Agenda item 5: Day 2 Afternoon session
5 Mar 2024 21:00h - 23:59h
Disclaimer: This is not an official record of the session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed.
Session report
UN delegates deliberate on cyberspace norms at OEWG session
During the fourth meeting of the seventh substantive session of the Open-Ended Working Group (OEWG) on Security of, and in the use of Information and Communication Technologies (ICTs), established by the United Nations General Assembly Resolution 75-240, delegates from various nations convened to deliberate on the implementation of rules, norms, and principles of responsible state behaviour in cyberspace. The Chair initiated the session by presenting a discussion paper, along with a checklist of practical actions for the implementation of voluntary, non-binding norms of responsible state behaviour in the use of ICTs, and invited comments from the delegates on these documents.
The delegates engaged in a rich dialogue, sharing their national experiences and best practices in implementing the existing norms. The discussion revealed a consensus on the importance of these norms for maintaining international peace and security in the ICT domain. However, opinions diverged on the necessity of developing additional norms, especially in light of the challenges posed by emerging technologies such as Artificial Intelligence (AI). Some delegates, such as those from South Africa, advocated for additional norms to address the specific risks associated with AI, while others, like the Syrian Arab Republic, called for a more balanced approach that includes the development of new, legally binding norms.
A significant portion of the discussion centred on measures to protect critical infrastructure from ICT threats. Delegates underscored the importance of cyber hygiene, security by design, and supply chain integrity. For instance, South Africa suggested that at a minimum, basic cyber hygiene practices should be in place, and security should be built into the design and manufacture of technology products. The South African delegation also called for shared principles over competition in ensuring supply chain integrity.
The Chair’s discussion paper and the checklist were generally well-received as useful tools to support states in their implementation efforts. Delegates appreciated the non-exhaustive nature of the checklist, viewing it as a living document that could evolve over time. They also highlighted the need for the checklist to be voluntary, flexible, and adaptable to national priorities and interests. Some delegates, including those from the United States and Switzerland, recommended slight restructuring of the checklist to distinguish between elements that have achieved consensus and other ideas that do not enjoy the same level of agreement.
The session also touched upon the importance of inclusive participation in international processes like the OEWG. Delegates emphasised the need for dedicated fellowships for developing countries to facilitate their participation in the UN process, with programs like the Women in Cyber Fellowship being highlighted as valuable initiatives.
In conclusion, the meeting underscored the urgency of implementing the existing norms and the potential need for additional guidance or norms to address emerging challenges in cyberspace. The Chair encouraged a pragmatic and incremental approach to the discussion, moving beyond the traditional binary framing of whether to implement existing norms or develop new ones. The Chair also called for continued dialogue and engagement among delegates to find common ground for the implementation of norms in cyberspace.
Noteworthy observations from the transcript include the proactive sharing of national strategies and legislation by countries such as India and Canada, which provided concrete examples of how they are addressing cybersecurity and protecting critical infrastructure. The session also highlighted the ongoing need for capacity building, technology transfer, and technical assistance to support the implementation of norms, particularly for small and developing states.
Overall, the meeting reflected a collective commitment to strengthening cybersecurity and fostering a safe, stable, and peaceful cyberspace through the implementation of agreed norms and principles.
Session transcript
Chair:
Distinguished Delegates, the fourth meeting of the seventh substantive session of the Open-Ended Working Group on Security of, and in the use of ICTs established pursuant to General Assembly Resolution 75-240 is now called to order. Distinguished Delegates, in accordance with the program of work, we will now proceed to begin our discussion on the topic of Rules, Norms, and Principles of Responsible Behavior of States. And I draw your attention once again to the Chair’s discussion paper that I had made available as part of the documentation for this meeting, and I also draw your attention to the list of guiding questions relating to Rules, Norms, and Principles, and I’d like to invite your comments on them. Finally, I also draw your attention to what I said just prior to breaking for lunch, where I had encouraged you very strongly to present a very succinct summary of your interventions, on the understanding that you could send me your written statements so that I could look at it very closely, and your statements would also be put on the website of the OEWG so that all delegations can also look at your statements. So do not feel that you have an obligation to read every word of the statement that you have prepared with great care and thoughtfulness. Do be as succinct as possible so that we can make progress on this section and also go on to the next section. So with these comments, I now open the floor for delegations wishing to make a statement and I give the floor now to South Africa followed by Bangladesh. South Africa, please.
South Africa:
Chairperson, for this segment of our work, you asked us to reflect on five guiding questions and we are pleased to share our thoughts on some of these questions. On the question of possible additional norms that could potentially complement existing norms, South Africa has maintained that additional norms could be developed by considering gaps identified through the process of implementing those norms. It became very clear during the discussion on threats that despite the many benefits emerging technologies such as AI bring, the associated risks are twofold. Thus, the South African delegation could support a new norm to protect against AI-powered cyber operations and attacks on AI systems to complement existing norms as proposed during the multi-stakeholder consultation last week. Chairperson, turning to the question on measures to be taken to protect critical infrastructure and critical information infrastructure from ICT threats, we would suggest that at a minimum, the basics of cyber hygiene should be in place and this includes the simple measures such as strong passwords, software updates, turning on multi-factor authentication and so forth. The next step is to ensure that security is built into the design and manufacture of technology products, i.e. security by design and default. On strengthening cooperation to ensure the integrity of the supply chain and prevent the use of harmful hidden functions, we call upon states to strive for shared principles and avoid competition. The South African delegation is still studying the chair’s discussion paper on a checklist of practical actions for the implementation of voluntary, non-binding norms of responsible state behavior in the use of ICTs, and we would like to return to this at a later date to share our views. Thank you.
Chair:
Thank you. Thank you very much, South Africa. Bangladesh to be followed by India. Bangladesh, please.
Bangladesh:
Thank you, Mr. Chair. My delegation commends your efforts in presenting the chair’s discussion paper on a checklist of practical actions for the implementation of voluntary, non-binding norms of responsible state behaviors in the use of ICTs, which in our view is a solid basis and my delegation fully subscribes to it to further discussions in this regard. Mr. Chair, my delegation believes that building a strong cybersecurity posture requires a cultural shift. Equipping future generations with digital literacy skills through cybersecurity education in schools’ curriculums, starting from the elementary level, is a critical first step. Promoting a culture of peace and its program of action, which my delegation is promoting at the UN, remains equally important online as it does offline. Furthermore, workshops and training programs for businesses and government employees on cyber hygiene practices are essential. To solidify these efforts, fostering public-private partnerships is critical for the development and promotion of best practices in secure software development and coding, ensuring that software is secured by design. This lays a strong foundation for a more secure digital future. Developing standardized formats for reporting ICT incidents to facilitate information sharing and analysis by relevant authorities is a critically important first step as practical actions for implementing voluntary norms. To ensure an honest understanding of ICT incidents and develop effective response strategies, a multi-pronged approach is essential. First, conduct a meticulous technical analysis, scrutinizing attack methods, tools, and, if possible, identifying the origin. Equally crucial is an impact assessment, evaluating the incident’s scope, scale, and repercussions on critical infrastructure, businesses, and individuals. However, the evaluation shouldn’t stop at technical aspects.
A comprehensive contextual analysis is necessary, considering the geopolitical landscape, potential motives, and any historical incidents with similar characteristics. Navigating attribution challenges in the cyber domain with prudence, acknowledging complexities, and avoiding hasty conclusions based on circumstantial evidence is paramount. Employing this holistic approach ensures a well-rounded understanding of ICT incidents, paving the way for informed and effective response strategies. Mr. Chair, the most effective approach to translating these norms into concrete action lies in collective efforts between States. This collaborative endeavor should focus on providing guidance on the interpretation and implementation of these principles, ensuring their effective application in the evolving cyber landscape. To that end, Bangladesh emphasizes that all States should have the common and comprehensive understanding on these norms. In pursuit of this shared understanding, we need to address the skill gap as a matter of priority. This includes fostering information sharing and facilitating the exchange of knowledge, experience, and expertise. These actions are deemed basic, yet their simplicity and effectiveness make them readily implementable and valuable in strengthening cyber security capabilities for nations in need. In this regard, we underscore the importance of strengthening and expanding inclusive, active, and sustainable participation in international processes like the OEWG. We emphasize the need for dedicated fellowship for developing countries, particularly for LDCs, to facilitate their participation in the UN process. I thank you, Mr. Chair.
Chair:
Thank you very much, Bangladesh. India, to be followed by Canada. India, please.
India:
Mr. Chair, India asserts that maintaining international peace and security in cyberspace is a shared responsibility. Voluntary, non-binding norms of responsible state behavior can reduce risks to international peace, security, and stability, contributing to conflict prevention by increasing predictability and reducing the chances of incorrect perceptions. The norms, rules, and principles in the GGE report of 2021 lay a solid foundation for responsible state behavior. Following these norms, rules, and principles will help secure international peace and security. In this respect, India thanks the Chair for his initiative in drafting a checklist for the implementation of norms. To address the second guiding question about what best practices Member States can undertake to protect critical infrastructure from ICT threats, India would like to highlight some suggested measures, including those currently undertaken by India’s National Critical Information Infrastructure Protection Center. And these include, number one, conduct of comprehensive risk assessments of critical infrastructure to identify potential vulnerabilities and threats. Two, promotion of cybersecurity awareness and training programs to educate stakeholders. Three, collaboration with national and international entities to share threat intelligence. Four, ensuring proactive identification of emerging cyber threats. Five, establishment of incident response teams to promptly address and mitigate cybersecurity incidents. Six, the conduct of regular audits and assessments of the security posture of critical infrastructure entities. Seven, adherence to relevant regulatory requirements and guidelines to protect critical infrastructure from cyber threats. Eight, information sharing and collaboration among critical infrastructure entities to strengthen cybersecurity capabilities collectively. Nine, adoption of advanced technologies and tools to detect and mitigate cyber threats more effectively. Ten, emphasis on a culture of continuous improvement to adapt to evolving cyber threats and enhance cybersecurity measures over time. These practices align with international standards and frameworks for critical infrastructure protection and would contribute to a safer and more secure digital ecosystem.
Chair:
Thank you for your contribution. I give the floor now to Canada to be followed by the European Union. Canada, please.
Canada:
Canada, thank you for this opportunity to take the floor on this important subject. As we heard during statements on threats, cyberspace remains an environment subject to all sorts of stress and sometimes behaviour which is sometimes poor. This context highlights the importance of stepping up efforts to implement the 11 non-binding norms. To respond to your last guiding question, sir, one of the best ways of fostering implementation of existing norms is to try, in good faith, to respect these norms. One norm consists, and I quote, of not knowingly allowing the territory to be used to commit internationally unlawful acts with the assistance of ICTs. As identified in the verification list proposed by the chair and in the GGE report of 2021, on which consensus was reached, and I quote, a norm leads to an expectation that a state will take reasonable measures within its abilities to bring an end to activities underway in its territory by using proportionate, appropriate, effective measures and respecting international law and also domestic law. Mr. Chair, sir, the credibility of members depends to a large extent on their ability to deliver on their promise. It is great to see various efforts underway to achieve this by dedicating their energy to build the appropriate capacity to implement these norms. Mr. Chair, I do apologize, but I’m having some technical problems and I need to suspend the delivery of my speech. I do apologize.
Chair:
Thank you very much, Canada. We’ll come back to you when your computer is up again. We’ll go through the next speaker, European Union followed by Russian Federation. EU, please.
European Union:
Yes, thank you, Chair, for giving me the floor. The candidate countries, North Macedonia, Montenegro, Serbia, Albania, Ukraine, the Republic of Moldova, Bosnia and Herzegovina and Georgia, and the EFTA country, Norway, member of the European Economic Area, as well as Andorra and San Marino aligned themselves with this statement. The European Union and its member states strongly support the concrete implementation of the UN framework for responsible state behavior in cyberspace.
That among other key components also includes 11 voluntary norms of state behavior in cyberspace. The open-ended working group must continue to elaborate on, strengthen, and enhance the implementation of these 11 norms, and to exchange on best practices as well as expectations in this context. As every country has its own starting point for implementing the UN recommendations, we see the norms checklist, as proposed by the chair, as a valuable tool to enable both the clarification of the content, scope, and expectations that the norms set, and to contribute to the common understanding on how to implement them.
The checklist can build upon the work already done on norms implementation guidances, such as the guidance provided in the 2021 UN GGE report, as well as the open-ended working group consensus reports, and on the efforts by other stakeholders, such as ASEAN, the Australian Strategic Policy Institute, and UNIDIR. Throughout previous sessions, UN member states, as well as regional organizations, have suggested different tools, manuals, and practices, which could be helpful to implement the norms. UN member states and regional organizations, including the EU, have also shared domestic and regional practices, positions on international law, ratification on treaties, vulnerability disclosure frameworks, and mechanisms for crisis and incident management that could also be considered relevant in this regard. For the EU, it is important that the checklist would also help to identify barriers to implementation and from there translate those needs into targeted capacity building programs.
Mr. Chair, during previous sessions, the EU and the Member States have been highlighting some of the norms which we believe could be developed further, in particular Norm 13C and the three critical infrastructure-related norms, 13F, G and H.
The Norm 13C that affirms that states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs raises the expectations of, first, general prevention. States should take reasonable preventive measures to keep their territory to the extent possible from being used to commit malicious ICT activity to the detriment of third states, as in the case of developing relevant institutional capacities to be able to swiftly respond to malicious use emanating from one’s territory. We would note that taking of preventive measures should not be understood as entailing the responsibility of a state to monitor ICT infrastructure located on its territory at all times.
Second, response to request for cooperation. When notified by another state that such an activity is taking place or that it is highly probable that such an activity shall imminently take place, states should take appropriate measures to address it.
And third, expectation of means. The expectation that states should take appropriate measures in accordance with their To advance the implementation of norms, the European Union has also been a strong advocate of a more consistent cooperation with other stakeholders. Notably, the critical infrastructure operators can support advancing the protection of critical infrastructure, one of the positive obligations under the UN framework. In addition, the private sector could continue to contribute to building capacities using their knowledge and experience on the protection of critical infrastructures, as well as the responses to incidents. Further activities could include to enhance threat monitoring and assessment, reporting and other incident management mechanisms and capabilities. In light of that, we appreciate the meeting by the Chair last week, inviting all interested stakeholders to an informal dialogue to discuss on how stakeholders can further contribute to states’ efforts to develop measures or best practices to protect critical infrastructure from ICT threats and how to better support states in this process.
The Open-Ended Working Group could potentially look into issuing a set of cybersecurity best practices and encourage all public and private sector organizations to apply these practices to improve their cyber resilience.
In this, the Open-Ended Working Group could, for example, draw inspiration from and adopt or further develop some of the good practices from the Geneva Manual that was developed by non-state actors and that clarifies the roles and responsibilities of non-state actors and suggests how they can contribute to the implementation of the voluntary norms. During previous sessions, the EU and its member states have also called upon states to further develop their understanding on the content, scope, and expectation of the norms. The EU has institutionalized a careful review of cyber incidents against the normative framework to ensure any diplomatic responses are measured and proportionate. In the context of the Open-Ended Working Group, discussions about norms implementation, as well as the application of international law to cyber operations that target critical infrastructure in peacetime and in conflict are vital to improve accountability. We look forward to further engaging on the norms checklist and thank the chair for putting it forward as it has the potential to make the Open-Ended Working Group more effective and enable concrete exchange on how countries interpret and track these norms nationally. Thank you.
Chair:
Thank you, European Union. Russian Federation to be followed by the Islamic Republic of Iran. Russia, please.
Russian Federation:
Thank you, Mr. Chair. The mandate of the OEWG approved by all UN member states asks us to continue as a priority to develop rules, norms, and principles of responsible behavior of states in cyberspace. We consider it imperative to strictly follow this. In our view, any unjustified bias in favor of implementing only the existing list of voluntary non-binding rules of behavior, either during discussions or in the outcome documents of the OEWG represents a distortion of the group’s mandate. In this context, we would like to comment on the chair’s. firm on a checklist for implementation of norms. To begin with, it is regrettable that this document, which is quite voluminous and in many substantive aspects is new, was presented for consideration just one week before the session and moreover in English, which for Russia and for many other UN member states is not an official language. Such an approach does not allow us to analyse it in a comprehensive manner or take into account the assessments of competent authorities or present a well-developed official position on this. We would urge the Chair to circulate such papers well in advance, at least two or three weeks before the meeting, so not to put delegations facing an artificial time crunch. Regarding the document itself, we see bias in favour of the implementation of norms. Moreover, it is unclear why the initial set of international rules of responsible behaviour enshrined in UNGA Resolution 73-27 was ignored. We stress the need on launching an equally substantive discussion on developing new norms, especially since states have made a number of proposals in this regard. In particular, we should return to the national contribution set out in the 2019-2021 Chair’s Summary. Russia and a number of other countries have consistently advocated for the need to agree upon a comprehensive universal set of rules, norms and principles of responsible behaviour and make them legally binding. 
Specifically speaking, we suggest the following new norms. First, the sovereign right of each state to ensure the security of its national information or cyberspace and to establish norms and mechanisms for government in its cyberspace in accordance with national legislation. Secondly, the prevention of the use of ICTs to undermine or infringe upon the sovereignty, territorial integrity or independence of states or to interfere in the internal affairs of states. Thirdly, the inadmissibility of unsubstantiated accusations against states accused of organizing and committing wrongful acts with the use of ICTs including cyberattacks followed by the imposition of various restrictions such as sanctions, unilateral sanctions and other measures of response. Fourthly, the settlement of interstate conflicts through negotiations, mediation, reconciliation or other peaceful means of the state’s choice including through consultations with the participation of the competent national authorities. These norms stemmed from a UN Convention on International Information Security which Russia together with a group of states presented at the beginning of 2023 to the OEWG and as an official document of the 77th session of the UN General Assembly. The document intends to promote the prevention and peaceful settlement of conflicts and the exclusively peaceful use of ICTs. It is to serve as a basis for cooperation between states for these purposes. We look forward to a constructive discussion of our initiative in the OEWG on an equal footing with proposals by other states. We trust that any forms of reporting on norms implementation will be linked to drafting relevant legal obligations. Thank you very much.
Chair:
Thank you, Russian Federation, Islamic Republic of Iran, followed by Cuba.
Islamic Republic of Iran:
Mr. Chair, thank you for giving me the floor. In response to your first question regarding the additional norms that could potentially complement existing norms, as our colleague from Russian Federation just mentioned, I also wish to emphasize that several states, including my own, have previously put forward the specific norms that were incorporated in the first OEWG Chair Summary. Since those proposals remain valid and retain their relevance, in order to streamline our discussion, I would prefer not to reiterate them here, or as a colleague from Bangladesh said in this morning session, to recycle them here. I wish to recall that yesterday we heard from the distinguished Chair that the idea of new norms was also proposed by stakeholders. Instead, in order to fulfill the outstanding mandate of the OEWG in elaborating additional norms designated by Resolution 75-240 as a priority, we would like to propose that the Chair of the OEWG takes the initiative to craft an initial draft encompassing new rules, norms, and principles, drawing from the Annex to the Chair Summary. This draft could serve as a basis for discussion during the forthcoming substantive sessions, as well as during the dedicated interstitial meeting on rules, norms, and principles of responsible state behavior in the use of ICT, which is outlined in Paragraph 27 of the second APR. Mr. Chair, I would like to express our appreciation for the papers recently circulated for discussion during this session. However, emphasizing the importance of ensuring a thorough, practical, and meaningful review and consultations by our related internal agencies, like the Russian Federation, we also kindly request that the guiding questions and the discussion documents of the OEWG be circulated early enough. This will provide our internal agencies ample opportunity to study the materials comprehensively, contributing to a more informed and constructive discussion during the OEWG sessions.
I would like to take this opportunity to provide some general comments on the discussion paper on a checklist for practical actions for the implementation of voluntary non-binding norms of responsible state behavior in the use of ICT. First, in our view, taking measures and initiatives and implementation of rules of behavior appears premature. Before engaging in discussion concerning the operationalization of envisaged norms, the OEWG needs to reach a consensus on a comprehensive list of norms by fulfilling its mandate outlined in paragraph one of resolution 75-240, to introduce change to the rules, norms, and principles of responsible behavior of a state or elaborating additional norms. Second, throughout the OEWG discussions, numerous countries have consistently underscored that further development of new norms and the implementation of existing norms were not mutually exclusive, but could take place in parallel. Currently, this essential balance seems to be overlooked, given that a parallel document addressing the formulation of new norms has yet to be crafted. Thank you, Mr. Chair.
Chair:
Thank you, Islamic Republic of Iran. Cuba to be followed by Slovakia.
Cuba:
Mr. Chairman, the rules, norms and principles on a voluntary basis and the socialization of good practices for cybersecurity are just an intermediary step in the goal of achieving states’ responsible behavior in cyberspace. The community of experts in this domain have a lot to contribute to improve the organization, discipline, order and rigor of the work carried out in cyberspace, and to make this a forum for peaceful development geared towards progress. General Assembly Resolution 75-240 clearly set the priority that this working group has to draft rules, norms and principles for the responsible behavior of states, as well as the corresponding ways of implementation, and, if necessary, to introduce changes to the drafting of additional rules of behavior. A clear sign of the need for new norms is seen in the broad legislative arsenal that the countries currently on the highest rankings of the Global Cybersecurity Index have. This is an index that is systematically published by the ITU. This mechanism assesses states’ responsibility and the degree of their commitment to cybersecurity, and those states who are in this room, some with a great deal of regulatory history. Analyzing this index will be very useful to determine on which aspects we need to establish norms, because these indicators are enablers both for governance and for the management of cybersecurity. In this context, it would be rational and objective to use the existing mechanisms with clearly shown competences in the development of new norms, such as the case of ITU Subcommittee No. 17. In the implementation of norms, we would reiterate the need to assess the binding nature that some of them should have. The draft that you have presented as a checklist on practical actions for the implementation of norms could be a starting point for that. This could foster awareness raising about the need for real international responsibility and objective responsibility in this domain by states. 
We do not favor the use of one-size-fits-all solutions for the implementation of norms negotiated at the UN. It’s particularly important to respect the specificities of each country, in particular the fact that developing countries don’t have the same technological and technical capacities as developed countries. Even though we do have common responsibilities, they have to be differentiated responsibilities. We reiterate that the drafting and implementation of norms for the responsible behavior of states in cyberspace must respect the principles of sovereignty, political independence and territorial integrity. It must promote peaceful coexistence and international cooperation. It must refrain from making recommendations on the domestic behavior of states, their oversight mechanisms and international procedures to guarantee cyber security. Thank you.
Chair:
Thank you, Cuba. Slovakia to be followed by Belarus. Slovakia, please.
Slovakia:
Mr. Chair, Slovakia aligns itself with the statement delivered by the European Union and wishes to emphasize a couple of points in its national capacity. The starting point for each UN member state with respect to the implementation of the UN Framework for Responsible Behavior in cyberspace differs. It is despite the urgent need for each and every member state to adhere to the framework. While some might view the 11 voluntary non-binding norms as merely normative guidelines to support peaceful and stable cyberspace, their role goes beyond their normative nature. The normative framework, whose implementation we have been navigating for almost a decade, aims at facilitating collaboration, promoting accountability, preserving trust, and protecting continuity of essential services. Slovakia welcomes the initial draft of the norms implementation checklist as proposed by the Chair and sees it as a valuable set of concrete proposals that could be adopted on the national and international level to foster compliance with the framework. That said, Slovakia looks forward to discussing individual elements of your proposal, Mr. Chair, in greater detail with the distinguished delegates as well as the stakeholder community to make the draft checklist more useful and actionable. We also commend other stakeholders’ initiatives such as, but not limited to, UNIDIR’s Survey of National Implementation, the Singapore UNIDAT Norms Implementation Checklist, and the Australian Strategic Policy Institute have played a role in developing own implementation guidelines which continue to fit into our discussion in this format. Importantly, actively implementing agreed norms and enhancing own cybersecurity measures are two sides of the same coin. This leads directly to the importance of building national legislative environment as well as capacities required to advance the implementation.
On this point, we agree with colleagues who have previously highlighted the role of critical infrastructure operators, relevant private sector entities, experts, and practitioners in advancing positive obligations under the UN framework. Here, the value of the program of action as a permanent, inclusive, and action-oriented mechanism upon conclusion of the current open-ended working group could prove immense. Noncompliance with agreed cyber norms has real-world consequences. Since the adoption of the second annual progress report, there have been novel reports of malicious cyber activities targeting critical infrastructure and democratic institutions and processes. The continued Russian aggression against Ukraine has also greatly impacted our security environment, including cyberspace. Whilst fully agreeing with the EU and others on the necessity to further develop our common understanding of the content and scope of agreed norms, there is a need to align international expectations about the adherence to the norms with what is considered responsible behavior of states in cyberspace. Mr. Chair, we appreciate focused discussions on this important topic and see them as an effort to encourage compliance, predictability, appropriate and proportionate diplomatic measures, and international cooperation to help address collective security concerns in cyberspace. Thank you.
Chair:
Thank you, Slovakia. Belarus, followed by Italy, please.
Belarus:
Distinguished Mr. Chair, given the great importance of cyberspace in people’s lives, Belarus has taken a number of measures to provide a systematic approach to governance in this area. For example, we adopted an information security concept of Belarus. This enshrines the most important provisions of our state policy here. In developing rules, norms and principles for responsible behaviour of states and implementation means, in our opinion, the following measures are key. Ensuring governmental protection of fundamental human rights in cyberspace. Developing e-feedback. The idea of that is to help people address problems by analyzing citizens’ initiatives and proposals and involve them more in the decision-making process. Increasing the population’s digital awareness. Developing a security sphere. In the normative legal sphere, it’s expedient to develop conceptual international documents on cybersecurity. In addition to existing documents here, we pin significant hopes on the process on agreeing on a future convention on countering cybercrime. Focusing on a list of unlawful acts, we think it should be broad. It should not just focus on computer-related issues. In the media, we should focus on ICT resources, and they should be creating good-quality content of interest to users. Taking into consideration the rules of cyberspace in the scientific and educational sphere, we should focus on developing projects to develop ICT security, to create regional digital infrastructures. An important area is also to create intellectual platforms to identify context risks, such as memes, photos, videos, and audio files that contain destructive information, for example, promoting suicide or dangerous games or drugs, and also communication risks, for example, interpersonal relations that might lead to abuse, cyber-stalking or cyber-bullying, for example.
Also consumer risks linked with the abuse of the Internet and Internet rules by users, for example, selling counterfeit goods and other related activities. Communication risk involving children in dangerous groups, death groups, for example, or recruiting people into illegal armed groups. Improving national legislation should be conducted taking into consideration sovereignty, the right of a state to form their own ICT policies and to have information flows that are independent of external influence and also ICT neutrality, so there should be no harm conferred upon any other state. In conclusion, we would like to point out that the ultimate aim of the renewed ICT policy is to delineate clear red lines, which are important for not just national but also the international media sphere. Thank you very much.
Chair:
Thank you, Belarus. Italy, followed by Republic of Korea, please.
Italy:
Thank you, Mr. Chair, for giving me the floor. We fully align ourselves with the statement delivered by the European Union. We support the concrete implementation of the UN Framework on Responsible State Behaviour in cyberspace, of which the 11 voluntary norms represent a central component. We welcome, Mr. Chair, the checklist of practical actions that you proposed as an important tool available to states to guide them in the implementation of UN norms. While considering all these measures are useful, we would like to focus now on those that concern the protection of critical infrastructures and the integrity of the supply chain. Cyber-malicious activities targeting critical infrastructures are increasing in scale and geopolitical implications. The participation of a wide range of cyber threat actors, including state-sponsored groups or proxies, in conducting such attacks poses a significant threat to international security in cyberspace. In this context, we think dedicated efforts shall be granted to set up accountability mechanisms aiming at increasing mutual responsibility among states. National measures to detect, defend and respond to and recover from ICT incidents, which may include the establishment at the national level of a center or a responsible agency that leads on ICT matters and of CSIRTs, shall be implemented as well. The private sector, which manages and sometimes even owns critical infrastructure, has a critical role to play in protecting them and building stronger cyber capacities. Public-private partnerships may be an added value to our efforts. We should continue to raise awareness among all relevant stakeholders in this context. Supply chain security is a very important principle. However, ensuring safety and integrity of all products can be a very complex task to achieve. 
We encourage the adoption of specific frameworks for the assessment of supply chain security of ICT products, based on guidelines and best practices and adherence to international standards, such as ISO. Assessments and evaluations can be performed by a dedicated third-party organization that would operate within the boundaries of such frameworks. We consider the establishment of national evaluation and security certification centers and adoption of cyber certification schemes as important measures to be implemented. We look forward to further engaging the discussion. Thank you.
Chair:
Thank you, Italy. Republic of Korea, to be followed by United States.
