Session 4-8 Pre-Consultation
(OEWG 2021-25)

This is an unofficial transcript

Ambassador Gafoor

Good afternoon distinguished delegates, representatives of stakeholders, friends. Thank you very much and good afternoon to all of you I’m delighted to organize this dedicated stakeholder session as agreed in the provisional or rather as agreed in the programme of work and also in accordance with the agreed modalities for stakeholder participation that we had adopted at the outset of our work. As stakeholders had been invited to register their interest in speaking and accordingly we have a list of speakers who have registered their interests to speak and I will follow that list of speakers for this afternoon. Thank you very much. We will continue with the list of speakers as has been made available to me by the Secretariat and I thank all the stakeholders for having registered their interest to speak, we have 16 speakers. And it is my hope that we can keep to a time limit of around three minutes for each contribution. I’m also delighted to see so many delegations who are present here today. Delegations who have joined this dedicated stakeholder session. And I also thank them for joining the discussion. The topic and theme of the discussion for the dedicated stakeholder session is capacity building. And it builds on the intergovernmental discussion we had this morning. And therefore, I think the timing of this dialogue with the stakeholder community is very, very useful. So we look forward to hearing from the stakeholders. And without further ado, I would like to start with the first speaker, Hitachi America to be followed by youth for privacy. Hitachi America, please.

Hitachi America

Thank you, Mr. Chair, [key keeping] inclusive multistakeholder environment. before touching upon your guiding questions, let me mention that it is very hard to find the best practice for Public-Private Partnerships in international security on ICT. As a private sector, infrastructure provider, including energy, water, and transportation, we recognize that national security and digital trust are converging. For your first guiding question, good examples observed in public private partnerships on capacity building include categorically for us: joint training, scenario-based tabletop exercise, and laboratory research; second, public-private national cybersecurity center format; third, information sharing and CERT, CSIRT and recently P-CSIRT forms; fourth, study groups and think tank forms with government industry-academia partnerships. Mr. Chair, for your second guiding question, let me address some lessons learned. First, trust in human-to-human is more important than ever, for peace, security, and resilience in critical infrastructure. Digital trust is a new normal in communication, privacy, and human rights for everyone in daily life. Realizing threats of negative use of technologies are coming with AI for misinformation, disinformation and quantum computing for hackers. Second, a multi-layer comprehensive framework is needed for policy and the law. Audit and due diligence technology and the data and the governance structure together. Just the formal structure may not work without the foundation of multi-layer trust. Third, human resources rotation between public-private sectors is encouraging. For example, experienced government officials retire and move to the private sector. Technically capable private sector people work for the government. Fourth, finding common goals are quite important for positive partnerships and participation such as digital transformation, and global digital trust to projects with sustainable development goals, like the environment. Finally, challenges observed include timely communication and actions dealing with sensitive and classified information, facilitating with intelligence and attribution which may require security clearance and a suitable level of trust in national security level. Information repository, [which] we talked [about] this week, combined with public sector the trust communication proposed for threat and the best practice can help public-private partnership further. To conclude, common goals with continuous multilayer trusted communication through workshops, training, exercise, think tanks and tools can build great public private partnerships internationally on capacity building. Thank you, Mr. Chair.

Ambassador Gafoor

Thank you, Hitachi America. Youth for Privacy, to be followed by Right Pilot. Youth for Privacy, please.

Youth for Privacy

Thank you, Chair. Youth for Privacy is glad to participate in the fourth session of the Open-ended Working Group. After advocating for more youth inclusion at the last session, we find it concerning that this room still lacks a lot of youth voices. The security of the Internet has an outsized impact on young people, as 55% of Internet users or under 35. Youth play a pivotal role in capacity building. There are two kinds of capacity building. The first is specialized capacity building, where we train future experts in cybersecurity, privacy and diplomacy. The second is general capacity building, where we educate the general population on basic cybersecurity and privacy know-how. For both of these measures, we need youth participation. One, specialized capacity building. As we are a youth-led organization, we want to highlight programs that train the next generation of leaders in disarmament. The United Nations offers the office of disarmament affairs hosted the Youth for Biosecurity initiative, sponsored by the European Union, and the Leaders for Tomorrow initiative, sponsored by the Republic of Korea. We especially appreciate the Leaders for Tomorrow initiative, as one of our members participated in the program. These programs give students and young professionals the opportunity to network with experts bring new perspectives to the table and focus on their goals. We believe that the UN can do a similar project for young leaders in cybersecurity, privacy and emerging technologies. The UN would greatly benefit from having a cohort of young tech-savvy changemakers. Two, general capacity building. While we found a lot of public-private partnerships to improve cyber capacities for businesses and public institutions, we would appreciate it if there could be more partnerships aimed at young people, as youth education is our core mission. Finland’s Office of the Data Protection partnered with civil society to develop GDPR4CHLDRN, which educates children about data protection. In addition, Global Partnership for Sustainable Development Data has launched its data values campaign, which brings young people around the world to talk about data values. These are great initiatives, but more needs to be done. In the age of AI-generated misinformation and cybersecurity threats. The best capacity building is to educate the next generation of critical thinkers and teach them not only the technical cybersecurity skills but also the ethics behind them fund more initiatives to educate young people on privacy and cybersecurity. In conclusion, children are at an age where they can be easily influenced. Therefore, it is our role to educate them about the danger and the operation of these tools. Youth for Privacy believes that we can make a safer, more inclusive Internet by including capacity building measures for young people. Thank you.

Ambassador Gafoor

Thank you very much Youth for Privacy for your contribution. Right Pilot to be followed by West Africa ICT Action Network. Right Pilot, please.

