Session 2-5 Transcript
(OEWG 2021-25)

This is an unofficial transcript

Ambassador Gafoor  

Good morning distinguished delegates the fifth meeting of the second substantive session of the Open-ended Working Group on security of and in the use of information and communication technologies 2021 to 2025 established pursuant to General Assembly resolution 75/240 of 31 December 2020 is now called to order. Distinguished delegates, as I had indicated yesterday, this morning we will continue our work in informal mode on agenda item five on the sub-item relating to further develop the rules, norms and principles of responsible behavior of states and the ways for their implementation and if necessary to introduce changes to them or elaborate additional rules of behavior. In this context, I would draw your attention also to the guiding questions that I had circulated in my letter of 7 March 2022 to guide and facilitate discussions under this sub-item. Distinguished delegates, I would also like to inform you that as you know I had scheduled in the program of work. My intention to convene a virtual, Open-ended informal meeting open to all delegations and interested stakeholders. That will take place tomorrow, Thursday, but I have decided to make some changes to the timing in view of the constraints of time faced by the committee and the need for us to allocate some additional time to hear all the speakers given that there has already been considerable delay in terms of keeping with the different issues we need to address. So the virtual, Open-ended informal meeting will first of all be convened by the chair of the working group under the chairs own authority. It will be open to all delegations and interested stakeholders. It is not a formal meeting of the Open-ended Working Group. Secondly, the timing of the meeting initially scheduled for 3 to 6pm will now be held from 1:30pm to 4pm and we will come back to the meeting room here after the virtual, Open-ended informal meeting to continue with the list of speakers for the various sub-items. I wanted to keep all delegations informed of this slight change. And a letter will also be sent to all stakeholders about this change. And I look forward to all your participation tomorrow at the virtual, Open-ended informal meeting which will be on the thematic topic of capacity building, and how we can foster partnership between the stakeholder community and governments in the area of capacity building. Now with these opening words I’d like to now suspend the meeting so that we can proceed in an informal mode to continue with the list of speakers or rather to continue with the discussion on agenda item five. And I’d like to open the floor to speakers on this sub-item on rules, norms, and principles. The meeting is suspended. And we will now continue our work in informal mode as a working group. I give now the floor to Australia. Please.


Thank you very much Chair. And thank you colleagues. I would like to use my time this morning to talk to you about an initiative that Australia believes advances our implementation of the norms and adds an additional layer of understanding to the norms that was elaborated in the 2021 GGE report, and can provide a basis for concrete practical steps that this OEWG can take towards implementation. I would like to take the opportunity to talk a little bit more fulsomely about the background and the purpose of the National Survey of implementation of United Nations recommendations on responsible use of ICTs by states in the context of international security. And I’m not going to use the full title again, I’m just going to call it the survey. The framework for responsible state behavior in cyberspace that forms the foundation of our work was developed through the cumulative reports of the 2010, 2013, 2015 and 2021 GGEs and the 2021 OEWG, and it is clear that the international community expects countries to act consistently with the commitments that we have made to the framework of responsible state behavior. A core part of implementing the norms is not only sharing understanding of how to implement the recommendations, but also to self assess our actions that each of us have taken towards implementation, and what actions are still required to implement fully. In the previous OEWG, Mexico, Australia and other states identified a gap. We were lacking a simple way for states to self assess their progress against implementation of the framework and of the norms in particular. Together, Argentina, Australia, Canada, Chile, Denmark, Estonia, France, Indonesia, Kenya, Mexico, the Netherlands, New Zealand, Pacific Island Forum member states, Poland and South Africa collectively put forward a proposal for a survey. Recalling that the General Assembly resolution 70/237 called on all member states to be guided in their use of ICTs by the 2015 GGE report. The survey asks member states to take stock of the steps that we’ve taken to implement the recommendations listed in that report, as expanded upon in the 2021 GGE and OEWG reports and to identify barriers to implementation or specific gaps in capacity that limit implementation. The survey was drafted impartially drawing directly on the 2015 GGE report, which all countries have endorsed by consensus, and the current version also draws directly from the 2021 OEWG and GGE reports also endorsed by consensus by the General Assembly. We then worked with you all to develop recommendations in the 2021 GGE and OEWG reports towards adopting this survey. And this work was recognized in those reports of those groups, which recommended at paragraph 30 and 65 of the OEWG report and 21 and 89H  of the GGE report that states on a voluntary basis survey their national efforts to implement norms, develop and share experiences and good practice on norms implementation and to compile and streamline the information they present using tools like the survey, and it encouraged states to use the voluntary survey of national implementation as a means to assess their own priorities, needs and resources and to share information on lessons learned to further strengthen international cooperation and assistance in ICT security and capacity building. The structure of the survey is very simple in itself. One by one it goes through each recommendation in our acquis and it asks a small set of questions about each recommendation. So for example, for each norm, the text of the norm is set out, along with relevant extracts from the consensus reports to provide context. The survey then asks whether your government has taken action consistent with this norm, and if so whether you can provide further details of specific measures, public documents, websites, statements, etc. And whether you have identified any challenges that inhibit the implementation of this norm. These sorts of challenges can include things like: political barriers, for example if the issue is not considered a priority on the political agenda; structural or organizational barriers, for example if it’s unclear about the lines of responsibility or ownership of this issue; personnel barriers (not having sufficient human resources); knowledge barriers; or financial barriers; or many other barriers that could be identified. A similar structure is applied to all of our consensus recommendations on international law, norms, CBM and capacity building. The survey therefore provides a template a very simple, voluntary, easily followed and objective drafted step by step process for states to self-assess their progress towards implementation. But the survey doesn’t stop at self assessment. Countries are encouraged on a voluntary basis to share their responses to the survey, including through our voluntary annual reporting to the Secretary General. Our 2021 resolution and the previous resolutions all encouragement states to continue to inform the Secretary General of our views on international law, norms, CBMs and capacity building in the context of international security in cyberspace and I believe this inputs due to the ODA in May. Sharing responses to this survey serves a number of purposes. It collects the national take up of UN recommendations, with a view to assisting assessment of their further development and implementation. It allows regional organizations and others to conduct analysis of the responses to the survey to help develop targeted capacity building programs to address challenges to implementation or gaps that are identified, providing an evidence base that has been provided by the state itself of the particular needs of the state. It also provides a basis for mandate, for which we can right now begin working on a global point of contacts directory. This is because the survey has been recommended by the GGE and OEWG reports. And those recommendations have been endorsed by the General Assembly. And the survey as recommended, asks countries how they’ve implemented the recommendations of the framework. And that includes recommendations under Confidence Building Measures to develop a global point of contacts directory. And this is found in paragraph 16A of the 2015 GGE report, and paragraph 51 of the 2021 OEWG report, and 76 and 77 of the 2021 GGE report. So why you might be asking, am I talking about this survey today, when it has been developed and adopted over a year ago and included as a recommendation for states in both of our reports coming out last year and that’s because we also know that a tool that is buried in a document in the depths of a UN website, with absolutely no offense meant to the UN documents system, is unlikely to garner the uptake and the day to day use which is required for the survey’s value and usefulness to be most apparent. Instead, Australia has been working very closely with UNIDIR to provide a user friendly, easily accessible online platform for the survey, which is access through the UNIDR Cyber Policy Portal that states can easily use to self assess their progress towards the implementation. And I very much look forward to UNIDIR’s presentation tomorrow. And in the meantime, recommend all of those who have not looked at the UNIDIR’s Cyber Policy Portal to take a look at it. It’s a fantastic tool and very well designed. The survey will therefore be online. It will be easily accessible and it will be able to have the responses, if countries so wish, directly added to their entry on the Cyber Policy Portal. At lunchtime today UNIDIR will be presenting the online survey tool and providing an overview and a demonstration of it, including the collation of the global point of contacts directory through the survey. The survey is not an end in itself. It’s a tool to help all of us determine for ourselves how we implement the norms, and the other pillars of our framework. It is also improved when we do what we all say we want to do – that is to share information, to share our best practices, to share our priorities and the gaps we’ve identified in our implementation. And it’s a way to collect reliable and valuable evidence for our future work to make progress towards further development and further implementation. Australia therefore proposes that this OEWG recommend that states on a voluntary basis use the survey to self assess national take up of the recommendations of the 2015 and 2021 reports, that states on a voluntary basis use the survey to provide information about dedicated points of contact at the policy, diplomatic and technical level to be compiled as a point of context directory. That we request member states to encourage regional organizations and other stakeholders to conduct analysis on the responses to the survey with a view to developing targeted capacity building programs, which address challenges to implementation or gaps in capacity so identified, and note that the survey may be expanded or updated in the event that the General Assembly, by consensus, endorses or calls upon member states to implement the recommendations or report of this OEWG or any other recommendation, a UN mechanism or body mandated to study existing and potential threats in the sphere of information security, and possible cooperative measures to address them, and also to encourage the development of capacity building programs in accordance with national priorities and policies as defined by member states with a view to assist member states to complete the survey upon their request. Chair, colleagues before I conclude, I just want to very briefly call attention to a report that was released last week by the Australian Strategic Policy Institute on the norms of responsible state behavior and their implementation in ASEAN. This report is the outcome of a very long multi-year cyber capacity building project that was initiated by ASPI in partnership with the UK Foreign Commonwealth and Development Office, and Australia Cyber and Critical Tech Cooperation Program. And it was created following the 2018 decision by the ASEAN ministers to subscribe in principle to the 11 norms and to focus on regional capacity building to implement these norms. The report offers some practical advice on how governments can demonstrate implementation of the norms and as part of the project, including trying to make the norms a little bit more accessible for us all to understand and recall, this included translation into the 11 ASEAN languages. And it also provided a very handy resource for us all to remember at our fingertips what the norms are. So if anyone would like one of these ASPI bookmarks, please come and take one it’s very helpful to have the norms at your fingertips. I thank you Chair.

Ambassador Gafoor  

Thank you very much, Australia for that statement. Certainly I would like one of that cards that you have prepared. I think it’s good for all of us to keep it handy. I give now the floor to the European Union to be followed by The Netherlands. EU please.

European Union

Thank you very much, Mr. Chair for allowing me the floor. I have the honor to speak on behalf of the EU and its member states, the candidate countries North Macedonia, Montenegro and Albania, the country of the stabilisation and association process and potential candidate Bosnia and Herzegovina as well as Ukraine, the Republic of Moldova, Georgia and San Marino align themselves with this statement. Being derived from international law, norms, rules and principles of responsible state behavior are key to maintaining international security and stability in cyberspace. Enhancing our common understanding about these norms, rules and principles and advancing the implementation should be of core to our common efforts. The Open-ended Working Group is not the first attempt by UN member states to consolidate common rules for cyberspace. Six consecutive UN Groups of Governmental Experts met between 1997 and 2021. The most notable developments stemming from the UNGGE process was the adoption of consensus reports in 2010, 2013, 2015 and 2021, and they outline and reaffirm a set of foundational norms of responsible state behavior in cyberspace and reaffirm that international law, including international humanitarian law and human rights law apply to cyberspace. These developments serve as a basis for our subsequent discussions, including those at the Open-ended Working Group today. In this regard also the first Open-ended Working Group has elaborated on and strengthened the 11 norms of responsible state behavior, in particular by enhancing the understanding of the implications of these norms. Our continuous exchanges today should clarify our expectations on these norms and should present best practices of putting them in use. In this light, let me highlight some of these expectations. For instance, with regard to the norm 13F from the UNGGE 2015 report, reading that a state should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public. A norm that is important to the functioning of all our critical infrastructure, certainly in light of the risk of spillover if just one of us is attacked. Contrary to the expectation set Russia, who has been at the core of the development of this framework and is a permanent member of the UN Security Council, has attempted to interfere in Ukrainian elections, targeted its power grid, defaces government websites and spread malware in their systems with destructive effect, behavior that is seriously violating these norms. Also norm 13C of the UNGGE 2015 report states that states should not knowingly allow their territory to be used for internationally wrongful acts using ICT. What is expected there is that states act in line with their obligations under international law and perform due diligence, including by preventing their territory to be used by cybercriminals as well as prosecuting them. And states are in this regard expected to build a solid cybersecurity framework with a cybersecurity strategy and legislation at its core, providing measures to boost the overall level of cybersecurity and prevent cyber attacks from taking place. The EU has stepped up its efforts to adhere to the UN framework, including through the directive on security of network and information systems, as well as increasing inter-institutional and inter-EU cooperation to enhance coordination of cybersecurity crisis management. Most recently, also in light of Russia’s aggression against Ukraine in cyberspace, we have issued a set of cybersecurity best practices, and encouraged all public and private sector organizations in the EU to apply these practices to improve their cyber resilience and prevent cyber attacks from happening. To achieve these results and address the urgent needs for the security and stability in cyberspace the EU and its member states believe that our discussions in the Open-ended Working Group should urgently invest in exchanging best practices on the implementation of the recommendations provided, and to contribute to the National Survey of implementation of the UN General Assembly resolution 70/237 in this regard. We should also invest in enhancing the practical capabilities of all states in the area of implementation of norms, and the EU and its member states are ready to continue to elaborate on the implementation of the EU cybersecurity strategy addressing these norms, and our experience through capacity building programs to share on the implementation of the UN framework for responsible state behavior in cyberspace, as well as on improving overall global resilience and incident response capabilities. We look forward to work with states and other stakeholders to take forward these particular efforts, including through the establishment of a Program of Action as a permanent and inclusive platform in the United Nations to concretely cooperate on capacity building as regards the implementation of norms of responsible state behavior. Thank you very much chair for offering us the opportunity to elaborate on that later this week.

