Agenda item 5: discussions on substantive issues contained inparagraph 1 of General Assembly resolution 75/240 (continued) – session 1

Second Meeting of the OEWG on ICT Security Reviews Annual Progress Report and Honours Late Ambassador Sergio Duarte

The Open-Ended Working Group (OEWG) on Security of and the Use of ICTs convened for its second meeting, focusing on the review of the third annual progress report (APR). The session opened with a tribute to the late Ambassador Sergio Duarte, a distinguished diplomat from Brazil and former UN High Representative for Disarmament Affairs, whose contributions to disarmament and international security were honored with a minute of silence.

Delegates from various countries and organizations took the floor to provide their insights and suggestions on the APR. The discussions centered on the need for the APR to accurately reflect the collective progress made, the importance of addressing the threats posed by malicious cyber activities, and the application of international law in cyberspace. Delegates emphasized the significance of protecting critical infrastructure and critical information infrastructure from cyber threats, with many supporting the inclusion of ransomware and cryptocurrency theft as threats to international peace and security.

Several states highlighted the positive potential of emerging technologies like artificial intelligence (AI) in enhancing cybersecurity, while also acknowledging the risks they pose. The importance of capacity building, particularly for developing countries, was underscored as a means to bridge the digital divide and strengthen global cybersecurity.

The Chair’s proposal for a checklist of practical actions for the implementation of voluntary non-binding norms of responsible state behavior was welcomed, with the understanding that it should serve as a living document adaptable to national contexts. However, there were differing views on the need for the development of additional norms, with some delegations suggesting that the focus should remain on implementing existing norms before considering new ones.

The Chair addressed the logistical challenges of accommodating requests for dedicated intersessional meetings, highlighting the need for a balanced approach across the range of issues and the limited time available for meetings within the OEWG’s mandate. The Chair invited feedback on the number and frequency of meetings desired by member states for the following year.

The session also featured calls for strengthening the APR’s language on international humanitarian law (IHL), with some delegates proposing specific textual amendments to clarify the protection of civilians and civilian objects during armed conflict. The role of the private sector in cybersecurity, the need for public-private partnerships, and the involvement of stakeholders in the OEWG’s work were also discussed.

In conclusion, the meeting was marked by a collaborative spirit, with delegates expressing their commitment to reaching a consensus on the APR. The Chair’s invitation to a reception at the Singapore Mission was extended as a confidence-building measure, providing an informal setting for further dialogue. The session was set to continue the following day, with discussions on confidence-building measures, capacity building, and regular institutional dialogue.

Chair:
Distinguished Delegates, the second meeting of the eighth substantive session of the Open-Ended Working Group on Security of and the Use of ICTs is now called to order. Distinguished Delegates, before we continue our discussions under Agenda Item 5, I’d like to inform you that this morning I heard of the sad news of the passing away of Ambassador Sergio Duarte, who was High Representative for Disarmament Affairs here at the United Nations for the period 2007 to 2012, and as a distinguished and accomplished diplomat from Brazil, as well as a UN official in his capacity as High Representative for Disarmament Affairs, Ambassador Sergio Duarte made great contributions to the work of the United Nations. He worked hard and tirelessly to advance the cause of disarmament, and his work and contributions strengthened also the United Nations and the multilateral system at large, and made a contribution to peace and security. So today we remember his legacy, and I invite you now to rise and observe a minute of silence Thank you very much. Distinguished delegates, the group will now continue its discussion under agenda item five. We will continue our reading of rev one of the third annual progress report. And as I said, we will look at sections A, B, C, as well as D. We’ll begin with the speakers who remain on the list from this morning. And the first speaker on my list is Australia, to be followed by New Zealand. Australia, please.

Australia:
Thank you very much, Chair. Given how short our time is, I will try and be quite brief. I do want to start off, however, by thanking you and your team and the Secretariat for the very difficult work to pull together so many various and varied strands of our discussions into one place, into the annual progress report we’re discussing this week. I note, Chair, this morning that you said that this APR should not be a compilation of our national positions and priorities, and I agree very much that this must be our landing zone to accurately reflect the discussions and the work we’ve done as a group, and the things that we can all agree on, and the concrete progress that we have made over the last 12 months. In this vein, Australia can support the proposal made by both the United States and Iran to be very careful about the verbs we use across the entire report, replacing the word agree, which can apply obligations, with something that reflects the political commitment status of this document. I also note in opening remarks, Nicaragua, on behalf of a group of states, said that they oppose attempts to rewrite consensus, and I really hope that this is a fundamental principle that we can all agree with, and I take to heart the words that you closed our morning session with as well, Chair. And I do think that if we take this principle as a starting place, then we can avoid, in the main, the risk of mutually assured deletion. And for these reasons, Australia supports the proposal to amend paragraph five that has come from Switzerland and the United States, among others, to ensure that this paragraph accurately reflects the agreed framework of responsible state behavior and doesn’t unintentionally mischaracterize the pillars of our framework. We see the intention of this paragraph is to emphasize the cross-cutting and mutually reinforcing approach that we should use and to take with our framework to address cyber threats. And with some restructuring, we think this paragraph should better reflect that intention. Finally, on the overview, Australia joins South Africa, Moldova, the Republic of Korea, and others who have supported the importance of the introductory paragraphs eight on the meaningful contribution of stakeholders and 10 recognizing the high level of participation of women delegates and the importance of narrowing the gender-digital divide. Noting that this text in paragraph 10 is based on consensus, I am not going to propose an amendment, but I will signpost that I think that this is based on 2021 text. And we are seeing language across the UN updating that calls for greater ambition to close the gender-digital divide rather than just aiming to narrow it. And we hope that we can see this reflected in future. Turning to the threats chapter, Australia has some specific proposals to make and we will respond to the proposals made by others. And I will take this paragraph by paragraph and try to be as brief as possible. In paragraph 12, Australia supports the European Union proposal to add a reference to the threat posed to human rights by malicious cyber activity. And we can also support the proposal of Uruguay to call for the international community as a whole. help address these threats. In paragraph 13, we support the EU proposal to add additional text recognizing the risk of cyber threats during times of armed conflict. In paragraph 14 and 15, Australia very much welcomes these paragraphs and reflecting the lengthy discussions that we’ve had over the past year regarding the threats of malicious cyber activity to critical infrastructure. We do, however, request a very important technical amendment to bring this in line with our key and the consensus that clearly recognizes that it is the sovereign prerogative of each country to determine for itself what it considers its own critical infrastructure and that this group is not attempting to impose a top-down designation. To do this, we would suggest adding verbatim language from our 2021 open-ended working group report, which is taken from paragraph 18. We would insert this after the first reference to critical infrastructure and critical information infrastructure and start it as a new sentence. So the paragraph would read, as a whole, states expressed concern regarding the increase in malicious ICT activities impacting critical infrastructure and critical information infrastructure. While it is in each state’s prerogative to determine which infrastructures it designates as critical, such infrastructures may include health care, maritime, aviation, and energy sectors. And then the paragraph continues. We consider that a similar issue is raised in paragraph 15. And to avoid having to add additional text, we would simply suggest the deletion of the words ICT-related CI such as before the reference to undersea cables and orbit communication networks so that we don’t have to include the entire caveat on state designation of critical infrastructure there. Turning to paragraph 18, Australia has a proposal to add references to vendors as well as products. We think that there is important to acknowledge that product vulnerabilities can be exploited. There is also a risk that vendors of those products can be exploited as well. So, we would suggest that the opening of this paragraph read states expressed concern regarding the exploitation of ICT vendor and product liabilities, vulnerabilities. And then the paragraph would continue. In paragraph 19, Australia would like to thank the Republic of Korea for your recent UN Security Council open debate on this incredibly important issue of cyber threats posed by cryptocurrency theft by malicious actors. And we would support the proposal by the United States and the Republic of Korea to better reflect this using the text drawn from that 20 June joint statement from that debate. Regarding paragraph 20, we support the proposal by the Netherlands to reinsert the second sentence that was in the zero draft. And we have a question for Pakistan, who I believe requested that we include a reference to hardware and software capabilities. We are open to this, but we’re not sure which hardware capabilities might in fact fall into this category. So, if Pakistan has further information on that issue, we’d be very open to considering that amendment. On paragraph 22, we support the calls that we’ve heard this morning for clarifying that the artificial intelligence language be specific about its impact on cyber issues within our mandate and to clarify that AI may also hold positive outcomes for cyber security. This I believe was also raised by the Netherlands. We would like to retain the reference to security by design. We consider this a well-known and well-discussed principle. And we could go along with the proposal by El Salvador and China to also include a reference to the full lifecycle of artificial intelligence technologies. Finally, on this paragraph, Australia supports Malaysia’s proposal to amend ICT systems to new and emerging technologies. On paragraph 23, we note that this is drawn from consensus language from the 2022 Annual Progress Report, but it doesn’t include the entire paragraph. What we’ve lost here is the introduction of the issue of emerging technologies more generally, which acknowledges both the opportunities and the risks. We’re not asking to reinsert that, the entire paragraph, but we do think it is important to reflect in this text the key link between these issues and our mandate to promote peace and security in cyberspace. So we would suggest drawing from the preceding sentence to this text from our 2023 Annual Progress Report, paragraph 17, and adding that to the end of the paragraph. So that the end of the paragraph would read, machines or objects that constitute Internet of Things are not exploited for malicious purposes, which could potentially have implications on the use of ICTs in the context of international security. And that text is drawn from the paragraph that this was also drawn from in our previous APR. On paragraph 24, Australia strongly supports this paragraph. We do have a technical amendment to request, which is coming from our development lawyers. The 2030 Agenda is the overall framework to include the Sustainable Development Goals. So we would like to request reference to the 2030 Agenda and its Sustainable Development Goals so that we’re accurately reflecting that issue there. Turning finally to the recommended next steps of the threats chapter, Australia supports the proposal in these paragraphs. On paragraph 28, we do suggest that we try and link this back to the pillars of our framework. We’ve talked about raising an understanding of the existing and potential threats and identifying possible cooperative measures and capacity building initiatives. Those cooperative measures and capacity building initiatives are really what we are talking about in the rest of the report when we are talking about norms, when we are talking about law, when we are talking about CBMs. So we would like to make sure that we are referring to the pillars of the framework when we are saying that we will address these threats through cooperative measures. Chair, I am going to beg your indulgence. I was unfortunately not able to pull together Australia’s proposals on rules and international law over the lunch break. It wasn’t a German lunch, it was a Belgian lunch that I was attending, but we beg your indulgence to come back on those chapters later in this afternoon. Thank you.

Chair:
Thank you very much, Australia, for your contribution. New Zealand to be followed by Mexico.

New Zealand:
Kia ora, everyone, and thank you, Chair, to you and your team for your efforts ahead of this eighth substantive session. I will make some brief overarching comments before turning to the overview and threats sections. Firstly, we recall that last July we achieved a consensus text on the second APR, and this was not easy to achieve, but we did so because we reaffirmed consensus language and we accurately reflected on discussions over the previous year and progress made. This included reflecting the weight of discussions in the room and avoiding false equivalence. That is, we avoided granting equal weight to proposals supported by just a few states with proposals that garner much wide support. This is an important distinction if we are to reach common understandings, and there are several important elements where momentum is building, including the many states who have now published their position on how international law applies to cyberspace. and support for a permanent action-oriented mechanism, the POA, that will draw on the valuable discussions from each of the OEWG pillars into practical cross-cutting work streams that support meaningful implementation of the framework. It is only by learning from our collective implementation of the framework that we will be able to assess whether any gaps in the framework exist, and this is why New Zealand supports the POA. We agree with your judgment about not reopening consensus text, and this, together with accurately reflecting on progress made, provides a helpful roadmap for achieving a third consensus APR this week. We note that the REV1 draft contains several proposals and ideas which interest us and merit further consideration and discussion by states to enable us to move towards a common understanding. In some cases, we are not there yet, and we will need more detailed information to better understand these elements, but we offer assurances that we will work constructively this week to realize the ambition laid out before us. A few specific comments now on the overview and threat sections. In paragraph five of the overview section, states must comply with international legal obligations, and we therefore support changing the word adherence to compliance. In the current and emerging threat section, we appreciate the emphasis given to ransomware as a threat impacting stability and international security, and we also support the inclusion of cryptocurrency theft as a threat to international peace and security. Likewise, we can support the EU proposal to recognize threats to human rights. In paragraph 14, we agree with the concern expressed regarding the impact of malicious cyber activity impacting critical infrastructure, and note that it is up to individual states to identify and designate critical infrastructure at a national level, and therefore support the tech suggestions that Australia has helpfully outlined. On tackling the proliferation and irresponsible use of commercial cyber intrusion capabilities, We would emphasize our concern with the threats, threats to cyber stability, human rights, and national security, which can be contrasted with legitimate and responsible use, consistent with international law. We therefore agree that the deleted sentence should be returned to the text. While recognizing the risk that cyber security threats may be exacerbated by AI, we should also acknowledge the benefits that AI brings to the cyber security landscape, and along with many others, ask for this to be reflected in the APR. Finally, we thank the Republic of Korea for hosting the recent debate on cyber security in the UN Security Council, and support inclusion of a factual note highlighting this development in the APR. Thank you, Chair, and we will return later with brief comments on section C and D. Thank you.

