Ambassador Gafoor
Excellencies, distinguished delegates, the sixth meeting of the first substantive session of the Open-ended Working Group on security of, and in the use of information and communication technologies, 2021-2025 is called to order. I apologize for beginning the meeting late, I had been engaged in informal consultations. I’d like to continue with the list of speakers that we’ve had from this morning, with regard to topic two of agenda item five, relating to rules, norms and principles of responsible behavior of states. We have a list of speakers who have yet to take the floor, and they are Switzerland, Iran, Iraq, The Netherlands, and Mexico, and I’d like to start by giving the floor to the first speaker, Switzerland, on agenda item five, topic two rules, norms and principles of responsible behavior of states. Switzerland, you have the floor please.
Switzerland
Chair, over the past 15 years, GGEs have developed a set of 11 voluntary norms. The 2019-2021 Open-ended Working Group reaffirmed these voluntary norms, and the General Assembly endorsed them. The sixth GGE developed an additional layer of understanding on these norms to help all states and stakeholders better understand and implement the norms. This is the basis for the discussions in this Open-ended Working Group. Switzerland is of the opinion that at the moment, we should focus on better understanding, promotion and implementation of the existing norms before developing new ones. This does not exclude that we could develop new norms over time, and where useful or needed. Suggestions for new norms were made in the previous Open-ended Working Group were also included in the Chair’s summary. Let me briefly address the relation between international law and voluntary norms, because it was addressed in the morning session. The norms don’t exist in a legal vacuum, in the consensus report of the previous Open-ended Working Group states reaffirmed that norms do not replace or alter states’ obligations or rights under international law, which are binding, but rather provide additional specific guidance on what constitutes responsible state behavior, in the use of ICTs. International law is, in this sense, our traffic law and the voluntary norms provide guidance to help us to respect it. We see an important role for this Open-ended Working Group in contributing to further awareness raising about the 11 voluntary norms. The GGE report of 28 May provide a good basis for this. It lists the norms and provides further guidance on how to implement them. As in the other areas of the framework and good governance, private actors can play an important role. An important step towards implementing the norms at national level is the development of national cybersecurity strategies. The Open-ended Working Group is a suitable platform for the exchange of experience on this. States can report on their experiences in the development of such a strategy and its implementation and exchange information. The role of non-state actors should be given special consideration. These strategies should include objectives and concrete measures to achieve these objectives. Ideally, a review of the achievement of objectives should take place every year. Based on this review, the state receives an overview of the status of implementation of the voluntary norms. The Open-ended Working Group could help to develop good practices for the elaboration of such a strategy. The Open-ended Working Group can also contribute to the exchange of information on concrete implementation at the national or regional level. States should use the National Survey of implementation of United Nations General Assembly resolution 70/237, proposed by Australia and Mexico, as suggested by the Open-ended Working Group in its report to facilitate exchange. The Open-ended Working Group provides a good platform to share lessons learned and good practices on this too. The protection of critical infrastructures is particularly important. Unfortunately, attacks on critical infrastructure by malicious state and non-state actors have increased excessively in recent years. Of particular concern are attacks by state and non state actors on medical and research facilities, as well as deliberate disinformation campaigns during the ongoing pandemic. Attacks of this nature can pose a serious threat to international security and peace. States should use this Open-ended Working Group to share information on what measures they have taken at the national or regional level to protect or better protect critical infrastructure. A national strategy for the protection of critical infrastructure can be a means to this end. In 2017, the Swiss government adopted the second national strategy for critical infrastructure protection for the period 2018-2022. The strategy defines 17 measures with which the government intends to maintain the security of supply in Switzerland and improve it in key areas. We will be happy to share our experiences in implementing this strategy. On the basis of this strategy, Switzerland, on one hand is active in establishing and developing more in depth collaboration between critical infrastructure providers and government entities in the field of cybersecurity, such as the National Center for Cybersecurity. On the other hand, Switzerland understands as a small and interdependent nation, that acting against threats or malicious activities originating from its territory is absolutely key, not only in regarding securing our critical infrastructure providers, but also to contribute to the international effort to quench such activities early enough in order to avoid damages to other nationals critical infrastructure providers. To achieve this, Switzerland is active in numerous international groups and fora from purely technical CSIRT-focused groups to such platforms as the GFCE in the cyber capacity building domain. Having a trust-worthy collaborative and broad exchange between the government and the private sector and other stakeholders is key for norm implementation, particularly to protect critical infrastructure. So, the focus must lie on building up public, private partnerships early on to allow for efficient support and cooperation. Most of the infrastructure is not owned by the state, but by the private actors. They have a responsibility to protect their infrastructure. They must understand their responsibilities and duties, but they must also be able to rely on good cooperation with the state and on its support in case of emergency. It has often been said in the context of previous Open-ended Working Group and GGE groups that cybersecurity is a team sport, that states alone cannot guarantee security nor can non-state actors do that. Switzerland advocates for providing explanatory guidance on attribution. Attribution is a result of a process that takes into account a range of factors and information that would allow a victim state to assess malicious cyber activities. These factors could include, inter alia, the larger geopolitical context, diplomatic relations between the involved states, economic and political relations and interest. Because attribution is a complex task, taking these factors into account becomes all the more vital. Last but not least, this open working group should, on the basis of the GGE consensus report 2021, give me more specific guidance on norm implementation. States together with other stakeholders could for example, develop cooperative measures for responsible vulnerabilities disclosure or the protection of the ICT supply chain and ICT products. Thank you, Mr. Chair.
Ambassador Gafoor
Thank you very much, Switzerland. I now give the floor to Iran. Islamic Republic of Iran, you have the floor please.
Iran
Thank you so much, Mr. Chairman. Since this is the first time I take the floor, I would like to thank you for all your efforts and, congratulate you on the assumption of your chairmanship of this very important Working Group. Having said that, Mr. Chairman, on the issue of norms, the views of the Islamic Republic of Iran on this very critical issue has been elaborated in detail in our second submission, dated 20 February 2020, in which, we have indicated that prior to any discussion on the operationalization of any envisaged norms, as mandated by paragraph five of the resolution 73/27, further discussion is necessarily needed to further develop change or add to the 13 norms contained In paragraph one of the resolution 73/27. We also indicated the need for the structured discussion on the 13 norms around the ambiguities associated with the understanding of the identified norms, the need to agree on terminology. We emphasize that it is very necessary to discuss terminology related to norms for their understanding on the list of terms, also the introduction of change to the identified norms to revisit all those 13 norms, and also elaboration of additional norms. We are of the view that significant reforming of current internet governance, open, free and non-discriminatory access of states to ICT technologies and the reliable cybersecurity supply chain are essential requirements for responsible behavior of states in the ICT environment. Additional norms as we have indicated in our second submission are including inter alia: the role of states with the primary responsibility of maintaining a secure safe and trustable ICT environment should be enhanced in ICT environment, governance, including policy and decision making at the global level. The internet governance should be realized in a manner that strengthens state sovereignty, and shall not affect the rights of states in making the choice of development governance and legislation models in the ICT environment. The principle of state sovereignty and international norms and principles that follow from sovereignty should be respected in the ICT environment. No state has the right to intervene through cyber means directly or indirectly, and for any reason, in the internal or external affairs of other states. All forms of interventions and interference or attempted threat against political, economic, social and cultural system, as well as cyber related critical infrastructure of the state, shall be condemned and prevented, as upon UNGA resolution 2131 the 21st December 1965. States shall not use ICT advances as a tool for economic, political or any other type of coercive measures, including limiting and blocking measures against targeted states. The same resolution as I have referred to in the previous theory that I have said. States should ensure appropriate measures to make the private sector with extraterritorial impacts, including platforms, accountable for their behavior in the ICT environment. States must exercise due control over its companies and platforms under their jurisdictional control. Otherwise, they are responsible for knowingly intervening in national sovereignty, security and public order of other states. States should refrain from and prevent abusing ICT supply chains developed under their jurisdictional and control to create or assisted development of vulnerabilities in products, services and, maintain compromising sovereignty and data protection of the target states, ensuring the balance between rights and responsibilities of the states in ICT environment. Consequently, Mr. Chairman, we regard the implementation of the norm is yet premature as the new OEWG has to discuss above mentioned key issues to come up with the comprehensive consensus-based list of norms that may lead to the implementation stage. Having said that, Mr. Chairman, I want to concur with the view that you have addressed this morning regarding the discussions. My delegation has tried utmost, based on the question that you have raised, to be articulate and concentrate on the answer that you have expected from each question. However, as we have expected this morning, and you have mentioned, other distinguished delegates, fortunately or unfortunately, they are not very focused on answering any question, but anyway they mix the issues together. My delegation has tried utmost to concentrate in answering the very question that you have asked. Thank you so much, Mr. Chairman.
Ambassador Gafoor
Thank you very much delegation of Iran, for your statement, and also, as you say, for the very focused response to the questions. I certainly would encourage all delegations to also respond to the questions as a guide. It’s a guiding question. I would welcome your comments on those guiding questions as you make your statement. I now give the floor to the delegation of Iraq. You have the floor please.
Iraq
Thank you, Mr. Chair. At the outset of the delegation of Iraq would like to reiterate its support to your efforts and to the transparency whereby you have facilitated the work of the OEWG to reach a common ground and a compromise regarding the implementation of the modalities of the group, in a manner that would optimize our participation and optimize the experience of the OEWG, according to the established practice whereby all OEWG have adopted. In the meantime, we hope that interested states should show more flexibility in order to optimize this very important substantive session to achieve the desired goals. Mr. Chairman, we do believe that the promotion of norms, rules and principles that govern behaviors at the time of peace, and the update thereof, will contribute to creating an environment and guidelines for states. This will also help stabilize the cyberspace and build partnerships. Having said that, Iraq supports the work of the OEWG into elaborating all those rules, as well as the norms and principles of responsible behavior of states, and to have the same duly updated to reflect the challenges and issues that we are confronted with in this regard. The delegation of Iraq stresses the importance of a continuous systematic dialogue under the auspices of the United Nations, and to look into all the potential risks related to cyberspace as well as all the matters of cooperation that we can delve into. Thank you, Mr. Chair.
Ambassador Gafoor
Thank you very much Iraq. Delegation of Netherlands please. Netherlands.
The Netherlands
Norms are an essential part of the international community’s efforts to prevent conflict. They set the standard for the behavior of states and allow the international community to assess the behavior of states. The Netherlands considers norms to be complementary to international law. As the previous Open-ended Working Group reaffirmed, and Switzerland also just pointed out, norms do not replace or alter states’ obligations or rights under international law, which are binding, but rather provides additional specific guidance on what constitutes responsible state behavior in the use of ICTs. Norms promote predictability and reduce risks of misperceptions between states. At the same time, and this is a vital importance to The Netherlands, norms also help protect citizens, particularly those in vulnerable situations. They help to ensure that critical infrastructure can provide the necessary services to the public, and that people can have confidence in the security of ICT products. Moreover, they help ensure that citizens can enjoy the benefits of the digital era, while knowing their human rights and fundamental freedoms are protected. In this vein, the Netherlands has actively contributed to the GGE’s development of additional guidance on the norms, including on the protection of critical infrastructure. While it is up to states to determine which infrastructures or sectors it deems critical. The OEWG and GGE reports specifically referenced the health care sector, particularly amidst the current health crisis, the technical infrastructure essential to the general availability or integrity of the internet, and electoral processes. Chair, the GGE report also provides use for practical guidance. It contains suggestions for concrete policies and mechanisms at the national, regional and global level that can help states to adhere to the norms and this we believe is something we can further develop in the current Open-ended Working Group. Let me name a few examples mentioned in the previous reports. First, to develop stronger cooperation between countries involving both the CSIRTs and the diplomatic community, so that concerns and findings can be shared. Second, to develop regional arrangements with relevant infrastructure owners and operators to help detect and mitigate ICT incidents affecting such infrastructure. And third, through enhanced cooperation and decision making on vulnerability disclosures, to help curb their commercial distribution. These and other practical steps address the interconnected and interdependent nature of cybersecurity. They also help resolve misunderstandings and misperceptions between states, and therefore also support our work on confidence building, and I cannot stress this enough, they help states protect their citizens and reap the benefits of digital technologies. Chair, let me turn to the issue of new norms. In principle, The Netherlands is not against new norms, however, we are considerate of the careful balance achieved in elaborating the existing norms by consensus. Furthermore, we still have a lot of work to do to implement the existing norms. Finally, I would underline that the norms have maintained their relevance, because they are technology neutral. Based on the considerations I just outlined, we will continue to develop new proposals under this agenda item during the current process. Thank you, Chair.
