Session 2-7 Transcript
(OEWG 2021-25)

This is an unofficial transcript

Ambassador Gafoor  

Good morning distinguished delegates. The seventh meeting of the second substantive session of the Open-ended Working Group on the security of and the use of ICTs, established pursuant to General Assembly resolution 75/240, on 31 December 2020, is now called to order. As I had indicated yesterday, before we concluded, it’s my intention to continue discussions on agenda item five sub-item relating to Confidence Building Measures. I’d like to open the floor now to invite speakers on this agenda item, and I would now like to suspend the meeting so that we continue our work in an informal mode, in accordance with the decision that was taken on the first day of the working group. The meeting is now suspended, and we will now continue our work in an informal mode. I’d like to remind delegations once again, that we are behind schedule, in terms of the work that we need to do, and therefore, I’d like to continue to apply the three-minute rule for interventions by delegations. I know this is inconvenient, but it is also an issue of managing the time we have in order to deal with all the issues on the agenda and mandate of the working group. The floor is now, therefore, open on agenda item five sub-item relating to Confidence Building Measures. The United States followed by the European Union. United States, please.

United States  

Thank you Chair. Good morning colleagues. Voluntary CBMs can increase international cyber stability. Through transparency measures, CBMs can create more predictability about state activities in cyberspace. Through cooperative and communication measures, CBMs can help states manage escalation in the event of a serious cyber incident. CBMs are an essential element of the framework for responsible state behavior in cyberspace. The 2015 GGE report offers a prioritized set of cyber CBMs, including recommendations to develop points of contact, consultation mechanisms, and transparency measures. The 2021 GGE and OEWG reports also provide robust recommendations on CBMs. To be useful, however, these recommendations must be implemented. The OEWG should review the CBMs identified in the 2015 GGE report and provide additional guidance as necessary to assist states in this implementation. This OEWG should also identify emerging best practices in cyber CBMs gleaned from the extensive work on CBMs undertaken in certain regional bodies. The United States is a member of three regional organizations with cyber CBMs programs: the Organization of American States; the Organization of Security Cooperation in Europe; and the Asian Regional Forum. Each organization is different, but some elements of success cut across all regions. First, consistency is key. CBMs take months if not years to become operational. Because of that, CBMs programs benefit tremendously from self-reinforcing arrangements. The ARF created a dedicated regional venue on cyber CBMs within the organization, which established leads, regularized discussion, and clarified reporting structures. OAS established a more permanent secretariat, with the responsibility of managing the cyber CBM group and its projects. OSCE developed and adopted a CBM program where individual member states take responsibility for putting a CBM into action. These arrangements help CBM programs maintain momentum. CBMs should be exercised. One specific activity that moves CBMs from conceptual to functional is the exercise or testing out of a specific measure. This is particularly helpful for measures intended to be used in the event of a significant cyber incident, such as point of contacts directories. Such exercises can consist of a simple confirmation that the point of contact information is up to date, and functional, or more elaborate exercises that can simulate a damaging cyber incident that affects the whole region where CBM measures could play a mitigating role. The United States continues to believe that cyber Confidence Building Measures are best implemented by regional organizations with the capacity and regional expertise to take on such programs and adapt them to the regional context. The United Nations’ primary role on cyber CBMs should be to develop global recommendations, share best practices, and encourage cross-regional dialogue and exchanges when appropriate. Only half the world has thus far pursued a regional cyber CBMs frame framework at this point. And not all UN member states are members of multilateral or regional organizations with cyber CBMs programs. We believe the UN should support cross-regional information sharing on cyber CBMs. We believe that such information sharing can be valuable. But there are limits to that value. Replicating what works in one region will not necessarily ensure success in another region. So there must be regional adaptation and ownership. We support the OEWG’s work on CBMs, but we want to ensure that such efforts do not distract from or undermine ongoing activities in regional organizations. We must also be realistic about the UN’s capacity to take on a larger role on cyber CBMs. Despite those concerns, we believe the OEWG can make substantial contributions to international adoption of cyber CBM programs. Thank you, Chair.

Ambassador Gafoor  

Thank you very much European Union, to be followed by the Republic of Korea. EU, please.

European Union

Thank you Chair and Good morning colleagues. I have the honor to speak on behalf of the European Union and its member states. The candidate countries Turkey, North Macedonia, Montenegro, Serbia, and Albania, the country of the stabilisation and association process and potential candidate Bosnia and Herzegovina, as well as Ukraine, the Republic of Moldova, Georgia, and San Marino, align themselves with this statement. The global open free, stable and secure cyberspace has become vital to the national interest of all states. It’s also essential to maintain international security and stability. International law, norms, capacity building and Confidence Building Measures forum and integrating compendium that defines and shapes responsible state behavior in cyberspace. Measures and recommendations to reduce the possibility of misinterpretation, escalation, or unintended consequences in cyberspace, are an important subject for all our discussions, and we have agreed already on such measures with the aim to improve international security and stability. Building on the UNGGE’s achievements, the previous Open-ended Working Group provided a space for all stakeholders, including regional organizations to share best practices and elaborate on their work on confidence building thus far. In the context of CBMs, the new Open-ended Working Group should continue raising awareness and elaborate on CBMs, including by taking forward the Open-ended Working Group and UNGGE recommendations to strengthen the implementation of CBMs. The Open-ended Working Group and UNGGE final reports provided clear and concrete recommendations to advanced transparency, cooperative and stability measures among ourselves. For these reasons, the European Union and the member states see the Open-ended Working Group as an opportunity to share practical tools, best practices, and examples to engage and further advance the development and implementation of CBMs. There is a clear need to implement the measures we have developed to date and to work together with the multistakeholder community to build trust and confidence in cyberspace. Firstly, we should advance cross-regional cooperation. Notably for other interested organizations to learn about existing practices and experiences to use in the development of their own sets of CBMs. It can also provide participating states with elements to support the implementation of CBMs in their own regional settings. We could share lessons learned among regional organizations developing and implementing CBMs, to identify gaps and additional measures, building on a bottom-up approach, thanks to the participation of our discussion of practitioners. Second, we should use Confidence Building Measures as a concrete area to build confidence across all actors. Many have mentioned the past Open-ended Working Group as a confidence-building in itself. It should, however, be noted that in order for trust and confidence to be built, it is foremost necessary that we see states stand behind the framework we have agreed upon, and not crossly breach it, as we are seeing Russia doing at this moment. Russia’s aggression is at the odds of confidence-building and undermine  the efforts to build regional trust, including through the development and implementation of CBMs. Trust and confidence also require compromises something else we are not seeing from Russia. One of the primary ideas behind the CBMs is to develop and maintain a system of direct communication between states, to defuse conflicts and prevent unintentional escalation. However, let me reiterate that it is more relevant than ever, and we encourage all states to continue their endeavor to promote stable and secure cyberspace, including Confidence Building Measures. It is also more relevant than ever to use the opportunity to underscore the various actors’ role in cyberspace, in view to enhance confidence among us in the value of inclusive and multistakeholder discussions. Civil society or the private sector could also facilitate the engagement with interesting stakeholders, such as private sector and technical community that have also a role in supporting the implementation of Confidence Building Measures, in particular those including public- private partnerships, particularly under the Program of Action initiative. The European Union and the member states look forward to continuing the change in the Open-ended Working Group on how confidence-building measures could provide and that value, enhancing security and stability in cyberspace.

Ambassador Gafoor  

Thank you very much for the statement. I now give the floor to Republic of Korea.

Korea

Thank you, Mr. Chair for giving me the floor. I’ll try to be succinct. Let me first address the guiding questions on one and two. My delegation would like to stress that this OEWG should focus on building an agile and flexible architecture to create networks or hubs of cooperation for Confidence-Building Measures. Listening to the presentations from the many delegations, we clearly see that there are variations in CBMs between countries and regions. We believe that linking and harmonizing the variations is the first step for the overall CBMs. And fostering a certain level of technical capacity is a prerequisite for the advancement of trust among member states. The role of existing time-tested original organizations is crucial in developing CBMs given that the gaps or variations are smaller among states of the same region, than between regions, and that we don’t need to establish any other overlapping and unnecessary platforms. As multistakeholders own and operate the vast majority of the cyber infrastructure, and are often the primary targets for cyber attacks, they possess a number of experiences and ample information to share. During the informal envoy dialogue with the multistakeholder as of March 24, many participants were eager to offer help, and some of them even show their willingness to offer training programs to member states. By systemically enlisting the multistakeholder from the incipiental stage, this OEWG will be able to best engage with original organizations. Turning to the guiding question seven, my delegation would like to propose some ways to further utilize the UNIDIR Cyber Policy Portal. After watching the presentations by the UNIDIR Cyber Portal, my delegation is of the view that the portal has the potential to further broaden its roles in CBMs. Currently, the portal has an extensive database of country profiles. This is an information CBMs similar to the budgets and organizational structures of the militaries of each country. If possible, the portal can expand its functions to encompass notification, observation, and stabilization CBMs. Notification CBMs can include incident reports of cyberspace. Observation CBMs may pertain to advanced warning measures. Stabilization CBMs are similar to crisis management. With the help of multi-stakeholders and CSIRTs of many states, the portal will be able to monitor disruptions or malignant activities in cyberspace, issue alert warnings on time, or disseminate system vulnerabilities reports as well as instructions for remediation. As for guiding question 10, my delegation believes that merely sharing point of contact is not sufficient to deal with the challenges. Member States should ensure that the POCs are readily available, and have enough authorities so that they can respond swiftly and act decisively during a time of a crisis. Given the speed of interaction and the complicated nature of disruptions in the cyber world, time and mandates are of essence. We would like to add that you need your Cyber Policy Portal can play a repository role for the POCs. Thank you.

Ambassador Gafoor  

Thank you for the statement. I now give the floor to Canada. To Canada please.

Canada

Thank you Chair. I will discuss today the work of a cross-regional group on Confidence Building Measures, and then answer some of your guiding questions. On the first point, I would like to begin by thanking Germany for convening an open-cross regional group to advance CBMs at the OEWG. Canada is very proud to be part of this group, which has already come up with many good ideas. These ideas will be presented by others in the group here today, and on a working paper that will be posted on the OEWG portal sometime between now and the July session. Within this group, Canada has been championing gender, as well as a transparency measures. On gender, we can elaborate on this later, but I will just say that the paper will encourage states to share national policies on gender perspectives in cybersecurity. Now, I’ll tell you a bit more about the transparency measure that Canada has been advocating. For those of you who are members of the 2016-17 GGE, such as Canada, we at that time tabled a transparency measure which basically would encourage states to share information about their active cyber capabilities as well as conditions surrounding their use. Unfortunately, the proposal did not enjoy consensus within that GGE. Some states felt that it would encourage them or force them to divulge confidential or even secret information, which frankly was not the intent at all of the proposal. Rather, the intent of our proposal, then, as it is now, is simply to encourage states who have an active cyber capability to say so, and then ideally, also to say that they would use it in a manner that respects the agreed norms as well as international law. Canada, and many others have already done this. At the recent GGE, which Canada was not part of, we understand that this issue was presented again by others, debated at length, and that the final GGE report included a little bit of language on this. Canada applauds the progress that was made at the last GGE on this. But we also think that more progress could be made at the current OEWG. That is why Canada raised this issue within the cross-regional group convened by Germany. The idea seems to have received support within that group, and that is why it will be included in the working paper that will be presented to the wider group that you will get to see in the coming weeks. We hope that this proposal will receive support among the wider UN membership as it did within the cross-regional group. This would be a very simple non-binding way to increase transparency about states’ capabilities and conditions surrounding their possible use. I see that the red light is already flashing, so I’ll cut my remarks a bit short. I’ll say one last point. I’ll post my full speech on the portal so you can see all my answers, but I just wanted to answer one, about how the OEWG can facilitate a cross-regional exchange of ideas, experiences, and best practices. So like my US colleague, Canada believes that regional organizations are doing excellent work to implement CBMs. For example, at the OSCE, Canada is championing CBM-4, along with Kazakhstan. It aims to promote information sharing on national approaches to ensure an open, secure, and interoperable internet. We hope that this work will help protect the general availability and integrity of the internet, an objective that was shared by The Netherlands and others who have mentioned it this week. So I’ll wrap up by saying that regional organizations have done great work on this, but they also face challenges and barriers in further progressing on their work. While previous reports laid out CBMs they sometimes provided limited guidance on how the CBMs should be translated into concrete state action. So we hope that this will be WG will focus on practical measures to help states apply and implement the CBMs and transparency measures adopted in previous consensus reports. We look forward to working with you chair and other member states in order to move forward on this issue. Thank you.