Republic of Korea:
Thank you. My delegation believes that we are now at the stage of beginning the implementation of the norms we have already agreed upon in the GGE and adopted at the UN General Assembly. The checklist would be helpful to states in implementing the norms as it comprehensively reflects domestic and international measures. We hope to see the checklist develop into a more completed form by combining and coordinating the comments from the members and the stakeholders of the group. My delegation believes that voluntary non-binding norms can encourage states to get more acquainted with the elements of the normative domain of cybersecurity, guiding towards common understandings leading up to convergence, and thus help states as well as other stakeholders to be better prepared for the potential incidents. These non-binding norms can assist states to flexibly respond to the cyberspace and rapidly advancing technology. Moreover, non-binding norms can be inclusive in its nature and can help bridge the gap between and within countries. Through the checklist, gaps can be identified, thus it could give guidance to programming and implementing capacity building measures. In this regard, the checklist should be linked with capacity building in order to be successfully implemented. The Republic of Korea will continue its efforts in supporting capacity building for the developing countries. Turning to the elements of the checklist, my delegation would like to stress the importance of national coordination and interagency cooperation. We welcome that this notion is reflected in the checklist. In order to effectively detect, protect, and respond to ICT incidents and threats, domestic coordinating agency is needed, and interagency cooperation is imperative. To this end, like many other countries, ROK operates the National Cyber Security Center for Coordinated and Systematic Security Monitoring.
My delegation notes that the checklist also incorporates norms for malicious ICT activity attributable to other states and illegal ICT activity carried out within the territory. My delegation is of the view that in order to effectively respond to cyber attacks, the cooperation from the country of origin and transit countries is critical. And we hope to see relevant norms can be elaborated and clarified further in this group. In particular, applying due diligence in cyberspace would be useful for a timely response in case of cyber attacks. Details of the norm should be further clarified while taking into consideration the capacity gap among countries when applying the due diligence rule. In securing the integrity of the supply chain, fostering partnership with ICT companies is indispensable. Furthermore, it will be helpful to build institutional and normative foundations to provide security guidelines starting from the development stage of software products, which can be used in the public sector in order to protect public service or critical infrastructure from being targeted by serious cyber attacks. Since 2013, ROK had established guidelines for the establishment and operation of information systems in administrative and public institutions to secure the integrity of the supply chain. We look forward to hearing more about other best practices on how states coordinate with private sector including ICT enterprises. Thank you.
Chair:
Thank you, Republic of Korea. United States followed by the United Kingdom.
United States:
Thank you, Chair. In your guiding questions, you asked whether there are specific areas in which the implementation of the consensus norms is currently lacking, where existing implementation efforts can be improved, and how additional guidance can be leveraged to accelerate implementation efforts. During my intervention, I intend to examine these questions using the example of ransomware attacks against health care facilities, which have been on the rise, as documented by the World Health Organization in a recent report examining cyber threats to the health care sector. Which norms come into play when a medical facility is the victim of a ransomware attack, and what practical steps to implement those norms would be most effective in countering or responding to this threat? Norm 13G counsels states to take appropriate measures to protect their critical infrastructure from ICT threats, taking into account GA Resolution 58-199. One such measure is a state’s designation of infrastructure or a sector as critical. To effectively protect critical infrastructure, a state must first classify it as such. In addition to enacting policies, regulations, and laws to ensure critical infrastructure owners and operators secure these networks, states should build or strengthen their capacity to investigate malicious cyber activity targeting them. Acting pursuant to norms 13C, F, and H entails determining the origin of malicious activity. As norm 13B advises, states should consider all relevant information when determining attribution. Partners can be a valuable resource when investigating an incident. Stakeholders can assist in both technical assistance and capacity building to bolster a state’s ability to conduct effective incident response. A state may also choose to ask another state for assistance.
Norm 13D, which advises states to consider how best to cooperate to exchange information and assist each other, reflects the reality that a state’s investigation will often involve the investigative resources and cooperation of other states. POC directories, including existing regional directories and the upcoming global POC directory, could be of use in requesting assistance, whether of a third country or the state from whose territory the ransomware attack is emanating. In addition to POC directories, guidance on how to formulate and respond to requests for assistance would enable more effective communication. The OEWG could lay the groundwork for the development of templates that would clarify for states what information needs to be shared and in what format. These could include, one, a request under norm 13H to mitigate malicious ICT activity emanating from another state’s territory that is impacting the requesting state’s critical infrastructure. Number two, the notification under norm 13C that an internationally wrongful act conducted using ICTs is emanating from or transiting through the notified state’s territory, and a request that it take all appropriate and reasonably available and feasible steps to address the situation. And just as importantly, appropriate responses from states that have been asked to investigate such malicious activity, as well as a request for assistance to a third state under norms B, C, or H. Such additional confidence building measures in the form of guidance on effectively formulating and appropriately responding to requests for assistance could significantly speed relief to member states in need. Finally, Chair, I wish to express my thanks for your discussion paper containing a draft norms implementation checklist and want to provide a few preliminary reactions.
Your draft demonstrates that there are several fundamental prerequisites for states to put in place at the national level to enable their implementation of the framework and its norms. In particular, this includes creating a CERT, creating whole of government cyber strategies, legislation, and other policies, establishing public-private partnerships, and establishing cooperative relationships on cyber matters with other countries. The OEWG should highlight these priority national steps. This would contribute significantly to norms implementation and related capacity building to elevate these needs. Separately, we appreciate that the checklist includes many of the useful ideas contained in the 2021 GGE report. We note, however, that this 2021 GGE report represents consensus language affirmed by all member states and is not on the same footing with the new ideas and non-consensus proposals also included in your checklist. We recommend the 2021 GGE report’s text on norms be included as is within a future OEWG report, so that the OEWG can build upon this existing foundation to further common understanding on how to implement the consensus norms. Thank you, Chair.
Chair:
Thank you, United States. UK followed by Egypt, please.
United Kingdom:
Good afternoon, Chair, and thank you for the draft discussion paper on a norms checklist. While the voluntary norms are designed to be universal, their implementation is context-dependent. We think the voluntary practical actions in your paper are at the right level of detail to allow states to decide the most appropriate ways to implement the norms. As a whole, the paper outlines a baseline of cybersecurity capacities. Establishing such a baseline is one of the recommendations of the Global Cybersecurity Capacity Centre, based at the University of Oxford. Their recent research project, based on discussions with states and stakeholders, considered cybersecurity capacities for the application of UN cyber norms. They recommend, and my delegation agrees, that the future programme of action should support states to work towards a capacity baseline. This focus on baseline capacities echoes UNIDIR’s important work on foundational cyber capacities and has similarities to the evaluative approach taken by the UN programme of action on small arms and light weapons. Your draft paper is a promising step towards a universal baseline. The University of Oxford’s findings also highlight the importance of raising awareness of the norms among policymakers responsible for cyber capabilities, and we encourage states to continue to do this within their national systems. Our final observation on the draft guidance paper is that it includes some consensus guidance from the 2021 GGE report and some new content. As the United States has just noted, we could further clarify the different levels of consensus contained in the draft. Turning to your question on improving norms implementation, we would like to build on our remarks made yesterday on the growing commercial market for intrusive ICT capabilities. 
The existing rules, norms and principles of responsible state behaviour, confidence building measures and capacity building provide a robust framework to guide the behaviour of states when interacting with this market. Yesterday we outlined the main components of this market because the commercial dimension is significant. Market dynamics are supercharging the development and availability of advanced intrusion capabilities in a way that is new. At the sixth session of the OEWG, the United Kingdom and France emphasised that there are legitimate uses for commercially available intrusive cyber tools. The private sector has and will continue to have a legitimate role in this market for cyber tools and services. States will continue to make use of these tools and services for national security and law enforcement. In this context, one of the questions for states is what does responsible activity look like in practice? We believe this could include the following. First, states can set out their collective expectations with regard to the commercial market so that it does not undermine stability in cyberspace and works to prevent commercially available cyber intrusion capabilities from being used irresponsibly. Second, governments can ensure that we are taking the appropriate regulatory steps within our domestic jurisdictions through enforcing existing legal frameworks, evaluating or developing new domestic laws, or making use of policy levers to identify and respond to irresponsible activity in the market. Third, it is incumbent on states to conduct procurement responsibly, including by discouraging irresponsible behavior when engaging private actors. Finally, when states choose to use cyber capabilities in support of national security and law enforcement, it is important that they do so in a way that is not only lawful but also responsible. States can share what responsible state behavior means in practice for them.
We believe this kind of transparency helps to avoid miscalculation and builds confidence. Examples of this practice from the UK include our publication National Cyber Force Responsible Cyber Power in Practice in 2023 and the exposition of our equities process in 2018, which outlines how decisions about the disclosure of vulnerabilities in technology are taken. The Pall Mall process seeks to provide a framework for inclusive dialogue between states and with stakeholders on this issue. The UN Framework for Responsible State Behavior is at the heart of the process and is referenced extensively in the Pall Mall declaration published last month. More work is needed to determine collectively what additional norms guidance might be needed in the context of advanced commercial cyber tools, but further recognition in the draft guidance that the norms guide not only states but also how states engage with the market for commercially available cyber capabilities could be beneficial. Our aim is that the outcomes of the process will ultimately help to inform further good practice in the implementation of the norms. Thank you, Chair.
Chair:
Thank you very much, UK. This is turning out to be a very useful discussion and I just wanted to at this point make a brief comment. I still have a good list of speakers and we’ll go through them one by one, but I welcome very much all of you responding to the different questions, guiding questions that I’ve put forward and I think it’s useful that all of us listen to the different contributions from the different member states. And I also wanted to point out that the discussion paper is precisely that, to have a discussion and while some of you have said that you wished you had received it much earlier, that is a point I take, but that is precisely the purpose at this meeting to also have that discussion in a collective context. And with regard to the discussion paper, I wanted to first of all situate that discussion paper in the context of our second annual progress report. If you look at paragraph 23F of the second annual progress report, we talk about how we can support states in implementing the rules, norms, and principles of responsible state behavior. And in that context, there was a discussion of a checklist and it was in that context, the chair was mandated to prepare the checklist. Second, if you look at the checklist in paragraph two and I invite all of you to look at it, at this point. Paragraph two of the chair’s discussion paper says, and I quote, in this regard, this checklist could serve as a starting point to support states’ implementation efforts. In other words, member states are already implementing the rules, norms, and principles. The question is, do we help them or do we not? We had that discussion last year, and the answer or the sentiment was that, yes, we should support efforts by states to implement the rules, norms, and principles. And that’s where the checklist comes in as a tool to support implementation that is already happening, perhaps not happening fast, but happening to some extent. 
So the question is, how can the checklist become a catalyst to accelerate implementation, but also a catalyst for capacity building? And this is reflected in the discussion paper as point number two. Provide a useful means of identifying priorities in tailored capacity building efforts. And sub-point C talks about how the checklist could function as a common reference point to support the exchange of best practices in specific areas of ICT security. So as we get into this discussion on the discussion paper, I also want you to have that broader point in mind, which is that many states have already begun implementation. The POC directory is in some ways also an implementation exercise by states at the national level. And states are struggling with that implementation, whether it’s establishing the POC network or a focal point, implementing the agreed norms, implementing the initial list of CBMs. And I think it’s urgent and imperative that we provide whatever assistance we can to support states. So we’ll come to this capacity building discussion in the later section. So that part we are coming to it. But in the context of rules, norms, and principles, the checklist was intended as a tool to help states in the implementation efforts. So keep that in mind as a tool to support states, as a catalyst for capacity building, as a potential accelerator of implementation. Now talking about implementation does not mean we do not talk about other things, including the need for additional guidance and discussions on additional potential norms. But we can do multiple things at the same time. And that precisely is the challenge that we are engaged in. So keep that in mind. I thought I would inject some observations at this point. And if you have any reactions to my comments as well, that is welcome. We do have a speaker’s list. So I’ll go through them. Once again, be as succinct as possible. This is not going to be our last discussion.
We’ll come back to the issue in May when we have the intersessionals. But this is already turning out to be a very useful initial discussion on the discussion paper. Egypt, followed by Colombia, please.
Egypt:
Thank you, Mr. Chairman. Since it’s our first time to take the floor, let me join other delegations in expressing our appreciation to you, Mr. Chairman, your team, as well as the Secretariat for all efforts to steer forward the work of this group, and rest assured of our continued support and active participation to this process. We also express our appreciation to you, Mr. Chairman, for sharing the draft elements paper on both the implementation checklist as well as the future regular institutional dialogue, which are still being considered thoroughly at our capital. However, let me share with you our preliminary observations and also responding to your guiding questions. Egypt has consistently stressed the importance of moving forward from the conceptually repetitive discussions that took place over the past 25 years in this domain towards an action-oriented approach that would allow the implementation of the existing framework of rules, norms, principles, and the use of ICT in the context of international security. Such approach should not contradict or undermine the ongoing or future discussions on the further development of the existing agreed framework. The proposed checklist should be simplified and rationalized as it includes duplicative measures as well as technical and detailed actions in particular at the national level that might go beyond the state’s capabilities. Subsequently, it would also require adequate time for its consideration and coordination at the national level. Moreover, we believe that such a checklist could represent a concrete step towards the full and effective implementation of the existing agreed framework, pending the elaboration of existing framework and binding rules as appropriate. However, it should represent a non-exhaustive list of implementation measures that could be further developed over time in line with the evolving nature of the ICT domain.
Furthermore, the proposed list or any other implementation measures should take into account the following elements and principles that also need to be included in the chapeau paragraphs, along with the already-reflected voluntary nature of its implementation. First, the technological gaps among developing and developed states. Second, the diverse national legal systems. Third, respecting each region’s specificities. Fourth, this implementation list should not prejudice states’ positions in the future discussions on the implementation of the existing framework. Mr. Chairman, we have surpassed the midpoint of this OEWG and getting closer to the final annual cycle of this group. Although there could be merits on continuing the discussions on all agenda items of the group concurrently, it could be also the right moment to consider giving priority and special attention to specific matters, while discussions on the traditional outstanding matters could take place adequately in the future regular institutional dialogue that we believe must be a permanent, comprehensive, and single-track process. These elements that we’ll touch upon in our intervention in the next agenda items within the OEWG. And finally, we reiterate our continued support to this process and our willingness to actively participate in it. Thank you.
Chair:
Thank you very much, Egypt, for your contribution. Colombia to be followed by the Netherlands.
Colombia:
Mr. Chairman, we’d like to thank you for your efforts and leadership at the helm of this working group and for preparing for this seventh meeting. We’d like to reiterate our support to you and our availability to continue working constructively within this process. Answering your question about which additional norms could be developed, bearing in mind the discussions that have been taking place within the OEWG, we think that the existing norms do have necessary flexibility for cyberspace and emerging technologies and for now efforts should be focused on people’s understanding them and implementing them. We also think nevertheless we can discuss principles on the safe deployment of new technologies with a human-centered approach. In terms of the checklist for practical actions for implementing voluntary norms, we are grateful for your efforts to draft the list and we think that it should be a starting point for looking at how states can implement norms as well as pinpointing priorities in terms of capacity building and it should be a common benchmark for the exchange of good practices and implementation of the relevant norms. We also think that the list can be a national assessment tool that states can use to identify challenges that they have and it will make it possible for us to look at the existing supply and this has been gone into in the document that you provided. I would also like to add the following comments. In terms of norm B, we think that we need to include the reference to the global directory as the timely forum for the exchange of information as well as to respond to requirements for assistance in terms of challenges of ICTs. On H, to move forward with the list, we would like to know how other states have fared in developing responses to cyber incidents. On E, we think we need to have the support of civil society to ensure the promotion and protection of human rights online.
And finally, on F, Colombia is making headway in designing our own strategy to safeguard our critical infrastructure. Given the methodology that we have in this area and the listing of our national inventory, we would be interested in exchanging ideas and good practices of how best to protect critical infrastructure and how to implement Norm F at the national level. To conclude, we think that we need to prioritize the global implementation and overall implementation of these norms. We think that this is necessary. We need to look at sustainable initiatives for capacity building, the exchange of good practices, and equitable geographical representation in international processes such as the OEWG. Thank you.
Chair:
Thank you very much, Colombia. Netherlands, to be followed by Spain. Please.
Netherlands:
Thank you very much, Chair. The Netherlands aligns itself with the statement delivered by the European Union, and I will make some additional remarks in my national capacity. Norms continue to be a key component in our cumulative and evolving framework. Complementary to the rules of international law, they reflect expectations of states and set standards for responsible state behavior that are specific to the cyber domain. Moreover, the previous OEWG reports have provided practical guidance on the norms that lay out concrete measures states can implement at the national and international level. The Netherlands is convinced that doing so will foster meaningful progress towards a more open, free, accessible, stable, secure, and peaceful cyberspace. In this regard, I would like to thank you, Chair, and your team for putting forward the discussion paper on today’s meeting on a checklist of practical actions for the implementation of voluntary non-binding norms. While we are still in the process of studying the paper more in depth, please allow me to share some initial reflections. The paper seems to provide a useful overview of concrete measures for states to take as well as a practical checklist. We welcome the incremental approach reflecting the design of the checklist by drawing from previous consensus reports as well as contributions from UNIDIR’s work on unpacking cyber capability needs. The Netherlands believes that these practical efforts are also useful in approaching your guiding questions around concrete measures to secure critical infrastructure and supply chain, which many delegations also addressed during our discussions on threats during the past day and a half. Addressing the threats through the lens of the norms and the concrete measures included in your checklist provides a useful basis for states to identify their capacity building needs. Chair, allow me to provide a few initial reflections with respect to the discussion paper.
Firstly, we wish to address norm C, which holds that states should not knowingly allow their territory to be used for international wrongful acts. The Netherlands believes that this norm is essential for states to address threats posed by non-state actors. We welcome this item included in the checklist encouraging states to discuss the content, scope, and conditions of this norm in order to achieve a more transparency on how this norm is nationally interpreted and applied. The Netherlands has done so in its national position on the application of international law to cyberspace. in which we consider the due diligence principle not only as a norm, but also as a rule of international law. Secondly, on norm E on human rights, we welcome the proposed action for states to develop a position on how international law, including humanitarian rights law, applies in the ICT domain. Under this norm, there are two elements from previous consensus reports that we would propose to reflect in the checklist. One, we believe that the observance of freedom of expression can contribute to promoting non-discrimination and narrowing the digital divide, including with regard to gender. Two, we consider that the checklist should include the consensus notion that state practices, such as mass arbitrary or unlawful mass surveillance, may have particular negative impacts on the exercise and enjoyment of human rights, in particular the right to privacy. Thank you very much, Chair.
Chair:
Thank you very much, Netherlands. Spain to be followed by Hungary.
Spain:
First and foremost, thank you for your questions. We would like to, in particular, welcome the checklist for voluntary behavior for states in cyberspace. This list that you proposed might be a very useful instrument in terms of implementing the norms upon which we already have consensus. We underscore that we’re not just starting from zero. We’ve already started the process. Many states have already made progress, thanks to regional organizations and their work, to continue to promote multilateralism in international processes when we’re talking about consolidating the implementation of norms that have consensus. We welcome an intersession meeting being convened in May. We do hope that then we’ll be able to go even further. We do hope that that technical meeting, that intersession meeting, will be able to be organized fairly regularly in order to enrich the discussions that took place in plenary. We hope that the content of the discussion will be represented in the annual report. These annual debates are extremely important. This is particularly true when we think about the role and the added value of the academic sphere and the private sector and the contributions that they can make in terms of thinking about the implementation of the regulatory framework for states’ behavior in cyberspace. We believe that it’s a good idea to pay enough attention and time to these exchanges. Expert discussions can be guided by specific questions. This is a useful format in the plenary. A constructive, properly targeted discussion might be able to help us highlight which norms need to be further clarified and which need to be further highlighted, because this is all going to be in vain if, at the same time, we can’t put forward confidence-building measures at the same time. I’m thinking here about the global register of contact points. We need to operationalize that. We also need to focus on capacity building. These are interlinked.
They all strengthen each other to promote this appropriate behavior in cyberspace. We’re talking about the rules, norms, and principles of responsible behavior. We think that for this, there’s a need to develop a code of good practice and exchange of information between the relevant national authorities. In this way, we might be able to counter the domino effect of cyber attacks. This is the only way that we can continue to make progress to set up a framework that regulates a state’s behavior in cyberspace. Thank you.
Chair:
Thank you very much, Spain, for your contribution. Japan to be followed by Czechia.
Japan:
Thank you. Thank you, Mr. Chairman. Japan is of the view that voluntary and non-binding norms of responsible state behavior can reduce risks to international peace, security, and stability. Japan considers that it is important to focus on deepening the discussion and the steady implementation of the existing norms. Mr. Chair, Japan would like to express our appreciation for the Chair’s leadership in making the discussion paper on the checklist of practical actions for the implementation of voluntary non-binding norms of responsible state behavior. We hope the checklist will serve as a starting point for deepening the discussions on the existing norms. And Mr. Chair, for example, to protect critical infrastructure, it is important to check and promote the implementation of Norms F, G and H in each country through the checklist. Exchanging best practices that Member States can undertake to protect critical infrastructure from cyber threats would be beneficial. As for specific ways in which States can further strengthen cooperation to ensure the integrity of the supply chain and prevent the use of harmful hidden functions, the Secure by Design could be important, because Secure by Design states that manufacturers prioritize the integration of product security as a critical prerequisite to features and speed to market. Furthermore, we should continue conducting discussions on how exactly manufacturers can achieve the Secure by Design. To this end, we believe the SBOM, which shows who made each component of the software, what the software contains, and how the software is configured, can be an effective method. It enables a detailed understanding of software configuration information, which can be used to immediately identify and respond to the vulnerabilities, leading to improved security of the software supply chain. It is important for each country to share information on good practices based on these efforts at the OEWG and in various other forums.
In any case, I wish to stress that it is important to listen to the voices of private actors to consider effective countermeasures. Finally, capacity building is important for states to deepen their understanding of the norms of responsible state behavior and to implement them appropriately. Japan provides the training programs to support these efforts and continues to do so. Thank you, Mr. Chairman.
Chair:
Thank you, Japan, for your statement. Czechia, to be followed by China.
Czechia:
Thank you, Mr. Chair. Czechia aligns itself with the EU statement, and we wish to emphasize a couple of points in our national capacity. Czechia repeatedly highlighted during the open-ended working group sessions that 11 norms of responsible state behavior are essential for stability and predictability in cyberspace. They are a key element of the normative framework and are complementary to international law. We thank you, Mr. Chair, for publishing the first draft of checklist we have asked for. We consider this as an excellent work we can definitely build on. Our longstanding priorities are norms G and J of the 2015 GGE report, focusing on protection of critical information infrastructure and security of supply chain. We welcome that the proposed guidance includes recommendations that mostly reflect our implementation on the national level. When addressing the national level, we would like to share our experience in implementing those norms. Our initial and prominent steps revolved around establishing comprehensive cybersecurity legislation and policies. Having solid grounds is the key to enhance fostering and expanding national capacities and improve other aspects of cybersecurity, including establishment of third national institution and other mechanisms and processes that are already mentioned in the checklist. Thus, based on this experience, we are pleased to see that creating and adopting cybersecurity legislation and policies is a recommendation included almost in every norms guidance. Regarding additional guidance to accelerate implementation of norms, we would suggest sharing best practices and lessons learned to each other in order to get a better idea about the whole process and its real implications. For example, the similar way we have just described our first step in establishing the National Cybersecurity Framework.
Czechia, also during Open-Ended Working Group, regularly emphasizes the implementation of Norm E of the 2015 GGE report, which should be discussed in more detail. Protection and promotion of human rights, both online and offline, is a priority for Czechia. In this regard, we promote a human-rights-based and human-centric approach to digital transformation. Finally, we would like to mention that when implementing the norms, discussion with all relevant stakeholders should be taken into consideration. Thank you, Mr. Chair.
Chair:
Thank you, Czechia. China, to be followed by El Salvador.
China:
Thank you, Mr. Chair. In connection with the guiding questions you gave us, we believe that we should have new norms in the cyberspace. Now, the international community has placed a lot of attention to the issue. GA Resolution 75-240 mandates the OEWG to continue discussing the risks and challenges, including those associated with data security, as well as measures to address them. The second annual progress report of the Working Group from last year has this to say, and I’ll quote, Considering the growth and aggregation of data associated with new and emerging technologies, there is also noted increasing relevance of data protection and data security. Unquote. In addition, national practice in data security governance has been consistently improving. It is a great source of inputs for substantive discussions at the OEWG. In the light of the discussions at multilateral fora such as the UN and the governance practice of various countries, China championed the Global Data Security Initiative, which can serve as basis for the discussion and formulation of relevant norms. The initiative contains specific commitments on data security, supply chain security, and critical infrastructure protection, including, and earlier I quote, to maintain an open, secure, and stable supply chain of global ICT products and services, to stand against ICT activities that impair or steal important data of other states’ critical infrastructure, not to request domestic companies to store data generated and obtained overseas in their own territory, not to obtain data located in other states through companies or individuals without other states’ permission, and not to install backdoors in their products and services. Moving on to guiding question four, China appreciates the Chair’s effort in preparing the checklist of practical actions for the implementation of the framework. We are in the middle of studying the paper, and that carefully.
That said, since ICT development and capacity vary from country to country, in our view, the proposed actions should be voluntary in nature, and be taken step by step, and should be anchored in the relevant UN reports on which consensus has been achieved. We also agreed with some of the statements of the previous speakers that we need to elaborate new norms and balance them against existing norms. Thank you.
Chair:
Thank you very much, China. El Salvador, to be followed by Sri Lanka. El Salvador, please.
El Salvador:
My delegation would like to thank you for presenting the document which sets out practical ways to implement voluntary norms for the responsible behaviour of states in the use of ICTs. We think the list is a valuable tool that provides guidelines for states on how to operationalise all of the norms. This is a matter that we’ve discussed in previous sessions of the group. Given that we already have a framework for responsible behaviour, we need to look at the way in which states can implement these norms, and this of course needs to be based on each country’s specificities. Countries need to identify national priorities and ensure capacity building, ensure that this is also in line with the existing needs. We appreciate the list that has been presented, which sets out measures that can see the practical implementation of specific norms, particularly those that require international cooperation if they are to be effectively implemented. It’s particularly important to tie the implementation of the framework to other initiatives that the group has promoted, such as the establishment of the Global Directory for Contact, or Focal Points, which we think is critical for the implementation of Norm C and H. We are in favour of including actions that use channels, such as the Contact Point list, for this purpose, as was mentioned by Colombia. We welcome actions proposed for Norm E and its implementation on the promotion and protection of human rights online, including the rights to privacy in the digital era and the right for the freedom of expression. As Czechia said, we need to have a comprehensive approach within the United Nations to ensure that we have a more inclusive and accessible use of ICTs, and also to protect the parts of our population who are most vulnerable, such as boys and girls. We also need to use the experience from regional forums, such as the OEA, as a benchmark.
And this can help us to promote the full, meaningful and equal participation of women in the decision-making process on ICTs. And this is something that we need to do. This contributes to helping us to address key issues, to reduce the digital gap, the gender gap online, and to ensure that women can participate in an equal footing in this effort. This working group needs to look at the potential for developing indicators on how to make further progress on these issues going forward. My delegation recognises the importance of international cooperation in this domain, as well as capacity building, technology transfer and technical assistance. These are all critical ways of making headway in the implementation of the norms we have. Thank you.
Chair:
Thank you very much, El Salvador. Sri Lanka, to be followed by France. Sri Lanka, please. Ambassador.
Sri Lanka:
It is a sine qua non that protecting critical infrastructure and critical information infrastructure from ICT threats is crucial for national security and economic stability. Overall, these rules, norms and principles are necessary for the regulation of ICT to ensure security, protect consumer rights, foster innovation, promote ethical conduct in the digital realm. They provide a framework for the responsible and beneficial use of technology for individuals, organisations and society as a whole. My delegation will seize upon this opportunity to allude to some possible measures that Member States may consider to undertake, which would further be exploited by this working group. Firstly, we think it is important, as has been referred to repeatedly, to conduct comprehensive risk assessment to identify vulnerabilities and potential threats to critical infrastructure and critical information infrastructure. Member states can accordingly develop risk management strategies to mitigate this risk effectively. It is also noteworthy that these risk management and assessment procedures will be guided by the definition of the CI and CII of each country. Secondly, it could also be considered to establish and enforce regulatory frameworks that mandate security standards for CI and CII sectors. This can include requirements for encryption, access control, and data protection. Sri Lanka is in the process of drafting its second cyber strategy for 2024-2027, which is aimed at strengthening the resilience of CII and government organisations in Sri Lanka, including completing a critical infrastructure readiness survey to identify critical national information infrastructure providers while assessing their cyber security preparedness. Thirdly, investment in advanced cyber security technologies such as artificial intelligence, machine learning, and behavioural analytics to enhance threat detection and response capabilities could also protect CI and CII from potential threats.