Ambassador Gafoor  

Thank you for the statement. I give now the floor to Netherlands to be followed by Egypt. Netherlands please.

The Netherlands  

Dear Chair. Good morning, colleagues. Chair thank you for the useful narrative summary and guiding questions on the topic of norms. I will try to build on them and be as specific as possible. But before I do so, I would like to reiterate three points that are of particular importance to my country. Firstly, The Netherlands considers the norms to be complementary to international law. They provide additional specific guidance on what constitutes responsible state behavior in the use of ICTs. Secondly, that adherence to the norms also helps to protect citizens. They help ensure that everyone can enjoy the benefits of the digital world in a secure way, while knowing that their human rights and fundamental freedoms are protected. Thirdly, that the norms are under significant pressure in the context of Russia’s illegal invasion of Ukraine. We see continued reports of malicious cyber activities targeting Ukrainian government services, banks and infrastructure. On the day the invasion began, one of these operations disrupted satellite internet connections in Ukraine and beyond. Russia’s continued crackdown against social media platforms and other outlets in Russia is an infringement on the agreed norm on the promotion, protection and enjoyment of human rights on the internet, particularly the right of freedom, the right to freedom of expression. This is an important test case for the norms we have agreed by consensus, they must be respected. Chair, the Netherlands has consistently advocated for the protection of critical infrastructure under the 11 norms of responsible state behavior. Allow me to zoom in on a key example of critical infrastructure recognized in both the GGE and Open-ended Working Group reports: the technical infrastructure essential to the general availability or integrity of the internet, or the public core of the internet. This mainly includes the physical, technical and logical infrastructure of the internet. In line with Norm 13F, the use and operation of such infrastructure should not be impaired. We view this as key pre-requisite for the internet to thrive as a catalyst for social and economic development. For The Netherlands, safeguarding the public core includes respecting its multistakeholder governance model, and preventing the introduction of standards and protocols that would undermine the open and interoperable nature of the internet. In this context, and in reaction to what was suggested yesterday, I would like to highlight that the role of multistakeholder organizations like ICANN, and regional internet registries is to ensure the technical coordination of the internet, and work to uphold a single global and interoperable internet that continues to operate at all times, and is accessible to all. And this has been and should continue to be the practice since the worldwide internet became available globally in the 90’s. Furthermore, I would like to stress that states should refrain at all times from cutting off entities from this infrastructure, for example, as a way of imposing sanctions. Chair allow me to highlight a few ways in which the Open-ended Working Group can enhance the implementation of the norms. We believe it is important for the Open-ended Working Group to recommend states to put in place mechanisms to coordinate between the CERTs and the diplomatic community, both nationally as well as regionally or globally. This will allow states to assess the diplomatic ramification of ICT incidents and exchange information with other states in this regard. Regional organizations could play an important role in facilitating such communications. I would also like to emphasize the importance of developing coordinated vulnerability disclosure policies. Such policies help prevent the exploitation of such vulnerabilities for potential irresponsible uses, and help curb their commercial distribution. As we have mentioned in December, to facilitate the implementation of the norms, the Netherlands see an important role for a future Program of Action or POA. In addition, the national survey of implementation that will be launched this week, would be a helpful starting point for states to identify their priorities and needs to implement the UN framework for responsible state behavior. And we support the points made by Australia on this and thank them and Mexico for taking the lead on this. Thank you, Chair.

Ambassador Gafoor  

Thank you for the statement. I give now the floor to Egypt to be followed by the Russian Federation. Egypt, please.


Thank you, Mr. Chair. I’d like to highlight the following remarks on our national capacity regarding the rules, norms and principles agenda item. Mr. Chair while the voluntary non binding norms of responsible state behavior on cyberspace can reduce risks to international peace and security in the short term. However, the meantime proved the urgent need to step up international efforts to develop rules of ICT security consistent with international law in order to sustain an open, secure, stable and peaceful ICT environment in the long term. In this context it might be possible to develop a compilation document to include the agreed norms and recommendations in all relevant processes, GGEs and the last OEWG, with a focus on identifying the gaps and overlaps as well as developing binding rules that take into account the complexity and unique attributes of ICTs as well as differentiated capacities of member states. These rules should set standards for responsible state behavior and prevent conflicts in the ICT environment, while avoiding any endure restrictions on the peaceful uses of ICTs or hampering international cooperation or technology transfer. It would also contribute to enhance the cooperation and trust not only between governments, but also with private sector. Addressing the implementation issue reflected in the guiding questions under this agenda item we wish to highlight that Egypt and France along with other 52 co-sponsors suggested to establish a Program of Action (POA) on the cybersecurity issues, which might help with OEWG to monitor and facilitate the implementation of agreed norms discuss emerging challenges, as well as facilitating the implementation through the coordination of a voluntary national reporting mechanism. In this context, I would like to value the national survey reporting mechanism tool highlighted by the Australian delegation, which could play a prominent role to push forward the national efforts with regards to cybersecurity. With regards to the question on regional initiatives the OEWG might consider expanding it is important to highlight that the Arab League and China have signed a Data Security Cooperation Initiative focusing on fostering an open, fair and non discriminatory business environment for mutual benefits and common development. At the same time, state parties in cooperation with private sector have the responsibility and the right to ensure that security of important data and personal information bearing on their international security, public security, economic security and social security, which would be a prominent also opportunity that the OEWG might consider to expand and benefit from. Thank you, Mr. Chair.

Ambassador Gafoor  

Thank you for the statement, Russian Federation to be followed by the United States. Russian Federation please.


Thank you, distinguished Chair. Distinguished colleagues, the further development of rules, norms and principles of responsible behavior of states in the information space is a priority of our joint work, which is clearly stated in the OEWG mandate. The first group did a lot of work on this issue and we would like to remind you that in accordance with the consensual recommendation in the 2021 OEWG report we should continue discussing the entire range of state proposals included in the chairs summary. The Russian delegation is going to present a detailed written contribution on the sub item. At the same time, I would also like to share with you the main points of my country’s position. In our view, the initial list of international rules for responsible state behavior enshrined in UNGA Resolution 73/27 is very important, however it is not exhaustive and it needs to be broadened further. While the ICT sphere is unregulated on the whole, states do not have the necessary guidance for relevant activities. Yesterday our discussion on challenges and threats only confirms this fact further. Specifically, we suggest enhancing the initial list with the following rules. One, claims that some ICT activity was launched or arises from the territory of a particular state are not sufficient to attribute this activity to a state. Any accusations made against states must be proven and substantiated by undisputable technical facts. Yes, they must be substantiated. The existing rules of behavior of states cannot serve as the basis for unproven accusations and illegal sanctions. They cannot be used for assessing conformity with standards which have not been internationally agreed. In this context, I would like to note that all delegations which are making hostile statements towards Russia, these hostile statements by the way are completely unfounded, these delegations are violating the agreed upon norms. Number two, states should not use ICT information and communication networks, mass media and transnational media companies in order to carry out hostile information campaigns to interfere in the internal affairs of other states and undermine their political, economic and social stability. Three, states should counter the use of ICTs for spreading information of a terrorist, separatist or extremist nature or any information that incites national, racial or religious hatred. Four, states that dominate the sphere of Information Technology, should not use their position to deprive other states of control over ICT products and services or to create threats to their political, economic and social security. Five, all states should play an equal role in international internet governance and bear equal responsibility for internet governance. Six, states should resolve any dispute which can arise from their ICT activities by means of peaceful settlement procedures – it is necessary to refrain from the use of military force or threat of force. We find it extremely important not simply to broaden the list of rules of responsible behavior, but also to work on increasing their status. The updated list of norms developed by the entire international community within the OEWG framework could serve as the basis and become the group’s constructive contribution to a universal international legal act that would regulate the activities of states in ICTs. We are suggesting developing a UN Convention on International Information Security. This document should guarantee the establishment of a global system in this sphere. The document should list the main challenges and threats to international peace and security in information space, a system of measures to counter these challenges and threats based on universally accepted principles and norms of international law as well as Confidence Building Measures. The document should provide for the possibility of broad cooperation between parties for the exchange of best practices and consultative and technical assistance. As the basis for such we are ready to present the concept for the relevant convention. As for the chairs suggestion to change the format of our meetings, which has been proposed by relevant stakeholders, we are ready to adopt a positive attitude to this. We believe that such an informal meeting will allow us to launch practical cooperation with NGOs to better understand how to hold a a political dialogue, not politicized dialogue, with stakeholders and it can help ensure safety and security in information technology. We believe that how the meeting will go tomorrow will also affect our decision on modalities on stakeholder participation. Thank you.

Ambassador Gafoor  

Thank you for the statement, United States to be followed by Canada. US please.

United States  

Thank you Chair. Good morning colleagues. 2021 was a culminating year for the framework of responsible state behavior in cyberspace. The GGE and OEWGs both produced robust reports and all UN member states committed to be guided by those reports. This consensus by UN member states represent a global political commitment to the framework. Over the course of two decades of negotiations states recognized that existing international law provides a sufficient legal framework for state behavior in cyberspace. States also concluded that non-binding, voluntary peacetime norms of state behavior and CBMs complement international law and complete the framework for responsible state behavior. The framework set of voluntary peace time norms in particular have captured the international community’s attention. These non-legally-binding norms serve to define a standard of conduct and when widely followed, they can enhance cyber stability. Since the norms were first adopted and affirmed by consensus in UNGA in 2015, we have sought to deepen understanding of their purpose and encourage states to adhere to them not just by supporting a resolution but in their actions. The 2021 GGE report in particular provides meaningful new guidance on each of the existing norms. It has served us well to build on existing consensus and principles, while deepening our shared understanding of that consensus. As we confront new and emerging threats our existing norms can provide guidance. These norms were designed to be technology neutral, broadly applicable and flexible, and have so far proven to be sufficiently comprehensive to address emerging challenges. For example, recent concerns about election related threats and threats to healthcare systems lead the 2021 GGE to acknowledge that states may consider such systems as critical infrastructure, and therefore relevant to several GGE norms that address protections for critical infrastructure. Similarly, the relatively recent issue of ransomware incidents affecting critical infrastructure in a manner that could impact national security may be addressed, in part through cooperation among states to address criminal use of ICTs as well as assistance in mitigating malicious ICT activity aimed at critical infrastructure. Related concerns about some states wittingly or unwittingly serving as safe havens for criminal actors may be addressed through reference to the existing norm admonishing states not to knowingly let their territories be used for internationally wrongful acts. However, there is room for the OEWG to provide more guidance on some of the norms. The 2021 OEWG report is silent on the topic of attribution, which is addressed in norm 13 B. In our view, the OEWG should provide additional guidance on this important topic. Starting with acknowledging that states may choose to publicly attribute state sponsored malicious cyber activity or to share attribution conclusions through bilateral or multilateral channels. The group could also acknowledge that publicly attributing state sponsored malicious cyber activities can shape expectations about what will not be tolerated and help build international consensus. We would also see a value in acknowledging that when a state is in a position to attribute a particular cyber incident as an internationally wrongful act to another state, the victim state has all of the rights and remedies against the responsible state permitted to it under international law. The OEWG could also consider how capacity building could improve states’ ability to attribute ICT incidents accurately. In addition, we believe the OEWG needs to address the urgent issue of internet freedom. This issue has taken on new relevance this year as we have seen numerous reports of internet outages in Ukraine, as Russia is engaging in its illegal war, which limits the people of Ukraine’s ability to receive and impart vital information. In addition, Russia’s censorship agency has blocked major social media platforms and news sites and restricted access in Russia to international news outlets in order to mislead the Russian people and the world about what it’s doing in Ukraine. Any further actions by Russia to shut off internet access or to block international platforms will only further deny the Russian people access to information, show that Russia is doubling down on authoritarianism and repression domestically, and isolate Russia internationally. These repressive actions impede or prevent people from exercising freedoms of expression, peaceful assembly, and association online. Such measures also disrupt access to essential services, such as health care, and emergency services. The United States believes that the OEWG should call upon governments worldwide to refrain from adopting or implementing laws and policies that may negatively affect the enjoyment of human rights online, including through internet shutdowns. Blocking or degrading access to internet resources, cuts off connectivity for citizens, civil society, and human rights defenders in Ukraine, severing critical channels for sharing and learning information about the conflict online. Thank you, Chair.