Ambassador Gafoor
Thank you very much, Netherlands. Mexico, you have the floor please.
Mexico
Good afternoon. Thank you, Chairman. Allow me to welcome the substantive exchange that we’ve had. We’ve heard a lot of concrete ideas and proposals that reflect the growing interest in the discussion in the United Nations on these subjects. Chairman, secondly, I’d like to reiterate that Mexico welcomes and supports the proposal for modalities that has been presented. It’s the result, the outcome of multiple discussions and informal meetings, and efforts of very many other delegations present here in the room. The voluntary norms for responsible behavior of states in cyberspace, as far as Mexico is concerned, are a key element in the international framework that we already have. It’s a result of multilateral discussions of the Group of Governmental Experts and the Open-ended Working Group, and adopted certainly by the General Assembly of the United Nations. It’s a framework which contributes to the prevention of conflicts by guaranteeing open, free, peaceful, stable and secure cyberspace. For the government of Mexico, the norms should also be considered in terms of their potential to improve access to cyberspace and to information technologies and as a catalytic force to develop national, regional and international capacities. The norms do not substitute international law in cyberspace, but what they do is complement them, and they also help in application. The first call that Mexico made to this working group is therefore, to implement the norms. It’s not enough for us to have agreed on a solid list. What we need to do is put this into action individually and collectively, in order to make these norms a reality. The voluntary nature of the norms should not be interpreted as an invitation to remain passive, on the contrary, it is a recognition of diversity and of the different capacities that states still have to step by step, make progress in their commitment to create greater trust, transparency, and cooperation in cyberspace. Another specific call that my delegation would like to issue is to, for us to document and share information on the implementation of the norms, not just documenting the progress, things that we’re doing well, but also the obstacles that we encounter on this path of implementation. They need to be documented in greater detail as well. So that we know what we’re lacking, perhaps in terms of international cooperation or capacities. Therefore, my delegation would like to insist, Chairman, on the additional value that the national survey has. The survey of national implementation proposed by Australia and Mexico, and supported by a growing number of countries, as we’ve heard. It’s a uniform way on a voluntary basis for periodic reports to be produced with regard to this implementation. So very specifically, Chairman, we are asking that under your leadership, in the deliberations of this working group, we dedicate sufficient time in upcoming meetings to share information on these implementation measures. Working on new possible norms may be positive, but in order for that to be the case we need to have clear implementation information. We need to hear about specific experiences on the ground that will make it possible for us to identify what new norms are required and in no way whatsoever should this be a condition for bringing forward the more comprehensive vision that the agreed norms already have. Some of the ideas that we have heard with regard to possible new norms, if you look at them together in a more detailed fashion, are actually proposals to operationalize an existing norm, or proposals for a new confidence building measure, or a measure for international cooperation, and that’s why Chairman, we need to dedicate sufficient time to sharing these experiences. The role of regional experiences of the regions will continue to be key in this task. Either in the OAS or the summit, or the leaders of the north recently, or the community of Latin American states, we’ve all been able to affirm that decision that we want to work on the implementation of the agreements made here in the United Nations with regard to cyberspace, and we’re also prepared to work to put a stop to things that are not responsible behavior, implement what is responsible behavior and stop what is not responsible behavior. The dissemination of the norms and their operationalization leads me to say that the involvement of other stakeholders, service providers, for example, civil society, organizations, academia, the private sector is key, and that has to be spelled out. We can affirm that they also have a role of responsibility as they accompany and join in the efforts of states in the operationalization of these norms and responsibilities. We do encourage them to join this conversation in an active and transparent way to the benefit of the working group itself. Thank you very much, Chairman.
Ambassador Gafoor
Thank you very much, Mexico. I would now like to give the floor to the Syrian Arab Republic to be followed by Estonia, Italy, Cuba, Singapore, Jordan, China, Ukraine, Indonesia, India, Germany, Australia and the UK. So we’ll start with Syria. You have the floor please.
Syria
Thank you, Mr. Chair. My delegation renews its support of you, and we do reaffirm our cooperation with you Chairman, in order to reach our desired goals. We would like also to thank you for your proposal on the participation by stakeholders. As regards the rules, norms and principles of responsible behavior of states, my delegation would like to make the following remarks. First, those norms and principles of responsible behavior of states should be promoted and this should be made a priority by the international community. Second, member states should undertake to be bound by very clear political commitments as regards the operationalization of these norms. Those norms should not be voluntary, they should be universal and binding. Finally, we have to attach more importance to those rules and norms in a balanced way. We have to forge balance between security and development. Thank you.
Ambassador Gafoor
Thank you very much. Syria. Estonia you have the floor, please
Estonia
Thank you Mr. Chair for giving me the floor. In response to your guiding questions related to norms, Estonia wishes to express the following. As a nation that has benefited immensely from digital transformation, Estonia knows firsthand the advantages of an open free, interoperable and secure cyberspace and its responsible use. Digital Services including governmental e-services are used widely in Estonia, because trust towards them and the service providers are high. This has been enabled by several factors: a long term commitment to building a secure and transparent digital society where respect for human rights and fundamental freedoms, such as the right to privacy is not an afterthought but ingrained from the very start; a holistic approach to cybersecurity; a stringent emphasis in preventing and mitigating risks; raising awareness and enhancing cyber hygiene; and endeavoring never to rest on our laurels. However, the surge in the number and sophistication of the malicious use of cyberspace, that possibility for widespread impact, including on critical infrastructure, and the potential ramifications for international peace and security, remain of real concern, Mr. Chair, esteemed colleagues, as has been emphasized multiple times during the substantive session, the work of the UN Group of Governmental Experts since 2004 has allowed to outline a degree on a solid and effective framework for responsible state behavior in cyberspace. This consists of existing international law, 11 voluntary and non-binding norms, confidence building measures and capacity building. It has also been noted by several other delegations that all these elements of this framework are interlinked, but we will focus for now on norms. The 2015 GGE consensus report building on previous GGE reports made headway by setting out 11 voluntary non-binding norms of responsible state behavior in cyberspace, including several norms pertaining specifically to critical infrastructure protection. The 2021 consensus report of the GGE furthermore, reaffirm the acquis and provide an important additional layer of understanding on these norms. While highlighting that norms do not replace or alter states’ obligations and rights under international law, but rather supplement and support it, Estonia considers that the adherence to these norms can prevent conflict in the ICT environment, reduce risks to international peace, security and stability and provide a central guidance for responsible state behavior in cyberspace. Estonia regards the agreed normative framework as a crucial footing for everything we do in the field of cybersecurity, but given the lack of borders in the traditional sense in cyberspace, we also rely on this commitment, both in word and action, to responsible behavior from other actors. Building on the rich material provided by the latest GGE report, the OEWG can play a crucial role in strengthening the 11 norms by further clarifying expectations that the norms reflect, and exploring further opportunities to support states in their implementation. We have listened carefully to the interventions made during discussion so far. Estonia believes that as a matter of priority, the international community needs to make a concerted effort to implement the existing norms, together with other aspects of the framework. While we appreciate the temptation of the new, we believe that the most appropriate course of action need not be the one that is the most tempting. It needs to be the one that ensures transparency, flexibility and scalability. This approach focused on behavior rather than technology in itself is appropriate in our view, for reasons outlined by a number of delegations already. One concrete example includes discussions that would contribute to the further development of the National Survey of implementation of the UN General Assembly Resolution 70/237, which emerged as one practical outcome from the latest OEWG and GGE reports at the initiative Australia and Mexico or other such initiatives that are allowed to identify existing efforts and needs for new implementation. Supporting states and reporting their implementation efforts through better utilizing existing resources such as UNIDIR could prove invaluable. We also emphasize the importance of bringing in the regional dimension wherever possible, to support the development and operationalization of Confidence Building Measures with the aim to support norm implementation. While all 11 norms are important and form a sufficient package, given the urgency of preventing damage to critical infrastructure stemming from malicious cyber activities we welcome that chairs guiding question raised specifically initiatives related to the norms pertaining to critical infrastructure protection. Supported by stringent legislative basis and a broad definition of essential services, Estonian authorities have close communication and information exchange with essential service providers. Our national cybersecurity center, the Estonian Information System Authority, offers free of charge security tests to essential service providers, facilitates the exchange of best practices and offers advice to the private sector. Penetration testing, such as to the healthcare sector and the energy sector help to keep standards high. We believe that the OEWG could provide a helpful space to share best practices and lessons learned related to critical infrastructure protection, including on topics such as public private partnerships, mentioned also by other delegations such as Switzerland. Mr. Chair, one of the key issues under focus during this week has been the engagement of the multistakeholder community. We want to stress our deepest gratitude and support to you in your efforts to find a solution on this matter swiftly and support the updating modalities you put forward for consideration at the informal consultations yesterday evening. Estonia also welcomes your question on the role of the private sector and technical community norm implementation. We believe that while the norms pertain to state behavior, the effective implementation of norms make close cooperation with other stakeholders indispensable. We believe that the role of different stakeholders should be further elaborated with the aim of advancing common understandings on respective responsibilities and providing further guidance. The contributions from the technical community will be particularly important to help us identify the most pertinent areas, it will also be important to take into account gender considerations in cybersecurity. In this regard, we welcome the options papers submitted by Canada, which provides a very constructive menu of options for mainstreaming gender in the work of the OEWG. We look forward to continuing conversations on how to implement the existing norms, including through capacity building and initiatives that support it, which will be under focus later this week. Thank you, Mr. Chair.
Ambassador Gafoor
Thank you very much, Estonia. Italy, you have the floor please.
Italy
Thank you, and good afternoon. At the outset, let me express my appreciation for your efforts in the question of participation of stakeholders, and like Estonia has just said, we support the proposals as amended last night and I trust we will be able to move forward soon. I would like also to offer some very succinct views on the discussion on norms after of course I have aligned myself to the EU statement. As I said in my initial intervention, the acquis of previous reports of OEWG and GGE indicate the direction this group could take in helping states to operationalize non-binding norms, that as such don’t replace international obligations, and this implementing effort towards implementation of the existing norms should be our priority. Now coming to your questions, as already indicated by the EU, the OEWG could elaborate on and strengthen the 11 norms of responsible state behavior. Such exchanges could allow clarifying the expectations that the norm set and should offer insights in best practices how these norms could be put in practice. The discussions within the OEWG could therefore help states to contribute to the national survey of implementation of the UN General Assembly resolution 70/237. Possible meetings with representatives of regional organizations could be organized as it was said earlier in another segment. As a member of the EU, Italy contributes to the common effort to create a solid cybersecurity framework at the union’s level, but at the same time it has also recently embarked on advanced and sustained effort to revise and strengthen its national cybersecurity architecture. This effort is based on two main pieces of legislation: the national cybersecurity perimeter law of 2019, on the protection of assets and services that ensure vital and essential functions of the state; and the establishment of a dedicated cybersecurity agency this summer. Also, it is worth recalling the recent publication of our national views on the applicability of international law to cyberspace where many aspects intertwine with the application of norms. We stand ready also to further elaborate on our efforts and implementation. You also asked about the role of stakeholders, and here once again it is important that they are involved in our discussions. They have an important role in many aspects related to norms. Think about the norm on supply chain. And in addition, our national legislation takes into account the role of other stakeholders, because part of the entities that fall within our perimeter are private sector. That will be all for now, and I look forward to contributing further to other agenda items. Thank you, Chair.