Ambassador Gafoor  

Thank you for the statement, I now give the floor to the Russian Federation.

Russia

Distinguished Chair, distinguished colleagues, with a view to increasing the predictability and reducing the likelihood of misunderstandings as well as the risk of conflict in the IT space, states need to develop CBMs. These CBMs include the voluntary exchange of information on national strategies, legislation, and organizational structures, in order to ensure the information security of our countries. These CBMs also include, exchanging best practices when this is practicable and appropriate. We believe it is an urgent task to create a global mechanism for interstate interaction aiming to prevent computer attacks on information resources of states, including the exchange of information about computer incidents through the channels of authorized bodies. We should also consider developing a list of basic information, including technical data necessary to jointly determine the source of illegal ICT activity. In the event of a computer incident, in order to reduce tension and minimize its consequences, it is necessary to promptly eliminate the malicious activity associated with this incident. This is possible if competent experts quickly engage in these efforts, and if they are provided with the necessary technical data about the incident. Since many computer attacks today are carried out as false flag operations, the lack of relevant technical data often leads to a misinterpretation of incidents and misunderstandings between the parties. We reaffirm our readiness to strengthen contacts through National Computer Incident Response Teams or CIRSTs. On the Russian side, we have a competent agency which is the National Coordination Center for Computer incidents, NCCC. The NCCC’s experience of interaction with CIRTgroups of foreign states, shows that, to build effective interstate cooperation, it is necessary to ensure that this progress is strictly regulated. One of the ways to formalize the mechanisms of interaction between CIRT groups, is by establishing a directory of points of contact, POCs. These POCs will then carry out and coordinate interaction in the field of detecting, preventing, and mitigating the consequences of computer attacks, as well as responding to computer incidents. This tool is already being used as a CBM at regional forums such as the OSCE, via the  OSCE informal Working Group on Confidence Building Measures and information space, and the ASEAN Regional Forum on the security of, and in the use of ICTs. However, there’s no such mechanism within the UN. The establishment of a POC directory within the UN will help achieve the following goals. One, identifying POCs with which a CIRT group can communicate, and its country and other countries in the event of an incident affecting ICT security. Two reducing and overcoming tension and the threat of conflict due to misunderstandings and misperceptions of incidents related to ICT security. Three, updating the list of main contacts for the exchange of information about computer incidents that require an immediate response. In this regard as a practical measure to improve interaction and communication between the CIRTS group. We believe it is appropriate to use the existing experience of the aforementioned organizations and to establish a directory of POCs within the OEWG framework. As we develop this tool, it is necessary to define protocols and procedures for the interaction between POCs, which are responsible for the exchange of information at the technical and political levels. And to respond to the chairman’s specific questions we would like to say the following. The POCs responsible for interaction at the technical level within their competence and in accordance with their available potential and resources could do the following. One exchange information about computer incidents related to information resources within their area of responsibility. Two, to assist other states and respond to computer incidents and identify threats to information security after receiving the relevant request. Three, providing information about new threats to information security and sharing best practices. We also believe it will be useful to establish a POC directory on the basis of the following principles, a POC directory within the UN framework. One, the POC directory at the UN platform should contribute to reducing tensions and the threat of conflict due to misunderstanding and misperceptions of incidents related to ICT security. Calculations could lead to potential escalation. The directory could also facilitate communication and dialogue on the security of, and in the use of ICTs. POCs at the national level should also be authorized to carry out and coordinate work in the field of detection, prevention, and mitigation of the consequences of computer attacks, the directory could also respond to computer incidents, that is two, and number three, regardless of the international situation, the POCs will strive to maintain political neutrality, continue to work with other POCs, and responding to threats to security of and in the use of ICTs. Four, POCs, should not be subject to international sanctions. Five, POCs will opt for pragmatic cooperation and responding to threats to the security of it, and in the use of ICTs in order to avoid the risks of miss understanding, escalation and conflict which may arise from the use of ICTs. Also, lastly, in their activities, POCs should take into account the recommendations of the OEWG, and follow the rules, norms, and principles of responsible state behavior. In the information space, we also suggest discussing the possibility of exchanging national lists of areas in which Critical Information Infrastructure operates, as well as the criteria for categorizing this Critical Information Infrastructure. Thank you.

Ambassador Gafoor  

Thank you very much. I give the floor to the Islamic Republic of Iran, please.

Iran

Thank you, Mr Chair, and Good morning colleagues. Mr Chair, the ICT environment is a peaceful space and should be kept exclusively from the disarmament context. CBMs have weaponry and military history as well as connotation and shall not be applied in cyberspace. Trust and Confidence Building Measures in cyberspace shall be built into an ICT environment to address the main sources of mistrust in the ICT environment, particularly the monopoly in internet governance, anonymity, offensive cyber strategies and policies, hostile image building and xenophobia, unilateral coercive measures and the lack of responsibility of private companies, as well as platforms and their respective states for extraterritorial activities. We believe that the departure point is to realize multilateral fair and transparent internet governance. We are of the view that the monopoly in management and anonymity of persons and things are the main sources of mistrust on the internet, which necessitates relevant CBMs. The first and foremost approach is to address the shortcomings and downsides of the current internet governance system with a view to realizing long-awaited fair internet governance. Restrictive measures against other states in the ICT environment pose serious threats to the trust and confidence in the ICT environment and requires Confidence Building Measures. It is an important confidence-building measure that states refrain from adopting any measure that restricts or prevents universal access to the ICTs benefits. Lack of common understanding also constitutes a major potential source of mistrust in the ICT environment. Among other attempts to minimize the risk of misunderstandings and avoid misperceptions, the OEWG should develop an agreed-upon terminology consisting of basic terms or a type of glossary for clarification. We consider it important to develop universal terminology with regard to the security and use of ICTs. In the same vein, the lack of a legally binding framework to regulate behavior in the ICT environment constitutes to serve as a major barrier to confidence building. The scope of trust and confidence building should be extended to areas such as limiting, blocking and coercive policies and measures against other states, ICT products, services and contents, to name a few. Thank you, Mr Chair.

Ambassador Gafoor  

Thank you for the statement. I now give the floor to India, please.

India

Mr Chair, Confidence Building Measures,  when integrated with capacity building and normative framework for responsible state behavior in cyberspace, play a crucial role in building trust, cooperation, transparency and confidence for member states. CBMs are a concrete expression of international cooperation and developing such CBMs will be a long-term and progressive commitment, requiring the sustained engagement of states. Sharing of points of contact, exchange of information, workshops, conferences, tabletop exercise, authorizing procedures to bring in national agencies, in addition to CSIRTs, exchange of professionals for training purposes, familiarizing each other on the latest developments in the use of ICTs through bilateral, regional and multilateral platforms, exchange of views on various latest issues pertaining to ICTs, need to be part of CBMs. The OEWG offers an opportunity for a neutral and objective discussion on global ICT security threats that demand new, innovative, inclusive and universal approaches. Identification and exchange of appropriate points of contact at the policy and technical levels, can facilitate secure and direct communication between states to help prevent and address serious ICT incidents and de-escalate tensions in situations of crisis. Communication between POCs can help reduce tensions and prevent misunderstandings and misperceptions that may stem from ICT incidents, including those affecting critical infrastructure, and that have national, regional or global impact. They can also increase information sharing and enable states to more effectively manage and resolve ICT incidents. In the processes of developing and implementing CBMs, the role of multi-stakeholders is vital. A close public-private partnership is a foundational need for inclusive and universal CBMs. The OEWG can discuss setting up a practical mechanism that involves the private sector, academia, civil society and the technical community. It can have resilient mechanisms for cooperation so that the stakeholders can contribute significantly to facilitating such consultations and engagement. The member states could greatly benefit from the identification of activities that can be carried out through mutual cooperation, timely exchange of information on threats targeting infrastructure located in the international counterpart constituency, and holding periodical consultations on the latest threats observed to enhance the mutual trust of international partners. To continue strengthening cooperative measures relevant to national Computer Emergency Response Teams and other authorized bodies, states could encourage the dissemination of information and good practices on establishing and sustaining national CERTs/CSIRTs, and on incident management through existing regional and global emergency response organizations and networks. In order to build a common understanding under the framework of the OEWG, a framework for the exchange of national views and practices on ICT security incidents would greatly benefit member states in building lasting CBMs. Timely exchange of threat information, ICT security advice, guidance, database studies and availability of the same, to an extent in the public domain, would help in building trust and predictability, reducing the possibility of misinterpretation and escalation and helping organizations and agencies make good risk management decisions. The OEWG needs to give priority to practical areas of cooperation in CBMs, such as exercises, training of ICT professionals, exchange of professionals and latest ICT tools, and other need-based CBMs. The OEWG may form a consensus-based list of CBMs with practical areas of cooperation that member states can explore and prepare national, regional and other multilateral organizations, to explore the same for building a universal approach to CBMs. Thank you, Mr Chair.

Ambassador Gafoor  

Thank you very much. I now give floor now to Cambodia, please.

Cambodia

Thank you, Mr Chair. I had the honor to deliver the statement on behalf of the Association of Southeast Asian Nations, ASEAN. Please be assured of ASEAN’s full cooperation and support for your work as Chair. ASEAN reiterates the critical and central role of the UN in the discussion on cybersecurity, which must remain open and inclusive. ASEAN reaffirms the need to enhance cooperation to promote an open secure, stable, accessible and interoperable and a peaceful ICT environment, and prevent the risk of misperception and miscalculation by developing trust and confidence. We should continue to build on the successful outcome including the final report of the OEWG 2019-2021, and the reiteration of the GGE. In ASEAN, cooperation on cybersecurity cuts across pillars and sectors, guided by the ASEAN digital master plan 2025 (ADM 2025) and the ASEAN Cybersecurity Cooperation Strategy 2021-2035, that was adopted by the ASEAN digital ministers in January 2022. The cybersecurity cooperation strategy has been developed in response to a newer cyber development since 2017, and builds on it proceeding strategy to ensure that there are no weak links in the collective effort to secure the cyberspace for the region’s digital economy and community to grow. ASEAN highlights the importance of enhancing cybersecurity cooperation to secure ASEAN future economy and digitalization initiative, especially in view of the recent rise in global cybersecurity and supply chain attacks and threat. The development of ASEAN CERT and its core component, the CERT to CERT information exchange mechanism, aims to strengthen the region’s cybersecurity incident response and preparedness. Mr Chair, ASEAN reinforced cybersecurity cooperation and capacity building under the coordination of the ASEAN Cybersecurity Coordinating Committee (ASEAN Cyber CC) to enhance the continued development of a secure, resilient, interoperable and rule-based cyberspace, as a key component of digital transformation by encouraging policy coherence across sectors and ASEAN member states, strengthening ASEAN centrality in the region cybersecurity architectures and enhance alignment of regional cybersecurity policy. ASEAN also stress the importance of international cooperation and capacity building in this field, which will allow states, especially developing countries, to effectively implement the 11 voluntary non-binding norms of responsible state behavior in the use of ICTs. To this end, the role of work of the ASEAN-Singapore Cybersecurity Center of Excellence in Singapore, and the ASEAN-Japan Cybersecurity Capacity Building Center in Thailand, further support the common goal of enhancing the region capacity as a whole. We look forward to exploring further opportunities to work in tandem with the UN in this regard, especially through the ASEAN-UN comprehensive partnership. As you know, all efforts are driven by the ASEAN consolidated strategy on the fourth industrial revolution (4IR), which was adopted by the ASEAN leaders at the 38th ASEAN summit on the 26th of October 2021, among others. The fourth IR strategy offers a strategic framework that envisioned creating a digital ASEAN by focusing on several areas, which include promoting technology, governance and cybersecurity, with a view to realizing a digital ASEAN that is open, secure, transparent, and connected, that respects privacy and ethics in line with international best practices. ASEAN also utilize the ASEAN Regional Forum, (ARF) inter-sessional meeting on security and in the use of information and communication technologies (ARF ISM on ICTs security) to facilitate dialogue and cooperation in promoting confidence building and trust, information sharing and capacity building. In addition, through the ASEAN Defence Ministers Meeting [ADMM+] Expert Working Group on Cyber Security (EWG on CS) and ASEAN and its plus partner accomplished: one, the development of the compiled glossary of cyber terminology; two, the development of the points of contact and technical personnel; three, the conduct of tabletop exercises; and four, the set of ADMM+ EWG on CS portal. ASEAN notes that there is synergy between this initiative and one that is being proposed at the OEWG. We look forward to sharing our experience and lesson learned to further develop this idea at the global level. I thank you, Mr Chairman.