Now, in the field of information technology, there are several rules and norms, however drafted and they are essential for effective and ethical use. First of all, we need to respect the privacy of individuals and ensure the secure handling of personal data in terms of privacy and data protection. In the case of intellectual property, we need to respect copyrights, trademarks, intellectual property rights, and so on and so forth. In terms of accessibility, ensure that digital content technologies are accessible to all individuals, including those with disabilities, follow accessibility guidelines and standards. Then we have the question of net neutrality. The threat on all internet traffic, treat all internet traffic equally, without discrimination or preference, support the principle of open and non-discriminatory access to online content. Then we have the need for ethical use. In other words, to use it responsibly and ethically, avoiding harmful or malicious activities such as hacking, cyber bullying and spreading misinformation. Seventhly, the sustainable use of ICT. Promote environmentally sustainable practices in ICT, such as energy efficient hardware, responsible disposal of electronic waste and minimising the carbon footprint of data centres. Then interoperability. Support open standards and interoperability between ICT systems and platforms. Digital inclusion, meaning work towards bridging the digital divide and ensuring equal access to ICT resources and opportunities for all individuals. Empower users by providing transparent information, clear terms of service, meaningful choices. Now these rules and norms and principles, I’m sure we can develop, help create a responsible and inclusive ICT ecosystem that fosters innovation, protects user rights and contributes to the overall wellbeing of individuals and society.
The question that you posed from the Chair, Mr Chair, in reference to paragraph 23 of the second annual progress report, how do we help states to live by these checks and balances? I suppose the final analysis is I think that states must have the will to abide by these norms. Parties must have the will to abide by these principles, the necessary legislation perhaps, in every case. With all the will in the world, we most times are not able to keep up to these norms for a multitude of reasons. Be that as it may, I wish that we can probably put down a regime, a protocol by which we can mandatorily perhaps comply with, so that we can perhaps ensure a uniform system of user in the field of ICTs. Thank you.
Chair:
Thank you very much, Ambassador, for your contribution. I give the floor now to France, to be followed by Mexico. France, please.
France:
Mr. Chairman, my delegation aligns itself with the statement delivered by the European Union, and we’d like to make the following comments in our national capacity. We welcome the update of the guidelines and the proposal for a checklist to guide states in implementing the 11 norms for responsible behaviour, which are one of the crucial parts of the normative framework that we’ve drafted thus far. My statement will be based on two issues, examples of good practice in the implementation of these norms, and more specifically, the principle of due diligence. In terms of good practices, first of all, on the supply chain, we would like to share our national and European experience that we think provides specific examples for regulatory models for the implementation of the norms. Norm 13i states that the integrity of the supply chain must be guaranteed by states so as to bolster the trust of users in the security of the products they use. Indeed, the threat weighs heavily upon those providing the services, and attackers can profit from shortcomings and misuse the products accordingly. At the regional level, the European Union, through the NIS2 directive, has strengthened the security of the supply chain by establishing a high common level of cyber security throughout the European Union. And it’s also the case for the new regulation on cyber resilience, CRA, which aims to lay out minimum standards for cyber security, which are for those products which are made available on the European market for connected objects. This will be monitored by all of those actors in the supply chain, the manufacturer, the importer and the distributor, and this will be borne in mind in compliance measures. There are therefore useful complementary issues to those laid out in the checklist, so as to deepen the development of measures taken at the national level. Item 13i also mentions the nonproliferation of tools that can be abused. 
This is critical in a context of the rapid growth of the private market, where these may be used for offensive purposes. I would like to support what was said by the UK on this point. On the reflection started by the Pall Mall process, which was led jointly by France and the UK in an inclusive and multi-stakeholder fashion, and of course based on the framework for the responsible behaviour of states. Finally, on K, on the response teams, rapid response teams, which are commonly known as the CERT, France draws your attention to the need to work on what has already been done, particularly within the FIRST network that aims to link the CERT teams together. We think that work such as this is a good foundation for the implementation of this norm. Secondly, I would like to focus on norm C, on due diligence. France is continuing its work on this norm with a group of countries because we think we need to pinpoint the best practices that we can have to implement this norm, to learn experiences at the national and regional level. As the European Union said in its statement, this voluntary norm states that states should not knowingly allow their territory to be used for the commission of illicit acts through ICTs. This norm underlines states’ sovereignty and paves the way for cooperation in the management of incidents. We should link the implementation of this norm to the use of the global contact point repertory, as was stated notably by the United States. The principle of due diligence implies a preventive approach for states to take reasonable measures to avoid their territory being used as much as possible for the commission of abusive acts to the detriment of a third country. There is a need for means to respond to requests for cooperation. This underscores the importance of capacity building in the cyber domain, which was mentioned notably by the Republic of Korea and Japan.
We think we need to continue to deepen our collective understanding of Norm C and its specific implications, and to continue to work on this. Thank you.
Chair:
Thank you very much, France, for your statement. Mexico to be followed by Chile.
Mexico:
Thank you, sir. Mexico reiterates our commitment to the practical implementation of norms and standards adopted by consensus within the context of the GGE and the 2021 Working Group. These norms are the foundation for a safe cyberspace as well as a neutral, open cyberspace to provide a pragmatic approach to achieve these goals. By providing guidelines on the responsible behavior of states in cyberspace, without imposing new obligations, these norms facilitate a clear understanding of the expectations. They can be a flexible framework to promote cooperation and promote peace and pave the way for more specific developments in international law in cyberspace. This approach is adapted to the ever-evolving nature of the digital domain, allowing for us to adapt to new challenges and opportunities that are offered by emerging technologies. We welcome the framework for the responsible behavior of states in cyberspace as a way to strengthen cooperation through discussions in the current Open-Ended Working Group, and we hope that this can be strengthened with a future mechanism for permanent dialogue. We welcome the follow-up list of the norms that were taken from the second annual progress report. Mexico believes that this initiative is key in guiding efforts to practically implement norms for responsible behaviour, which are derived from the final outcome reports of the GGE and the 2021 Working Group. In this regard, we reaffirm our commitment to the National Survey for Implementation, which was developed by UNIDIR, which implements one of the recommendations from the 2021 Open-Ended Working Group final report. We reiterate the call to all states to use these tools to move towards a more practical approach in the implementation of the Voluntary Framework for Responsible Behaviour, including confidence-building measures. These exercises show the value of the norms and CBMs as the ideal framework for a safe cyberspace.
They also are the foundation to move towards an action-based approach, which makes it possible to monitor and share best practices in the operationalisation of this global framework for the peaceful and responsible use of cyberspace. To conclude, I would like to underscore the work undertaken by regional organisations in promoting and moving forward the implementation of the 11 non-binding voluntary norms on the responsible behaviour of states in cyberspace, adopted at the Resolution 70-237 of the UN General Assembly. Thank you.
Chair:
Thank you very much, Mexico. Chile, to be followed by Singapore. Please.
Chile:
Thank you, sir. We think that voluntary non-binding norms for the responsible behaviour of states can reduce risks to peace, security and international stability, and they can contribute to increasing predictability and reducing the risks of misunderstanding and can therefore help us to prevent conflicts. We think that we need to promote the implementation of the norms we already have, strengthening capacity at the national level. We also think it is critical that we make headway in developing additional guidelines that will help states to improve understanding about the importance of implementing these norms. On the document we are discussing on a checklist for practical actions to implement the voluntary and non-binding norms, we are grateful to you, sir, and your team for this valuable document, which we think is a helpful contribution which can help countries to better implement the 11 norms. And you have our full support in this regard. We would like to highlight some elements within this document. On A, on the participation in international processes, we wish once again to highlight the Women in Cyber programme, which has made it possible for many women to participate in discussions, and also the special committee for the negotiations of a UN treaty on cybercrime. We also think that the implementation of international law in cyberspace will help us to strengthen stability and security in the use of ICTs. On B, we would like to highlight the inclusive participation in this regard and the use of contact points and at the level of foreign affairs ministries, both at the regional level and at the national level. So, as to foster cooperation and the exchange of information on legal capacities that will be required, we think we need to have training courses rolled out so that we can enhance the implementation of international law in cyberspace. This includes the development of practical simulation exercises at the national and international level. 
This training should be considered not just by policy makers but also at other levels such as the operational level. On Norm C, we think that the global directory for contact points is a valuable way to establish a clear communication channel that would allow a state to provide information about the abusive acts that may be carried out within their territory. The global directory needs to be updated if it is to be relevant and helpful to all states so that states can provide information in real time. On H, states could establish bilateral mechanisms for cooperation. They can sign agreements on cyber security, for instance. This is part of Measure 6 to strengthen confidence in cyberspace of the Organization of American States. If states require aid urgently, then that is something that should be able to be requested, as El Salvador has already pointed out. On I, in particular on supply chains, we think that the security of supply chains is critical to protect the integrity of data and mitigate risks associated with external collaboration. States need to be able to share risk assessments with potential providers, and this includes providing security, revising security policies, if necessary, providing information about prior security incidents, etc. This also implies continued monitoring to identify any suspicious activity. Contingency and resilience plans need to be in place so that states can respond quickly to incidents and ensure that trade can continue. States can share best practices in this regard. Thank you very much.
Chair:
Thank you very much, Chile. Singapore to be followed by New Zealand.
Singapore:
Thank you, Chair. The effective implementation of norms requires a multidimensional approach comprising operational, technical, policy and cyber diplomacy aspects to effectively implement voluntary non-binding norms. It is therefore important for states to organise themselves internally to identify the capabilities across these domains. In this regard, we strongly support the Chair’s effort to develop a draft checklist to guide us in the implementation of norms in line with Line 26 of the Second APR. Singapore further welcomes the use of language from various key sources in the Chair’s checklist, which draws guidance from both the consensus language in the 2021 UN GGE report, as well as the UNIDIR report on the implementation of norms. We also appreciate the clear set of actions outlined in the checklist which will help states, especially small and developing states, take concrete steps to implement them. At the same time, a norms implementation checklist is not a one-size-fits-all solution, and we positively view the Chair’s checklist as broad and flexible enough for states to implement it according to their national priorities and interests.
New Zealand:
Thank you, Chair, and we acknowledge the work by you and your team to produce the Checklist of Norms. The strength of this checklist lies in it carefully and deliberately reflecting what has already been agreed by consensus. This lends it immediate credibility as a practical tool for norms implementation, and we agree there would be value in distinguishing between elements that have achieved consensus and other ideas. There is a clear link between the agreed norms and capacity-building efforts, and this checklist nicely links the two. In our view, the agreed framework for responsible state behaviour is both necessary and sufficient to maintain a stable and peaceful cyberspace, and forms the basis for effective cooperation between states. If consistently implemented by all states, we would then be in a position to assess whether any gaps exist, but unfortunately we do not think we are yet in this position. On the issue of considering new areas for discussion about norms, we therefore think the OEWG could usefully examine what to do when agreed norms are willfully ignored and ways to build accountability. Thank you.
Chair:
Thank you. Switzerland to be followed by Canada.
Switzerland:
Thank you, Mr. Chair. In our statement on threats, we referred to the increasing intensity of ransomware attacks and state-sponsored attacks against critical infrastructure. We therefore see merit focusing on norms referred in C, F, G and H, calling for the protection of all critical infrastructure, supporting essential services to the public, in particular medical and healthcare facilities, as well as cooperation between states for this purpose. The 2021 GGE report provides a good basis for the implementation of these norms. It lists the norms and provides further guidance on how to implement them. But there are also a wide variety of good practice guides available. Regional organizations have already done a lot of valuable work from which we can benefit. As an example, I would like to mention the work of the OSCE on the protection of critical infrastructure. A continued in-depth exchange between the open-ended working group and regional organizations, as well as between regional organizations themselves, would therefore be useful. One of the key elements to protecting and identifying critical infrastructure from ICT threats is establishing a trusted exchange between the critical infrastructure operators and the relevant government authorities. Switzerland has established such an information exchange platform or network. Participation in this network is based on a flexible definition of critical infrastructure. Critical infrastructures are defined as processes, systems, and facilities that are essential for the functioning of the economy or the livelihoods of the population. We are happy to share our experience with other states. In last September, 2023, our parliament also passed an amendment to the Information Security Act which introduces a reporting obligation for cyberattacks on critical infrastructures. These allow us to detect such attacks in an early manner and to inform other providers of critical infrastructures of the threats they might face.
Mr. Chair, Switzerland would like to thank you and your team for the draft paper on the norms implementation checklist. The draft paper is still under consideration in our capital. But allow me to share some initial observations. We understand such practical guidance as a helpful effort and tool in operationalizing the norms. We welcome the fact that the checklist emphasizes the important role of CERTs and CSIRTs. We also welcome the fact that FIRST is mentioned. FIRST plays an important role in the international cooperation of CERTs and CSIRTs and in the area of capacity building. States should create a framework or framework conditions that allow FIRST to operate as freely as possible. We therefore regret all the more that one delegation has vetoed FIRST’s participation in this open-ended working group. We also welcome the recommendation to put in place cooperation between national CERTs and CSIRTs, national authorities, and the diplomatic community under Norm B. In our view, this cooperation and network between the diplomatic and technical community is not only important for the implementation of Norm B, but for the implementation of all norms. The points of contact networks could form a good basis also to help us foster this cooperation between both communities. We believe the checklist could be further refined and developed by building on existing initiatives, exploiting synergies, and working closely with other multi-stakeholders. The vast majority of ICT is provided, maintained, and used by private actors and civil society, which ultimately must be involved in the effort to successfully implement norms. From a practical point of view, it could also be worth considering listing possible measures and then noting for which norms they are useful in their implementation. For example, the creation of CERTs or CSIRTs is currently mentioned in many places in the list, which seems repetitive.
The creation of CERTs and CSIRTs could be proposed once and then mentioned for which norms and their implementation they are useful, but changing a little bit the structure of the checklist. Mr. Chair, let me take this opportunity to mention one multi-stakeholder initiative to support implementation of supply chain security and vulnerability standards, the Geneva Manual. The Geneva Manual offers an action-oriented approach to cybersecurity. It was developed in the framework of the Geneva Dialogue on Responsible Behavior in Cyberspace. The Dialogue analyzes and maps the roles and responsibilities of various actors in ensuring the security and stability of cyberspace. Switzerland, together with Canada, Chile, the Netherlands, and Diplo foundations, is organizing a side event on Thursday during lunchtime to present the Geneva Manual. It will take place at the Swiss Mission, and I would like to invite all delegations to attend this side event. Thank you.
Chair:
Thank you very much, Switzerland. I presume lunch is provided. Thank you for that. No pressure at all. But thank you for your statement. Canada to be followed by Vietnam.
Canada:
Thank you for your patience and understanding, sir. And next time, I’m going to bring a good old-fashioned paper version. So I will take off from where I left off last time when I was giving my speech. The… You can listen to the whole statement, please. Sorry to interrupt you. No problem, thank you. Okay, I will start from the very beginning. Canada would like to thank you for this opportunity to take the floor on this important issue, sir. As we heard during statements on threats, cyberspace remains an environment subject to all sorts of stress and sometimes malicious behavior. This context reveals the importance of stepping up efforts to implement the 11 non-binding norms. Indeed, to respond first to your last guiding question, sir, one of the best ways to implement existing norms is to try, in good faith, to respect these norms. One of the norms is, and I quote, to not knowingly allow the territory to be used to commit internationally unlawful acts with the assistance of ICTs. As identified in the checklist proposed by you, sir, and in the GGE report of 2021, where there’s consensus, and I quote, the norm leads to the expectation that a state will take reasonable measures in… within its existing resources to bring an end to activities underway in its territory by using the proportionate, appropriate and effective measures whilst respecting international law and internal or domestic law. The credibility of members depends, to a large extent, on their ability to deliver on their promise. It is inspiring to see the efforts of several members to achieve this, be this by expending their energy on building capacity to implement norms or by contributing to discussions to help our shared understanding of these norms. There is a whole number of members who are leading by example and specifically showing their good faith. We should further support the implementation thereof of these existing norms. 
Canada welcomes the work of the Chair to make available to members a voluntary checklist and a practical practice. This list draws lessons from the work that has previously been carried out by members, including within the GGE report adopted by consensus in 2021. Mr Chair, the checklist that you have proposed is an interesting option. We will study it carefully and we are very much looking forward to contributing to it. Our work to implement the norms must make effective progress. Thus, we will really become more resilient at the global level. To make serious progress towards this, we need to be focused. This is why we believe that the best use of our resources is to consolidate and to build on what we have already achieved. We nonetheless take note of the first guiding question put by the Chair and the fact that some States have highlighted this, so namely the idea of discussing together if there is consensus on developing new norms or not. As we said, in Canada’s opinion, The OEWG 2021-2025 should focus primarily on implementing existing norms. There’s a lot of work to be done here, and indeed we think that without the implementation of existing norms, it would be very difficult to assess what really needs to be developed or would need to be developed. We do respect the point of view and the contribution of our partners and stakeholders, and you’ve referred to them yesterday morning. While we do that, we’re still not convinced that the new norms that exist might not be able to be respected within the context of existing norms. In our opinion, the structure envisaged for the programme of action, in particular with its virtuous circle, this structure might create the necessary space for the examination of future potential norms if there are indeed lacunae, indeed practical initiatives and technical meetings that are planned for in the POA will contribute to capacity building and therefore to identifying any gaps that might exist between the norms and cyber events. 
That is how we can seek to develop a responsible behaviour framework in the best way. In conclusion, we’d like to provide an example of an implementation of a norm in Canada. The example that we’re going to give you is on 3G, the one that notes that states must protect their critical infrastructure from threats to cyber security. So this is the scenario. We see numerous attacks on infrastructure throughout the world, including in our region. To understand as best as possible the threats that we’re facing, we consult experts, including people in the private sector. The industry furthermore, provides comments to best clarify the regulatory framework that we are planning. Having identified the threats, we also want to identify the infrastructures themselves and thus we need to consider which ones, if affected, could have a negative impact on our population, including on the most vulnerable communities. Civil society is best placed to help us evaluate this based on the sector or the critical infrastructure area. The areas identified as the most relevant include finance, energy, telecommunications and transport. Civil society thus highlights issues to be considered, in particular regarding the right to a private life. In order to consider what measures need to be taken, we need to go off the beaten path, so to speak, and therefore we call upon the circle of academia because this has the potential to contribute. Thanks to our interactions with all these stakeholders throughout the project, the stakeholders understand the ins and outs of the draft that we are trying to draw up, the draft law. This understanding leads to adhesion and a feeling that we are all working together as a team. The draft law that I have just talked about is draft law C-26. This draft law seeks to protect cyber systems that are regulated by our government and are at the basis of our essential infrastructure. 
This draft is going through the Canadian Parliament and the next stage is an article-by-article examination. In conclusion, sir, I’d like to conclude on a very quick personal note. I am absolutely delighted that the Government of Canada, personally speaking, is working with the best experts possible to protect my bank account and my private data. So this is how I want to wrap up my statement, sir. Canada will continue to be actively involved in implementing non-binding norms. Thank you very much.
Chair:
Thank you very much, Canada. I think we have to declare your laptop to be critical information infrastructure, too. It needs all the protection you can get, and I think all our laptops need all the protection we could get. Vietnam to be followed by Brazil. Vietnam, please.
Vietnam:
Thank you for giving me the floor. Vietnam emphasises the importance of a shared understanding how rules, norms and principles apply in cyberspace. We firmly stand behind the endeavour for a unified interpretation regarding the principle of non-intervention in internal affairs in which states, particularly through their online activities in cyberspace, including social networks, should refrain from generating, disseminating and facilitating controversial, negative, false or incendiary content that could potentially disrupt or impact the internal affairs of other nations. Furthermore, Vietnam extends its full support towards clarifying the responsibilities of states in combating production, generation and dissemination of fake news or content which incites violence, hatred, discrimination and terrorism, which is especially crucial in light of the pervasive deployment of AI technologies, especially generative AI. States should assert control over their respective national cyberspaces and potentially restrict access to sources of information that have not been duly verified. Mr Chair, the cyberspace as we know it is highly interconnected and technically developed to the point that many states are considering it as a global common and may become an issue. essential tool for us to realize the promise of practice, tolerance, and live together in peace with one another as good neighbors, as mentioned in the UN Charter. In essence, Vietnam advocates for a concerted effort with the international community to establish robust frameworks and mechanisms aimed at upholding the principles of sovereignty, non-interference, and responsible behavior in cyberspace as good neighbors. Mr. Chair, regarding the development of future norms, this delegation also strongly supports the development and mutual recognition of technical standards regarding electronic evidence to facilitate the handling and verification of the origins of cybersecurity incidents. 
The technical experts are in need of such a tool to allow for a thorough and objective assessment of forensic evidence of ICT incidents through international cooperation activities. We believe that this tool would also contribute to the discussion on attribution of ICT incidents, which has seriously hampered the confidence-building efforts. Thank you, Mr. Chair, for your kind attention.
Chair:
Thank you very much, Vietnam. Brazil, to be followed by Ecuador. Brazil, please.
Brazil:
Thank you very much, Mr. Chair. Brazil is a staunch supporter of the acquis of previous UN processes on ICTs and international security, particularly the voluntary norms of responsible state behavior, which have guided us in the establishing of our national norms and policies to secure our critical infrastructures and information infrastructures. Our legal and institutional framework is currently undergoing a review process, which has already resulted in a more robust legal and institutional framework to tackle this issue. A presidential decree of December 2023 instituted our national cybersecurity policy and established our National Security Committee, whose first meeting will take place on March 20. The policy will provide improved guidance on cybersecurity measures to be taken by all competent authorities, and the committee will monitor the implementation and evolution of the policy and other domestic norms on the issue. It will also ensure ongoing closer coordination between the different government bodies with key mandates in the area represented at the committee, which will meet regularly. Brazil appreciates the work you and your team have done so far to advance our discussions on rules, norms, and principles, and we welcome your discussion paper on a checklist on practical actions for the implementation of the voluntary norms of responsible state behavior in the use of ICTs. They are a useful step in translating general international norms to concrete measures to be adopted at the national level to operationalize those norms in each state. Our relevant national institutions are currently analyzing the draft checklist and will provide specific suggestions as soon as possible. We can already support, however, Colombia’s suggestion to include a reference to the points of contact directory in the checklist for norm B.
Mr. Chair, we reiterate the importance of international cooperation, including through capacity building and the transfer of technology in promoting the national implementation of the norms. We have greatly benefited from the national experiences of other countries, and therefore fully welcome continued knowledge sharing in this area, which will also contribute to better and more targeted capacity building efforts. Regional cooperation has been particularly relevant in this area, and Brazil remains engaged in OASC CERT Americas, for instance, which has been instrumental in advancing the norms related to information sharing on threats and vulnerabilities, and in Mercosur’s Cybersecurity Commission, which has fostered national implementation of the norms through information exchange on cybersecurity legal frameworks, and the ongoing development of a common regional taxonomy. Finally, my delegation takes note of proposals of new norms to be adopted in the future. We believe that, as technology evolves, additional norms will indeed become necessary to address the challenges to the security of states that they could present. We would like to stress, however, that any efforts aimed at eventually developing new norms must be inclusive and therefore take place within the UN, which currently means this Open-Ended Working Group. While we recognize the value of many international initiatives mentioned throughout this and previous sessions in fostering discussions on key cybersecurity issues and participate in many of them, norms will only have effectiveness and legitimacy when negotiated in an open and inclusive manner, in a universal forum, where the needs of all countries, including developing countries, are duly taken into account. I thank you.
Chair:
Thank you very much, Brazil, for your contribution. Ecuador, to be followed by Malaysia, please.
Ecuador:
Thank you very much, Mr. Chairman. Given that this is the first time that my delegation is taking the floor, we’d like to thank you for your efforts and your team for your efforts at the helm of this group, and we’d like to highlight the major work that has gone into the documents that have been provided to us for discussion at this meeting, including the checklist of specific ways to implement the voluntary norms for the responsible behavior of states. On this, my country is fully committed to help. We’d also like to thank the Secretariat for their work and for the efforts for the forthcoming operationalization of the points of contact directory. I would like to say, Mr. Chairman, that for my delegation, we are pleased to see the evolution of our discussions and the level of technical depth we have gone into. A lot of this has been provided by the Women in Cyber program, and we are pleased to have been part of this since March 2023, and my delegation has benefited significantly from this program. And now I get back to the main part of my statement. Like many other states who preceded me in taking the floor, Ecuador would like to acknowledge the need to make headway in the implementation of norms for the responsible behavior of states in cyberspace. We think that the list that you have put forward is very timely. This will allow us to have references and specific measures to achieve the goal of cyber security, to protect critical infrastructure and to ensure that our citizens can have access to a safe, stable cyberspace. Ecuador has tried to move forward on many of the measures that have been put forward in the document. For instance, to have appropriate digital governance, as this is a priority for us. This is currently being seen through a bill on cyber security that we have put forward to bolster our cyber security and also to strengthen our cyber infrastructure. We’d like to learn from other delegations how they have had experiences in this domain. 
The checklist is particularly helpful because it can provide good practices and can help states in specific areas of ICTs. If we are to have a safe global cyberspace, then this needs to be done. And this needs to be done also through public-private cooperation and sustainable, lasting, responsible international cooperation. We need to be mindful of the size of the current challenges and we need to be fully committed to achieving a safe cyberspace for all. I would like to support what was stated by the delegation of Colombia on having a reference on the… the points of contact directory in the document. We will be mindful and listen attentively to what is being said in this discussion, Mr. Chairman. My delegation supports what was said by Kenya on structuring a repository of threats that can be used by states. This can be a way of providing confidence, and it can be used as a confidence-building measure. Finally, Chairman, I would like to express my delegation’s commitment to make further headway in achieving the goals under our mandate, under your leadership. Thank you.
Chair:
Thank you very much. Ecuador. Malaysia, to be followed by Argentina. Malaysia, please.
Malaysia:
Mr. Chair, Malaysia shares your view that the OEWG needs to further develop common understanding of the normative framework, and also continue efforts to implement the agreed norms. The agreed norms are central to the cumulative and evolving framework, and will continue to contribute to international peace and security. Malaysia thanks you, Chair, for your discussion paper on a checklist of practical actions for the implementation of voluntary, non-binding norms of responsible state behaviour in the use of ICTs. Malaysia is still studying the paper, and would like to share our preliminary views. Malaysia joins other states in welcoming the Chair’s discussion paper, which provides a good basis for our discussions. Malaysia appreciates the indication of the non-exhaustive nature of the checklist. Malaysia envisions the checklist as a living document that will continue to be enhanced as we delve deeper into the relevant issues. As mentioned by the UK, this paper could facilitate efforts toward universal baseline. designs. Malaysia further supports Japan’s comments on the importance of embedding security by design in ensuring supply chain security for norm I. Finally, Malaysia agrees with the view of previous speakers that this checklist will assist Member States in the identifications of capacity-building needs for further implementations of the norms.
Argentina:
Thank you very much, Mr. Chairman. Argentina acknowledges the challenge posed by the way in which ICTs are evolving, and we do not think we need new norms. We need to implement the existing norms. We think it is urgent that we effectively implement the norms we have, the norms we have already agreed upon. We would like to highlight that the norms adopted have been placed within our national legislation. They are part of the second national strategy on cyberspace that we have. Mr. Chairman, each state belongs to a specific region with its own characteristics, challenges and threats. As a result of this, it is critical that we promote understanding and international cooperation so that states can have similar tools at their disposal when they pull efforts at the national or international level to implement the norms we have already implemented or approved, particularly within an operable cyber environment. We are grateful for your efforts, sir, in drafting this document and the checklist for voluntary norms and practical measures to implement the norms that have been agreed upon. We think that the document represents a good starting point to support states’ efforts at implementation, but in particular to promote the exchange of best practices and to identify priorities in order to establish capacity building on cyber security in a broad sense to help with the implementation of the norms themselves. 
In terms of the questions on how we can continue to strengthen and broaden inclusive participation and active sustainable participation in international processes, such as for instance in this working group, we think that discussions in this group need to consider efforts that other fora and international organizations have made, international organizations that are dealing with cyber security challenges, such as the International Telecommunications Union, which has 193 member states and a framework on cyber security, and encourage them to be part of our discussions and to put forward proposals. That is why we welcome Norms B and D, the fact that they mention actions that require international cooperation as well as the need to continue strengthening and further developing those mechanisms that can facilitate the exchange of relevant information between international regional relevant bodies to raise understanding about the centrality of ICTs between states. Thank you.
Chair:
Thank you, Argentina. Syrian Arab Republic to be followed by Hungary, please.