Chair:
Thank you, New Zealand. Mexico to be followed by Japan.

Mexico:
Gracias, Senor. Thank you, Chair. Thank you for convening this meeting. We will be very brief. We also know that there are many other delegations waiting to take the floor. First, in section A, on the overview, we agree with most points, and so we have no further comments on that. As regards section B, the threats, it is timely for the specific mention of malicious activities in cyberspace to be kept aimed at international and humanitarian organizations. That was less explicit in the previous version, and so we support the change requested by the United States hamper to disrupt, which I think is in line with this concern. discussion on artificial intelligence, this has been improved to include concerns about new vectors and exploitation of vulnerabilities and data that is used to train AI models and the potential risk of autonomous cyber attacks. We can see that this is also in line with the concerns of various delegations who’ve commented on this. It’s clear that the market for insecurity is constantly growing and therefore it’s imperative that we implement and strengthen the security by design approach over the course of the lifespan of these technologies. We also agree with maintaining the emphasis on the growing importance of data protection and data security in relation to the proliferation of new technologies. I’d also like to respond briefly to proposals from other delegations over the course of the text. Paragraph 5, we feel that we can strengthen the reference to fulfilling international law. We’ve heard some suggestions to swap adherence for compliance. We agree with any formulation that lets it be understood that complying with international law means a restricted compliance. I’ve also already referred to paragraph 17, hamper for disrupt. We agree with that change. Paragraph 19, we heard some proposals to broaden the references. They also include financing of terrorism and weapons of mass destruction. We’re prepared to be flexible provided that the reference is broad and does not refer only to specific cases. That’s all for now and we look forward to responding to the other sections of the document. Thank you.

Chair:
Thank you, Mexico, for your comments. Japan to be followed by Canada.

Japan:
Thank you, Mr. Chair. I will be brief, but at the outset I cannot help but express my delegation’s appreciation for all the efforts you and your team made to prepare the draft of the Annual Progress Report, which serves as a good basis for discussion this week. That said, regarding Section B, Japan considers that it is important to highlight increasing ransomware attacks and rising cryptocurrency theft. Japan welcomes the reference to those threats. And stolen cryptocurrency has been a major source of funding, unlawful WMD and ballistic missile programs, and this poses a great threat to international peace and security. So Japan wishes this issue be addressed in the report, as suggested by the United States, Republic of Korea, and other delegations. Japan also supports the mention of the risk posed by commercially available ICT intrusion capabilities. Going on to the Section C and D. First, Section D, Japan considers that it is important to focus on deepening discussion on the existing norms and the steady implementation of those norms, rather than the development of additional norms. In this context, regarding Paragraph 30i and 33, Japan does not believe the idea of submitting of working papers on proposals for the development of additional norms. is appropriate, as it does not reflect the majority opinions expressed in the previous sessions. With regard to paragraph 32, Japan supports the checklist of practical actions for the implementation of voluntary non-binding norms. Regarding section D, international law, with regard to paragraph 35Bi, Japan does not believe that there has been merging of views regarding future consideration of additional legally binding obligations in the UN processes. Japan thinks we should continue to focus on how existing international law applies to the cyberspace. On paragraph 39, Japan welcomes the call for sharing national regional views and positions on how international law applies in the cyberspace. Such efforts would be useful to deepen discussions not only in the current OEWG, but also in the future mechanism. Finally, with regard to paragraph 41, Japan supports the idea of scenario-based exercises. We believe that accumulating such exercises will help us develop common understanding on how international law applies to cyberspace. Thank you, Mr. Chair.

Chair:
Thank you, Japan, for your contribution. Canada to be followed by Chile.

Canada:
the effort of capturing this rich discussion over the past year and the progress we have made, or as we have previously called it, your work in steering our birchbark canoe. We do believe there’s a growing, wide, cross-regional space for consensus as to where this canoe should land, and we hope we can maintain our balance over the coming week to shape this space into a final document. Before addressing our substantive points, I would like to touch briefly on your opening remarks. Canada, for its part, remains committed to working constructively towards consensus this week. However, fundamental for Canada as a committed multilateralist is that we develop good policy. This need for good policy surpasses the specific document on RID, but also includes the APR, elements of which will shape the future of our work. Many of us have either served in or heard of multilateral bodies that were not designed right, and where states and substance bears the consequence of its creators not having put in place the right structure, form, and modalities. As such, we bear a great responsibility not only to get an outcome, but to get the right outcome. We support France, Germany, and the EU’s call therefore to reflect where elements of the APR would continue into a future mechanism. Turning to the substance at hand, on the overview, like Colombia, I would first like to highlight that Canada is very supportive of paragraph 5, which reflects our discussions that have highlighted the importance of engaging in cross-cutting discussions to deepen our conversations. This is something we continue to hope to see reflected in the coming year, and particularly in a future mechanism, as outlined in the proposals for a program of action. With regards to the threat section, overall, our assessment is that this section provides a good overview of the discussions held last year. Under paragraph 14, to move to consensus, we would agree with Australia, Canada, and the EU, and to move to consensus with Australia, we would agree with Australia, Canada, and the EU, and to move to consensus with Australia, that while retaining the examples of critical infrastructure sectors, we include a line that reflects that the identification of critical infrastructure is a decision that belongs to each individual state. We support references in paragraph 15 to the consequences of the threats to critical infrastructure which undermine trust in electoral systems, public institutions, or that impact of the general availability or integrity of the Internet. We support U.S. proposals on paragraph 16 and 19. With regard to paragraph 25 on gender, retention of this language is critical to my delegation, and we support proposals to strengthen ties with the Women, Peace, and Security agenda. With regards to AI, we too share the view that this should reflect both the risks and the positive role that AI can play in supporting states in their cybersecurity. In the spirit of contributing further to the text, as you have asked, we believe that we have seen over the past year important discussions of and demonstration of the value-added of stakeholder engagement when it comes to threats, and this should be captured in the AAPR. One means to do so would be to invite stakeholders to submit working papers in paragraph 29 as they are invited in paragraph 33. On norms, we have heard a number of delegations argue that this section is not balanced because of an overemphasis on implementation. We disagree. Indeed, there is very little said in the AAPR proper on the implementation of norms, and we would like to see more. That there is an annex focused on implementation of norms is because that was the focus of this body over the last year. To claim that a checklist you were tasked to develop not be reflected for the sake of balance makes little sense. The text must reflect the work this body has done. To be clear, we do not oppose the idea that at some point we would discuss new norms. Indeed, we see this as part of the virtuous circle. virtuous circle we have described as part of the program of action that could identify gaps through norms implementation and discussion of international law and the application of capacity building to identify if there are gaps and whether these gaps could in the future be addressed through future norms. We do question however whether the last year of the APR is the best time to open what could be another contentious issue and put consensus in 2025 at greater risk. On the basis of this concern we would ask that the second sentence of paragraph 30a be removed. With regard to paragraph 30i we are concerned that the language confuses the status of the 2021 consensus report and the non consensus chair summary and risks the interpretation that both are consensus documents. We would ask that this be amended to be clearer on the status of each and that the reference to the 2021 annex use the full content from that document namely written proposals made by states at the OEWG on the elaboration of existing norms guidance on implementation as well as new norms. These comments are important context for the proposed recommendation in paragraph 33 which should call for working papers on guidance to implement existing norms as well. On a different note Mr. Chair Canada notices the removal of in rev 1 of wording on cyber hygiene and we would ask that this be returned to the text. Finally for norms Mr. Chair Canada adds its support to your efforts to on having the norms checklist annexed to the APR as a voluntary tool that you were tasked to develop and that we have been working on that could be used to further capacity building. We therefore support paragraph 30c. On international law I would note that while my delegation did manage to pull together some points for this period space They are preliminary and we would ask your indulgence to provide further information in writing or to take the floor again if needed. We do welcome the revised draft report which in our view provides strong basis for consensus this week. It reflects the growing progress on building common understandings on international law in accordance with the OEWG’s mandate and past APRs. We welcome the draft’s affirmation that international law principles and rules are applicable in cyberspace as well as the recognition of the rich and increasingly inclusive discussions taking place. Turning to the details, we believe that paragraphs 36F and G require clarification. We believe these are meant to refer to situations of armed conflict and thus to engage international humanitarian law which has been a subject of continuing interest and discussion for many states. We would support proposals to clarify these paragraphs and welcome further discussion on international humanitarian law. Finally, one overall drafting point from an international law perspective. We would suggest replacing the term cyber attacks throughout the document with malicious cyber activity for clarity and consistency in international law including international humanitarian law. Finally, Mr. Chair, we think it is important that our APR reflects as the current draft does a commitment to continued discussion, capacity building, and briefings on international law right through to the end of our mandate next year. Thank you.

Chair:
Thank you Canada. Chile, to be followed by Singapore.

Chile:
Thank you. Chair, please receive my best wishes for a successful session. I would like to take this opportunity to welcome the work of the secretariat, this This APR is a good basis for discussions this week and we hope that it will help us achieve consensus. As regards my delegation, we work constructively aimed at results. We welcome and are grateful for the document for its action-oriented approach, as highlighted by France and other delegations. As regards the introductory section, I agree with your proposal not to open a debate on previously agreed wording. We think it is positive that we include previously agreed wording in the present document to help us recall the achievements so far and as a way of not slipping backwards. We also agree with boosting capacity building as an important CBM, as highlighted by Argentina and Uruguay. This is cross-cutting across the work of the group and a comprehensive approach to cyber security and ICT is critical. We also want to highlight the relevance of the inclusion of high-level participation of delegations and gender as a cross-cutting issue for our efforts, also reducing the gender gap and the meaningful participation of women in decision-making relating to ICT in the context of international security. This should be a natural step forward. It also represents a step towards justice in the work of this group. On the section on new and emerging threats, this is a reflection of a major part of the discussion that we’ve had at previous sessions, especially as regards paragraph 16. We can accept the proposal from the US, as supported by a number of other delegations switching out hamper for disrupt. On paragraph 22, we agree with what has been said by US and the Netherlands and others in relation to AI and its potential contribution to innovations for promotion and the use of ICTs. Also, new and emerging technologies for peaceful purposes and ethical uses based on human rights. In line with what has been proposed by Canada, on paragraph 29, next steps and recommendations. We could consider including other stakeholders for documents as a way to understand existing and potential threats and identify possible cooperative measures and capacity building initiatives to enable states to detect, defend against or respond to malicious ICT activities. As we’ve said before, Chile believes that the contributions of stakeholders such as civil society, academia, the technical community and others always constitute a important contribution, not just to the debate, but to dealing with the threat of ICTs, thank you.

Chair:
Thank you very much, Chile. Singapore to be followed by Belgium.

Singapore:
Mr. Chair, my delegation would like to thank and express our appreciation to you and your team for the hard work in preparing this draft APR and in facilitating this week’s discussions. I’ll be offering some comments and remarks on sections A to D. Given the transboundary nature of cyber-threats, Singapore welcomes the APR’s comprehensive focus on the diverse cyber-threats faced by states. Such comprehensive discussions on cyber-threats can help states, especially small and developing ones, better understand the global threat landscape facing us today, and as highlighted in Paragraph 5 and 6, prioritise capacity building in areas where it is most needed. For example, recent ransomware attacks on healthcare services globally have shown how threats to essential services can be immensely costly and disruptive to the effective functioning of society. Together with many of the delegations today, we echo the salience of these threats as reflected in the APR, with Para 14 noting an increase in threats to CII, and Para 19 noting an increase in frequency, scale and severity of ransomware and ransomware-as-a-service. Addressing the vulnerabilities in operational technology and interconnected devices in Para 24 is relevant here, as they are often entry points to attack on critical infrastructures. Noting the evolving nature of threats, we support Para 20, 21 and 22 in considering both the opportunities and security of emerging technologies, including security of AI and commercially available IC3 intrusion capabilities. While there may be legitimate uses for these tools, the growing irresponsible and uncontrolled use makes it more difficult to mitigate and defend against the threats they pose. Given the cross-cutting nature of the emerging threats, Mr Chair, a whole-of-ecosystem approach to securing such technologies should be explored in future discussions. Given the above, we fully support the concrete measure in Para 29 to raise awareness, cooperative measures and capacity building in understanding threats. Singapore stands ready to contribute ideas to advance our collective efforts in these areas. For international law, we are heartened that the progress made at this OEWG is reflected by the reaffirmation in paragraph 36, sub-paragraphs A to D of the UN Charter, and its key underpinning principles. These include the principles of state sovereignty, the sovereign equality of all states and non-intervention, and the peaceful settlement of disputes. We are also of the view that paragraph 36, sub-paragraphs E to F, also highlight important points which could be further explored and fleshed out as appropriate. We support paragraph 37 as a very good basis for discussion, as it describes the proposals that have been made by various states in a sensitive manner, which seeks to find consensus. We further support the recommended next steps in paragraphs 38 to 41, as they are both logical and practical. Mr Chair, the ICT landscape is unique and rapidly evolving. Therefore, under the Norms section, Singapore appreciates the Chair’s acknowledgement of this reality, and supports paragraph 30A on the need for further development of norms over time, so as to keep up with the evolving landscape. Singapore further supports the understanding by many states that the implementation of the existing acquis and the discussion on new norms are not mutually exclusive, and need to move hand in hand, as captured in paragraph 30A and 30I of the third APR. To discuss new norms meaningfully, we also need to understand existing norms. The implementation of existing norms helps states, especially those new to these discussions, work on their national capacities and bring the global resilience up to a baseline level. In that regard, Singapore supports paragraph 32 as one of the recommended next steps. The Checklist of Practical Actions for the Implementation of Voluntary Non-Binding Norms of Responsible State Behaviour in the Use of ICTs proposed by the Chair can be used as a reference guide for strengthening the capacity of developing and small states. As part of this guidance and reference work, ASEAN, the region where I come from, will be continuing our regional norms implementation efforts. Singapore, together with our colleagues in Malaysia and our colleagues in all ASEAN Member States, will be co-organising a regional workshop with UNIDIR on the ASEAN norms implementation checklist to be held in Malaysia at the end of this month. This will ensure synergy between our regional and global efforts on norms implementation. Overall, we are of the view that the current formulation in the norms section of the third APR strikes a good balance between acknowledging their key and the mandate to discuss new norms. Singapore looks forward to the retention of these elements in the final version of the third APR. Thank you, Mr Chair.

