what was said by the UK on this point. On the reflection started by the Pall Mall process, which was led jointly by France and the UK in an inclusive and multi-stakeholder fashion, and of course based on the framework for the responsible behaviour of states. Finally, on K, on the response teams, rapid response teams, which are commonly known as the CERT, France draws your attention to the need to work on what has already been done, particularly within the FIRST network that aims to link the CERT teams together. We think that work such as this is a good foundation for the implementation of this norm. Secondly, I would like to focus on norm C, on due diligence. France is continuing its work on this norm with a group of countries because we think we need to pinpoint the best practices that we can have to implement this norm, to learn experiences at the national and regional level. As the European Union said in its statement, this voluntary norm states that states should not knowingly allow their territory to be used for the commission of illicit acts through ICTs. This norm underlines states’ sovereignty and paves the way for cooperation in the management of incidents. We should link the implementation of this norm to the use of the global contact point repertory, as was stated notably by the United States. The principle of due diligence implies a preventive approach for states to take reasonable measures to avoid their territory being used as much as possible for the commission of abusive acts to the detriment of a third country. There is a need for means to respond to requests for cooperation. This underscores the importance of capacity building in the cyber domain, which was mentioned notably by the Republic of Korea and Japan.
We think we need to continue to deepen our collective understanding of Norm C and its specific implications, and to continue to work on this. Thank you.

Chair:
Thank you very much, France, for your statement. Mexico to be followed by Chile.

Mexico:
Thank you, sir. Mexico reiterates our commitment to the practical implementation of norms and standards adopted by consensus within the context of the GGE and the 2021 Working Group. These norms are the foundation for a safe cyberspace as well as a neutral, open cyberspace to provide a pragmatic approach to achieve these goals. By providing guidelines on the responsible behavior of states in cyberspace, without imposing new obligations, these norms facilitate a clear understanding of the expectations. They can be a flexible framework to promote cooperation and promote peace and pave the way for more specific developments in international law in cyberspace. This approach is adapted to the ever-evolving nature of the digital domain, allowing for us to adapt to new challenges and opportunities that are offered by emerging technologies. We welcome the framework for the responsible behavior of states in cyberspace as a way to strengthen cooperation through discussions in the current Open-Ended Working Group, and we hope that this can be strengthened with a future mechanism for permanent dialogue. We welcome the follow-up list of the norms that were taken from the second annual progress report. Mexico believes that this initiative is key in guiding efforts to practically implement norms for responsible behaviour, which are derived from the final outcome reports of the GGE and the 2021 Working Group. In this regard, we reaffirm our commitment to the National Survey for Implementation, which was developed by UNIDIR, which implements one of the recommendations from the 2021 Open-Ended Working Group final report. We reiterate the call to all states to use these tools to move towards a more practical approach in the implementation of the Voluntary Framework for Responsible Behaviour, including confidence-building measures. These exercises show the value of the norms and CBMs as the ideal framework for a safe cyberspace.
They also are the foundation to move towards an action-based approach, which makes it possible to monitor and share best practices in the operationalisation of this global framework for the peaceful and responsible use of cyberspace. To conclude, I would like to underscore the work undertaken by regional organisations in promoting and moving forward the implementation of the 11 non-binding voluntary norms on the responsible behaviour of states in cyberspace, adopted at the Resolution 70-237 of the UN General Assembly. Thank you.

Chair:
Thank you very much, Mexico. Chile, to be followed by Singapore. Please.

Chile:
Thank you, sir. We think that voluntary non-binding norms for the responsible behaviour of states can reduce risks to peace, security and international stability, and they can contribute to increasing predictability and reducing the risks of misunderstanding and can therefore help us to prevent conflicts. We think that we need to promote the implementation of the norms we already have, strengthening capacity at the national level. We also think it is critical that we make headway in developing additional guidelines that will help states to improve understanding about the importance of implementing these norms. On the document we are discussing on a checklist for practical actions to implement the voluntary and non-binding norms, we are grateful to you, sir, and your team for this valuable document, which we think is a helpful contribution which can help countries to better implement the 11 norms. And you have our full support in this regard. We would like to highlight some elements within this document. On A, on the participation in international processes, we wish once again to highlight the Women in Cyber programme, which has made it possible for many women to participate in discussions, and also the special committee for the negotiations of a UN treaty on cybercrime. We also think that the implementation of international law in cyberspace will help us to strengthen stability and security in the use of ICTs. On B, we would like to highlight the inclusive participation in this regard and the use of contact points and at the level of foreign affairs ministries, both at the regional level and at the national level. So, as to foster cooperation and the exchange of information on legal capacities that will be required, we think we need to have training courses rolled out so that we can enhance the implementation of international law in cyberspace. This includes the development of practical simulation exercises at the national and international level. 
This training should be considered not just by policy makers but also at other levels such as the operational level. On Norm C, we think that the global directory for contact points is a valuable way to establish a clear communication channel that would allow a state to provide information about the abusive acts that may be carried out within their territory. The global directory needs to be updated if it is to be relevant and helpful to all states so that states can provide information in real time. On H, states could establish bilateral mechanisms for cooperation. They can sign agreements on cyber security, for instance. This is part of Measure 6 to strengthen confidence in cyberspace of the Organization of American States. If states require aid urgently, then that is something that should be able to be requested, as El Salvador has already pointed out. On I, in particular on supply chains, we think that the security of supply chains is critical to protect the integrity of data and mitigate risks associated with external collaboration. States need to be able to share risk assessments with potential providers, and this includes providing security, revising security policies, if necessary, providing information about prior security incidents, etc. This also implies continued monitoring to identify any suspicious activity. Contingency and resilience plans need to be in place so that states can respond quickly to incidents and ensure that trade can continue. States can share best practices in this regard. Thank you very much.

Chair:
Thank you very much, Chile. Singapore to be followed by New Zealand.

Singapore:
Thank you, Chair. The effective implementation of norms requires a multidimensional approach comprising operational, technical, policy and cyber diplomacy aspects to effectively implement voluntary non-binding norms. It is therefore important for states to organise themselves internally to identify the capabilities across these domains. In this regard, we strongly support the Chair’s effort to develop a draft checklist to guide us in the implementation of norms in line with Line 26 of the Second APR. Singapore further welcomes the use of language from various key sources in the Chair’s checklist, which draws guidance from both the consensus language in the 2021 UN GGE report, as well as the UNIDIR report on the implementation of norms. We also appreciate the clear set of actions outlined in the checklist which will help states, especially small and developing states, take concrete steps to implement them. At the same time, a norms implementation checklist is not a one-size-fits-all solution, and we positively view the Chair’s checklist as broad and flexible enough for states to implement it according to their national priorities and interests.