Syrian Arab Republic:
Thank you, Mr. Chair. From the outset, my delegation would like to express its appreciation for your efforts to prepare the checklist regarding responsible behavior. We had hoped that this might have been available sufficiently in advance to allow our specialized national agencies to So, we believe very firmly that if we are focusing on non-binding norms, in particular given the voluntary nature of this, we believe firmly that this is not the best approach to make tangible progress in the area of cyberspace. This is particularly true because these norms depend on the interests of states. We think rather that in line with the mandate of this group and given the equal importance of the two processes, we think we need to strike a balance between implementing existing norms and developing new norms, including legally binding norms that can guarantee the application thereof. Here we’d like to underscore what follows. We underscore that voluntary measures are not sufficiently effective to ensure stability and security in cyberspace. Secondly, as we await for a legally binding instrument to be drafted that would impose clear commitments, we underscore the importance of reaching agreement on a global agreement on norms and principles of responsible behavior that would deal with all aspects of behavior in cyberspace and would also contribute to identify the rights and obligations of all parties in a balanced, fair way. We underscore the sovereign right of states to guarantee a national cybersecurity and to have mechanisms and norms linked to that to be established based on the principle of non-interference in domestic affairs. So one principle is to refrain from imposing unilateral coercive measures and other restrictive measures that might hinder states’ ability to access and the various things that are necessary for cyberspace to be developed and in order to appropriately deal with any attacks. So we have reconciliation and mediation. 
We have other peaceful means of settling disputes. These are all crucial things that need to be upheld. Thank you.
Chair:
Thank you very much, Syrian Arab Republic. Hungary, to be followed by Mauritius.
Hungary:
Thank you, Chair. First, I’d like to express my gratitude to you and your team for guiding our work in the room and also for regularly providing a, quote, safe place for continued discussions informally outside of the room. Hungary aligns itself with the statement delivered by the European Union and wishes to add the following in our national capacity. Mr. Chair, in general, we believe that there is a lot member states can still do to promote the existing UN framework for responsible state behavior at national, regional and international level in order to explain to the public how we actually contribute to stronger international cooperation on cyber and ICT security and to addressing existing and emerging threats like ransomware, the potential misuse of AI for malicious purposes or for influencing democratic processes. This is our joint responsibility. Every UN member state has a different story to tell, has different skills and capacities. And even though cyber security is not the first priority for all member states due to other more imminent security challenges, there should be a common baseline to govern our cooperation in this domain. Therefore, my delegation would like to thank Mr. Chair for sharing the discussion paper on the checklist of practical action for the implementation of the 11 voluntary non-binding norms with guiding questions that we will continue to study further in detail. To offer a couple of preliminary views on Norm B, for example, we believe that so far the rising geopolitical tensions and the lack of trust among member states have not allowed for states to agree on any meaningful and unbiased consultation mechanisms on regional or global level to help reduce the risk of misperception and of possible emergence of political and military tensions or conflicts. 
As you, Chair, earlier referred to, the risk of a misuse of ICT technologies turning into an armed conflict is getting a reality, which can be devastating considering the far-reaching spillover effects. Hereby I’d like to refer to the activities of the OSCE aiming for the implementation of the regionally adopted confidence-building measures. We believe that there is an opportunity for member states, big and small, to share their views and experiences from small-group discussions of the aforementioned consultation mechanisms that can further benefit the global consultations as well. Mr. Chair, you asked us what other voluntary measures might be possible to promote international cooperation. That is norm A. I’d like to highlight that diplomats, once working on cyber issues, might soon be assigned to other positions. But you will still have the valuable experience and the network that can be helpful later. So it’s worth to think about building a cyber alumni community for those who served, for example, as a national POC in the global or regional POC directories, or who was part of a fellowship program, such as the U.S.-Singapore Cyber Fellowship Program, or the Women in Cyber Fellowship Programs. Chair, we are looking forward to further engage on these issues later on. Thank you.
Chair:
Thank you very much, Hungary, for your statement and also for your suggestions. Mauritius, to be followed by Albania, please.
Mauritius:
Good afternoon, Chair. First and foremost, let me thank you and your team for all the efforts for coming up with the initial draft of a checklist of practical actions for the implementation of voluntary non-binding norms of responsible state behavior in the use of ICTs upon the recommendation of states. As one of the guiding questions, member states were asked to provide their views on this discussion paper. Mauritius acknowledged that the UN norms act as a foundation for safe and peaceful cyberspace. Mauritius firmly believes that the checklist that has been put forward serves as a comprehensive roadmap, especially for small and developing countries, to navigate through the complex challenges of cyberspace due to the lack of institutional structure, legal and regulatory frameworks, resources, and expertise. Consequently, they are still struggling with the implementation of the existing norms. This checklist could act as a practical tool that could help in identifying and mitigating the challenges of cyberspace. their priorities and also in their implementation efforts. However, while the checklist provides a valuable framework for action, it could be further enhanced. Its successful implementation will require sustained commitment and investment from all stakeholders. Mauritius believes in the adoption of a multi-stakeholder partnership model that allows the government, industry, civil society and the technical community to work together to translate these norms into tangible policies, practices and capabilities that enhance cyber security and protect our collective interests. This collaborative approach incorporating inputs from various stakeholders can serve as a pragmatic framework for fostering cooperation among diverse actors. Moreover, Mauritius is of the opinion that a guideline could be developed to complement the checklist that could greatly facilitate the implementation process in terms of clarity and accessibility. 
The guideline could list out the key points of the checklist into clear and concise language that is accessible to a wider audience. This will ensure that stakeholders including policymakers, government officials and industry leaders can easily understand and follow the guidance provided. Additionally, it could be beneficial to integrate practical examples and case studies to demonstrate how the norms can be applied in real-world situations. This inclusion assists stakeholders in contextualizing the guidance offered and comprehending its significance within their particular context or sector. Thank you, Chair.
Chair:
Albania, to be followed by Australia, please.
Albania:
Dear Mr. Chair, thank you very much for giving me the floor, and since this is the first time that I am speaking, I would like to specifically thank you, the Department of State, who is supporting my participation and my colleagues’ participation here and give me the opportunity to speak in this distinguished floor. I am honored. Albania is committed to bolstering its cybersecurity measures. Despite being ranked the 50th in the National Cybersecurity Index, indicating areas for improvement, Albania is dedicated to enhance the cybersecurity strategy, infrastructure, policies and practices. To address these challenges, safeguard our national interest, to address the international norms and responsible behavior, Albanian government is undertaking several key initiatives. We have revised our cybersecurity law, which is now on the floor on the Albanian Parliament for approval. Over 20 regulations will be addressed, emerging threats and ensuring a robust legal framework that supports both the prevention and the responses, and a new strategy on cybersecurity for Albania will be approved by the end of 2024. Recognizing the importance of resilience infrastructure, we are investing in advanced cybersecurity technologies and systems to protect our critical national assets. Albania is a small country. We need a lot of support in addressing all the issues and needs of our strategy. We’re thankful to the United States government and other countries who are supporting the efforts of the government of Albania in building cyber-resilient, in protecting our critical and important infrastructures, in defense capacity, in defense capabilities in cyber security. We are committed to building the cyber security skills of our workforce and raising awareness among citizens and businesses about cyber risk and best practices. 
During last year and currently we have trained hundreds of IT professionals from the Albanian critical and important infrastructures and from the staff of our institutions and we will continue in this rate. A good part of the training is now offered from our experts but still Albania has a strong need to work with international partners and invest in increasing our capacities. Albania understands that cyber security is a global issue requiring international cooperation. We are actively engaging with international partners and organizations to share knowledge, enhance our capabilities and collectively improve our defense against cyber threats. Through the National Authority for Cyber Security we are currently member of a world-class organization on cyber security. To mention a few, we are full members of FIRST, Counting Ransom Initiative, part of NATO Cyber Coalition exercise. Albania is in full alignment with the NISA guidelines. We are part of, since last year, of this open-ended working group. We are active on implementing CBMs with OSCE. Albania is following a number of initiatives of working with other countries in the Western Balkans and I can promise that by next week we will bring our point of contacts to you. The government of Albania is fully committed to advancing our cyber security measures, protecting our national infrastructures and ensuring the digital safety of our citizens. We recognize the evolving nature of cyber threats and affirm our dedication to continue improvement and international cooperation in the fight against cybercrime. As a final point, Mr. Chair, please allow me to reiterate Albania’s firm position for a global, open, free, stable and secure cyberspace. Thank you.
Chair:
Thank you very much, Albania, for your statement. Australia to be followed by Israel, please.
Australia:
Thank you very much, Chair. I want to start by thanking you and your team for your work on collating the checklist for consideration on norms implementation. As we all know, the implementation of the norms and working together to both understand how these norms assist us helps us address the emerging threats we spoke about yesterday about artificial intelligence, the proliferation of intrusive cyber tools, techniques, malware, cascading effects and spillover effects and other issues that we have been speaking about. This checklist, much of which is based upon consensus and agreed guidance, shows how much work has already been done by this group and also by our predecessors on norms implementation guidance, particularly that of the 2021 group of government experts, which provided in-depth guidance to all countries on how these norms can be implemented and applied. Australia would suggest considering some slight restructuring of this checklist, similar to the points that were raised by several others this morning. We think it is very important to recognise consensus text. We suggest looking at other examples of norms implementation guidelines and work. There is a lot of ongoing work and projects by UNIDIR, by ASPE, by Oxford and others to provide guidance on minimum baselines of norms implementation by states. And most of this work sets out the agreed text, the 2021 GGE norms guidance as chapeau paragraphs, and then sets out the actions that states can take to implement the norms under that guidance. This kind of structure reflects the way that the norms themselves were developed over time, not imposed by the top down, from the top down by the United Nations, but by collecting together the best practice examples of how countries were addressing cyber threats on the ground into this collection of agreed norms that we have today. 
Another aspect that Australia thinks would make this checklist very valuable will be the use of examples of putting this document into practice. That is each of us sharing concrete examples of the ways we are ticking off this checklist and making this exercise valuable, like India, Canada, and others have done this afternoon. And I’d like to follow that example, and in that way answer your guiding question regarding measures or best practices that member states can undertake to protect critical infrastructure from cyber threats. Australia has published non-exhaustive examples of the way Australia implements the 11 agreed norms, and regarding norm G, part of that publication includes information on Australia’s critical infrastructure centre, which brings together expertise and capability from across government to manage the complex and evolving national security risks from foreign involvement in Australia’s critical infrastructure, and is focused on the risks of sabotage, espionage, and coercion, and has identified 11 sectors in which this is taking place. These include a couple of examples, telecommunications, electricity, gas, water, and ports. We have a Security of Critical Infrastructure Act. This provides a range of powers, functions, and obligations that only apply in relation to specific critical infrastructure assets. And we do have specific legislation as well for the protection and, again, additional obligations upon the operators of certain sectors of critical infrastructure. An example of this is the telecommunications sector security reform legislation, which manages cyber risks and other risks to our telecommunications networks and facilities. I won’t go into any more examples, but I do think it’s very encouraging to hear from others your own experiences. 
And we encourage everyone, like Mauritius did before me, to share their experiences and the practical examples of norms implementation here in our statements, but also through publications and through surveys. The reason why sharing our own experiences matters is because this provides a way to help others understand how we interpret the norms. This increases transparency and decreases the risk of miscommunication or miscalculation. And it also helps others and each other understand how we could uplift and review our implementation so that we all collectively increase security in cyberspace. Finally, you asked, Chair, about how additional guidance, including this checklist, can be leveraged to accelerate implementation efforts. And we would suggest that continuing the ongoing work to embed the norms, we should use this checklist and other valuable projects from ASPE, from Singapore, from Oxford and UNIDIR as the basis to self-assess the actions each of us have taken to implement the norms, and very importantly, what actions are still required to implement them fully. We think that surveying implementation through self-assessment provides several benefits. Not only can states identify how they’ve implemented the norms, and I am very confident, as I’ve said before, that every country when we look at our own systems will see that we have implemented the norms in some capacity, but also where the gaps in implementation may be and very particularly in identifying the barriers to implementation. These barriers can include political barriers, for example the issue not being considered a priority on the political agenda, structural or organizational barriers, things like unclear lines of responsibility or ownership of a particular issue, personnel and resourcing barriers, knowledge barriers and financial barriers. And by identifying these barriers we can identify the actions that we need to overcome them. 
We’ve already identified for example a need for increased resources for awareness on implementation through capacity building. And it also helps us with other parts of the framework, for example with capacity building programs. It’s very important to find the gaps to fill to make sure that the capacity building programs for norms implementation are targeted and actually effective. And Australia considers that civil society and regional organisations have a very positive role to play in this endeavour. Particularly because implementation is not a once-and-done thing. It requires review, it requires updating as threats change, as technology evolves and as behaviours adapt. Australia finally remains very committed to working here on mainstreaming the norms that we have agreed and increasing the awareness of the norms in domestic governments and outside of these hallowed halls of the United Nations. And then also increasing our implementation. We think domestically, regionally, by states and with the help of stakeholders is the only way that we are going to see all countries contribute to building a more resilient cyberspace through norms implementation. Thank you, Chair.
Chair:
Thank you Australia for your statement. Israel to be followed by Ghana. Israel, please.
Israel:
Thank you. Thank you, Mr. Chair, for giving us the floor to comment on the important issue of our normative framework. I will do my best to be very concise, especially given this afternoon’s session is almost ending. Answering your guiding question, at this point in time, there is no need, in our opinion, to develop or elaborate any new norms, nor do we see the need for developing any legally binding instruments. We believe that a more cautious approach with respect to norms is required. As things currently stand, there is still a lack of certainty as to the manner in which existing norms and rules are being implemented and interpreted by states. Let us all recall that the 2015 GGE norm rules and principles are voluntary and non-binding in nature and do not detract from or extend beyond international law. Thus, norms are intended to signal expectations of the international community regarding appropriate state behavior. From what we have seen thus far, their implementation has been, at best, short and uneven. Mr. Chair, before embarking on any process of updating the existing norms or developing new norms, it would be more appropriate, in our view, to focus on those norms that currently exist, sharing best practices and assessing whether and how they are being understood and applied, ensuring that there exists a common language and understanding when referring to those norms. For that purpose, the Chair’s discussion paper suggesting a checklist on norm implementation can serve as a good base and can assist us in our further discussions. We would like to support the U.S. suggestions and other states that mentioned also to make sure that the consensual language quoted from the GGE documents be separated in this paper from any additional text added that doesn’t enjoy the same level of agreement. Thank you, Chair.
Chair:
Thank you. Thank you, Israel, for your statement. Ghana, you have the floor, please.
Ghana:
Thank you very much for giving me the floor, Mr. Chair. Mr. Chair, my delegation is pleased to offer a perspective on the discussion concerning the checklist of practical actions for implementing voluntary non-binding norms of responsible state behavior. We wish to focus on norms A, B, E, and G. Regarding norm A, Ghana fully supports the current actions listed and sees them as valuable in fostering regional and international cooperation. However, we believe that states can take several additional steps to enhance cooperation in developing and applying measures to increase stability and security in the use of ICTs. This includes the establishment of bilateral and multilateral agreements, allowing states to enter into agreement with each other to promote information sharing, joint exercises, and coordinated responses to cyber threats. Ghana emphasizes the importance of such cooperation, drawing from our first-hand experience and how beneficial bilateral and multilateral agreements have been to our cyber security development. In addressing your guiding question on ensuring inclusive, active, and sustainable participation, we wish to highlight the role of initiatives like fellowships such as the Women in Cyber Fellowship, the UN Singapore Fellowship, and the EU Cyber Direct Fellowship in building member states’ capacity to participate effectively in such processes. In addition to the actions outlined under norm B, we propose voluntary practical actions such as investing in research and development to enhance national capacity for attribution and incident response. Regular exercises and simulations at national and international levels are also crucial for testing and improving incident responses. This could be facilitated through cyber drills and the development of requisite technical expertise to share knowledge of emerging cyber threats and crisis management capabilities. 
Regarding Norm C, Ghana supports the effective implementation of the POC Directory and has submitted the relevant details needed in this regard due to our firm belief that it is a very beneficial initiative. My delegation believes an active engagement in this process by member states will contribute significantly to implementation at multiple levels. Having active engagement at a diplomatic and technical level can contribute to ensuring that member states benefit from international cooperation as a prerequisite to ensuring that relevant information on cybercrime and existing threats are adequately shared. Mr. Chair, other voluntary practical actions for the implementation of Norm E could include the provision of human rights training and awareness programs for ICT professionals, government officials and other stakeholders. This will promote a better understanding of human rights principles in the ICT domain and ensure that digital rights are upheld online as they are offline. Finally, in addition to the actions listed under Norm G, Ghana fully supports the actions stated in both national and international levels. Sections 35 to 40 of Ghana’s Cybersecurity Act 2020, which is Act 1038, provide a concrete example of our commitment to protecting critical information infrastructure. These sections outline essential provisions such as designation, registration, withdrawal of designation, management and compliance audit of CI, duty onus of CI, and access to CI. For instance, the Act identifies 13 sectors as critical based on the criteria outlined in Section 35. Moreover, Ghana’s recent launch of a directive for the protection of CI on October 1st, 2021, exemplifies our proactive approach to safeguarding our digital assets. This legal framework underscores the importance of adopting legislation and policies to enhance cybersecurity measures, ensuring the resilience of Ghana’s digital infrastructure. 
Currently, the latest key milestone has been the framework for the licensing of cybersecurity service providers, accreditation of cybersecurity establishments, and accreditation of cybersecurity professionals. This regime aims to provide a streamlined mechanism for ensuring that cybersecurity service providers, cybersecurity establishments, and cybersecurity professionals offer their services in accordance with approved standards and procedures, aligning with domestic requirements and international best practices. This process will provide greater assurance of cybersecurity solutions to consumers and acknowledge the crucial role of cybersecurity professionals in supporting and sustaining Ghana’s digital transformation. These measures aim to ensure that accredited professionals contribute effectively to combating cybercrime and protecting critical information infrastructure, thereby supporting Ghana’s digital transformation. Thank you.
Chair:
Thank you very much, Ghana. That was the last speaker. It’s getting close to six o’clock. I do not intend to make a summary per se, but I wanted to very quickly say that this has been a very, very good discussion. From my point of view, I want to thank all of you for responding to the guiding questions. In many ways, this discussion already was a sharing of best practices and experience that in itself I think was very useful. And also talking about norms implementation from national perspective. It also gives everyone a sense of how others are looking at implementation, how others are looking at the norms itself. So very useful discussion. Second, thank you very much for your views, reactions to the discussion paper. Many of you said you will take it back to capitals and discuss further. That’s very good. Thank you very much for that. And having heard the views of others this week, I hope that those views will also be very helpful as you reflect on your own position and as you bring it back into your interagency processes back in capitals. In the context of the discussion paper, as I said earlier, look at it as a voluntary list of actions. It is intended to support the efforts of states as they undertake implementation efforts. It’s supposed to be a catalyst for capacity building. It’s supposed to help at the national level what is already happening and where states certainly are signaling that they will need support in terms of implementation. There was also a sense of the traditional dynamic of a binary framing of the issue in terms of, yes, we don’t need new norms, we just need to implement existing norms, no, we need new norms, and it’s not enough to have just the existing framework and implement them. That traditional binary discussion is something that has been there in the working group. I recognize that. 
But I would also encourage each one of you to look at it not in a binary way, but look at it in a very pragmatic way, in an incremental way, in a step-by-step manner, what is it that we can do to support states implement the existing framework, and at the same time, what is it as we implement these norms, what is it that is appearing to us as areas where we need a discussion on new guidance and new norms potentially, because we need to keep in mind that if there is going to be any discussion on new norms or new guidance for implementation, it has to be the result of consensus. So that discussion has to begin at some point. That discussion has been going on in the working group for some time, but we need to have that discussion. We have received some useful inputs from stakeholders. Certainly evolving technological landscape will also bring in a dimension as to how the existing framework can evolve and adapt, because it is a cumulative and evolving framework, which by definition means that we will have to accumulate layers and layers of understanding so that we all implement it, layers and layers of additional consensus elements that will help us all implement it nationally and also globally. So I think that binary framing is something that we need to go beyond that, and that’s what I was trying to do in my guiding questions, and that’s what is also intended in the discussion paper. So certainly this is a discussion we need to continue at the international in May when you come back, and I would also encourage delegations to talk to each other, interested delegations to talk to each other, and those who have expressed a slightly different view also reach out and talk to the others. This is certainly a work in progress. It’s a discussion paper. We have had a good discussion. More discussion is needed. And we need to find some common ground and see how we can take a step forward. So with those comments, I’d like to thank you all for a long but productive day. 
I wish you a pleasant evening. The meeting will start tomorrow morning at 10 a.m. sharp, Swiss time. The meeting is adjourned. Thank you.
Speakers
Albania
Speech speed: 135 words per minute
Speech length: 596 words
Speech time: 265 secs
Report
Albania is ardently progressing its cybersecurity initiatives in response to its 50th-place ranking in the National Cybersecurity Index, highlighting an essential drive for improvement. Recognising the need to bolster its digital defences, the Albanian government is diligently revising its cybersecurity legislation.
With over 20 new regulations under parliamentary consideration, this overhaul aims to strengthen Albania’s legal framework to counter and adapt to the burgeoning variety of cyber threats. In parallel with legislative reform, Albania’s government is gearing up to endorse a new cybersecurity strategy by the end of 2024.
This strategic document is expected to chart a comprehensive course for the nation’s cybersecurity pursuits. Investments in state-of-the-art cybersecurity technology and infrastructure underline Albania’s commitment to protecting its critical national infrastructure against cyber vulnerabilities. These proactive measures demonstrate the country’s serious approach to mitigating potential cyber risks.
Acknowledging the importance of international collaboration, Albania values the support it receives, particularly from the United States, in its mission to build a robust cybersecurity foundation. It recognises that global partnerships are pivotal to its efforts to improve cybersecurity capacities.
The training of IT professionals in Albania underscores the nation’s dedication to cultivating specialised expertise to protect its critical infrastructure and government institutions. This focus on human capital development is being bolstered by homegrown experts, although there remains a continued reliance on international support to enhance training programs and counteract the international nature of cyber threats effectively.
Albania’s active engagement with various international cybersecurity bodies aligns with best practices and guidelines such as those from the NISA. By participating in esteemed forums like FIRST and the NATO Cyber Coalition exercise, Albania is strengthening international cooperation, leveraging collective knowledge, and building joint defences against cyber adversaries.
Through entering international agreements and partaking in initiatives, Albania demonstrates a steadfast commitment to cybersecurity, observes OSCE confidence-building measures, and collaborates with Western Balkan countries on pertinent cybersecurity matters. In summary, Albania’s commitment to establishing secure, open, and stable cyberspace is unwavering.
The nation is cementing its role as a proactive player in the global effort to ensure a safe and secure digital ecosystem, one that upholds core values and safeguards the digital realm for its citizens and the international community alike.
Argentina
Speech speed: 132 words per minute
Speech length: 407 words
Speech time: 185 secs
Arguments
Argentina acknowledges the need for effective implementation of existing ICT norms
Supporting facts:
- Argentina has incorporated the agreed upon norms within their national legislation, and these form part of the second national strategy on cyberspace.
Topics: Cybersecurity, ICT Policy
National characteristics should shape the implementation of ICT norms
Supporting facts:
- Argentina emphasizes the importance of regional specificities in addressing cybersecurity challenges.
Topics: Cybersecurity, Regional Cooperation
Promotion of international cooperation is crucial for ICT norm implementation
Supporting facts:
- Argentina calls for a collaborative approach using similar tools for implementing ICT norms and highlights the urgency of such cooperation.
Topics: International Cooperation, Cybersecurity
The Chairman’s document is seen as a positive starting point for implementation efforts
Supporting facts:
- Argentina welcomes the document and its checklist for voluntary norms as it supports states’ efforts and promotes the exchange of best practices for implementing cybersecurity norms.
Topics: Cybersecurity, Policy Implementation
Engagement with international organizations like the ITU is necessary for cybersecurity
Supporting facts:
- Argentina advocates for the inclusion of other international organizations, such as the ITU, in cybersecurity discussions to ensure a comprehensive approach to the challenges.
Topics: Cybersecurity, Global Governance
Report
Argentina is demonstrating a significant commitment to fortifying its cybersecurity infrastructure through the integration of international ICT norms into its national legislative framework. This commitment is articulated in the country’s second national strategy on cyberspace, which symbolises a positive sentiment towards the global consensus on cyber security measures.
By enacting these agreed norms into law, Argentina underscores its recognition of the necessity to embody and operationalise these standards at a local level to reinforce the digital security and governance of its information infrastructure. With a sophisticated understanding of the relationship between local conditions and international policies, Argentina highlights the importance of adapting the implementation of these ICT norms to reflect the unique context of each region.
This viewpoint promotes the notion that cybersecurity strategies are most effective when they are sensitive to the regional specificities and national characteristics they aim to protect. Furthermore, Argentina emphasises the urgency and indispensability of international cooperation in the realm of cybersecurity.
The Argentinian stance is grounded in the belief that harmonising tools and approaches for implementing ICT norms is central to mounting an adequate collective defence against cyber threats. The promotion of collaborative efforts underscores Argentina’s foresight in acknowledging that isolated actions may be insufficient in the face of increasingly sophisticated and transnational cyber risks.
In addition to collaboration among states, Argentina advocates the active engagement of various international organisations, including the International Telecommunication Union (ITU). This represents an appreciation for the complex and multifaceted nature of cyber governance, which requires a multitude of perspectives and expertise to address thoroughly.
Argentina also positively regards the existing framework for implementing cybersecurity norms, seeing the checklist for voluntary norms appreciated by the Chairman as a constructive aid to countries looking to bolster their cybersecurity practices. This endorsement of the Chairman’s document points to an inclination towards leveraging established guidelines and sharing best practices as a means of advancing global cyber security efforts.
However, it’s noteworthy that while Argentina supports the strengthening of international cooperation and policy development, it also expresses a pragmatic approach that advocates for concentrating on the effective enactment of the norms currently in place. There is a discernible neutral sentiment towards the notion of creating new norms, with Argentina favouring instead the full realisation and utilisation of existing frameworks.
From the analysis presented, it is evident that Argentina’s posture is one of proactive engagement, with an emphasis on practical application and collaborative progress in cybersecurity matters. Its approach reflects a nuanced and measured balance between respect for the international consensus and an appreciation for regional and national particularities.
The country’s stances and actions suggest a dedication to shaping a secure and resilient cyberspace that aligns with both Argentina’s domestic priorities and the collective interests of the global community.
Australia
Speech speed: 161 words per minute
Speech length: 1158 words
Speech time: 432 secs
Report
At a recent meeting on the implementation of cybersecurity norms, the Australian representative thanked the Chair and their team for an essential checklist developed to aid the application of these norms. The significance of these norms was emphasised, particularly in mitigating the cyber threats linked to advanced technologies like AI, as well as the proliferation of malicious cyber tools and techniques.
The Australian delegate suggested structural improvements to the checklist, advocating for a reflection of consensus texts and the integration of guidance from organizations such as UNIDIR, ASPE, and Oxford. The proposition was to start with a consensus text that would then be complemented by actionable steps, thus reflecting the norms’ progression shaped by best practices derived from international experiences with cyber threats.
Australia shared its adherence to the 11 unanimously agreed norms, especially in the realm of critical infrastructure protection. They pointed to the establishment of the Critical Infrastructure Centre in Australia, which addresses national security risks associated with foreign involvement in essential sectors and protects against espionage, sabotage, and coercive actions.
Examples were given of critical sectors including telecommunications, electricity, gas, water, and ports. Specific legislation was referenced, such as the Security of Critical Infrastructure Act and sector-based legal reforms, particularly in telecommunications, to combat cyber threats. Sharing national experiences was underscored as a means to enhance transparency, mutual understanding, and reduce potential miscommunication that could lead to escalations.
The Australian representative highlighted the utility of the checklist for conducting self-assessments, which can shed light on successful applications of norms and pinpoint areas in need of improvement. Recognising various obstacles—such as political, structural, resource, knowledge, and financial barriers—nations can establish clear strategies to overcome them.
He pointed out that capacity building should be tailored to these specific gaps. The importance of civil society and regional organisations in upholding norm implementation was acknowledged, stressing the dynamic nature of the task which necessitates ongoing vigilance and adjustment as cyber threats and technology evolve.
To sum up, Australia affirmed its dedication to advancing the comprehension and enactment of recognised cybersecurity norms, both within its borders and through collective efforts with regional partners and stakeholders. By promoting extensive, ongoing implementation of these norms, Australia aims to contribute to creating a more secure and resilient cyberspace.
Bangladesh
Speech speed: 154 words per minute
Speech length: 557 words
Speech time: 217 secs
Report
The delegation commenced by commending the Chair for composing a discussion paper that revolves around a detailed checklist, which serves as a guideline for implementing voluntary, non-binding norms that govern the responsible conduct of states in utilising information and communication technologies (ICTs).