Ambassador Gafoor  

Thank you for the statement. I now give the floor to Egypt.

Egypt

Thank you, Mr Chair. Previous GGEs and the last OEWG reports, have recognized that CBMs strengthen international peace and security and they can increase interstate cooperation, transparency, predictability and stability in cybersecurity sphere. While states should take into consideration the guidelines or CBMs adopted by the autonomic commission in 1988, and endorsed by consensus by the General Assembly Resolution 43/78. The current international situation proves the increasing importance of connecting redress and rebuilding trust between member states. While the OEWG provides an important step toward the Confidence Building Measures there is an urgency for developing extra measures in this regard. Moreover, many delegations, including Egypt, refer to the importance of the cooperation between relevant CERTs. It is also important to underscore that there is a big number of delegations or member states might lack the basic knowledge of cybersecurity and its relevant issues, and it proves that there is an urgent need for guidance on taking the first steps towards developing their national cybersecurity strategies. In this context, it is timely to elaborate the proposal of establishing a directory of points of contact of CERTs on the technical and political levels to facilitate the bilateral, regional and international cooperation on cybersecurity issues. Furthermore, it is important to push forward CBMs through encouraging member states to have a guidance by the voluntary national survey of implementation of Cyber Policy Portal within UNIDIR. Taking into consideration that, as mentioned yesterday by the UNIDIR presentation, that it relies on the open source information, and it might be also important to consider developing a tool within the UNIDIR for interested states to allow the voluntary national reporting and also to be accessed only by member states. Addressing the question on how the OEWG would substantively engage with regional initiatives, it is possible that the OEWG would hold informal dedicated meetings with relevant regional bodies/initiatives, with a focus on trading experiences and good practices, and it might consider developing a compilation document addressing the gaps and overlaps for states’ needs. Thank you, Mr Chair.

Ambassador Gafoor  

Thank you. I give the floor to El Salvador.

El Salvador

Thank you very much, Chairman. When it comes to CBMs, our delegation believes that we should continue to work on this issue at the sub-regional, regional and international levels. Our delegation shares the importance of these voluntary measures as a means of reducing tensions in cyberspace to bolster international trust and promote the peaceful use of ICTs. We believe that in order to continue working on existing norms that already pertain to important issues, that is an important matter, such as the means of protecting critical infrastructure, and we could also broaden the work on standardizing these steps between member states so that we have a regional balance on this important issue. We also think it’s important that the UN continue to look into other aspects related to this, including cooperation between states, so as to bolster capacity in terms of the transfer of knowledge and know how to bolster national cybersecurity. Our delegation endorses the proposal for creation of a repertory of points of contact, which could be a useful way of showing information about potential threats. This should contain names and the states that they pertain to and the relevant contact information in each state. And it should constantly be updated so that we can ensure that the contact data can be useful if an emergency arises. We could also look into the possibility of having technical operative contact points, and also contact points for those working on cybersecurity. This global directory should be made operational and it should be periodically updated. Thank you.

Pakistan

Thank you very much. I give the floor to Pakistan.

Pakistan

Thank you for this opportunity. [Unclear] CBMs for fostering trust, cooperation, transparency and predictability among the member states so much important. CBMs are important to avert misunderstanding and ensuing escalation of conflict. Pakistan supports the idea of CBMs as an interim measure that should lead to concrete legally binding rules to regulate cyberspace. Moreover, Pakistan expresses deep concern about the rising trend of cyber attacks on critical infrastructure which is getting more complex and sophisticated with the passage of time. The emergence of AI assisted cyber attacks, such as deep fakes training and data poisoning, have added no linear paths to escalation, in such circumstances, CBMs are of vital importance. Pakistan has always supported the idea of CBMs and further proposes the following measures. Increasing cooperation among the respective CERTs of member states, that investigate and trace back the origin of the cyberattacks. However, the limitations on the technical capacities of developing countries to address such requests must be kept in mind. Appointment of national POCs and establishment of outlines, this will help in averting confusion and the prompt exchange of information in case of a major cyber attack against critical infrastructure. To ensure transparency, the relevant information about military cyber capabilities may be shared and uploaded on the UNIDIR cyber portal. Voluntary and timely disclosure of hardware and software vulnerabilities by the member states, and sharing it with other countries will also be helpful and will be a key component of an effective CBM. Through joint research and investment in cyber-related projects and exchange of best practices, along with taking CBMs at regional and sub-regional levels, CBMs must be discussed and taken at the UN level to give them global recognition. Thank you.

Ambassador Gafoor  

Thank you very much. I now give the floor to Germany.

Germany

Thank you, Chair. Within the UNGGEs at the previous Open-ended Working Group, substantial progress has been made over the years to work out CBMs for cyberspace. It is the conviction of Germany and many other states that further work should be invested to enhance the operationalization of CBMs. Therefore, as already mentioned by Canada, Germany is working with partners in an open, cross-regional group to advance cyber Confidence Building Measures in the Open-ended Working Group, in order to further elaborate cyber CBMs for implementation by EU member states, in voluntary non-binding manner. Germany believes that CBMs, to be put into action at the UN level, can cover a wide range of thematic aspects, such as operationalizing points of contact, network sharing of information and best practices, and holding cyber exercises. Partners may expand on this further. A dedicated CBM should be implemented to cover cooperation with the private sector, as private IT companies and industry associations can contribute to confidence-building via sharing of information on current threats, offering technical analysis and improving standards of training. Germany welcomes India’s recommendations to form a public-private partnership. Germany looks forward to elaborating these ideas further in the Open-ended Working Group, and in preparation for this, will further substantiate ideas internationally within the open cross-regional group to advance cyber confidence building that was formed. Being open and informal, this working group welcomes any other states wishing to take CBMs to an operational level. Germany would like to echo some of the remarks made by the United States on the importance of identifying the right recurring venues, organizational setup and incentives to assist UN member states with the implementation of CBM. These very practical questions should be considered by this group as we deepen our discussion under this agenda item. UNIDIR could play a facilitating role here as suggested by the Republic of Korea and Egypt. Finally, a question to address what may be on the minds of many delegations: is this the right moment in time to consider Confidence Building Measures at the UN level? An infinite amount of trust has been destroyed over the past weeks by the war on Germany’s home continent, Europe. This very grave cause of conflict has reinforced Germany’s conviction that advancing Confidence Building Measures as part of the work of this group is of high relevance and should be further prioritized in view of allowing the Open-ended Working Group to deliver results with a tangible impact on cyber stability. Thank you.

Ambassador Gafoor  

Thank you. I’ll give the floor to Kenya, please.

Kenya

Thank you, Chair. Confidence Building Measures are essential to building trust and a common understanding of cyber threats and actions to mitigate them. The OEWG is itself a Confidence Building Measure. Kenya continues to participate in CBM initiatives through bilateral, multilateral and regional initiatives. We believe that the OEWG process that facilitates the integration of outcomes from such multilateral regional initiatives into the work and discussions here in New York, but clearly in the area of lessons learned and recommendations on best practices and global industry standards that contribute to successful CBM implementation. It is in this regard that Kenya welcomes initiatives, such as the UNIDIR Cyber Policy Portal, which contribute to confidence building among states. We urge that such platforms that deal with cyber-related policy issues continue to be guided by transparency, and consultations with member states. Kenya also supports the establishment of a shared directory of national points of contact on technical policy and diplomatic matters that is up to date, secure and operational. Kenya wishes to restate the need for cooperation in a manner consistent with national and international law, with requests from states to other states investigation activity-related crime, or the use of ICTs for terrorist purposes, or to mitigate malicious ICT activity emanating from the territory as recommended in the relevant UNGGE reports. Member States should be encouraged to exchange views, best practices, lessons learned, advisories and information on a voluntary basis on national strategies and policies to improve international and regional cooperation in the area of cybersecurity. Chair, I conclude by affirming that, just like in the other areas of ICT, the implementation of Confidence Building Measures must be undergirded by meaningful investments and enhanced capacities. Thank you.

Ambassador Gafoor  

Thank you for the statement. Netherlands, please.

The Netherlands  

Thank you, Chair. Under the current circumstances, the international community faces unprecedented risks of misinterpretation, miscalculation and escalation of cyber incidents as one key element of the framework for responsible state behavior in cyberspace, Confidence Building Measures are an essential tool in mitigating these risks. In an effort to step up global CBM cooperation, The Netherlands also joined an open cross-regional group to advance cyber Confidence Building Measures in the OEWG. It is our hope that this informal group can put forward practical ideas that bring the CBMs to life. An important first step would be to establish a global network of points of contact at the policy, diplomatic and technical levels. In addition, states might consider to establish or identify appropriate points of contact within the private sector. A global network of points of contact should be more than an Excel sheet. For it to have practical value, the network should work on the basis of clear procedures to ensure effective exchanges and conduct regular communication checks and exercises. Chair, you asked us in your guiding questions how the Open-ended Working Group may facilitate cross-regional exchanges of ideas. Regional organizations are well placed to develop effective CBMs by tailoring them to their specific contexts and priorities. As we have heard in different interventions, several regional organizations have done so successfully and managed to go beyond the global CBMs developed at the UN level. We believe cross-regional sharing of experiences and best practices can be helpful for regions to develop new CBMs or advance the implementation of existing ones. Allow us to share our experience regarding a CBM agreed within the OSCE on coordinated vulnerability disclosures. We identified that an important first step in promoting regional cooperation in this area was for states to develop national coordinated vulnerability disclosure policies. Such policies can lead to the establishment of mechanisms, in which vulnerabilities can be disclosed in a controlled manner, allowing for faster remediation and enhanced security. The Netherlands has published its policy online and would be happy to share it with the group. Finally, Chair, it should be emphasized that these practical steps by themselves will not be enough to prevent conflict in cyberspace. We continue to encourage all states to publicly reiterate their commitment to and act in accordance with the framework for responsible state behavior developed by consensus, because that, we believe, is ultimately the prerequisite for confidence building. Thank you.

Ambassador Gafoor  

Thank you. I give the floor to Ghana, please.

Ghana

Mr Chair, thank you for giving me the floor. According to the United Nations Disarmament Commission’s guidelines for appropriate types of Confidence Building Measures, adopted in 1988, Confidence Building measures are expected to reduce the dangers of misunderstandings or miscalculations of military activities, reduce the risk of surprise attacks and prevent the outbreak of war by accidents. In the field of cybersecurity, CBMs constitute an essential pillar that can help strengthen international peace and security on all fronts. Transparency measures for instance, constitute a key element of CBMs. Transparency measures such as the publication of national views on a variety of cyber concerns could help reduce tensions in cyberspace and build trust and confidence among states. Mr Chair, to further strengthen CBMs, processes and procedures for sub-regional, regional and international dialogue should be established. Regular institutional dialogue with the involvement of key stakeholders should also be encouraged. Meanwhile, workshops seminars and exercises that help refine national deliberations must not be overlooked. Mr Chair, my delegation is of the view that CBMs for crisis management, such as the establishment of a multilateral cyber hotline and a cyber attack attribution and adjudication council, could help facilitate consultation and dialogue between states in unknown or unforeseen scenarios. Additionally, discussions during this OEWG process should continue to deliberate on the establishment of the proposed global points of contact directory. We believe that states can learn from existing conventions like the Budapest convention, that makes provisions for 24/7 points of contact and also consider some of the provisions for the establishment of networks that provide legal information and technical advice, among others. Thank you.

Ambassador Gafoor  

Thank you very much. Costa Rica, please.