Ambassador Gafoor  

Thank you for the statement I give now on the floor to Canada to be followed by Belarus. Canada please.


Thank you chair. I will start with some general remarks on norms, and then I will seek to answer some of your guiding questions. So first my general remarks, which also actually answer the last of your guiding questions. As others have said today, Canada strongly supports the framework for responsible state behavior in cyberspace. This framework includes several key components, including the voluntary norms of state behavior that we are discussing here today. As others have mentioned, these norms were reaffirmed by the international community in the 2021 reports of both the GGE and OEWG. As my US colleagues just mentioned, the 2021 GGE report also provided some guidance on the implementation of these 11 non binding norms. Let me be clear, for Canada there is no need for new norms. We believe that existing norms are sufficient to guide state behavior in this space. I would respectfully disagree with my Russian colleague on the need for new rules or for a binding instruments. Rather than seek to develop new norms, or a binding instrument, Canada believes that we should focus on implementing the agreed norms in a human-centric way, while also taking into account issues such as gender. From our perspective, the issue now is not a lack of norms, but rather the disrespect of norms by some states, including by Russia in Ukraine, where Russian cyber operations routinely violate the existing agreed norms. I outlined our more detailed thinking on this yesterday during the threat section. And I would also associate with the remarks made this morning by my colleagues from The Netherlands and the European Union, who eloquently explains how the norms are being violated. Turning to an issue that my Australian colleagues mentione, Canada has always been a very strong supporter of the survey proposal and we are extremely pleased that it is now coming to fruition. We believe that this proposal may also help states to implement the norms. Back at the previous OEWG, I had the pleasure of drafting a very long statement on how Canada has implemented the norms. It is available on the old OEWG portal, I believe a few others had done so as well. There was only a handful of us but I think now the survey proposal will help a much broader range of states outline their views and also how they have implemented the existing agreed norms. In so doing, this will provide an example to others of states who have had a chance to provide their submissions and will hopefully help others develop ideas on how they could do so as well. Those were my general remarks, I will now turn quickly to answering some of your other guiding questions chair. The first one was about proposals to facilitate the implementation of the norms and national and regional initiatives, which the OEWG can consider expanding on. Regional organizations such as the ARF, OAS and OSCE have played a key role in encouraging member states to implement the norms. Several of these have explicitly endorsed the 2015 GGE norms. Others have held very useful discussions with states on how to implement them. We believe that this useful work should continue. We also believe that it might be useful for you to consider chair, doing what the last GGE did, and having consultations with regional organizations, which were very useful in ensuring proper coordination of the work of regional organizations and states in this regard. The last question that I’ll answer chair, was your question about gaps in the framework and how they would best be filled. I think I’ve answered that one in part already when I stated that Canada believes that the existing norms as well as international law are sufficient to guide state behavior in this space. As I mentioned, what is needed from our perspective is a implementation of the existing norms rather than new ones. And this brings me to my last point about the need the possible need for further guidance on this issue. As some of you may recall, at the last OEWG Canada tabled some norms guidance text which was consulted with many states also stakeholders. We received the support of approximately 40 states for that text, which was reflected in the chair’s summary of the previous OEWG. We are considering internally and having discussions with many of you about the usefulness of re-tabling an updated version of that text here at this OEWG. This guidance could elaborate on the role of non-state actors in implementing the norms. It could address human rights and gender aspects of norms implementation. And it could also address some of the excellent points that my US colleague just mentioned in her remarks. If we choose to proceed, that is if we feel that there is support in the room to do so, we would consult the private sector and stakeholders before re-tabling the text. So another key objective, moving on to previewing some of the remarks that will be made later in the week by Canada, will be building the capacity of states who have the will but not necessarily the capacity to implement the existing norms. My colleague will expand on that point during his remarks. And finally, some others have mentioned that possible role of the UN Program of Action. Canada is a co-sponsor of that excellent proposal put forward by France and Egypt. And my colleague will expand on how we view that the POA could also play a role in implementing the norms. Thank you.

Ambassador Gafoor  

Thank you for the statement. I give floor now to Belarus followed by India. Belarus, you have the floor.


Distinguished Chair, distinguished colleagues, given the importance of the information field in our lives and in the life of society, Belarus has taken a number of measures to ensure that we have a systematic approach to managing these kinds of processes. The main decision we made was in 2019, we adopted a conception for information security, which laid out our main policies with respect to ICTs. We are also constantly updating and changing our national legislation to keep up with the times in developing rules, norms and principles for responsible state behavior, and on their implementation, we believe it is important to do the following. To first ensure that the state’s position is also represented online. Two, establish that there are feedback channels. They would help the population address issues because their opinion would be taken into account and also the residents of the country would be involved in the decision making processes. Next, we need to more actively identify and stop extremist, fraudulent or other illegal behavior while also improving the populations information literacy. We need to consider ICT development, which can help improve people’s lives. We need to also improve the legal foundation on ICTs. As for regulations, we believe that we need to develop conceptual documents on ICT security, and expand existing documents. As for media, we need to provide additional information resources to create more high quality content that would be in demand. We need to fight fakes, leaks, other manipulations of public opinion, we need to build an information immunity in the population and develop rules for information hygiene. As for science, technology, and education, we need to emphasize projects on increasing information security. This would help build up regional digital infrastructure as well. We need to create smart platforms to identify contextual risks related to multimedia materials, pictures, videos, audio files, destructive information, for example, promoting suicide, gambling, narcotics etc. We need to identify communication risks which have to do with personal relations between internet users. So for example, cyber bullying, etc. Consumer risks that have to do with the abuse of consumer rights. For example, low quality counterfeit goods, loss, fraud that leads to loss of money and other digital assets. We need to address manipulation risks involving minors in dangerous groups, so called suicide groups, etc. We need to also improve the national legislation while taking into account information sovereignty – a state’s right to independently create as information policy to direct information flows to ensure information security free of external meddling. We also need to account for information neutrality, which means that the government should not interfere in the information sphere in other states. We also need to set up clear red lines to create a healthy national media sphere. We hope that we will have dialogue rather than confrontation on this issue, so that we can achieve constructive decisions and create a platform for problem solving and new opportunities. Thank you.

Ambassador Gafoor  

Thank you for the statement, I give now the floor to India to be followed by Korea. India, please.


Mr. Chair, the 11 voluntary non binding norms of responsible state behavior can reduce risks to international peace, security and stability and play an important role in increasing predictability and reducing risks of misperceptions, thus contributing to the prevention of conflict. With an increasing number of threats to critical infrastructure emanating from the use of disruptive ICT tools and ICT vulnerabilities, the norms provide a guiding part in ensuring stability and security in the use of ICTs. The norms in the existing form need a complementary framework to outline the mechanisms of cooperation, information exchange, trust building initiatives, sharing best practices to protect critical infrastructure and protect them from malicious ICT activity. The use of ICTs by non-state actors for terrorist and criminal purposes needs to be reported to the state that the malicious activity is directed to in order to take appropriate measures. The OEWG may further discuss the deep interconnected nature of the norms to build a comprehensive understanding of the essential elements of cooperation between member states. Cooperation between member states in areas of sharing latest vulnerabilities and their remedies in ICT dependent infrastructure. The integrity of supply chains is of utmost importance to build trust and confidence at the end user level in the ICT environment. Mr Chair. Excuse me, I’m having problems in my computer. Mr. Chair, Confidence Building Measures and capacity building are the two key areas that can encourage member states to cooperate with each other in practical ways. The OEWG can discuss the initiatives to enhance capacities of the member states that enable them to be prepared for taking appropriate measures whenever information of malicious activity of ICT supply chain vulnerabilities are reported. This working group must consider building an additional layer of understanding on the existing norms, rules and principles that form the basis for responsible behavior of states and may develop additional norms, rules and principles on need basis. For adoption of a normative framework it is necessary for the OEWG to discuss the basic mechanisms for information exchange, sharing best practices and enhancement of capabilities of computer emergency response teams at national level. Mr. Chair in the GGE and OEWG final reports it was mentioned that states were called upon to avoid and refrain from the use of ICTs not in line with the norms of responsible state behavior. While the use of ICTs by non-state actors for terrorists and criminal purposes itself is a threat that can result in significant risks to critical infrastructure, the state’s use of harmful ICT activities may pose significant risks to international security, peace and stability. The use of cloud ICT infrastructure for such harmful practices by a member state targeting other member state causes transnational conflicts, undermining international peace and security, trust and stability between states and may increase the likelihood of future conflicts between states. The OEWG needs to discuss the fine elements incorporated in each of the 11 voluntary non binding norms for realizing the potential they offer to member states through cooperation and dialogue in ensuring stability of ICT dependent infrastructure. Thank you, Mr. Chair.

Ambassador Gafoor  

Thank you for the statement. Republic of Korea, followed by Vietnam. Please.


Thank you chair. Let me address the third guiding question first: how can we feel any gaps in the framework? I’d like to first mentioned the process of norm making. The current 11 agreed norms were made by independent experts and then later endorsed by the General Assembly. In terms of rulemaking in the area of both technical and political nature, I found this process to be most appropriate. For that very reason, however, we have to ask whether this OEWG setting can make comparable achievement. Furthermore, we are aware that the last GGE failed to make further progress. So our advice is prudence against the creation of new norms unless we face a manifested gap and compelling reason to fill such a gap. Thus, the priority should be placed on implementation and then clarification of the 11 norms. This leads me to guiding question four: are there any rules, norms and principles which can currently be further elaborated in any specific way? When reviewing the current norms my delegation tries to put one question in mind: whether and to what extent the norm is useful and effective in protecting any potential or real victim state, many of which are exposed but less equipped with technical capacity. In other words, how the afflicted states can make use of this norm in seeking cooperation from other states. My delegation would like to suggest in this regard that the current agreed framework can be elaborated in a way that an affected state can take procedure steps to seek cooperation, and other states have such a cooperation. We thus support the Canada’s initiative of developing a guidance on norms implementation in this direction. Many of our agreed norms are pertinent to the so called due diligence. The Republic of Korea has proposed a set of steps to take in case a state finds itself a target or victim of cyber attacks. We are willing to suggest and discuss the details of such a procedural approach. In this regard, my delegation wishes to underline that this duty of due diligence is getting increasingly important in both preventing and responding to cyber incidents. Sovereignty has another side of coin, the duty not to allow it to be used for harming another’s self sovereignty. Turning now to the first guiding question with regard to the specific action we can take, my delegation believes that wider participation of the National Survey of implementation, as Australia laid out this morning, would be the first step in the right direction as a basis of knowledge and also it can serve as a tool for internal checking. We also support the exchange of national implementation of the agreed normative framework, Korea found the entire experience of internally drawing up the implementation paper to be instructive and helpful in terms of coordinating and integrating relevant agencies under this normative framework. On a broader perspective, I believe we can get some cues and ideas for instance from international civil aviation, such as the information sharing system among governments and industry, the way standards and recommended practices are distinguished, and the mechanism of helping states better comply with those norms with practical and procedural guidance in order to enhance the safety and security of navigation. One obvious caveat would be that the traditional this triangular roles of governments to regulate industry to be regulated, and consumers to be protected are not clear cut in cyberspace. In this sense too multistakeholder participation is critical for our efforts. Lastly, my delegation agrees with the Chair’s approach that the OEWG does not have to wait until the end to forward some progress. We can operationalize what we can do at this stage and build momentum. The proposals of national survey and a repository of national implementation and norms guidance, I believe, are those we can begin doing at an early stage. Thank you.