They enthusiastically concurred with the contents of the document and recommended it as a cornerstone for further discourse in the realm of cybersecurity. Emphasising the pivotal role of cultural context, the delegation advocated for the integration of cybersecurity education into primary school curricula, believing that instilling early digital literacy is crucial for crafting a defence against cyber threats.
Concurrently, they championed the promotion of a culture of peace in cyberspace, reflective of an analogous campaign at the United Nations, asserting that this principle should permeate the digital sphere. The delegation offered pragmatic measures, like conducting cybersecurity workshops and courses to inculcate vital cyber hygiene practices amongst businesses and government personnel.
They recognised that forming public-private partnerships could vastly improve security measures in the earliest phases of software and code development. They identified the pressing need for standardised protocols in reporting ICT incidents to streamline information sharing and enhance the efficacy of response strategies.
The delegation placed emphasis on comprehensive technical analysis of cyber incidents, encompassing methods, tools employed, and potential origins of threats, and urged an evaluation of the repercussions on critical infrastructure, commerce, and the public. Beyond technical scrutiny, they stressed the significance of a sweeping contextual analysis to consider the geopolitical climate, motives behind cyber incidents, and historical connections.
The delegation advised a cautious approach in attributing cyber incidents, favouring balanced assessments over premature conclusions based on insufficient evidence. The delegation asserted that actionable cybersecurity norms necessitate concerted international collaboration, focusing on providing interpretative assistance to adapt these principles appropriately amidst the dynamic nature of cybersecurity threats.
They acknowledged the disparity in cybersecurity capacities and called for a shared understanding of these norms worldwide. Addressing the skills gap was identified as pivotal, with solutions including the exchange of information, know-how, and expertise among nations, particularly to enhance the cybersecurity posture of the most vulnerable states.
Finally, the delegation proposed the establishment of dedicated fellowships to facilitate the involvement of delegates from developing countries, especially from Least Developed Countries (LDCs), in UN discussions like the Open-Ended Working Group (OEWG), promoting a more inclusive and sustainable international cybersecurity dialogue.
In their closing statements, the delegation summarised their key points, emphasising the intricate link between these issues and the collective responsibility of states to fortify cybersecurity measures.
Belarus
Speech speed: 111 words per minute
Speech length: 436 words
Speech time: 236 secs
Report
Belarus has embarked on a strategic path to regulate its cyberspace by establishing an information security concept that aligns with the country’s policy objectives. This plan is grounded in a commitment to uphold human rights online while enhancing the digital literacy of its populace.
In a move to improve government-citizen interaction, Belarus is introducing an e-feedback system aimed at gathering and assessing public proposals and initiatives, thereby strengthening participatory governance. The state is also concentrating on improving the standard of content across ICT platforms, striving to construct a media environment that consistently delivers high-value, engaging content to the digital population.
This undertaking aims to elevate the quality of information and user satisfaction in the online world. Focusing on cybersecurity, Belarus is advancing towards drafting international cybersecurity documents to supplement existing ones. These documents are expected to enumerate a comprehensive set of unlawful cyber activities, going beyond computer-related offences to cover a wide spectrum of cybercrimes.
Belarus is particularly vigilant about addressing various cyberspace risks, including contextual risks linked to the distribution of harmful multimedia content that may advocate dangerous behaviours. Communication risks, such as cyber-stalking and cyber-bullying, along with consumer risks like the online sale of counterfeit products, are also targeted for legislative action.
Protective measures are being intensified to safeguard children and vulnerable groups from joining online entities that incite danger or becoming ensnared in illegal armed recruitments. The refinement of national legislation is steered by the sovereignty principle, enabling Belarus to develop independent ICT policies and to control information flow, immune to foreign sway.
This is accompanied by a doctrine of ICT neutrality, promising that Belarusian cyber activities will not instigate harm to other nations. In conclusion, Belarus underscores the necessity of defining clear ‘red lines’ in its ICT policy. These boundaries are crucial not only for ensuring the national media sphere’s integrity but also for upholding international media security.
Establishing these parameters is crucial for cultivating a safe, responsible, and collaborative global cyberspace.
Brazil
Speech speed: 172 words per minute
Speech length: 616 words
Speech time: 215 secs
Report
The Brazilian delegate reaffirmed Brazil’s dedication to adhering to United Nations (UN) guidelines on information and communication technologies (ICTs) for international security, highlighting how these norms have influenced the development of Brazil’s national cyber policy. These guidelines have played a pivotal role in protecting Brazil’s critical infrastructure and in securing its information systems.
In a demonstration of its commitment to enhanced cybersecurity measures, Brazil updated its legal and regulatory frameworks with a presidential decree in December 2023, which led to the establishment of a comprehensive national cybersecurity strategy and the creation of a National Security Committee.
The prominence the country is placing on cybersecurity is further emphasized by the upcoming inaugural meeting of this committee on the 20th of March. Support was also expressed for a recent UN discussion paper which offers effective pathways for translating voluntary norms into national legislation, and Brazil welcomed the Colombian proposal to improve the framework by integrating a directory for contact points as stipulated for a particular norm (norm B).
This step shows Brazil’s proactivity in making these guidelines more robust and practical. Brazil places great importance on cooperation at both international and regional levels to strengthen the adoption and comprehension of these norms, acknowledging the benefits of learning from global experiences.
The country recognises the special significance of regional partnerships, with specific praise for the work undertaken by networks such as the Organisation of American States—Computer Emergency Response Team (OAS-CERT) in the Americas and the Mercosur Cybersecurity Commission. These regional entities are instrumental in fostering the sharing of critical information on cyber threats and vulnerabilities, and in the creation of harmonised regional cyber threat classifications.
Furthermore, given the pace of technological advancements and the dynamic nature of the cyber domain, Brazil understands the need for the establishment of new norms. However, Brazil insists that any endeavour to craft such norms should proceed within the inclusive framework of the UN to preserve their efficacy and legitimacy, advocating for a global dialogue that genuinely considers the perspectives and necessities of all countries, particularly ones that are developing.
In conclusion, Brazil’s statement voiced strong support for adhering to existing UN cyber norms while also calling for the continuous refinement of international cybersecurity standards. Emphasizing the significance of an inclusive approach in formulating new guidelines and recognising the UN as the primary platform for these discussions underscores Brazil’s engagement in fostering a collaborative, secure, and equitable cyber future.
Canada
Speech speed: 147 words per minute
Speech length: 1430 words
Speech time: 585 secs
Arguments
Cyberspace is subject to stress and poor behavior, underscoring the need for enhanced effort to implement cyber norms.
Supporting facts:
- As heard during statements on threats, cyberspace remains an environment subject to all sorts of stress.
Topics: Cyberspace Security, International Cooperation
Canada supports the good faith implementation of non-binding cyber norms.
Supporting facts:
- One of the best ways of fostering implementation of existing norms is to try, in good faith, to respect these norms.
Topics: Cyber Governance, International Norms
Support for the specific norm against using one’s territory for internationally unlawful acts using ICTs.
Supporting facts:
- One norm consists of not knowingly allowing the territory to be used for internationally unlawful acts with ICTs.
Topics: Cybersecurity Norms, Territorial Integrity
States are expected to take reasonable measures to end harmful activities originating from their territory.
Supporting facts:
- A state is expected to take reasonable measures within its abilities to bring an end to activities underway in its territory by using proportionate, appropriate, effective measures.
Topics: State Responsibility, Cybersecurity
Report
The discourse surrounding cyberspace security has highlighted a challenging environment rife with misconduct, with statements acknowledging the extensive strains it endures. This highlights the urgent necessity for increased efforts to promote adherence to and reinforcement of established cyber norms. In this context, Canada has positively asserted its support for the dedicated implementation of such non-binding cyber norms, championing international cooperation to sustain cyber governance standards.
Moreover, specific cyber norms dictate that nations prevent their territories from being used for illicit activities related to ICTs on an international scale. Canada’s support for this particular norm illustrates its proactive stance towards upholding cybersecurity and ensuring that international norms are maintained and respected.
Such a position is aligned with the general expectation that nations should enact proportionate and effective measures to counteract pernicious cyber operations originating from their territories, contributing to the global digital order’s stability. It is universally acknowledged that state responsibility in cybersecurity extends beyond mere compliance to active and reasonable engagement against threats developing domestically.
There is an expectation for states to adopt practicable interventions within their capabilities to defuse or mitigate such harmful activities. Canada underscores the importance of credibility in international relations, especially in relation to adherence to cyber norms.
An evaluation of the Canadian perspective reveals that the trustworthiness of nations heavily depends on their ability to uphold their commitments to these norms. Therefore, Canada’s viewpoint suggests that national integrity in cyber norms compliance has significant implications for a nation’s international reputation.
In summary, the analysis depicts cyberspace as a domain demanding astute governance, underscored by concerted efforts toward ensuring norm compliance. The discourse advocates for sincere enactment of cyber norms and recognises the integral link between a nation’s credibility and its commitment to action within cyber governance.
The collected viewpoints call for enhanced international cooperation, aiming to preserve cyberspace as a secure and regulated environment, guided by collectively endorsed rules and frameworks.
Chair
Speech speed: 142 words per minute
Speech length: 2537 words
Speech time: 1075 secs
Arguments
The fourth meeting of the seventh substantive session of the OEWG on ICT security is in session.
Supporting facts:
- Established pursuant to General Assembly Resolution 75-240
- Focus on Rules, Norms, and Principles of Responsible Behavior of States
Topics: ICT Security, Open-Ended Working Group, International Governance
Discussion is to focus on Rules, Norms, and Principles of Responsible Behavior of States.
Supporting facts:
- Chair’s discussion paper provided as part of the meeting documentation
- List of guiding questions made available
Topics: Cybersecurity Norms, State Behavior in Cyberspace, International Cyber Law
Chair encourages succinct summaries for efficient progress in discussions.
Supporting facts:
- Delegates can submit written statements for thorough examination
- Written statements to be published on OEWG website
Topics: Meeting Conduct, Effective Communication
South Africa suggests additional norms to protect against AI-powered cyber operations and attacks on AI systems.
Supporting facts:
- South Africa recognizes the twofold risks of AI and is in support of new norms to manage these.
Topics: Artificial Intelligence, Cybersecurity, Emerging Technologies
South Africa advocates for cyber hygiene and security by design as measures to protect critical infrastructure.
Supporting facts:
- Basics of cyber hygiene include strong passwords, software updates, and multi-factor authentication.
- Security should be integrated into the design and manufacture of technology products.
Topics: Cyber Hygiene, Critical Infrastructure Protection, Security by Design
South African delegation calls for cooperation over competition in ensuring supply chain integrity.
Supporting facts:
- International cooperation is preferred to competition to avoid harmful hidden functions in technology.
Topics: Supply Chain Security, International Cooperation, Cybersecurity Norms
Maintaining international peace and security in cyberspace is a shared responsibility.
Supporting facts:
- Voluntary norms can contribute to conflict prevention
- The GGE report of 2021 provides a framework for responsible state behavior
Topics: Cybersecurity, International Relations
Following the norms, rules, and principles will help secure international peace and security.
Supporting facts:
- India supports the implementation checklist for norms
- Adherence to the GGE report norms is crucial
Topics: Cybersecurity, Peace and Justice
Best practices can protect critical infrastructure from ICT threats.
Supporting facts:
- Comprehensive risk assessments and cybersecurity awareness are essential
- Collaboration on threat intelligence is important
- Regular audits and the establishment of response teams strengthen resilience
Topics: Cybersecurity, Critical Infrastructure Protection
Cybersecurity norms are a crucial intermediary step for responsible state behavior in cyberspace
Supporting facts:
- General Assembly Resolution 75-240 prioritizes the working group’s drafting of rules and principles
- Experts contribute to the organization and order in cyberspace
Topics: Cybersecurity, State Behavior
Existing cyber legislation among top-ranked Global Cybersecurity Index countries indicates the need for new norms
Supporting facts:
- Countries with high rankings in the Global Cybersecurity Index have extensive legislative arsenals
Topics: Cybersecurity Legislation, Global Cybersecurity Index
The binding nature of some cybersecurity norms should be assessed
Supporting facts:
- A checklist on practical actions for norms implementation could be used as a starting point
Topics: Cybersecurity Norms, Binding Nature
UN-negotiated cybersecurity norms should respect country-specific capacities and promote differentiated responsibilities
Supporting facts:
- Not all countries have the same technological and technical capacities
- Common but differentiated responsibilities principle
Topics: Cybersecurity, Developed vs. Developing Countries
Cybersecurity norms must adhere to sovereignty, political independence, territorial integrity, peaceful coexistence, and promote international cooperation
Supporting facts:
- Cybersecurity norms should refrain from recommending states’ domestic behavior
Topics: Cybersecurity Norms, Sovereignty, International Cooperation
The discussion paper on a norms checklist is intended to support states in implementing cybersecurity capacities.
Supporting facts:
- The paper outlines a baseline of cybersecurity capacities.
- It serves as a starting point to support state implementation efforts.
Topics: Cybersecurity, International Norms, Capacity Building
The chair’s discussion paper is meant to provoke a collective discussion and is not final.
Supporting facts:
- The chair acknowledges the desire to have received the paper earlier but emphasizes its purpose for discussion in the meeting.
- Discussion papers are a routine element in international dialogues to initiate collective discussions on draft proposals.
Topics: Policy Discussion, International Collaboration
The checklist aims to be a catalyst for capacity building and accelerate the implementation of ICT security.
Supporting facts:
- The checklist is seen as a tool to support state implementation.
- It aims to identify priorities in tailored capacity building efforts and support the exchange of best practices.
Topics: Cybersecurity, Capacity Building, ICT Security
Colombia expresses gratitude for the Chair’s efforts and reaffirms support and willingness to work constructively.
Supporting facts:
- Colombia thanks the Chair for leadership in the working group.
- Colombia reiterates support and offers continued cooperation.
Topics: International Cooperation, Cyberspace Governance
Colombia advocates for the current flexibility of existing norms and prioritizes understanding and implementation over the development of additional norms.
Topics: Cyber Norms, Cybersecurity, Capacity Building
Colombia suggests discussing principles for the safe deployment of new technologies with a human-centered approach.
Topics: Technology Deployment, Human-Centered Design
Colombia views the checklist as foundational for states’ norms implementation and capacity building prioritization.
Supporting facts:
- Colombia appreciates drafting of the checklist.
- Checklist seen as a tool for identifying implementation challenges.
Topics: Capacity Building, Cyber Norms Implementation
Colombia proposes the global directory as the focal point for information exchange and assistance regarding ICT challenges.
Supporting facts:
- Reference to a global directory for exchanges and ICT assistance highlighted.
Topics: ICT, Global Directory, Information Exchange
Colombia is interested in international experiences with cyber incident response development.
Topics: Cybersecurity, Incident Response
Colombia emphasizes the importance of civil society in promoting and safeguarding human rights online.
Topics: Human Rights, Civil Society, Online Safety
Colombia shares progress on national critical infrastructure strategy and seeks an exchange on best practices for implementing Norm F.
Supporting facts:
- Colombia developing strategy for critical infrastructure protection.
- Interested in international exchange of best practices.
Topics: Critical Infrastructure, Cybersecurity Strategy
Colombia calls for prioritizing global implementation of norms, sustainable capacity building, and fair geographical representation in international processes.
Topics: Global Implementation, Capacity Building, International Representation
Spain welcomes the checklist for voluntary state behavior in cyberspace as a useful instrument to implement consensus norms
Supporting facts:
- Spain underscores existing progress thanks to regional organizations
- The process of implementing norms is not starting from zero
Topics: Cybersecurity, International Norms in Cyberspace, State Behavior in Cyberspace
Spain supports the idea of intersession meetings to enrich discussions
Supporting facts:
- Intersession meeting scheduled for May
- Spain hopes meetings become regular
Topics: Cybersecurity, Diplomatic Processes
Contributions from academia and the private sector are crucial for implementing regulatory frameworks in cyberspace
Supporting facts:
- Spain emphasizes the role and added value of academic and private sectors
Topics: Cybersecurity, Private Sector and Academia Contributions
Expert-guided discussions can highlight which norms need further clarification
Supporting facts:
- Spain suggests targeted discussions in plenary sessions
Topics: Cybersecurity, Expert Discussions
There is a need for confidence-building measures and operationalizing the global register of contact points
Supporting facts:
- Spain highlights importance of confidence-building measures
Topics: Cybersecurity, Confidence-Building Measures
Cybersecurity capacity building and operationalization are interconnected
Supporting facts:
- Spain views these efforts as mutually reinforcing for responsible state behavior
Topics: Cybersecurity, Capacity Building
A code of good practice and information exchange are essential to prevent the domino effect of cyber attacks
Supporting facts:
- Spain advocates for a code of practice and better information exchange between national authorities
Topics: Cybersecurity, Information Sharing
Voluntary and non-binding norms of responsible state behavior are crucial for reducing risks to international peace, security, and stability.
Supporting facts:
- Japan emphasizes the importance of voluntary non-binding norms.
- Discussions on implementation of existing norms are prioritized.
Topics: Cybersecurity, International Relations
Deepening discussions and steadily implementing existing norms are imperative.
Supporting facts:
- Japan appreciates the checklist for implementing norms of responsible state behavior.
Topics: Cyber Norms, Policy Implementation
Protecting critical infrastructure requires the promotion of specific norms and exchange of best practices.
Supporting facts:
- Japan highlights the importance of Norms F, G and H for protection of critical infrastructure.
Topics: Critical Infrastructure Protection, Cyber Norms
Secure by Design principles and SBOM can enhance supply chain integrity and security.
Supporting facts:
- Secure by Design emphasizes security in product development.
- SBOM provides details on software components aiding in vulnerability management.
Topics: Supply Chain Security, Cybersecurity
Incorporating private sector input is crucial for effective cybersecurity measures.
Supporting facts:
- Japan believes in listening to private actors for countermeasures.
Topics: Private Sector Collaboration, Cybersecurity
International capacity building facilitates better understanding and implementation of responsible state behavior norms.
Supporting facts:
- Japan supports training programs for states to understand and implement norms.
Topics: Capacity Building, Cyber Norms
Czechia values the 11 norms for responsible state behavior in cyberspace for stability and predictability.
Supporting facts:
- Czechia emphasized the importance of the 11 norms during open-ended working group sessions.
- Norms are seen as essential elements of the normative framework and complement international law.
Topics: Cybersecurity, International Norms
Czechia appreciates the initial draft of the checklist for cybersecurity guidance.
Supporting facts:
- The draft reflects Czechia’s national implementation of cybersecurity recommendations.
- Czechia considers the draft as a base for further work.
Topics: Cybersecurity, Policy Drafting
Czechia prioritizes protection of critical information infrastructure and supply chain security.
Supporting facts:
- Emphasis on norms G and J of the 2015 GGE report.
- Welcomes guidance that aligns with national implementation.
Topics: Cybersecurity, Critical Information Infrastructure, Supply Chain Security
Czechia advocates for a human-rights-based approach in cyberspace.
Supporting facts:
- Commitment to the implementation of Norm E of the 2015 GGE report.
- Promotion of human-centric digital transformation.
Topics: Human Rights, Digital Transformation
Czechia suggests shared best practices to accelerate norms implementation.
Supporting facts:
- Czechia focuses on sharing experiences and learning from others.
- Advocates for collaborative approach in understanding the process and implications.
Topics: Best Practices, Cybersecurity, Implementation Strategy
Involvement of all relevant stakeholders is crucial in implementing cybersecurity norms.
Topics: Stakeholder Engagement, Cybersecurity Policy
Czechia has established a comprehensive national cybersecurity framework.
Supporting facts:
- Creation of cyber legislation and policy as initial steps.
- Includes establishment of national institutions and processes for cybersecurity.
Topics: National Cybersecurity Framework, Legislation and Policy
China supports the creation of new norms in cyberspace.
Supporting facts:
- General Assembly Resolution 75-240 mandates the OEWG to discuss challenges in data security.
- Global Data Security Initiative proposed by China contains specific commitments.
Topics: Cyberspace Governance, International Law, Data Security
China has introduced the Global Data Security Initiative to guide discussions on data security norms.
Supporting facts:
- The initiative includes commitments on data security, supply chain security, and critical infrastructure protection.
- China advocates against data impairment, unauthorized data location changes, and installation of backdoors by states.
Topics: Data Security, Global Data Security Initiative, Cybersecurity Norms
Implementation of ICT practices should be voluntary, step-by-step, and consensus-based.
Supporting facts:
- ICT development and capacities vary across countries, necessitating a flexible approach.
- The actions should align with UN reports where consensus has been achieved.
Topics: ICT Development, Voluntary Implementation, International Consensus
El Salvador values the practical ways proposed for implementing ICT responsibility norms.
Supporting facts:
- The document presents practical implementation measures for ICT norms.
- Discussions have taken place in previous sessions about responsible behavior in ICT use.
Topics: ICT Responsibility, Cybersecurity, International Cooperation
El Salvador acknowledges the need for national specificity in implementing these norms.
Topics: National Priorities, Capacity Building
International cooperation is essential for effective implementation of certain ICT norms.
Supporting facts:
- Specific norms require international cooperation to be effective.
Topics: International Cooperation, ICT
Support expressed for Global Directory for Contact as critical for implementing certain norms.
Supporting facts:
- The directory is deemed critical for Norms C and H.
Topics: Global Directory for Contact, ICT Policy
Importance placed on promoting and protecting human rights online.
Supporting facts:
- Norm E is focused on human rights online.
- Protection of privacy and freedom of expression online is valued.
Topics: Human Rights, Online Privacy, Freedom of Expression
Inclusion and reduction of gender gap in ICT are important goals for El Salvador.
Supporting facts:
- Experience from regional forums can be a benchmark.
- There is a call for meaningful participation of women in ICT decision-making.
Topics: Gender Inclusion, Digital Gender Gap
El Salvador suggests developing indicators to measure progress on ICT norms and gender equality.
Topics: ICT Norms, Gender Equality, Measurement Indicators
International cooperation, capacity building, technology transfer, and technical assistance are pivotal.
Supporting facts:
- These elements are critical for advancement in implementing ICT norms.
Topics: International Cooperation, Capacity Building, Technology Transfer
Voluntary non-binding norms can reduce risks to international peace and stability.
Supporting facts:
- Non-binding norms contribute to predictability and reduce misunderstanding.
- Preventive measures can help to avert conflicts.
Topics: International Law, Cybersecurity
Enhanced implementation of existing norms and development of additional guidelines are crucial.
Supporting facts:
- Strengthening national capacities is fundamental.
- Developing guidelines can improve states’ understanding of implementing norms.
Topics: Capacity Building, Cyber Norms Implementation
Participation in international processes, including the involvement of women, is essential.
Supporting facts:
- Programmes dedicated to increasing the participation of women in cyber discussions are valuable.
- Negotiations for a UN treaty on cybercrime involve a collaborative international approach.
Topics: Women in Cyber Programme, UN Treaty on Cybercrime
The application of international law in cyberspace reinforces stability and security.
Supporting facts:
- International law applicability can be promoted through national and regional cooperation.
- Training and simulation exercises are recommended for understanding the international law in cyberspace.
Topics: International Law, Cybersecurity
Establishing a global directory for contact points is beneficial for clear communication.
Supporting facts:
- A global directory facilitates real-time information sharing about cyber threats.
- Regular updates of the directory are necessary for its effectiveness.
Topics: Cybersecurity, International Cooperation
Bilateral mechanisms and agreements can strengthen confidence and cooperation in cyberspace.
Supporting facts:
- Organizational measures such as from the Organization of American States are steps towards improving trust in cyberspace.
- Urgent aid requests are in place, demonstrated by the precedent set by El Salvador.
Topics: Cybersecurity, Bilateral Agreements
Security of supply chains is critical for data integrity and risk mitigation.
Supporting facts:
- Risk assessments and security policies need to be shared and revised as necessary.
- Continuous monitoring and contingency plans are essential to respond to incidents.
Topics: Supply Chain Security, Risk Management
New Zealand acknowledges and supports the Checklist of Norms for its reflection of agreed consensus and for its potential as a practical tool for norms implementation in cyberspace.
Supporting facts:
- Checklist reflects agreed consensus
- Seen as a practical tool for implementation
Topics: Cybersecurity, International Consensus
New Zealand believes the agreed framework for responsible state behavior is adequate to maintain stability in cyberspace
Supporting facts:
- Framework deemed necessary and sufficient by New Zealand
Topics: Cybersecurity, International Cooperation
There is a need to examine repercussions and build accountability when states willfully ignore agreed cyber norms
Supporting facts:
- Current assessment of norms implementation is not satisfactory
Topics: Cybersecurity, Accountability
Switzerland emphasized the increasing intensity of ransomware and state-sponsored attacks against critical infrastructure, including healthcare facilities.
Supporting facts:
- Referenced a focus on norms C, F, G, and H for the protection of critical infrastructure.
- Highlighted cooperation between states for protecting critical infrastructure.
Topics: Cybersecurity, Ransomware, State-sponsored attacks, Critical infrastructure protection
The 2021 GGE report provides a basis for implementing norms to protect critical infrastructure.
Supporting facts:
- The report lists norms and gives guidance on their implementation.
Topics: Cybersecurity, Norms Implementation, Reports
Switzerland highlighted the value of regional organizations and suggested benefitting from their work on critical infrastructure protection.
Supporting facts:
- Mentioned the OSCE’s work as an example.
Topics: Regional Organizations, Critical Infrastructure Protection
Switzerland maintains an information exchange platform for critical infrastructure operators and authorities.
Supporting facts:
- Defines critical infrastructure flexibly.
- Information Security Act amendment introduces a reporting obligation for cyberattacks.
Topics: Information Exchange, Public-private cooperation, Critical Infrastructure Protection
Switzerland considers practical guidance like the norms implementation checklist helpful for operationalizing cyber norms.
Supporting facts:
- Welcomed checklist’s emphasis on roles of CERTs and CSIRTs.
- Regrets FIRST’s exclusion from the working group.
Topics: Cyber Norms, Implementation Checklist
The Geneva Manual, a multi-stakeholder initiative, supports implementation of supply chain security and vulnerability standards.
Supporting facts:
- Developed in the Geneva Dialogue on Responsible Behavior in Cyberspace.
- Analyses roles and responsibilities for cybersecurity.
Topics: Supply Chain Security, Vulnerability Standards, Multi-stakeholder Initiatives
Vietnam emphasizes the need for a shared understanding of cyber rules, norms and principles.
Supporting facts:
- Vietnam stands for a unified interpretation regarding the principle of non-intervention in internal affairs in cyberspace.
Topics: Cybersecurity, International Law
Vietnam supports clear responsibilities of states in combating harmful online content.
Supporting facts:
- Vietnam endorses efforts to fight the spread of fake news and content that incites violence, hatred, discrimination and terrorism.
- Vietnam highlights the challenge posed by the pervasive deployment of AI technologies in this context.
Topics: Cybersecurity, Online Misinformation
Vietnam advocates for control over national cyberspaces and restrictions on unverified information.
Supporting facts:
- Countries should assert control over their national cyberspaces and potentially restrict access to unverified information sources.
Topics: Cyber Sovereignty, Information Verification
Vietnam calls for international cooperation to establish cyber norms and mechanisms.
Supporting facts:
- Vietnam encourages a concerted effort to establish frameworks for upholding sovereignty, non-interference, and responsible behavior in cyberspace.
Topics: Cyber Diplomacy, International Cooperation
Vietnam supports the development and recognition of technical standards for electronic evidence.
Supporting facts:
- Vietnam sees the need for tools that allow thorough and objective assessment of ICT incident evidence.
- The recognition of technical standards would contribute to the discussion on attribution of ICT incidents.
Topics: Cyber Forensics, International Standards
Brazil supports the existing UN processes on ICTs and international security.
Supporting facts:
- Brazil is a staunch supporter of the voluntary norms of responsible state behavior, which have guided the establishment of national norms and policies.
Topics: ICTs, UN processes, international security
Brazil is reviewing its legal and institutional frameworks to improve cybersecurity.
Supporting facts:
- A review process has resulted in a more robust framework, with a presidential decree instituting a national cybersecurity policy and establishing a National Security Committee.
Topics: cybersecurity, legal framework, institutional framework
Brazil values international cooperation and technology transfer for implementing cybersecurity norms.
Supporting facts:
- Brazil has benefited from the experiences of other countries and welcomes knowledge sharing, also emphasizing the role of regional cooperation through OASC CERT Americas and Mercosur’s Cybersecurity Commission.
Topics: international cooperation, technology transfer, cybersecurity norms implementation
Further development of new norms for cybersecurity should be conducted inclusively and within the UN framework.
Supporting facts:
- Legitimacy and effectiveness of new norms require open and inclusive negotiations, with the consideration of the needs of all countries, especially developing ones.