Chair:
Thank you very much, Singapore. Belgium, to be followed by Brazil.

Belgium:
Mr Chair, my delegation aligns with the statement delivered by the EU and would like to make the following remarks in its national capacity. Regarding section B on threats, Belgium remains concerned by the intensification and complexification of cyber threats, which pose increasing risk for both national security, particularly critical infrastructures, and international peace and security with increasing use of ICTs in armed conflict. We appreciate that the draft APR mentions a particular risk related to ransomware, the malicious use of new and emerging technologies, the malicious and irresponsible use of cyber intrusion capabilities, the threats to political and electoral processes, as well as the need to secure critical information infrastructures such as undersea cable and orbit communication networks. This global threat landscape stresses the urgency to increase cyber security and enhance international cooperation. Our discussion on potential and existing threats cannot ignore that malicious cyber activities are a reality with consequences and negative impact. Harm to civilians is another aspect which has been discussed in this group this year that could be added to our APR. Harm done by cyber attacks is partly reflected in Para 17, 19, and 22. People increasingly suffer from malicious cyber activities, people die in hospitals because of ransomware, and are deprived of basic services because of cyber attacks. In some cases, it poses risks to national security. Belgium, Australia, Costa Rica, Finland, and the Cyber Peace Institute organized this Monday lunchtime a side event on a victim-based approach. We heard moving testimonies by the respective ambassadors on the harm caused by recent cyber attacks in Australia, Costa Rica, and Finland. The Cyber Peace Institute presented its methodology on how to measure harm. It was said that, one, ransomware are not an ICT issue, they are a threat to peace and security. Our mission is not only protecting our computers and networks, but also to protect our people. Cyber attacks and other cyber malicious activities, even not sophisticated, can cause permanent and disproportionate harm to civilians. Belgium recommends a continued focus on the development of a methodology to measure harms and impacts of cyber attacks and incidents to increase knowledge and a focus on the harms to victims, and leverage this within this open-ended working group, and carrying this focus forward into the future regular institutional dialogue. My delegation therefore recommends adding language on a victim-based approach to our APR. Concretely, we suggest to add to the following language to PARA 28. I quote, state continue exchanging views at the open-ended working group on existing and potential threat to security in the use of ICT in the context of international security, and we suggest to add, as well as on the harm to individuals and society caused by malicious cyber activities. The rationale is that harm is mentioned in the backward-looking section on threats, PARA 17, 19, and 22 already, and we need to increase understanding of this important aspect with a view of exchanging best practice to mitigate that harm. Mr. Chair, under your leadership, our group has covered great grounds in increasing and deepening our common understanding on the norms of responsible state behavior. As stressed by the EU, there is now a need to build on this momentum to further promote and fully implement the existing 11 norms of responsible state behavior before engaging in further discussion on developing additional norms if gaps are identified. Implementation is key. This is why we affirm our support to the POA, which focuses on this goal. The existing norms that we could further examine are norms 13C, F, G, and H, which call for the protection of all critical infrastructure, supporting essential services to the public, in particular medical and health care facilities, as well as cooperation between states for this purpose. My delegation welcomes a checklist of practical actions for the implementation of these norms, and your encouragement, Mr. Chair, for states to use that list as part of their implementation efforts. We also welcome your invitation for states to submit additional material during our work next year. We wish to support the call to invite next year relevant experts from regional and sub-regional organizations, businesses, and non-governmental organizations and academia. to brief us and thus to receive the second sentence of formula 30. I thank you, Mr. Chair.

Chair:
Thank you, Belgium. Brazil, to be followed by Argentina, please.

Brazil:
Thank you very much, Mr. Chair. Good afternoon, colleagues. First of all, Chair, I would like to take a brief moment to thank you for the very kind words that you just said at the beginning of the session on Ambassador Sérgio Duarte, former High Representative for External Affairs and career Brazilian diplomat. His legacy is an inspiration to all Brazilian diplomats, and we very much appreciate the remembrance that you so kindly dedicated to him today. Regarding our APR, we thank you very much, you and your team, for one of our third APR, the last one before the final report of our working group. We are overall very supportive of your draft, which we believe strikes a very good balance among the different views expressed by delegations throughout our discussions and helps us move forward. In the overview section, we are very supportive of paragraph 6, which recognizes the cross-cutting role of capacity building efforts to all pillars of the group’s mandate. We also welcome and support the retention of paragraph 10, which recognizes the importance of a gender perspective to our discussions and the role of women in the group’s work. Moving to the threat section, we support the proposals made by some other delegations to bring paragraph 16 in line with Security Council Resolution 2730, replacing hamper by disrupt and adding at the end of the sentence, and undermine trusts in their work. In paragraph 20, we would request the deletion of the word irresponsible, given that this term has no agreed definition and could be open to a wide range of interpretations. If there is a need for another qualifier in addition to malicious, we would suggest illegal, whose meaning is much clearer. Furthermore, given that proliferation is a term traditionally associated with weapons and technologies that are inherently unlawful, instead of those with a dual use, we propose replacing proliferation with uncontrolled dissemination. On paragraph 22, in our view, it is key that the legality of the use of artificial intelligence is also duly highlighted, along with the proposals made by other delegations on their possible positive impacts to cybersecurity. In this regard, at the end of that paragraph, we would support adding after, so as to fully seize the opportunities presented by such systems and ensure their eventual use is in full compliance with international law. As you’ve requested our comments to also encompass section C and D, we would like to express our strong support for the retention of paragraphs 36F and G, and would further support including a specific reference to international humanitarian law in both cases, so as to provide greater clarity to our text. The applicability of international humanitarian law in situations of armed conflict has been recognized – it was recognized, sorry, by the last GGE in a report that was endorsed by consensus by the General Assembly in Resolution 7619. We highlight more broadly the importance of preserving the acquis of our previous discussions on ICT security without prejudice to further progress in our discussions. The GGE substantive reports have been endorsed by consensus General Assembly resolutions, and the first OEWG’s outcomes are extremely important to our work and should be referenced where relevant. Brazil remains a steadfast supporter of the OEWG’s mandate and is committed to the investment of our discussions. You can count on our active and constructive engagement to help bridge positions and reach consensus with a view to adopting our third annual progress report. I thank you.

Chair:
Thank you very much, Brazil, for your contribution. Argentina, to be followed by Indonesia.

Argentina:
Thank you, Chair, to you, to your team, to the Secretariat, for all of the efforts in developing this draft, our thanks. We wish to make the following remarks on Power of 21 and 22 in order to balance the wording and the general understanding. We would like to suggest that new emerging technologies and AI, as already highlighted by Australia, Chile, the US and the Netherlands, they have a positive impact to AI, not just in cyber security, but also as part of our efforts to close the digital divide. We would therefore like to add the following to the beginning of Power of 21. States indicated that new emerging technologies are broadening opportunities for development, which is fundamental in order to achieve the shared goal of closing the digital divide. In the same vein, my delegation wishes to include the following wording for Power of 22. States also highlighted the utility of artificial intelligence in creating cyber resilience and in the prevention of cyber attacks. We suggest that this paragraph can proceed. The one that begins states also highlighted that it is in the interest of all states to promote the use of new emerging technologies for peaceful ends. We will speak later. on C, D, E, and F, and for the proposals for wording for Section B will be sent in writing to yourself and the Secretary. Thank you.

Chair:
Thank you very much, Argentina. Indonesia to be followed by Czechia.

Indonesia:
Thank you. Thank you, Mr. Chair, for giving us the floor. First of all, allow me to convey our high appreciation to you, Mr. Chair, for your great work in preparing this OEWG session. We also thank the Chair, his team, and the Secretariat for preparing the draft of the Third Annual Progress Report and its unaccessed documents. Indonesia also extends its support for your leadership, and second, the notion of the importance of achieving consensus to reflect the commitment of Member States in strengthening cooperation on the matter of ICT security. Mr. Chair, Distinguished Delegates, Indonesia views the draft of the Third APR has included elements that reflect the progress of our deliberation within the OEWG over the past year, including proposals for concrete and action-oriented actions to address ICT threats and to promote an open, secure, stable, accessible, and peaceful ICT environment. The willingness of States to continue discussions and exchanging views as recommended in each pillar now becoming more significant as it will give support for the OEWG in providing rooms for States for dialogues and cooperation. Allow me to share with you that Indonesia has just recently experienced a threat on cyber security, where last month a ransomware attack infected Indonesia’s temporary data centre. and disrupted the systems of Indonesia’s public services, including immigration services. Mr. Chair, while Indonesia has conducted recovery efforts for this matter, this incident reflects new threat of ransomware that might be happening to states. This incident also reiterates our view of the importance of international cooperation. Which includes, amongst all, capacity building through the establishment of capacity building funding and the enlargement of global POC for information sharing and best practices to help the states prevent and address ICT incidents and threats. Indonesia, therefore, encourages the Third APR to be able to answer the needs of the states. Mr. Chair, Indonesia re-emphasizes the importance of this session to establish a single-track, state-led, and action-oriented forum to discuss ICT security issues on the discussions of RID within the OEWG and encourage all of us to find convergence for establishing future regular dialogue. Indonesia reaffirms its commitment in supporting the work of the OEWG, which has provided a space for countries to share views and ideas concerning a secure and stable cyberspace at a pace comfortable to all with the step-by-step and incremental approach. We look forward to the constructive dialogue with distinguished delegates at the finalization of the Third APR, and my delegation stands ready to extend our support to the Chair and his dedicated team to facilitate this process. Thank you.

Chair:
Thank you, Indonesia, for your statement. Czechia to be followed by Vietnam.

Czechia:
Thank you, Mr. Chair. The Czech Republic Alliance itself is the EU statement and wishes to emphasize a couple of points in its national capacity concerning Sections A, B and C. I would like to assure you that I am not going to repeatedly present the positions of the Czech Republic. My comments will be solely focused on making sure the annual progress report reflects our discussion as objectively as possible. In principle, I have three points where we see some potential for a constructive improvement of the text. First of all, I would like to emphasize that during the last year we have intensively discussed the future institutional framework and we have reached a considerable progress concerning program of action, which enjoys the support of the majority of countries. This should be better reflected in the EPR and in this context, the Czech Republic fully supports the proposal presented by France and already supported by other countries. Second, we appreciated the discussion we had on human rights protection and I also hear we would like to see it better reflected in the text. We might have many proposals in this line, but in the spirit of constructive discussion, I would like to constrain myself to strongly support the EU proposal for amendment of PRA 12. Third, as was already mentioned, the geopolitical environment has only deteriorated further last year and unfortunately we have to note that the use of ICT in the context of armed conflict is a reality today. In this context, we consider it very important our discussion during the past year on development of common understanding of how international humanitarian law regulates the use of ICT by states in order to limit the effects of the use of ICT in armed conflict. In this context, we also strongly support a contextual proposal for paragraph 13 presented by the European Union. We also support a proposal of us for amendment of paragraph 16 concerning malicious activities. Thank you. Mr. Chair

Chair:
Thank you very much check here for your statement Vietnam to be followed by Vanuatu Vietnam are you here microphone for Vietnam

Vietnam:
and good afternoon dear colleagues Vietnam would like to commend you and your team for your great efforts in preparing the draft report and its analysis and organizing informal meetings prior to this OEWG section to accommodate all member states concerns and priorities in the text the draft report laid a solid basis for member states to wrap up what we have achieved through substantive discussions in previous sections Vietnam acknowledges that despite differences in member states positions we have made great achievements over the last year we hold the view that the APR needs to reflect these achievements and at the same time in a balanced manner the core pending issues and based on these common interests to overcome controversial issues the report should reflect our all proposals initiatives by member states clearly identify newly proposed and under discussion at once mr. chair we have comments on the section a and in section B with regards to a section by of the a of the report Vietnam strongly support to reaffirming the mandate of the group in paragraph a a practical for assigned in the GI resolution 75 to 40 that guidelines our discussion in previous and current section we share the same view with previous from Colombia and South Africa’s and other delegation in the integrated connected and cross-cutting nature of all issues addressed under the OEWG in paragraph 5. We can go along with the proposal to shorten the paragraph but wish to retain its core spirit. We support the emphasis of capacity building as an important confidence-building measure, which are essential for countries, especially in developing countries, in narrowing the digital gap, conducting digital transformation, and implementing the sustainable development goals. We welcome the inclusion of paragraph 10 that highlights the issue of gender parity in the discussion of the use of ICT in the context of international security. And in this context, we’d like to thank the donors of the Women in Cyber Fellowship Program for their continuous support to promote women’s participation in the OEWG. With regards to section B, existing and potential threats, we support to highlight the threats of malicious use of ICTs towards critical infrastructure and critical information infrastructure in paragraph 14 and 15 that are in accordance with the UNSC Resolution 2573 in 2021 on protection of objects indispensable to the survival of the civilian population, where cyber infrastructure is also covered. We also support the proposal by Malaysia with regards to the use of the term new and emerging ICT technologies in paragraph 22, which is also supported by other delegations. Mr. Chair, Vietnam remains in support and commitment to work with you and other member states to adopt the API by consensus by the end of this week. We will have further comments on the sections ahead. I thank you, Chair.