Ambassador Gafoor  

Thank you for the statement, Vietnam to be followed by Indonesia. Thank


Thank you, Mr. Chair. Mr. Chair, Vietnam aligns itself with the statement of ASEAN to be delivered by the distinguished representative of Cambodia, and the statement of the Non-Aligned Movement delivered by the distinguished representative of Indonesia. As this is the first time that Vietnam makes a statement at this substantive session, let me reaffirm our full support for you Mr. Chair throughout this important process. We highly appreciate your efforts in convening and steering the work of the session. We understand that the working group will proceed with the question on each semantic issue. In the interest of time, however, allow me to touch up on various aspects on the discussion. Mr. Chair, Vietnam shares the view that the emerging and potential threats emanating from the harmful use of ICTs in cyberspace are becoming more and more complex endeavors. Cyber attacks have been increasingly more forthcoming with the availability of more sophisticated tools and measures. They are posing more challenges in economic, political and security fields. With multiple dangerous purposes. The fragilities of states, entities and individuals to the threats from digital space continue to deteriorate while their cybersecurity readiness has not been timely improved. It is of utmost importance to ensure the security of Critical Information Infrastructure as a number of speakers emphasized earlier. Regarding the new rules, norms and principles of responsible behavior of states. Vietnam acknowledges the outcomes of the GGE report of 2015 and the OEWG report of 2021, which were endorsed by the General Assembly. The norms mentioned in this report contribute to the formulation of a future framework to regulate behavior in cyberspace, including that of state and non state actors. In Southeast Asia, ASEAN members have put forth practical measures, which promote member state capacity in response to cyber threats, including implementation of the 11 norms outlined in the GGE report of 2015. In this regard, it is our hope that member states continue to discuss constructively to develop more effective measures to regulate the state behavior in cyberspace. This should be undertaken within a regular institutional dialogue under the auspices of the UN. This OEWG plays an important role towards this end. Relevant initiatives should be complementary to each other. My delegation looks forward to further details regarding new proposals. Pending further progress in the development of rules and norms regarding this issue, we are of the view that international law applies to the use of ICTs by states. All cyberspace activities need to be conducted in accordance with the fund open mouthed principles of the UN charter and international law. This includes respect for national independence, sovereignty, non-interference in internal affairs, non-use of force and peaceful settlement of disputes. This our expectation that in the long term member state will discuss constructively to develop an international framework of rules and norms to regulate all activities in the ICT environment, in line with international law, so that we can collectively address cyberspace issues. In the meantime, all states should observe widely acknowledged norms, including those developed within the GGE process. At the same time, Vietnam believes that confident buildings measures plays an important role in ensuring the security of and in the use of ICT technologies. Such measures may include exchanges of views on relevant experience and best practices in implementing CBMs at the national and regional level. In Southeast Asia, ASEAN regularly organizes the ASEAN Regional Forum intersessional meetings on ICTs and security in the ASEAN Defence Minister meeting plus experts working group on cybersecurity. The group has developed a number of joint products including the combined glossary of cyber terminologies and the points of contact and technical personnel directory, and conducted tabletop exercises. Besides, ASEAN developed ASEAN Computer Emergency Response Teams with various regional activities. In pursuing all such aims, Vietnam believes that capacity building is critical, especially for developing countries. We would also like to reiterate the principles regarding capacity building agreed upon by the last OEWG and the outline in paragraph 56 of its 2021 report. Vietnam calls for continued efforts by states and international organizations toward this end. Mr. Chair, over the past few years the COVID-19 pandemic has laid bare our increasing dependence on digital technologies. Our development relies on technologies, but at the same time the more dependent, the more vulnerable we are to cyber attacks. It is therefore high time for us to redouble efforts to secure our cyberspace through responsible behavior and compliance with international law. We hope that the working group can come up with concrete outcomes in this regard. Given our ongoing international challenges, it is in our interest to focus on the substantive issues on the agenda. In conclusion, Vietnam reaffirms its commitment to engaging constructively in the discussion of the OEWG towards an open, secure, accessible and peaceful ICT environment for the common interests of the international community. Thank you, Mr. Chair.

Ambassador Gafoor  

Thank you for the statement. I give the floor now to Indonesia to be followed by Kenya. Indonesia, please.


Thank you chair on behalf of the Non-Aligned Movement, while we call that during the 2019 and 2021 OEWG NAM had put forward language suggestion on the rules, norms and principles of responsible state behavior. The suggestion is enlisted on the specific language proposal contained in the annex of the chair summary. So as stated in the paragraph 80 of the final substantive report, we hope that this proposal could be further considered in future UN process, including the current OEWG. Chair, on Indonesian national capacity, we wish to reiterate the important role of this forum to maintain its consistent efforts in promoting the role of existing norms on cyberspace considering that there are many challenges faced by multiple states on the aspect of awareness and implementation. We emphasize on the importance of the OEWG to develop guidance on the implementation of cyber norms referring to the various layers of understanding which was adopted by the UNGGE in their 2019 report. We are of the view that the OEWG can utilize specific indicator or parameter to measure the level of effectiveness of cyber norms implementation by using voluntary national survey. We believe that the implementation of norms at the technical and non governmental level should also extend beyond government efforts. We need to explore various experiences and take stock of inputs of other stakeholders in this regard. Strong commitment and adequate capacity of states, again Chair, are required as the enabler for the successful efforts by the OEWG in the implementation of existing norms. Mr. Chair, I want also to reiterate the importance the role and experience of regional and sub regional organization and other international forums in supporting efforts related to norms implementation. Allow me to share also the information related to the workshop on the norms implementation within the framework of ASEAN Regional Forum intersessional meeting on ICT security, which was held virtually from 9 to 10 March 2022, hosted by co-chairs Indonesia and Australia. The workshop provides an opportunity to exchange the best practices and share experiences of all participants on norms implementation, including with other stakeholders from think tanks and private sectors. The workshop also successfully identify challenges, such as the importance to raise our state awareness on existing norms as well as state capacity for the implementation of the norms. Chair, we encourage states to advance their efforts within their respective regions in this regard. Thank you, Chair.

Ambassador Gafoor  

Thank you for the statement. Kenya to be followed by China. Kenya please


Thank you, Mr. Chair. Kenya has made significant steps towards implementation of rules, norms and principles as guided by the earlier process of the Open-ended Working Group and GGE and our national priorities. We know that states are at different capability levels when it comes to norm formulation, implementation and enforcement. We also recognize the need to implement and operationalize the agreed framework while noting the importance of differentiated guidelines on the enforcement of norms. Further discussions of additional norms, if any, could be considered, but the process should not delay the implementation of the existing agreed framework. There is indeed room to build further understanding on the non-binding norms and the responsibility of states in their implementation. Specifically, on the issue of what constitutes critical infrastructure, and how better to navigate the challenge of attribution and obligations of states to ensure proper use of ICTs. Kenya proposes the setting up of special working groups seeking recommendations to explore specific ways of operationalizing norms that may be considered as a means to facilitate implementation of their agreed normative framework. Kenya would support the setting up of the repository, through which nations can share their understanding, best practices, implementation and applicability of agreed rules, norms, principles and international laws within their specific context of cybersecurity. Kenya also notes the usefulness of agreed procedures for incident notification and coordination of national points of contact. These processes should be accompanied by templates and standard operating procedures for timely notification and acknowledgement. We believe the Open-ended Working Group inclusive mechanism is well placed to offer a platform where states and other regional stakeholders can exchange views on good practices on norms implementation and how they already agreed normative framework applies. The international community should rally around efforts and practical mechanisms that will address any act that knowingly and intentionally utilizes offensive ICT capabilities to damage or impair the use and operation of our state’s critical infrastructure in a manner that would have a debilitating impact on the security, economy, public health and safety of the country. In conclusion chair it is also our view that implementation of the agreed rules, norms and principles could contribute in streamlining the technical collaboration and mutual legal assistance processes in handling of cyber incidents across borders in real time. Thank you, Chair.

Ambassador Gafoor  

Thank you for the statement, China to be followed by Portugal. China please.


Mr. Chairman, thank you for giving me the floor. Based on the requirement of the agenda in this segment our delegation wishes to elaborate on two topics in further details. The first one is data security. Data security is a major issue that concerns national security and socio economic development, affecting not only economic growth, public interest and personal privacy, but also national security, as states give a high priority to the development of digital economy through ICT. Data security continues to gain prominence as an issue of international concern. In light of this, the formulation of global data security rules on the basis of broad participation will contribute to enhancing mutual trust between states and promoting the healthy and sustainable development of digital economy. To this end, China has proposed the global initiative on data security, with a view to providing a blueprint for possible global rules and contributing to the maintenance of global data security. This initiative builds on the maximum common denominator focuses on major issues that have attracted wide attention, such as the protection of critical infrastructure and personal information, the storage and access of corporate data overseas as well as supply chain security. In addition, the initiative proposes constructive concepts and solutions regarding the code of conduct for governments and businesses in the realm of data security, and comprehensively captures the latest international development and consensus in data and supply chain security. The initiative is proposed by China and open to all states. Since the launch of the initiative, China has had in depth discussions with other countries and have received support and positive feedback from many countries, especially developing countries. In March 2021, the China-League of Arab States Cooperation Initiative on Data Security was announced. China welcomes the efforts of governments international organizations, IT companies, technology community, civil society and private citizens to work together on the basis of joint development, with wide consultation and shared benefits, provide constructive inputs and promote data security. According to our mandate conferred by 75/240. Data security is an important topic of the current OEWG. China looks forward to having in depth discussions with all delegations on data security and make joint contribution to the development of global data security rules. Today, China has submitted the text of the initiative to the OEWG as a position paper. The second issue I’d like to elaborate on is the security of Critical Information Infrastructure. Ensuring the security of Critical Information Infrastructure or CII is a general consensus. We are of the view that states have jurisdiction over the ICT infrastructure resources as well as activities on their territories. No country should sabotage the critical infrastructure of other states with ICT or engage in the destruction or theft of important data of such an infrastructure. States should improve legislation on the protection of CII exchange best practice and technology and promote international cooperation in such areas as training, innovation, early warning, emergency response, standard formulation and information sharing. On September 1st 2021, China’s regulation on protecting the security of Critical Information Infrastructure came into effect. According to the regulation, Critical Information Infrastructure is defined as important networks and information systems of key industries and sectors, such as public telecommunication and information services, energy transportation, hydraulic works, finance public service, e-government and defense science and technology, as well as other such networks and systems whose compromised loss of function or data breach may seriously jeopardize national security, national economy and public interests. China welcomes in depth discussion at the OEWG on the definition and protection of critical infrastructure based on the principle of sovereignty. Mr. Chair, I noted that just then some colleagues made reference to the framework of responsible state behavior in cyberspace. I would like to make additional comments on this issue. Regarding this issue, I would like to reiterate China’s position which Italy elaborated yesterday, namely it is inappropriate and undesirable to adopt a selective approach when applying the framework. This framework is a hard won consensus of our process and should be implemented in a comprehensive and accurate manner. Shortly after the adoption of the consensus regarding the development and implementing globally interoperable common rules and standards for supply chain security, and driven by its narrow geopolitical agenda, intentionally cobbled up close exclusive circles for discussing supply chain issues. This framework emphasizes that any attribution of cyberspace incidents should be based on substantiated evidence. China is of the view that given the virtual nature, and the plethora of actors, it is very challenging to achieve attribution in cyberspace, because there are a multitude of actors in the cyberspace. In the investigation of cyber incidents, any conclusion should be supported by complete and sufficient evidence. The publication of attribution conclusions will not contribute to solving the problems, instead it will aggravate misunderstanding and miscalculation among states and even lead to confrontation. At the same time, the international community should be vigilant against the attempts of a certain state in introducing politicized attribution into the cyberspace. Based on the 2021 GGE report, relevant attribution activities should be based on substantiated evidence, “such aspects supported by substantiated effects,” unquote. At the same time, I have noted that a colleague made reference to the notion of so called peace time, and the notion that the current framework as well as existing international law are sufficient in this area. In a spirit of trying to be comprehensive and accurate I’m compelled to point out that this is a misrepresentation of the consensus report adopted in the past. The international community has never reached a consensus on the so called notion of peacetime. At the same time, it is possible based on the characteristics of ICT to discuss the formulation of new international legal instruments. I would like to quote the text in the 2021 GGE report. I quote, “given the unique attributes of ICTs the group reaffirms the obliteration of the 2015 report that additional norms could be developed over time and separately, notes that the possibility of future elaboration of additional binding obligations if appropriate” unquote. Thank you, Mr. Chairman.