Costa Rica

Mr Chairman, Costa Rica will respond to points 1, 3, 4, 7 and 8, in relation to Confidence Building Measures. The first guiding question which we’ll discuss is, how the OEWG can substantively engage with regional and sub-regional organizations. The OAS, ASEAN and the OSCE could brief the OEWG and share their experiences with implementing Confidence Building Measures, and the OEWG secretariat could compile the recommendations relevant to implementing CBMs on an international level. When it comes to the fourth question, the current prevailing consensus seems to be, that due to the nature of the cyber domain Confidence Building Measures that focus on cooperation, information sharing and transparency, are most adaptable to the cyber context. Many of these are already reflected in the existing acquis, such as exchanging information on national policies, sharing threat information and cooperating in response to attacks on critical infrastructure. It’s possible that other security domains with CBM regimes, such as nuclear security, biological weapons or outer space may have other measures to add. Whether or not there are specific measures that can be adapted, in any case, it should not be discounted that trust and confidence built between states in one area can lay the foundations for stronger trust relationships and engagement in other areas. When it comes to the seventh guiding question, we believe that states reporting updates in national cyber strategies or policies, or identifying the relevant positions within agencies responsible for ICT matters in the UNIDIR Cyber Policy Portal is per se a confidence-building measure because it promotes transparency and improved mutual understanding between states. States can proactively submit updates to UNIDIR and the group can create a template for submissions as part of a CBM reporting regime, for instance. However, imposing reporting requirements or requesting regular updates from states, if doing that the group should be mindful of capacity challenges. On the eighth question, we believe that the establishment of points of contact directory should be guided by principles of trust, cooperation and functionality. States must be committed to working together to create a directory to enhance trust and to reduce misperceptions in the digital space. The establishment of a global point of contact directory is an opportunity to just take a step beyond verbal commitments to cooperation and to cooperate at a basic level. That is to say opening up a channel of communication. The directory must also be functional, that is to say, it should contain the names, contact information and positions of relevant contacts, and it should specify if they are responsible for the technical policy, diplomatic domain or another area. It should also be updated regularly to ensure that contacts are not out of date. Running tests and joint exercises can help ensure that the network is actually functional, as has been done in the case of both the OSCE and the ASEAN regional forum networks. On the ninth question, we believe that a study that compiles the experience of these kinds of networks at the regional level, as well as looking to the technical community for guidance, will be very useful for offering lessons and best practices to ensure operability and facilitating participation. Particularly if we look at regions, where such directories have been operationalized and are currently in use it may be useful to understand how participating states view these directories, and in which situations they are most useful. This could help focus the efforts to create an international directory and design it with the best practices in mind. Thank you.

Ambassador Gafoor  

Thank you for the statement. Brazil, please.

Brazil

Thank you, Mr Chairman. Brazil supports the implementation of the existing CBMs as reflected in the acquis. They are conducive to the implementation of the voluntary non-binding norms of responsible behavior of states. The 2021 GGE report describes several important cooperative and transparency measures that can be taken voluntarily by states. These should be the basis of our work, regarding your guiding questions on how to better support their implementation, my delegation believes that this group should start by making operational the network of national focal points for the voluntary exchange of information. To avoid fragmentation of efforts, we could use the UNIDIR Cyber Policy Portal for that purpose. To better define the information to be collected by the platform, as well as other relevant operational details, we would welcome a study by the Secretariat on the different solutions found in this regard by existing regional CBM platforms. This study, which should be technical and neutral, would give member states more concrete elements to move forward with the POCs database. Mr Chair, my delegation would like to point out the need when implementing existing cyber CBMs to safeguard advances made in the following aspects of the trust ecosystems that underpin cyberspace. Firstly, the regional dimension of CBMs. In the case of the Americas, they have be discussed within the framework of the Organization of American States. This group should facilitate cross-regional dialogue and exchange of experiences for mutual learning, convening meetings and briefings for that purpose. Secondly, the bilateral dimension of CBMs. In Brazil’s case, the Cabinet for Institutional Security of the Presidency of the Republic, has been exchanging experience for security policies with interested countries – an exercise that has been an important source of learning for my own country. Thirdly, the non-state dimension of trust-building between Cyber Incident Response Teams acknowledged in paragraph 46 of the first OEWG report. Those teams coordinate at the international level through the Forum of Incident Response and Security Teams (FIRST) and apply the CSIRTs services framework. Our efforts as states should be informed by that reality. In this regard, I am happy to inform that the Brazilian Government Center for Prevention’s Treatment and Response to Cyber Incidents has just joined the FIRST network this week, Mr Chair. Another step ahead in the strengthening of our Cyber Framework. As this group moves forward on the implementation of the existing CBMs, it can also discuss new ones as needed. In doing so, regional experiences are a valid reference. Of course, we are not proposing to adopt one or the other regional standard but to exchange views between them aiming at a global understanding. Brazil will be happy to further discuss CBMs, including through the open cross-regional group to advance cyber Confidence Building Measures in the OEWG, mentioned by Canada, Germany and others. This group will be happy to take more interested countries on board. Finally, Mr Chair, I would like to point that in accordance to paragraph 43 of the previous OEWG  report, states recognized that dialogue within the OEWG is itself a CBM. In line with that, we believe strongly, that the first CBM this group must implement is agreeing on its own modalities of work by consensus before the next session. Thank you, Mr Chair.

Ambassador Gafoor  

Thank you very much, Brazil, you’re absolutely right, that CBMs like diplomacy starts at home. So, before we talk about CBMs, we must ourselves be able to have sufficient trust to agree on many things within this working group with consensus. So, I hope that will be possible in the days and months to come. Botswana, you have the floor, please.

Botswana

Thank you, Chair. And good morning to you and colleagues. We wish to address your specific questions on Confidence-Building Measures. We share this (chest estimates) that the OEWG is a confidence-building measure in itself and from the onset, align ourselves with those who spoke before us, that the states must be guided in the implementation of existing CBMs, as Brazil has indicated. In addition to that, we strongly advocate for the inclusion of regional bodies and organizations right from the inception of the OEWG work and through a framework that can be developed for this purpose. The regional bodies have the potential to offer advice as they fully appreciate the situation at the regional levels and can offer independent perspectives on the status of security and use of ICTs, and can be used as vehicles for oversight support and advice for member states. However, we need to know that some regional bodies and organizations at this moment may be pursuing other agendas not aligned necessarily to the developments in the field of information and telecommunications in the context of international security, as in the case of SADC presently. We therefore proffer that a program be developed that will empower these regional bodies on the question of developments in the field of information and telecommunications technology in the context of international security and they be provided with the necessary capacity and support to contextualize the CBMs that they are currently pursuing. At the SADC level, we know that the forum focused on ICTs already exists, albeit for purposes of exchange of ICT developmental ideas, enhancing dialogue between member states and disseminating the information on common strategic issues, resource mobilization and harmonization, alignment and mutual accountability. This we believe, Mr Chair, goes a long way in confidence building among states. Based on CBMs of transparency cooperative instability fostered during times of peace [unclear], and calculated in programs of regional and international bodies, Mr. Chair, we believe in terms of difficulty and apprehension it would become a lot easier for dialogue to resolve whatever uncertainty or difficult situation arising between states. However, we believe it is conditional upon continuous dialogue between states, dialogue between regional bodies at the global level, looking at policy, technical and policy dimensions, recognizing these are interrelated. We believe this will augment the work of the OEWG. Botswana acknowledges the Cyber Policy Portal and it provides an interactive reference tool for policymakers, and it will be useful for that purpose. And we believe that the portal provides information on country profiles, summarizing and linking key cyber initiatives. In this way, it is a valuable platform for building and fostering confidence and transparency between states. We thank you, Chair.

Ambassador Gafoor  

Thank you very much. Thailand, please.

Thailand

Thank you, Mr Chair. Thailand associates itself with the statements made by Indonesia on behalf of NAM and Cambodia on behalf of ASEAN, and would like to make a few points in a national capacity. Throughout the session, several states have recognized the important role of regional organizations in forging trust, predictability and stability in the use of ICTs by states. Thailand would like to echo that notion and having carefully reflected on the Chair’s guiding questions, would like to focus this intervention by highlighting some examples and lessons on CBMs at the regional level, particularly from our region. First, a notable initiative that has been highlighted by several delegations throughout this meeting is a multi-year cyber capacity building program focused on supporting the effective implementation of UN norms of responsible state behavior in cyberspace throughout ASEAN. The initiative provided ASEAN member states with a valuable opportunity to share and discuss good practices and policies. We invite all states to draw on examples and lessons from this initiative with hopes that it may inspire similar efforts in other regions. We thank the governments of the United Kingdom and Australia and the Australian Strategic Policy Institute for their support and partnership. Second, drawing from Thailand’s experience we believe that regional efforts in promoting CBMs should be centralized and guided by a comprehensive yet flexible plan. As in the case with ASEAN, the ASEAN Cybersecurity Coordinating Committee is key to advancing the region’s efforts in cyberspace, which reinforces ASEAN centrality. In January 2022, ASEAN adopted its latest cybersecurity cooperation strategy. The update enables ASEAN to respond to new developments in ICTs and advance our incident preparedness. At the global level, states may consider establishing similar mechanisms or cybersecurity strategies to serve as global CBMs. Third, Thailand and other ASEAN Regional Forum member states have seen merit in regularly updating and testing points of contact directories. We also support the establishment of a POCs directory at the technical, policy and diplomatic levels and also at the global level. Fourth, Thailand supports the establishment of a platform to enhance voluntary information exchange and cooperation among national CERTs. We believe this to be useful to strengthen trust among states and subsequently result in strengthening our collective capacity to respond to the evolving cross-border challenges in cyberspace. Finally, Thailand continues to benefit from several other noteworthy and shifting initiatives that seek to bring together cross-regional actors to exchange experience and information, including the women and international security in cyberspace fellowship, organized by UNITAR and its partners, and also the UNIDIR’s Cyber Policy Portal. Thailand will continue to support the ongoing efforts of various states and stakeholders that aim to foster and broaden opportunities and spaces for discussion. Thank you, Mr Chair.

Ambassador Gafoor  

Thank you very much. Mexico, please.

Mexico

Thank you very much, Mr Chairman. We recognize the statements that have been delivered so far this morning and we would like to add some additional points. We particularly like to touch on the relevance of Confidence Building Measures as a key part of the UN framework. The framework that we have built up both in the context of the GGE report and within the Open-ended Working Group. At the same time, as we have previously indicated, in regional organizations we think that progress can be made on joint concerns being addressed but we also think that can be an inter-regional dialogue, and additional efforts can be made to roll out Confidence Building Measures. We must also have dialogue between regions, between organizations as this will allow us to make headway in identifying potential Confidence Building Measures. These regions will allow us to make progress in designing and ultimately adopting these measures and as part of this dialogue, we would also like to underscore the initiative that a group of member states has taken – this includes Germany, Canada, Brazil and other states; Mexico is also an active part of this – this is an open trans-regional group that attempts to make headway on these CBMs within this area OEWG. Of course, we are open to broader participation in the group and we hope to come up with a framework and we think that should be of interest for the entire working group. We will continue to work on this of course, Mr Chairman, and we’re very grateful for your kind attention. Thank you.

Ambassador Gafoor 

Ambassador Gafoor  

Thank you very much. I now give the floor to the OAS, please. Organization of American States, please.

Organization of American States  

Thank you very much, Chair, and thank you for the opportunity to address the member states, even in this informal setting. Given it’s the first time that we are taking the floor, we wanted to thank you for your astute leadership in this working group. Chair, we would like to take this opportunity just to highlight to member states how the OAS on CBMs has certain lessons that can be learned through its working group and cooperation and Confidence-Building Measures. As an example, I’ll try to give you three quick ones. The OAS member states have recognized the work of the UN, particularly the UNGGE and Open-ended Working Group. At its highest meeting the General Assembly and resolution of 2021, member states agreed to call on our working group to actually study the ways that we could implement the norms for responsible state behavior, as highlighted in the GGE report and the Open-ended Working Group report. They also called on member states to endorse the 2021 consensus reports of the Open-ended Working Group and to commit to supporting an implementation framework for responsible state behavior. Chair, this mandate highlights that at the regional level, adopting more proactive cybersecurity approaches by taking into account the international applicability to our regional context, create an environment that can foster regional and global harmonization. As context, as early as 1991 the OAS has been implementing and creating CBMs and have also agreed as early as then that we should work at the regional and cross-regional level with entities such as the OSCE, ASEAN and African Union. Since the formulation of the CBMs Working Group in 2018, we have since developed a portal which seeks to emphasize the CBM measure number one and two, which asked OAS member states to identify points of contact, both policy and technology. The working groups portal brings together on one platform, contact details of its members, consolidates a repository of relevant policies and documents on cybersecurity, and serves as a resource of information for member states on training. The cybersecurity program also uses this platform to allow member states to email each other directly with their designated email addresses. Finally, through this platform, the cybersecurity program has also been able to offer targeted training on cyber diplomacy and international law. Finally, we think it’s important to highlight to member states that, as the OAS, we have a mechanism that facilitates inter-regional cooperation, which is evidenced by our permanent observers. The OAS currently has over 71 permanent observers who have been actively participating in our activities. We believe that even through their work in our region we have been able to stage several capacity building programs and we have seen that this cross-border collaboration with our permanent observers, namely, as an example the EU, we have Estonia, we have Spain as observers, we have been able to have an impact in our region. Therefore, we would like to state specifically, Chair, similarly to the last Open-ended Working Group, to be the OAS’s pleasure to act as the original convener of future meetings around this topic and to facilitate for the member states here involvement of stakeholders as determined by the member states. Chair, thank you for allowing us to share our thoughts on this, and we wish you a very fruitful conclusion to your deliberations this week.