Chair:
Thank you very much, Vietnam, for your contribution. Vanuatu to be followed by Portugal.

Vanuatu:
Mr. Chair, congratulations to you, your team, and the Secretariat for this draft APR. It sets us on a good path, and please be assured that as a delegate from Vanuatu, I come here in the spirit of multilateralism and cooperation. Vanuatu is committed to reaching a substantive consensus report by the end of the week, or hopefully, indeed, by Friday morning. Mr Chair, I have a couple of quick comments on Section A and B. In Section A, paragraph 6, we suggest adding the phrase, quote, demand-driven, end quote, to the last sentence on capacity building. It is important to reflect that capacity building efforts can only be successful if they are designed and implemented at the direction of the member states set to benefit from them. In paragraph 10, we are happy to see the gender gap being addressed. While this paragraph reflects agreed language and we do not want to open discussions about the specific language in it, we do want to strongly express our support for the, quote, Women in Cyber Fellowship. Throughout the sixth and seventh substantive sessions on the OEWG, numerous member states, including Vanuatu, raised its importance in allowing them to meaningfully participate in these proceedings. And as such, it stands as one of the most important measures to close the gender gap in this very forum. In Section B, on existing and potential threats, we welcome the language on an extended list of threats. In paragraph 19, Vanuatu is happy to see ransomware listed as a threat to international peace and security. And we welcome the strengthening of this paragraph in Rev. 1. However, we could support strong language on ransomware in this paragraph. In paragraph 22, we believe that the APR should also reflect on the need for dedicated capacity-building efforts on AI to ensure that a new digital divide does not open up between the developing and developed countries. In paragraph 25, Vanuatu supports the inclusion of quote, digital awareness and skills as a means to achieve sustainable development goals. Thank you, Chair.

Chair:
Thank you very much, Vanuatu, for your contribution. Portugal to be followed by Syrian Arab Republic.

Portugal:
Thank you, Chair. And thank you for preparing the REV1 draft of our annual progress report. My delegation fully aligns with the statement delivered by the European Union and we wish to add the following in our national capacity. Regarding the overview provided by section A, we fully support paragraph seven on capacity-building, which plays a central role in the future permanent mechanism. We also see a need to reinforce the language on stakeholder participation for the reasons previously mentioned by other delegations. Regarding section B on existing and potential threats, it is worth noting that although no major hostile cyber activity was recorded in Portugal during the two elections held this year, due in great part to prior efforts in terms of cyber prevention, network resilience and awareness raising, we have continued to face cyber threats arising from a multitude of hostile actors. We therefore support paragraph 15 referring to malicious ICT activities affecting critical infrastructure that undermine trust and confidence between states, in particular when directed against political and electoral processes or targeting undersea cables. Threat actors today have new levels of sophistication and anonymity. deriving from the delocalization of their hostile activities and from the adoption of new tools and methodologies such as AI and AI-powered LLMs. We thus concur with other delegations that AI should be referenced comprehensively in paragraph 22 of the draft APR. The current threat landscape represents a severe challenge to public and private institutions and indeed to civilians in a context of conflict. This is why in paragraph 13, we support reinforcing the language by adding a clear reference to international humanitarian law and to the protection of civilians and civilian objects. The malicious activities of hostile actors are coupled by the increasing threat of cyber criminals from ransomware operations to the evolving ecosystem of CEO and business email compromise frauds that cause substantial financial losses to both public and private institution. We thus welcome the reference to ransomware attacks in paragraph 19. In closing, please count on our continued constructive engagement in reaching consensus on this year’s APR, building on the draft that you have provided us with. Thank you very much.

Chair:
Thank you very much, Portugal, for your contribution. Syrian Arab Republic, please, to be followed by Fiji.

Syrian Arab Republic:
Thank you, Mr. Chairman. First of all, we would like to thank you and the team and your secretaries. Thank you for organizing this session. And thank you for having provided a revised APR. We thank you for your leadership, which we need in order to move forward within this working group. We support the statement made by Nicaragua. on behalf of the like-minded countries, and we would like to make the following proposals. With the end of the mandate of the open-ended working group, we need to also make sure that we revert the labeling of the paragraphs from last year to make sure that we have targeted language so the delegations can participate in a focused way. We therefore support their proposal made by the Russian Federation when they spoke about deleting a number of paragraphs. We think that in the current state, the draft is not a good foundation for progress. The draft has to be based on preceding consensus and not move the group away from consensus. The draft is not balanced, generally speaking, and gives great weight to the criteria of responsible behavior of states. This is not in line with the mandate of the group. The group is linked with new criteria, including binding, legally binding measures need to be included. We call for a document which reflects national positions when it comes to the new criteria. When it comes to threats, we think it’s important to improve this in order to have the balance that we all want. It does not sufficiently mention certain. threats. Some of them are not mentioned. Whilst we know that they’re urgent, we need to be more precise and at the same time more comprehensive here. When it comes to the draft convention presented by the Russian Federation of Like-Minded States, there we have other threats. For example, the monopoly of certain companies in cyberspace internet governance, the repercussions they can have on the sovereignty of states, possibility of conflicts, accusations of cyber attacks, the placement of equipment and resources in third countries without their authorization, which undermines sovereignty, the capacity of having cyber attacks by terrorist groups and using their capacity so as to counter extremist activities and terrorist goals and their recruitment. International cooperation is an important tool to reduce the digital gap and provide states to counter cyber threats. And this has to be a priority for us. So it is therefore necessary to narrow the gap when it comes to technology access. The importance of technology transfer towards developing countries comes into play here to make sure that developing countries can counter cyber threats. Unilateral coercive measures, illegitimate measures impede true progress when it comes to information security. As regards responsible behavior, I will revert to this issue later, Mr. Chairman. And lastly, let me say that we are ready to work constructively to make sure that our deliberations are successive. and that we can rise to the current ICT challenges. I thank you.

Chair:
Thank you very much, Syrian Arab Republic, for your contribution. Fiji to be followed by Ireland.

Fiji:
Good afternoon, Chair, distinguished colleagues and dear friends. Firstly, Chair, thank you, and in our indigenous language, a big vinaka for your exceptional leadership in guiding us and with the support of your team in producing the draft for one of our annual report for our discussions this week. Chair, this draft demonstrates the significant progress that we’ve made. We also note your call to action in your opening remarks in that we need to take a further step forward this week, and Fiji reiterates our commitment in reaching consensus for the collective good. Chair, we are particularly appreciative of the report’s focus on bridging the digital gender divide. It’s a critical issue that directly impacts our ability to achieve sustainable development, and we would like to echo previous delegations in retaining paragraph 10. Furthermore, we commend the report’s emphasis on capacity building as a pivotal and cross-cutting thematic area, as identified by several delegations like South Africa, France, Greece, Malaysia and Moldova, to name a few. Building common understanding and capacity is essential for addressing the unique challenges that are faced by small island developing states, and we believe that this should remain a central theme in our ongoing efforts across the various sections of our report. In saying this, we echo previous delegations in the retention of paragraph 6 and 7, and Fiji also appreciates the important role of stakeholders and welcomes paragraph 8 and its retention in our report. With regards to section B, Fiji welcomes the paragraphs including the recommended steps in paragraphs 28 and 29. We support the proposal by the European Union regarding paragraph 12, recognizing the grave risk to human rights in the attainment of sustainable development, and the proposal on paragraph 13. Fiji welcomes paragraph 15, which highlights the need to secure ICT-related critical infrastructures such as undersea cables. Now this is significantly important given the recent increase in the building of submarine cables in the Pacific region, and to bring this to context, within Fiji we have two additional subsea cable networks that are being built, which will enhance connectivity and resilience, not just for Fiji, but for the Pacific, as it is a transit hub. Therefore, spotlighting the need to secure this critical infrastructure is supported. We also agree with the proposal by the United States and the European Union regarding paragraph 16, and it’s also been supported by other states, including the Netherlands. And with regard to paragraph 19, we agree with the proposal by the Netherlands on how ransomware attack impacts services to the public. For paragraph 22, we support the proposal from Vanuatu, and we also support the proposal from the United States on the positive use of artificial intelligence in boosting cybersecurity capabilities. We also support Malaysia’s proposal on substituting new and emerging ICT systems with new and emerging technologies. To conclude, Chair, we support the proposal from the Netherlands for paragraph 25 regarding the linkage to women, peace and security work, and we’ll also seek further time later in the afternoon for the other sections of the report. Thank you.

Ireland:
your detailed work on the latest draft of the APR on its annexes. It’s positive that we’ve begun pragmatically today and specifically discussing the text given our very limited time. I propose in that spirit just to react to some of the perspectives that we’ve heard already today in my national capacity, noting Ireland’s full alignment with the statement of the European Union delivered this morning. Firstly on reducing the length of the text, Ireland can support that as long as key priorities and substantial topics are not sacrificed at the expense of brevity. At a minimum, the APR should reflect the agreed perspectives of member states and present a balanced representation of our work over the last year. On that point, including additional national discussion papers on norms, for example, would not help with brevity nor reflect a representative contribution to the OEWG from the last year. Like Canada, Ireland’s perspective is that our discussions have never precluded the future development of new norms, nor has there been any impediment to states raising their views on this, as is their right, but as your implementation checklist attests, we have focused on implementation of existing norms and the shortcomings that we have already experienced in that task, which is the fundamental through-line to the considerations around capacity building too. So the inclusion of the checklist as an annex to the report reflects that approach. Chair, Ireland is happy for the most part with the approach of the APR and the overview on sections A and B, and my delegation appreciates the necessity of the relevant annexes. In that context, deletions that detract from an accurate documentation of our work will not help us find consensus this week. You’ve alluded to that yourself this morning. Reacting specifically on proposals we’ve heard for sections A and B, in paragraph 5, Ireland can support the U.S. suggestion of modifying adherence to compliance in regard to the reference to international law, particularly given it better articulates the obligations of states under the agreed international framework. In paragraph 13, we can support the perspective of Uruguay to reflect the reality that ICTs are already in use in active armed conflicts. Similarly, the application of IHL to the CSIRO domain is not abstract or theoretical. The value of a future mechanism, if properly designed, should be such as to articulate this application more effectively in more detail through dedicated discussion groups. In paragraph 15, Ireland welcomes the approach of the current draft. There is real value in enumerating the particularly important and vulnerable elements of our critical infrastructure that we have discussed in some specificity over the course of the OEWG. The APR should reflect what has been discussed by states and what common interests we’ve shared. In particular, on subsea cables, I was very glad that Fiji just raised this and the practical importance of this reference to my delegation, given that we were pleased with the enthusiastic engagement with the side event that Ireland led in March, and we don’t see a reason why we would not refer specifically to something on an issue of concern that affects all of us. In paragraph 16, Ireland can support a strengthening of the term hamper to disrupt regarding the work of international organisations as proposed by the United States. And finally, Chair, we’ve heard some calls for deletion to references to ransomware, to cryptocurrency theft, and gender. Ireland supports the references to cryptocurrency theft and ransomware as currently drafted in paragraph 19. The language is a factual statement of what states have discussed in this working group, and failing to acknowledge these common preoccupations of many states would be a disservice to the APR and to the function of the group itself to address the most prominent and concerning threats to states. On gender, I’d note a similar concern that if we were to ignore acknowledging a gender perspective in the multilateral work on cybersecurity, we would be ignoring a major achievement of this working group. It is an achievement that is unfortunately rare across the disarmament landscape, that our contributions, and more notably, our contributors, have been more equitably gender-balanced and have helped to better reflect the societal considerations that influence the use and security of ICTs. On that basis, Chair, Ireland supports the reference to the gender perspective in paragraph 25 and in ensuring appropriate reference throughout the APR. Thank you.