Ambassador Gafoor  

Thank you for the statement, I give the floor now to Portugal followed by the Islamic Republic of Iran. Portugal please.


Thank you, Mr. Chairman. Portugal aligns fully with the statement by the representative of the European Union, but would like to add some brief specific considerations on a national basis. As we have stated last December, Portugal upholds the applicability in cyberspace of the rule of due diligence, and therefore that states should not knowingly allow ICT devices on its territory to be used by another state to attack a third country thereby hiding the real origin of the attack. We also uphold that the rule of due diligence should imply that a state promptly investigates and shares the results of that investigation with the state that alleges that those ICT devices were used to attack its critical infrastructures. Manipulation of IP addresses of internet connected ICT devices in foreign countries, sometimes residential devices of innocent citizens, is unfortunately also common practice among cyber criminals, but the risk increases exponentially when IP addresses of government ICT devices in a third country manipulated in order not only to hide the true national origin of cyber attacks to critical infrastructures, but to lead the country that was attacked to believe that it was conducted deliberately by that government. In this particular instance, the risk is that in self-defense a country may legitimately feel entitled to explore such attacks against its essential services and thereby unknowingly involve innocent parties. Due diligence in cyberspace should therefore be upheld by a plurality of states and promoted by the dissemination of their best practices in order to increase confidence that a request for an investigation would always be followed through. We understand that countries with higher intensity of internet traffic through their territories would fear the burden of due diligence in cyberspace if it was codified. However, the risk of not acting in search of a solution is very high, specially now that with the general introduction of 5G technologies, things as opposed to people are themselves connected to the internet. Serious increases of manipulation of government IP addresses have been identified in the context of armed conflicts and that trend should of course require our utmost attention. But IP manipulation in the context of attacks against the internet core or against the integrity of electoral processes can also be paramount. Due diligence is thus one of the most important rules of responsible state behavior in cyberspace. And thus, Portugal calls on all states to acknowledge its obligation and share their best practices in the course of the work of these Open-ended Working Group with a view to increase the overall level of security. Thank you, Mr. Chairman.

Ambassador Gafoor  

Thank you for the statement, Islamic Republic of Iran to be followed by Tanzania. Please.

Thank you, Mr. Chair, the OEWG’s involvement with all the state actors regarding an issue with overarching influence on all aspects of human life was long awaited. This intergovernmental process is a place to comprehend the outcomes and products of other mechanisms and align them with the international community’s will and aspirations in an inclusive and transparent manner. Therefore, while the OEWG does not start from scratch, nothing prevents it from further working on the previous findings. In fact, resolution 75/240 has entrusted the OEWG to continue as a priority to further develop the rules, norms and principles of the responsible behavior of states, and if necessary to introduce changes to them or elaborate additional rules of behavior. We recall that the norms contained in the GGE report in 2015 are not comprehensive. Since the rules of behavior agreed in the past are not sufficient for the full [unclear] regulation of the ICT environment in line with the attributes of the ICTs and the needs of the evolving situation, it is necessary to continue to develop a comprehensive universal list of rules, norms and principles for the responsible behavior of states. The annex to the Chair’s summary of the first OEWG on additional proposed norms allude to the incomplete work previously done on norms. It has been clearly recognized in the paragraph 80 of the substantive report of the previous OEWG, this should be the initial basis for the group discussions on this topic. In our view, the idea of implementing rules of behavior is premature and will not have the expected effect if the list of rules, norms and principles will not have the universal and obligatory character. Prior to any discussion on the operationalization of the set norms, the OEWG needs to agree on the final and comprehensive list of norms. In the framework of norm making activities it would be reasonable for the OEWG to elaborate on possible ways of regulating the activities of IT companies in the digital sphere and formulate rules of responsible behavior of business in the information space. Any list of norms will not be completed if it lacks norms on the behavior of digital platforms and companies and social media networks in the ICT environment, either by their own responsibilities or responsibilities of their respective governments. Stakeholders rather than states also need to observe the principles, rules and norms for their responsibly behavior in the ICT environment. The private sector and social media platforms should observe the rules, norms and policies of their countries where they operate. States should also consider ways and means to hold them responsible. The views of the Islamic Republic of Iran regarding this critical issue have been elaborated in detail in our second submission data 20th of February 2020, wherein we have indicated that prior to any discussion on the operationalization of any envisage norms, further discussions is needed to develop, change or add to the 13 norms contained in paragraph one of the UNGA resolution 73/27. We also indicated the need for the structured discussion on 13 norms around their ambiguities associated with their understanding of the identified norms. They need to agree on the terminology for their understanding on the list of terms as well as introduce change to the identified norms in order to revisit all 13 norms and elaborate on additional norms. It is the Islamic Republic of Iran’s priority to formulate new norms in light of existing and potential threats in the ICT environment. During the previous OEWG our delegation has put forward specific proposals on new rules related to threats arising from content, unilateral, coercive measures and the responsibility of the private sector and other stakeholders among others. We are ready to engage in detailed discussions perhaps in a subgroup format, with a view to reaching consensus on a set of concrete norms as mentioned in the chair summary attached to the final report of the previous OEWG. The additional norms including inter alia are as follows. One, the roles of states with the primary responsibility for maintaining a secure, safe and trustable ICT environment should be enhanced in the ICT environment governance including policy and decision making at the global level. The envisaged governance should be realized in a manner that strengthens the state’s sovereignty and shall not affect the rights of the states in the decision making for the development, governance and legislation models in the ICT environment. Two, no state has the right to intervene through cyber means directly or indirectly and for any reason in the internal or external affairs of other states. Three, all forms of interventions and interference or attempted threat against political, economic, social and cultural systems as well as the cyber relative critical infrastructure of the states shall be condemned and prevented based on UNGA resolution 2131 of the 21st December 1965. Four, states shall not use ICT advances as a tool for economic, political or any other type of course of measures, including limiting and blocking measures against target states based on UNGA resolution 2131 of 21st of December 1965. Five, states should ensure that appropriate measures are taken to ensure that the private sector with extra territorial impacts, including platforms, are held accountable for their behavior in the ICT environment. Six, states must exercise due control over their companies and platforms under their jurisdiction and control, otherwise they are responsible for knowing the intervening in the national sovereignty, security and public order of other states. Seven, states should refrain from and prevent the abuse of ICT supply chains developed under their jurisdiction and control to create or assist in the development of vulnerabilities in products services and maintain compromising sovereignty and data protection of the target states. Further to our previous proposals, my delegation would like to propose structured discussions on the 13 norms around the following lines. One, ambiguities. To further develop the norms that OEWG should address ambiguities associated with the understanding of the identified norms. Two, terminology. The OEWG may work on a list of agreed terms to improve understanding and avoid further ambiguities. It is necessary to highlight that the elaboration of norms requires a cyber security terminology that is accepted by all member states. Three, introduction of changes. To ensure a comprehensive consensus based OEWG outcome on the norms and given the fact that most of the OEWGs participating states were absent in the GGE processes, it is necessary for the OEWG to allocate sufficient time on revisiting each and every one of their 13 identified norms. Four, elaboration of additional norms. There are issues not sufficiently covered by the 13 identified norms. Therefore, the OEWG needs to focus on additional norms necessary to address other areas of responsible behavior. We believe that a conflict free, development oriented, transparent, fair, moral and peaceful cyberspace will not be guaranteed only through a set of voluntary non-binding norms. It requires a legally binding instrument that would, among others, specify the commitments and responsibilities of those states that have dominance in technology and cyber related resources vis a vis their own behavior, as well as the behavior of companies and platforms registered on their jurisdiction. I thank you, Mr. Chair.

Ambassador Gafoor  

Thank you for the statement. Distinguished delegates, I want to point out that we have about 18 speakers left. It’s almost 12 noon. We have one hour left for the session. At this rate, we’ll have to extend the session by another week. Which clearly is not going to be possible. I have not tried to impose a time limit on statements. But we may be compelled to do so. I had also not discouraged delegations from making long interventions because I wanted to let the 1000 flowers bloom, so to speak, and get as many specific ideas as possible on the table as material for our annual progress report. But it is also important that we get to all the agenda item and at this pace given the fact that we did start agenda item only yesterday, it is important that we speed up. So I’d like to appeal to all delegations that have taken the floor, thank you very much for registering to speak, but I would really urge each one of you to find ways to summarize your statement and get to the most essential points that you think are important for your delegation while uploading your statement on e-delegates platform so that all of us can have access to your statement and certainly as chair, me and my team will certainly go through all the statements that are uploaded in their entirety. So of that I want to assure you, but certainly at this rate, in the last two hours, we have only been able to take about 16 statements. And we have another 18 statements with one hour left for the morning session. So we are clearly not catching up. But the gap is widening in terms of what we need to do given the time ahead. So I just wanted to register that appeal. And I appeal to all delegations to be very conscious of the time we have left as a working group. I now give the floor to Tanzania to be followed by Germany.


Thank you Chair for giving me the floor. Good morning, everybody. It’s almost afternoon. I would like to, I’ll try my best to be brief as being the first after the chair has registered you’re conscious on time. So the United Republic of Tanzania would like to thank you for your commended leadership since the beginning of the second substantive session of the Open-ended Working Group on security of and in the use of information and communication technologies 2021 to 2025. Tanzania aligns itself with statements delivered by Indonesia on behalf of the Non-Aligned Movement NAM, however, wish to compliment them with following remarks. The United Republic of Tanzania recognizes the initiatives undertaken by the various states and international actors to limit the misuse of information technology by the criminals. Tanzania has embarked significantly on strengthening both institutional and legal frameworks that aim at preventing and combating cyber crimes. Among the measures we’ve undertaken is to develop a national cybersecurity strategy, enacting robust and comprehensive laws including the Cyber Crimes Act of 2015, the Electronic Transactions Act of 2015, and the Electronic and Postal Communications Act of 2011. Our Cyber Crimes Act of 2015 under Section 28 provides for powers to the responsible minister to designate and register Critical Information Infrastructure, a process which has commenced this year and mainly it’s a legal framework to protect the Critical Information Infrastructure. Currently, we’re in the process of enacting the Personal Data Protection Act. We have also established a number of parastatal instruments to deal with different aspects of cyber crimes. There is also a designated Cyber Crimes Unit within the police force mandated with powers to investigate cyber crimes and conduct forensic analysis of devices used in the commission of cybercrimes. Further, we’ve established the Tanzania Computer Emergency Response Team, which is a CERT which is mandated to detect and deter illegal criminal activities in information communication platforms and has been operational since 2014. Mr. Chairperson, in the recent past the scourge of cyber crimes has had devastating effects in all aspects of life across the globe. Cybercrime has become a catalyst for escalation of emerging threats such as terrorism, and transnational organized crime and cross border crimes. Among the impacts of cybercrime are violation of individual privacy, growth of terrorist groups and their networks and expansion of drug trafficking and human smuggling, others are expansion of international corruption networks, theft of intellectual property, human trafficking, etc. Generally, cyber crimes poses a significant and growing threat to national and international security. In this regard, we urge member states to consider emerging threats as comparable aspect to cyber crimes. Mr. Chairperson, generally the United Republic of Tanzania agreed with a number of inputs from various member states. However, we stressed that the following five measures should be adopted by this Open-ended Working Group. Number one, Tanzania agrees with other member states that protection of human rights, individual privacy and freedom of speech and expression should be should be a priority. However, the protection measures should not be in contradiction to the existing laws, policies at national level. We also insist that the protection measures should not undermine the capability of legal and security instrument to investigate and contain security threats in the country. We urge member states to take the necessary precautions so that to avoid creating measures which may be used as a hiding platform, by the criminals such as terrorists, drug smugglers, human traffickers and the like. We stress that international measures should not hinder ethical investigations and operations. Number two, we also agree that the measures against the misuse of ICT should intend to prevent cyber bullying, intolerance, hate speech and terrorism activities, rather, should also protect critical information infrastructures and prevent crimes related with cross border data. Number three, Tanzania is also convinced that cooperation and sharing of information between states security instruments is a necessary measure against transnational inorganized crimes. It’s disappointing to say that while countries are reluctant to share information about the threats posed by various groups, non-state actors are increasing to use the limited resources and opportunities they have to exchange information and know how regardless of the existing legal barriers. Based on this fact we urge all member states to consider adopting measures which are recognized and enhance sharing of security information. Moreover, we insist that sharing of information between security instruments should not be regarded as illegal. Number four, one of the factors which hinder efforts against cybercrimes is inadequate of uniformity in terms of methods, expertise and means of preventing and combating the state’s threats. Some countries are more capable to prevent and contain the set threats while others are struggling. Developing countries are subjected to this shortcoming as they are insufficient in terms of resources finance, technology and human capital. Due to this obstacle, their capability to effectively tackle cyber crimes is limited. Based on this shortcoming, we urge member states to use this gathering as an opportunity to adopt the necessary measures which enhance capacity building and international cooperation as a means to enhance the capability of developing countries. Number five, as a means to enhance national readiness against cyber threat. Tanzania concurs with the idea of establishing a National Cyber Risk Assessment machinery in each country Mr. Chairperson, in conclusion, the United Republic of Tanzania reaffirms its commitment to this charging its obligations to prevent and suppress cyber crimes. We further reaffirm our assurance to protect and safeguard the rights of victims of cyber crimes. Thank you, Chair.