Right Pilot

Thank you, Mr. Chair for giving us the opportunity to speak. Allow me to express our gratitude for your efforts and those of your team in the development process of the OEWG. I would also like to thank the UK Government for enabling my participation. Right Pilot appreciates the acknowledgments made by Member States to the role of Women in Cybersecurity Fellowships, and other gender-diversity initiatives and is happy to share examples of public-private partnerships in response to the Chair’s first question. Let me therefore begin by citing a successful model of public-private partnership from my region: the Cyber Resilience Omani Workforce Framework (CYROW). As was highlighted in the Oman cybersecurity conference yesterday, the Omani Cyber Defense Center and the Advanced Cybersecurity Academy worked with major employers including PDO, Omantel and NEMA to co-design and rollout a national and sectoral development sectoral approach to develop the national cybersecurity workforce with support from the UK Government through the UK-Oman Digital Hub. The initiative produced a pragmatic, user-friendly framework that both meets the unique and industry-specific skills requirements and delivers value to the development, monitoring and growth of Oman cybersecurity workforce. Its precise and comprehensive definition of cybersecurity roles helps Omanis seeking careers in cybersecurity to prepare effectively for those roles. In this process, stakeholders are drawing on international and regional standards of best practice, such as the UK cybersecurity body of knowledge, the US NIST framework, the Saudi cyber security workforce framework, and the Australian ASD cyber skills framework. This reference to international and regional models ensures efficiency of development and interoperability. It is no overstatement to say that women, including members of the Women in Cyber Security Middle East (WICSME) Oman group are playing an instrumental role in piloting this initiative. Looking at some of the lessons learned so far, it is safe to say that mainstreaming the role of women is showcasing this project as a good model of democratic and inclusive governance and cybersecurity capacity building. Secondly, it is encouraging stakeholders to take an inside and thorough look at existing and emerging cybersecurity competency requirements, with a view to arriving at a common understanding of the definition of roles across industry. This leads me to acknowledge the Singapore-UN efforts at developing the norms implementation checklist. And on the occasion of International Women’s Day, I will also highlight that women’s participation in cybersecurity should not solely be seen through the prism of their contribution to the software industry, which accounts to only 35% of the workforce, as noted by Estonia, but through their diverse participation in cybersecurity policy, regulation, law enforcement and academia just to name a few. Members of the WICSME group in Jordan, which I had the privilege to found, are working in the following fields. 32% are in cybersecurity policy. 29% are in cybersecurity training. 18% are in the provision of cybersecurity services and cybersecurity research. 11% are in information security, and the financial sector and national cybersecurity operations. And 3% in information security more broadly. The UK Gulf Women in Cyber Fellowship, of which I have the honor to act as Secretary, comprises women who are working together on a voluntary basis outside their daily jobs to make a real difference in cyber issues in the region, including such initiatives as the region’s first Arabic language cyber awareness portal Moreover, the UK Government recently committed to long-term support of this fellowship in their fifth National Action Plan on Women, Peace and Security, which highlighted the risk of women being excluded from organizations that design and monitor the safety of cyberspace, and argued that gender considerations must be at the forefront of the global response to cyber threats. In short, Mr. Chair, women must be seen as catalysts for change who will drive and place cybersecurity at the heart of development initiatives in cybersecurity capacity building. Member States should continue their commitment to gender diversity as a powerful enabler of cybersecurity, which delivers tangible outcomes. And now chair I turn to my colleague, Dr. Emily Reyes.

Ambassador Gafoor

Sorry, is that your colleague, is he from Right Pilot? Right pilot, I’ve given you five minutes more than the three minutes allocated. And I think it’s important that we be fair to the other stakeholders. So why don’t we go to the other stakeholders on the list and then we’ll come back to your colleague. I hope you don’t mind. I’ll give the floor now to West Africa ICT Action Network. You have the floor please. Press the microphone button so that the sound engineers can give you the floor. We’ll go to the next speaker on the list. Third Eye Legal to be followed by School of Journalism and Communication, Beijing Normal University. Third Eye Legal please you have the floor.

Third Eye Legal

[Unclear] Third Eye Legal. States have identified ransomware as a major threat to peace, security and stability to the critical infrastructure of their respective countries across continents. European Union, Singapore and other countries have shared an initiative to fight ransomware individually and regionally through close collaboration with the private sector. One of the notorious ransomware attacks identified as REvil ransomware can be a case in point to glean an example of a successful public-private partnership in the area of security and in the use of ICTs. REvil ransomware attacks state and private companies indiscriminately. Bitdefender, a private cybersecurity company provided consulting to law enforcement in areas of cryptography, forensics and investigation that helped reduce the impact of ransomware attack surface and aided in the eventual arrest of perpetrators. Just as malicious actors share lessons, techniques and tactics to cause harm. So should states, law enforcement, private sector and civil society collaborate to defend cyberspace especially the critical information infrastructure and critical infrastructure before the onset of an attack to effective early warning mechanism of faring threat intelligence via CSIRTs and mitigate harm after an attack by way of sharing technical, legal and forensic information through joint collaboration of critical incident response. UNIDIR’s side event that shared a project on the taxonomy of malicious ICT incidents that measures implementations of norms rules principles of responsible state behavior, in the response to cyber incidents in cooperation with stakeholders can be instrumental in providing an overview of threats against measures taken to mitigate them, thereby strengthening confidence building measures among states. The UN Cyber OEWG under the Chair’s insightful leadership has established a framework on POCs, which can be further strengthened by including civil society and private sector to provide technical, legal and other forms of key systems to states. As emerging technologies such as AI, quantum computing, 5G and so on become a reality, sharing of resources between states, civil society, especially the private sector in prototyping cybersecurity solutions, and develop research and insight into potential threats to individual and collective security and thereby suggesting appropriate technical, legal and social solutions would be instrumental in ensuring peace and stability in the pillar of ICTs. Finally, Third Eye Legal as a private entity looks forward to working with states and stakeholders of the UN Cyber OEWG in providing solutions in the information areas, including in developing a common understanding of the application of international law in cyberspace, as shared in earlier submissions. Thank you, Chair.