New Zealand:
Thank you, Chair, and we acknowledge the work by you and your team to produce the Checklist of Norms. The strength of this checklist lies in it carefully and deliberately reflecting what has already been agreed by consensus. This lends it immediate credibility as a practical tool for norms implementation, and we agree there would be value in distinguishing between elements that have achieved consensus and other ideas. There is a clear link between the agreed norms and capacity-building efforts, and this checklist nicely links the two. In our view, the agreed framework for responsible state behaviour is both necessary and sufficient to maintain a stable and peaceful cyberspace, and forms the basis for effective cooperation between states. If consistently implemented by all states, we would then be in a position to assess whether any gaps exist, but unfortunately we do not think we are yet in this position. On the issue of considering new areas for discussion about norms, we therefore think the OEWG could usefully examine what to do when agreed norms are willfully ignored and ways to build accountability. Thank you.

Chair:
Thank you. Switzerland to be followed by Canada.

Switzerland:
Thank you, Mr. Chair. In our statement on threats, we referred to the increasing intensity of ransomware attacks and state-sponsored attacks against critical infrastructure. We therefore see merit focusing on norms referred in C, F, G and H, calling for the protection of all critical infrastructure, supporting essential services to the public, in particular medical and healthcare facilities, as well as cooperation between states for this purpose. The 2021 GGE report provides a good basis for the implementation of these norms. It lists the norms and provides further guidance on how to implement them. But there are also a wide variety of good practice guides available. Regional organizations have already done a lot of valuable work from which we can benefit. As an example, I would like to mention the work of the OECE on the protection of critical infrastructure. A continued in-depth exchange between the open-ended working group and regional organizations, as well as between regional organizations themselves, would therefore be useful. One of the key elements to protecting and identifying critical infrastructure from ICT threats is establishing a trusted exchange between the critical infrastructure operators and the relevant government authorities. Switzerland has established such an information exchange platform or network. Participation in this network is based on a flexible definition of critical infrastructure. Critical infrastructures are defined as processes, systems, and facilities that are essential for the functioning of the economy or the livelihoods of the population. We are happy to share our experience with other states. Last September, 2023, our parliament also passed an amendment to the Information Security Act which introduces a reporting obligation for cyberattacks on critical infrastructures. These allow us to detect such attacks in an early manner and to inform other providers of critical infrastructures of the threats they might face.
Mr. Chair, Switzerland would like to thank you and your team for the draft paper on the norms implementation checklist. The draft paper is still under consideration in our capital. But allow me to share some initial observations. We understand such practical guidance as a helpful effort and tool in operationalizing the norms. We welcome the fact that the checklist emphasizes the important role of CERTs and CSIRTs. We also welcome the fact that FIRST is mentioned. FIRST plays an important role in the international cooperation of CERTs and CSIRTs and in the area of capacity building. States should create a framework or framework conditions that allow FIRST to operate as freely as possible. We therefore regret all the more that one delegation has vetoed FIRST’s participation in this open-ended working group. We also welcome the recommendation to put in place cooperation between national CERTs and CSIRTs, national authorities, and the diplomatic community under Norm B. In our view, this cooperation and network between the diplomatic and technical community is not only important for the implementation of Norm B, but for the implementation of all norms. The points of contact networks could form a good basis also to help us foster this cooperation between both communities. We believe the checklist could be further refined and developed by building on existing initiatives, exploiting synergies, and working closely with other multi-stakeholders. The vast majority of ICT is provided, maintained, and used by private actors and civil society, which ultimately must be involved in the effort to successfully implement norms. From a practical point of view, it could also be worth considering listing possible measures and then noting for which norms they are useful in their implementation. For example, the creation of CERTs or CSIRTs is currently mentioned in many places in the list, which seems repetitive.
The creation of CERTs and CSIRTs could be proposed once and then mentioned for which norms and their implementation they are useful, but changing a little bit the structure of the checklist. Mr. Chair, let me take this opportunity to mention one multi-stakeholder initiative to support implementation of supply chain security and vulnerability standards, the Geneva Manual. The Geneva Manual offers an action-oriented approach to cybersecurity. It was developed in the framework of the Geneva Dialogue on Responsible Behavior in Cyberspace. The Dialogue analyzes and maps the roles and responsibilities of various actors in ensuring the security and stability of cyberspace. Switzerland, together with Canada, Chile, the Netherlands, and Diplo foundations, is organizing a side event on Thursday during lunchtime to present the Geneva Manual. It will take place at the Swiss Mission, and I would like to invite all delegations to attend this side event. Thank you.

Chair:
Thank you very much, Switzerland. I presume lunch is provided. Thank you for that. No pressure at all. But thank you for your statement. Canada to be followed by Vietnam.