Ambassador Gafoor  

Thank you for this statement. I’d like to request all delegations to make their statements within three minutes. Thank you very much for your understanding and cooperation. I give the floor now to Germany to be followed by Cuba. Germany, you have three minutes and I’m sure you will set a good example. Thank you.


Honorable chair. Germany believes that discussions in this Open-ended Working Group should be used to expand and deepen the existing UN framework of responsible state behavior by means of mutual exchange and with a view towards building a stronger joint understanding of how international law applies to the use of ICTs by states. As part of the EU statement, we have already underlined Russia’s breaking of UN norms in the context of the current war against Ukraine. These recent breaches of UN norms and international law provide a powerful reason why Germany sees the most urgent focus of work under this agenda item in the area of advancing norm implementation in order to strengthen cyber stability. The proposed UN Program of Action can be understood as an inclusive and transparent platform in this regard, as the POA seeks to address states’ most urgent needs to help them implement their commitments and contribute to peace and stability in cyberspace. Another avenue towards strengthening norm implementation is via practicing Confidence Building Measures, which Germany will expand on further under the dedicated agenda item. Germany welcomes existing practical measures advancing norm implementation, such as the National Survey of Implementation as outlined by Australia. UNIDIR’s role in facilitating use and sharing of the survey is an excellent example of how trusted UN institutions can play a key role in assisting member states with norm implementation. With regard to future work of this group, Germany supports the suggestion made by the Republic of Korea to further spell out ways for the implementation of the due diligence principle as captured by UN norm 13C.  Germany fully endorses the strong call delivered by Portugal in this regard. Germany has also taken a number of measures at the national level in implementation of UN voluntary norms. I will just mention one. Germany has contributed to the attribution of recent cyber attacks against European targets at the EU level, and has publicly attributed cyber attacks against German democratic processes, acting on the basis of solid technical evidence in all cases. On this exact topic, Germany welcomes the recommendation made by Kenya to do further work on how to conduct attribution of cyber incidents in this working group. As a country that has recently adopted a more active stance on this Germany is happy to support measures for norm implementation in this regard. Thank you.

Ambassador Gafoor  

Very good Germany, you kept within the time limit. I give the floor now to Cuba followed by Singapore, please Cuba.

Chair, we are aligned with the statement of Indonesia on behalf of the Non Aligned group of states. We believe that it’s important that we strengthen the normative framework when it comes to the use of ICTs within the context of international security. Rez 75/240 of the GA establishes the priorities when establishing rules, norms and principles of responsible behavior of states. The OEWG is a space for us to define the corresponding modalities and define its new rules. We believe that all rules, norms and principles of responsible behavior of states should be discussed and adopted by consensus within the OEWG independent of what the context within which they were developed or proposed. The OEWG should use this process, which is a part of its mandate, and not allow it to be delayed. Norms agreed upon by the GGE cannot be the only basis for discussion. We remind that the norms contained in the GGE 2015 report do not have contributions by all states. We reiterate the need to develop and implement new norms for the responsible behavior of states in cyberspace, based on full respect of the principles of sovereignty, equal sovereignty and the integrity of states and that they promote peaceful cooperation at the international level for mutual benefit. We also need norms that will refer to prevention of militarization in this area and the non imposition of coercive unilateral measures. These norms should be binding and should establish guidance for states when it comes to protecting cyberspace. Cuba believes that these are the path end starting points toward a legally binding broad instrument within the UN framework that will allow for us to respond to the current legal gap in the area of use of ICTs. We find that relevant areas concerning threats, the protection against loss of data, the protection of personal data and institutional data facing cyber crimes, the guarantee of supply chains, the guaranteeing of all kinds of services, intellectual property, culture and awareness raising. Evaluation of cybercrime, certification of technology security, among others are important measures for establishing our norms. The interpreter cannot hear you.

Ambassador Gafoor  

Sorry, we’ll give to Cuba. Take the floor to wrap up the statement please.

Thank you. Simply to conclude we are in agreement with the revision, adoption and updating of the GGE recommendations of resolution 73/27 as shown in the Compendium prepared by the previous president of the OEWG and all that is contributed during our current session only this kind of revision will allow us to reach the conclusion we need previous to any operationalization process. Thank you.

Ambassador Gafoor  

Thank you very much. Cuba. I hadn’t requested that delegations be cut off at the three minute mark, but I think the technicians were very effective and efficient. I don’t intend to impose the guillotine but I do request that delegations do their best to keep within three minutes and you will see the light flashing after two and a half, two minutes. When the red light flashes on your microphone that is a signal for you to sum up. So I don’t particularly enjoy doing this but I think it’s important that we are fair to all delegations which have asked for the floor. And also we need to be fair to the mandate, it’s important that we have time to address all the issues under the mandate of the working group. So thank you very much. So floor now to Singapore, followed by Estonia, and I have no doubt Singapore will be exemplary. Thank you.


Thank you, Mr. Chair. In response to the guiding questions, Singapore is of the view that the most practical way for the OEWG to support the implementation of the existing framework, including the rules, norms and principles of responsible state behavior would be through capacity building efforts, which I’ll elaborate on later. One of the guiding questions was on regional initiatives, so allow us to share an example from our region. In ASEAN, together with the UNODA, Singapore is developing a norms implementation checklist through a series of workshops. The checklist aims to be a guide for a set of practical, simple and tangible actions that member states could take to implement the 11 norms taking into account the additional guidance on norms implementation provided in the final consensus reports of the 6 GGE and the inaugural OEWG. It will also identify the capacity needed to help member states implement such norms. Just last week, we had a workshop to develop the checklist together with the ASEAN member states. And the workshop focused on ways in which we can implement norms 13g on critical infrastructure protection, norms 13j on vulnerability reporting and 13k on the protection of CERTs and CSIRTs. Through the conversations we got valuable feedback in terms of specifics like identifying CIs and CIIs, determining asset classification and evaluating them through risk assessments. Conversations on proposals for establishing the national CERTs and publishing advisories, posting vulnerabilities on social media. So specific, tangible and practical actions that states can take. The checklist helps to focus the conversation on these, to help countries implement the norms. We look forward to engaging other regional groupings and countries in subsequent workshops. Moving on to protecting electoral processes and the integrity and the availability of the internet, which is something that other members have spoken about. As we seek to make further progress on implementing existing norms. We should consider strengthening our efforts to protect critical infrastructure as set out in norms 13f, g and h. One example of critical infrastructure could be the technical infrastructure and systems essential to the general availability or integrity of the internet. Another example of a norm that we can elaborate on would be the ICT infrastructure essential to the political and electoral processes as raised by colleagues from Timor Leste, Nicaragua, cyber attacks on such ICT infrastructure can threaten political outcomes including compromising the integrity of election data. It is crucial therefore that we ensure that this type of infrastructure does not fall prey to malicious activity. Member States should agree not to conduct knowingly or support ICT activity that damages, disrupts, impairs or undermines the electoral critical infrastructure. Thank you.

Ambassador Gafoor  

Thank you very much for keeping within the time. Estonia to be followed by Chile, Estonia, please.


Thank you so much, Mr. Chair. In response to your guiding questions I would like to express the following. Building on the work already done, the OEWG and the international community needs to make implementation of the norm as a matter of priority. In order to have concrete results, our efforts need to be transparent, flexible and scalable. This approach, namely our process focusing on behavior and not technology itself, is most suitable as mentioned by some delegations before. One concrete example includes discussions that would contribute to the further development of the National Survey of implementation of the UN General Assembly resolution 70/237, which emerged as one practical outcome from the latest OEWG and GGE reports at the initiative of Australia and Mexico, or other such initiatives that allow to identify existing efforts and needs for norm implementation. Estonia believes that these options have to be considered and applied. At this moment, we don’t see any need for additional new norms, as the Russian Federation has shown by [unclear] including during the current aggression against Ukraine, any new norms would simply widen the opportunities to do and deny these. Let me also take this opportunity to support the US statement, especially the points about interim freedom. In our view, free, open and secure internet is a core part of a functioning society and measures to restrict access to information go beyond basic rights and principles. Thank you

Ambassador Gafoor  

Thank you very much for the statement. Chile to be followed by Brazil. Chile, please.


Thank you very much Chair. This is the first time that we take the floor and so we thank you for your arduous work as the Chair of this working group and the flexibility of the other member states, as we seek to progress in our agenda. We will be brief to respect the time limit. The norms and rules for responsible behavior of states can reduce threats to international peace and security, we should improve the predictability of these threats and thereby reduce further threats in cyberspace. We know that these norms should not alter the sovereignty of states in this area, it should, if anything, allow for greater definitions that will increase responsibility by states when they use ICTs. In this regard, it’s important that states are able to move forward in the implementation of the non binding 11 norms which have been enshrined within the report of 2013 and 2015 by the GGE. In that regard, we believe that we could use the voluntary survey mentioned by the Australian delegation, as well as other states. As it was recommended by the 2021 OEWG and the GGE. We find that guidance for the implementation of the norms from the 2021 GGE report would be great guidance for us to implement these norms in our own national capacities. This could represent an important opportunity for all states in this area, we could also implement measures where countries have been able to make significant progress within the framework that has been agreed upon and use that to improve our measures in other countries through plans and strategies that have been used to implement these norms in various states. We also would like to mention the Global Forum of Cyber Expertise and the work that has been done within the Program of Action, which we believe could be an important contribution to the work of our group. Thank you very much.

Ambassador Gafoor  

Thank you, for the statement, Brazil to be followed by France. Brazil, please.


Thank you, Mr. Chairman. Brazil would like to reaffirm its commitment to the agreed framework of voluntary, non-binding norms of responsible state behavior, as described in the 2015 GGE report and detailed by the 2021 GGE report, both endorsed by the General Assembly. Those complement international law, which is applicable to cyberspace. And this is the basis for this group’s work. In order to best facilitate the implementation of those norms it is our view that this working group must adopt an evolutionary approach regarding the OEWG’s and the GGE’s 2021 reports. For the sake of consistency and continuity, the starting point should be their conclusions and recommendations. Therefore, and in response to your guiding questions, Mr. Chair, we would like to thank Australia, Mexico and other countries working on the survey on national implementation, a constructive effort of which we take note with interest. It could be a possible concrete an early result of this group, delivering on paragraph 30 of the OEWG report, as well as supporting the provisions of paragraph 32 on the need of support implementation, a topic that we will discuss better tomorrow. Furthermore paragraph 95 B of the GGE report identifies as potential areas for future work further sharing and exchanging views on norms. In paragraph 33 of the OEWG report takes note of proposals made by states in this regard. My delegation is open to discussing in this OEWG possible improvements of the normative framework, given that they aim towards filling possible gaps as needed and don’t represent any setback to what we have already achieved. Finally, Mr. Chair, we thank you for the effort for ensuring our delegations to speak today and we would like to suggest that tomorrow we use this time limit for all delegations since the beginning, because it is important to ensure that more delegations speak the better and it’s easier for us to coordinate with capitals a speech that is already in three minutes. Otherwise we are here with our big speech and we just need to deliver them. Thank you.