Ambassador Gafoor

Thank you Third Eye Legal for your contribution. I give the floor now to the School of Journalism and Communication, Beijing Normal University, to be followed by Global Partners Digital. School of Journalism, please

Beijing Normal University

Chair and dear colleagues thank you for giving me the floor. So my intervention will focus on public-private partnerships, and providing online literacy and safety education training for youth, especially for primary and middle schools, students and their parents. So we believe youth education is vital for promoting and ensuring the security of and in the use of ICT. The Beijing Normal University is a leading institution of higher education in China, known for teacher education and training and education science. The School of Journalism and Communication has established a Cyber Literacy Research Center for minors, which is a development partnership with various government departments, social organizations and the private sector for providing educational and training programs for youth. So our best practices include: [One], partnership with both governmental departments, social organizations and the private sector in designing and delivering our program. Secondly, we’ve built up a coordinating mechanism to mobilize multi-stakeholders. Third, to provide the government with assuring mechanisms for youth online literacy resources, such as information resources, financial resources, alliance resources. Fourth, we’re providing the government with research reports and databases. Fifth, we provide training for teachers and university students. Six, we established the 50 online literacy education phase at the primary and middle schools in the country, especially in remote areas in China. So our policy input contributes through three channels. First, we engage with government experts and agents. Second, as government’s consulting experts. Third, through formal policy recommendation channels, for instance we submit policy proposals to the Chinese People’s Political Consultative Conference, which is taking place in Beijing this week. So the lessons we learn from our practice, include: First, law and the government’s policy providing the foundation for online safety and literacy education in China. For instance, the law of minors’ protections stipulates the role of the state, society, school and the family in providing and strengthening the online literacy education for minors and also raising their awareness and capacity in online safety. Second, safety education must be integrated into the national information technology education curriculum as a whole. Third, we are stressing on both the online literacy compositing development and the protections. Fourth, effective integration of the various policy mechanisms, resources and experts are important. Fifth, education is guided by the academic community, led by the government and participated by the private sector and the schools. So, actually what we need in the future, first of all, we think we need information of international and regional best practice in protecting youth in ICT safety and security. Second, we also need some kind of expert database, and especially we need knowledge of tackling cross-border online fraud and crimes which attack the minors and the youth. Finally, we welcome the collaboration from other organizations and experts in the field of minor and youth online safety. Thank you.

Ambassador Gafoor

Thank you very much School of Journalism for your contribution. Global Partners Digital, to be followed by Red en Defensa de los Derechos Digitales. Global Partners Digital, please.

Global Partners Digital

Chair, distinguished delegates, Global Partners Digital is a human rights organization dedicated to building a digital environment underpinned by human rights and we are pleased to address you on the topic of capacity building. We agree with the many inputs so far that have highlighted the fundamental links between capacity building and the implementation of the other elements of acquis. For example, uneven cyber security capacity can present a threat in and of itself due to the nature of cyberspace, which reflects a complex and interconnected ecosystem of technologies and networks, as well as the coexistence of rapidly evolving technologies with the continued reality of the need to address the digital divide and build cyber resilience. We have heard the recognition of the need to link cybersecurity with the global development agenda. So for example, Sustainable Development Goal 16 is about promoting peaceful and inclusive institutions. In the digital age this requires strong cybersecurity practices, supported by holistic governance frameworks, like national cybersecurity strategies to ensure strong institutions that are effective, accountable and inclusive. This is just one example. So more focused discussion on these interlinkages in an inclusive manner is necessary and welcome. And stakeholders also play a fundamental role in facilitating such discussions and in providing expertise. On the roles of civil society and capacity-building, as noted previously in our interventions in this forum civil society play a very wide range of roles in the implementation of capacity-building efforts. We’ve outlined these in a series of resources that unpacks acquis from a human-centric approach, whether it relates to the development of cybersecurity policy, incident management, cybersecurity awareness and skills, partnerships between states and the multistakeholder community, including civil society is essential. And so public private partnerships should not be understood narrowly, but rather incorporate an understanding of the roles that all stakeholders play. Civil society plays an important role in implementing the capacity building principles that were adopted in the Open-ended Working Group 2021 report, including those related to people. Namely, that capacity-building should respect human rights and fundamental freedoms, be gender-sensitive, inclusive, universal and non-discriminatory. For example, at Global Partners Digital, we are a partner of the Global Forum on Cyber Expertise and we’ve supported members to conduct inclusive processes for national cybersecurity strategy development and implementation. We also agree that it’s critical that more states provide their views on how international law applies in cyberspace, as was said yesterday, and there’s capacity-building work related to that. Our brand new guide on assessing state positions on the applicability of international law and cyberspace can help in this effort, with guidance on ensuring human-centric and rights respecting approaches. I’m very happy to share that with anyone interested. It is not possible to do justice at the moment, to the range of roles that civil society plays and capacity building with the time that we have, but we’ll provide written input with further examples of the roles civil society play in capacity building and in partnerships. Finally, considering all the above, it is deeply regrettable that so many stakeholders were unable to attend this session due to their participation being vetoed. Going forward, these discussions including any intersessional rules should be inclusive of all stakeholders with modalities like hybrid and interactive formats that promote meaningful inclusivity. The report of the working group could recognize the essential role of stakeholders in building capacity, and recommend that states ensure that the experience and the expertise of stakeholders be better integrated into all areas of capacity building to operationalize the agreed framework, thank you for your attention.

Ambassador Gafoor

Thank you, Global Partners Dgital and I do encourage all the stakeholders to share your remarks with me or any other relevant material that you wish to share with me, I’m happy to look through them just to understand the different contributions and roles that you’ve been playing, and of course, to see how it fits into the work that we are doing. The next speaker is Red en Defensa de los Derechos Digitales. Thank you, Chair. Members.