Ambassador Gafoor  

Thank you very much, OAS, for bringing us regional perspective. Jordan, please.

Jordan

Thank you, Chair. I would like to underline the importance of CBMs related to the use of ICTs by states in both peaceful times and times of war. This allows us to ensure stability and to avoid escalation and miscalculations. This, in turn, guarantees cybersecurity. The OEWG may present recommendations on this issue and promote the portal for cyber policy. Distinguished Chair, we are pleased that states are sharing best practices on this portal. States should also identify POCs for both diplomacy and technical issues through the portal and using a single form they can then submit the necessary information. We support the proposals bearing on the need to regularly communicate with the POCs. The POCs should also undergo regular training and maintain regular contact. We must ensure the exchange of information for everyone in order to increase transparency and trust. Distinguished Chair, dialogue is important and sharing information between states and regional and international organizations, which strengthens transparency, trust and international cooperation. The OEWG could also involve stakeholders from civil society, from the public sector, from academia to share experiences and participate in the discussions. CERTs should share information and best practices through bilateral and multilateral agreements, and address official requests for interaction with the cyber portals. The OEWG could turn this portal into an interactive platform similar to other platforms working on these issues. Thank you, Chair.

Ambassador Gafoor  

Thank you very much. I give the floor to Singapore.

Singapore  

Singapore aligns itself with the statement delivered by Cambodia on behalf of ASEAN. Confidence Building Measures are important in reducing the risk of misunderstandings preventing and de-escalating conflicts. It is timely to operationalize the inaugural OEWGs recommendation of establishing a global directory of national points of contact at the technical, policy and diplomatic levels. This would facilitate expedient communications in real-time and improve response coordination in the long run. POC directories and regional organizations serve as useful models for a larger UN Global POCs directory. We welcome Australia and Mexico’s proposal of a voluntary national survey that would facilitate the identification of national points of contact by member states. As Singapore proposed during the first substantive session, and was noted by delegations such as the United States, tabletop exercises could be a practical way to quickly translate this directory into an active network that provides value to states. Such exercises have been organized at the regional level already, but they are not necessarily accessible to all member states, especially those outside of established regional CERT networks. To address this, Singapore has proposed a TTS program that is open to all United Nations member states that have nominated POCs in the operational or technical domain. Future iterations of the TTS could be extended to include POCs in the diplomatic policy and other relevant domains. The TTS program will consist of a series of standalone exercises that will increase in complexity over a three-year cycle. Exercises will be based on real-world scenarios to hone and refine the skills needed by national POCs. We expect the program to also complement networks from the technical community, like FIRST or regional groupings such as APCERT. We welcome feedback and expressions of interest from member states to work with us on our proposal. We intend to circulate the concept note for the TTS program and publish it on the OEWG website shortly after the end of this session. Regional organizations can play a significant role in collectively operationalizing CBMs. Within the framework of ASEAN, the ARF inter-sessional meeting on ICT security focuses on the adoption of CBMs and capacity-building initiatives. During our co-chairmanship of the ASEAN Regional Forum ISM on ICT security, Singapore worked with other coaches in Japan and Malaysia to facilitate inter-regional information sharing, awareness-raising, as well as the exchange of best practices on the protection of CII. The OEWG could request regional organizations to share their CBMs and experiences in their implementation. The UNIDIR cyber policy is a helpful resource for states and regional organizations to share information about the existing CBMs. It will be useful for the Secretariat and UNIDIR to work with organizations such as the Global Forum on Cyber Expertise, or other stakeholders to conduct a study on existing regional level CBMs. We can identify synergies and commonalities in operationalizing  the existing CBMs, and these findings could be shared with the OEWG. Singapore is part of an open cross-regional group to advance and operationalize cyber CBMs in the OEWG led by Germany, and mentioned by Canada, among other states earlier. We welcome the participation of more member states in this initiative to advance our collective cooperation on CBMs at the OEWG. Thank you.

Ambassador Gafoor  

Thank you very much. Malaysia, please.

Malaysia

Thank you, Mr Chair, distinguished delegates, ladies and gentlemen. Malaysia aligns itself with the statement delivered by Cambodia on behalf of ASEAN. We would also like to put forward certain points in our national capacity. Malaysia strongly supports Confidence Building Measures as tools to address misunderstanding and misperception of events, which may lead to miscalculation, escalations of tensions, and potential conflict. The distinct contributions of CBMs in instilling trust and confidence among states are widely recognized. Mr Chair, Malaysia is of the view that this OEWG can facilitate the cross-regional exchange of ideas, experiences and best practices in the development and implementation of Confidence Building Measures, by unpacking and assessing CBMs which share commonalities and have the potential to be harmonized. Sustained conversations and voluntary sharing of information, as well as the conduct of practical exercises, could be explored by relevant parties. The exercise of collating and analyzing CBMs can subsequently be documented as reference material for all the states. The UNIDIR Cyber Policy Portal functions can further be extended to record the result with a view to setting up a repository of CBMs. Malaysia believes that the establishment of global points of contact directory are among the most immediate CBMs which states can collectively implement. In this connection, the UNIDIRs Cyber Policy Portal may be utilized. On the question of whether new CBMs are required, Malaysia is of the view that we should review and strengthen existing common CBMs. With the effective implementations new CBMs will naturally be identified, having due regards to the new and emerging technologies. Emphasis should be placed on how best to extend or create linkages between states as well as other stakeholders in the CBMs framework. Such linkages are indeed important as the cybersecurity architecture exists in a multistakeholder ecosystem where all stakeholders should engage in an atmosphere of trust and confidence. Mr Chair, Malaysia and Australia, under the platform of the ASEAN Regional Forum, have called it the development of ARI Cyber Point of Contact Initiative – an important CBM for our region. Following the establishment of the directory, email testing has been conducted to assert workability among ARF participating members, which had voluntarily submitted their respective national point of contacts. Such periodic testing has been undertaken at strategic and working levels and with the involvement of representatives from diplomatic strategic technical and law enforcement agencies. The directory has been rendered sufficiently flexible to accommodate the differential government system of the ARF. A tabletop exercise has also been conducted to demonstrate the practical utility of the directory, prior to the consensus on the development of the ARF point of contact. Key takeaways from the exercise are as follows: the importance of effective communication between the policy and technical bodies in the context of cyber crisis management, the need to identify and address gaps in capacity building, particularly in terms of technological and human resources. In this regard, most advanced states will need to provide the necessary assistance to states that are still behind. The role of simulation exercises in cyber crisis management; the importance of private sector involvement in similar cyber crisis exercises conducted in the future; the need to improve communication among states, including designated policy point of contact to facilitate inter-governmental interaction and coordination in the event of a cyber crisis, as mentioned earlier; the need to establish clear linkages between industry and regulators, as well as CIRTS building on the policy, point of contact; and the need for a regional framework on cyber incidents and response protocol. Mr Chair, from Malaysia’s perspective, these key takeaways are of great relevance to our deliberations, taking into account similar experiences shared by colleagues from various other regions. The establishment of a global point of contact directory will allow the OEWG to perform more comprehensive cyber exercises, which will encompass the diverse perspective of relevant diplomatic strategies, probably to law enforcement, technology and sectors. Thank you, Mr Chair.

Ambassador Gafoor  

Thank you for the statement. I now give the floor to Denmark, please.

Denmark

Thank you, Mr Chair. Denmark fully aligns with the statement given by the European Union, but we would like to make some brief remarks in our national capacity. As we have stated before, the development and use of information and communication technology have benefited the world in countless ways, and has been a principal driver for economic and social benefits to our societies. However, the increase use of ICTs in our digitized societies also comes with increased vulnerabilities. Hence, the rapid transformation of ICTs not only transforms our societies but it also transforms international relations. As we all know by now, cyberspace is the domain with much room for uncertainty and ambiguity, which increases the risk of misinterpretations between states and thereby also the risk of unintended escalation of conflict. This makes our collective efforts to enhance trust and counter misinterpretation even more important in order to promote international stability and security in the digital age. For this reason, Denmark’s strong support of the OEWG as a forum to share views on the threat landscape, best practices, contact information, as well as other relevant information could increase transparency, break down misconceptions, build trust, in order to prevent unintentional escalations between member states. As the Chair mentioned during his opening statement, OEWG is indeed a confidence-building measure in itself. We, the member states, should thus in good faith and in willingness to compromise continue to build upon the achievements of the previous GGEs and OEWGs by identifying additional measures that can further advance transparency and raise awareness. Allow us to give a few suggestions on how this could be done. First, the OEWG should engage actively with the multistakeholder community with a view to strengthen the protection of private assets and enhance transparency in order to build trust and protect the benefits of digital innovation. Second, the OEWG should advance cooperation with regional organizations in order to learn about the Confidence Building Measures established in these organizations and share lessons learned. As has been said before, the Organization for Security and Cooperation in Europe, which has established 16 Confidence Building Measures to reduce the risk of conflict stemming from the use of ICTs, is a natural place to begin. Third, it is Denmark’s view that the national survey piloted by Australia and Mexico and co-founded by many member states, including Denmark, could contribute significantly to information sharing and increased trust between member states if properly integrated into the general work of the OEWG. Fourth, we also think that the Program of Action initiative presented by France could also serve as catalyst for confidence-building by strengthening regional cooperation and capacity building. And finally, and perhaps most importantly, it is essential that all states respect international law and adhere to the UN framework for responsible state behavior as agreed unanimously by all member states. Trust takes years to build, but only seconds to break, and Russia’s military aggression against Ukraine, including use of malicious cyber operations is therefore not only illegal or not justifiable, it is also a breach of its international commitments and directly contrary to confidence-building efforts of this OEWG. We therefore, once again, call on Russia to respect Ukraine’s territorial integrity, sovereignty and independence by withdrawing its forces and to respect its international commitments. I once again reiterate our full solidarity with Ukraine and its people. Thank you, Mr Chair.

Ambassador Gafoor  

Thank you very much. I give the floor to Switzerland.