Ambassador Gafoor  

Thank you very much, Brazil. It’s a very good point, I think it should certainly be evenly applied and right from the beginning. I wish I had done that right from the beginning. But I hadn’t realized that the plan of work that I had in mind could not be executed as intended. So we are now dealing and improvising. So, once again, I thank all delegations for the understanding to keeping within the time limit. France followed by Japan please, France.


Thank you. This will be a shortened version of our statement, which was far too long. In the face of potential and existing threats which we discussed yesterday, if we no longer have the need in this group to support and promote behavior, norms agreed upon by the previous group the Chair mentioned the eventual need to develop new norms and my delegation in this context believes that it is not something that we wish to do. We do not believe that this is desirable. We believe that our debate needs to be based on the work of the previous groups as recommended by Rev 7619. The past norms need to be a solid foundation for our discussions in our work, we need to identify priorities, and as you mentioned in your questions chair we need to agree upon a common understanding of these norms and then implement them. My delegation would like to formulate the following recommendations. First, we support deepening exchange on the scope of specific applications and on the implementation of norm 13c on due diligence. As the OEWG and the GGE have begun to formulate expectations to avoid malicious activity on their territories as part of this group states need to make efforts to strengthen mutual comprehension of this norm. France is ready to contribute to these discussions by basing itself on the proposals which we supported during the previous OEWG and which were included in the Chair’s summary. We can promote due diligence by encouraging states to adopt measures to prevent malicious cyber activity on their territories by private actors, for example, through malware. We promote dialogue with the private sector in order to strengthen implementation of 13e as well on supply chains and non-proliferation of malicious tools. We also need to clarify the modality of applications of some behavior norms. Additionally, my delegation would like to express its support for a platform that would support states in their implementation efforts in the normative framework. We support the National Survey of implementation promoted by Australia and Mexico with the support of multiple states including France. Also, as you are aware, Mr. Chair, France with the support of an increasing number of states and the EU, France is promoting the establishment of an Action Plan on cybersecurity. It can complement the work of this working group and strengthen the implementation of responsible behavior norms. Based on the National Survey of implementation a voluntary follow up mechanism will be created for state behavior. It will allow us to identify their priorities and to strengthen the capacity building program. Also, it will promote the use of good practices by states within their national abilities to do so, it will also create a permanent institutional framework that will support the OEWG and its work on norms and to examine challenges brought about by technological change. As a consequence, we will be able to identify consequences for our actions. I will be happy to provide additional information on this during the discussions on capacity building. Thank you.

Ambassador Gafoor  

Thank you for the statement Japan, followed by UK, Japan please.


Japan is strongly of the view that voluntary and non binding norms of responsible state behavior can reduce risks to international peace, security and stability. The recent reports of malicious use of ICTs in conjunction with military activities is a flagrant violation of the agreed norms. A state must not violate the sovereignty of another state by cyber operations. Japan is of the view that the 11 norms of responsible state behavior and the report of the last Open-ended Working Group as well as the report of the last Group of Governmental Experts, provides states with enough guidance on how to act responsibly in cyberspace. We do not believe there is a need for new norms. It is important for states to understand and implement the 11 norms of the responsible state behavior guided by the two reports. The Program of Action proposed by France in Egypt has over 50 co sponsors including Japan. The main objective of this program is to facilitate implementation of the consensus framework for responsible state behavior in the use of ICTs. The POA proposes to establish a permanent, inclusive and action oriented instrument aimed at advancing concrete cooperation against malicious use of ICTs. The Program of Action will support capacity building efforts, develop exchanges of best practices and experiences and foster meaningful multistakeholder engagement. We hope to be able to establish the Program of Action with the support of as many countries as possible. We also appreciate and support Australia’s initiative that will assist states to implement the 11 norms of responsible state behavior. Thank you very much.

Ambassador Gafoor  

Thank you for the statement. UK followed by South Africa, UK please.

United Kingdom

Chair, Indonesia, Vietnam and Singapore have highlighted that ASEAN member states have been working hard on norm implementation. The UK has worked in partnership with Australia and ASPI and the member states to promote development of national pathways to the implementation of norms of responsible state behavior in cyberspace. ASPI’s contribution to this process can be found on the stakeholder submission webpage and offers participants region-specific perspectives based on real and observed examples of good practice. It’s further supported by a GFCE research report which looks at the unique formula each country has taken in implementing the norms. This work shows there are many steps to implementation from building awareness and buy-in across government to assessing implementation strengths and weaknesses and to taking action domestically. Drawing lessons from ASEAN member states efforts in this regard would be informative for all OEWG participants, as well as inspiring possible similar efforts in other regions. Chair we fully support the progress that has been made on the survey explained by Australia and supported by so many states as a tangible step towards working together in this area and we thank them for that. The activity we are currently seeing in cyberspace emphasizes the importance of implementation. Norm E, the respect for human rights, is a current priority for the UK, the same rights that people have offline must be protected online. This includes rights such as the applicability of freedom for expression, regardless of frontiers and through any media of one’s choice, and the protection of civic space as it extends online and into digital spaces through the right to freedom of peaceful assembly and of association. We propose a theme discussion in the OEWG of how these rights can be impacted, intentionally or unintentionally, when states make cybersecurity policy. Civil society experts are able to share their expertise of analyzing and assessing the impact of cybersecurity policies and propose actions states can take to protect against these impacts. Finally, on Iran’s proposal to agree a final list of norms before proceeding to implementation, we do not consider that to be practical. Whilst we do not see a requirement to add to the 11 norms at this time, we would not be able to agree that new norms would never be needed. The fast-paced development of ICTs led to the agreement quoted by our Chinese colleague to consider new norms in the future. We consider this to be a practical position. We cannot predict the future. And we therefore cannot hold back implementation awaiting this unattainable objective. Thank you, Chair.

Ambassador Gafoor  

Thank you for the statement South Africa to be followed by Ukraine, South Africa please.

South Africa  

Thank you chairperson. South Africa aligns itself with the statement delivered by Indonesia on behalf of the NAM. South Africa believes that voluntary norms add an additional layer of understanding of the applicability of international law in cyberspace and is therefore an important aspect of the OEWG’s work and outcomes. Whatever the outcome of this OEWG, South Africa believes that nothing prevents states from implementing new possible norms prior to the end of its mandate in 2025. In this regard, the acquis of the first OEWG and GGE reports has been accepted as the basis for the Working Groups work. South Africa has also stated before that implementation of the existing work that has been done will reveal both effective practices and potential gaps which will enrich the discussion of norms and possible principles of responsible behavior in this forum. Persuing regular information sharing between states even before concluding an international agreement is a viable norm and principle along which to operate, some states may be in the process of building their national cyber threat infrastructure, particularly developing countries and some enhancement from the international community at large would provide practical steps that could later become part of a larger international agreement. The development of new norms should not detract from the implementation of existing norms. The further development of norms, rules and principles should be understood as a process of evaluating, updating when necessary, and refining rather than seeking to develop a completely new set of norms. At a practical level, South Africa believes that it is important for member states to document their implementation in a standardized template so that gaps may be identified and addressed. For this reason South Africa supports the use of the model of the National Survey of implementation of the United Nations General Assembly resolution 70/237. Thank you.

Ambassador Gafoor  

Thank you for the statement, Ukraine, followed by Switzerland. Ukraine, please.


Mr. Chair, Ukraine aligns itself was the statement delivered by the European Union and would like to make a statement in our national capacity. As our delegation stated at the opening of the second substantive session of the OEWG, Ukraine’s critical infrastructure, governmental agencies and citizens have been suffering from cyber attacks of the Russian Federation for eight years. The Russian Federation attempted to interfere in Ukraine’s elections. It has also been conducting fake news campaigns to spread panic among Ukraine’s population and cut off our citizens from the official information sources. Many of those attacks are massive and indiscriminate. And the hacker group behind those attacks is a special project of one of Russia’s intelligence agencies. Among the main objectives of such cyber operations are the following: to get control over the objects of critical infrastructure of Ukraine; theft of intelligence information, including classified information: conduct information and psychological campaigns: blocking of information systems. A few weeks before and right after the launch of the new wave of large scale Russia’s aggression against Ukraine, Ukraine’s banking’s sector and governmental agencies were suffered from additional cyber attacks. As an example, just for the last week, Ukraine’s authorities reported around 60 cyber attacks. Mr. Chair, Ukraine reiterates the importance of advancement of the understanding and implementation of norms, rules and principles of responsible behavior in cyberspace. The protection of critical infrastructure remains one of the key priorities for Ukraine. Recently, Ukraine has adopted a new cybersecurity strategy and the plan of action on its implementation, which envisages at least of measures aimed at strengthening critical infrastructure protection. Ukraine supports the National Survey initiated by Australia and Mexico, being one of the co sponsors of the Program of Action and responsible state behavior. Ukraine believes that the POA could play a crucial role in further enhancing the implementation of those norms. Thank you, Mr. Chair.

Interpreter (Arabic)  

Thank you for the statement. Switzerland, followed by Malaysia. Switzerland, please.


Thank you, Mr. Chair. Switzerland strongly supports the framework for Responsible state behavior in cyberspace. Norms form an important part of this framework. Switzerland is of the opinion that at the moment we should focus on better understanding, promoting and implementing existing norms before developing new ones, especially in times when existing norms are being violated on a large scale. This Open-ended Working Group could on the basis of the GGE consensus report 2021 give more specific guidance on norms implementation. States, together with other stakeholders could for example develop cooperative measures for responsible vulnerabilities, disclosures or the protection of the ICT supply chain and ICT products. An important step towards implementing the norms at national level is the development of a national cyber security strategy. The Open-ended Working Group is a suitable platform for the exchange of experience on this. States can report on their experiences in the development of such strategy and its implementation, and exchange information. The role of non-state actors should be given special consideration. These strategies should include objectives and concrete measures to achieve them. The Open-ended Working Group can also contribute to the exchange of information on concrete implementation and shape in state should use the National Survey of implementation of United Nations General Assembly resolution 70/237 proposed by Australia and Mexico, as suggested by the Open-ended Working Group in this report in its report. We thank the Australian delegation for their statement of the purpose of the National Survey, and all states who have worked on its development and are looking forward to the presentation by UNIDIR.  Mr. Chair, the protection of critical infrastructure is particularly important. Unfortunately, attacks on critical infrastructure by malicious states and non state actors have increased excessively in recent years. Of particular concern or attacks by state and non state actors on medical and research facilities, as well as deliberate disinformation campaigns during the COVID pandemic and the ongoing armed conflict in Ukraine. Attacks of this nature can pose a serious threat to international security and peace. Like other delegations before we would like to emphasize the fundamental importance of the due diligence norm in this context, and welcome the suggestion of the Republic of Korea and the statement of Portugal in this context. States should use this Open-ended Working Group to share information on one measures they have taken at the national regional level to protect or better protect critical infrastructure. Switzerland is ready to share his experiences in this field. Mr. Chair, I welcome the statement made by Canada and the Asian states on the important role of regional organizations. They can play a useful role in the implementation of the volunteer norms, and this group could offer a platform for an exchange with regional organizations on their experiences and recommendations in this area. Finally, a number of delegations have mentioned the proposal for the creation of a Program of Action. Switzerland is a co sponsor of this program. As others, we think that this program could play a useful role for capacity building in the area of norms implementation. Thank you.

Ambassador Gafoor  

Thank you, Malaysia, followed by Costa Rica. Malaysia, please.