My name is Greece Macias. I represent R3D the network to defend digital rights. R3D is a Mexican NGO, which has been protecting human rights in the digital landscape for nine years. The inclusion of human rights in these discussions is vital to promote and preserve peace and security in digital landscapes. We are pleased to hear an increasing number of delegations mentioning the need for a people-centric cybersecurity policy with a human rights perspective. To achieve such a perspective, it’s necessary for us to have an open multistakeholder space that includes all the voices of cybersecurity experts, both men and women from various sectors. Civil society, in particular organizations with a focus on human rights are vital for cybersecurity capacity building. Organizations such as R3D provide a technical perspective, research and legal analysis to each discussion on the new policies or legislations that nations are developing in this area. For example, in the Mexican case, R3D has been insisting on establishing a cybersecurity policy that effectively protects the whole population and not just a few. Civil society organizations promote a critical vision of defending cybersecurity, so as to ensure that there is a people-centered vision as a priority. This includes analysis of policies, which could have a disproportionate effect on some groups facing vulnerabilities such as women, and LGBTIQ activists. Likewise, we build capacities through conferences, workshops, and advocacy. We do this to raise awareness amongst legislators and decision-makers. Such measures are focused on sharing experiences and best practices, so as to create legislation and policies which effectively respect human rights, and do not restrict the freedoms of the population in the digital landscape. Another vital contribution from civil society is the early detection of threats, which jeopardize the security of vulnerable groups. For example, the documentation of incidents where malicious players use spyware to illegally spy on human rights defenders and journalists and their communications. In this regard, civil society serves as a bridge between various protagonists, who have systematically been forgotten in these conversations such as the technical sector, academia, and vulnerable groups who also must be listened to, so as to understand their needs in cybersecurity. We, therefore, hope that this process reflects the need to include civil society at each stage of the process implementing the framework of work that we have agreed upon in this field. Finally, I welcome the fact that there is an increasing emphasis on the need for a cybersecurity policy that has a gender perspective and that policies are being discussed to challenge the patriarchal vision of the technological sector. No more cybersecurity policies without women. Thank you.

Ambassador Gafoor

Thank you very much. Red en Defensa. The next speaker is Association for Progressive Communications. You have the floor, please.

Association of Progressive Communications

Thank you, Chair, delegates, and colleagues. We welcome the opportunity to engage in this informal segment. APC is an international civil society organizations, a network of members working for human rights, gender and social justice and protection of the environment through the strategic use of digital technologies. In our statement, we wanted to focus on gender-sensitive capacity building as we did in previous interventions. Firstly, we welcome all the remarks by the Chair and states this week expressing the importance of gender considerations in the group discussions. I wanted to start with some remarks on what it means to have a gender-sensitive approach to capacity building in our view. This approach considers the gender impacts and implications of cyber threats and makes specific steps to address needs priorities, capacities of women and people of diverse sexualities, gender expressions and identities. Gender-sensitive approaches to capacity building should include principles such as participation, transparency, diversity and accountability and ensure meaningful inclusion of women and LGBTQ+ people in projects, activities, approaches and outcomes. A gender-sensitive approach will also allow rethinking of cybersecurity education methodologies for all stakeholders. And lastly, a gender-sensitive approach should be intersectional, identifying and responding to how multiple aspects of identity work together with gender to reduce marginalization and exclusion. So on the question of how states can raise awareness of the gender dimensions of cybersecurity and promote gender sensitive capacity building, we wanted to share a few suggestions based on APC’s work on this issue. At the policy level, states should recognize that a gender approach to cybersecurity is closely linked, as other colleagues mentioned, to other agendas and principles such as human rights and development. States can draw up relevant tools and frameworks such as the Woman, Peace and Security Agenda, the Sustainable Development Agenda, but also the Human Rights Council reports and resolutions among others. It is also important that states find the voices that can help understand how gender is a relevant factor in cybersecurity in each country. So how can civil society support? Civil society, in particular women’s rights groups and organizations, can enrich the group discussions on how to address the gender dimensions of cybersecurity. As my colleague just mentioned, civil society has extensive experience in bringing human rights and gender perspectives to national cyber policy discussions in developing digital security trainings for women rights activists and defenders in producing pioneering research on the intersections of gender and cybersecurity, in exploring the dimensions of gender-based violence connected with cybersecurity, and also in implementing capacity building activities that convene different stakeholders. So we encourage the group to have a more focused discussion on the gender dimensions of security in the use of ICTs and we support the recommendation in the progress report that suggests that experts could be invited to make presentations on this topic. We encourage these consultations to be broadly representative and inclusive, both in their coneving and format. And we look forward to keeping engaging with the group on this important topic. Thank you for your attention.

Ambassador Gafoor

Thank you very much APC for your contribution. I give the floor now to Kenya ICT Network, please.