Switzerland  

Thank you, Mr Chair. I would like to echo the statements of many delegations on the useful role of regional organizations in the area of CBMs. This Open-ended Working Groups should benefit from the experiences of regional organizations concerning CBMs, so that all members of this Open-ended Working Group can profit from them. At the same time, this Open-ended Working Group can also provide a platform for exchange between different regional organizations. For example, the Open-ended Working Group could invite representatives of regional organizations to one of its sessions. A particular segment could be foreseen in the program of work. For that purpose, we were convinced that this would lead to fruitful exchange in the long term and exchange with regional organizations could be organized on a regular yearly basis, location of a session and thus, contribute to regular dialogue. This could also provide the platform for the exchange of experiences on best practices in norms implementation. Mr Chair, it has been said before, the OSCE has taken a pioneering role in developing CBMs. The Open-ended Working Group should draw inspiration from the 16 CBMs developed by the OSCE. The OSCE has established a network of political and technical points of contact. The first step could thus be the establishment of such a network on the global level. It could provide the basis for a set of other CBMs. The report of the UNGGE 2021 provides useful guidance on how to establish such a network. Among other things, states could consider appointing dedicated POCs at the policy, diplomatic and technical levels and providing guidance on the specific attributes of the POC. Creating intragovernmental procedures to ensure effective communication between POCs during crisis, regular communication checks should be performed. Drawing lessons and good practices from regional POC networks, the secretariat of the OSCE informal Working Group on cyber security could provide useful information on this. Such a network would allow for CBMs to focus on information exchange, such as threat information sharing, cross-border cooperation, national strategies, policies, structures and programs or to prevent political or military tensions, stemming from the use of ICTs. We also see value in a CBM on public-private partnerships. Cyberspace is a playing field, not only for states but for numerous actors. And we welcome India’s proposal in that regard. Non-state actors play a critical role in defending against cyber incidents and to help keep cyberspace free, open, secure. This group could draw inspiration from the initiative to adopt the CBM that the Hungarian Chair of the OSCE informal working group launched in 2008. Thanks to this initiative, participating states have volunteered alone or in groups to explore how CBMs can be best implemented. In this context, we welcomed the initiative to create a cross-region group mentioned by Canada and Germany. And we also welcome Australia’s and Mexico’s initiative, to create a national survey. And finally, I support Brazil’s call to this Open-ended Working Group, that the first CBM to be decided by this group should be to adopt the modalities of this group before the next session by consensus. I thank you.

Ambassador Gafoor  

Thank you very much for the statement. I give now the floor to Indonesia, but before I do that, let me also add once again, that we, as a working group can also demonstrate that we are capable of taking small steps, and that we have the trust that is needed to take the small steps, not just to agree on modalities, but I also hope to be able to adopt our program of work by consensus, which is one of the most basic and fundamental documents in any UN meeting. The fact that we have not been able to adopt a program of work, let alone the modalities for stakeholder participation really shows that there is a lot of work that we need to do in terms of building trust, or rebuilding trust, and having all the conversations that are needed, and I hope that this week has been also fruitful for all of you to have those in-person conversations in order to find solutions, in order to find common ground, so that we can take small steps before we even talk of taking giant leaps forward. Sorry for that digression, but I have been listening very carefully to all the statements that have been made and I think this discussion today shows how important this platform is for us to come here and share ideas, and I’m really taking very careful notes, and so is my team. Many, many things that come to my mind, in terms of what we can do potentially, at the next session in July, in order to follow up on the various ideas that have been put forward. And in a sense, I think there is again, a lot of expectation on us as a working group for us to follow up indeed, with very concrete ideas, some of the very concrete ideas that have been put forward. All that is only going to be possible if all of us are able to work together and understand each other, of course, have some trust in each other. I’ll continue with the speaker’s list now. Floor to Indonesia, please.

Indonesia

Thank you, Chair. On behalf of the Non-Aligned Movement, I would like to underscore the importance of Confidence Building Measures and cooperation among states to prevent conflict in cyberspace from erupting in the first place. In line with the principle of transparency, states are encouraged to make public their policies or doctrines with regard to the use of ICTs in the context of international security. This will provide better understanding and confidence among states. In our national capacity, Indonesia believes that the misuse of ICT can further exacerbate international conflict, and the most effective measures to prevent and address potential ICT threats and conflict are through mutual cooperation among states. In that spirit, we place a high priority on trust and confidence building measures between states in order to alleviate tensions and minimize the dangers of misperception regarding the use of ICT. During the last session, we noticed that a number of states have taken a similar approach in considering numerous avenues for successful CBMs, in order to further advance efforts and discussion in this topic, Chair. And in responding to the guiding question, let me share some points. Firstly, Indonesia believes that we must continue to develop and support the governor mechanism efforts to implement CBM. In this regard, the OEWG may dedicate an informal dialogue session to share best practices and experiences in CBM by inviting officials from regional organizations such as ASEAN, the OAS and the African Union. We hope that the session will promote the cross-regional exchange of ideas, best practice, and experience, while taking into account the region’s varying levels of trust, environments and circumstances. Additionally, we should enhance the existing UN efforts to expand our work on this issue. In this issue Indonesia encourages all states to make full use of the UNIDIR Cyber Policy Portal to increase transparency and openness about National Cybersecurity policy. Finally, Chair, we welcome the establishment of a global point of contact under the auspices of this group to disseminate information that facilitates cooperation, transparency and emergency response in the event of an ICT incident. We emphasize the need of defining specific criteria and processes when developing the contact, including how the contact should be updated and maintained to ensure its effectiveness. The contact may include critical contacts at the technical, diplomatic and policy levels, as well as critical information for emergency situation, and will be maintained by the Secretariat or other appropriate agency or body to ensure its information sustainability. Thank you, Chair.

Ambassador Gafoor  

Thank you very much. I give the floor now to Djibouti, please.

Djibouti

Thank you, sir. As this is the first time that my delegation is taking the floor in this meeting, I would like first of all, to congratulate you on your devotion and commitment as you steer the work of this group. We align ourselves with a statement of the Non-Aligned Movement delivered by Indonesia. And in our national capacity I would just like to add that Djibouti has since July 2019, really focused on this issue as we hosted a seminar on the issue of cybersecurity. This shows that there is still a digital gap between states. Thanks to our policies, we have striven to ensure that we can be a hub for telecommunications and we have submarine cables linking us with other countries in our region and beyond. This has led to large-scale investment that has had to be involved and we are convinced that the abuse of ICTs can harm national infrastructure and also the infrastructure of countries with whom we are interconnected. Mindful of the swift development of technologies we must swiftly find the ways and means of facing up to potential threats on the Confidence Building Measures, while respecting the principles enshrined in the United Nations Charter and human rights. And under the aegis of the UN, we would like to submit the following proposal, which could perhaps be in addition to the proposal already made by other states during the course of our work. Drafting a ICT security program, which is inclusive and transparent, and which can be implemented in four stages, could enhance Confidence Building Measures. This program should include national awareness raising and capacity building with experts, including the establishment of an institution responsible for implementation; the adoption of a legal framework to establish good practices by all those who make use of ICTs; and finally, the establishment of a follow-up and assessment framework on the use of ICTs and the exchange of good practices at the regional and international levels. Without shared confidence, it will be impossible to protect the world from vulnerabilities and that is why our working group can continue to work further on this important issue of strengthening confidence between states. Thank you.

Ambassador Gafoor  

Thank you very much for your contribution. Cuba, please.

Mr.Chairman, exchanging information and engaging in dialogue in this Open-ended Working Group is in and of itself a Confidence Building Measure. Adopting these measures is important as an additional way of promoting cooperation and transparency, reducing the risk of conflicts and contributing to peacefully solving disputes. Each region and each sub-region is unique, hence, measures implemented at these levels cannot necessarily be replicated everywhere else, they must be voluntary in nature. Establishing contact points or any other initiative in this domain must also be voluntary. Foundations for confidence building must be assessed by the Open-ended Working Group, and they must include respecting the country’s sovereignty and non- interference in state’s internal affairs. Confidence is based on the transparent and respectful exchange of information, respect state’s right to establish, in this area as in other bilateral cooperation that they believe to be pertinent, considering binding norms under the aegis of the United Nations and their subsequent subsequently complying with them as one of the pillars of international [unclear]. Closing the digital gap and ensuring universal inclusive and non-discriminatory access to information and knowledge through the use of information and communication technologies also contributes to beefing up confidence. That is why we must have internet governance that allows states on an equal footing to discharge their roles and responsibilities in international public policies that are relevant in this domain. Another important CBM is for states to refrain from adopting any unilateral coercive measure that might restrict or prevent universal access to the benefits provided by ICTs. Lastly, we recall that Confidence Building Measures alone, cannot guarantee the strictly peaceful use of ICTs. However, they are a useful tool in the light of the absence of a legally binding instrument in this domain. In its working document, which was submitted to the previous Open-ended Working Group, Cuba submitted proposals that can still be useful for the discussions that we are currently having within this Open-ended Working Group. Thank you.

Ambassador Gafoor  

Thank you very much. I now give the floor to South Africa.

South Africa  

Thank you Chairperson. South Africa supports the establishment of national points of contact as a confidence-building measure between states. This would enhance state’s abilities to have regular exchanges of information on current risks and emerging risks to the security of ICT infrastructure, as elaborated on by the delegation of India. This could be complementary to the work of this OEWG. South Africa believes that this measure could be implemented without competition with the OEWG. We also note that the proposal for a tabletop exercise to test the effectiveness of the points of contact. We believe that such an exercise should aim at identifying any gaps and challenges with the view to addressing them through necessary capacity building and support for member states without discrimination. South Africa fully supports a coordinated approach to the development and implementation of Confidence Building Measures by member states in the context of this OEWG. I thank you.

Ambassador Gafoor  

Thank you very much. I’ll give the floor to Austria.

Austria

Thank you, Mr Chair. Austria fully supports the remarks made by the European Union. In addition, let me add some points in our national capacity. Regarding Confidence Building Measures, there has been a consensus in past sessions that such measures can contribute to trust, predictability and stability in the use of ICTs by states. This session, further example could build on this consensus by exploring how this group can make use of good practices that already exist at the regional and sub-regional levels. As a participating state of the OSCE, Austria, like other participating states that spoke earlier, attaches particular importance to the set of 16 CBMs, elaborated by the OSCE, which allow its participating states to increase their communication, gain clarity in their positions with regards to the use of ICTs, and also add their preparedness to respond to incidents and challenges in the cyberspace. The OEWGs engagement with the OECD, but also other regional organizations with similar CBMs, could be the subject of a future session of the group similar to what my Swiss colleague just proposed earlier. This would benefit the member states in that we’ll be able to compare and contrast the various existing models and CBMs, identify similarities and thus areas that could provide suitable to expand to the global level. But there could be also added benefits for the regional organizations themselves, as they will be in a position to exchange with representatives from other regional organizations. To maximize the added value of such an endeavor, all the relevant stakeholders tasked with implementing the CBM should have a voice in such a process in order to gain a holistic picture, as our Jordanian and other colleagues have pointed out. While underscoring once more the value of Confidence Building Measures, let me add that confidence is not an outright given. It needs time to be built and it can very quickly be lost. It is very difficult to place confidence in an actactor like the Russian Federation, which through its aggression against Ukraine has undermined international trust, acted highly unpredictably, and in blatant violation of international law, thus threatening international peace and stability in the most heinous way. We repeat our call to Russia to live up to its international obligations under the UN Charter and OECD commitments, to immediately cease its use of force against Ukraine to fully respect Ukraine’s territorial integrity, sovereignty and independence within its internationally recognized borders and to withdraw its military forces from the territory of Ukraine. I thank you.

Ambassador Gafoor  

Thank you. Australia, please.