Mr. Chair, distinguished delegates, ladies and gentlemen. Malaysia will be brief. In Malaysia’s intervention yesterday, we highlighted the importance of cybersecurity baselining that is capable of being understood by all stakeholders as part of efforts to achieve a more accurate assessment of cyber maturity. In this connection, Malaysia would like to propose that the OEWG assists in determining and building cybersecurity baselines by mapping the agreed norms in a manner that is comprehensible to all the relevant stakeholders. I would like to return to your guiding questions yesterday on how states can enhance the protection of critical infrastructure from existing and potential threats. In our view, critical infrastructure owner should institute and maintain proper controls measures. And it is in line with norms 13 f, g and h recommended in 2015 report of the UNGGE as well as norm 13 i on ensuring the integrity of the supply chain. The control measures suggested yesterday are also in line with the National Institute of Standards and Technology NIST cybersecurity framework of identification, detection, response and recovery. Malaysia also recognizes and support the importance of measuring the implementation of the recommendations of the National Survey of Implementation of United Nations on responsible use of ICT by state in the context of international security, as demonstrated in initiative by Australia and Mexico. Further, we see value in having the OEWG work together with the Global Cybersecurity Index team of the International Telecommunication Union team in assessing the possibility of linking together the commitments of state at national level in the area of legal technical, organizational capacity development and cooperation on the one hand, with the 11 norms of responsible state behavior in cyberspace on the other. Thank you, Mr. Chair.

Ambassador Gafoor  

Thank you very much for your statement. Costa Rica, please.

Costa Rica

Thank you chair. In addition to the adoption of national legislation and the establishment of certs, Costa Rica believes that specific action that the group could use to support the concrete and practical norms within this framework would be solidifying modalities of participation for various stakeholders in the work that we carry out. Applying the normative framework can not only be carried out by states. A focus that does not take these stakeholders’ knowledge and contributions into account will not be successful. In general, the application of this normative framework should be carried out in a coordinated fashion. Which means that states should consider the bridges between all of the different components like trust building measures, skills building and norms in particular. As was said by Singapore in potentially better terms, we think that it’s worth mentioning that skills building is important to application and we should start by developing cyber capacities through activities that will reflect the principles of procedure and purpose. Cyberspace measures that are focused on human beings should be a foundation for implementing a broader normative framework in that regard regional organizations can be of great help. Initiatives for digital transformation and sustainable development can be an additional link with this normative framework, because they are often priorities for states that seek to grow their digital economies. Such intersections are particularly relevant for developing necessary capacities when it comes to managing ICT infrastructure. And we could also see the rise of other intersections with those who work particularly in the area of sustainable development. We’ve suggested focusing on one particular area a priority area like health, where all of the working groups areas like skills building, understanding threads could be applied when it comes to advancing our implementation. This will allow us to better address threats more specifically, and we’ll be able to better understand how these norms should be applied. Thank you.

Ambassador Gafoor  

Thank you, Colombia please.


Thank you chair. This working group seeks to address its work going forward based on what has been achieved thus far in our process. My delegation’s priority is to advance our adoption of measures to guarantee responsible behavior by states. This must be consensual and thereby in support implementation of these norms, guaranteeing essential services as something fundamental to our actions. We have to guarantee various ways of implementing these norms. We may have to implement campaigns for educating people on cyberspace at an inter-institutional level and with various stakeholders. We must take into consideration the proper interpretation and implementation of these norms for responsible behavior and in order to do that, we have to carry out analysis and adaptation processes within all different countries with respect to institutionalization and management of cyber events among others. We also have to position this normative framework at the highest possible level of decision making in states in order to raise awareness and guide responsible behavior among those who make decisions in this area. This could help us to further analyze and implement these norms through the promotion of methodology, experience and best practice exchange. In that regard, we reiterate the value of the National implementation Survey as such a space for this kind of exchange. We must reiterate the important role of international law and say that no voluntary norm to be developed can go against that, it must be in conformity with it. We would like to see greater implementation of the norms that we’ve reached and the concrete actions that have been advanced thus far. We should move forward with actions that would help us to implement these norms we have to advance when it comes to actions that will help us to implement the framework that we’ve agreed already, because this will help states to move forward in an inclusive and efficient way. Colombia like other states believes that the Program of Action, which we support and sponsor, would play an important role in that regard. Thank you.

Ambassador Gafoor  

Thank you, Jordan, please.


Thank you, Mr. Chair. The rules and norms agreed upon in previous reports address a number of important topics in order to prevent conflicts and promote stability in order to have a safe and secure cyberspace. This working group can support the implementation of these norms through the support of the Program of Action as indicated by a number of delegations under the auspices of the UN, we should elaborate and provide the further details on the implementation mechanisms. We need to support developing countries to implement these norms, especially when it comes to CERTs. In order to put an end to malicious cyber activities in line with national and international law, we should encourage countries to have entities working on cybersecurity to follow up on these incidents. We need to urge and help countries to evaluate on a regular basis the situation in consultation with the public and private sector. We need to urge countries to share information regarding attacks that were launched from their own territories because that would help us abort other incidents. We need to help countries to develop legal frameworks, striking a good balance between protection and confidentiality. Thank you, Mr. President.

Ambassador Gafoor  

Thank you, Pakistan, please.


We believe that there is always a possibility that we may have to face certain threats, but we cannot ignore the fact that we need a proper structure within this context. The complex nature of this matter requires a proper approach when it comes to international norms. And a legally binding document that is based on consensus. And this is the only possible option when we might need a potential alternative in a time of crisis. We may need additional technologies for addressing technology issues going forward. And we will need additional measures to. It is important to address the challenges associated with attribution in the ICT environment. Developing a common approach to attribution in a universal setting under this group in UN auspicious remains the most effective way forward. At the same time, it is important to avoid any undue restrictions and peaceful uses of ICT international cooperation in this field of technology transfer which could undermine economic and social development and hamper the first particular developing countries realizing their SDGs. Pakistan believes that adherence to the non binding norms is contingent upon equipping the member states with required skills and technologies and clearly defining the modalities for the implementation. I thank you, Mr. Chair.

Ambassador Gafoor  

Thank you. Argentina please.


Thank you very much Chair. I will now be giving a summary statement and we will send our full statement later on. We believe that we must continue to strengthen our normative framework, the one we currently have, in order to better work on achieving our goals. With respect to what different countries hope for, we need to implement a practical analysis of the norms that the states have already reached a consensus on. We believe that the initiative of a National Implementation Survey promoted by Australia and Mexico is something that we support and we find it to be a very valuable tool for implementation of norms and rules of responsible behavior going forward in various countries. This is a reflection of the learning that we’ve seen so far and that will certainly benefit the development of guidance for use and behavior relating to ICTs. This will allow us to understand the realities that affect us and will also allow us to learn lessons from other countries and thereby enrich our perspective going forward. We believe that this is a well focused approach concerning the norms that currently have consensus. This questionnaire is well structured and the questions are innovative. We find that this kind of instrument will help to generate the proper approach as we go forward without adding additional burden to various states. We also support the proposal of France and Egypt on a Plan of Action that we believe will represent a fundamental space for international dialogue for the systematization of these measures, and will produce greater efficacy for the measures implemented by states in cyberspace. These measures should facilitate actions within cyberspace and cooperation among different states at various levels of capacity and with different infrastructures that respond to their different realities. As a result of continual cooperation we’ll be able to better identify gaps that the development of ICTs inevitably produce. Regional organizations will help us to arrive at a better understanding and will help us to  promote greater cooperation among Member States. Thank you very much.

Ambassador Gafoor  

Thank you, El Salvador, please.

El Salvador

Chair, the delegation of El Salvador believes that we should continue to develop the rules, norms and principles of responsible behavior of states in cyberspace in order to lead to national development through the opportunities that come about via technological advances. We also recognize the challenges that these technologies present and that’s why we need to establish principles that could be the basis for legally binding instruments going forward. In that regard El Salvador is currently working on developing its cybersecurity legislation and is particularly interested in these 11 norms of responsible behavior of states in cyberspace from the GGE reports as well as the previous OEWG. One of the lessons we’ve learned from COVID-19 is the need for all states to have critical internet infrastructure. It must be resilient, functional and long lasting. We cannot allow attacks to generate the instability in cyberspace. This is something our country finds to be quite important and it must be discussed further. We also would like to highlight the need to continue looking at global supply chains because in a deeply interconnected world interruptions at one point or another will affect other players in ways that might be difficult to predict. We have to create a safe cyberspace and work together to mitigate the threats that affect us in cyberspace. That is why we must continue our conversations in this working group. To conclude, we believe that the analysis of the OAS on this matter is important when it comes to advancing this subject matter in the Western Hemisphere. We support further conversations to address the relevance of this matter going forward. Thank you.

Ambassador Gafoor  

Thank you. Nicaragua, please.


Thank you chair. My delegation aligns itself with the statement given by Indonesia on behalf of the Non Aligned group of countries. In our opinion, the priority of all countries in this moment is to focus our efforts on the joint effort of developing norms, principles and rules of responsible behavior by states in ICT spaces, especially when it comes to developing new norms or new technologies. When we look at the rules, norms and principles of responsible behavior of states enshrined in the General Assembly Resolution, which includes the 11 norms developed by the GGE in 2015, these are not exhaustive and should be expanded. My delegation believes that it’s important that we continue to debate the relevant proposals including in the revision of the current OEWG. And we believe that the status of these norms should change based on norms that are not necessarily legally binding currently. An updated list could become a foundation for greater contribution within this working group to the development of a universal framework on ICTs. The development and implementation of new norms concerning responsible behavior of states must take into consideration peaceful and joint cooperation in the international space and this must be mutually beneficial. We should adopt norms that look at preventing the militarization of cyberspace and look at the non imposition of unilateral coercive measures. We believe that debates on norms in these groups will allow us to move towards the adoption of an instrument of consensus that will be broad and equally binding within the framework of the United Nations. Thank you very much Chair.

Ambassador Gafoor  

Thank you very much. Haiti, you have the floor please.


Thank you very much chair for giving me the floor. The Haiti delegation is honored to participate in the second session in the discussions of the OEWG on ICT security and principles. I would like to thank you for your leadership and the professionalism and organizing the discussion. Distinguished Chair, cybersecurity is not simply an issue of information security, it is a major challenge. That is true both for individuals and organizations. Of course, this is not a physical space that we’re talking about, but it can have real world consequences and take on many forms. ICTs are all around us and are constantly changing. Cyber attacks are harming confidentiality, equality, the availability of information systems, databases, critical infrastructure, they take on various forms. They are spread through paraphilia, various images, multimedia formats. Cyberspace promotes counterfeiting, money laundering and other issues. Distinguished Chair, with the development of cyberspace, criminal activity is starting to take place on digital platforms. The transnational character and speed of these violations is a challenge to the traditional mechanism for identifying, preventing, and for launching legal cooperation around the world. It is difficult to localize these attacks and to address them. This is a major challenge for our domestic legislative systems especially with respect to punishment and establishing jurisdiction. Distinguished Chair, Haiti believes it is extremely important to address the issue of cybersecurity. Just like other countries Haiti is concerned about legislation on this issue. Nevertheless, the discussions that we are holding within our state are ongoing. Government institutions, for example the National Telecommunications Council and the National Police of Haiti, have already established a national team for responding to incidents, an IT incident response team that also fights cybercrime within the central police department. Distinguished Chair, over the past 20 years IT technology has been evolving, it has affected social and state ties. We need to promote sustainable development through this and ICTs contribute to this but nevertheless there are many concerns that we have. Distinguished Chair in conclusion, my delegation recommends the implementation and strengthening of an exchange framework for good practices and information on critical infrastructure. To this end, states can exchange good practices on industry and international standards on the protection of critical infrastructure. This relates to the second and third questions submitted to the delegations. In conclusion, Distinguished Chair in accordance with rev 75/240. My delegation hopes that continuing discussions on this in depth question will allow us to establish rules, norms and principles for responsible state behavior, and to identify effective measures to apply them to non state actors and state actors as well. Thank you.

Ambassador Gafoor  

Thank you very much, Haiti. That was the last speaker under the item of rules, norms and principles. We have completed consideration of this sub item of agenda item five. This afternoon, we will proceed to consider agenda item five sub item relating to how international law applies to the use of information and communication technologies by states. I resume the fifth meeting of the second substantive session and I adjourn the meeting and I thank the interpreters. See you at 3pm. Thank you.

Leave a Reply

Your email address will not be published. Required fields are marked *