Thank you chair and distinguished guests. The Kenya ICT Action Network (KICTANet) is a multistakeholder platform and think tank, whose overall mission is to promote an enabling environment in the ICT sector that is robust, open, accessible, and rights-based through multistakeholderism. We’d like to thank the Chair and all member states for their work in advancing the mandate of the Open-Ended Working Group and welcome the various proposals made on the topics discussed during this fourth session. As we commemorate International Women’s Day, we welcome the measures directed at promoting gender equality, and women’s empowerment in the field of ICTs. Further, we highlight challenges in the global south countries, including the rise of cyber threats such as malware, ransomware, DDoS attacks, and social engineering targeting mobile money services, increased privacy risks associated with ICT, IT supply chains that facilitate data breaches, data mining and surveillance, coordinated disinformation campaigns especially during election periods, and rising digital threats to human rights defenders, including women, journalists and online activists. In response to the questions provided by the Chair, this is our response. To question one – are there good examples of public-private partnerships In capacity building? – we avow that NICTANet has collaborated with sate agencies such as the Communications Authority of Kenya, the ICT Authority of Kenya, the Kenya Film Classification Board, development partners such as FCDO and Ford Foundation, non-state actors such as ISPs, telcos, civil society, media and academia to promote cyber hygiene awareness in Kenya. In particular, the awareness program targets the often digitally marginalized and excluded populations and vulnerable groups such as children, women, farmers, persons living with disabilities, and persons living in rural and informal settlements. KICTANet in partnership with various state and non-state actors, continues to host the Kenya School of Internet Governance and has participated in the Africa School of Internet Governance. Also as part of Africa Cybersecurity Experts community, we have contributed to the development of a cybersecurity curriculum under the auspices of the AU-Global Forum on Cyber Expertise (AU-GFCE) project. These national and regional initiatives are useful platforms for stakeholders based in the region two have a common understanding of internet governance issues, build synergies, share information, identify and make concrete recommendations for actions. Multistakeholder convenings, such as the Internet Governance Forum, at the national level and regional level, are very useful for stakeholder engagement, learning and sharing of best practices. In terms of what lessons can be gleaned, Chair, cybersecurity is everyone’s responsibility and we all have a role to play given our various skills and responsibilities in the cyber ecosystem. Consequently, the meaningful participation of all stakeholders in the design, development and implementation of various cyber initiatives cannot be overemphasized. We believe that multistakeholder engagement between governments and all relevant stakeholders such as experts, civil society, the private sector and academia at the national and regional levels is critical. And finally, we call upon delegates from member states, especially from those from Africa to cascade these conversations at the national and regional levels to ensure all are brought on board in particular to encourage them to utilize the African Union and regional economic blocs including facilitating greater multistakeholder engagement. We thank you Chair.

Ambassador Gafoor

Thank you very much, Kenya ICT Network. I give the floor now to Paris Peace Forum. You have the floor, please.

Paris Peace Forum

Thank you, Mr. Chair, distinguished delegates. The relevance of public-private partnerships for cyber capacity building has been extensively justified in theory and successfully experienced around the world. The Paris Peace Forum would however like to address a common limit in approaching public-private partnerships in this area. Public-private partnerships for cyber capacity building are indeed often approached at the stage of policy implementation as a strengthening of states’ and stakeholders’ legal and technical capacities. They are yet as relevant at the stage of policymaking by leveraging the expertise and the experience of the large stakeholder community, including the private sector, organizations from the civil society and in particular academic institutions, as well as technical experts to increase states’ policy capacities, especially when it comes to tackling emerging threats. The Paris Peace Forum will focus on recalling the successful example of a large multi-sectoral cooperation in the making of cyber policies and strategies. Cooperation undertaken in the framework of the Global Forum on Cyber Expertise, whose achievements have been acknowledged by many delegations this morning, are a good example. While providing comprehensive resources and support to strengthen legal and technical capacities across the globe, GFCE Working Group A specifically focuses on increasing policy and strategy-making capacities. This, for instance, led to the development of the online catalog of project options for the national security strategy cycle – a detailed framework and a set of resources to help national actors designing their national cyber policy. [Unclear] example of ransomware threats, the Ransomware Task Force established in 2021 and hosted by the Institute for Science and Technology is another example of successful public-private partnerships in cyber policy capacity building. The task force aims to unite and build trust between key stakeholders across industry, government and civil society to innovate new solutions, break down silos, and find an effective new method to counter ransomware threats. This led to the making of a large range of actionable policy recommendations, increasing public authorities’ ability to build strategies and policies to address the ransomware phenomenon. In this endeavor, the role of informal diplomacy should finally be emphasized. Non-institutional fora and nongovernmental organizations such as the World Economic Forum, the Raisina Dialogue or the Paris Peace Forum, enable states to benefit from informal engagement with stakeholders, even on sensitive policy issues related to internal security. In this regard, they are critical resources to increase states’ cyber policy capacities and are complementary to formal negotiation and processes are undertaken in the framework of the United Nations. In the same vein, existing multistakeholder frameworks, such as the Cybersecurity Tech Accord or the Paris Call for Trust and Security in Cyberspace, can be leveraged to increase political awareness on cyber policy and confirm priority directions to build robust and resilient national cyber strategies. I will conclude by thanking you Mr. Chair for your commitment to engage meaningfully with the stakeholder community as part of, but also beyond, the substantive session of the OEWG, Thank you.

Ambassador Gafoor

Thank you, Paris Peace Forum for your contribution. The next speaker is from the European Union Institute for Security Studies, you have the floor, please..

Distinguished Chair, excellencies, esteemed delegates, thank you for this opportunity. As we continue to navigate the challenges posed by the rapid technological advancements and increasing confrontations in cyberspace, public-private concerted activities are an essential component of efforts to build capacity. Echoing the statements made by the Philippines, Bangladesh, Canada, Croatia, and many others, we want to emphasize the need to bolster multistakeholder engagement. In response to the guiding question, we would first like to highlight that there are a vast host of EU public-private partnerships on capacity building that have yielded positive results. They are traceable back to four main priorities, supporting legal frameworks in the fight against cybercrime, enhancing the reach and capacities of criminal justice authorities, increasing third-country cyber resilience and preparedness and contributing to international cyber policy cooperation. As implementers of the EU Cyber Diplomacy Initiative, the EUISS also recognizes and promotes the intrinsic value of horizontal platforms to endorse responsible state behavior and to foster international cooperation on cyber issues. We want to highlight that public-private partnerships are not only relevant in the context of capacity building, but are also key mediums for progressing on the overall multilateral agenda. On our own bilateral engagement with partner countries as well as multistakeholder platforms such as the Let’s Talk Cyber consortium or the European Cyber Agora have provided a space for the research community, civil society and the private sector to engage with states on everything from international law, threats, digital sovereignty, norms, and CBMs. While it is true that many useful guidance texts and input papers have come from states in this forum, organizations and projects, including our own, have also consistently developed research and thought leadership that can help states generate ideas, positions and substantive contributions. Reference to those activities are provided in the written statement. The multistakeholder community can and should be viewed as an essential resource and partner in the implementation of responsible state behavior in its entirety. In that vein, and given the extremely limited group of stakeholders in the room today, we would like to invite states to engage with and make use of such expertise in this distinguished forum and in other occasions. Thank you.