Ambassador Gafoor
Thank you very much, Estonia. Cuba, you have the floor, please.
Cuba
Mr. Chairman, Cuba reiterates the need to strengthen the normative framework to regulate matters in the area of security and the use of ICTs, and in that regard, resolution 72/240 [?] of the General Assembly establishes the priority nature of the elaboration by the Open-ended Working Group of rules, norms and principles of responsible behavior of states, as well as the modalities that correspond to them, and if necessary, the introduction of changes in the preparation of additional norms of behavior. We would recall that the norms contained in the report of the GGE of 2015, does not meet with the approval of all member states. We feel that the annex to the report of the Chair of the Open-ended Working Group for the 2019-2020 period, which contains the proposals of norms that were put forward by member states, should be the initial basis for discussions of the group on this subject. We reiterate the need to elaborate and implement additional norms for responsible behavior of states in cyberspace ensuring full respect for the principle of sovereignty, sovereign equality, political independence and territorial integrity, and that it promote peaceful coexistence and international cooperation for all of our mutual equitable benefit. But we also need are norms that refer to the prevention of militarization in cyberspace and the non-use of unilateral coercive measures. Cuba believes that these norms are the way and the point of departure to making progress towards the adoption of a broad, legally binding instrument, in the framework of the United Nations that will complement existing international law and would provide a response to the existing legal vacuum that exists, with regard to security as it pertains to the use of ICTs. Likewise, we also need to stress that the preparation, drawing up of these norms requires cybersecurity terminology that is accepted by all member states, we would stress that all of the norms, rules and principles of responsible behavior of states should be discussed, and adopted by consensus in the Open-ended Working Group, irrespective of the framework in which they were adopted. The joint efforts of states in the formulation and implementation of norms to ensure security in the use of ICTs is fundamental to preserve peace, international peace and security. Thank you very much.
Ambassador Gafoor
Thank you very much, Cuba. Singapore you have the floor please.
Singapore
Thank you, Mr. Chair. Singapore is a strong advocate for the strengthening of a rules-based multilateral system, including in cyberspace. We’re pleased that the international community has endorsed the rules, norms and principles set out in the consensus reports of the inaugural OEWG and past GGEs. This framework of rules, norms and principles is critical to defining responsible state behavior in the digital realm and prevent a might makes right situation in cyberspace. I’d like to speak on two areas on this topic, understanding and implementation, and these will both address the questions you asked us, as well as echoed many of the points that representatives have made already. First in understanding, the Singapore delegation believes that it would be useful for the OEWG to engage on the additional layer of understanding on norms in the 2021 UNGGE report, as well as useful proposals set out in the report of the inaugural OEWG, as part of a broader and deeper discussion on implementation of norms by all UN member states. However, we recognize that the wider UN membership has only been participating in international cybersecurity discussions since 2018, and some delegations have raised legitimate concerns about the varying level of cyber maturity, which will make it difficult for all states to implement the norms at the same pace or the relevance of certain norms at a particular stage of a states’ cyber development. We therefore think that this OEWG focus in its first year should be on the implementation of existing norms before considering if further norms may be useful to tackle the evolving cyber threat landscape. Next on the implementation specifically, regionally ASEAN has subscribed in principle to the 11 voluntary non-binding norms of responsible state behavior in the use of ICTs, and has several ongoing work streams, which enhances ASEAN’s ability to implement the norms in a more concerted and deliberate manner. These include the ASEAN regional action plan on the implementation of norms, and the ASEAN cybersecurity cooperation strategy from 2021-2025, which takes into consideration how the norms can support ASEAN wider digital ambitions, such as the ASEAN Smart Cities Network and (ASEAN) digital master plan 2025. These work streams have been useful exercises to break down high level principles into workable steps that have been contextualized to the needs of the Southeast Asian region. Every region faces its unique set of challenges and, taking a regional approach will result in more targeted implementation of norms. There’s also value in conducting cross regional exchanges to share experiences and best practice, and we would welcome such collaboration with other regional organizations. The OEWG would be a good platform to facilitate such conversations and future collaborations to help each other implement these norms. Thank you.
Ambassador Gafoor
Thank you, Singapore. Jordan, you have the floor, please.
Jordan
Thank you, Chairman for your efforts to achieve consensus between member states with regard to engagement with stakeholders, with regard to the preparation of rules, norms, UN principles for responsible behavior of states. We call for international commitment in this regard which word list international efforts to prevent non-peaceful use of ICTs or their offensive use. And we would call for digital use of ICTs to go hand in hand with international law and the UN Charter. This requires, of course, that everyone share their expertise on the collective challenges that countries are facing with regard to cybersecurity. Also, we believe that international cooperation is a fundamental pillar in the interests of all countries to address anything that could be a threat to international peace and security. International mechanisms need to adopt mechanisms which will strengthen the capacity of all countries in the area of cybersecurity, that will have positive effects on the elaboration of rules, norms and principles for responsible behavior of states. Thank you.
Ambassador Gafoor
Thank you, Jordan, for your statement. China, you have the floor please.
China
Thank you Chair. China has always supported the formulation of international norms on cyberspace under the UN framework. They’re universally accepted by all countries. And we welcome the previous reports of OEWG and GGE. As many delegations, China also believes that the current working group should focus on translating previous consensus into political commitments on norms in cyberspace, and establish a clear commitment to this norms, which is crucial for their effective implementation. In the long run, the international community should also reach a legally binding norms. To this end, China supports the proposal in the Programme of Action put forward by some countries that I quote “political commitment based on recommendations, norms and principles already agreed” unquote, should be established. Some countries deliberately emphasize the voluntary nature of existing norms. This stance runs counter to the common aspiration of the international community. At present, data security risks and challenges are becoming increasingly prominent which necessitate urgent global solutions in accordance with the mandate of resolution 75/240, countries should conduct in-depth discussion on data security issues, including cross border data flow, supply chain security, personnel information protection and so forth. China calls on all countries to adopt a comprehensive, objective and facts-based approach on data security issues. Efforts should be made to foster an open, fair and non-discriminatory business environment and maintain an open, secure and stable supply chain of global ICT products and services. Countries should take actions to prevent and stop the use of ICT to jeopardize the security of personal information, or to conduct mass surveillance against other countries, or to connect collect personal information from countries without authorization. Countries should require their companies to strictly abide by the laws of the countries in which they are located, and must not require domestic companies to store data generated or obtained overseas within your borders, and must not directly retrieve data located in other countries from companies or individuals without a permission of other countries. ICT products and services providers should abide by laws and regulations of the countries in which they are located, and refrain from installing backdoors in your products and services to illegally obtain user data or to control or manipulate user systems and devices. ICT companies should not seek illegitimate interest by taking advantage of users dependence on their products, nor force users to upgrade their systems and devices. Product providers should commit themselves to notifying their partners and users of serious product security flaws or vulnerabilities in a timely fashion and to provide remedies. Last year, China submitted the Global Data Security Initiative to the UNGA that contains the above mentioned propositions, and has put forward constructive solutions for maintaining global data and supply chain security. Over the past year, China held in depth discussion with other countries on this initiative and has received positive feedback from many countries. This year, China and the Arab League issue the China Arab Data Security Cooperation Initiative. China believes that this initiative, can serve as a preliminary basis for relevant discussions. We stand ready to work with all parties to promote the conclusion of global rules of digital governance, and that reflects the wishes and interests of all parties. Regarding the protection of critical information infrastructure, countries should strive to protect the security of their own critical information infrastructure, and must not use ICT to damage other countries’ critical infrastructure, or to destroy or steal important data from other countries. China supports efforts to strengthen legislations on the protection of key information infrastructure, experience and technology exchange and the promotion of international cooperation on training, technological innovation, early warning and prevention, emergency response, standard setting and information sharing. In addition, countries should not use their own advantage to interfere the normal operation of key global public information infrastructure, such as top level domain name servers and international communication optic cables. I thank you Chair.
Ambassador Gafoor
Thank you very much, China. Ukraine, you have the floor, please.
Ukraine
Thank you, Mr. Chair. Ukraine aligns itself was the statement delivered by the European Union. The voluntary non-binding norms of responsible state behavior can reduce risks to international peace, security and stability. Norms and standards for responsible state behavior help to prevent conflict in the ICT environment as well as contribute to its peaceful use. To enable the full use of ICT to increase global social and economic development it is of utmost importance for all states to be guided in their use of ICTs by 11 norms. Ukraine believes that we should focus our efforts on advancing the implementation of these norms that will allow us to assess the activities of states in cyberspace in order to prevent conflict and increase stability and security. In our view, both norms and confidence building measures are crucial for maintaining peace and preventing conflict. In connection with guiding questions provided by you Mr. Chair, we would like to recall a norm 13g, according to which states should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199. This norm reaffirms the commitment of all states to protect critical infrastructure under their jurisdiction from ICT threats and the importance of international cooperation in this regard. In this context, we would like to stress that being a target of regular cyber attacks and considerable global trends in the rise of malicious use of ICTs, including against the critical infrastructure, Ukraine has been developing an effective cybersecurity ecosystem within its territory. In particular, since 2016, the national security and defense council of Ukraine has been coordinating and controlling the activities of the security and defense sector entities that ensures cybersecurity of Ukrainian, through the national cybersecurity coordination center. The National Cybersecurity Coordination Center plays a crucial role in Ukraine’s national cybersecurity ecosystem as well as coordinating the work of all governmental security cybersecurity agencies. The National Cybersecurity Coordination Center has been also actively forming and improving mechanisms for assessing the current state of cyber protection of states information resources, and critical infrastructure facilities identification of threat factors aimed at strengthening of cybersecurity of our country. Today, the National Cybersecurity Coordination Center is the primary national hub for cooperation between the public and private sectors. Therefore, an important task of the center is to unite the efforts of the state, the private sector, foreign partner companies and countries to build joint an effective cooperation. In September 2020, a new national security strategy of Ukraine was enacted by the decree of the President of Ukraine. This document contains the government’s vision of threats to national security and steps to minimize or neutralize them. Later on the new cybersecurity strategy has been adopted. The document is fully aligned with the national security strategy and based on such key principles as deterrence, cyber resilience and cooperation. I thank you, Mr. Chair.
Ambassador Gafoor
Thank you very much, Ukraine for your statement. I give now the floor to Indonesia.