Chair:
Thank you very much, Ireland. Israel to be followed by Italy.

Israel:
Thank you, Mr. Chairperson. At the outset, allow me to thank you and to express our gratitude and appreciation to you and your team and to the UNODA Secretariat for the hard work in preparing and steering this process. Israel also appreciates the extensive work undertaken to present us with the Rev. 1 of the APR that can serve, in our view, as a good basis for this week’s work. As is our common practice, the annual report should be based on a solid foundation laid out by the reports of previous GGEs and open-ended working groups and other relevant General Assembly resolutions and the extensive discussions we have conducted through the passing year. Mr. Chair, I will be referring now to the Section B on potential and emerging threats. In our interconnected world, no nation is immune. The recent surge in cyber incidents across the globe, from ransomware attacks tripling critical infrastructure to disinformation campaigns undermining public trust, underscores the urgency of our shared responsibility. These threats not only jeopardize our technological achievements and impact our economies, but also threaten the very fabric of our democratic institutions, our communities, and the global stability. Focus on critical infrastructure, including essential critical information technology, as well as essential services such as hospitals, water infrastructure, and energy supply, are more prevalent. and create a growing risk to human lives and enormous economic losses when they are not properly secured. Building resilience to thwart them and mitigate their effects requires stronger political will, clear vision, concrete actions, and increased cooperation across organizations, sectors, and borders. Considering these threats and challenges, Israel welcomes the reference in the text of the APR to malicious use of ICTs by terrorists and criminal groups in paragraph 13. We are witnessing an intensifying threat posed not only from terror-sponsoring states, but also directly by terrorists, proxy organizations, and other malicious users. The spectrum of malicious actors in this respect has increased significantly. Israel also welcomes the reference made to ransomware, white malware phishing, and Trojan in paragraph 19 of the APR. Israel supports further expansion on these threats in the text to accurately represent the discussions that has taken place in this room, as well as the prominence of these threats, in particular ransomware, that crosses the threshold and becomes a threat to national security. Mr. Chair, now I will be presenting some specific remarks on the paragraph of threat section. Per paragraph 20, we wish to echo remarks made by the Netherlands, Switzerland, Australia, and others that have highlighted the need to reintroduce the sentence recognizing that these tools have also an important and legitimate purposes, and we suggest adding the following language. States recognized that commercially available ICT capabilities have legitimate purposes and contribute significantly to law enforcement and counter-terrorism efforts. Furthermore, in this para, we wish to add the phrase if used in an irresponsible and a malicious manner after the sentence ending with could have implications for ICT security, as well as to suggest to switch between the words use and proliferation so it will read proliferation and use before the phrase potentially malicious as it reflects in our view the right order of things, and we wish to support the Brazilian delegation’s suggestion to exchange the term proliferation in this para with uncontrolled dissemination or any other similar term as we agree using proliferation in this context isn’t suitable. As for para 22 on AI systems, in line with the Australian delegation’s remark and taking into consideration that there are few UN dedicated processes and other professional and special forums dealing currently with AI and its various implications, we suggest limiting the scope of this para as to avoid duplications and to focus only on the AI and cyber nexus. Also we wish to support the Netherlands and others that made remarks on adding a reference to the potential benefits and positive contributions of AI systems to cyber security and cyber resilience. An additional issue we have in the context of threats referred to paragraph 26. Israel would like to join the U.S. and other member states and repeat its position expressed in previous meetings that voluntary norms, international law and CBMs cannot all be characterized as obligations. Voluntary norms by their very definition and nature are not obligatory. CBMs in the context of this open ended working group are also voluntary. We therefore suggest a tweaking of the text that would differentiate between Voluntary norms and CBMs, on the one hand, are obligations under international law. Additionally, we suggest deleting the word any in the first sentence of this para and adding the word could or may before the sentence starting with undermine international peace and security. Finally, Mr. Chairperson, Israel supports the comments made by a few delegations that we are not here to pass judgment on a technology, but rather address its misuse. I thank you.

Chair:
Thank you, Israel, for your contribution. Italy, to be followed by Dominican Republic.

Italy:
Thank you, Mr. Chair, for giving me the floor. Let me first express my gratitude and appreciation for the excellent work done by you, Chair, and by your team. We have one of the third annual progress report is an improvement and provides a good basis for discussion. Italy is committed to a positive outcome of our meeting in order to secure the common ground that already exists and that will be further developed during the current session, while being aware that we would need to continue discussion on a number of issues in 2025 and beyond the mandate of the open-ended working group in order to achieve further convergences. While aligning itself to the EU statement, Italy wants to make the following remarks on a national capacity. First, on the general approach, we want to add our voice to those who have pleaded for more time to be devoted during this session to the POA and to the inclusion in the POA of action-oriented proposals. Second, in paragraph eight and throughout the APR text, there should be a better acknowledgement of the significant contribution of stakeholders to the outcome of our work. Third, concerning threats, in addition to the request of amendments presented by the EU, which we support as a state, we would like to add the following comments. In paragraph 19, concerns about the increasing level of ransomware and their impact, including in the health sector, should be further highlighted. In paragraph 20, as stated by some delegations, it should be clarified the fact that there are legitimate and responsible uses of commercially available cyber intrusion capabilities. In paragraph 22, the positive contribution of artificial intelligence in providing security is worth to be mentioned, as stated by U.S. delegation, Australia, and others. The fourth and final point is about norms. The implementation of norms and the development of new norms cannot be considered at the same level. There are differences in the level of commitment required by member states, and there must be a sequence, starting from an assessment of the implementation, followed by the identification of possible gaps, and closing with evaluation if and how there is room for better elaborate or integrate existing norms. This is to say that this fundamental difference should be reflected in paragraph 30A and elsewhere in the document where appropriate. Thank you very much.

Chair:
Thank you very much, Italy, for your contribution. Dominican Republic to be followed by Switzerland.

Dominican Republic:
for all of the hard work carried out by you and your team throughout the whole process of this open and working group since 2021. Especially, we thank you for the complicated and delicate task of preparing the REV1 of the draft annual progress report of this working group, which we value. We consider that, in general, it is well-balanced and good document. We agree with most of its elements. We also wish to express our best wishes to everyone that we shall achieve this much sought after and yet elusive consensus within the allotted time. As regards some proposals to reduce the size of the document, excluding references or use of the previously agreed text in the first and second progress reports, we don’t see the harm in including this in the report. In addition, given that it is already agreed, as this document grows and evolves, it will accumulate elements that, at the end of our mandate in 2025, will be part of the total work. On sections A and B, we only have three comments for the moment. We will revert to section C and D in a separate intervention. We can support the proposal from the delegations of the US, Mexico, and others on paragraph 16 about replacing the term hamper with the term disrupt. We also do not understand the phrase, such attacks should be tackled by their source means of dissemination and methods of monetization, and so we would appreciate clarification on that. On the matter of AI and other emerging technologies, we think it is very important to implement and strengthen the security by design approach. And finally, we reiterate our commitment to working constructively in order to achieve a consensus document by the end of this session on Friday morning. Thank you very much, Chair.

Chair:
Thank you very much, Dominican Republic. At this stage, I can say that there is an emerging consensus that we should reach consensus by Friday morning. Quite a number of you have referenced that, so that gives me some hope and optimism that we can actually get it done in time. Now, let’s continue with the list of speakers, and that will hopefully get us to as many the rest of the list this afternoon in the time that we have left. Switzerland to be followed by South Africa.

Switzerland:
Thank you, Chair, for giving us the floor again. We would like to comment on the sections on rules, norms, and principles of responsible state behavior and on international law. With regard to the section C on rules, norms, and principles of responsible state behavior, our general view is that we should focus on norms implementation rather than elaborating new norms at this time. The mandate of the OEWG is clear on this point. The group should introduce changes to the existing rules, norms, and principles, or elaborate additional rules of behavior only if necessary. In our view, the draft, particularly in paragraph 30E and J, places too much emphasis on the development of new rules or norms. Many countries have spoken out in favor of implementing the existing norms before developing new ones. This should be presented in a more balanced way in the report. We are also of the opinion that the letter J is partly a repetition of what has already been said in letter I. We, therefore, propose deleting the first sentence of letter J and adding the second sentence at the end of letter I. We welcome that paragraph 30H mentions the crucial role that the private sector plays in promoting openness and ensuring the integrity, stability and security of the supply chain and in preventing the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions. However, private actors not only play an important role in protecting supply chains, but also in protecting critical infrastructures, which should be mentioned accordingly. A large number of critical infrastructures are owned and operated by private actors. We, therefore, propose that the paragraph 30E should also mention trust-based cooperation and exchanges between public authorities and private actors. The second sentence would read as follows. States highlighted that specific protective measures for CI and CII may include the classification of CI and CII, comprehensive risk assessments, ICT awareness and training, adherence to relevant national regulatory requirements and guidelines, as well as trust-based cooperation and exchanges between public authorities and private actors. Mr. Chair, allow me now to turn to the section of international law. With regard to the chapter on international law, we have to conclude that the revised draft has still not managed to reflect the rich discussions that have been taking place during the year and that the text is not yet balanced. In paragraph 36A, the last sentence is a direct citation from the GGE report 2021, paragraph 71B. We would like to have this reflected in a footnote. In letter B of the same paragraph, the POC is reflected as a potential avenue to facilitate dialogue between states for the settlement of disputes by peaceful means. It is surprising for us to have the POC first of all mentioned in this section with such a prominent place. And secondly, Switzerland cannot remember that the POC was discussed by states as a potential instrument for the settlement of disputes. We would therefore like to have this sentence deleted here. What has been discussed by a big number of states and worked on in more than one cross-regional working paper is the need to respect and protect human rights and fundamental freedoms and the application of IHL. Both aspects are a priority for us. I would like to mention especially the working papers on IHL submitted by a cross-regional group of 13 states as well as the cross-regional working paper that proposed concrete text for this year’s APR and that was submitted by Colombia, El Salvador, Uruguay, Australia and Estonia. Even though these two working papers have been submitted by a significant number of states and have also been discussed and referenced a lot, neither of them has been reflected in the REF 1. This is a surprise, an unpleasant surprise. With regard to international humanitarian law, it is of paramount importance to my delegation that the rich discussions and the many voices for the application of IHL during armed conflicts are better reflected in the APR and that there should be a clear reference to IHL. While we welcome the efforts to include references to the protection of civilians and critical infrastructure in the new Paris 36F and G, we deem this language not ideal as it mixes different concepts, usually not applying during armed conflicts. The wording as it currently stands leaves the impression that they may apply at all times. Moreover, the wording should not be limited to activities by states. We just propose to replace them with the following language, which is based on the report of the 2021 GGE and the General Assembly resolution adopted by consensus. It would read as follows. States affirmed that in the context of the use of ICTs, international humanitarian law applies only in situations of armed conflict. They recalled the established international legal principles, including, where applicable, the principles of humanity, necessity, proportionality, and distinction that were noted in the 2015 GGE report, and underscored the recalling these principles by no means legitimizes or encourages conflict. States underlined that international humanitarian law applies to cyber operations executed in the context of and in relation to an armed conflict. They reiterated their shared commitment to protect, in particular, civilian objects, such as critical civilian infrastructure, as well as medical and humanitarian facilities. States recognized the need for further study on how international humanitarian law applies to ICT operations in situations of armed conflict, acknowledging the particularities of the digital domain and of the proposal. This reflects, in our view, factually, the discussions on IHL as part of a broader description of the discussions on other aspects of international law under Para 36. We will gladly send you this language proposal. Finally, we believe that in Para 37, an action-oriented proposal should be included, reflecting that states discussed how IHL applies to cyber operations executed in the context of and in relation to an armed conflict, and that they made concrete proposals to engage in further discussions on how international humanitarian law applies to ICT operations in situations of armed conflict, acknowledging the particularities of the digital domain. In Para 37a, we would like to have reflected that states not just welcomed the active participation of other states. at the discussions on international law, but also of an increasing number of stakeholders. Also, the constantly growing number of legal experts that are participating in the discussions on international law is an important development that needs to be reflected in this paragraph. Also in subsection A, we would like to have the could replaced with should, with regards to the convention of additional intersessional meetings on international law. In subsection B of the same paragraph, could should be replaced with should, with regards to the need to discuss the application of international law with regards to the specificities of the ICT environment. Also in B, the second part of the last sentence that proposed that the discussions on international law may include the question on when malicious ICT activity rises to a level of an armed attack on the international law was deleted. Switzerland is against this deletion. We should not limit the level of ambition of our discussions, especially as this is an aspect of the discussion that is already consensus language. I would like to finally finish with the topic of intersessionals and expert briefings. Switzerland and many other states have often asked for it, and we have had, especially in May, important and rich discussions during the intersessionals based on expert briefings. Therefore, we cannot understand that the recommendation on future intersessional meetings on international law have been deleted. Thank you, Mr. Chair.