Canada:
Thank you for your patience and understanding, sir. And next time, I’m going to bring a good old-fashioned paper version. So I will take off from where I left off last time when I was giving my speech. The… You can listen to the whole statement, please. Sorry to interrupt you. No problem, thank you. Okay, I will start from the very beginning. Canada would like to thank you for this opportunity to take the floor on this important issue, sir. As we heard during statements on threats, cyberspace remains an environment subject to all sorts of stress and sometimes malicious behavior. This context reveals the importance of stepping up efforts to implement the 11 non-binding norms. Indeed, to respond first to your last guiding question, sir, one of the best ways to implement existing norms is to try, in good faith, to respect these norms. One of the norms is, and I quote, to not knowingly allow the territory to be used to commit internationally unlawful acts with the assistance of ICTs. As identified in the checklist proposed by you, sir, and in the GGE report of 2021, where there’s consensus, and I quote, the norm leads to the expectation that a state will take reasonable measures in… within its existing resources to bring an end to activities underway in its territory by using the proportionate, appropriate and effective measures whilst respecting international law and internal or domestic law. The credibility of members depends, to a large extent, on their ability to deliver on their promise. It is inspiring to see the efforts of several members to achieve this, be this by expending their energy on building capacity to implement norms or by contributing to discussions to help our shared understanding of these norms. There is a whole number of members who are leading by example and specifically showing their good faith. We should further support the implementation thereof of these existing norms. 
Canada welcomes the work of the Chair to make available to members a voluntary checklist and a practical practice. This list draws lessons from the work that has previously been carried out by members, including within the GGE report adopted by consensus in 2021. Mr Chair, the checklist that you have proposed is an interesting option. We will study it carefully and we are very much looking forward to contributing to it. Our work to implement the norms must make effective progress. Thus, we will really become more resilient at the global level. To make serious progress towards this, we need to be focused. This is why we believe that the best use of our resources is to consolidate and to build on what we have already achieved. We nonetheless take note of the first guiding question put by the Chair and the fact that some States have highlighted this, so namely the idea of discussing together if there is consensus on developing new norms or not. As we said, in Canada’s opinion, the OEWG 2021-2025 should focus primarily on implementing existing norms. There’s a lot of work to be done here, and indeed we think that without the implementation of existing norms, it would be very difficult to assess what really needs to be developed or would need to be developed. We do respect the point of view and the contribution of our partners and stakeholders, and you’ve referred to them yesterday morning. While we do that, we’re still not convinced that the new norms that exist might not be able to be respected within the context of existing norms. In our opinion, the structure envisaged for the programme of action, in particular with its virtuous circle, this structure might create the necessary space for the examination of future potential norms if there are indeed lacunae, indeed practical initiatives and technical meetings that are planned for in the POA will contribute to capacity building and therefore to identifying any gaps that might exist between the norms and cyber events. 
That is how we can seek to develop a responsible behaviour framework in the best way. In conclusion, we’d like to provide an example of an implementation of a norm in Canada. The example that we’re going to give you is on 3G, the one that notes that states must protect their critical infrastructure from threats to cyber security. So this is the scenario. We see numerous attacks on infrastructure throughout the world, including in our region. To understand as best as possible the threats that we’re facing, we consult experts, including people in the private sector. The industry furthermore, provides comments to best clarify the regulatory framework that we are planning. Having identified the threats, we also want to identify the infrastructures themselves and thus we need to consider which ones, if affected, could have a negative impact on our population, including on the most vulnerable communities. Civil society is best placed to help us evaluate this based on the sector or the critical infrastructure area. The areas identified as the most relevant include finance, energy, telecommunications and transport. Civil society thus highlights issues to be considered, in particular regarding the right to a private life. In order to consider what measures need to be taken, we need to go off the beaten path, so to speak, and therefore we call upon the circle of academia because this has the potential to contribute. Thanks to our interactions with all these stakeholders throughout the project, the stakeholders understand the ins and outs of the draft that we are trying to draw up, the draft law. This understanding leads to adhesion and a feeling that we are all working together as a team. The draft law that I have just talked about is draft law C-26. This draft law seeks to protect cyber systems that are regulated by our government and are at the basis of our essential infrastructure. 
This draft is going through the Canadian Parliament and the next stage is an article-by-article examination. In conclusion, sir, I’d like to conclude on a very quick personal note. I am absolutely delighted that the Government of Canada, personally speaking, is working with the best experts possible to protect my bank account and my private data. So this is how I want to wrap up my statement, sir. Canada will continue to be actively involved in implementing non-binding norms. Thank you very much.

Chair:
Thank you very much, Canada. I think we have to declare your laptop to be critical information infrastructure, too. It needs all the protection you can get, and I think all our laptops need all the protection we could get. Vietnam to be followed by Brazil. Vietnam, please.

Vietnam:
Thank you for giving me the floor. Vietnam emphasises the importance of a shared understanding how rules, norms and principles apply in cyberspace. We firmly stand behind the endeavour for a unified interpretation regarding the principle of non-intervention in internal affairs in which states, particularly through their online activities in cyberspace, including social networks, should refrain from generating, disseminating and facilitating controversial, negative, false or incendiary content that could potentially disrupt or impact the internal affairs of other nations. Furthermore, Vietnam extends its full support towards clarifying the responsibilities of states in combating production, generation and dissemination of fake news or content which incites violence, hatred, discrimination and terrorism, which is especially crucial in light of the pervasive deployment of AI technologies, especially generative AI. States should assert control over their respective national cyberspaces and potentially restrict access to sources of information that have not been duly verified. Mr Chair, the cyberspace as we know it is highly interconnected and technically developed to the point that many states are considering it as a global common and may become an issue. essential tool for us to realize the promise of practice, tolerance, and live together in peace with one another as good neighbors, as mentioned in the UN Charter. In essence, Vietnam advocates for a concerted effort with the international community to establish robust frameworks and mechanisms aimed at upholding the principles of sovereignty, non-interference, and responsible behavior in cyberspace as good neighbors. Mr. Chair, regarding the development of future norms, this delegation also strongly supports the development and mutual recognition of technical standards regarding electronic evidence to facilitate the handling and verification of the origins of cybersecurity incidents. 
The technical experts are in need of such a tool to allow for a thorough and objective assessment of forensic evidence of ICT incidents through international cooperation activities. We believe that this tool would also contribute to the discussion on attribution of ICT incidents, which has seriously hampered the confidence-building efforts. Thank you, Mr. Chair, for your kind attention.

Chair:
Thank you very much, Vietnam. Brazil, to be followed by Ecuador. Brazil, please.