Indonesia
Mr. Chair, Indonesia reaffirms that voluntary and non binding norms of responsible state behavior in the use of ICT spy states can reduce risk to international peace, security and stability. Following the adoption of General Assembly resolution 70/237, states have agreed by consensus to be guided in their use of ICTs by the 11 voluntary non-binding norms from the 2015 Group of Governmental Experts report. To date, we know that challenges in implementing the state norms persist and still faced by many states. The OEWG plays an important role in this regard to promoting the awareness, understanding and implementation of norms of responsible state behavior in the use of ICTs. We are pleased to be among the co-sponsors of the initiative of voluntary national survey of implementation of UNGGE resolution 70/237, which has been included in paragraph 65 of the 2019-2021 OEWG report, and consider this as a fruitful and practical outcome of our work. Together with fellow 2019-2021 GGE members, Indonesia has also contributed to the formulation of report, which was adopted by consensus, thereby marking a successful achievement of mandate contained in a GA resolution 73/266. We invite states to be guided by the report, as contained in the UN document a slash 76/135, which provided layer of understanding to the findings and recommendation of previous GGEs. There are a few practical ways in which we can collaborate through the framework of the OEWG in promoting the aspects of rules norms and principles. First, OEWG may consider developing a guidance as well as joint indicator or parameter to ensure the lever of effectiveness of the implementation of norms, which can be used as a reference for states in conducting the voluntary national survey. Second, to conduct various informal consultative mechanism with stakeholders, to provide opportunities, to explore inputs, efforts and experiences related to the implementation of norms from technical and non- government perspectives. Third, exploring opportunities regarding stock-taking of efforts and initiated by states or norms implementation to be further published on the UN related websites. My delegation also proposes the inclusion of initiative and experiences, taken by the regional and sub-regional organization, as well as other international forum while noting the important role and contribution from the regional organization in the operationalization of norms. Finally, while our priority remains on the universalization of the norms and their implementation by all states, Indonesia acknowledges the growing needs to discuss possible need for additional norms. In this regard, the efforts in promoting implementation of the existing norm shall not hinder our efforts to formulate new norms in light of the development, as well as dynamic of ICTs and the growing threats associated with their misuse. In this regard, we propose that our work in the current OEWG to also focus on stocktaking and compiling proposals related to additional norms or expansions of each existing norm. I thank you.
Ambassador Gafoor
Thank you, Indonesia. India, you have the floor please.
India
Mr. Chair, India believes that voluntary, non-binding norms of responsible state behavior can reduce risks to international peace, security and stability, and play an important role in increasing predictability and reducing risks of misperceptions, thus contributing to the prevention of conflict. Norms, rules and principles for responsible behavior of states in cyberspace emanate from the international law. They ensure stability, security peaceful use and resilience in cyberspace. As an important element in discussions on norms, rules and principles, we need to emphasize the need for universalizing the recommendations outlined in the previous GGE reports and OEWG report of 2021, and to develop mechanisms for ensuring adherence and implementation. The norms, rules and principles, elaborated in the GGE report of 2021, forms an excellent foundation to build the superstructure for responsible behavior of states. Following of these norms, rules and principals in their letter and spirit will help to secure international peace and security. This OEWG during its mandate ’til 2025, may further refine the existing norms, rules and principles that form the basis for responsible behavior of states and may develop additional norms, rules and principles on a need basis. As outlined in the final OEWG report of 2021, my delegation underscores the importance of integration between norms, confidence building measures, application of international law to cyberspace, international cooperation and capacity building. Mr. Chair, considering the mandate and the time duration that the OEWG has at its hand, my delegation believes that our deliberations in the group should focus on further developing an additional layer of the existing understanding to these norms, underscoring their value with regard to the expected behavior of states in the use of ICT in the context of international peace and security, and provide the requisite institutional arrangements that states can put in place at the national and regional levels to support their implementation. In this regard, India would like to highlight the need to discuss the obligations between member states that could help with fixing responsibility for malicious activities, especially as we confront the challenge of attribution in the cyberspace. We all appreciate that attribution is a complex exercise, we need to go further in elaborating upon the obligation of states to alert the victim state of possible attacks that may emanate from the territory and which have come to its notice, while monitoring the activity within one’s own territory. Mr. Chair, the norms, rules and principles for advancing responsible state behavior should go in tune with the conventional peace process and should consist of the following three stages. One, conflict avoidance measures that enable avoidance of unwanted and unintended conflicts arising particularly from misunderstandings, number two, confidence building measures, and the last, the peace building measures. My delegation would like to take this opportunity to bring to your attention that there is an increasing need to capture the activities of non-state actors in a focused manner, as the constitute majority of the current cyber threats and cyber incidents that happen, and also provide an alibi and a degree of deniability for non-compliant states. States should therefore take the obligation to provide guidance regarding internationally wrongful acts to non-state actors within their territory, and undertake not to knowingly allow such activities from non-state actors from their territory. Mr. Chair, to this effect, states should also not impose obligations on the private sector operating in the territory of another state, from respecting the laws of that state in ensuring stability and maintenance of law and order in the state. Non-state actors should not engage in offensive cyber operations, and state actors should prevent such activities and respond suitably if they occur. In the due course of the OEWG , we need to discuss the obligations for not conducting or knowingly allowing attacks upon public core of internet, that include packet routing, and forwarding elements naming and numbering systems, the cryptographic mechanisms of security and identity transmission media, software and data centers. States should create procedurally transparent frameworks to assess whether and when to disclose, not publicly known vulnerabilities or flaws that they are aware of with regard to information systems and technologies. All actors have a duty to share information on vulnerabilities in order to help prevent or mitigate malicious cyber activity. To have an action-oriented approach in this regard, the OEWG may focus on developing framework for cooperation to deal with cyber incidence and its associated actions by creating point of contact database from each country. Such an integrated database would help the member states to ensure timely response to the incidents and developing a framework for mitigation of supply chain attacks. I thank you Mr. Chair.
Ambassador Gafoor
Thank you India for your statement. I now give the floor to Germany, please.
Germany
Germany is fully aligned with the statement delivered by the European Union and would like to offer some additional remarks in a national capacity. The consensus reached in the GGE and OEWG reports, that’s a strong framework for responsible state behavior in cyberspace. Germany would welcome focusing discussions in this OEWG to expand and deepen this framework by means of mutual exchange. One concrete example is the dure diligence principle as set out by the UN norms in 2015, and mentioned by my Korean colleague this morning. Agreeing on guidance of what this principle entails, in terms of obligations placed on states could make a direct contribution to international peace and stability. Very specifically, this norm could help states deal with the current trend of ransomware attacks. Another example is the role of different stakeholders in the implementation of norms. The consensus report of the OEWG underlines that all stakeholders have a responsibility to use ICT in a manner that does not endanger peace and security, spelling out how this responsibility is to be implemented, and how the interplay between states and stakeholders should look like, is another area meriting exploration. Talking about ways to implementation of existing norms, Germany would like to highlight the initiative for a Programme of Action. The POA seeks to express states’ most urgent needs to help them implement their commitments and contribute to peace and stability in cyberspace. Germany’s committed to advancing the POA together with the co-sponsors and would like to encourage other states to join and contribute to its further elaboration. Thank you, Chair.
Ambassador Gafoor
Thank you very much, Germany for your statement. I give now the floor to Australia, you have the floor please.
Australia
Thank you chair. It’s clear that the international community expects countries to act consistently with their commitments made in the UN, to the framework of responsible state behavior in cyberspace, including the 11 norms of responsible state behavior. These norms have been developed over time, not imposed top down from the United Nations, but collected together as the best practice examples of how countries were addressing cyber threats on the ground. The report of the 2021 group of government experts provides a significant step forward. Not only do we have the norms themselves, but also in depth guidance to all countries and how they can be implemented and applied. I commend this norms guidance in the 2021 GGE report to all negotiated and adopted by consensus and endorsed in the General Assembly only a few weeks ago. We heard yesterday and this morning from many states about the significant and increasing threat to critical infrastructure from cyber threats. Three of our agreed norms provide commitments by us all relevant to critical infrastructure. Paraphrasing, these are to protect our critical infrastructure, to refrain from causing damage, and to assist each other in the face of malicious cyber activity targeting critical infrastructure. In the 2021, OEWG and GGE, and in the face of an unprecedented global health crisis. We saw recognition that medical services and healthcare infrastructure are captured by these norms. I hope that our work here can explore further and advance common understandings of how these norms can protect healthcare infrastructure from malicious cyber activity. I use this as an example for one aspect of norms implementation that this group can focus on. I’ve heard many others put forward today by delegations that may benefit from further discussion. The logical next step is affecting the embedding of norms. This requires increased awareness in government and civil society. Regional organizations have a positive role to play here. Increased resources through capacity building, and sharing and availability of best practice, sharing the understanding and value of norms and how countries and regions are implementing them. A core part of implementation of norms is not only sharing standards of how we implement them, but also to self assess what actions each of us have taken to implement the norms, and what actions are still required to implement them fully. The 2021 OEWG report recommends that states on a voluntary basis survey the national efforts to implement the norms. We have not been idle since that report was adopted and hoped to have an official announcement before our next session in March. But as an update, Australia is working in close partnership with Mexico and with other states to provide an online platform through the UNIDIR Cyber Policy Portal that states can easily use to self assess progress towards implementation of the consensus recommendations of the 2015 GGE report, as set out in UNGA resolution 70/237, with the additional guidance provided by the 2021 OEWG and GGE reports, including norms of responsible state behavior. The survey of national implementation collects national take up of the recommendations of the 2015 report, with a view to assisting assessment of their future development and implementation. Surveying implementation through self assessment provides several benefits. Not only can states identify how they have identified the norms, and, I’m confident that every country when we all look at our own systems will see that we have implemented these norms in some capacity. No one here is starting from scratch, but also where the gaps in implementation may be, and identifying the barriers to implementation, with a view to developing targeted cooperation and capacity building programs, which might be appropriate to overcome any barriers to implementation, or gaps in capacity, so identified. Implementations of norms is not a once and done thing. It requires review and updating as threats change, technology evolves, and behaviors adapt. In 2019, Australia published a comprehensive review of how we, across all our government agencies implement these norms. I was struck when preparing for these meetings, how much has changed in the way Australia implements the norms, and in the way we use the norms to address cyber threats since 2019. I take it as homework for Australia to update this review, as a display of our commitment to sharing best practice and national experiences through the survey of national implementation. Australia also published the results of consultations we held with our private sector, our civil society and our technical community to identify cross sector best practice implementation of the norms as part of our contribution to the 2020 UNGGE. The invaluable input of the multi-stakeholder community to identifying and sharing that best practice was tangibly demonstrated in that review, and I’m sure similar input and experience will significantly contribute to our discussions here. Finally, chair, there have been some comments today on the voluntary nature of norms, and I associate with the comments of my esteemed colleague from Mexico on this issue, and I’d like to make the following points. I want to emphasize the intrinsic interrelation between norms and law. If norms stood alone, then their voluntary nature might be concerning, but norms don’t stand alone. If we focus primarily on the voluntary nature of norms, we risk missing another significant part of our framework. Norms sit alongside international law, norms are voluntary and non-binding, but the law that they sit alongside is binding. This point is often lost in conversation about voluntary norms. We have by consensus agree that existing international law including the UN Charter applies in cyberspace. Our work here and our next agenda item is to elaborate how international law applies. International law is only effective when it is implemented adhered to and enforced. Many have referred in their remarks of the last few days to aspects of international law including state sovereignty, non intervention, refraining from the use of force, the law of state responsibility, international humanitarian law and international human rights law. The path forward is to take the existing frameworks provided by current international law, and fill it with deeper, clearer and more practical understanding of how these rules and principles apply to state behavior in cyberspace, and I very much look forward to continuing that discussion tomorrow. Thank you very much Chair.
Ambassador Gafoor
Thank you, Australia for your statement, I now give the floor to the United Kingdom. UK you have the floor please.