Australia  

Thank you, Chair. CBMs, Confidence Building Measures, endeavored to build relationships and procedures in times of peace and stability can be used for de-escalation in times of crisis, and I think that’s very important for us all to remember as we have this conversation today. As, Brazil, Canada, Germany, Mexico, and several others have mentioned progress efforts on CBMs, Australia is also part of the open cross-regional group to advance cyber Confidence Building Measures in this Open-ended Working Group. The group is comprised from nations that span ARF, the OSCE, and the OAS membership and we’re very keen to invite others prioritizing the development and implementation of CBMs, especially from other regional organizations, and also those countries that may not be part of a regional organization to work with us on these important matters. Australia believes that broad engagement will enable strengthened linkages between regional groups and states from all regions to share lessons learned from our regional experiences with CBMs and as others have mentioned, we’re currently working on a paper that we plan to circulate in the context of this session. Australia will continue to develop and promote risk reduction measures to build confidence in the state’s ability to respond to specific instances of a malicious cyber activity without escalation. And we welcome the proposal made by India on the inclusion of the multistakeholder community in this work. We also appreciate the acknowledgement in our current work and in the 2021 reports of the OEWG and the GGE, on the leading role played by regional organizations to build and implement Confidence Building Measures in cyberspace. For Australia, this has been made most evident in the progress being made through the ASEAN Regional Forum and in particular, its ICTs security workstream. Australia and Malaysia proposed an IRF cyber points of contact directory and this was approved by ministers in 2020, and we see the directory as a foundational risk reduction measure. It seeks to facilitate near real-time communication in the event of an ICT security incident of potential regional security significance. And I want to thank the Malaysian delegate for her intervention, and align fully with Malaysia’s very important points made on the development, the procedure, and the continual updating of this directory. As my Malaysian colleague mentioned, establishing this regional POC directory was not necessarily a simple process. Malaysia and Australia worked for over five years from concept to operation to garner the agreement from all ARF member states, to establish the directory working to provide appropriate security and set in place the relevant protocols for the use of that POC directory that met the comfort thresholds of all ARF member states, and I raised these difficulties not to dishearten or dissuade the OEWG on the development of a global POC directory, quite the opposite. I want to bring our attention to the very specific and practical issues that we will need to address in our pursuit of this goal for the global POC directory, and to provide an example of ultimate success. And after such a lengthy process to establish this ARF POC directory, Australia can very much support Costa Rica’s proposal to study further the experiences of regional organizations in this work as a source of learning for our own work. Chair, colleagues. Much has been said over the last day or two, and yesterday in particular, regarding the launch of the online portal for the National Survey of implementation through UNIDIRs Cyber Policy Portal. I only want to very briefly note that this survey and its responses conserve the core CBM objectives of transparency, and also procedures for cooperation. On transparency, clearly signaling our domestic policies, our interpretations of our framework of responsible state behavior, and their recommendations for implementation and acknowledging areas for further attention, helps build mutual trust between countries. And on cooperation through providing an avenue to collect and collate a global point of contacts directory, the importance of which is made stark when we acknowledge that not all states are members of regional organizations, and not all regional organizations have CBMs or POCs, in place. And in this regard, I very much welcomed Singapore’s proposal to conduct tabletop exercises to promote and test such a global POC directory, which we hope can address some of the points very eloquently made by Costa Rica on functionality and by the Netherlands on the procedural exercising and the importance of that. Finally, Chair, I do want to thank you for your digression and reiterate Australia’s support for you and for your team and echo your hope that all countries can come to our work constructively and flexibly and demonstrate our commitment to the OEWG. Thank you, Chair.

Ambassador Gafoor  

Thank you very much, Australia. Israel, you have the floor.

Israel

Thank you, Mr Chair. Since it’s the first time I take the floor, I’d like to join other delegations and commend you and extend our delegations appreciation and thanks for your tireless efforts. We can also join others and you in hopes that our process will soon go back on track. Mr Chair, Israel regards the discussion on Confidence Building Measures and capacity building as intertwined and as an essential and extremely important part of the Open-ended Working Group work developing effective and sustainable international understanding requires, in Israel’s view, a solid base of trust. In this context, exchanges of know-how cybersecurity methodologies, risk assessment models, threats, trends, trends patterns, etc, can play an important role. In addition to extensive bilateral information sharing, Israel supports CBM efforts on the regional and cross-regional levels. Israel supports the important work that has been carried out by the OSCE. As a Mediterranean partner, Israel also contributes its vast experience in this field. Furthermore, Israel is one of the founding members of the Global Forum on Cyber Expertise (GFCE) and is an active partner in developing various CBMs and capacity-building initiatives in the GFCEs framework. In addition, Israel hosted last year the OECD Global Forum For Digital Security promoting CBMs and global security. Moreover, in order to offer concrete suggestions that can be further elaborated within the Open-ended Working Group process, with a view to advance CBMs that can be operationalized in a voluntary non-binding manner at the UN level, Israel, together with a group of cross-regional member states, held joint discussions aiming to present some novel and practical ideas, and we wish to commend our German colleagues for initiating this process. As information sharing is in the heart of cybersecurity and can assist building trust, Isreal can emphasize the need of making info-sharing processes faster and more efficient. Israel has introduced and is operating Cybernet, an info-sharing system built for cyber professionals that allows a many to many sharing of relevant practical information. Israel launched this initiative to allow cross-country sharing of information and we believe this model can serve as a good basis for further and further introducing practical ways in the context of CBMs. Mr Chair, at the heart of Israel’s international cyber strategy are its efforts to build global cyber resilience, and we are actively sharing best practices with many countries and organizations who wish to build their own national cybersecurity capacities, and Israel is ready to collaborate with other states and organizations on this important matter. Cyber does not entail only threats, it holds possibilities and opportunities. Israel proved that cyber could also serve as a social and economic mobility means. Israel has been investing in capacity building and continues to build its cyber ecosystem while reinforcing its periphery, bringing together government, academia and the private sector. And we are gladly sharing our experience in this field. To conclude Mr Chair, cyber has created a novel policy and regulatory challenges due to among others the involvement of the private sector. So it merits a broad discussion that requires thinking out of the box, breaking existing silos and strengthening multinational cooperation. Though we tend to speak about technology, it is really people-driven and it should be treated as such, trying to minimize existing gaps. Thank you, Mr Chair.

Ambassador Gafoor  

Thank you very much. Japan.

Japan

Thank you, Chair. Japan strongly believes it is important to promote mutual understanding of each state’s policies and strategies to prevent the escalation of tension in cyberspace. CBMs promote better understanding of each other’s policies and lessen the possibility of misunderstanding and miscalculations. Japan carries out bilateral dialogue with many countries, which is an important CBM. Bilateral dialogues offer an opportunity to explain their respective cyber policies to each other and exchange views on threats and issues of concern. Sometimes, the mere act of having a dialogue is a confidence-building measure in itself. Japan also has cyber dialogues in regional frameworks, such as the ASEAN Regional Forum. At a recent meeting of cyber dialogue within the ARF, the Chair of the OEWG gave a briefing on the current status of the OEWG. We believe it was beneficial for both the members of the regional group, as well as the Chair, and services important CBM. Japan appreciates the presentation by UNIDIR yesterday. It is useful for governments to share their cyber policies and experiences through UNIDIR and post it or post them on the Cyber Policy Portal. Japan has posted such documents as the cybersecurity strategy, the basic position on international law applicable to cyber operations, international strategy on cybersecurity cooperation, and national legislation related to cybersecurity. Government positions related to cybersecurity are listed as well. I have just noticed that my predecessor is still on the UNIDIR site – we will make sure to reach out to UNIDIR to update the information. Japan also believes information sharing through the existing CERTs and CSIRTS is an important CBM as well. Japan supports the creation of the global contact list. We believe that title and name of the point of contact and email addresses should be included, a brief description of the issues that a point of contact has the responsibility over, may be contained as necessary. To keep the list as up-to-date as possible, UNIDIR should have a point of contact responsible for updating the list at least once a year. Thank you very much.

Ambassador Gafoor  

Thank you very much. Philippines, please.

Philippines  

Thank you for giving me the floor, Mr, Chair. The Philippines aligns itself to the ASEAN statement Confidence Building Measures delivered by Cambodia. Allow me to deliver some brief remarks in our national capacity. Mr Chair, we need to avoid duplicating efforts and concentrate on putting previously successful Confidence Building Measures into action. The Philippine threat rates the importance of Confidence Building Measures as tools to reduce tension, minimize the risk of misperception and build trust. CBMs can operate as a pressure valve, allowing critical circumstances to be de-escalated. Notable agreements in this realm include the various sets of cybersecurity CBMs agreed to by the ASEAN. As many have mentioned before me, a mechanism like our OEWG can be regarded as a CBM in and of itself. Mr Chair, in the previous OEWG, states concluded that establishing national points of contact is a CBM in itself, as well as a helpful measure for the implementation of many other CBMs. Moving forward, this current OEWG should agree on the modalities of establishing a directory of such contact points at a global level. For instance, we can utilize the UNIDIR’s Cyber Policy Portal, where the directories of POCs, inter alia, at the technical policy and diplomatic levels will be made available to allow states to easily access this information, including during uncertain or unexpected situations. The secretariat will consolidate all the needed details according to the categories and regularly update these directories. Routine call-out exercises to keep the directories up to date can also be explored. The ASEAN Defense Ministers Meeting ADMM plus experts working group on cybersecurity has developed a point of contact and technical expert personal directory. We can explore audience experiences and lessons learned to further develop our own modalities in this regard. Aside from this, a compendium of lessons learned and best practices related to CBMs can also be made in the UNIDIR’s Cyber Policy Portal. Since states are encouraged to continue and inform the Secretary-General of their views and assessments, they include additional information on lessons learned and good practice related to relevancy CBMs, both at the bilateral, regional, or multilateral level, the UNIDIR can use this information on the member states permission to compile this information and have it posted regularly in the website. I thank you, Mr Chair.

Ambassador Gafoor  

Thank you very much. I give the floor now to Colombia.

Colombia

Thank you, Mr Chairman. Colombia advocates a free open, peaceful and safe digital environment. To have this, we need to continue to develop and implement Confidence Building Measures in cyberspace, geared towards enhancing transparency, promoting stability and reducing the risk of misunderstandings, escalation and conflicts. To build confidence, cooperation, transparency and predictability, we need to translate CBMs into specific actions, as we have already said, to implement the framework for the responsible behavior of states in using ICTs and to broaden the implementation of CBMs we need to have greater cooperation assistance and capacity building, and we need to have the support of all stakeholders. This would ensure that all states can achieve the appropriate levels of protection and security for their critical infrastructure and can manage any incidents that do arise and can request assistance or respond to other countries’ requests, if there are ill-intentioned activities that may be carried out in their territory or affect them. Mr Chairman, I will now make some comments to respond to your guiding questions in terms of how the working group can commit to working with sub-regional and regional organizations to learn from their experiences in the implementation of CBMs, we think that tools can be drafted, such as surveys, that will allow us to understand the experiences of countries that have implemented digital tools to build confidence. It would also be useful to know what shortcomings there have been and how they have been circumvented and how progress has been achieved. As other delegations have already said, we should also make sure that we establish inter-regional networks, for instance by establishing an inter-regional platform that can allow for direct contact between member states, including the  24/7 network system, where states can have direct communication if there is an emergency. This would, in and of itself, be a CBM, and it could also strengthen assistance and cooperation in responding to incidents. This group could also support CBMs by supporting the holding of bilateral fora and regional and multilateral fora, as well as setting up a response repository for measures and related documents. We also need to have a protocol for the management of information and we need to have clear and open databases. Mr Chairman, we reiterate the benefits of a network of focal points at the technical, political, and diplomatic level to facilitate safe and direct communication and on measures to increase  transparency, the value of exchanging information on cyber incidents and other threats and the public dissemination of information, such as white papers, strategies, legislation and national policies. In terms of regional experience, we would highlight the experience of the OAS and the representative of that organization has provided a lot of information about that. Building confidence is a progressive, long-term commitment. Thank you.

Ambassador Gafoor  

Thank you for this statement. Uruguay, please.

Uruguay

Thank you very much, Mr Chairman. We recognize that the United Nations has a critical role to play in drafting Confidence Building Measures and in supporting their implementation at the global level. As has happened in previous reports of the working group, and the previous reports that were adopted by consensus. Like many other delegations, we also believe that regional and sub-regional organizations have made major efforts to design CBMs and to adapt them to their specific priorities and contexts. We also highlight the work that has been done by the OAS in our country. We believe that the group should look into potential initiatives to boost this cooperation and the exchange of experiences and good practices between different organizations. We also agree with many delegations who have mentioned various mechanisms that can be particularly useful for this group, but we agree with you when you say that we shouldn’t just refer to the modalities, but that we should also ensure that we have Confidence Building Measures alongside them. Thank you.

Ambassador Gafoor  

Thank you very much for your statement. Chile, please.

Chile

Thank you very much, Mr. Chairman. Confidence Building Measures, including measures to foster transparency, cooperation and stability can contribute to preventing conflicts, avoid misperceptions and misunderstandings and reduce tensions. They are also a specific expression of international cooperation with the necessary resources and capacity CBMs can strengthen the security, resilience and peaceful use of ICTs in general. The Open-ended Working Group can in and of itself be considered to be a CBM and that is why we echo what Brazil and other delegations have said in this regard. We attach major importance to the development of CBMs. We highlight the work undertaken by international organizations in this context, in particular the work carried out by the working group working with the OAS confidence-building group. This has made it possible for six measures to be adopted in our region. The representative of the OAS has already spoken about the progress that has been made in strengthening cyber diplomacy and we think that this is something that could be replicated in other parts of the world. The group can also consider inviting regional organizations that can share their experiences. We could have a special meeting, for instance, in this group or conferences and inter-agency dialogue. Inter-regional dialogue is critical and we agree with what Colombia said about that. Establishing national contact points or focal points is also a CBM and this can help with implementing other measures. A directory for global contact points could and should be a genuine community and network. And it can also be built up from networks that already exist at the regional level. Mr Chairman, our experience has shown that these contact points provide valuable assistance in exchanging information notifying about incidents and allowing for coordination between states. To establish a directory of POCs, we must make sure that we focus on its goals and the inclusion of relevant experts at the technical and political level, we must bear in mind the gender approach, and we must ensure that there is training provided, and we must also look into the possibility of sharing experiences. We still have a lot of work to do, and CBMs are a critical way of allowing us to make the headway that we need to make together. Thank you.