Brazil:
Thank you very much, Mr. Chair. Brazil is a staunch supporter of the acquis of previous UN processes on ICTs and international security, particularly the voluntary norms of responsible state behavior, which have guided us in the establishing of our national norms and policies to secure our critical infrastructures and information infrastructures. Our legal and institutional framework is currently undergoing a review process, which has already resulted in a more robust legal and institutional framework to tackle this issue. A presidential decree of December 2023 instituted our national cybersecurity policy and established our National Security Committee, whose first meeting will take place on March 20. The policy will provide improved guidance on cybersecurity measures to be taken by all competent authorities, and the committee will monitor the implementation and evolution of the policy and other domestic norms on the issue. It will also ensure ongoing closer coordination between the different government bodies with key mandates in the area represented at the committee, which will meet regularly. Brazil appreciates the work you and your team have done so far to advance our discussions on rules, norms, and principles, and we welcome your discussion paper on a checklist on practical actions for the implementation of the voluntary norms of responsible state behavior in the use of ICTs. They are a useful step in translating general international norms to concrete measures to be adopted at the national level to operationalize those norms in each state. Our relevant national institutions are currently analyzing the draft checklist and will provide specific suggestions as soon as possible. We can already support, however, Colombia’s suggestion to include a reference to the points of contact directory in the checklist for norm B.
Mr. Chair, we reiterate the importance of international cooperation, including through capacity building and the transfer of technology in promoting the national implementation of the norms. We have greatly benefited from the national experiences of other countries, and therefore fully welcome continued knowledge sharing in this area, which will also contribute to better and more targeted capacity building efforts. Regional cooperation has been particularly relevant in this area, and Brazil remains engaged in OASC CERT Americas, for instance, which has been instrumental in advancing the norms related to information sharing on threats and vulnerabilities, and in Mercosur’s Cybersecurity Commission, which has fostered national implementation of the norms through information exchange on cybersecurity legal frameworks, and the ongoing development of a common regional taxonomy. Finally, my delegation takes note of proposals of new norms to be adopted in the future. We believe that, as technology evolves, additional norms will indeed become necessary to address the challenges to the security of states that they could present. We would like to stress, however, that any efforts aimed at eventually developing new norms must be inclusive and therefore take place within the UN, which currently means this Open-Ended Working Group. While we recognize the value of many international initiatives mentioned throughout this and previous sessions in fostering discussions on key cybersecurity issues and participate in many of them, norms will only have effectiveness and legitimacy when negotiated in an open and inclusive manner, in a universal forum, where the needs of all countries, including developing countries, are duly taken into account. I thank you.

Chair:
Thank you very much, Brazil, for your contribution. Ecuador, to be followed by Malaysia, please.

Ecuador:
Thank you very much, Mr. Chairman. Given that this is the first time that my delegation is taking the floor, we’d like to thank you for your efforts and your team for your efforts at the helm of this group, and we’d like to highlight the major work that has gone into the documents that have been provided to us for discussion at this meeting, including the checklist of specific ways to implement the voluntary norms for the responsible behavior of states. On this, my country is fully committed to help. We’d also like to thank the Secretariat for their work and for the efforts for the forthcoming operationalization of the points of contact directory. I would like to say, Mr. Chairman, that for my delegation, we are pleased to see the evolution of our discussions and the level of technical depth we have gone into. A lot of this has been provided by the Women in Cyber program, and we are pleased to have been part of this since March 2023, and my delegation has benefited significantly from this program. And now I get back to the main part of my statement. Like many other states who preceded me in taking the floor, Ecuador would like to acknowledge the need to make headway in the implementation of norms for the responsible behavior of states in cyberspace. We think that the list that you have put forward is very timely. This will allow us to have references and specific measures to achieve the goal of cyber security, to protect critical infrastructure and to ensure that our citizens can have access to a safe, stable cyberspace. Ecuador has tried to move forward on many of the measures that have been put forward in the document. For instance, to have appropriate digital governance, as this is a priority for us. This is currently being seen through a bill on cyber security that we have put forward to bolster our cyber security and also to strengthen our cyber infrastructure. We’d like to learn from other delegations how they have had experiences in this domain. 
The checklist is particularly helpful because it can provide good practices and can help states in specific areas of ICTs. If we are to have a safe global cyberspace, then this needs to be done. And this needs to be done also through public-private cooperation and sustainable, lasting, responsible international cooperation. We need to be mindful of the size of the current challenges and we need to be fully committed to achieving a safe cyberspace for all. I would like to support what was stated by the delegation of Colombia on having a reference on the… the points of contact directory in the document. We will be mindful and listen attentively to what is being said in this discussion, Mr. Chairman. My delegation supports what was said by Kenya on structuring a repository of threats that can be used by states. This can be a way of providing confidence, and it can be used as a confidence-building measure. Finally, Chairman, I would like to express my delegation’s commitment to make further headway in achieving the goals under our mandate, under your leadership. Thank you.

Chair:
Thank you very much. Ecuador. Malaysia, to be followed by Argentina. Malaysia, please.

Malaysia:
Mr. Chair, Malaysia shares your view that the OEWG needs to further develop common understanding of the normative framework, and also continue efforts to implement the agreed norms. The agreed norms are central to the cumulative and evolving framework, and will continue to contribute to international peace and security. Malaysia thanks you, Chair, for your discussion paper on a checklist of practical actions for the implementation of voluntary, non-binding norms of responsible state behaviour in the use of ICTs. Malaysia is still studying the paper, and would like to share our preliminary views. Malaysia joins other states in welcoming the Chair’s discussion paper, which provides a good basis for our discussions. Malaysia appreciates the indication of the non-exhaustive nature of the checklist. Malaysia envisions the checklist as a living document that will continue to be enhanced as we delve deeper into the relevant issues. As mentioned by the UK, this paper could facilitate efforts toward universal baseline. designs. Malaysia further supports Japan’s comments on the importance of embedding security by design in ensuring supply chain security for norm I. Finally, Malaysia agrees with the view of previous speakers that this checklist will assist Member States in the identifications of capacity-building needs for further implementations of the norms.

Argentina:
Thank you very much, Mr. Chairman. Argentina acknowledges the challenge posed by the way in which ICTs are evolving, and we do not think we need new norms. We need to implement the existing norms. We think it is urgent that we effectively implement the norms we have, the norms we have already agreed upon. We would like to highlight that the norms adopted have been placed within our national legislation. They are part of the second national strategy on cyberspace that we have. Mr. Chairman, each state belongs to a specific region with its own characteristics, challenges and threats. As a result of this, it is critical that we promote understanding and international cooperation so that states can have similar tools at their disposal when they pull efforts at the national or international level to implement the norms we have already implemented or approved, particularly within an operable cyber environment. We are grateful for your efforts, sir, in drafting this document and the checklist for voluntary norms and practical measures to implement the norms that have been agreed upon. We think that the document represents a good starting point to support states’ efforts at implementation, but in particular to promote the exchange of best practices and to identify priorities in order to establish capacity building on cyber security in a broad sense to help with the implementation of the norms themselves. 
In terms of the questions on how we can continue to strengthen and broaden inclusive participation and active sustainable participation in international processes, such as for instance in this working group, we think that discussions in this group need to consider efforts that other fora and international organizations have made, international organizations that are dealing with cyber security challenges, such as the International Telecommunications Union, which has 193 member states and a framework on cyber security, and encourage them to be part of our discussions and to put forward proposals. That is why we welcome Norms B and D, the fact that they mention actions that require international cooperation as well as the need to continue strengthening and further developing those mechanisms that can facilitate the exchange of relevant information between international regional relevant bodies to raise understanding about the centrality of ICTs between states. Thank you.