United Kingdom
Thank you, Mr. Chair. Realizing the recommendations of previous reports, is crucial to progress. We are grateful to those who have brought the national survey mechanism to fruition to help hold states accountable for enbedding our framework in their national approaches. Critical infrastructure protection is a priority. Norm G encourages states to take appropriate measures to protect their critical infrastructure. Since consensus resolutions 58/199 and 64/211 were published on this topic, the principles they contained have been widely developed to support implementation of appropriate measures. In particular, the focus has been on three core aspects: one, the proper identification by states of their critical infrastructure; the existence of national regulatory requirements specific to the cybersecurity of that infrastructure; and the implementation of good cybersecurity practice by national critical infrastructure operators. As states grow capacity they implement appropriate measures and increasingly sophisticated ways. They may begin with consideration of what constitutes critical infrastructure, but not all have a list of these national assets. They made them formalize a list, identifying relevant operators in the process, updating the list regularly identifying cross border dependencies, maybe the next step and so on. For each of the core aspects, there are measurable, identified steps that states can take. This OEWG could focus on promoting progress against some of those steps. With regard to capacities and structures, we believe a focus on CERTs, CSIRTs, and in particular incident management processes, will promote the realization of both CNI related norms and Norm C, which says states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs. To meet this norm, states are required to take appropriate and reasonably available and feasible steps to detect, investigate and address the situation. These steps may include both the actions the state takes in advanced prepare itself to deal with the relevant incident, as well as the action it takes in response to such an incident occurring. This may include putting in place a system for identifying and categorizing national level incidents, establishing a national body for incident response and integrating cybersecurity incident management into national crisis management, both as a factor in its own right and as an element of other crisis scenarios. Again, the OEWG could promote progress against these. But responsible states protect their citizens as well as their infrastructure. The same rights that people have offline must also be protected online. All states must know how to embed human rights into their national approach. The OEWG can assist by ensuring states recognize the role of human rights impact assessments in preparing cybersecurity legislation,and we can ensure states know where to find relevant advice, including on the broader range of relevant rights such as the applicability of freedom of expression, regardless of frontiers, and through any media of one’s choice, and the protection of civil space as it extends online and into digital spaces, through the right to freedom of peaceful assembly and of association. Mr. Chair, whilst focusing on implementation, the UK remains open to developing new norms over time. Our starting point is that any proposals for new norms must find consensus and not duplicate, rewrite or undercut those which have already been agreed. Further, we know the Russian call for mandatory rules of the game. We wholeheartedly agree that international law which binds states in their actions is crucial. That is why multiple reports including that of the previous OEWG have affirmed the applicability of existing international law to states activity and cyberspace, and it is also the reason that the General Assembly has adopted all of these reports by consensus. So the assertion that there is no legally existing regulation of cyberspace is clearly incorrect. In our view, it will be a mistake to ignore and undermine the protection provided to all states by existing international law in a rush to write new rules. We look forward to discussing this further under the appropriate section of the mandate. Chair, the position of the UK shared today has been developed from the extensive contributions of the Oxford Global Cyber Security Capacity Building Center of the Freedom Online Coalition. In doing so, the UK aims to deliver on previous recommendations that call for engaging stakeholder voices in policymaking processes. Thank you.
Ambassador Gafoor
Thank you very much, UK. France. You have the floor peace.
France
Thank you, Mr. Chairman. The norms of responsible state behavior and cyberspace are among the vital elements of the normative framework which we inherited from the previous processes on the international security challenges related to ICT. Of course, there’s an important need to emphasize that they do not substitute international law, and nor do they limit the right of states to act in line with international law. This reminder is important in that responsible conduct is of vital importance for the maintenance of international security and stability, by complementing international law as was recalled by a number of delegations they contributed to defining legitimate expectations and standards vis a vis the conduct and responsible behavior of states in ICT, they also thereby encourage the development of cooperation and contribute to greater predictability, transparency and trust in cyberspace. They also are a reminder, it behooves us to note, that states while maintaining security in the use of ICT should under no circumstances disregard human rights, including freedom of expression on the internet. France wishes to reiterate our commitment to these norms of responsible behavior. We reiterate our commitment to their effective implementation. In this regard, my delegation welcomes the tremendous work done by the first OEWG, as well as the GGE, which concluded its work in May of 2021. The reports of these two working groups helped to shed light on, and provide greater detail for the content of these norms, and have built a structured and substantive body recommendations for their national implementation. For example, in comments on norms 13, F, G, and H. The report of the GGE provided to states to guide them in the national decisions in this regard, provided states with an informative list of infrastructure that can be deemed to be critical. This emphasizes the vital importance of healthcare infrastructure, as well as the importance of infrastructure guaranteeing integrity and availability of internet in a large number of states and their protection which requires incoperation at both the regional and international levels. We encourage this new Open-ended Working Group to build upon these efforts of clarification and operationalization of the norms of behavior to continue to highlight best practices in order to best guide states in implementation. In line with a point set out this morning on existing and potential threats, France specifically encourages states to share recommendations and best practices, vis a vis, fighting against proliferation and normalization of malicious cyber tools. Sir, in the guiding questions which you address to states to guide states in preparation of interventions, you asked what mechanisms will help to ensure better follow up to national implementation efforts for agreed to norms, we wish to recall France’s support for the proposal of the national survey of implementation. This was presented in the previous group by Australia and Mexico. We welcome the fact that paragraph 65 of the report of the previous OEWG encouraged states to harness this model, which should be made available online shortly to report on their national implementation measures, this tool should help to facilitate a greater overview of progress in the implementation of the norms, as well as persistent gaps. It can also help the OEWG to identify the priority areas which should be considered during discussions, recommendations and exchange of best practices, and can provide a map of the needs to best calibrate capacity building initiatives, for example, under the Programme of Action, which France alongside 53 other states has proposed to be set up. Sir, in line with the mandate of this group, France stands ready to proactively contribute to exchanges to help draft and expand the scope of the norms of behavior. To that end, we can base ourselves inter alia on the proposals that were made on the previous work OEWG, and set out in Ambassador Lauber’s chairs summary under norm 13-C. We encourage states to agree on an understanding of the due diligence, including an obligation to adopt measures to prevent malicious activities of private actors located on their territory. With respect to the development of additional norms, we do not rule this out In principle, however, we emphasize that the potential development of new norms should be rooted in consensus and should reflect the agreed upon normative framework. Mr. Chairman, in the questions you addressed to us, you invited us to state our positions on the role that other stakeholders can play in contributing to the implementation of the norms and building upon the messages that we convey during the debate on threats. We believe that the private sector can be brought in specifically involved in discussions on securing supply chains and non-proliferation, which are addressed in norm 13-I. Thank you for your attention.
Ambassador Gafoor
Thank you very much, France. Pakistan, you have the floor please.
Pakistan
Thank you so much, Mr. Chairman. My delegation believes that application of norms of responsible state behavior can reduce risk to international peace and security. However, arriving at a common understanding how much norms apply to state behavior, and use of ICTs by state remains a critical task that requires constructive and sustained engagement with the member states in this set of Open-ended Working Group. The complex nature of cyberspace marked by stealth, anonymity, interconnectivity and difficulty and attribution necessitate a cautious interpretation of existing norms international law as well as the gradual expansion evolutions of the norms, and to political and legally binding instrument through a consensus based approach. The elaboration of these norms would help in strengthening cooperation and trust between governments as well as between governments and the private sector. Mr. Chairman, as discussed and shared by many delegation, we should continue to strengthen measures to protect all critical infrastructures from ICT threats, and increase exchanges on best practices with regard to critical infrastructure protection. My delegation also believes that it is important to address the challenges associated with attribution in ICT environment. Developing a common approach to attribution universal setting under the United Nation auspices remains the most effective way forward in this regard. At the same time, it is also important to avoid any undue restrictions on the peaceful uses of ICTs, international cooperation in this field or technology transfer, which could undermine economic and social development and hamper the efforts, particularly in countries in realization of their sustainable development goal. The United Nations has a central role in promoting dialogue, international cooperation among member states to develop common understanding on key aspects, including on the application of international law, norms, rules and principles of responsibility. I thank you, Mr. Chair
Ambassador Gafoor
Thank you very much. Pakistan. Malaysia, you have the floor, please.
Malaysia
Chair. Thank you, Mr. Chair. Malaysia recognizes that voluntary non-binding norms of responsible states behavior can reduce risk to international peace, security and stability. Malaysia welcomes the report of the last OEWG and GGE on the topic and deliberations of rules, norms and principles of responsible state behavior. It still serves as good guidance for every state to deepen the understanding and implementing the norms at the national and regional level. At this stage, Malaysia believes that having a plan or strategic paper on the voluntary non-binding norms at the national level will provide a practical insight on the current state of implementation in the domestic level, and it could also serve as a guidance for every stakeholders to prioritize on the implementation of the norms, based on the current capacities and resources of the states. Continuous and closely engagement with private sectors, industries and technical communities as well as civil societies is important. Further, states could establish a domestic coordination by identifying the lead agency or sectoral body for each initiative and establish an evaluation mechanism through a periodic survey, or report, on the implementation of all the norms at promoting the stability in cyberspace. This would also enable the states to align and streamline all the efforts at the national, regional and international levels, especially in protecting the critical infrastructure scene. It is a key enabler to the economic growth of the states. This can be done by using the National Survey of implementations of the norms posed by Australia and Mexico. Some of the examples that Malaysia could share on our efforts at national level on the protection of national critical infrastructure are by introducing a new national security council directive on national cybersecurity management, enhancing the national cyber coordination and command center, strengthening our national CERTs, reviewing the national cyber crisis management plan, developing an integrated cybercrime information management system to increase the performance of cybercrime investigation process by law enforcement agencies domestically and conducting the feasibility study on the requirement to enact cybersecurity specific legislations. Mr. Chair, promoting the implementation of norms at regional level will give bigger impact to the operationalization of norms. With that in mind, as mentioned by my other ASEAn delegates, ASEAN has developed metrics of ASEAN regional action plan on the implementation of the UNGGE norms to assist the ASEAN member states to understand and stocktake on the initiative to implements the norm, the metric which focus on capacity building areas and low hanging fruits initiative that could be implemented at the regional level. By referring to the metrics, ASEAN member state could identify partners in implementing the initiatives. The metric is a living document that will be updated from time to time. For the purpose of sharing of experience and best practices between states, Malaysia is of the view that states can use the bilateral, multilateral regional and international platforms to exchange views and information on national approaches, including the lesson learned from such implementation. The OEWG could also take note and do the mapping on the initiative which later could promote a strategic approach on any areas of improvement on the norms. To conclude, Malaysia wishes to reiterate that there is a need for every state to embed and implement the rules, norm and principle of responsible behavior, not only in every national strategy plan, policy standard, but also in the bilateral and multilateral agreement, as well as take it down to the businesses level in order to have a clear and common understanding on the implementation of the norms. In addition, considering to the further elebrate of existing norm or develop additional norm would become one long term plans for the state as technology is rapidly growing, and they might be areas that the existing norms do not cover in the future. Thank you, Mr. Chair.
Ambassador Gafoor
Thank you very much, Malaysia for your statement. Distinguished delegates, I do not have any more speakers for topic number two, at this point, so I intend to move on to topic three, which is agenda item five, topic three, how international law applies to the use of information and communication technologies by states. And, of course, under this cluster, there are also a series of guiding questions that I have put forward and I would very much welcome delegations making their comments and contributions at this stage. So the floor is now open for interested delegations. European Union, thank you for being the first, you have the floor please.