Topics: cybersecurity norms development, UN framework, inclusiveness
Argentina recognizes the complexity of evolving ICTs but emphasizes the need to implement existing norms rather than creating new ones.
Supporting facts:
- Argentina has incorporated the adopted norms into its national legislation.
- Argentina is following its second national strategy on cyberspace.
Topics: Cybersecurity, ICT Development, International Law
Argentina highlights the importance of international cooperation for the implementation of cybersecurity norms due to regional differences.
Supporting facts:
- Each state belongs to a specific region with unique challenges and threats.
- The need for states to have similar tools for implementing approved norms.
Topics: International Cooperation, Regional Security
Argentina supports the document and checklist drafted to aid in the implementation of agreed cybersecurity norms and to promote the sharing of best practices.
Supporting facts:
- The document serves as a good starting point for states’ implementation efforts.
- The aim is to encourage the exchange of best practices and identify priorities for capacity building.
Topics: Cybersecurity Best Practices, Capacity Building
Argentina welcomes norms that underscore the necessity for international cooperation and information exchange between relevant bodies regarding ICTs.
Supporting facts:
- Norms B and D mentioned by Argentina specify actions requiring international cooperation.
- The importance of information exchange to increase understanding of ICT significance among states.
Topics: International Norms, Information Sharing, ICT Cooperation
Voluntary measures are insufficient for cybersecurity
Supporting facts:
- The Syrian Arab Republic delegation expresses concerns over the effectiveness of non-binding norms in cyberspace.
Topics: Cybersecurity, International Law
Legally binding norms are necessary for tangible progress in cyberspace
Supporting facts:
- The Syrian Arab Republic advocates for developing legally binding norms for responsible behavior in cyberspace.
Topics: Cybersecurity, International Law
Balance between implementing existing norms and developing new norms is essential
Supporting facts:
- The Syrian Arab Republic’s delegation highlights the need for a balanced approach between enforcing current norms and forming new, legally binding norms.
Topics: Cybersecurity, Legislation
A global agreement on cyber norms and principles is important
Supporting facts:
- The Syrian Arab Republic underlines the significance of reaching a global consensus on behavior in cyberspace and identifying rights and obligations of parties.
Topics: Cybersecurity, International Relations
States have a sovereign right to national cybersecurity
Supporting facts:
- Syrian Arab Republic insists on the sovereign right of states to ensure cybersecurity and non-interference in their domestic affairs.
Topics: National Sovereignty, Cybersecurity
Unilateral coercive measures in cyberspace are not acceptable
Supporting facts:
- Syrian Arab Republic condemns unilateral restrictive measures which impair states’ capabilities in cyberspace.
Topics: Cybersecurity, International Relations
The discussion has been a sharing of best practices and experiences, deemed very useful for understanding national perspectives on norms implementation.
Supporting facts:
- The discussion served as an exchange of how states are looking at implementation and viewing the norms themselves.
Topics: Cybersecurity, International Cooperation, Capacity Building
There is a need to move beyond the binary framing of whether to implement existing norms or develop new ones and instead adopt a pragmatic and incremental approach.
Supporting facts:
- The traditional binary discussion has been prevalent, but a more nuanced view is encouraged.
- The evolving technological landscape necessitates an adaptable framework that accumulates understanding and consensus.
Topics: Cyber Governance, Norms Development, Consensus Building
The Chair encourages delegations to reach out and engage in dialogues with others who may hold different views to find common ground.
Supporting facts:
- Interested delegations are encouraged to talk to each other and aim for consensus.
Topics: Diplomacy, Conflict Resolution, Cybersecurity
The discussion paper serves as a catalyst for capacity building and to support states in their implementation efforts of the existing framework.
Supporting facts:
- The discussion paper is intended to help at the national level and signal where states will need support.
Topics: Cyber Capacity Building, Policy Frameworks
Report
The Open-Ended Working Group (OEWG) on ICT security, which serves as a pivotal forum for global discourse on cybersecurity, is engaged in sessions aimed at formulating a comprehensive framework of Rules, Norms, and Principles of Responsible State Behaviour. These sessions are a direct consequence of the mandate conferred by General Assembly Resolution 75-240, with the OEWG playing a significant role in refining international governance in relation to cyberspace.
The Chair’s method is centred around promoting efficient dialogue through concise submissions of written statements and arguments. This strategy is instrumental in achieving a concentrated and thorough review of contributions, creating a conducive environment where delegates can express their viewpoints in a clear and constructive way.
Throughout the sessions, a range of themes and initiatives have surfaced. South Africa has taken an active stance, underscoring the dual threats posed by Artificial Intelligence and advocating for the establishment of new norms to mitigate these concerns. The nation is also championing cyber hygiene and the notion of ‘security by design’ in technology products, crucial for protecting critical infrastructure.
Significantly, South Africa favours international cooperation rather than competition, mirroring a common belief among nations regarding the significance of joint efforts in securing supply chains. The provision of discussion papers, inclusive of a checklist designed to assist states in norm implementation, has been well received.
States like Argentina and Brazil have supported these aids as practical means of promoting the exchange of best practices. These documents not only provide a foundation for cybersecurity capacities but also guide states in identifying specific implementation challenges and priorities.
Spain, New Zealand, and the Czech Republic have communicated their backing for the OEWG’s strategies. Spain calls for continued intersession meetings to enrich dialogue, New Zealand points out the necessity for accountability when states intentionally contravene agreed norms, and the Czech Republic values the cybersecurity guidance provided by the checklist, in line with national objectives.
Nations have collectively acknowledged the importance of the sessions in enhancing mutual understanding and enactment of the non-binding norms highlighted in earlier reports, as exhibited by India and Switzerland emphasising the need for measures contributing to the prevention of conflicts and the advancement of peace, justice, and strong institutions across cyberspace.
There is widespread agreement that these norms play an essential role in state security as pivotal frameworks in international relations. Japan’s remarks about the non-binding nature of norms have been reiterated by various states, stressing the importance of effective implementation, the appeal for international capacity building, and integration of private sector intelligence for enhanced cybersecurity measures.
Conversely, the Syrian Arab Republic presents a contrasting viewpoint, arguing that voluntary measures are insufficient for cybersecurity. They contend that progress in cyberspace security necessitates a trend towards enforceable, legally binding norms. The Chair of the OEWG has displayed adept management of the sessions, recognising the input of member states and urging dialogue and consensus among those with differing opinions.
The prevailing undertone of the discussions indicates that while each country must devise its national cybersecurity strategy, global stability in cyberspace can only be attained through consistent international cooperation. In summary, the OEWG meetings have facilitated an exchange of diverse perspectives, demonstrating a collective recognition of cybersecurity’s essential contribution to achieving the Sustainable Development Goals (SDGs), especially SDG 16, related to peace, justice, and strong institutions.
The enthusiastic and accommodating attitudes of states towards utilising existing behavioural norms and exploring the possibility of new regulations reflect a commitment to fostering a secure, robust, and harmonious cyberspace.
Chile
Speech speed
138 words per minute
Speech length
630 words
Speech time
274 secs
Report
The statement advocates strongly for the adoption and enhancement of voluntary, non-binding norms to guide responsible state behaviour in cyberspace to ensure international peace, security, and stability. It highlights the role these norms play in preventing conflict by promoting predictability and reducing the likelihood of misunderstandings.
The importance of implementing the established norms at a national level while continuing to develop additional guidelines to encourage state recognition and adoption of these norms is emphasized. The statement lauds a particular document that acts as a checklist for practical actions to enforce voluntary, non-binding norms.
This resource is celebrated for its utility in supporting countries to implement a set of 11 norms effectively, proving particularly beneficial for those striving to meet international expectations. The endorsement of the document and its objectives is clear-cut. Key points are delineated within the statement, relating to the overarching goal of enhancing cyber stability and security through collaborative efforts:
1. Participation in international processes is recommended, with a special mention of the ‘Women in Cyber’ initiative, which has played a pivotal role in increasing female participation in cyber discussions. Additionally, the creation of a special committee designated to negotiate a UN treaty on cybercrime illustrates the global commitment to combatting such issues.
2. Strengthening international law application in cyberspace is proposed, aiming to bolster ICT stability and security. The call for action includes promoting inclusive involvement through foreign affairs ministry contact points and standardising training courses alongside realistic simulation exercises for both policymakers and operational staff.
3. The global directory of contact points is acknowledged as crucial for establishing unambiguous communication channels, allowing states to report within their domains incidents of cyber abuse. It is recommended that this directory be frequently updated to remain relevant and to assist states in addressing situations effectively in real-time.
4. The importance of establishing bilateral cooperation mechanisms for cybersecurity is underscored, with El Salvador’s example providing an insight into the necessity for states to request urgent help when needed. This reflects the type of agreements on cybersecurity, such as those promoted by the OAS through Measure 6 to foster confidence in cyberspace.
5. Addressing supply chain security risks is recognised as a key concern for ensuring data integrity and managing external collaboration consequences. States are encouraged to share risk assessments with potential providers, swiftly update security policies, share information on prior security incidents, and implement ongoing monitoring for suspicious activities.
Robust contingency and resilience plans should be in place to quickly address incidents and sustain trade activities without interruption. The sharing of best practices among states in these areas is promoted.
The summary encapsulates the statement’s main thrust – an unyielding endorsement for enhanced international cooperation, essential for timely information sharing, and the creation of practical mechanisms for a communal effort in strengthening cyber norms’ implementation.
The statement underlines the measures’ significance for individual states and their collective impact on fostering a more stable and secure international cyber environment.
China
Speech speed
160 words per minute
Speech length
404 words
Speech time
152 secs
Arguments
China believes new norms are needed in cyberspace.
Supporting facts:
- General Assembly Resolution 75-240 tasks the OEWG with discussing cybersecurity risks and challenges.
- The growth of data and technology has increased the importance of data protection and security.
Topics: Cybersecurity, International Norms
China has proposed the Global Data Security Initiative as a basis for discussions on cyberspace norms.
Supporting facts:
- The initiative suggests commitments for data security and critical infrastructure protection.
- China suggests not impeding the supply chain or stealing data, not storing overseas data domestically, not obtaining data without permission, and opposing backdoors in products.
Topics: Global Data Security Initiative, Data Security Governance
China views the checklist of practical actions for ICT framework implementation as voluntary and adaptable.
Supporting facts:
- ICT development and capacity vary by country, necessitating voluntary and step-by-step action.
- China is carefully studying the checklist prepared by the EHS.
Topics: ICT Development, Cybersecurity Framework Implementation
China emphasizes the need to balance new norms with existing ones in cyberspace.
Supporting facts:
- China agrees with other speakers on the need for new norms.
Topics: Norm Balance in Cyberspace, Cybersecurity Norms
Report
China has adopted a proactive stance towards developing and harmonising new norms within the cybersecurity sphere, showcasing a positive sentiment towards global consensus-building and retaining harmony with existing protocols. The argument posits that the rapidly evolving data and technological landscape demands elevated data protection and infrastructure reliability measures.
To this end, China has put forth the Global Data Security Initiative (GDSI), which reflects a commitment to setting standards for cyber governance. The GDSI emphasises key commitments: safeguarding data integrity and security infrastructure, avoiding supply chain disruptions, abstaining from unauthorised data acquisition, and rejecting the covert inclusion of ‘backdoors’ in tech products.
Structured to support Sustainable Development Goals (SDGs) 9 and 17, the Initiative underscores innovation and strong partnerships. In the field of Information and Communication Technology (ICT), China holds a neutral stance, proposing that the implementation of the cybersecurity framework should be voluntarily adaptable to each nation’s individual technological capacities.
It acknowledges the global disparity in ICT development and suggests that implementation actions should be congruent with these variations. Currently, China is analysing the checklist for practical actions from the Experts’ High-level Summit (EHS), reflecting a conscientious approach to cyber governance.
Furthering its argument within the international norms landscape, and in support of peace and justice (SDG 16), China aligns with other international actors on the need for novel cyber norms. There is positive acknowledgement of the importance of integrating new norms while respecting existing ones.
Analytically, the discourse reflects China’s strategic intent to influence international norms that resonate with its cyberspace governance vision, while simultaneously aiming to be a cooperative entity in global cybersecurity. China’s consistent engagement with international forums, including adherence to Open-Ended Working Group (OEWG) recommendations and analysis of progress reports, bears testimony to this.
In summation, China oscillates between advocating certain initiatives positively and espousing a neutral view on voluntary adoption. Nonetheless, the primary narrative strives to enhance global infrastructure and promote international partnerships. China’s involvement indicates its ambition to lead the conversation on cyber norms, intending to mould the digital landscape in alignment with its national aspirations and the collective objectives of the global community.
Colombia
Speech speed
142 words per minute
Speech length
478 words
Speech time
201 secs
Report
In expressing gratitude towards the Chairman, the speaker recognises his leadership in steering the working group and preparing for its seventh session, thereby fostering a constructive atmosphere for the meeting. The group reiterates their dedication to support the Chairman and remain engaged in contributing effectively to the ongoing process.
Responding to the Chairman’s enquiry about the potential for new cyber norms, the group expresses their view that the existing norms offer sufficient flexibility to adapt to the cyberspace and emerging technology landscape. The group believes the focus should currently be on promoting understanding and implementation of these norms, rather than on introducing new ones.
They remain, however, open to discussions regarding the development of principles for safely employing new technologies, as long as these are underpinned by a human-centric philosophy. The speaker lauds the Chairman’s effort in developing a checklist that is considered an essential reference for states in applying cyber norms and vital for identifying capacity-building priorities.
It is also viewed as a benchmark for exchanging effective practices and a self-assessment resource for states to identify and overcome their cyber challenges. Providing specific feedback on certain norms:
- The group suggests adding a reference to the global directory under norm B, envisioning it as an effective platform for sharing information and tackling challenges presented by Information and Communication Technologies (ICTs).
- Regarding norm H, there is curiosity about others’ approaches to cyber incidents, indicating a desire to strengthen response capabilities through learning from the experience of other states.
- The emphasis on engaging civil society within norm E highlights the importance of protecting human rights online.
- Touching on norm F, the speaker notes Colombia’s progress in protecting critical infrastructure and encourages the exchange of strategies and best practices between states.
The speaker concludes by stressing the importance not just of global adoption of cyber norms but also of their thorough enactment.
They call for continuous efforts to enhance capacity-building, share effective practices, and ensure equitable geographical representation in forums such as the OEWG. They argue that such a comprehensive strategy is crucial to reinforcing cyber governance and international cooperation. In summary, the detailed account underscores the group’s supportive approach to the existing cyber frameworks and their practical stance on refining and strategically implementing cyber norms.
It also highlights the significance of mutual support and inclusiveness in the effective management of international cyber issues.
Cuba
Speech speed
138 words per minute
Speech length
483 words
Speech time
211 secs
Report
The chairman’s address to the assembly emphasised the importance of developing a comprehensive framework for cybersecurity norms to guide states towards responsible behaviour in cyberspace. This step is seen as vital to creating a secure digital future, with a key role for cybersecurity experts in fostering organisation and disciplined cyberspace activities, aiming for both security and peace-oriented progress.
Drawing authority from the General Assembly Resolution 75-240, the chairman outlined the responsibility of the dedicated working group to formulate rules, norms, and principles governing state conduct in cyberspace, with a flexible mandate that allows for the introduction of new rules as the cyber landscape evolves.
To aid in creating these norms, the chairman suggests utilising the Global Cybersecurity Index by the International Telecommunication Union (ITU). This index, which assesses countries’ commitment to cybersecurity through their legislative frameworks, helps identify effective practices for international norms by examining the highest-ranked countries.
Acknowledging the technological disparities between nations, the chairman called for norms that differentiate responsibilities in line with the varying capabilities of developed and developing countries. The proposed checklist for norm implementation is envisioned to promote a tiered international responsibility in cybersecurity, leading possibly to binding measures.
The chairman advised a tailored approach over universal solutions, considering the unique needs and circumstances of individual countries. Fundamental principles of sovereignty, political independence, and territorial integrity must be respected, ensuring that these cybersecurity norms do not encroach upon states’ internal governance.
In conclusion, the chairman’s address underlined the necessity of balanced cybersecurity norms that align international standards with the diversity of state capabilities and sovereignty, highlighting the complexity of this task and the need for an approach that respects each state’s unique context.
Czechia
Speech speed
175 words per minute
Speech length
401 words
Speech time
137 secs
Report
Czechia has strongly endorsed the EU’s stance, voicing robust support for the 11 norms of responsible state behaviour in cyberspace, underscoring their essential role in promoting stability and predictability. Appreciation was conveyed to the chair for the draft checklist that provides guidance on effective norm implementation, which Czechia deems a solid basis for continued work.
The nation emphasised its dedication to norms G and J from the 2015 Group of Governmental Experts (GGE) report, which focus on protecting critical information infrastructure and ensuring supply chain security. These norms are pivotal to Czechia’s national cyber security strategy.
Czechia has shared its experience in strengthening cyber security through the development of a comprehensive legislative and policy framework. The country views a firm legislative foundation as crucial for building national capacities and enhancing all dimensions of cyber security, echoing the checklist’s recommendations and reflecting Czechia’s domestic efforts.
To promote wider and more effective adoption of the norms, Czechia advocates for the exchange of best practices and lessons learned regarding the practicalities of establishing robust cyber security frameworks, facilitating an improved understanding of the complexities and impacts of implementation.
Czechia called for a detailed dialogue on Norm E from the 2015 GGE report during the Open-Ended Working Group sessions, highlighting the need for a human-rights-based and human-centric approach to digital transformation. This request is indicative of Czechia’s broader commitment to upholding human rights both online and offline.
Furthermore, Czechia’s representative underscored the importance of engaging all stakeholders in conversations and decision-making when applying the norms, indicative of an inclusive mind-set that acknowledges the benefits of diverse contributions and cooperation. In summary, Czechia has reiterated the importance of enacting the 11 norms, their strategic implementation concerning specific national interests, and the inherent necessity for a collaborative approach that includes experience sharing and a firm dedication to human rights.
Czechia advocates for ongoing dialogue and cooperation, both within the EU and at an international level, to advance the security and stability of cyberspace for all parties concerned.
Ecuador
Speech speed
167 words per minute
Speech length
591 words
Speech time
213 secs
Arguments
Ecuador is grateful for the chair’s leadership and acknowledges the significant work in the provided documents.
Supporting facts:
- Ecuador expresses thanks to the chair and team for efforts in guiding the group.
Topics: International Cooperation, Cybersecurity
Ecuador commits to assisting in the operationalization of the points of contact directory.
Supporting facts:
- Ecuador thanks the Secretariat and commits to aid the forthcoming points of contact directory.
Topics: Cyber Governance, International Communication
Ecuador values the contribution of the Women in Cyber program.
Supporting facts:
- Ecuador has been part of the Women in Cyber program since March 2023 and has benefited from it.
Topics: Gender Equality, Capacity Building
Ecuador acknowledges the necessity of implementing norms for states’ responsible behavior in cyberspace.
Supporting facts:
- Ecuador sees the checklist for implementing norms as timely and crucial for achieving cybersecurity.
Topics: Cybersecurity Norms, State Behavior in Cyberspace
Ecuador prioritizes digital governance and is progressing with a bill on cybersecurity.
Supporting facts:
- A bill on cybersecurity has been put forward to strengthen Ecuador’s cybersecurity and cyber infrastructure.
Topics: Digital Governance, National Legislation
Ecuador is interested in learning from other delegations’ experiences in cybersecurity.
Supporting facts:
- Ecuador expresses a desire to learn good practices and to understand other states’ experiences with ICTs.
Topics: International Cooperation, Knowledge Exchange
Ecuador stresses the importance of public-private partnerships and international cooperation for global cyberspace security.
Supporting facts:
- Achieving a safe global cyberspace requires public-private cooperation and responsible international collaboration.
Topics: Public-Private Partnership, International Cooperation
Ecuador supports Colombia’s suggestion to reference the points of contact directory in the document.
Supporting facts:
- Ecuador aligns with the delegation of Colombia regarding the points of contact directory reference.
Topics: International Communication, Document Policy
Ecuador agrees with Kenya on the importance of a repository of threats for state use.
Supporting facts:
- Ecuador supports Kenya’s stance on structuring a threat repository as a confidence-building measure.
Topics: Cybersecurity, Confidence-Building Measures
Report
Ecuador has consistently shown a positive and proactive stance towards international cooperation in cybersecurity and related areas. The nation has expressed gratitude for the chairperson’s guidance, underscoring the value placed on strong leadership within international collaborations. The country’s commitment to the development of a points of contact directory demonstrates its dedication to enhancing international communication and cyber governance.
This commitment indicates a readiness for improved coordination and responsiveness to cyber incidents, echoing a strategic international cybersecurity collaboration approach. Participation in the Women in Cyber program since March 2023 underlines Ecuador’s commitment to gender equality within cybersecurity, reflecting its dedication to capacity-building in this area and contributing to Sustainable Development Goal (SDG) 5’s promotion of gender equality.
This engagement is emblematic of Ecuador’s efforts to close the gender gap in technology and security sectors. Ecuador recognises the importance of formalising norms for state behaviour in cyberspace, regarding the checklist for implementing norms as essential for achieving comprehensive cybersecurity.
This prioritisation aligns with SDG 16’s aim for peace, justice, and strong institutions. Nationally, Ecuador is advancing legislation to reinforce its digital governance and cybersecurity infrastructure. The cybersecurity bill shows the country’s determination to enhance its cyber infrastructure in line with the digital age, advancing objectives aligned with both SDG 16 and SDG 9, which relates to industry, innovation, and infrastructure.
Internationally, Ecuador is keen to learn from other nations’ experiences with ICTs, manifesting a focus on continuous improvement and underscoring the significance of SDG 17, which encourages partnerships for the goals. Ecuador emphasises the need for public-private partnerships and international collaboration to establish a securely interconnected cyberspace, recognising that such cooperation is fundamental to the development of comprehensive, resilient cyber strategies.
Support for Colombia’s proposal regarding the inclusion of a points of contact directory and Kenya’s recommendation for a structured threat repository exhibits Ecuador’s active role in endorsing constructive international policy proposals. In summary, Ecuador’s approach is characterised by a deliberate alignment with vital cybersecurity initiatives, an active commitment to gender equality and digital capacity building, and staunch advocacy for international cooperation in both public and private sectors.
This cooperative drive upholds the global mandate for a secure cyberspace, reflecting the overarching Sustainable Development Goals’ agenda for peace, justice, and strong institutions under effective leadership.
Egypt
Speech speed
146 words per minute
Speech length
536 words
Speech time
220 secs
Report
In the speaker’s address, the representative commenced by expressing appreciation to the Chairman, their team, and the Secretariat for their essential roles in steering the group’s work and ensuring progress within their field. The delegate then reaffirmed Egypt’s commitment to providing support and remaining actively engaged in the ongoing process.
The discussion moved on to the draft elements paper, which comprises an implementation checklist and frameworks for regular institutional dialogue in the future. While Egypt is still thoroughly reviewing these documents, the delegate offered initial remarks in response to the Chairman’s guiding questions.
A primary point highlighted was Egypt’s determination to break free from repetitive conceptual debates that had been occurring for the past 25 years. The speaker called for an action-focused strategy that effectively puts into practice the established norms, rules, and principles that underpin ICT within the realm of international security.
This strategy should complement, not conflict with, ongoing or prospective discussions aimed at enhancing the existing agreed-upon framework. Concerns were raised about the suggested implementation checklist, noting it should be simplified and rationalised. The current version was deemed too detailed and technical, especially for national application, potentially overburdening some states.
Therefore, the delegate indicated that nations would require time to consider and coordinate their positions on these details internally. The representative advocated for a balanced and succinct checklist that would not be exhaustive but would function as a pivotal step towards fully implementing the existing framework.
It was also suggested that the checklist could evolve and adapt over time to keep pace with the ever-changing ICT landscape. The speaker underlined that the checklist should take into account the technological disparities between countries, the diversity of national legal systems, and distinctive regional characteristics.
It should also avoid predefining states’ stances in upcoming dialogues about implementing the framework. Strategic planning within the OEWG was touched upon, with the delegate proposing that the group, at its midpoint, should concentrate on certain key areas, perhaps postponing other long-standing issues to future discussions.
This would ensure essential topics receive the necessary attention while maintaining an efficient approach. To conclude, the delegate reinforced Egypt’s supportive stance towards the work of the group, confirming the country’s resolve to continue playing an active role in the negotiation and cooperation process.
Egypt’s engagement was described as unwavering, with a forward-looking outlook towards international cooperative security in the ever-evolving ICT domain.
El Salvador
Speech speed
157 words per minute
Speech length
487 words
Speech time
186 secs
Report
The delegation has expressed gratitude for the detailed report provided, which presents practical methods for implementing voluntary norms aimed at guiding responsible behaviour by states in the information and communication technologies (ICTs) sector. The report is applauded as a beneficial resource, offering clear guidelines to help countries apply the norms, taking into account their individual circumstances and strategic objectives.
Highlighting the importance of contextual differences between nations, the delegation underscores the necessity for capacity-building initiatives to be tailored to the specific requirements of each nation, rather than adopting a universal approach. They concur with previous discussions indicating that the emphasis should now be on the practical application of these norms by states, building on the established framework for responsible conduct.
The delegation places great importance on international collaboration, pinpointing select measures from the document that could facilitate the effective application of certain norms that require global cooperation. They point out the synergy between the norms and existing initiatives, noting the Global Directory for Contact Points as an essential tool for upholding Norms C and H, through its support for international collaboration and communication.
The delegation explicitly endorses the proposed actions for Norm E, which focus on the safeguarding and fostering of human rights online, like privacy and freedom of expression, reinforcing the principle that digital spaces should honour human rights. Echoing the proposals made by Czechia, the delegation advocates for a sweeping strategy within the United Nations system to ensure that the usage of ICTs becomes more inclusive and accessible.
They highlight the need to protect the most vulnerable in society, particularly children, from the potential dangers of ICTs. Learning from regional bodies, such as the Organization of American States (OAS), is advised for its best practices in promoting gender equality in ICTs.
A call to action is made for the full, meaningful, and equal involvement of women in ICT policy-making, underlining this as a key factor in bridging the digital gender divide and enhancing gender equality in the digital era. The delegation encourages the working group to work towards developing indicators to track progress in overcoming these challenges and to monitor advances made in closing these divides.
In summary, the delegation reaffirms the crucial role that international cooperation, capacity building, technology transfer, and technical assistance play in advancing the implementation of responsible ICT use norms. Their insistence on the importance of these collective efforts is a testament to the delegation’s dedication to collaborative work within the global community, promoting responsible and sustainable use of ICTs.
European Union
Speech speed
137 words per minute
Speech length
1005 words
Speech time
441 secs
Report
The European Union, alongside its Member States and a group of candidate countries comprising North Macedonia, Montenegro, Serbia, Albania, Ukraine, the Republic of Moldova, Bosnia and Herzegovina, and Georgia, as well as the EFTA member Norway, and the microstates of Andorra and San Marino, have jointly expressed firm support for the actualisation of the UN framework on responsible state behaviour in cyberspace.
This framework includes 11 voluntary norms for state conduct. A checklist conceived by the chair of the Open-Ended Working Group (OEWG) was acknowledged for its utility in facilitating understanding, defining the scope, and implementing these norms. There was also an appreciation for previous consensus reports and guidance documents, alongside the recognition of the contributions from regional entities such as ASEAN, the Australian Strategic Policy Institute, and the UN Institute for Disarmament Research (UNIDIR), as well as tools and practices suggested in earlier sessions to aid norms implementation.
The EU pinpointed three main responsibilities from Norm 13C concerning state obligations to prevent and respond to malicious ICT activities and to leverage their capabilities for management and counteraction within their territories. Emphasising the urgency of successful norm implementation, the EU called for consistent collaboration among states and stakeholders, particularly highlighting the role of critical infrastructure operators and the private sector.
Their expertise is crucial in bolstering cyber resilience through improved threat identification, evaluation, reporting, and incident management. Moreover, the EU underscored the importance of the OEWG’s potential role in recommending best practice guidelines for cybersecurity. These guidelines, which organisations could adopt or adapt, might draw inspiration from resources such as the non-state actor-developed Geneva Manual, offering insight into their contribution to norm implementation.
The EU proposed a systematic review process for cyber incidents in line with the normative framework, with a view to generating measured, appropriate diplomatic responses, thereby ensuring reactions to cyber events align with the established norms. The EU and its Member States have been vocal during OEWG discussions about deepening the understanding of the norms’ content, scope, and expectations.
They insist that dialogue on the norms’ application and the relevance of international law to cyber operations attacking critical infrastructure is essential for heightened accountability. In conclusion, the norms checklist is anticipated to boost the OEWG’s efficiency and foster detailed dialogue on national interpretations and applications of these norms.
The EU and its counterparts are eager to continue engaging with the checklist, viewing it as a promising tool to facilitate effective and concrete international engagement.