Chair:
Thank you very much, Switzerland. I’ve got a list of speakers, but I wanted to address the specific point about intersessionals that some of you have raised. If we are to have dedicated intersessional meetings, we have to take a balanced approach and have them across the board. Next year, we have six months. We meet in December, March, and July. And already the same proponents who had advocated additional dedicated intersessionals meetings were also saying that there are too many proposals and too many meetings, or rather too many proposals for meetings. It’s a question of how many meetings this process can bear collectively. And there were a range of views on that point that was expressed at our last discussions. So there are two things to keep in mind. One, if you want dedicated intersessional meetings, you can’t pick and choose as to what kind of dedicated intersessional meetings. Some of you want dedicated intersessional meetings on international law, and perhaps just on international law, perhaps. Others want international meetings on new norms, for example. Others would also want new, or rather dedicated, intersessional meetings on capacity building. Yes, we did benefit from the participation of experts and stakeholders. But how much time can you collectively give this process? That too is a question you need to answer. Do you wish to have a one-week meeting every month in a period of six months? So we meet in December and conclude in July next year. December 2025 to July – rather, December 2024 to July 2025. Six months. We have three meetings. And that does not preclude additional informal international meetings that we will need, because we have to negotiate the final progress report. And that’s going to become… a huge priority for next year. So if each one of you can guarantee me one week of meetings every month for six months, yes, I’m prepared to countenance dedicated intersessional meetings, provided we have dedicated intersessional meetings across the range of issues. So that is the nub of the problem with dedicated intersessional meetings. It’s not a problem, but it’s an issue that I’m highlighting to you. I’m based in New York. I can have meetings at any time you want. But the signals I’ve been getting is that just too many meetings to handle. Some of you may be able to handle that because you have dedicated experts for dedicated topics. And Switzerland would be a good example of that. Your lawyers, especially in the field of international humanitarian law, are legendary. There are so many of them. So you can send different people to different dedicated intersessional meetings. But there are so many smaller delegations who are not able to deal with all the different meetings, intersessionals, informal sessions, town halls, virtual consultations that may be needed next year. So give some thought to that. How many meetings do you want next year? How often do you want to meet each other? Let me know, and we can sequence it in a time schedule. But keep in mind we have exactly six months. So Switzerland, since you said you could not understand why it was deleted, I’ve made an effort to explain to you. Hopefully you and others can understand. But if you have a consensus on the number of meetings you would like to hold next year, then we can revisit that question. So let’s continue with the speakers’ list. South Africa to be followed by UK, and then El Salvador and the United States. South Africa, please.

South Africa:
between the implementation of the voluntary non-binding norms and the development of additional ones. And in this regard, we support the inclusion of paragraphs 30I, 32, and 33 in the draft third APR. We are encouraged by the common interest of all member states to strengthen measures to protect critical infrastructure and critical information infrastructure. We view the checklist of practical applications for implementation of voluntary non-binding norms attached as Annex A as a useful guidance tool that a state may choose to use or not depending on their capacity and specific needs. We support the adoption of this annex on the condition that it is voluntary and non-binding. We agree with the recommendation that interested states and regional organizations could submit further information on their experiences in implementing the norms. Chairperson, member states have reaffirmed in both the first and second OEWGs that international law, in particular the Charter of the United Nations, is applicable and essential to maintaining peace, security, and stability and promoting an open, secure, stable, accessible, and peaceful ICT environment and have continued discussions on how international law applies to the use of ICTs. With regard to international law, the principle of non-intervention, directly or indirectly, in the internal affairs of other states is one of the foundations of the UN Charter. In addition to this, the link to international humanitarian law is critical to our understanding of how a state can claim protection under international law. The safeguarding of CI and CII are fundamental government responsibilities. And we support your recommendations to continue discussions between member states and include presentations by academic and research institutions in developing understandings of international law. We thank you for the inclusion in 37A of a reference to the International Law Commission. We look forward to engaging further in intersessionals with legal experts, including during the mandate of the future permanent mechanism. I thank you.

Chair:
Thank you. South Africa. UK, please.

United Kingdom:
Chair, as it is the first time I have taken the floor, may I begin by thanking you and your team for your work developing this APR and emphasize our commitment to seeking consensus this week. The existing and potential threats section of the APR demonstrates the high quality of our discussions this year and is an important illustration of the range of challenges faced by states globally. Chair, we support the amendment to paragraph 16 on the threat to international and humanitarian organizations suggested by several states. In relation to ransomware in paragraph 19, after the third sentence we would like to insert the following sentence. Stealing and encrypting data is the primary tactic cyber criminals use to maximize profits. However, data extortion attacks in which data is stolen but not encrypted are a growing trend. Full stop. In paragraph 20, we support the reference to commercially available ICT intrusion capabilities. We had a rich and substantive discussion on this topic this year with many states expressing concern with the potential misuse of commercial capabilities and acknowledging that this is a new and growing challenge requiring an international response. Regarding proliferation of ICT intrusion capabilities by states raised by Nicaragua, Quote, state and non-state actors, end quote, is already included in the paragraph and we have an agreed norm addressing proliferation by states. The particular concern raised by many states this year was in relation to the recent growth of the commercial market for such intrusion capabilities and possible impacts on international stability. We support the reinsertion of the previous text regarding legitimate use already requested by several states or the amendment proposed by the Netherlands to recognize legitimate use of such capabilities consistent with international law. We welcome Pakistan’s suggestion to include hardware and software in this paragraph and propose this could be further strengthened by referencing the market for hardware and software vulnerabilities specifically. In the last sentence of paragraph 21 on emerging technologies, we would like to replace the word combinatory with intersection, so the full sentence reads, risks could also be exacerbated through the intersection of new technologies. We feel this language better describes the nature of the possible cyber security risks from new technologies. In paragraph 22 on the cyber security of AI systems, after the first sentence ending with the words ICT security, we would like to add the following sentence. States noted that ICT security is an essential precondition for the safety of AI systems and also recognized that AI may offer opportunities to improve ICT security. This could address the request made by several states to reflect the positive impact of AI on ICT security. The next sentence reads, furthermore, states also highlighted that artificial intelligence could be harnessed to enhance the speed and accuracy of ICT. operations and to enable autonomous ICT attacks over which the initiators may not have full control. The UK’s technical assessment is that this sentence mischaracterizes the future impact of AI on cyber security threats. We would like the second half of this sentence to read, furthermore, states also highlighted that artificial intelligence is likely to increase the volume and heighten the impact of cyber attacks through the evolution and enhancement of existing tactics, techniques and procedures. In the next sentence we would like to add the word may as a qualification so the sentence reads such operations may increase the risk of cascading effects. On norms, the drafting of a practical norms implementation checklist is a positive step to advance the implementation of the framework. Whilst we understand the drafting choices made to create a straightforward checklist we note that there is valuable content in the 2021 GG report that is not replicated in full. We propose an additional sentence is added to the end of paragraph 30C reading states also recognized the guidance on implementation provided by the 2021 GGE report as a useful tool for states. Regarding the norms section in the main body of the report, in paragraph 30H regarding the role of the private sector we propose to add the following sentence. In this context, states outlined the role of the private sector in preventing the introduction of harmful hidden functions and the exploitation of vulnerabilities in ICT products that may compromise the confidentiality, integrity, and security of ICT products. and availability of systems and networks, including in critical infrastructure. In 30J, in the opening sentence, we propose replacing the words had an in-depth discussion on the need to further develop with continued to discuss and inserting an additional sentence at the end, which would read many states considered that the existing voluntary non-binding norms continued to be sufficient and the need for the development of additional norms had not been demonstrated. This, in our view, is a necessary reflection of the discussions that we have had over the past year and would not involve amending a consensus paragraph. We propose deletion of paragraph 33. States have a right to submit working papers at any time on any topic and can always submit such proposals for the consideration of this OEWG. Those states that wish to provide detailed proposals for new norms are free to do so and some already have. The proposals that we have seen to date have received limited momentum at this OEWG. In this context, we do not think it is necessary to have a dedicated exercise. My delegation would like to make a statement on international law, but with your indulgence, and given I have already spoken at some length, we will make those remarks tomorrow. Thank you, Chair. With your indulgence, Chair, we would request to make our international law statement at a later time. Thank you.

El Salvador:
We express condolences to Brazil with the loss of Mr. Duarte, which is a loss also to the international community. As expressed in March, we welcome the list of the practical checklist for implementation, especially we recognize the technical gaps, especially in developing countries, which slows down effective application of norms. We recognize that implementation of norms can be complementary to the gradual development of additional norms, as highlighted in the report. The implementation and development are not mutually exclusive and can take place in parallel. For us, multi-factor authentication and software updating are basic safety procedures and they can significantly increase the security of ICTs. We note that this has been removed from Rev. 1 and we would ask for your consideration to reintegrate this into the report. On international law, we welcome the inclusion of paragraphs 36A to G that address ICT that may be a violation of international obligations and protection of civilian goods, such as critical infrastructure and critical information infrastructure. We also recognize as being significant the separate mention of the obligation of states on the protection of civilians under international humanitarian law and we hope this will be reflected in the final report. For my country, deepening debates on emerging issues and how the trans-boundary nature and anonymous nature of some ICT operations fit into the framework of international law is extremely relevant. However, we also think it is important to continue deepening discussions on how malicious use of ICTs can reach the level of armed attack according to international law as covered in the Zero Draft. What I have just said fits in with the proposal for debates based on scenarios drafted by academic institutions and UNIDIR. Thank you.

Chair:
Thank you, El Salvador, for your contribution. United States to be followed by Nigeria.

United States:
Thank you, Chair. As many states have noted, we still have much work to do to implement the existing consensus norms. There has been a deep emphasis from states this year on norms implementation, including the recognition that the existing consensus norms are useful in dealing with emerging cyber threats. To reflect this active focus on implementation, we propose adding a paragraph to follow the current paragraph 30B that uses consensus language from paragraph 27 of the 2021 OEWG final report. That new paragraph would read as follows, quote, in this regard, states affirmed the importance of supporting efforts to implement norms by which states have committed to be guided at the global, regional, and national levels, end quote. We also welcome the inclusion of the voluntary norms implementation checklist in this year’s report and fully support the call in paragraph 32 for interested states and regional organizations to submit additional materials. We suggest adding to this paragraph an invitation for states to share information about their national experiences implementing specific norms with a priority focus on the critical infrastructure norms, 13F, G, and H. These experiences and lessons learned can help guide and deepen our conversation on this topic over the next year and transition our group to the more practical conversations on norms. implementation that we also envision will be a feature of the future mechanism. Chair, in contrast to the interest we’ve heard on implementation of norms and related capacity building, we have seen very little traction for new norms proposals. From a practical standpoint, we consider the introduction of proposals for new norms with a mere six months’ working time remaining in the mandate of this OEWG to be unproductive. We suggest that paragraph 33, which cites to the non-consensus 2021 OEWG chair’s summary document, be deleted to avoid introducing a time-consuming distraction. Our efforts will be better spent in 2025, ensuring the continuity of institutional dialogue within the UN on norms and the other elements of the existing consensus framework. We are also concerned by the sequencing of the paragraphs in this section, which implies that norm development should happen before implementation. To more accurately reflect discussions this year and the natural chronology of work, the norms section should be reordered to make clear that the development of any new norms would flow from the implementation of the existing consensus norms. States have observed that the need for and identification of new norms will become clear once we engage in more fulsome efforts to implement our existing norms. Therefore, paragraph 30A should be moved to follow paragraph 30C. We also support Canada’s proposal to delete the second sentence of what is currently paragraph 30A, as this is neither consensus language nor a reflection of consensus generated this year. Finally, Chair, we agree with Switzerland that the text in paragraph 30J is a rephrasing of the language and a repeating of the concepts at the end of paragraph 30I, making it unnecessary. We request that paragraph 30J be deleted. Moving on to international law, we appreciate the Chair’s efforts to reflect the robust discussions that have taken place within the OEWG this year. on international law. In particular, states’ reaffirmation that international law applies to their use of ICTs, that we would have liked to see greater reflection of the working papers on international law in IHL, submitted by cross-regional groups of states. We respectfully request the following edits. On paragraph 30A, we do not understand why consensus language from paragraph 71B of the 2021 GGE report has been edited, and request that the phrase, quote, and international norms and principles that flow from sovereignty, end quote, be reinserted. Regarding paragraph 36B, we appreciate the important role that the UN POC network can play in facilitating communication between states for a variety of cyber purposes. However, we do not believe it is appropriate to include a reference to the POC network in this paragraph, as the POC directory is primarily intended to facilitate effective management of specific ICT incidents that may still be unfolding. As reflected in Article 33 of the UN Charter, dispute settlement involves diplomatic engagement, such as inquiry and negotiation, and potentially such tools as mediation, conciliation, arbitration, or judicial settlement. The POC directory is not the appropriate mechanism for engaging in dispute settlement, and the APR should not suggest it has some special status in this regard. The United States strongly supports the importance of critical infrastructure protection, and states’ compliance with their international legal obligations in their use of ICTs. However, and as others have noted, the language in paragraph 36F is overly vague, as it appears to gesture towards states’ obligations under IHL, without actually making that clear. We suggest clarifying the paragraph by inserting, quote, and civilian objects. unquote, after the word civilians and inserting the word humanitarian between the words international and law. These edits would clarify what appears to be the intended meaning of this paragraph and would avoid the potential confusion that could arise from a less precise reference to the applicable law. In addition, as others have noted, paragraph 36G appears to incorrectly assert the existence of a specific international law obligation to protect critical infrastructure. We support Switzerland’s proposal to clearly reference IHL in this regard. Discussions on international law within the OEWG have been engaging and productive, and we support the report’s inclusion in paragraph 37A of the proposal for an additional intersessional meeting on the topic. We also recognize the value that briefings from experts with legal expertise can contribute to these discussions. For that reason, we believe that the APR should specify that experts briefing any additional intersessional meeting on international law should be legal experts. We would also support a reference to legal experts from academia and think tanks in addition to experts from the ILC as potential resources for this group’s discussion of international law. Finally, we believe paragraph 37B’s reference to the transborder nature and anonymity of some ICT activities incorrectly implies that existing international law does not address transborder ICT activity. In fact, international law, including the law of state responsibility, does already address transborder activity, including when such activity involves attempts at masking the identity of the actor. More to the point, however, the challenge presented by malicious actors’ use of anonymizing techniques is a technical issue, not a legal one. Accordingly, we request deletion of this line. Thank you, Chair.