European Union
Thank you very much, chair. Indeed, first I am very happy to talk about this new subject that is on the agenda, and I’m looking forward to share the views of the EU and its member states, as well as of the candidate countries, Montenegro, The Republic of North Macedonia, and Albania, the country of stabilisation and association process and potential candidate, Bosnia and Herzegovina, as well as Ukraine, the Republic of Moldova and Georgia, which align themselves with this statement. Let me start by reiterating our commitment to the application of international law in cyberspace. As one of the pillars of the framework for responsible state behavior, the application of international law together with rules, norms and principles of responsible state behavior, confidence building measures and capacity building provides stability in international relations in cyberspace. The EU and its member states see the Open-ended Working Group presents an opportunity to seek further understanding and consensus, building on the UN framework for responsible state behavior and on proposals to address the use of ICTs in the context of international security. Taking the existing, acquis on international law as its starting point, the Open-ended Working Group could clarify how international law applies in cyberspace, including human rights law. Additionally, the Open-ended Working Group could elaborate on how international humanitarian law, including the principles of proportionality, distinction, and precaution apply to the use of ICTs by states. Working on these modalities of application of international humanitarian law in cyberspace will advance transparency and common understanding among states. Such endeavor should not be misinterpreted as encouraging the militarization of or legitimizing the use of force in cyberspace. On the contrary, it would strengthen the application of international humanitarian law in cyberspace, which restricts cyber operations and sets clear boundaries to states, during an armed conflict by protecting civilians and civilian objects against cyber attacks. By focusing its discussions on how existing international law regulates states conduct in cyberspace, the Open-ended Working Group could identify possible challenges in the application of international law. These exchanges could also contribute to all states building capacities on international law and cyber, as well as related national legislation and policies. The EU and its member states encourage states to articulate national positions on the matter, as we are working on that ourselves. With regard to the proposal contained in the Chair summary to develop legally binding measures, the UN member states strongly underlined the need to make sure that the achievements of the international community of the last decades on international security in cyberspace are not undermined and will not be lost. The UN consensus reflected in the respective UNGGE and in the Open-ended Working Group reports and numerous UNGA resolutions, that existing international law, notably the charter in its entirety, international humanitarian law and international human rights law, apply in cyberspace and apply to states conduct in cyberspace is the basis on which we have to build our discussions. The UN and its member states view attempts to undermine these prior achievements as destabilizing, and we know that the Open-ended Working Group should continue to build on our existing work, on the UN framework, and exploring ways to enhance its implementation and strengthen its pillars. To this end, we underline the importance of multilateral discussions in the Open-ended Working Group, as well as a practical implementation and capacity building in the context of regional and bilateral efforts, including by the EU and its member states, and in view of further multilateral cooperation on practical implementation, foreseen under a Programme of Action to advance responsible state behavior in cyberspace. Thank you very much, Chair.
Ambassador Gafoor
Thank you very much European Union for your statement. I’ll now give the floor to Ukraine, to be followed by Ireland, Israel, Austria, UK, Japan, Colombia, Switzerland. Ukraine, you have the floor, please.
Ukraine
Thank you, Mr. Chair. Ukraine alligns itself with thie EU statement just delivered, and now I would like to make a statement in our national capacity. We believe that international law is an essential framework for responsible state behavior in cyberspace. It is of utmost importance that the previous OEWG as well as GGE reaffirmed that international law the UN Charter in its entirety is applicable and is essential to maintaining peace and stability as well as promoting an open secure, stable and peaceful ICT environment. Ukraine reaffirms the importance for states to observe in their use of ICT principles of international law. In particular state sovereignty, sovereign equality, the settlement of disputes by peaceful means, and non-intervention in the internal affairs of other states. Existing obligations under international law are applicable to states’ use of ICTs. In addition, states must refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations. We would like to emphasize that when a state cyber operation is in violation of its obligations under international law, it constitutes an internationally wrongful act, which entails an international responsibility and give rise to an obligation to make full reparation for the damage that may be caused by the act. We fully concur with the conclusions of the previous OEWG and GGE, that states must not use proxies to commit internationally wrongful acts to using ICTs, and as well as states should take all actions to ensure that their territory is not used by non-state actors to commit such acts. At the same time, we all know that cyberspace constitutes an area with much room for speculation, doubt, and ambiguity. The problem of attribution adds to the complexity and increases the potential for tensions between states. However, Ukraine firmly believes that it is the international community’s, including national governments’ task and responsibility to identify and hold accountable individuals entities, groups or governments responsible for the use of ICT with hostile purposes and the question of attribution can and should be discussed in the UN. Ukraine shares the view that international humanitarian law, including the principles of humanity, necessity, proportionality and distinction, applies to cyber operations within an international conflict. For its part, international human rights law is also applicable in cyberspace. Under human rights law, states have obligations to protect human rights of individuals, including in the digital domain, namely the right to privacy, the freedom of opinion and expression, the right to access to information and other rights. Hence, states are bound by their human rights obligations, both online and offline. In conclusion, Mr. Chair, Ukraine remains open and ready to contribute to further deliberations on how international law applies to state use of ICTs, which is important for promoting an open, secure, stable, accessible and peaceful ICT environment. I thank you.
Ambassador Gafoor
Thank you very much, Ukraine. Ireland, you have the floor please.
Ireland
Thank you chair. Ireland underlines the statement of the EU and reaffirms our commitment to a rules-based multilateral approach and the application of international law to cyberspace. This applicability of international law is one of the key foundations of the framework for responsible state behavior, together with norms of responsible state behavior supplemented by and strengthened through capacity building and Confidence Building Measures. With regard to the proposals in the Chair’s summary, Ireland strongly supports the UN consensus, that existing international law, notably the UN charter in its entirety, and international humanitarian human rights law, apply to state actions in cyberspace. Previous UN consensus reflected in the GGE, OEWG and numerous UNGA resolutions, should form the basis of our discussions which we can build upon. At this OEWG, Ireland looks forward to building on what has been agreed by consensus at the past GGE and OEWG meetings, and advancing in practical and tangible ways, the promotion of common understanding and consensus on the particulars of how international law applies to cyberspace, including international human rights and humanitarian law. Applying international humanitarian law to cyberspace does not legitimize the militarization of cyberspace and instead provides transparency and protection for civilians and critical infrastructure. As stated in our opening remarks yesterday, targeted capacity building measures will be key to promoting greater understanding of the application of international law in cyberspace. In addition, efforts to support the practical implementation of international law by all states should form an essential part of our discussions. The Programme of Action will support these efforts. Ireland also looks forward to building greater common understanding on International law with this OEWG through discussions with other states on the development of national legislation, policies and strategies, which helps to build trust and confidence. For our part, Ireland looks forward to contributing to this discussion through a national position paper on the applicability of international law to cyberspace, which we hope to publish early next year. Ireland would again like to highlight the value of multistakeholder participation informing, from a legal and technical perspective, our discussions on the application of international law to cyber. Thank you, Mr.Chair.
Ambassador Gafoor
Thank you very much, Ireland. I now give the floor to Israel, please.
Israel
Thank you Chair. It is important for Israel and other states to continue with the discussion on the application of international law to cyberspace. Building a common understanding of how international law applies to the use of ICTs by states forms part of the broader agenda shared by the international community of developing a common understanding of responsible behavior of states in the cyber sphere. It complements other important efforts, chiefly among them, the practical cooperation in preventing and mitigating attacks. Understanding states’ positions of existing international law in this contex,t should be dealt before elaborating new rules and norms. Israel’s position, that international law is applicable to cyberspace has been consistently expressed over the years. Having said that, traditional rules of international law, which mainly evolved in the physical world, and often in domain specific contexts, do not always lend themselves to application in the cyber domain, which has certain distinctive charcteristics, hence the need for further study. For example, data travels globally across networks and infrastructure located in multiple jurisdictions, transcending national borders and lacking meaningful physical manifestations. Moreover, cyber infrastructure is, to a large extent, privately owned and decentralized both at domestic and international levels. The cyber domain is also highly dynamic, with technological developments and innovation, advancing at a rapid pace. When considering the applicability of specific rules of international law to cyberspace, it is important to be mindful of such distinctive features and to carry out a meticulous examination of the rules at play and the context in which these rules emerged. Concepts, rules and principles of international law that apply in principle to ICTs, such as sovereignty, non-intervention, due diligence, state responsibility, attribution, and countermeasures merit further study. Given the specialized and context-specific nature of these issues, the OEWG can take a broader role of promoting and facilitating discussions of a more general nature. In this context, we believe the most promising avenue for discussions on the application of international law within the framework of the OEWG would be to explore how international law can enhance and streamline confidence building, capacity building and international cooperation. The OEWG can and should play a role by acting as a repository of state views on the application of existing legal rules and concepts that are pertinent to cyber activity. To conclude Mr. Chair, before engaging in a new path of developing norms, we believe it is more prudent to have a better understanding of states’ positions regarding the application of the existing international law. Thank you, Mr. Chair.
Ambassador Gafoor
Thank you very much, Israel. Floor now to Austria. You have the floor please.
Austria
Mr. Chairman, the Austrian delegation fully aligns itself with the statement by the European Union, and would like to add the following remarks in response to the questions that you have raised on this topic. Austria attaches great importance to the respect of intent and adherence to international law by states in cyberspace. We strongly believe that a rules-based international system with clear and predictable rules is an essential precondition for lasting peace, security, economic development and social progress. It is essential to preserve trust and reliability in international relations. In this regard, it is of particular importance that in the final report of the first Open-ended Working Group, all UN member states agreed by consensus, that existing international law, and in particular the UN Charter, applies in cyberspace. We highly welcome this recognition of the rule of law in cyberspace and we appreciate that our further discussions in this Open-ended Working Group can build on this consensus. The development and use of new technology is advancing so rapidly, that new questions about how to interpret international law and how to apply it to new realities arise every day. Any legal assessment depends on the examination of the relevant circumstances in each individual situation, especially given the complexity that the cyber context often entails. We firmly believe it is central for ensuring legal certainty that states jointly clarify how the rules of international law must be interpreted and applied in cyberspace. In our view, the elaboration of guidance notes or principles on the application of specific rules of international law in cyberspace would be most useful in this context. We should also have further detailed discussions to see whether the any divergences in the application of international law to cyberspace that need to be overcome. Past UN processes have already identified the most important areas of international law which merit more detailed exchanges in order to consolidate our common understanding on how to apply them in the cyber context. Such areas include the principle of non intervention, the rules of state responsibility, the principle of due diligence, and the obligations under international humanitarian law and international human rights law. We suggest that future sessions of the Open-ended Working Group should focus on these areas to allow for a more in depth discussion. For each respective topic, a discussion paper with guiding questions and background documents could be compiled and made available. This should be done in due time before the meetings, so that all delegations have sufficient time to prepare. In this respect, we reiterate our view that expert advice could feed into such preparation and that close cooperation with academia would be helpful in advancing our discussions. We agree with others about the importance of capacity building on international law and cyber. We continue to support the proposal of a voluntary survey of national views and practices that summarize information from could facilitate the assessment of whether there are actually divergent views, and how to keep our common understanding on how international law applies in cyberspace. This could also feed into UNIDIR’s Cyber Policy Portal. Mr. Chairman, let me reiterate that we believe that it is of utmost importance that the rule of law is upheld in cyberspace. Please rest assured that the Austrian delegation will fully support you in your efforts, and actively participate in the discussions of this working group. Thank you.
Ambassador Gafoor
Thank you very much, Austria. UK, you have the floor please.