Chair:
Thank you, Argentina. Syrian Arab Republic to be followed by Hungary, please.

Syrian Arab Republic:
Thank you, Mr. Chair. From the outset, my delegation would like to express its appreciation for your efforts to prepare the checklist regarding responsible behavior. We had hoped that this might have been available sufficiently in advance to allow our specialized national agencies to So, we believe very firmly that if we are focusing on non-binding norms, in particular given the voluntary nature of this, we believe firmly that this is not the best approach to make tangible progress in the area of cyberspace. This is particularly true because these norms depend on the interests of states. We think rather that in line with the mandate of this group and given the equal importance of the two processes, we think we need to strike a balance between implementing existing norms and developing new norms, including legally binding norms that can guarantee the application thereof. Here we’d like to underscore what follows. We underscore that voluntary measures are not sufficiently effective to ensure stability and security in cyberspace. Secondly, as we await for a legally binding instrument to be drafted that would impose clear commitments, we underscore the importance of reaching agreement on a global agreement on norms and principles of responsible behavior that would deal with all aspects of behavior in cyberspace and would also contribute to identify the rights and obligations of all parties in a balanced, fair way. We underscore the sovereign right of states to guarantee a national cybersecurity and to have mechanisms and norms linked to that to be established based on the principle of non-interference in domestic affairs. So one principle is to refrain from imposing unilateral coercive measures and other restrictive measures that might hinder states’ ability to access and the various things that are necessary for cyberspace to be developed and in order to appropriately deal with any attacks. So we have reconciliation and mediation. 
We have other peaceful means of settling disputes. These are all crucial things that need to be upheld. Thank you.

Chair:
Thank you very much, Syrian Arab Republic. Hungary, to be followed by Mauritius.

Hungary:
Thank you, Chair. First, I’d like to express my gratitude to you and your team for guiding our work in the room and also for regularly providing a, quote, safe place for continued discussions informally outside of the room. Hungary aligns itself with the statement delivered by the European Union and wishes to add the following in our national capacity. Mr. Chair, in general, we believe that there is a lot member states can still do to promote the existing UN framework for responsible state behavior at national, regional and international level in order to explain to the public how we actually contribute to stronger international cooperation on cyber and ICT security and to addressing existing and emerging threats like ransomware, the potential misuse of AI for malicious purposes or for influencing democratic processes. This is our joint responsibility. Every UN member state has a different story to tell, has different skills and capacities. And even though cyber security is not the first priority for all member states due to other more imminent security challenges, there should be a common baseline to govern our cooperation in this domain. Therefore, my delegation would like to thank Mr. Chair for sharing the discussion paper on the checklist of practical action for the implementation of the 11 voluntary non-binding norms with guiding questions that we will continue to study further in detail. To offer a couple of preliminary views on Norm B, for example, we believe that so far the rising geopolitical tensions and the lack of trust among member states have not allowed for states to agree on any meaningful and unbiased consultation mechanisms on regional or global level to help reduce the risk of misperception and of possible emergence of political and military tensions or conflicts. 
As you, Chair, earlier referred to, the risk of a misuse of ICT technologies turning into an armed conflict is getting a reality, which can be devastating considering the far-reaching spillover effects. Hereby I’d like to refer to the activities of the OSCE aiming for the implementation of the regionally adopted confidence-building measures. We believe that there is an opportunity for member states, big and small, to share their views and experiences from small-group discussions of the aforementioned consultation mechanisms that can further benefit the global consultations as well. Mr. Chair, you asked us what other voluntary measures might be possible to promote international cooperation. That is norm A. I’d like to highlight that diplomats, once working on cyber issues, might soon be assigned to other positions. But you will still have the valuable experience and the network that can be helpful later. So it’s worth to think about building a cyber alumni community for those who served, for example, as a national POC in the global or regional POC directories, or who was part of a fellowship program, such as the U.S.-Singapore Cyber Fellowship Program, or the Women in Cyber Fellowship Programs. Chair, we are looking forward to further engage on these issues later on. Thank you.

Chair:
Thank you very much, Hungary, for your statement and also for your suggestions. Mauritius, to be followed by Albania, please.

Mauritius:
Good afternoon, Chair. First and foremost, let me thank you and your team for all the efforts for coming up with the initial draft of a checklist of practical actions for the implementation of voluntary non-binding norms of responsible state behavior in the use of ICTs upon the recommendation of states. As one of the guiding questions, member states were asked to provide their views on this discussion paper. Mauritius acknowledged that the UN norms act as a foundation for safe and peaceful cyberspace. Mauritius firmly believes that the checklist that has been put forward serves as a comprehensive roadmap, especially for small and developing countries, to navigate through the complex challenges of cyberspace due to the lack of institutional structure, legal and regulatory frameworks, resources, and expertise. Consequently, they are still struggling with the implementation of the existing norms. This checklist could act as a practical tool that could help in identifying and mitigating the challenges of cyberspace. their priorities and also in their implementation efforts. However, while the checklist provides a valuable framework for action, it could be further enhanced. Its successful implementation will require sustained commitment and investment from all stakeholders. Mauritius believes in the adoption of a multi-stakeholder partnership model that allows the government, industry, civil society and the technical community to work together to translate these norms into tangible policies, practices and capabilities that enhance cyber security and protect our collective interests. This collaborative approach incorporating inputs from various stakeholders can serve as a pragmatic framework for fostering cooperation among diverse actors. Moreover, Mauritius is of the opinion that a guideline could be developed to complement the checklist that could greatly facilitate the implementation process in terms of clarity and accessibility. 
The guideline could list out the key points of the checklist into clear and concise language that is accessible to a wider audience. This will ensure that stakeholders including policymakers, government officials and industry leaders to easily understand and follow the guidance provided. Additionally, it could be beneficial to integrate practical examples and case studies to demonstrate how the norms can be applied in real-world situations. This inclusion assists stakeholders in contextualizing the guidance offered and comprehending its significance within their particular context or sector. Thank you, Chair.

Chair:
Albania, to be followed by Australia, please.