Ambassador Gafoor

Thank you very much. European Union Institute for security studies. The next speaker is Nuclear Age Peace Foundation. You have the floor, please.

Nuclear Age Peace Foundation

Honorable Chair, distinguished delegates, ladies and gentlemen. My name is Sean Becker, and I am a youth activist with the Nuclear Age Peace Foundation. NAPF is a nonprofit, nonpartisan, 501(c)(3) organization recognized by the UN as a peace messenger organization. We delivered two interventions to this working group during the intersessional meeting last December. Honorable Chair, capacity building within developing states is critical to achieving a safe international cyberspace, where all states have the means to ward off cyber attacks that might otherwise have irreparable consequences for their stability. Partnerships with the private sector have proven themselves capable of playing a key role in capacity building, specifically being uniquely equipped to educate a new generation of ICT professionals. To tackle the growing threat of cyber attacks. While we recognize the roles of both the private sector and states in capacity building, it is also crucial for states to engage with youth activists and young professionals from ICTs. For example, a few hours ago, we convened a side event on youth engagement and access to ICTs. At this virtual side event, we explored how youth access to ICTs can be made more equitable, how youth can be better included in policymaking decisions regarding ICTs and how states and the private sector can collaborate to encourage youth engagement with ICTs. The international community must address these questions when determining which examples of public-private partnerships for capacity building in the area of security and in the use of ICTs are worth emulating. Young people are especially important for establishing responsible ICT practices, as they will be involved in future work in this field, such as assisting the development of cyberinfrastructure within developing states. The growing threat of large-scale cyber attacks should act as an incentive for states and private entities to invest in the digital capabilities of our young people through the funding of youth initiatives and programs targeted at developing relevant skills. By investing in the cyber skills of the younger generation, states and non-state actors alike will be able to secure a future that includes safe cyberspace for all. We urge states to not only examine the viability of establishing partnerships with large private entities but also with young individuals like myself, who are eager to play a role in addressing many of the challenges that new cyber technologies present, including those embodied by ICTs. Proper youth partnerships with states and organizations could prove a vital asset. For those looking to combat future threats to our digital spaces. This body must take youth into account in further discussions around cybersecurity policy. Thank you.

Ambassador Gafoor

Thank you very much Nuclear Age Peace Foundation for your contribution. The next speaker is Derechos Digitales. You have the floor, please.

Derechos Digitales

Thank you Chair. Mr. Chair, distinguished delegates, Derechos Digitales is grateful for the opportunity to address this working group on the topic of capacity building. We are a human rights organization focused on the impacts of the use and regulation of digital technologies and the effects of cyber threats on the enjoyment of all human rights and social justice in Latin America. These impacts are compounded when knowledge gaps prevent effective prevention and mitigation of harm from those threats. We concur that capacity building is essential to foster peace and security in cyberspace and a condition for the effective operationalization of agreed norms. We recognize the breadth of subjects where capacity and knowledge gaps may yet exist and support proposals by states to allow further discussion and foster common understanding regarding many of the topics discussed in this working group. Partnerships among states and non-governmental actors are key for the success of those efforts. Derechos Digitales commends the efforts conducted by states, international organizations and academics to fund and organize formal training programs, including those on cybersecurity and gender, as it happened at the University of Chile just weeks ago, and recognize the efforts to include expertise from members of the private sector and civil society. But there is still complementarity with other contributions from non-governmental actors including our own work. Derechos Digitales conducts, funds and supports the development of digital security training in Latin America, in partnership with local experts, directing efforts towards groups including women, LGBTQI individuals, indigenous groups and others. We facilitate a nascent network of nongovernmental organizations exchanging information on cyber threats and developing distributed capacities for threat response. We have collaborated in gender-sensitive training on cybersecurity by the police in Chile and more examples abound. We believe this experience in substantive issues and information exchange across countries and groups is a fundamental source of knowledge to understand the lived experience of developing countries in the face of cyber threats, and can help identify the need for further capacity-building efforts. Finally, we join recommendations to include in the upcoming report of the working group, the recognition of the role of non-governmental stakeholders in capacity building efforts, and the integration of their expertise in all areas of capacity-building, nationally and internationally to operationalize the agreed framework. In summary, cooperation and capacity building is by itself a means to bridge knowledge gaps, as well as to enhance the role of capacity building to build an open, secure, stable, accessible and peaceful cyberspace. Thank you, Chair.

Ambassador Gafoor

Thank you very much Derechos Digitales. The next speaker is the Center of Excellence for National Security from the Rajaratnam School of International Studies, NTU Singapore, you have the floor please.