Chair:
Nigeria, to be followed by the European Union.

Nigeria:
Mr. Chair, allow me to commend you and your team for the laudable efforts in producing this reversed draft of the Todd Annual Progress Report of the Open-Ended Working Group on Security of and in the Use of Information and Communication Technologies 2021-2025. You can count on Nigeria’s support and cooperation throughout this process. This latest draft annual report has indeed demonstrated the powers of negotiations and consensus in achieving our mutual interest of safeguarding global cyberspace. The document encompasses cross-cutting issues and touches on agreed languages. However, there is room to improve on the document, especially to encapsulate the overall objective of protecting the cyberspace from malicious actors. Chair, in line with paragraphs 14 and 15, my delegation suggests a comprehensive international framework on harmonizing existing and potential cyber threats through collaboration among states’ computer emergency response teams. The collaborative framework would include strategic planning in anticipation of attacks to aid in reduction and mitigation of future attacks. This would require constant observation of new technological intruder activities and related trends to help identify future threats. An intrusion detection system would also be installed in a system of critical infrastructure and critical information infrastructure to detect suspicious activities. Vulnerability assessments and penetration testing are equally crucial to aid early detection of intruders. The implementation of the above suggestion would require capacity building for the SET personnel in developing countries to enable early detection of vulnerability in order to deploy preventive tactics to safeguard the information system of their CI and CII. Such capacity building under the auspices of international framework would in the long run reduce the technological dependency gap between the countries of the northern and southern hemisphere. Finally, Mr. Chair, we recommend the development of indigenous technology among emerging economies to reinforce local knowledge in protecting their cyber domain against malicious activities. I thank you, Chair.

Chair:
Thank you very much, Nigeria, for your contribution. European Union to be followed by Morocco. EU please.

European Union:
Thank you very much, Chair. Please allow me to bring you both the comments by the EU and its member states on the norms as well as the international law section. The EU and its member states would like to thank you, Chair, for driving the open-ended working group discussion on the implementation of the norms of responsible state behavior and for enabling us to deepen our common understanding on these norms. While we have made significant progress, as should be reflected in the APR, we still have work to do on implementing the existing norms and to incorporate its implications and practices into our national policies and legislation. Against this background, we strongly support the proposals made to incorporate the implementation of the norms of responsible state behavior in the APR as well as welcome the reflection of the checklist of practical actions for the implementation of these norms of responsible state behavior. Also as mentioned by other delegations, the 2021 GGE report provides a good basis for further efforts to implement and therefore needs to be flagged in this report. Our urgent task now is to absorb what we have agreed until now, and the implementation of existing norms will also determine if and whether a reflection on developing new norms is actually needed. In order to make sure that we set our priorities, the report should present these distinctions in the right order, and we therefore suggested redraft paragraph 30A and I and delete 33. Regarding existing norms that we could further examine, we underscored a need to focus on norms 13C and 13C. F, G, and H, calling for the protection of all critical infrastructure supporting essential services to the public, as well as the cooperation between states for this purpose. Malicious cyber activities require a whole-of-government response, as they have the potential to affect a nation’s economy, society, and national security, as well as individuals. We therefore welcome the recommendation in the checklist to put in place cooperation between national cybersecurity authorities and the diplomatic community, such as under Norm B. As regards Norm’s implementations, regional organizations have already done a lot of valuable work on which all states can benefit. For example, the work of the ARF and the OSCE on the protection of critical infrastructure, and the work of ASEAN on the Norm’s roadmap, as well as the work of the OAS in continuously enhancing the resilience of their membership. A continued in-depth change between the open-ended working group, as well as regional organizations, is therefore essential. And we would like to see the second sentence of the former paragraph of 30 to be reinstated. In this regard, the open-ended working group chair could invite relevant experts from regional and sub-regional organizations, businesses, non-governmental organizations, and academia with due consideration given to equitable geographic representation to give briefings at these discussions. We also welcome the recognition of the crucial role that the private sector plays in strengthening cyber resilience, as the vast majority of ICTs and related services are provided, maintained, and used by private actors and civil society. One of the key elements to protecting and identifying critical infrastructure from ICT threats is therefore establishing a trusted exchange between critical infrastructure operators and relevant government authorities, which ultimately must be involved in the effort to successfully implement norms. Also, the regular institutional dialogue should therefore give high priority to the cooperation with and involvement of the multi-stakeholder. community. Mr. Chair, these are just mere examples of where we see the possibility to further strengthen our cooperation, building on your norms checklist. Discussions on the implementation of norms will not only make exchanges more effective, but will also enable us to increase our concrete efforts to enhance cybersecurity. Dear Chair, with regard to international law, we underline, as many others have done before, that activities in cyberspace are subject to law, and that international law applies online as it does offline. Denying the existing constraints on state’s activities in cyberspace undermines the work of the UN to date, and risks international security and stability. Our task ahead is to implement and to consider how the existing obligations apply, rather than to rush into more obligations. Needless to say, not undertaking malicious cyber activity that run counter to these obligations is our first task. In this light, Mr. Chair, let me turn to some specific textual proposals. International humanitarian law occupied a significant place in our discussions on international law in our last year’s work. Of particular note in this regard is the cross-regional working paper submitted by 13 UN member states in March 2024, which underlined that IHL applies to cyber operations executed in the context of, and in relation to, an international or non-international armed conflict. We welcome the cross-regional paper submitted by Australia, Colombia, El Salvador, Estonia, Uruguay, which very well captured the key elements of what have been discussed in the Open-End Working Group, including those related to IHL, international human rights law, and the law of state responsibility. To further reflect our discussions and make progress on this important issue, reflecting the discussions over this last year, we propose the additions of a paragraph under paragraph 36, between the letters E and F. Quote, reaffirmed that international humanitarian law, including the established international legal principles of humanity, necessity, proportionality and distinction, applies to cyber operations executed in the context of and in relation to an armed conflict. Consistent with IHL, parties to an armed conflict must not conduct cyber attacks against civilian objects or civilians. Acknowledging that international humanitarian law applies to the use of ICTs in armed conflict does not in any way encourage or legitimize armed conflict.” And to add an initial paragraph that the Open-Ended Working Group, quote, reaffirms the uses of ICTs by states that breach their international legal obligations amount to international wrongful acts, for which those states bear international legal responsibility. Responsible states are under an obligation to make full reparation for the injury caused by international wrongful acts, unquote. We would also like to include the language in the section on concrete action-oriented proposals, paragraph 37, quote, States made proposals on how to continue discussions on the application of international humanitarian law to cyber operations in situations of armed conflict. These proposals are crucial to ensure that states find common understanding of how IHL applies to cyber operations incurring in that context, unquote. Further regarding paragraph 36, in the subparagraph A, we would like to extend the paragraph with a sentence, quote, The exercise of such jurisdiction is subject to state obligation under international law, including international human rights law, unquote. And in addition to international humanitarian law, the Open-Ended Working Group devoted significant attention to the principle of due diligence in its deliberations. And we call upon you to also reflect these deliberations in the 2024 APR. Furthermore, we support paragraph 8, which calls for a full intersessional meeting with the participation of legal advisors that have to further discussions and build on the current momentum. We are of the view that a dedicated international meeting over several days on this issue later this year would help carry it forward. The detailed and focused discussions held in this room over the past years, together with the volume of national statement detailing national views on the application of international law to cyberspace, as well as the consensus view in the 2021 Open Ended Working Group report on its application, show the need and willingness to continue exchanging detailed views on how international law applies in cyberspace. We also like to add our voice to the many others who have called for scenario-based discussion on how international law applies, as it provides a practical way to continue to build common understandings. It is a valuable exercise to exchange these views and ascertain these common understandings regarding our legal obligations. Mr. Chair, we look forward to our continued discussions on this important matter and thank you again for your efforts on this.

Chair:
Morocco to be followed by Slovakia.

Morocco:
Mr. Chair, allow me at the outset to thank you for convening the eighth substantive session of the OEWG and congratulate you, your able team and the Secretariat for the considerable progress that we have been able to achieve during the last years in terms of promoting an open, safe, secure, stable, accessible and peaceful ICT environment. Morocco welcomes the rev1 of the third annual progress report that captures different views of Member States in terms of progress made and proposes a set of concrete actions and cooperative measures to counter threats related to ICTs. In this regard, we would like to share the following comments. Besides the traditional forms of cybercrime that were perfectly mirrored in the APR tree, we recognize the rise of new technologies such as AI, quantum systems, and cloud computing representing new security challenges that need to be anticipated. In this regard, Morocco recognizes the importance of protecting and securing sensitive data, essential services, and critical infrastructure. Given their changing and evolving nature, it is understood that our common efforts must continue to raise awareness and improve the understanding of these threats while promoting the development and implementation of more cooperative measures and initiatives to strengthen the cyber capabilities of member states, namely in Africa. Regarding the norms, rules, and principles related to the responsible behavior of states, Morocco is aware of the unique and evolving characteristics of ICTs and considers that the development of new measures and the implementation of the existing ones can occur simultaneously. This dual approach would address emerging challenges while strengthening the current framework, thus ensuring comprehensive and agile protection. My country welcomes the development of a checklist for the implementation of the 11 non-binding norms. However, we believe that it is essential to take into account national specificities and the level of maturity achieved during the upcoming evaluation exercises that will be conducted based on this list. Hence, allowing the appropriate and gradual adaptation of the norms to national context and needs. We took note also of the fact that the APR 3 emphasizes particularly two main norms at the expense of others. One, the protection of critical infrastructures, and two, ensuring the integrity of supply chain. This choice could lead to imbalance in the structure of the report. We believe that addressing the other norms would not lack relevance. Regarding CBMs, Morocco fully supports the adoption of the Global Directory of Points of Contacts as an essential action-oriented CBM, considering it as one of the flagship achievements of the OEWG. My country has already nominated its diplomatic and technical POCs, convinced that this mechanism will be the appropriate platform to enhance interaction and cooperation between member states, ensure coordination, and improve the effectiveness of interventions in cybercrisis, and also assessing countries in conflict resolution by promoting dialogue and minimizing undersendings. Concerning the list of voluntary global CBMs outlined in Annex B of the APR, it is important to emphasize that given the constantly evolving digital environment, these CBMs will need to be periodically reviewed and adapted. In terms of capacity building, Morocco welcomes the initiative for developing a global cyber security cooperation portal presented by India, as well as the initiative for creating a cybercapacity building catalogue presented by the Philippines. We also encourage the initiative to establish a voluntary UN Special Trust Fund for ICT Security aimed at supporting the participation of national representatives and experts, particularly those from developing countries, during the OEWG upcoming meetings. Regarding regular institutional dialogue, Morocco believes that recurrent and structured discussions under the auspices of the UN on the security of ICTs could promote conflict prevention in the digital environment and enhance trust between Member States. It is therefore crucial that countries action beyond 2025 on this matter, aiming to monitor decisions and commitments made within the current OEWG on a conscious basis for establishing a framework for responsible state behavior in cyberspace. The international community must progress on several fronts to ensure a secure and resilient cyberspace. In this regard, it is critical to focus on protecting critical infrastructures, assessing risks and threats, and building capacities, promoting regional and international cooperation and information sharing. These areas of action are aligned with our national security strategy and are considered as priorities to be included in the agenda of the future mechanism. To conclude, Mr. Chair, I can assure you of Morocco’s full support and constructive engagement to adopt the APR3 by consensus and ensure a seamless transition that we all hope from the current OEWG to the future permanent mechanism. I thank you, Excellencies.