France
Speech speed
126 words per minute
Speech length
728 words
Speech time
346 secs
Report
In a detailed review of the national address, which echoed the European Union’s position, the delegate began by endorsing the enhancement of guidelines designed to facilitate the execution of the 11 established principles for responsible behaviour in cyberspace. They also supported the new checklist created to assist states with implementation.
The delegate examined good practices in light of European collective progress, highlighting the NIS2 directive as a key development that has strengthened supply chain security within the EU. The directive, which establishes a stringent, common cybersecurity standard, has increased user trust in digital products, acknowledging the critical role of states in protecting this integrity from the constant threat of cyber attackers exploiting vulnerabilities.
The delegate also drew attention to the European regulatory framework with the introduction of the Cyber Resilience Act (CRA), a regulation that sets essential cybersecurity requirements for connected products on the market. This act calls for vigilance from all those in the supply chain, including manufacturers, importers, and distributors, to comply with these standards.
These regulatory models are presented as examples for other countries to follow when devising their cybersecurity initiatives. Addressing the challenge of technological tools’ misuse, particularly for offensive cyber operations, the delegate aligned with views previously articulated by the United Kingdom.
They referenced the collaborative Pall Mall Process, co-led by France and the UK, that fosters responsible state behaviour in cyberspace through inclusive and multi-stakeholder dialogue. The importance of rapid response teams, commonly known as CERTs, was stressed, with France advocating for the use of established networks like FIRST, which connects these teams to facilitate improved coordination during cybersecurity incidents.
The delegate discussed the principle of due diligence, emphasising that states are responsible for ensuring their territories do not contribute to malicious cyber activities. This responsibility forms a part of national sovereignty and underpins inter-state cooperation in incident management. The delegate cited the global point of contact directory, as referenced by the United States, as a crucial tool in this cooperative framework.
The preventative aspect of due diligence was underscored — states should adopt reasonable measures to prevent harmful cyber operations originating from their territory. National capacity to respond swiftly to cooperation requests, as suggested by the Republic of Korea and Japan, was noted as vital in this context.
In conclusion, the delegation highlighted the need for collective advancement in understanding due diligence implications. France expressed a desire to identify best practices and learn from the variety of regional experiences to enrich the global application of this principle. In summary, the delegate’s remarks not only reaffirmed their commitment to EU standards but also showcased Europe’s forward-looking approaches to enhancing cybersecurity measures.
By advocating ongoing dialogue and refinement, especially in terms of due diligence, the communication emphasised a pledge to collaborative and progressive development of international cybersecurity norms.
Ghana
Speech speed
147 words per minute
Speech length
747 words
Speech time
306 secs
Report
In an instrumental meeting focused on adopting responsible state behaviours in cyberspace, a Ghanaian representative provided a detailed insight into the implementation of suggested norms—specifically A (regional and international cooperation), B (capacity-building initiatives), E (human rights), and G (protection of critical information infrastructure).
Underlining norm A, the representative from Ghana voiced their support for the existing checklist, advocating the expansion of cooperative efforts through establishing more bilateral and multilateral agreements. This move is aimed at enhancing information sharing, fostering collaborative exercises, and presenting a unified defence against cyber threats.
Ghana’s positive experiences with such agreements were cited as valuable contributions to strengthening cybersecurity. The Ghanaian delegate emphasised the importance of broad and sustained engagement in cyberspace governance, elucidating the beneficial impact of fellowship programmes such as the Women in Cyber Fellowship, the UN Singapore Fellowship, and the EU Cyber Direct Fellowship.
These initiatives are vital for empowering stakeholders to engage actively in international cyber processes. Addressing norm B, proactive investments in research and development were recommended to enhance national capabilities for attributing cyber incidents and improving responses. The delegation suggested regular cyber exercises at national and international levels, aiming to refine emergency response strategies and share knowledge on emerging threats and crisis management.
For norm E, the Ghanaian delegation advocated for the initiation of human rights training and awareness campaigns targeted at ICT professionals and government officials to underscore the vital need for online human rights respect. The objective is to instil these principles within the fabric of the digital sphere.
Concerning norm G, the representative showcased Ghana’s legal and policy strides, particularly highlighting the Cybersecurity Act 2020 (Act 1038) as a sturdy framework for protecting critical information infrastructure. This Act specifies key sectors, protection protocols, and compliance through routine audits. The recent introduction of a directive for safeguarding critical information infrastructure, along with a framework for the licensing and accreditation of cybersecurity service providers and professionals, was also mentioned.
This regulatory step is designed to harmonise services with national and international standards, strengthening Ghana’s cybersecurity landscape and supporting its digital growth and security. In conclusion, the Ghanaian delegation underlined the nation’s dynamic and thorough approach in creating a resilient cyber environment.
Through strategic legislation, policy, and collaborative efforts, Ghana aspires to tackle cyber threats effectively and foster a secure route for digital transformation. These commitments fortify Ghana’s cyber capabilities and bolster wider international endeavours to sustain peace and stability in cyberspace.
Hungary
Speech speed
133 words per minute
Speech length
547 words
Speech time
246 secs
Report
The Hungarian delegate began by thanking the Chairperson and their team for fostering an environment that facilitated both formal and informal dialogues on cyber and Information and Communication Technology (ICT) security. Hungary’s stance was in line with that of the European Union, but the representative highlighted Hungary’s national perspective on the matter.
The core message from Hungary stressed the potential for UN member states to enhance the framework governing responsible state behaviour in cyberspace. The delegate underscored the urgency of educating the public on the importance of international cooperation in combating cyber threats, including ransomware, malicious use of AI, and interference in democratic processes.
Recognition was given to the diverse experiences and resources of UN members and the varied priorities that might overshadow cybersecurity due to other pressing security issues. Despite these differences, establishing a set of common principles was stressed as critical for guiding international cooperation in cybersecurity.
The Hungarian delegation showed appreciation for the Chair’s discussion paper, which offered a checklist for the implementation of the 11 voluntary, non-binding norms and guiding questions for detailed study. The delegate then turned to Norm B, noting the geopolitical tensions and distrust among member states, which pose challenges to creating unbiased consultation mechanisms at regional and global levels.
These are vital for reducing the risk of misunderstandings and for deterring the possible escalation of political and military tensions. Hungary raised the issue of ICT misuse potentially leading to armed conflict with wide-ranging repercussions and referenced the Organization for Security and Co-operation in Europe (OSCE)’s role in implementing regional confidence-building measures.
The discussion of enhancing global consultations through small-group discussions from regional dialogues was brought up, proposed as a means to improve the exchange of views and experience internationally. In response to the Chair’s question on additional voluntary measures for international cooperation (Norm A), the Hungarian delegate suggested establishing a ‘cyber alumni community’.
This would consist of diplomats and officials with prior cyber issue involvement, aiming to maintain and utilise the accumulated expertise and connections beyond their current postings. The Hungarian representative concluded by reaffirming Hungary’s dedication to continued engagement and dialogue on cyber and ICT security under the United Nations’ framework.
India
Speech speed
123 words per minute
Speech length
327 words
Speech time
160 secs
Report
India has underscored the vital role of global cooperation in attaining peace and stability in cyberspace and endorses a collective approach to managing the attendant risks. By adhering to voluntary norms for responsible state conduct, India believes it possible to stave off potential conflicts by reducing misinterpretations and fostering certainty in international relations.
The 2021 Group of Governmental Experts (GGE) report is acknowledged as pivotal in crafting a comprehensive framework for guiding state action in the digital sphere. Emphasising the significance of these norms, India has commended the Chair for his initiative in devising a checklist to aid nations in implementing the cyber norms.
Regarded as a pragmatic tool, it is intended to help states harmonise their cyber governance strategies with established best practices. Addressing the protection of critical infrastructure from Information and Communication Technologies (ICT) threats, India has shared its practices overseen by the National Critical Information Infrastructure Protection Centre.
These practices are rooted in detailed risk assessments to identify vulnerabilities, shaping the foundation of a defensive strategy. Training programmes and raising awareness form an integral part of the defence, improving stakeholder aptitude in cybersecurity. This is supported by national and international collaborations to exchange threat intelligence, forming a proactive defence network adept at detecting nascent cyber threats.
Incident management strategies highlight the necessity of rapid response teams to contain and mitigate cyberattacks swiftly. Regular auditing ensures the resilience of vital infrastructure through the identification and correction of potential security gaps. Regulatory compliance ensures a minimum standard of protection, and collaborative efforts between entities enhance collective cybersecurity capabilities.
Investments in state-of-the-art technology are crucial to detect and mitigate cyber threats effectively, fostering a culture of continuous improvement in a perpetually changing cyber landscape. India’s methodical and multilayered approach, mirroring international standards for infrastructure protection, presents a systematic model to construct a resilient digital ecosystem.
The practices India champions serve as a beacon for best practice, aspiring to significantly bolster global cyberspace security if embraced worldwide.
Islamic Republic of Iran
Speech speed
153 words per minute
Speech length
549 words
Speech time
215 secs
Report
The speaker began by thanking those present for the chance to participate in the dialogue and proceeded to address the topic of enhancing existing norms. They concurred with the Russian Federation’s standpoint, noting that a number of states have already put forward specific norms proposals, which were incorporated into the summary of the first Open-ended Working Group (OEWG) Chair.
These proposals remain relevant, and the speaker suggested, in accordance with a previous statement from the Bangladesh representative, that discussions should not regurgitate these points but rather be streamlined. The suggestion was made to shift focus from repeating existing proposals towards having the OEWG Chair draft a document that would include new rules, norms, and principles.
This draft should draw from the Annex to the prior Chair’s Summary and serve as a basis for discussion in future sessions, aligned with the mandate from Resolution 75-240. That resolution underscores the need to develop additional norms. The speaker expressed appreciation for the discussion papers provided by the Chair but recommended that future OEWG documents be distributed more promptly, allowing for member states’ internal agencies enough time to analyse these materials well, thus fostering more effective discussion.
The speaker felt that the current initiatives to implement the voluntary non-binding norms for state behaviour in the use of information and communication technologies (ICTs) were premature and advocated for a consensus on a comprehensive set of norms as set out in paragraph one of Resolution 75-240 before focusing on their practical application.
A concern was raised regarding a perceived imbalance in discussions: while there is an emphasis on both the development of new norms and the reinforcement of existing ones, there is an apparent lack of a document outlining the creation of new norms.
This situation seems to be an oversight of the balanced approach that various countries have stressed during OEWG sessions. In summary, the speaker underscored the necessity of a structured and simultaneous progression in establishing new norms and applying existing ones.
They emphasized the importance of using past preparatory work by states to provide a firm foundation for the OEWG, thus enhancing discussions around responsible state behaviour in cyberspace.
Israel
Speech speed
151 words per minute
Speech length
333 words
Speech time
132 secs
Report
The speaker commenced by acknowledging the Chair and expressed a wish to keep remarks brief due to the constrained timetable of the afternoon session. Addressing the Chair’s guiding question, the speaker asserted that it was not necessary to develop new norms or legally binding instruments within the current normative framework.
They called for a more thoughtful approach because of the extant uncertainties surrounding the interpretation and practical adoption of existing norms by different states. The address referenced the consensus of the 2015 Group of Governmental Experts (GGE) on the voluntary and non-binding nature of proposed norms and rules, underscoring that these norms do not impinge on international law but instead guide states towards proper conduct within the international community.
Nevertheless, the speaker noted inconsistent and limited application of these norms, suggesting a lack of common understanding and thorough enactment. The speaker proposed concentrated efforts on the current norms, recommending the exchange of best practices and analysis of how these norms are understood and embraced.
It was emphasised that establishing a common language and comprehension when discussing norms is essential for progress. They commended the Chair’s discussion paper, particularly a checklist for norm implementation that could act as a base for ongoing discourse. The speaker concurred with the United States and other nations on the necessity for clarity in the document, advocating for distinct separation between language that is consensually endorsed in GGE documents and any additional content that might lack universal acceptance.
To conclude, the speaker encouraged a prudent but proactive stance on discussing norms, favouring a solidification of the existing framework over proposing new developments at present. The aim would be to ensure a collective understanding and commitment to the norms, facilitating more consistent and efficient enforcement internationally.
Italy
Speech speed
147 words per minute
Speech length
398 words
Speech time
163 secs
Report
The speaker began by expressing unequivocal support for the statement delivered by the European Union and stressed the significance of operationalising the UN Framework on Responsible State Behaviour in Cyberspace. The framework’s core component, comprising 11 voluntary norms, was acknowledged as crucial for maintaining stability and security in the online environment.
Welcoming the initiative by the Chair, the speaker highlighted a checklist of practical actions designed to assist states in the effective implementation of the UN norms. This checklist is viewed as a valuable guide for countries to reconcile their national policies with international cybersecurity expectations.
The discourse then homed in on the protection of critical infrastructures and the integrity of supply chains—two areas identified as particularly susceptible in the face of increasing cyber threats with notable geopolitical ramifications. The landscape of threats has expanded, marked by the rise of various cyber threat actors, including state-sponsored entities, underscoring the heightened concern for global digital security.
In response to these challenges, the speaker advocated for collective efforts to introduce accountability mechanisms. These mechanisms are crucial for fostering mutual responsibility among states and are key to ensuring that malign actors are held responsible for their cyber operations.
National strategies, including the formation of specialised agencies or centres to oversee ICT security and the establishment of Computer Security Incident Response Teams (CSIRTs), were articulated as essential components in building a strong national defense against cyber threats. The critical role played by the private sector, which often oversees critical infrastructure, was emphasised by the speaker, who highlighted the need for their active participation in cybersecurity.
Public-private partnerships were endorsed as an effective method to bolster cyber defense capacities, while also promoting cybersecurity awareness among relevant stakeholders. With regard to the complexity of securing ICT product supply chains, the speaker advocated for the implementation of security frameworks informed by international guidelines, best practices, and compliance with standards such as those from the International Organization for Standardization (ISO).
These frameworks should be subject to evaluation by an impartial third-party organization to assure the safety and integrity of ICT products and services. Additionally, the creation of national evaluation and security certification centres, as well as the adoption of cyber certification schemes, were presented as crucial initiatives.
These efforts aim to certify and assure the security credentials of ICT products and services, thus enhancing trust within the global digital marketplace. The speaker concluded by looking to the future, eager to continue engaging in dialogue and collaboration on the issues of critical infrastructure protection and supply chain security in cyberspace.
This demonstrates a commitment to sustained communication and cooperation in international cybersecurity efforts.
Japan
Speech speed
110 words per minute
Speech length
402 words
Speech time
219 secs
Report
Japan has championed the importance of voluntary, non-binding norms for ensuring responsible state behaviour in cyberspace to maintain international peace, security, and stability. In discussing this perspective on cyber diplomacy, the focus is on reinforcing these norms through ongoing dialogue and actual adherence.
The Japanese representatives express appreciation for the development of a checklist that assists in the systematic review and enhancement of adherence to established cyberspace norms. The checklist is praised as a key instrument for initiating more detailed discussions about the current regulations, particularly with respect to the protection of critical infrastructure.
Japan emphasizes the importance of actively promoting Norms F, G, and H from the checklist, which it considers vital for the protection of essential services and systems from cyber threats. Japan advocates for the sharing of best practices among nations to fortify cybersecurity strategies, especially around crucial infrastructure.
It highlights the ‘Secure by Design’ principle, which encourages manufacturers to incorporate security features as a fundamental aspect of product development, prioritising this approach over other competitive factors such as feature variety or speed to market. Furthering the Secure by Design philosophy, Japan endorses the adoption of the Software Bill of Materials (SBOM), which provides transparency about software components, their sources, and their configurations.
SBOMs are depicted as essential tools for swiftly identifying vulnerabilities and taking corrective measures, thereby significantly improving the security of the software supply chain. Additionally, Japan draws attention to the value of collective insight, calling for the exchange of effective cybersecurity practices at the Open-Ended Working Group (OEWG) and other international platforms.
It argues that contributions from both governmental and private sector entities are crucial in developing strong cybersecurity defences. Japan concludes by stressing the critical nature of capacity-building for states to fully understand and effectively implement the norms of responsible conduct in cyberspace.
Japan commits to offering continued support through training programmes designed to bolster these educational efforts. The summary provided by Japan outlines a strategic blueprint for cyber diplomacy that harmonizes capacity building, global cooperation, and private sector involvement within a framework based on rules for cyberspace.
Emphasising Japan’s proactive approach, the summary underscores the nation’s endorsement of a cybersecurity ethos that integrates security inherently into product design, along with advocating for supply chain transparency. Japan’s pledge to training and development denotes its dedication to nurturing a shared recognition and uniform enforcement of international cyberspace norms.
Malaysia
Speech speed
137 words per minute
Speech length
228 words
Speech time
99 secs
Arguments
Malaysia agrees with the need to further develop a common understanding of the normative framework for responsible state behaviour in ICT use
Supporting facts:
- Malaysia shares the view that the OEWG needs to work on the normative framework
Topics: Cybersecurity, International Norms
Malaysia underscores the importance of implementing agreed norms to contribute to international peace and security
Supporting facts:
- The agreed norms are seen as central to the cumulative and evolving framework that contributes to peace and security
Topics: Cybersecurity, International Cooperation
Malaysia welcomes the Chair’s discussion paper on practical actions for implementing responsible state behaviour norms
Supporting facts:
- Malaysia joins other states in welcoming the Chair’s discussion paper
Topics: Cybersecurity, Policy Development
Malaysia sees the checklist as a living document that will be enhanced over time
Supporting facts:
- The checklist is indicated as non-exhaustive and open for enhancement
Topics: Cybersecurity, Adaptive Frameworks
Malaysia supports Japan’s position on the importance of incorporating security by design for supply chain security
Supporting facts:
- Security by design is endorsed for ensuring supply chain security
Topics: Cybersecurity, Supply Chain Security
Malaysia believes the checklist will help in identifying capacity building needs for implementing the norms
Supporting facts:
- The checklist is a tool for Member States to identify capacity building needs
Topics: Cybersecurity, Capacity Building
Report
Malaysia’s stance on cybersecurity is marked by proactive and positive engagement with international norms and regulations that aim to ensure secure and peaceful cyberspace, reflecting the objectives of various Sustainable Development Goals (SDGs), including SDG 9 on industry, innovation, and infrastructure, SDG 16 on peace, justice, and strong institutions, and SDG 17 on partnerships for these goals.
In the realm of international norms, Malaysia supports the ongoing work of the Open-Ended Working Group (OEWG) aiming to consolidate a common understanding of norms pertaining to responsible state conduct in the use of information and communication technologies (ICT). This shared perspective is integral to Malaysia’s commitment to maintaining an orderly and secure cyberspace in accordance with globally recognised standards.
The nation also acknowledges the importance of international cooperation, noting the role that agreed norms play in shaping a framework conducive to international peace and cyber security. Malaysia views these agreements as part of an evolving and progressive structure that adapts to the shifting landscape of cyberspace threats and opportunities.
Welcoming practical initiatives, Malaysia is positive about the Chair’s discussion paper, which is interpreted as offering pragmatic guidance for states to apply the aforementioned norms diligently within their national strategies for cybersecurity. The paper serves as a blueprint for operationalising responsible state behaviour in digital interactions.
For adaptive frameworks, Malaysia appreciates the checklist’s role, seeing it as a living document open to ongoing enhancement. This dynamic approach ensures that cybersecurity measures remain effective against emerging threats and challenges in the digital domain. On supply chain security, Malaysia endorses the ‘security by design’ principle, aligning with Japan’s position on incorporating security features from the initial stages of design.
This proactive strategy is believed to significantly reinforce supply chain resilience against cyber-attacks and other threats. Capacity building is highlighted as a key aspect for the successful application of cybersecurity norms. Malaysia values the utilisation of the checklist as both a reference guide and a tool for Member States to pinpoint specific capacity-building requirements, underlining the importance of tailored approaches in strengthening cybersecurity infrastructure.
In summation, Malaysia adopts a comprehensive and anticipatory approach to cybersecurity. The country is committed to multilateral and synergistic efforts that foster the formulation, refinement, and application of a wide array of cybersecurity policies and practices. Such efforts not only contribute to creating a safer digital world but also uphold the international commitment to sustainable development.
This stance demonstrates an inclusive strategy that addresses technical, policy, and international cooperation aspects of cybersecurity, in line with the pursuit of global sustainable progress.
Mauritius
Speech speed
132 words per minute
Speech length
413 words
Speech time
188 secs
Report
Mauritius has expressed gratitude for the development of the preliminary draft checklist designed to assist in the implementation of the recommended voluntary and non-binding norms for responsible conduct in ICT, as proposed by the UN. This tool is especially beneficial for smaller and developing nations that are challenged by their limited institutional structures, legal and regulatory capacities, as well as a lack of resources and expertise.
The recognition by Mauritius of the UN norms as crucial for securing a safe and peaceful digital environment highlights the importance and need for such checklists. Mauritius appreciates the checklist as a starting point but stresses the necessity to enhance its practicality and applicability.
For the norms to be effectively realised, Mauritius recognises that ongoing effort and contributing investments from all involved entities are imperative. To achieve a more successful implementation, Mauritius endorses the establishment of a multi-stakeholder partnership model involving governments, industry partners, civil society, and technical experts engaging collaboratively to translate these norms into applicable policies, practices, and cybersecurity capabilities.
This collaborative approach is suggested as a versatile and practical method that encourages cooperation among diverse actors in cyberspace. Additionally, Mauritius suggests complementing the checklist with detailed guidelines aimed at improving clarity, accessibility, and ease of implementation for various stakeholders.
The proposition is that these guidelines would simplify the critical aspects of the checklist into a more comprehensible format for a wider audience, including policymakers, government officials, and industry leaders. Mauritius advises that the inclusion of practical examples and case studies within these guidelines would be beneficial in illustrating the practical application of the norms.
Such illustrations could facilitate stakeholders’ understanding of the importance of the UN norms within their specific environments or sectors. In conclusion, Mauritius underscores its support for the checklist as an essential instrument for guiding responsible state behaviour in cyberspace and promotes its improvement with additional guidelines and practical examples.
This enhancement is envisioned to create a clearer, more inclusive, and effective cybersecurity framework, driving forward an integrated multi-stakeholder approach.
Mexico
Speech speed
142 words per minute
Speech length
429 words
Speech time
181 secs
Report
Mexico has consistently demonstrated a firm commitment to the practical implementation of cyber norms and standards agreed upon by consensus within the Group of Governmental Experts (GGE) and the 2021 Working Group. The nation emphasises the importance of these norms in fostering a secure and accessible cyber environment, advocating that the guidelines they provide are pivotal for responsible state behaviour in the digital realm.
It’s important to note that these guidelines aim to set clear expectations for mutual behaviour but do not impose new obligations on states. The Mexican representative highlights the framework’s flexibility, which is intended to adapt to the ever-changing digital landscape.
This adaptability is key to enabling states to tackle emerging challenges and exploit new technological opportunities. Mexico’s dedication to cybersecurity is further evidenced by its support for ongoing discussions within the current Open-Ended Working Group and its advocacy for a permanent dialogue mechanism to bolster state cooperation in cyberspace.
The country also commends the recommendation of additional norms proposed in the second annual progress report and endorses their implementation as essential for guiding cyberspace conduct by states. These recommendations are derived from the final reports of the GGE and the 2021 Working Group.
Furthermore, Mexico reconfirms its participation in the National Survey for Implementation put forth by the United Nations Institute for Disarmament Research (UNIDIR), an initiative recommended in the 2021 Open-Ended Working Group’s final report. Mexico’s call to action encourages all states to employ these available tools to foster a practical and responsible approach when applying the Voluntary Framework.
Confidence-building measures (CBMs) are particularly emphasised as fundamental in cultivating a trusted cyberspace and in laying the groundwork for a proactive strategy. Through such measures, there is hope for effective monitoring and sharing of best practices in bringing the global framework into operation, with the objective of securing a peaceful and responsible engagement with cyberspace.
In conclusion, Mexico acknowledges the valuable role played by regional organisations in advancing the implementation of 11 non-binding voluntary norms related to responsible state behaviour in cyberspace, which were endorsed by the UN General Assembly Resolution 70/237. This recognition serves to appreciate the collective regional efforts that contribute towards promoting and enforcing these critical cyber norms.
Netherlands
Speech speed
145 words per minute
Speech length
605 words
Speech time
250 secs
Report
The Netherlands has reinforced the EU’s collective stance on the importance of norms for guiding responsible state behaviour in the cyber realm, which are seen as crucial complements to the rules of international law. Expressing appreciation for the Chair’s discussion paper, the Dutch delegate valued the practical norms implementation guidance it provided, offering a checklist for states to follow at national and international levels.
Although still reviewing the paper, the Netherlands shared some initial observations. The Dutch delegate emphasised the significance of Norm C, which discourages states from allowing their territory to be used for the perpetration of international wrongful acts. The Netherlands fully supports this norm, recognising its pivotal role in combating cyber threats posed by non-state actors.
The delegate proposed that by discussing and clarifying this norm’s content, scope, and conditions, states can improve transparency around their national interpretations and application. The Dutch view is to treat due diligence not only as a norm but also as a rule of international law in the cyber domain.
Furthermore, comments were offered on Norm E, which centres on human rights. The Netherlands advocates for states to develop positions on the application of international law, including human rights law, within the ICT environment. The Dutch delegate highlighted two essential elements for inclusion in the norms implementation checklist.
The first is the promotion of freedom of expression as a means of combating discrimination and bridging the digital divide, including gender disparities. The second is recognition of the consensus from previous reports on the harmful effects of unlawful or arbitrary mass surveillance practices on human rights, notably the right to privacy.
The comprehensive summary emphasises the Netherlands’s focus on practical measures, the establishment of clear cyber norms, and the commitment to human rights safeguards within cyberspace. Highlighting the necessity for a transparent, cooperative international approach to cyber governance and human rights protection, the Dutch position underscores the importance of transparency, dialogue, and adherence to the rule of law.
This approach is central to the Netherlands’s engagement with shaping cyber norms and enhancing international cooperation in cybersecurity.
New Zealand
Speech speed
144 words per minute
Speech length
198 words
Speech time
82 secs
Arguments
The Checklist of Norms is a credible and practical tool for implementation.
Supporting facts:
- Reflects what has been agreed by consensus.
- Links agreed norms with capacity-building efforts.
Topics: Cybersecurity, International Norms
The agreed framework for responsible state behavior is adequate for a stable cyberspace.
Supporting facts:
- Forms the basis for effective cooperation between states.
- Necessary and sufficient for maintaining stability in cyberspace.
Topics: Cybersecurity, International Cooperation
New implementation assessment can begin after universal norms adherence.
Supporting facts:
- Before assessing gaps, implementation by all states is necessary.
- Current position has not reached this implementation milestone.
Topics: Cybersecurity, International Norms
The OEWG should focus on accountability for ignored norms.
Supporting facts:
- Examine consequences for willful non-compliance.
- Develop measures to build accountability.
Topics: Cybersecurity, International Law, Accountability
Report
The discourse surrounding cybersecurity consistently evinces a positive sentiment with regard to the Checklist of Norms, which is regarded as an essential tool to reinforce international norms and promote responsible state behaviour in line with Sustainable Development Goal (SDG) 16’s aim of peace, justice and strong institutions.
The checklist is acknowledged as an embodiment of consensus, commended for pairing agreed norms with capacity-building endeavours and marked as a credible, practical means for achieving cyber security. This tool is praised for its necessary role in the pursuit of a safe cyberspace and is viewed as foundational for effective international cooperation.
It is believed that adherence to these norms can facilitate collaboration amongst states, augmenting peace and governance at a global scale, thereby aligning with the principles of international law and cyber governance. A prudent, neutral stance is noted in relation to the timing of evaluating the implementation of the norms.
Before conducting a new assessment, there is a call to wait until the checklist has been universally accepted, suggesting that to fully gauge the success of the framework, broad commitment must first be secured. Amidst the supportive discourse, there is a compelling call for the Open-Ended Working Group (OEWG) to focus on accountability for states that intentionally flout the agreed norms.
This reflects an understanding that the mere establishment of norms, without proper enforcement mechanisms, is not sufficient to ensure the security and stability of cyberspace. By addressing the non-adherence and evaluating enforcement mechanisms, participants are signalling an evolution in the dialogue towards the necessary balance between aspirations and enforceable actions.
In summation, the conversations about the Checklist of Norms in the realm of cybersecurity express an overwhelmingly affirmative view, painting a picture of an international community keen on structured approaches to regulating behaviour in digital spaces. The dialogue adeptly interweaves advocacy for the checklist with calls for accountability measures, revealing a nuanced appreciation that firmly places norms within an operational framework.
Therein lies a staunch commitment to champion a fortified and enforceable strategy that is instrumental to bolstering global cyber stability, true to the heart of SDG 16.