United Kingdom
Mr. Chair, in adopting by consensus the report of the OEWG, all member states reaffirmed that international law, and in particular the Charter of the United Nations, is applicable and essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful ICT environment. From here, the departure point for our discussions must be elaborating how existing international law applies to state activity in cyberspace, in order to build a deeper, clearer and more practical understanding. In May this year, 15 states participating in the Group of Governmental Experts process, took the step of putting forward their national views on how international law applies to state activity in cyberspace to be published as part of an annex to our consensus report. The UK published our own national statement through this process. Other states took the opportunity to build on their participation in the 2019-2021 Open-ended Working Group to publish their own positions. We welcome all these statements, and thank those states, both for furthering the discussion on how international law applies in this context, but also for actively sharing their views to enhance transparency, predictability, and stability as the key to strengthening international peace and security in cyberspace. As we heard in the OEWG last year, other states are still developing their own positions on this issue. We must ensure that these and future publications contributing to the development of this debate are readily accessible to those states as they develop their thinking. To realize our commitment to promoting the important work of encouraging all states to develop and publish their national positions, we are pleased to announce that the UK and close partners France, Italy, Germany, the US, Canada and Japan, will support a package of development for UNIDIR’s Policy Portal, increasing inclusivity and transparency and enabling it to act as a repository for national positions on the application of international law to state behavior in cyberspace. This support will migrate the portal to a more advanced content management system, build basic content search functionality, and the development of a searchable database, and allow for translation of both the portal’s interface and content into other UN official languages. This will foster transparency, confidence and capacity building for all through ensuring that the portal remains widely recognized as the primary digital platform for sharing information on the national policies and laws regarding cybersecurity. We will continue to welcome the sharing of national views on this crucial issue as the most practical way to build consensus on how international law applies to state activities in cyberspace. In this regard, we encourage states to action the recommendation from paragraph 50 of the consensus OEWG report, that states voluntarily engage in transparency measures by sharing relevant information and lessons in their chosen format and fora as appropriate, including through the Cyber Policy Portal of the United Nations Institute for Disarmament Research. But we recognize that some states are not yet in a position to develop and share such positions. Generating one, requires careful consideration of a state’s wide ranging interests, from economic to security, from legal to policy, from human to technical. We note that paragraph 39 of the GGE report recommends that states in a position to do so, continue to support in a neutral and objective manner additional efforts to build capacity in the areas of international law, national legislation and policy. Alongside supporting states in developing human capacity to participate in these conversations, as the UK does through the women in Cyber fellowship, we recognize the importance of supporting states to improve their understandings of the key differences of opinion in this area. In this regard, the OEWG can action paragraph 39 of the OEWG report and continue discussions of specific rules and principles of international law, and how they apply in this context in order to raise awareness of and support the development of national positions. Issues of particular importance to the UK include building upon the work of the UNGGE and developing a deeper understanding between states on how international humanitarian law and international human rights law applied to states activity in the cyber domain. Thank you.
Ambassador Gafoor
Thank you very much, UK. Japan, you have the floor please.
Japan
Thank you Chair for giving me the floor. The Government of Japan hopes that the announcement of a basic position on international law applicable to cyber operations by the governments of many states, and the application of international law in international and domestic courts and tribunals will deepen the shared international understanding on how international law applies to cyber operations. The Government of Japan also hopes that the deepening of a shared understanding, particularly regarding which activities in cyberspace constitute a violation of international law, and which tools are available on the international law for states whose legal interests have been infringed by cyber operations will deter malicious activities in cyberspace. Publicizing its position on the application of international law in cyberspace will increase the transparency of cyber operations by each government, and it is important that more countries publicize their positions. It is effective to publish the position on the Cyber Policy Portal of UNIDIR and the OEWG website, in addition to the websites of respective governments, for states which have not written their positions, other states published position will be highly useful for publicizing their own position, and Japan will also support development for the Cyber Policy Portal of UNIDIR. In parallel with the publication of each state’s position, discussing the similarities and differences across the positions will further promote mutual understanding. The positions of each state should not be considered fixed, and can be developed through future discussions. Therefore, any countries [who have] already announced its position are invited to revise it as necessary. Thank you, Chair
Ambassador Gafoor
Thank you very much, Japan. Colombia. you have the floor please.
Ambassador Gafoor
Microphone for Colombia, please.
Colombia
Chairman, adding to what my delegation pointed out in the general exchange of views, we’d like to refer now to how international law applies to the use of ICT by states. Colombia presented the corresponding reports to the Secretary General, and we think it’s important to continue to have an exchange on national practices, such as through the portal of UNIDIR on cybernetic practices. There’s always the possibility for improvement, and that’s why we think that as far as possible, the information should be disseminated in various languages, and be accompanied by events that will make it possible to have an open dialogue with the participation of academia, so that the debates can be more in depth and constructive. So now that the possible implications of the effects of international law as applied to ICT by states undoubtedly requires more in depth study. In particular, we think it’s fundamental that the most technologically advanced states share their practical experience in this area, so that the general legal provisions can be better understood in terms of their scope with regard to cyberspace. International law applies to cyberspace and there is consensus on that. Nevertheless, the interpretation and application of the law is still something that has to be studied in depth. So if we’re able to identify the existence of gaps in the application of international law on ICTs then we can make progress in developing new norms to fill those gaps. For example, with regard to international humanitarian law, which only applies in situations of armed conflict, we still need to study how and when the principles of proportionality, humanity and distinction would apply to the use of ICTs by states. Also, it’s important to stress that these principles should not in any way promote conflicts, and that’s why we need to promote common understanding, avoid misunderstandings, and promote stability and predictability. Chairman, we don’t feel that at this time, we need to negotiate an internationally binding instrument, but what we do need to do is stress the effective implementation of international law. In that regard, we re-iterate our support for the proposal to prepare a guide that will enable member states to better understand the effects of implementation in cyberspace. The strengthening of capacity in this area is an absolute necessity in the area of international law and legislation and national policy, so that all states can continue to contribute to building a common understanding as to how international law is applied to the use of ICTs by states. Thank you very much.
Ambassador Gafoor
Thank you very much, Colombia. Switzerland. You have the floor please.
Switzerland
Thank you, Mr. Chair. Switzerland, welcome the opportunity to discuss how international law applies to the use of ICT by states in cyberspace in the context of the Open-ended Working Group. Switzerland welcomes and supports the consensus that has been reached by the UNGGE, and the Open-ended Working Group reports earlier this year, that the existing body of international law and international humanitarian law applies to the activities of states in cyberspace. Switzerland welcomes the principle-based approach chosen in the GGE reports of 2015 and 2021. To clarify how international law applies in the cyber context. I would like to recall in particular the principle of state sovereignty, sovereign equality, the settlement of disputes by peaceful means, the prohibition of the use of force, non-intervention in the internal affairs of other states, and the respect for human rights and fundamental freedoms. The results reached throughout the last GGE and Open-ended Working Group represent the common acquis and should form the basis of work for our group. On the basis of this shared understanding, we should strive to further develop and dependency discussion on how international law applies in cyberspace. Switzerland underlines that in order for all state to deepen and contribute to the common understanding on how international law applies in cyberspace, there is a need for additional, neutral and objective efforts to build capacity in the areas of international law, national legislation and policy. Switzerland welcomes the publication of national position on how international law applies to cyberspace in a compendium annex to the last GGE report. We would like to invite all states that have not yet published a position to consider to do so. Understanding the views of other states is a first step towards reaching a common understanding on how international law applies to cyberspace and will contribute to its further operationalization. Mr. Chair, for Switzerland, the following five topics are of particular importance when discussing international law in the framework of the Open-ended Working Group. First, it is of seminal importance to distinguish between binding international law from non-binding norms, rules and principles of responsible state behavior. This distinction should be enhanced and clearly be respected in the work of the Open-ended Working Group. Second, Switzerland sees great merit in discussing international humanitarian law (IHL) as one of the priorities within the Open-ended Working Group. The Open-ended Working Group should thereby build on the consensus of previous outcome documents. IHL applies in the context of an armed conflict, including two cyber operations. Why do we think that discussing IHL is important and timely? IHL addresses the realities of war without considering the legality of war. It does not deal with the reason for the legality of the use of force, nor does it in any way encourage or legitimize the possible use of force between states in any situation or context, including in cyberspace. Existing IHL places important limits on cyber operation in the context of an armed conflict. It regulates the conduct of hostilities and protects those who are not or are no longer taking part in hostilities, such as civilian or the wounded and sick people. Thus, IHL reduces risk and potential harm to both civilians and civilian objects as well as combatants. This is also the case for cyber operations with a nexus to an armed conflict. While we believe that in most cases, it is clear how IHL applies to cyber operations in the context of an armed conflict, some questions deserve clarification amongst states. In our view, the Open-ended Working Group constitutes an appropriate setting to study how and when exactly IHL applies in cyberspace, and should set aside some time to do so. Such a discussion within the Open-ended Working Group would be an important contribution to facilitating the further study on how international law applies to state’s use of ICTs. It will also allow us to deepen our common understanding in that regard. The third aspect of importance is that human rights apply offline but also online. States are responsible for respecting and protecting the human rights of holding individuals within their jurisdiction on their territory as well as in cyberspace. A number of international human rights are of particular importance in the context of cybersecurity, namely, the rights to privacy and freedom of expression and information, as well as the principle of non-discrimination. However, some technology is used and measures taken on the ground of ensuring national security, both considerable risk for the full enjoyment of human rights. This is for instance, the case for mass surveillance, network shutdowns, facial and emotional recognition and so forth. Therefore, states in ensuring the secure use of ICT must guarantee human rights and fundamental freedoms by fully complying with their obligations and commitments under international human rights law, when considering, developing and applying national cybersecurity tools, policies, and legislation. Switzerland considers the applicability of human rights to cyberspace to be an unequivocal principle. However, new questions may arise when considering how human rights in cyberspace apply in individual cases. Human rights is a key pillar in the international regulatory framework for digitalization must be respected and further elaborated in the work of the Open-ended Working Group. Fourth, Switzerland welcomes that the responsibility of states is reaffirmed in the 2021 report, including that states should not knowingly allow the territory to be used for internationally wrongful act using ICTs. Switzerland would like to underline that legal attribution is governed by the law of states responsibility and the International Law Commission draft articles on state responsibility are applicable in that regard. States may take measures that are legally available in response to ICT activities that constitute an internationally wrongful act. However, it is important to underline that countermeasures are subject to several important pre-conditions and procedural requirements. These legal constraints should be further analyzed in the work of the Open-ended Working Group. Fifth, and last one, Switzerland is of the view that due diligence is a general principle of international law and is applicable to cyberspace. In accordance with this principle, states should not knowingly allow and must do everything possible to prevent, that their territory or cyber infrastructure under their exclusive governmental control is used for internationally wrongful acts for criminal or other malicious activities using ICT that produces adverse consequences for other states. Switzerland would encourage that the principle of due diligence is reflected in the future work of the Open-ended Working Group. Mr. Chair, allow me to conclude, we look forward to contributing constructively to the discussion on international law and in particular, in those five areas that I mentioned. By focusing on these issues, Switzerland hopes to contribute further to the clarification of how international law can be operationalized in the ICT environment, I thank you.
Ambassador Gafoor
Thank you very much, Switzerland. I now invite the delegation of Netherlands. You have the floor, please.