Ambassador Gafoor  

Thank you. I give the floor to Ecuador.

Ecuador

Thank you very much, Chairman. What a privilege to be following so many other delegations from my region. We fully align ourselves with what all of those delegations said. There’s not anything that they said that we disagree with. Building competence is critical to overcoming security challenges posed by transnational threats. Dialogue is critical at the bilateral regional and international and inter-regional levels. To do this, a multilateral platform would also be extremely useful. And that is why we continue to support the French-Egyptian initiative, and we note that more states including from my region continue to join this effort. Given the asymmetries in terms of countries capacity in ICTs, dialogue without cooperation will not be fruitful. We need to have an active dialogue to build up confidence and to close the existing gaps so that we can have universal minimum standards in this domain. The frequency with which cyber threats appear and the rapidity with which they evolve adds extra complexity to this challenge. That is why we need to strengthen where necessary the mechanisms to exchange information about cyber threats and indeed alternatives to how they can be countered. We need to have the POC directory as well, as Singapore has supported, that is a critical matter. Transparency and accountability are also critical. The working group should consider that there are not just many different threats but there are different perceptions about those threats. And this is why we need active coordination and the implementation of the norms for responsible behavior. The different effects that the threats pose for different people, in particular for the most vulnerable people, must also be considered in efforts to build confidence, as Brazil said, and as you highlighted, sir, confidence begins at home. Ecuador rejects the militarization of the cyberspace in particular when this goes hand in hand with military operations of aggression and violating the territorial integrity of states. That is why the valuable work carried out by this group is not isolated from what is going on outside the group. And that is also why the most effective measure to build confidence is to honor the United Nations Charter, to exercise tolerance, and to live in peace, like good neighbors. Thank you.

Ambassador Gafoor  

Thank you, for the statement. I give the floor to Timor-Leste.

Timor-Leste  

On the Confidence Building Measures, more or less the view that there are already several processes that promote Confidence Building Measures between states in the realm of cyberspace. As many have stated before, this Open-ended Working Group, in its form, is a Confidence Building Measure process where many have shared their views and positions on the matter and regional cooperation programs or other means of trust and confidence-building process. In this regard, Timor-Leste welcomes initiative by Australia and Mexico together with UNIDIR, in launching the online self-assessment tool of a national survey of implementation of United Nations recommendation on responsible use of ICTs by states in the context of international security in which Timor-Leste considers to be useful for all. Chair, given the recent establishment of a national body that regulates the operation of ICT in the national level, it is our view that the establishment of international coordination mechanisms, which include the specialized government authorities, can be used as another form of Confidence Building Measures. Timor-Leste views that this working group can facilitate the work of national security operation centers in establishing of its playbooks policies and procedures for cyber threats, and with established establishment of National Computer Emergency Response Team. This will also facilitate least developed and developing states in addressing cyber threats and will pave the way to the right forum for the mapping of existing needs, coordination, implementation and monitoring purposes. Under this, the development of criminal investigations in cybersecurity capabilities in the law and order agency, may also be considered. Chair, as previously stated, the involvement of stakeholders is important in this process. Thus, the development of awareness for government officials, citizens, business and private sectors must also be put into consideration. As international security dimension of ICTs cuts across multiple domains, establishing platforms for information exchange, including legal and administrative good practices may prove valuable with the contributions of other relevant stakeholders to capacity building activities proposed by Member States. Thus we of the view that the role of UNIDIR can continue to serve as the repository portal that can benefit member states. In addition, Timor-Leste the wish to emphasize that, to reinforce the Confidence Building Measures, capacity building process should also be based on the assessment of the need of states, especially the least developed and developing states. Thus, a capacity building program dedicated to expert and technical staff from the least developed abs developing state, is one of the aspects which can be considered. In this regard, Timor-Leste appreciates the capacity building Fellowship provided by the government of Australia on women in cybersecurity, in which Timor-Leste support of. Thank you, Chair.

Ambassador Gafoor  

Thank you for the statement. China, please.

China

Mr Chair, the purpose of CBM is to promote mutual trust and predictability. Fuelled miscalculations were contributed to the maintenance of cybersecurity. At the same time CBMs alone, cannot effectively maintain cybersecurity or replace international rulemaking in cyberspace, due to reinforce and complement each other. We support countries in carrying out, on a voluntary basis, Confidence Building Measures such as policy exchange, law enforcement cooperation, technical change and information sharing to enhance mutual trust and reduce misunderstanding, through a step by step approach. It should be noted that countries should not use CBMs as a reason for cyber weapons proliferation or form cliques of various sorts including of supply chains. This is contrary to the purpose and the goal of CBM and undermines the security and stability in cyberspace. Thank you, Chair.

Ambassador Gafoor  

Thank you for the statement. Brunei Darussalam, please.

Brunei

Mr. Chair, Brunei Darussalam aligns itself with its respective statements delivered on behalf of ASEAN and NAM. Since this is our first time taking the floor, allow us to thank you for your commendable efforts in leading this process. Mr. Chair, Brunei Darussalam established the Cybersecurity Brunei in 2020, that monitors and coordinates national efforts in addressing cybersecurity threats as well as cybercrime. It is through CSP that strategies, policies, and frameworks governing cybersecurity are formulated and implemented with the relevant Critical Information Infrastructure as the main constituents. This reflects its priority to ensure a safe and secure cyberspace for the country, as well as one of the key strategy enablers in its digital transformation journey towards being a smart nation. The CSPs’ main services include BruCERT, national digital forensic laboratory and cyber watch center. At the regional level, we continue to support the need to strengthen cross-sectoral cooperation in ICT security, reinforced under the coordination of the ASEAN Cybersecurity Coordinating Committee. We are also pleased with the dialogue and broader cooperation demonstrated at the ASEAN Regional Forum through the ARF ISM on ICT security in further promoting confidence building and trust, information sharing capacity building and the voluntary and non-binding norms of responsible state behavior. Mr Chair, Confidence Building Measures and capacity building are important in enabling, as well as empowering member states and relevant stakeholders to mobilize ideas and translate them into concrete action. This may include in enhancing the protection of the critical information infrastructure and law enforcement capabilities, as well as the ability to identify what constitutes as threats and opportunities. We have been listening to the proposals by colleagues and we thank them for the active ideas, we look forward to studying them more in detail. As aforementioned, we echo the value of sharing information and experience among ourselves at all levels. In this regard, Brunei welcomes the UN tabletop exercise program by Singapore, as early steps in establishing a reliable and effective network and addressing cyber threats and challenges, particularly in responding to cyber incidents. We believe that such a global network could be key in nurturing continued trust and confidence to further mobilize our common goals and objectives. We support this proposal and look forward to receiving more information in due course. Mr Chair, please be assured of Brunei Darussalam’s full support to you and your team. Thank you.

Ambassador Gafoor  

Thank you very much, for the statement. Argentina, please.

Argentina

Thank you very much, Mr Chairman. First of all, we would like to echo what Ecuador said, on all of the proposals that our region has put forward, we join those proposals. We are a staunch promoter of the adoption of Confidence Building Measures, because they enhance cooperation, predictability and stability between states in general. And in particular, the methods for responsible behavior of states in an unstable world. Any exercises to consolidate Confidence Building Measures will certainly contribute to enhancing the security of cyberspace, enhancing cooperation, transparency and predictability. We need to continue to boost the development of the UNIDIR portal and the list of contact points, we need to continue to work on these issues going forward. We need to generate synergies to make the most of the work of different regional and sub-regional organizations in this domain. Additional measures could be to establish a repository of information and glossaries for common definitions to facilitate the learning of experiences and the adoption of a common language. We could also have databases on incidents and therefore having a network of technical focal points or a network on CERTs would be extremely useful from a practical point of view. We could also establish guidelines for the protection of critical infrastructure and how those guidelines can be implemented. We appreciate the work carried out by the OAS who have all already taken the floor. Like many other delegations, we are coming forward with practical proposals. We need to work on these proposals so that we can they can feed into pilot projects with countries that have different capacities in this domain. One way of building confidence is to publish some of the briefings that have been given here, because a lot of information has been provided about the different proposals or actions that have been carried out in different areas of states or regions. Ensuring the active exchange of information is the basis for building up confidence. The rapid evolution of ICTs requires states to work together. We need to work together on this issue and we think that this working group is a key forum for making headway. Thank you.

Ambassador Gafoor  

Thank you, Argentina. Iraq, please.

Thank you, Chair. My delegation believes that the Confidence Building Measures and capacity-building measures should be taken in the context of information sharing on the threats of cyber activity, this can be done by setting up a joint POC. Member States should also strive to strengthen international cooperation and information exchange, and to identify the means that we can use to identify and detect cyber attacks. We also need to identify defense measures that can be taken to prevent any such threats. Our delegation has been following with great interest the initiatives proposed during this meeting by the member states. We hope that these initiatives may contribute to strengthening Confidence Building Measures as well as capacity building measures in order to create a secure cyberspace. We would also like to underscore the importance for these initiatives to take into account the priorities of states and the threats they face. In conclusion, we believe it is important to work together for a united overall vision that would culminate in initiatives, and these initiatives would allow us to make progress on the work of the OEWG. Thank you, Mr Chair.

Ambassador Gafoor  

Thank you very much, Iran, for the statement. I have no more speakers for this sub-item. I see Venezuela, you’re last for the floor. Venezuela, please.

Venezuela  

Thank you, sir. My delegation didn’t intend to take the floor, but I wanted to refer briefly to the statement delivered by the distinguished delegates of one of the regional organizations present in this meeting. In 2016, the Bolivarian Republic of Venezuela denounced the charter of, followed all of the procedures to conclude its membership of that regional organization. Given that Venezuela therefore does not belong to the OAS anymore, and given that it’s not an organization that represents our region, our delegation does not consider itself to be represented by the regulations on cyberspace that were mentioned by that organization. And this includes their link to the other organizations, including the UN. Mr Chairman, I’d be grateful if this statement could be included in the minutes of this particular meeting. Thank you.

Ambassador Gafoor  

Your statement is noted. Cuba.

Senior president. Mr. Chairman, just very briefly, my delegation shares the concerns that have just been expressed by the distinguished representative of Venezuela, relating to the statement delivered by an observer organization. In addition to this, Mr Chairman, we believe that in our region, there are other forms such as CELAC, that can be used for consultations on the issues that we are discussing in the context of this Open-ended Working Group. Thank you.

Ambassador Gafoor  

Thank you for that statement. I see no other requests for the floor. I want to say that, in the few minutes that we have left, we had a very good discussion this morning, very detailed and very concrete proposals have been put forward. I’m very encouraged by that and I also take note that there is a cross-regional group of countries that is working on CBMs and I welcome that initiative. I see that as a good sign. I hope that this conversation on CBMs, this morning has been helpful to all of you and to each one of you I think there’s a lot of ideas on the table on which we need to reflect on how we can follow-up. And I think one of the delegations today said that the issue of CBM is interrelated with capacity building and this naturally leads us to the next sub item, which I intend to take up this afternoon. Now, I had originally envisioned that this afternoon will be devoted to an informal, open-ended meeting that I will be convening under my own authority. That will proceed but I have decided to adjust the timing, such that we can come back this afternoon to continue with our discussion on the agenda item five, sub item relating to capacity-building. So, the virtual open-ended informal meeting will be convened by me, under my own authority, from 1:30 to 3:00 pm, and we will resume our meeting here at 3:30 pm. I know it’s a very tight schedule but I am not able to see how we can complete all the issues on the agenda and mandate unless we make some adjustments to the program, as I had originally envisioned. So, I resume the meeting to a formal meeting. And I adjourn the meeting. And I look forward to seeing all of you here at 3:30 and also at the virtual open ended informal meeting at 1:30. Meeting is adjourned.

Leave a Reply

Your email address will not be published. Required fields are marked *