Albania:
Dear Mr. Chair, thank you very much for giving me the floor, and since this is the first time that I am speaking, I would like to specifically thank you, the Department of State, who is supporting my participation and my colleagues’ participation here and give me the opportunity to speak in this distinguished floor. I am honored. Albania is committed to bolstering its cybersecurity measures. Despite being ranked the 50th in the National Cybersecurity Index, indicating areas for improvement, Albania is dedicated to enhancing the cybersecurity strategy, infrastructure, policies and practices. To address these challenges, safeguard our national interest, to address the international norms and responsible behavior, Albanian government is undertaking several key initiatives. We have revised our cybersecurity law, which is now on the floor of the Albanian Parliament for approval. Over 20 regulations will be addressed, emerging threats and ensuring a robust legal framework that supports both the prevention and the responses, and a new strategy on cybersecurity for Albania will be approved by the end of 2024. Recognizing the importance of resilient infrastructure, we are investing in advanced cybersecurity technologies and systems to protect our critical national assets. Albania is a small country. We need a lot of support in addressing all the issues and needs of our strategy. We’re thankful to the United States government and other countries who are supporting the efforts of the government of Albania in building cyber resilience, in protecting our critical and important infrastructures, in defense capacity, in defense capabilities in cyber security. We are committed to building the cyber security skills of our workforce and raising awareness among citizens and businesses about cyber risk and best practices.
During last year and currently we have trained hundreds of IT professionals from the Albanian critical and important infrastructures and from the staff of our institutions and we will continue in this rate. A good part of the training is now offered from our experts but still Albania has a strong need to work with international partners and invest in increasing our capacities. Albania understands that cyber security is a global issue requiring international cooperation. We are actively engaging with international partners and organizations to share knowledge, enhance our capabilities and collectively improve our defense against cyber threats. Through the National Authority for Cyber Security we are currently member of a world-class organization on cyber security. To mention a few, we are full members of FIRST, Counter Ransomware Initiative, part of NATO Cyber Coalition exercise. Albania is in full alignment with the NISA guidelines. We are part, since last year, of this open-ended working group. We are active on implementing CBMs with OSCE. Albania is following a number of initiatives of working with other countries in the Western Balkans and I can promise that by next week we will bring our point of contacts to you. The government of Albania is fully committed to advancing our cyber security measures, protecting our national infrastructures and ensuring the digital safety of our citizens. We recognize the evolving nature of cyber threats and affirm our dedication to continue improvement and international cooperation in the fight against cybercrime. As a final point, Mr. Chair, please allow me to reiterate Albania’s firm position for a global, open, free, stable and secure cyberspace. Thank you.

Chair:
Thank you very much, Albania, for your statement. Australia to be followed by Israel, please.

Australia:
Thank you very much, Chair. I want to start by thanking you and your team for your work on collating the checklist for consideration on norms implementation. As we all know, the implementation of the norms and working together to both understand how these norms assist us helps us address the emerging threats we spoke about yesterday about artificial intelligence, the proliferation of intrusive cyber tools, techniques, malware, cascading effects and spillover effects and other issues that we have been speaking about. This checklist, much of which is based upon consensus and agreed guidance, shows how much work has already been done by this group and also by our predecessors on norms implementation guidance, particularly that of the 2021 Group of Governmental Experts, which provided in-depth guidance to all countries on how these norms can be implemented and applied. Australia would suggest considering some slight restructuring of this checklist, similar to the points that were raised by several others this morning. We think it is very important to recognise consensus text. We suggest looking at other examples of norms implementation guidelines and work. There is a lot of ongoing work and projects by UNIDIR, by ASPI, by Oxford and others to provide guidance on minimum baselines of norms implementation by states. And most of this work sets out the agreed text, the 2021 GGE norms guidance as chapeau paragraphs, and then sets out the actions that states can take to implement the norms under that guidance. This kind of structure reflects the way that the norms themselves were developed over time, not imposed by the top down, from the top down by the United Nations, but by collecting together the best practice examples of how countries were addressing cyber threats on the ground into this collection of agreed norms that we have today.
Another aspect that Australia thinks would make this checklist very valuable will be the use of examples of putting this document into practice. That is each of us sharing concrete examples of the ways we are ticking off this checklist and making this exercise valuable, like India, Canada, and others have done this afternoon. And I’d like to follow that example, and in that way answer your guiding question regarding measures or best practices that member states can undertake to protect critical infrastructure from cyber threats. Australia has published non-exhaustive examples of the way Australia implements the 11 agreed norms, and regarding norm G, part of that publication includes information on Australia’s critical infrastructure centre, which brings together expertise and capability from across government to manage the complex and evolving national security risks from foreign involvement in Australia’s critical infrastructure, and is focused on the risks of sabotage, espionage, and coercion, and has identified 11 sectors in which this is taking place. These include a couple of examples, telecommunications, electricity, gas, water, and ports. We have a Security of Critical Infrastructure Act. This provides a range of powers, functions, and obligations that only apply in relation to specific critical infrastructure assets. And we do have specific legislation as well for the protection and, again, additional obligations upon the operators of certain sectors of critical infrastructure. An example of this is the telecommunications sector security reform legislation, which manages cyber risks and other risks to our telecommunications networks and facilities. I won’t go into any more examples, but I do think it’s very encouraging to hear from others your own experiences. 
And we encourage everyone, like Mauritius did before me, to share their experiences and the practical examples of norms implementation here in our statements, but also through publications and through surveys. The reason why sharing our own experiences matters is because this provides a way to help others understand how we interpret the norms. This increases transparency and decreases the risk of miscommunication or miscalculation. And it also helps others and each other understand how we could uplift and review our implementation so that we all collectively increase security in cyberspace. Finally, you asked, Chair, about how additional guidance, including this checklist, can be leveraged to accelerate implementation efforts. And we would suggest that continuing the ongoing work to embed the norms, we should use this checklist and other valuable projects from ASPI, from Singapore, from Oxford and UNIDIR as the basis to self-assess the actions each of us have taken to implement the norms, and very importantly, what actions are still required to implement them fully. We think that surveying implementation through self-assessment provides several benefits. Not only can states identify how they’ve implemented the norms, and I am very confident, as I’ve said before, that every country when we look at our own systems will see that we have implemented the norms in some capacity, but also where the gaps in implementation may be and very particularly in identifying the barriers to implementation. These barriers can include political barriers, for example the issue not being considered a priority on the political agenda, structural or organizational barriers, things like unclear lines of responsibility or ownership of a particular issue, personnel and resourcing barriers, knowledge barriers and financial barriers. And by identifying these barriers we can identify the actions that we need to overcome them.
We’ve already identified for example a need for increased resources for awareness on implementation through capacity building. And it also helps us with other parts of the framework, for example with capacity building programs. It’s very important to find the gaps to fill to make sure that the capacity building programs for norms implementation are targeted and actually effective. And Australia considers that civil society and regional organisations have a very positive role to play in this endeavour. Particularly because implementation is not a once-and-done thing. It requires review, it requires updating as threats change, as technology evolves and as behaviours adapt. Australia finally remains very committed to working here on mainstreaming the norms that we have agreed and increasing the awareness of the norms in domestic governments and outside of these hallowed halls of the United Nations. And then also increasing our implementation. We think domestically, regionally, by states and with the help of stakeholders is the only way that we are going to see all countries contribute to building a more resilient cyberspace through norms implementation. Thank you, Chair.