S Rajaratnam School for International Studies

We thank the Chair for the opportunity to speak to this informal inter-sessional meeting of the Open-ended Working Group on the theme capacity building and in particular the role of public-private partnerships. We further thank the Chair for your efforts to continue including all stakeholders in formal and informal and hybrid formats of the OEWG. We wish to respond to your guiding questions from our perspective as an independent national security policy research think tank from Singapore based on what we have observed while conducting cyber capacity building workshops and events in ASEAN and beyond. Your first question – are they good examples of public-private partnerships on capacity building in the area of security often in the use of ICTs – we share examples of what we have assisted in: the UN-Singapore cyber program and the UN-Singapore Cyber Fellowship, which other delegates have spoken about. In these programs, non-government stakeholders have provided an objective, textured and non-political approach to topics relevant to this OEWG, such as the norms implementation checklists, and the applicability and scope of international law to the use of ICTs. Non-government stakeholders can therefore facilitate difficult discussions such as state sovereignty, sovereign equality, non interference, definitions are what amounts to threat or use of force in cyber operations, principles of due diligence, whether there is a need for a binding legal instrument, operationalization of the points of contact directory and [unclear] of cyber threats. As part of capacity building activities, non-government stakeholders can bridge gaps in international law understanding by convening in depth discussions and study groups for both track one and track two, and assisting states in developing position papers for the OEWG to consider even on topics that may be controversial. The OEWG, in turn, can support non-government stakeholders to engage other regional groups that are not yet engaged in the process, but have relevant expertise, such as multinational companies or think tanks provide capacity building on transnational issues, such as protection or transnational critical infrastructure. The OEWG can also invite non-government stakeholders who have assisted in these programs to present lessons learned and best practices to the OEWG so that all member states can benefit. This can be done irrespective of accreditation status to the substantive sessions. Second question, are there lessons that can be gleaned from these examples? We have found that participants learn best when non-government stakeholders present in depth technical assessment case studies in an academic matter, without political finger pointing over the actions of any state. We observe from the public-private collaboration in the UN-Singapore cyber program that states that pursue an approach of engaging non-government stakeholders create systemic confidence through the mutual building of capacity between states and non-state stakeholders. Public-private cooperation also helps threat intelligence sharing when states and private sector have issued advisories on vulnerabilities. This also strengthens the norm of responsible state behavior in managing vulnerabilities and helps confidence building. For states to gain the most benefit, we encourage all to take advantage of programs like the UN-Singapore Cyber Fellowship, and actively engage stakeholders like us, within and outside the framework of the OEWG. We are keen to share our research through briefings, workshops, papers, and more. And we hope that states are also open to receive. Thank you, Chair.

Ambassador Gafoor

Thank you very much. Center of Excellence from Singapore. The next speaker is Fundacion Karisma. You have the floor please. Thank you, Chair.

Fundacion Karisma

Chair we thank you for your work and that of your team in this Open-ended Working Group and for the opportunity to participate today. I come from Fundacion Karisma, a Colombian civil society organization working in digital rights and we have a digital security laboratory specializing in looking after civil society members. I wish to present an example of a public-private partnership for capacity building which we belong to. Since 2016, Karisma belongs to an advocacy project on said websites and state apps. looking for vulnerabilities and privacy issues. We use nonintrusive methods and if we find any problems we directly report to the Technology Ministry and then the respective entities responsible in other words, the ICT Ministry in Colombia and Karisma are drawing up a road map regarding vulnerabilities. This includes protocol and responses and allows us to establish vulnerabilities found within state institutions in a safe way, while the state helps those responsible to provide an adequate response. This changes the culture of fear in the state with regard to this kind of report, and it protects the data and privacy of citizens. Also, once the breach gaps have been closed, and if there is any risk, we communicate publicly and safely, so that the process can serve others in the future. Since 2020, the state took the first step to develop a roadmap for institutional vulnerabilities and disseminating this through the Colombian cybersecurity policy. In 2021, the OECD recognizes this as an example of good practice in reporting vulnerabilities. We built this up informally between Karisma and the ICT ministry. Currently in 2023, Karisma and the ministry, the ICT ministry, has been starting discussion meetings to draw up a roadmap for vulnerability dissemination and identification so as to ensure that we have more complex ITC systems which are also covered. We hope that the private sector in the future and cybersecurity investigators can use this new route for vulnerability dissemination in the future, and then you can use it more directly. We are building up this incidence response system, we know it’s complicated, but we have to accept that states are vulnerable. We also are aware that reporting breaches and gaps in the digital world must be done responsibly, and meeting international standards if we wish to avoid causing further damage. So for these reasons, cooperation between stakeholders, and with other stakeholders is fundamental since this helps us to build trust and helps with capacity building, which is a key tool in coming up with simple effective tools to meet the challenges faced in cybersecurity. We are interested to hear other responses from various stakeholders, and particularly from civil society. Thank you.

Ambassador Gafoor

Thank you very much for Fundacion Karisma, I’d like to come back to West Africa ICT Action Network, I think you missed the opportunity earlier. Can I confirm that you’re still interested? Or perhaps you no one’s available to speak? Well, that’s well noted, then, I don’t have any other speakers from stakeholders. And we might have about 10 minutes to get some comments from some delegations on the specific issues raised with stakeholders. But I just wanted to say as well, first of all, I want to thank the stakeholders who are here, not only this afternoon but who have been here throughout this week for your engagement and for your contribution and for bringing a very valuable perspective into the work of the Open-Ended Group. And I want to say that, right from the beginning, I have been committed to engaging with you, because I think it’s important that member states don’t operate in their own bubble, but also have ideas from outside. And I think that is what you do. Your contribution is valuable. Second, of course, because this is an inter-governmental process, we have to operate within the modalities as agreed by governments. And that’s exactly what we are doing. So although the number of participants from the stakeholder community today is limited, that is the result of some of the decisions that have been made at the inter-governmental level. But whatever the modalities it has been my determination to find different ways to engage with stakeholders, which I will continue to do so. So I assure the stakeholder community present here physically, but also those who might be following the discussions virtually. I want to assure them that I will continue my efforts to reach out to you. And this brings me to my second point, because I think the stakeholder community also has a responsibility in terms of your engagement, which is that as the work of the Open-ended Working Group evolves, with each passing meeting, it is important that the stakeholder community find its own way to add value to the discussions that are taking place in the working group. And as you would know, the work of the working group has shifted into a more focused phase with a lot of attention paid to details implementation operationalization and therefore, it will be used. We’ll also hear from the stakeholder community comments that are very focused, very specific, related to the implementation of the framework of norms, rules and principles, as well as the operationalization of the framework. So I would also say that the extent to which you are able to shape the discussions in the working group will also depend on how focused and how connected you are with the work as it evolves with each passing session. And I was very happy to hear that many of you made, indeed very detailed comments that will be relevant for the work. So I wanted to thank you for that. The third thing I want to say is that, even if you hadn’t been able to speak today, for much longer than the time allotted, I want to assure you that you can put your contributions on the website of the OEWG. In a sense, that is already this opportunity for you. I know it can be very stressful to try and squeeze your interventions into a three to five minute opportunity, but I want to assure you that you can send us your written contributions is not going to be any less attention paid to that, we will do that, at least as the team that I have made, I and my team will will look at your contributions. The last thing I want to say, also to the stakeholder community is that in terms of your outreach, do reach out to the delegations. And do reach out to delegations that you normally may not reach out to, because that’s how you can also persuade them of your ideas, and suggestions. I think at the United Nations, everyone recognizes the role of stakeholders because they are stakeholders involved in different processes. But ultimately, governments tend to be busy with their own work. In such processes, they are busy running from meetings to meetings. So I think the reaching out has to be also from the stakeholders and to of course, member states, let me conclude with the point that please be welcoming of the stakeholders, please reach out to them to. And so it’s not just the comments and interactions that take place, but also at the margins of these discussions. Now, we may have about five to six minutes for any specific comments from delegations with regard to what has been said by stakeholders. So we are not going into stakeholder or rather, we are not going into national statements on capacity building, we’ll come to that. But I wanted to check whether there are any specific comments from delegations with regard to the specific points that have been raised by the different stakeholders. Okay, we’ll take two delegations, then Canada and Colombia. Canada, please, succeed. comment, please. Thank you.