Chair:
Thank you, Morocco.

Slovakia:
Slovakia aligns itself with both statements delivered by the European Union. Still allow me to make some further remarks in my national capacity. We welcome the proposal to adopt a third annual progressive board of the Open-Ended Working Group. Slovakia, as many other countries since the adoption of the second APR, has faced an increase in ransomware attacks, which targeted at various sectors. We have also seen efforts to improve the attackers’ techniques for the purpose of faster and more effective data exfiltration, among others. We are increasingly dealing with incidents of ransomware being used as a service, and the fact that manuals as to how a ransomware attack can be carried out are now more widely accessible. We therefore welcome this mention in the report, as the threat of ransomware today cannot be separated from our discussions about a global ICT environment. Still on threats, Slovakia would welcome an addition to the paragraph 22 on the use of artificial intelligence. While the paragraph outlines ways in which new and emerging technologies could be misused to carry out malicious activities, the text warrants a bit more balance in what the AI could do for the enhancement of national cyber ecosystems and what we can expect from it moving forward. These could include possible improvements in fields such as, but not limited to, data and incident analysis and identification of potential vulnerabilities. Now moving on to the section C, specifically referencing paragraphs 30I and 30J. With the repeated call for a full adherence to the normative framework and implementation of existing commitments, the question of development of new norms appears rather premature, as it is also in the middle of our discussions on how best to draft a norms implementation checklist for the existing norms. In this sense, we would like to propose a small amendment to the text in paragraph 30I, where it says, quote, states further propose that a current OEWG could continue its discussions on the need to develop additional norms, unquote. We propose replacing the word need with possible development of additional norms. This way, the text would draw on the last year’s APR, would reflect the discussions we have had on the topic since its adoption, and would better align with the overview section as well. We support a proposal made by the U.S. on the reordering of the paragraphs in this section to emphasize the implementation element. We would also like to add our voice to those statements that suggested incorporating the mention of the program of action to this very section. Finally, we would like to commend the various relevant stakeholders for their work in elaborating the existing norms and for being active in raising awareness in this area. Therefore, we would welcome the addition of a mention of interested stakeholders to paragraph 32, where it says, quote, interested states and regional organizations are invited to submit to the UN Secretariat any additional materials which states could use along with the checklist to assess their implementation of rules, norms, and principles, end of quote. To this end, I will save Slovakia’s comments regarding the regular institutional dialogue and proposed cyber capacity building initiatives for later when we can discuss those sections of the report in a greater detail. Thank you.

Chair:
Thank you very much, Slovakia, for your contribution. Malaysia to be followed by Belarus.

Malaysia:
We would like to comment on section C and section D of this third APR report. First, on section C, rules, norms, and principles of responsible state behavior. Malaysia supports Switzerland’s proposal for inclusion of public-private partnership in paragraph 30E. Malaysia welcomes the language in paragraph 30G on the importance of security by design. Nonetheless, we take note of the proposal by China earlier in section B to replace security by design with security through life cycle and are open to exploring suitable language in this regard. Malaysia also welcomes Paragraph C on the Checklist of Practical Action for Implementing Voluntary Non-Binding Norms of Responsible State Behaviour in the Use of ICTs. We share the view that checklists in the NXA should be regarded as a living document. Malaysia further supports the recommended next steps in Paragraph 32 in order for the checklist to serve as a voluntary capacity building tool and guidance for states to further implement the norms. We believe the checklist is sufficiently broad and flexible to allow for implementation by states according to their respective priorities and interests. Mr Chair, in support of the implementation of the Voluntary Non-Binding Norms and the development of related capacities, ASEAN has developed the Regional Action Plan metrics. As mentioned by Singapore, we are planning to complement this initiative by completing the ASEAN Norm Implementation Checklist, intended as a reference for all the ASEAN Member States vis-à-vis actionable steps in building common understanding regionally on mutual expectations. Furthermore, the checklist includes suggested capacity building activities to support the implementation of norms by the ASEAN Member States. A workshop in collaboration with UNIDIR is scheduled for the end of July and finalisation of the checklist will be reported at the upcoming ASEAN Cyber Security Coordinating Committee meeting later this year. Malaysia believes the steps taken by ASEAN to implement the norms as instructed by the ASEAN leaders in 2018 could also help identify gaps in the existing norms and further assist in the development of new norms in the future. Like Canada and El Salvador, we would like to request reinstatement of the paragraph on basic ICT hygiene. The widespread of adoptions of ICT hygiene best practices will enhance state’s ability to detect, defense against, and respond to and recover from ICT incidents. Moving to the section on international law, Malaysia appreciates the reflections of the rich deliberations on international law we have pursued under this OEWG. We support the proposal in paragraph 37 and are pleased with the emphasis on capacity building in ensuring the equitable participations of states in the development of common understandings on how international law applies in the use of ICTs. This includes the continuations of track 1.5 scenario-based exercises. In this regard, Malaysia supports the recommended next step in paragraph 38 to 41. Thank you, Chair.

Chair:
Thank you very much, Malaysia. Belarus, please.

Belarus:
Mr. Chair, first of all, please allow us to thank you and your team for the very important work you have done to ensure the conditions for the continued negotiating process within this working group and also for a timely dissemination of the draft third APR of the open-ended working group on security in the use of ICT for 21, 22, and 25. Please be assured of the full support to you from the Republic of Belarus. We are convinced that under your leadership, states will be able to reach the needed progress in the course of the current session. We agree with what was said by the distinguished representative Nicaragua on behalf of like-minded states when he talked about the revised draft third APR. The text is voluminous. We propose it be streamlined, inter-alias so as to make the negotiating process easier and to emphasize the provisions on the future of the permanent mechanism which we have in Annex C. Given all of that, we’d like to say that we support Russia’s proposals to delete or abridge some of the provisions. We are concerned by a certain imbalance in the draft towards the rules, norms and principles of responsible behaviour of states in the ICT. We have nothing against the chair’s proposal of a checklist of practical actions for the implementation of voluntary non-binding norms of responsible state behaviour on the ICT in Annex A as was recommended in line with the second APR, but this issue in our view is something that needs to have a more detailed discussion in the course of the upcoming session of the Working Group. We therefore propose that this be postponed to next year so that we have a possibility to complete its analysis nationally and then let it be introduced to the OEWG for its consideration. The existing widely acknowledged norms and principles of international law enshrined in the UN Charter could be applied in the ICT, but they did not contain the specific conditions for such applicability. We therefore think that the practical aspects of their use in ICT should be regulated in a special universal international legal document which would specifically provide for the criteria of the use of existing international law norms in ICT and would state specifically that there is a need to develop new provisions under contemporary conditions. We continue thinking that the IHL norms in situations of armed conflict are not sufficient for ICT use. We would like to recall here that a number of states, including Belarus, put forward the idea of a UN Convention on International Information Security. The use by individual actors of numerous instruments in ICT as a means of information counteraction gives rise to unprovable accusations, deniability, and leaks and fakes. And systemic ignoring of disinformation, a responsible approach to databases, improper security for ICT products is the reason for many criminal acts. We share China’s concern when it comes to what they said about disseminating information attributing malicious ICT. This could undermine trust and lead to confrontation. We therefore think that the relevant wording should be reflected in the section we have on current and existing potential threats. We also think that the transfer of cyber weapons and other weapons technology by governments of some countries is a source of crimes in the ICT area. The norms having to do with the concern with such behaviour should be more clearly reflected in the report. We are against wording which leads to politicised rhetoric and which could also potentially be grounds for interference in the internal affairs of states. When it comes to the new mandate of the Open-Ended Working Group we support the existing scope within the framework of existing potential threats, rules, norms and principles of responsible behaviour, international law, confidence building measures and capacity building. These components are a result of a fragile and precious balance arrived as a result of many years of intensive negotiations. The structure of future mechanisms should be based on agreed and widely accepted elements. Mr Chair, we are committed to achieving consensus on the draft annual report and Belarus is ready to constructively participate in the negotiations. I thank you for your attention.

Chair:
Thank you very much, Belarus, for your contribution. It’s almost six and I want to wrap up in time but I want to give the floor before we close to the ICRC which has asked for the floor.

ICRC:
Ambassador Gafoor, Ambassador Gafoor, Excellencies, dear colleagues, the International Committee of the Red Cross is grateful for the opportunity to take part in this eighth formal session to share its views on the draft of the annual progress report. Mr Chair, as reflected in the section on existing and potential threats, A number of states are developing ICT capabilities for military purposes. Such capabilities have already been used in conflicts in different regions, and the use of ICTs in future conflict is becoming more likely. As the draft report states, ICT capabilities are used by states and non-state actors and pose particular risks to critical infrastructure, including medical facilities. The report’s description of ICT threats reflects today’s reality. In the interest of international peace and security, and to protect civilian population during armed conflict, however, we urge delegations to strengthen the report on two points. First, the ICRC welcomes the expression of concern by malicious ICT activities targeting international and humanitarian organizations. If our ICT systems are disrupted, and if trust in our services is undermined, our ability to provide humanitarian services to people affected by armed conflict and violence is severely compromised. We support the requests by several delegations for the APR to be clear on this point. As agreed by the Security Council in a recent resolution 2730, malicious ICT activities can disrupt relief operations and undermine trust in humanitarian organizations. This language is clearer and stronger than the current paragraph 16. We are heartened and would encourage the proposals by states to adapt paragraph 16 accordingly. Second, on the section on international law, the ICRC strongly supports all mentions of the UN Charter rules and principles that prevent armed conflict, in particular the prohibition of the threat or use of force between states, and the obligation to settle international disputes by peaceful means. We believe a stronger reference to the legal rules that protect civilian populations in armed conflict is needed and would strengthen the report. Over the past years, many delegations have stated in this group as well as in the written positions that in times of armed conflict, civilian objects are protected against all types of attack, whether cyber or kinetic. In this respect, we believe at a minimum that paragraph 36F should be strengthened to refer to civilians and civilian objects and be clear that in times of armed conflict, their protection comes from international humanitarian law. In a report in which all states recall that malicious ICT activities are conducted by belligerents, reaffirming international humanitarian law rules is a necessity. As the draft report emphasizes, reminding all those who conduct cyber operations of their obligations cannot be seen as encouraging their conduct or justifying a violation of the UN Charter. Finally, the draft report also notes the possibility of future elaboration of additional binding obligations. This is an important topic that requires careful consideration. As we emphasized in March, in our view, additional rules may be needed to strengthen the protection of civilian populations in armed conflict if existing rules of international humanitarian law are interpreted in ways that undermine the protective function of IHL in the ICT environment. To conclude, Chair, discussions over the past year have provided you with a strong basis to include a clear statement on the protection of civilians during armed conflict. We have heard strong statements on this issue from regional groups, from cross-regional groups, and from many individual delegations. I thank you.

Chair:
So, a few quick, brief comments. First, I want to thank everyone who has taken the floor today, morning as well as afternoon. I think it’s a very good, productive, constructive beginning to our week-long process this week. Thank you very much. I also want to thank all of you and commend you for coming with very specific textual comments and proposals and edits. And I think that is the kind of approach that we need to adopt if we are to find convergence. Now, this does not mean that every textual amendment that is proposed can be accommodated, but that is the frame of mind that we need to be in, in order to get to consensus. Now, there have also been proposals for deletions and reinstating previously deleted paragraphs from the Zero Draft. Now, what was deleted from the Zero Draft was deleted because of comments, objections received from delegations. So there was a reason behind the changes made to Rev. 1. And some of you have asked for reinstating paragraphs, which will introduce again the whole challenge of if we introduce deleted paragraphs, what then? Will that make it more acceptable? Will that bring us closer to convergence? Will that bring us closer to balance? I mean, that is the challenge. So keep that in mind as well as you prepare for tomorrow’s comments and interventions. But I want to thank all of you for your very constructive engagement today. And I also… I want to thank all of you for the very concrete suggestions. Let’s keep that going, and because all of you have been so good, so wonderful, I’d like to invite you all to a cocktail reception this evening. It was previously circulated, so it’s agreed language in the invitation. All of you are invited today to a reception at the Singapore Mission at 318 East 48th Street. So I’ve always said that receptions and lunches are also confidence-building measures. It’s an occasion to talk to each other, so I look forward to seeing you all at the Singapore Mission at 6.30. We’ll give you some time to wrap up and get over to the reception. So tomorrow morning we will begin with the speaker’s list, and tomorrow we will transition as well to sections E on confidence-building measures and section F on capacity-building in the morning, and in the afternoon we will take the section on regular institutional dialogue. Those of you who are speaking tomorrow, please come prepared to address the relevant sections, and please be succinct in your interventions, and also please keep the option of sending your more detailed comments directly to the Chair and the Secretariat so that you don’t feel obliged to read out the entirety of the statements that you have prepared or your lawyers have vetted for you from Capitals. You can send the full text to me, but you can present a succinct version and share it with the working group tomorrow. So with that comment, I once again thank all of you, and I also want to thank the interpreters for giving us a few extra minutes. Thank you all and have a good evening.