Chair:
Thank you Australia for your statement. Israel to be followed by Ghana. Israel, please.

Israel:
Thank you. Thank you, Mr. Chair, for giving us the floor to comment on the important issue of our normative framework. I will do my best to be very concise, especially given this afternoon’s session is almost ending. Answering your guiding question, at this point in time, there is no need, in our opinion, to develop or elaborate any new norms, nor do we see the need for developing any legally binding instruments. We believe that a more cautious approach with respect to norms is required. As things currently stand, there is still a lack of certainty as to the manner in which existing norms and rules are being implemented and interpreted by states. Let us all recall that the 2015 GGE norm rules and principles are voluntary and non-binding in nature and do not detract from or extend beyond international law. Thus, norms are intended to signal expectations of the international community regarding appropriate state behavior. From what we have seen thus far, their implementation has been, at best, short and uneven. Mr. Chair, before embarking on any process of updating the existing norms or developing new norms, it would be more appropriate, in our view, to focus on those norms that currently exist, sharing best practices and assessing whether and how they are being understood and applied, ensuring that there exists a common language and understanding when referring to those norms. For that purpose, the Chair’s discussion paper suggesting a checklist on norm implementation can serve as a good base and can assist us in our further discussions. We would like to support the U.S. suggestions and other states that mentioned also to make sure that the consensual language quoted from the GGE documents be separated in this paper from any additional text added that doesn’t enjoy the same level of agreement. Thank you, Chair.

Chair:
Thank you. Thank you, Israel, for your statement. Ghana, you have the floor, please.

Ghana:
Thank you very much for giving me the floor, Mr. Chair. Mr. Chair, my delegation is pleased to offer a perspective on the discussion concerning the checklist of practical actions for implementing voluntary non-binding norms of responsible state behavior. We wish to focus on norms A, B, E, and G. Regarding norm A, Ghana fully supports the current actions listed and sees them as valuable in fostering regional and international cooperation. However, we believe that states can take several additional steps to enhance cooperation in developing and applying measures to increase stability and security in the use of ICTs. This includes the establishment of bilateral and multilateral agreements, allowing states to enter into agreement with each other to promote information sharing, joint exercises, and coordinated responses to cyber threats. Ghana emphasizes the importance of such cooperation, drawing from our first-hand experience and how beneficial bilateral and multilateral agreements have been to our cyber security development. In addressing your guiding question on ensuring inclusive, active, and sustainable participation, we wish to highlight the role of initiatives like fellowships such as the Women in Cyber Fellowship, the UN Singapore Fellowship, and the EU Cyber Direct Fellowship in building member states’ capacity to participate effectively in such processes. In addition to the actions outlined under norm B, we propose voluntary practical actions such as investing in research and development to enhance national capacity for attribution and incident response. Regular exercises and simulations at national and international levels are also crucial for testing and improving incident responses. This could be facilitated through cyber drills and the development of requisite technical expertise to share knowledge of emerging cyber threats and crisis management capabilities.
Regarding Norm C, Ghana supports the effective implementation of the POC Directory and has submitted the relevant details needed in this regard due to our firm belief that it is a very beneficial initiative. My delegation believes an active engagement in this process by member states will contribute significantly to implementation at multiple levels. Having active engagement at a diplomatic and technical level can contribute to ensuring that member states benefit from international cooperation as a prerequisite to ensuring that relevant information on cybercrime and existing threats are adequately shared. Mr. Chair, other voluntary practical actions for the implementation of Norm E could include the provision of human rights training and awareness programs for ICT professionals, government officials and other stakeholders. This will promote a better understanding of human rights principles in the ICT domain and ensure that digital rights are upheld online as they are offline. Finally, in addition to the actions listed under Norm G, Ghana fully supports the actions stated in both national and international levels. Sections 35 to 40 of Ghana’s Cybersecurity Act 2020, which is Act 1038, provide a concrete example of our commitment to protecting critical information infrastructure. These sections outline essential provisions such as designation, registration, withdrawal of designation, management and compliance audit of CI, duty onus of CI, and access to CI. For instance, the Act identifies 13 sectors as critical based on the criteria outlined in Section 35. Moreover, Ghana’s recent launch of a directive for the protection of CI on October 1st, 2021, exemplifies our proactive approach to safeguarding our digital assets. This legal framework underscores the importance of adopting legislation and policies to enhance cybersecurity measures, ensuring the resilience of Ghana’s digital infrastructure.
Currently, the latest key milestone has been the framework for the licensing of cybersecurity service providers, accreditation of cybersecurity establishments, and accreditation of cybersecurity professionals. This regime aims to provide a streamlined mechanism for ensuring that cybersecurity service providers, cybersecurity establishments, and cybersecurity professionals offer their services in accordance with approved standards and procedures, aligning with domestic requirements and international best practices. This process will provide greater assurance of cybersecurity solutions to consumers and acknowledge the crucial role of cybersecurity professionals in supporting and sustaining Ghana’s digital transformation. These measures aim to ensure that accredited professionals contribute effectively to combating cybercrime and protecting critical information infrastructure, thereby supporting Ghana’s digital transformation. Thank you.