Thank you, Chair, I’ll be very succinct. Just wanted to really thank the stakeholders who are here today, and who made some really, really excellent presentations. You’ve all heard me say this before I said it in the lunch side event today, and I said it on norms the other day, we don’t just sort of listen to check a box, we listen for good ideas. And I’ve noted some of the good ideas that I’ve heard, that I’ve incorporated in various text proposals that Canada has made, whether the norms text or others. I took some detailed notes here today and I’m going to take these home and the ones that I think can get through my system, we’ll get into our proposals, and I think other states should consider doing that as well, because that’s the real value. There’s the modalities, there’s the vetoes which were unfortunate, but I think we’ve managed to hear from stakeholders, whether it’s at the event that you organize chair last week or the one today. So nothing’s perfect, right? It’s the UN, wouldn’t it be nice if things were perfect, but they aren’t, but it’s good enough. We’ve heard some really strong statements today. And I can say that for my delegation, we plan on actually actioning some of these and including them in our proposals. Thank you.

Ambassador Gafoor

Thank you very thank much Canada, and I agree with you absolutely. Some excellent contributions made, and I’ve taken careful notes as well. So I think there’s a lot of follow up, we can do. Colombia, please.


Thank you, and very briefly as well, I’d also like to express gratitude for the participation and contributions from the many interested parties and stakeholders. And reiterate, as you have already been saying that they, in my delegation’s view, also have a responsibility and supporting states in implementing the responsible behavior norms. In fact, they’re sharing some of their successful experiences with us and this public-private partnership, for example, gives added value to the discussions that we’re having here. And my delegation hopes that we can continue working hand in hand with the many stakeholders. Thank you.

Ambassador Gafoor

Thank you very much, Colombia. I agree with you as well, yeah. Maybe one more speaker, and then we can wrap up. Okay, well, two more speakers, and then we’ll wrap up and then have a break before we resume. Our formal meeting. So ICC, sorry, Russian Federation, followed by the ICC. Russian Federation, please.


Mr. Chairman, distinguished colleagues, thank you for giving me the floor. I’ll also be very brief. I just wanted to once again draw attention to the fact that in the run-up to the fourth session of the OEWG, the application for visas was denied for all Russian organizations that are accredited to the OEWG, we would have been able to hear a lot more interesting statements today but unfortunately we see a discriminatory policy against NGOs representing the Russian Federation. We see this as a glaring attempt to cut our academic community, which has the necessary expertise in information security, off from the discussions within the OEWG and we would be grateful Chair, we actually are grateful to you Chair, for the appeal that you made on Monday to not be discriminatory and to allow for participation on an equal basis. For participation for all those that want to participate. NGOs that have every right to do so and participate in the work of our group. And we hope that in the future, such practice will not be repeated. Thank you.

Ambassador Gafoor

Thank you, Russian Federation. You know, I really hope one day that the back chambers of this meeting room will be filled such that we don’t have enough seats for stakeholders. We have the modalities to make that happen. And the fact that we don’t have the back chambers filled with hundreds of stakeholders is in some ways a commentary on the work that needs to be done in this working group. This working group is about building trust and confidence among member states. It is not that the modalities are imperfect. Honestly, I think the modalities are as good as we need them to be. The modalities for stakeholder participation is as perfect as the UN Charter. We have what we need. It’s possible that with these modalities, we can have hundreds of stakeholders in this room. And one day we’ll get there, because in processes like these, it takes time. And I have the patience at least and as chair of the process and as Chairs’ of UN processes, we must have patience and the hope that it will happen. So it is also my hope that we will have stakeholders from different parts of the world, every part of the world to be filled in this dedicated stakeholder dialogue, and we will get there. So let’s make incremental progress even on that front, on a step-by-step approach, as we rebuild confidence, which will then allow the modality is to be implemented in a way where the non-objection procedure will become a relic of the past and will not be used. Very good then I see that the International Chamber of Commerce has pressed the button and I would give the ICC the floor when we come to the formal meeting on capacity building. But I want to ask are you wishing to make a specific comment on the stakeholders. Okay, I see you shaking your head. So we will come back to you ICC after we hear the state comments, thank you very much for your understanding. So the representatives of the stakeholder community once again, thank you so much please don’t give up on us or on this process. Your contributions are very much valued and your engagement is appreciated, your ideas are needed and thank you for being part of this journey of 1000 steps and with that note, I’d like to also thank all the member states who are present here and then we will adjourn now we will I’ll close this meeting we’ll take a 10-minute coffee break and we’ll resume at 4.30. The meeting is closed. Thank you very much.

Leave a Reply

Your email address will not be published. Required fields are marked *