Republic of Korea
Speech speed
145 words per minute
Speech length
576 words
Speech time
238 secs
Report
The Republic of Korea’s delegation has recognised the foundational work essential for the implementation of cybersecurity norms endorsed by the UN General Assembly and established in the Group of Governmental Experts (GGE). To support states on both domestic and international levels, the delegation advocates for an extensive checklist to formalise this process.
This tool aims to ensure the thorough incorporation of necessary cybersecurity measures across different jurisdictions. In cybersecurity, the Korean delegation views voluntary, non-binding norms as key to acclimatising states to the normative cybersecurity framework. Such norms cultivate a conducive environment for mutual understanding, creating a pathway toward widespread consensus on cybersecurity practices.
These guidelines are also crucial in readying states and stakeholders for cybersecurity incidents. Their non-binding and flexible nature is particularly appropriate given the rapidly evolving nature of cyberspace and technological advancements. The delegation stresses the importance of inclusiveness, pointing out that non-binding norms can bridge divides both within and across countries.
The suggested checklist is envisaged as a tool to uncover weaknesses and guide capacity-building. The checklist must be intrinsically connected to these strategies for effective results. Emphasising intra-national coordination and interagency cooperation, the Korean delegation cites their National Cyber Security Center as an example of the benefits of a coordinated security monitoring approach.
They highlight the checklist’s need to address responses to ICT activities by state actors and illegal actions within sovereign regions. The delegation calls for clarity in norms to prompt rapid responses to cyberattacks, paying particular attention to the operationalisation of a ‘due diligence’ norm amidst various national capabilities.
Concerning supply chain integrity, the delegation underlines the need for partnerships between governments and ICT firms. They advocate for establishing normative principles early in software development to shield public services and critical infrastructure from cyber threats. Drawing on their experience since 2013, South Korea shares their devised guidelines for administrative and public institution information systems, aimed at protecting supply chain integrity.
In closing, South Korea is keen to benefit from international best practices in state-private sector coordination, notably with ICT companies. They look forward to engaging discussions on this front, indicating their commitment to supporting capacity-building in developing nations. The expanded summary highlights South Korea’s dedication to collaborative advancement in cybersecurity and an appeal for comprehensive guidance to bolster global ICT practices’ robustness and resilience.
Russian Federation
Speech speed
132 words per minute
Speech length
643 words
Speech time
292 secs
Report
The Russian stance on various cyber issues, as presented to the Open-Ended Working Group (OEWG) on cyber norms, covered the following points:
1. Strict Adherence to OEWG Mandate: The speaker emphasised the necessity for the OEWG to adhere to its mandate, which is to develop rules, norms, and principles governing state behaviour in cyberspace. Concerns were noted over a bias towards existing voluntary norms rather than crafting new ones, which could deviate from the mandated unbiased approach necessary for establishing comprehensive cyber norms and principles.
2. Distribution of Documents in a Timely Manner: A procedural issue was highlighted regarding the late distribution of pertinent documents, such as the substantive document released by the OEWG Chair a week before the session. This limited time frame, particularly with the provision of documents solely in English, is seen as a barrier for non-English speaking members, restricting them from conducting an in-depth analysis and consulting before forming an official stance. It was requested for future documents to be circulated at least two or three weeks prior to meetings to allow for adequate preparation time.
3. Initiating Discussions on New Cyber Norms: The need for detailed discussions on new cyber norms was asserted, pointing out that current dialogues are neglecting the importance of evolving these norms. Proposals that were part of the national contributions from the 2019-2021 Chair’s Summary were said to be overlooked. The development of new standards of responsible state behaviour in cyberspace was highlighted as being of paramount importance.
4. Transition to Legally Binding Cyber Rules: Russia, backed by other nations, is advocating for transforming the current set of rules, norms, and principles into a legally binding agreement. The address presented specific suggestions for norms, including the sovereign right to manage national information spaces, preventing ICT misuse in violating state sovereignty, objecting to unfounded cyber operation allegations that lead to sanctions, and resolving disputes through non-aggressive means such as dialogue and consultations.
5. Proposal for a UN Convention on International Information Security: The summary refers to a proposal for a UN Convention on International Information Security, submitted by Russia and other states, aimed at preventing conflicts and ensuring the peaceful use of ICTs. The proposal, presented at the onset of 2023 and brought to the OEWG and the 77th session of the UN General Assembly, seeks to provide a strong basis for international cooperation in cyber security.
6. Participation in Future Cyber Governance Discussions: The conclusion underlines Russia’s commitment to engage constructively within the OEWG framework, advocating for a balanced approach to state proposals in cyber security governance. There is also an anticipation that the mechanisms reporting on the adherence to norms should be coupled with the establishment of corresponding legal obligations, emphasising the importance of legal frameworks in international cyber security.
Overall, the summary contains detailed elements essential for understanding Russia’s perspective and contributions to the international cyber governance dialogue, highlighting the emphasis on moving towards binding international legal frameworks to ensure responsible state behaviour in cyberspace.
Singapore
Speech speed
128 words per minute
Speech length
205 words
Speech time
96 secs
Report
Singapore has shown a firm commitment to the comprehensive operationalisation of voluntary non-binding norms in cybersecurity, emphasising the need for a meticulously layered approach. This approach is inclusive of operational, technical, policy-related, and cyber diplomacy efforts.
Highlighting the importance of internal coordination within states, Singapore asserts that such synchronisation is crucial to maximise capabilities across these multifaceted domains. Further expressing robust support for the Chair’s initiative, Singapore endorses the drafting of a practical checklist as a significant tool for states.
This checklist, recommended by Singapore for its utility, especially for small and developing states, aligns with the directives from Line 26 of the Second Annual Progress Report (APR). With verbiage and notions echoing the 2021 United Nations Group of Governmental Experts (UN GGE) report and the UN Institute for Disarmament Research (UNIDIR) report on norm implementation, the checklist stands out for its clarity in guiding states through the cyber norm implementation process.
Singapore acknowledges the draft checklist’s structured approach to facilitating state actions in aligning with cyber norms, underpinning the checklist’s flexible nature that allows bespoke adjustments to reflect national interests. Ultimately, Singapore emphasises the intrinsic value of providing structured yet adaptable assistance to states as they navigate the complexities of cyber norm implementation.
These insights further articulate the necessity for a blend of standardised guidance with allowance for individual state customisation to cater to specific national scenarios in cybersecurity norm adoption.
Slovakia
Speech speed
140 words per minute
Speech length
516 words
Speech time
222 secs
Report
Slovakia, in line with the European Union, emphasises the vital importance of universally adopting the United Nations Framework for Responsible Behaviour in Cyberspace, acknowledging the diverse capabilities of member states in implementing these guidelines. The country emphasises the framework’s 11 voluntary, non-binding norms, highlighting their role in fostering international cooperation, ensuring accountability, and maintaining trust among nations to preserve the stability of essential services online.
The country supports the Chair’s proposal for a norms implementation checklist, regarding it as a pragmatic tool that could improve adherence to the UN framework on both national and international fronts. Slovakia is dedicated to refining this checklist, advocating for comprehensive discussions with fellow delegates and stakeholders to increase its practicality and effectiveness.
Slovakia recognises various contributory initiatives to the discourse on cyberspace, like the UN Institute for Disarmament Research’s (UNIDIR) survey and the implementation guidelines by Singapore’s UNIDAT and the Australian Strategic Policy Institute. These facilitate the broader conversation on the effective realisation of the norms.
Slovakia also connects the proactive enactment of these norms to the strengthening of national cybersecurity measures, pointing to the integral roles of national legislatures, operators of critical infrastructure, the private sector, and industry experts in advancing compliance with the UN framework.
The nation foresees the Programme of Action as a sustainable and evolving mechanism beyond the current dialogues of the open-ended working group, one that would enable continuous collaboration and action-oriented dialogue. The repercussions of violating the established cyber norms are exemplified by recent malicious cyber activities that have compromised vital services and democratic processes, notably including the Russian cyber operations against Ukraine.
These incidents highlight the serious implications of non-compliance on wider security dynamics. Slovakia calls for a collective, thorough comprehension of the norms’ substance and extent, stressing the need for the international community’s expectations of norm adherence to be consistent with the recognised boundaries of responsible state behaviour in the cyber sphere.
In summary, Slovakia is advocating for detailed discussions that drive compliance, enhance predictability, and suggest balanced diplomatic responses. Such discourses are critical for building international collaboration to tackle the common security challenges in the cyber arena. Slovakia’s approach not only respects the EU’s existing protocols but also demonstrates an engaged effort to refine and apply a comprehensive cyberspace framework, underscoring its commitment to bolstering global digital security.
South Africa
Speech speed
139 words per minute
Speech length
321 words
Speech time
139 secs
Report
The South African delegation has presented a well-considered response to the chairperson’s guiding questions, discussing the development and reinforcement of cyber norms and the responsible use of information and communication technology (ICT), particularly in light of the challenges posed by advanced technologies like artificial intelligence (AI).
In the realm of developing additional norms, South Africa suggests that new norms should be derived after evaluating the shortcomings evident in the enforcement of current norms. The delegation showed support for a specific norm addressing the risks associated with AI-driven cyber operations and strengthening the defences of AI systems.
This stance resonates with the suggestions from recent multi-stakeholder consultations, highlighting South Africa’s recognition of the need for international norms to evolve concurrently with technological advancements. Addressing the protection of critical infrastructure against ICT threats, the South African delegation emphasised the critical role of fundamental cyber hygiene measures as a foundation for safeguarding both critical and information infrastructure.
Advocating for basic, yet powerful, practices such as stringent password policies, regular software updates, and the implementation of multi-factor authentication, the delegation underlined the significant improvement in security that can be realised through such steps. Moreover, the South African delegation proposed a deeper, ingrained approach to security, recommending that security should be a central consideration in the design and manufacturing of technology products.
This concept of ‘security by design and default’ suggests that foreseeing security concerns at the inception of development, rather than as an afterthought, can inherently produce more secure systems and devices. With regard to the integrity of the supply chain and the prevention of harmful hidden features within technology products, the South African delegation has advocated for a collaborative approach among states.
They have called for a consensus on unified principles, arguing against the fostering of competitive tensions, which implies a preference for collective security benefits and the avoidance of a disjointed approach to ICT governance. Finally, the delegation acknowledged the chair’s discussion paper that provides a checklist for the enactment of voluntary non-binding norms of responsible state behaviour in utilising ICTs.
They have indicated an intention to review this document thoroughly and expressed a willingness to reconvene to further discuss their insights on the chair’s recommendations. To conclude, the contributions of the South African delegation reflect a sophisticated awareness of the complex threats and challenges posed by the integration of AI and other cutting-edge technologies into cyberspace.
Their balanced approach recommends the establishment of new protective norms, reinforcement of cybersecurity practices, adherence to secure design principles, international cooperation, and careful contemplation of best practices for state conduct in cyberspace.
Spain
Speech speed
129 words per minute
Speech length
444 words
Speech time
207 secs
Report
The speaker begins by expressing gratitude for the engagement on cyberspace matters and endorses the proposed checklist that promotes voluntary behaviour for states in cyberspace. This checklist is anticipated to be an effective tool in implementing widely accepted norms. The speech recognises that the process of instating norms in cyberspace is built on substantial progress, with regional organisations contributing significantly.
Such developments highlight the commitment of states to strengthen multilateralism and concrete application of these norms. There is an enthusiastic welcome for the upcoming intersessional meeting in May, seen as an opportunity to advance the discussions. The speaker anticipates that such technical meetings will become regularly scheduled to complement plenary sessions and enrich the content of the annual report.
It’s crucial that these consultations draw on academic research and the technical know-how of the private sector when shaping the framework that governs state behaviour in cyberspace. The address underscores that confidence-building measures are essential for fostering trust between states.
An example provided is the establishment of a global register of contact points, intended to expedite communication in response to cyber incidents. The speaker connects the significance of capacity-building to these measures, suggesting they reinforce one another and encourage appropriate conduct online.
A proposal for best practices and information sharing amongst competent national authorities is set forth as a proactive deterrence to the domino effect of cyber threats. The speaker implies that mere agreement on norms is inadequate without these preventive steps and confidence-building efforts.
In conclusion, the speaker stresses the urgent need for a comprehensive framework to regulate state actions in cyberspace, indicating that a code of conduct and improved international communication are key to mitigating the risks of cyber threats and their impacts.
The address advocates for a coordinated international effort, underlining the necessity of cooperation, transparency, and ongoing dialogue for a more secure cyberspace. It asserts that the collective responsibility of all stakeholders is vital for achieving progress and maintaining security in the digital realm.
Sri Lanka
Speech speed: 144 words per minute
Speech length: 748 words
Speech time: 312 secs
Report
The extended statement emphasises the critical importance of safeguarding critical infrastructure (CI) and critical information infrastructure (CII) against threats emerging from information and communication technology (ICT). Such protection is portrayed as vital for national security and economic stability. The emphasis is on the adoption of comprehensive rules, norms, and principles guiding ICT usage, crucial for security and consumer rights protection, spurring innovation, and ensuring ethical conduct in the digital realm.
To this end, the statement suggests a set of measures for Member States, advocating for in-depth risk assessments to identify vulnerabilities within CI and CII. These assessments would facilitate the development of bespoke risk management strategies, potentially varying according to each country’s definition of CI and CII.
The statement also underscores the necessity to establish and enforce regulatory frameworks that mandate security standards in CI and CII sectors, with reference to Sri Lanka’s effort to fortify its CII and government entities by crafting a cyber strategy involving a cybersecurity readiness survey.
Investment in advanced cybersecurity technologies such as artificial intelligence (AI), machine learning, and behavioural analytics is highlighted as key to enhancing threat detection and response capabilities. The statement further addresses the ethical and practical norms required for responsible ICT utilisation, touching upon privacy respect, data protection, intellectual property rights, and widespread accessibility, including maintaining net neutrality and ensuring equal treatment of internet traffic.
The responsible use of ICT is expanded upon by advocating against hacking and cyberbullying, and by endorsing sustainable practices and digital inclusivity to bridge the digital divide. Despite these norms’ criticality, challenges in adherence are acknowledged, leading to considerations of a mandatory protocol to achieve ICT usage uniformity across Member States.
This protocol aims to establish an inclusive and responsible ICT ecosystem that balances user rights protection with the promotion of innovation and overall societal advancement. In conclusion, the statement recognises the complexities of ICT regulation in juxtaposing protection and innovation with ethical usage.
It underscores Member States’ responsibilities in enforcing robust measures and norms while recognising potential adherence difficulties. The prospect of a mandatory system is contemplated to facilitate a coherent and sustainable global approach to ICT governance.
Switzerland
Speech speed: 154 words per minute
Speech length: 817 words
Speech time: 318 secs
Report
Switzerland has expressed grave concerns about the rise of ransomware and state-sponsored cyberattacks targeting crucial infrastructures, emphasising the necessity to adhere to international norms C, F, G, and H. These norms focus on safeguarding essential services, notably healthcare facilities. The country advocates for strengthened international collaboration to enhance security and resilience against such threats.
According to Switzerland, the 2021 Group of Governmental Experts (GGE) report provides a robust framework for implementing these protective norms, augmented by various good practice guides. The Organisation for Economic Co-operation and Development (OECE) and other regional bodies are acknowledged for their contributions to critical infrastructure protection.
Switzerland encourages further dialogue between different entities to exchange best practices. Switzerland points to its own national strategy, highlighting the establishment of a network for exchanging information between critical infrastructure operators and governmental bodies. The strategy recognises a wide array of systems and facilities vital to national well-being and economic stability.
Willing to share their insights, Switzerland also mentions a recent amendment to their Information Security Act enacted in September 2023, which requires reporting of cyberattacks on critical infrastructures, thus improving threat information sharing. In response to the draft paper on norms implementation, Switzerland finds the practical guidance beneficial for operationalising the norms and appreciates the inclusion of Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs) in the checklist provided.
However, Switzerland regrets the exclusion of FIRST (Forum of Incident Response and Security Teams) due to opposition from one delegation, noting that this obstructs progress. Switzerland advocates for collaboration between national CERTs and CSIRTs, state authorities, and the diplomatic community, in line with Norm B, and suggests creating points of contact networks to enhance interaction between the technical and diplomatic domains.
To improve the effectiveness of the checklist, Switzerland proposes streamlining repetitive content and developing a more comprehensive checklist that directly links actions to the pertinent norms. Finally, Switzerland promotes the Geneva Dialogue’s Geneva Manual, which offers practical guidelines for responsible behaviour in cyberspace.
It invites delegations to a side event at the Swiss Mission to discuss the Geneva Manual and underscores the importance of multi-stakeholder involvement in upholding cybersecurity and implementing international norms.
Syrian Arab Republic
Speech speed: 129 words per minute
Speech length: 364 words
Speech time: 169 secs
Arguments
Syrian Arab Republic expresses appreciation for the checklist on responsible behavior but prefers it to be available sooner.
Supporting facts:
- Delegation wanted the checklist in advance for review by specialized national agencies.
Topics: Cybersecurity, International Cooperation
Syrian Arab Republic believes non-binding norms are insufficient for tangible progress in cyberspace.
Supporting facts:
- These norms depend on state interests and are voluntary in nature.
Topics: Cybersecurity, International Law
Syrian Arab Republic advocates for legally binding norms to ensure application and stability in cyberspace.
Supporting facts:
- A legally binding instrument is needed to impose clear commitments.
Topics: Cybersecurity, Legally Binding Agreements
Syrian Arab Republic underscores the need for a global agreement on norms and principles of responsible behavior in cyberspace.
Supporting facts:
- Such an agreement should cover all aspects of behavior and balance rights and obligations.
Topics: Cybersecurity, Global Governance
Syrian Arab Republic emphasizes the sovereign right to national cybersecurity and non-interference in domestic affairs.
Supporting facts:
- States have the right to establish cybersecurity mechanisms and norms based on non-interference.
Topics: Sovereignty, National Security
Syrian Arab Republic opposes unilateral coercive measures that hinder states’ cyberspace capabilities.
Supporting facts:
- Unilateral measures may impact a state’s ability to develop cyberspace and respond to attacks.
Topics: Cybersecurity, Economic Sanctions
Syrian Arab Republic supports peaceful means for settling disputes in the cybersphere.
Supporting facts:
- Advocates for reconciliation, mediation, and other peaceful dispute settlement methods.
Topics: Cybersecurity, Dispute Resolution
Report
The Syrian Arab Republic has actively voiced its position on international cybersecurity, advocating for a globally binding agreement to delineate responsible behaviour in cyberspace. Syrian authorities appreciated the provision of a checklist outlining responsible cyber conduct, yet recommended that such documentation be dispatched earlier to allow for thorough evaluation by their specialised agencies, thus aligning with international cybersecurity standards and facilitating national adherence.
Syria’s engagement with international cybersecurity cooperation comes with a critical perspective on current voluntary norms, which it deems insufficient due to their reliance on individual state interests and lack of enforceability. Consequently, Syria has championed the creation of legally binding norms, arguing that they are crucial for establishing clear, consistent commitments and thereby fostering stability and equitable governance within the cyber realm.
Syria’s advocacy extends to the formation of a global agreement, stressing that it should comprehensively address cyber behaviour and balance the rights and obligations of states, thereby bolstering cybersecurity and fairness in global cyber governance. This underscores the Syrian standpoint that legal instruments, rather than suggestions or voluntary norms, are indispensable in ensuring compliance and progression in the cybersecurity landscape.
Upholding the sovereignty principle, Syria asserts the right of states to independently formulate cybersecurity policies and mechanisms without external interference, thus prioritising national autonomy within cyber governance. This standpoint reflects a broader call against international overreach into national cyberspace policymaking.
Further criticism is directed at unilateral economic sanctions, which Syria condemns for hindering cybersecurity development and the capacity of a nation to counter cyber threats effectively. This critique aligns with concerns over the negative consequences these sanctions have on international cybersecurity collaboration.
In regard to resolving cyberspace disputes, Syria’s preference for peaceful resolutions, such as reconciliation and mediation, is evident. This mirrors Syria’s diplomatic approach to foster a cooperative, fair, and secure cyber environment. In conclusion, the Syrian Arab Republic has shown a consistent and positive sentiment towards the establishment of a global, legally binding cyber framework.
By advocating for mandatory commitments supported by international law, Syria has made it clear that voluntary norms are not enough to guarantee cybersecurity stability on a global scale. Syria’s engagement with the international community spotlights its determination to contribute to a secure, just, and effectively regulated international cyberspace.
United Kingdom
Speech speed: 143 words per minute
Speech length: 821 words
Speech time: 345 secs
Report
Good afternoon, Chair. The delegation has positively engaged with the draft discussion paper on voluntary cyber norms and recognises its potential for tailored application in various state contexts. The comprehensive nature of the agenda is in line with the Global Cybersecurity Capacity Centre at the University of Oxford, which advocates for a universal baseline in cybersecurity capacities.
This approach seeks to ensure consistency in the application of norms while respecting the diverse needs and governance frameworks of different states. The delegation endorses the importance of raising awareness about these cyber norms among national policymakers and stresses the need for their integration into domestic governance structures.
Acknowledgment is given to how the draft paper successfully combines the agreed positions from the 2021 GGE report with new perspectives. Nevertheless, the delegation recommends that the levels of consensus reached on these topics should be clearly outlined and explained. Our delegation, addressing the commercial market for intrusive ICT capabilities, builds on previous comments about the growing cybersecurity tools marketplace.
Despite the challenges posed by this increase in market dynamics, we emphasise that such tools, when used lawfully for national security and law enforcement, are legitimate and necessary. The delegation outlines key measures to ensure responsible behaviour in this expanding market:
1. States should articulate collective expectations to provide market stability and prevent the misuse of commercially available cyber intrusion tools.
2. Domestic regulations that govern the sale and use of cyber tools should be implemented and possibly enhanced.
3. Responsible state procurement practices should be advocated to discourage irresponsible private sector engagements.
4. States must commit to exercising cyber capabilities legally and accountably, underlining the importance of transparent and responsible conduct.
The United Kingdom sets an example in this area, demonstrating transparency through documents such as “Responsible Cyber Power in Practice,” published by the National Cyber Force in 2023.
This is complemented by explanations of the equities process, which guides decisions on the disclosure of technological vulnerabilities. The Pall Mall Process is highlighted as a mechanism to facilitate dialogue by integrating various stakeholder perspectives and reinforcing the UN Framework for Responsible State Behaviour.
This approach, as affirmed in the recent Pall Mall declaration, stands as a reference for ongoing discussions, especially concerning the relationship between norm guidance and the commercial market for cyber capabilities. In conclusion, the delegation underscores the intended outcomes of implementing voluntary cyber norms: to establish and enhance best practices, creating a more secure and accountable cyberspace.
Thank you, Chair.
United States
Speech speed: 156 words per minute
Speech length: 783 words
Speech time: 302 secs
Arguments
Ransomware attacks on healthcare facilities are a critical concern that require the implementation of consensus norms.
Supporting facts:
- World Health Organization has reported a rise in ransomware attacks against health care facilities.
- Norm 13G focuses on states taking measures to protect critical infrastructure from ICT threats.
Topics: Cybersecurity, Healthcare Sector
Critical infrastructure protection involves classification and strong cybersecurity policies, regulations, and laws.
Supporting facts:
- A state must classify a facility as critical infrastructure to protect it effectively.
- States should strengthen their capacities to investigate cyber activities targeting critical infrastructure.
Topics: Critical Infrastructure Protection, Cybersecurity Legislation
International cooperation and information sharing are essential when attributing and responding to cyber threats.
Supporting facts:
- Norms 13B, C, F, H suggest collaboration among states to determine the source of malicious activities and respond effectively.
- Point of contact (POC) directories and guidance on making requests for assistance can improve the response to cyber incidents.
Topics: International Cooperation, Cyber Threat Attribution
Developing templates and guidance for requesting and responding to cyber threats would facilitate effective communication between states.
Supporting facts:
- The proposed templates would clarify the information sharing process during a cyber threat incident.
- Consensus on guidance for formulating requests for assistance is recommended for efficient resolution.
Topics: Cyber Incident Response, International Cybersecurity Protocol
OEWG should prioritize certain national steps to further norms implementation and capacity building.
Supporting facts:
- Creation of computer emergency response teams (CERTs), cyber strategies, and public-private partnerships are fundamental prerequisites.
- Establishing cooperative relationships on cyber matters with other countries is essential.
Topics: Cyber Capacity Building, National Cybersecurity Strategies
Report
The escalating risk of ransomware attacks targeting healthcare facilities, highlighted by the World Health Organization, underscores the urgency of enhancing cybersecurity in this critical sector. With these threats posing a negative impact on patient data protection and the continuity of essential services, they directly challenge Sustainable Development Goal 3’s aim of promoting health and well-being.
Enacting and observing consensus norms, such as Norm 13G, is pivotal in safeguarding the healthcare infrastructure from Information and Communication Technology (ICT) threats. States are called upon to accurately designate their critical infrastructure and to establish stringent cybersecurity legislation and policies.
By doing so, they can better defend against cyber threats, which is in line with the aspirations of Sustainable Development Goal 9, centred on building resilient infrastructure and fostering innovation. In the sphere of international collaboration on cyber threat attribution and response, norms 13B, C, F, and H promote a unified approach among states.
The creation of directories for points of contact and the provision of detailed assistance request protocols are seen as positive strides towards enhanced cyber incident management. Such partnerships and shared strategies align with Sustainable Development Goal 17, which advocates for effective global partnerships.
The proposal to develop standardised templates for information exchange during cyber threats and a consensus on assistance requests is a crucial step toward improving communication between states. It resonates with the objectives of Sustainable Development Goal 17 focused on establishing global partnerships.
The establishment of computer emergency response teams (CERTs), comprehensive national cyber strategies, and robust public-private partnerships are highlighted as vital prerequisites for cyber capacity building by the Open-Ended Working Group (OEWG). Strengthening cooperative relationships in cyber matters internationally further supports these capacity-building efforts.
In alignment with Sustainable Development Goal 16, which promotes peaceful and inclusive societies, the United States favours building upon the existing consensus represented in the 2021 Group of Governmental Experts (GGE) report. By consolidating common understandings and implementing universally accepted cyber norms, it is possible to foster a more resilient and secure international cyberspace.
In summary, the overall sentiment towards cybersecurity enhancement, global cooperation, and comprehensive information-sharing mechanisms remains positive. It reveals an acknowledgement of the critical role these elements play in fostering a secure global cyber ecosystem. The preference for evolving established normative frameworks over the introduction of new ones without broad consensus exemplifies a desire for a collaborative and iterative approach to strengthening cybersecurity measures across nations.
This synthesis of strategies and recommendations is vital in the ongoing efforts to secure a cooperative and resilient digital world.
Vietnam
Speech speed: 123 words per minute
Speech length: 364 words
Speech time: 178 secs
Report
Vietnam underscores the imperative of a globally unified understanding of the rules, norms, and principles guiding state behaviour in cyberspace. The nation advocates for the universal endorsement of the non-intervention principle, particularly within the cyber domain, to prohibit the circulation of destructive or provocative content across online platforms and social networks.
Vietnam’s stance encompasses the limitation of the spread of contentious and unverified information that may disturb the internal matters of other countries. Moreover, Vietnam calls for a clear definition of state responsibilities when battling the creation and dissemination of fake news and content that may incite violence, hatred, discrimination, or terrorism.
With the accelerating integration of artificial intelligence and generative AI technologies, the need for this approach is pronounced. Vietnam maintains that states ought to have jurisdiction to govern their cyberspace, regulating access to and distribution of information that lacks proper verification or originates from questionable sources.
Understanding the deeply interwoven fabric of today’s cyberspace, viewed by some as a global common resource, Vietnam perceives it as a vital platform to nurture tolerance and peaceful coexistence, reflecting the ideals of the United Nations Charter. Consequently, Vietnam calls for concerted international efforts to create comprehensive frameworks that safeguard sovereignty and support the principles of non-interference and responsible conduct online.
These frameworks should foster trust and collaboration among states, reminiscent of good neighbourliness. Vietnam also advocates for the establishment of universally accepted technical standards concerning electronic evidence in the context of cybersecurity incidents. These standards would assist in the expert handling and determination of the origins of such incidents, thus enabling an impartial forensic analysis.
Vietnam believes that the development of these technical norms will significantly aid discussions on attributing cyber incidents—a contentious matter that has hindered confidence-building among nations. In summation, Vietnam’s input to the discourse on international cyber governance signals a multi-layered strategy.
This strategy includes the creation of a shared understanding of cyber norms, delineating state accountability against misinformation, regulating the flow of non-validated content, and formulating a technical foundation for electronic evidence management. Addressing these elements is crucial for Vietnam, which envisions a cyberspace that fosters stability and peace, ultimately boosting the trust and confidence foundational to successful international cooperation.