Chair:
Thank you very much, Ghana. That was the last speaker. It’s getting close to six o’clock. I do not intend to make a summary per se, but I wanted to very quickly say that this has been a very, very good discussion. From my point of view, I want to thank all of you for responding to the guiding questions. In many ways, this discussion already was a sharing of best practices and experience that in itself I think was very useful. And also talking about norms implementation from a national perspective. It also gives everyone a sense of how others are looking at implementation, how others are looking at the norms themselves. So very useful discussion. Second, thank you very much for your views, reactions to the discussion paper. Many of you said you will take it back to capitals and discuss further. That’s very good. Thank you very much for that. And having heard the views of others this week, I hope that those views will also be very helpful as you reflect on your own position and as you bring it back into your interagency processes back in capitals. In the context of the discussion paper, as I said earlier, look at it as a voluntary list of actions. It is intended to support the efforts of states as they undertake implementation efforts. It’s supposed to be a catalyst for capacity building. It’s supposed to help at the national level what is already happening and where states certainly are signaling that they will need support in terms of implementation. There was also a sense of the traditional dynamic of a binary framing of the issue in terms of, yes, we don’t need new norms, we just need to implement existing norms, no, we need new norms, and it’s not enough to have just the existing framework and implement them. That traditional binary discussion is something that has been there in the working group. I recognize that.
But I would also encourage each one of you to look at it not in a binary way, but look at it in a very pragmatic way, in an incremental way, in a step-by-step manner, what is it that we can do to support states implement the existing framework, and at the same time, what is it as we implement these norms, what is it that is appearing to us as areas where we need a discussion on new guidance and new norms potentially, because we need to keep in mind that if there is going to be any discussion on new norms or new guidance for implementation, it has to be the result of consensus. So that discussion has to begin at some point. That discussion has been going on in the working group for some time, but we need to have that discussion. We have received some useful inputs from stakeholders. Certainly evolving technological landscape will also bring in a dimension as to how the existing framework can evolve and adapt, because it is a cumulative and evolving framework, which by definition means that we will have to accumulate layers and layers of understanding so that we all implement it, layers and layers of additional consensus elements that will help us all implement it nationally and also globally. So I think that binary framing is something that we need to go beyond that, and that’s what I was trying to do in my guiding questions, and that’s what is also intended in the discussion paper. So certainly this is a discussion we need to continue at the intersessional in May when you come back, and I would also encourage delegations to talk to each other, interested delegations to talk to each other, and those who have expressed a slightly different view also reach out and talk to the others. This is certainly a work in progress. It’s a discussion paper. We have had a good discussion. More discussion is needed. And we need to find some common ground and see how we can take a step forward. So with those comments, I’d like to thank you all for a long but productive day.
I wish you a pleasant evening. The meeting will start tomorrow morning at 10 a.m. sharp, Swiss time. The meeting is adjourned. Thank you.

Albania: speech speed 135 words per minute; speech length 596 words; speech time 265 secs
Argentina: speech speed 132 words per minute; speech length 407 words; speech time 185 secs
Australia: speech speed 161 words per minute; speech length 1158 words; speech time 432 secs
Bangladesh: speech speed 154 words per minute; speech length 557 words; speech time 217 secs
Belarus: speech speed 111 words per minute; speech length 436 words; speech time 236 secs
Brazil: speech speed 172 words per minute; speech length 616 words; speech time 215 secs
Canada: speech speed 147 words per minute; speech length 1430 words; speech time 585 secs
Chair: speech speed 142 words per minute; speech length 2537 words; speech time 1075 secs
Chile: speech speed 138 words per minute; speech length 630 words; speech time 274 secs
China: speech speed 160 words per minute; speech length 404 words; speech time 152 secs
Colombia: speech speed 142 words per minute; speech length 478 words; speech time 201 secs
Cuba: speech speed 138 words per minute; speech length 483 words; speech time 211 secs
Czechia: speech speed 175 words per minute; speech length 401 words; speech time 137 secs
Ecuador: speech speed 167 words per minute; speech length 591 words; speech time 213 secs
Egypt: speech speed 146 words per minute; speech length 536 words; speech time 220 secs
El Salvador: speech speed 157 words per minute; speech length 487 words; speech time 186 secs
European Union: speech speed 137 words per minute; speech length 1005 words; speech time 441 secs
France: speech speed 126 words per minute; speech length 728 words; speech time 346 secs
Ghana: speech speed 147 words per minute; speech length 747 words; speech time 306 secs
Hungary: speech speed 133 words per minute; speech length 547 words; speech time 246 secs
India: speech speed 123 words per minute; speech length 327 words; speech time 160 secs
Islamic Republic of Iran: speech speed 153 words per minute; speech length 549 words; speech time 215 secs
Israel: speech speed 151 words per minute; speech length 333 words; speech time 132 secs
Italy: speech speed 147 words per minute; speech length 398 words; speech time 163 secs
Japan: speech speed 110 words per minute; speech length 402 words; speech time 219 secs
Malaysia: speech speed 137 words per minute; speech length 228 words; speech time 99 secs
Mauritius: speech speed 132 words per minute; speech length 413 words; speech time 188 secs
Mexico: speech speed 142 words per minute; speech length 429 words; speech time 181 secs
Netherlands: speech speed 145 words per minute; speech length 605 words; speech time 250 secs
New Zealand: speech speed 144 words per minute; speech length 198 words; speech time 82 secs
Republic of Korea: speech speed 145 words per minute; speech length 576 words; speech time 238 secs
Russian Federation: speech speed 132 words per minute; speech length 643 words; speech time 292 secs
Singapore: speech speed 128 words per minute; speech length 205 words; speech time 96 secs
Slovakia: speech speed 140 words per minute; speech length 516 words; speech time 222 secs
South Africa: speech speed 139 words per minute; speech length 321 words; speech time 139 secs
Spain: speech speed 129 words per minute; speech length 444 words; speech time 207 secs
Sri Lanka: speech speed 144 words per minute; speech length 748 words; speech time 312 secs
Switzerland: speech speed 154 words per minute; speech length 817 words; speech time 318 secs
Syrian Arab Republic: speech speed 129 words per minute; speech length 364 words; speech time 169 secs
United Kingdom: speech speed 143 words per minute; speech length 821 words; speech time 345 secs
United States: speech speed 156 words per minute; speech length 783 words; speech time 302 secs
Vietnam: speech speed 123 words per minute; speech length 364 words; speech time 178 secs