The Netherlands
Chair, international law applies in cyberspace, as was confirmed by both the Open-ended Working Group and the GGE report. The Netherlands is of the view that the current and upcoming Open-ended Working Group is the most appropriate, multilateral and inclusive forum for further exploring how international law applies in cyberspace. Much progress has been made in previous inter-governmental processes under UN auspices, and The Netherlands is very much committed to contributing to this discussion. In this regard, The Netherlands encourages all states participating in the Open-ended Working Group to publish their interpretation of how international law applies in cyberspace. Doing so, helps deepen our common understanding of the applicability of international law, and increases stability in cyberspace. Chair, there are a number of topics that are in need of further elaboration in our view, the first one on the law on state responsibility and response options. As stated in the 2021 GGE report, states must meet their international obligations under international law. In accordance with the law on state responsibility, a state is responsible for an internationally wrongful act, when it first breaches an international obligation that can be, second, legally attributed to the states, unless an internationally recognized justification applies. Important binding obligations for states under international law in this respect, include, respect for sovereignty, non-intervention, the prohibition of the use of force, the due diligence principle, the obligations related to armed conflict, and international human rights law. International law provides states with various options for responding to conduct by other states in cyberspace, such as retortion, countermeasures, necessity and self defense. The options available in a particular case depend on the specific circumstances, and when considering a response, states must fully respect the conditions international law attaches to any such options. Second, on international human rights law, the General Assembly has agreed by consensus that human rights and fundamental freedoms apply online as well as offline, which means they should be respected, protected and promoted in cyberspace. The Open-ended Working Group should deepen the understanding of the application of human rights in cyberspace. A good start would be to recognize the interdependence and complementarity of human rights and cybersecurity, and the needs to fully respect international human rights law when designing, developing and implementing cybersecurity laws and policies. All of this has been recognized in the acquis, but it needs further operationalization. Human rights do not stand alone, but should inform our discussions on threats, norms, law and capacity building. There is a wealth of expertise and documentation available to us in this respect. For instance, from the Freedom Online Coalition, but also UN special procedures, UN general comments and views from human rights treaty bodies. We can, indeed must, also greatly benefit from input from civil society on this. Moreover, we would also emphasize that all human rights are implicated in states behavior in cyberspace, not only the rights of privacy and right to freedom of expression. Another important element of ensuring respect for human rights in cyberspace, is the role of the private sector. Adherence to the UN guiding principles on business and human rights should be ensured by all businesses active in the digital realm, and we as governments should hold them to account on this. Finally, it is important to recognize that women and vulnerable groups including human rights defenders, journalists, LGBTIQs, children and ethnic minorities are at particular risk of human rights violations in cyberspace. This deserves more thought and should be taken on board in our discussions as well. As our lives become more and more digitalized, and normal participation in society becomes more and more dependent on one’s access, or mastery of the internet. There is more and more pressing needs to ensure that fundamental rights are fully respected, protected and promoted online, and that vulnerable groups, in particular, are assisted and taken into account into consideration. These discussions are ongoing, but there’s a real urgency to make more progress, to better understand the human rights implications of ongoing digitalization, and to devise interventions that make sure that digitalization does not develop into a human rights nightmare. The Netherlands therefore commits itself to deepening the understanding of the applicability of all human rights in cyberspace. On international humanitarian law, The Netherlands strongly supports the application of IHL in cyberspace and welcomes the GGE reports reference to IHL in the context of international cybersecurity. The Netherlands encourages other states to further deepen understandings of the application of IHL to cyber operations in the context of armed conflict. The purpose of IHL is to regulate the conduct of hostilities, and to protect those who are not or no longer taking part in hostilities, such as civilians or the wounded and sick. In particular, by restricting the use of certain means and methods of warfare. IHL reduces risks and potential harm to both civilians and civilian objects, as well as combatants in the context of an armed conflict. Existing IHL, particularly its fundamental principles, places important limits on cyber operations in the context of an armed conflict. In this regard, it is important to note that IHL does not deal with the legality of war, which is governed by the UN Charter, nor does it in any way encourage or legitimize the possible use of force between states in any situation or context, including in cyberspace. Thank you very much Chair.
Ambassador Gafoor
Thank you very much, Netherlands, and I’ll give the floor to the Philippines.
Philippines
Mr. Chair, At this juncture on the applicability of international law in cybersecurity issues, the Philippines would like to highlight the following points and raise some issues that we need to take into account as we delve into this subject, further. We already have consensus on the applicability of international law to cross border cyber operations, but there is a need to further study the precise application and interpretation of many of these international law principles and the rules that govern them. We should also strive to balance the applicability of international law in cyber operations so as not to unduly restrain peaceful activities in cyberspace by states and non-state actors. International law provides a number of legal basis on how states should lawfully respond to harmful or malicious cyber operations during peacetime. The OEWG may further discuss certain aspects such as in self defense – this is anchored on Article 51 of the UN Charter, which provides that “nothing, in the present charter shall impair the inherent right of individually rule or collective self defense if an armed attack occurs against a member of the UN”. This response requires as a condition president of the right to engage in self defense, that an armed attack is present. What needs to be discussed thoroughly by the OEWG is the concept of what constitutes an armed attack in the context of cyber operations to justify resort to self defense. Does it require a resulting harm? What is the threshold of severity for the cyber operation to amount to an armed attack? Another aspect which needs to be considered is the nature of cyber operations. We know that the general rule in international law is that a state is only entitled to respond in self defense if an armed attack is either imminent or ongoing. However, malicious cyber operations by its very nature, may be executed in seconds or even less, and it leaves the target state with no warning or time to respond to the cyber attack. Will highly reliable intelligence that an armed attack will be launched against a state be sufficient to justify resort to self defense? How about a situation where a victim state reasonably concludes that further cyber attacks will be launched against it, and we also need to consider countermeasures. These are responses by a state to the unlawful cyber operations of, or attributable to another state. The purpose is to cause the responsible state to desist in malicious cyber operations against the victim state. The question, however, is what if the identity of the actor causing the malicious cyber operation is uncertain? And how certain must a state be in attributing a malicious cyber operation before launching a countermeasure? If the cyber operation is indeed attributable to a state, countermeasures are available as a remedy when the responsible state is in breach of an international legal obligation, such as respecting the sovereignty of the victim state. By permanently affecting the functionality of cyber infrastructure, there is a breach of sovereignty, and therefore the victim state may launched countermeasures against the responsible state. But how about in situations where the damage is not of a permanent nature, or the damage is not grave enough, but has somehow affected or altered a state’s critical infrastructure. Mr. Chair, in our succeeding meetings and sessions among members and stakeholders, The Philippines looks forward to thrashing out these issues with a view of forming consensus on how existing international law may prove to be responsive, and how other proposals for binding instruments would prove to be necessary to address cybersecurity threats and issues. Thank you, Mr. Chair.
Ambassador Gafoor
Thank you, the Philippines for your statement. I give now the floor to Argentina, you have the floor please.
Argentina
Thank you very much Chairman. Argentina believes that the application of international law in cyberspace is very important for transparency and international stability. Each state can think about how it understands that it will apply international law to cyberspace. Just as the responsable behavior of states and the consensus opinions of the General Assembly, we feel that international law includes the UN Charter in its entirety, international human rights law and international humanitarian law. In particular, we believe that we need to avoid anything leading to armed conflict and affecting humanitarian values, and that not be covered by international humanitarian law. This will require us to determine the norms that apply, the conditions for applicability of the norms, and the object of these norms, what their goal is, the definition of the principles involved, amongst other things. This framework we believe, means that we need to think about possible alternatives from a legal point of view in order to achieve the goal that we have set ourselves. Argentina believes that we need consensus on binding and non-binding norms applying to cyberspace, that’s an effective and legitimate way to deter harmful practices on the part of states, and in that way preserve international peace and security. As in very many other areas, a system based on rules is of systemic interest, it reduces uncertainty and cost as well. We believe that the National Survey Instrument on national policies promoted by Australia and Mexico that my country supports is a very valuable tool to help countries in terms of good practices, and we would also highlight the important role of regional and sub-regional organizations in producing greater clarity with regard to the implementation of international law. We believe that all of these processes are progressive, and should be implemented in a holistic manner. Nationally, it’s important that we create structures and norms, and raise awareness in all areas amongst the general population, up to the decision making level and discussions in parliament, and in that effort, we think it’s very important to include civil society, the private sector and academia. The challenge of the digital divide is cross cutting to all the issues that we are discussing, that should always be present and borne in mind, we always need to try to reduce that digital divide. We believe that this group can and should cooperate to promote better understanding of the implementation of international law in cyberspace and work towards consensus among member states in the process, and therefore produce good practices for the implementation of voluntary norms. Thank you.
Ambassador Gafoor
Thank you very much, Argentina. Russian Federation.
Russia
Thank you, Mr. Chairman. As part of this item of our agenda, I wanted to state the following. Given the absence of a universally recognized understanding as to how international law applies to the realm of ICTs by states, we believe it would be wise for the OEWG to organize an in depth discussion about specific unregulated matters. Questions that have not been fully resolved, specifically, how is current international law, specific international legal principles for cooperation, how does this apply in the use of ICT, given their specific features? What relations in the area of ICT use between the subjects of international law, remain unresolved and unregulated, and how can a regulation in this area be carried out at the global level? What specific actions by states in the area of ICTs are viewed as illegitimate, in terms of international law? How, and on what basis could from the standpoint of international law could computer attacks targeting information resources of states be qualified? Which international legal mechanisms are necessary to address the task of de-anonymization of the information space? As we see it, there should also be attention drawn to a discussion of the principle of cooperation in international law vis a vis ICT and this should include the development of specific international mechanisms and algorithms for cooperation, for example, between a contact points on international information security, or quick response groups responding to computer incidents. Given all of these gaps, as well as given the lack of an international legal instrument in the area of the use of ICT, we believe that it would be wise to consider the international legal regulations for ICT in this area, as well as the progressive development of international law in the use of ICT in a manner that fully reflects the specific features of this technology. The priority of objective as we see it should be developing a universal convention to ensure international information security. In light of the difficulties which delegations frequently encounter reaching agreement on documents at the United Nations, as well as at regional and multilateral fora, we believe it is important to establish universal terminology in the use of ICT and ICTs themselves. To begin, it would be possible to establish a list of terms used in consensus documents of the United Nations and subsequently to reach agreement on a definition of key terms from this list, for example, information communications technology, information communications infrastructure, information communications space, and so on. At this juncture, the international community has no consensus on the question of qualification of malicious use of ICT in as an armed attack in the sense of Article 51 of the Charter of the United Nations. Consequently, there is no basis for assessment of the legitimacy of the use of ICT from the standpoint of international humanitarian law as well. Given that modern methods and means for identification of sources of malicious activity in information space, given that this does not allow for a prompt and verifiable identification of subjects carrying out malicious activities and their geographic coordinates, use of the right to self defense in response to attacks could result in armed escalation. As we see it in discussions on international law at the OEWG it would be wise to bring in international legal experts and other representatives from academia, in order to have a more in depth consideration of these matters. Thank you for your attention.
Ambassador Gafoor
Thank you, Russian Federation. Distinguished delegates, I still have about a dozen speakers who have inscribed and certainly we will not be able to continue this evening any further. So I intend to come back to this issue tomorrow. And tomorrow, we will be meeting in conference from one to three, we will meet at 10am. And I intend to begin tomorrow’s meeting by providing an update on Agenda Item three, relating to organizational matters specifically with regard to where we are on the issue of modalities for stakeholder participation. After having provided that update, I will then proceed to Agenda Item five, to continue the discussions that we have begun today on topic three, which is how international law applies to the use of ICT and we will take up the remaining speakers, and after we have handled topic three, for the rest of the day it is my hope that we will go to the very important issues of Confidence Building Measures and capacity building, which is topic number five. Now, I do encourage delegations to come prepared with your statements, not only for international law, and how it applies to the use of ICTs, but also with regard to Confidence Building Measures and capacity building. We have a long day ahead and it’s three days of very fruitful discussions. I thank you all for your participations and presence this evening. I wish you a pleasant evening. I’ll see you tomorrow morning. The meeting is adjourned.