Agenda item 5 : Day 4 Morning session

7 Mar 2024 15:00h - 18:00h

Event report

Agenda item 5

Table of contents

Disclaimer: This is not an official record of the session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed.

Full session report

International commitment to cybersecurity confidence-building measures underscored at OEWG session

During the seventh substantive session of the Open-Ended Working Group (OEWG) on Security of and in the Use of Information and Communication Technologies (ICTs), member states engaged in detailed discussions on the implementation and potential expansion of confidence-building measures (CBMs) in the realm of cybersecurity. The session was chaired by an individual who underscored the significance of CBMs in fostering international trust and cooperation.

A primary focus of the session was the Points of Contact (POC) Directory, which is designed to facilitate communication and collaboration between states in response to cyber incidents. Delegates from various countries, including the Netherlands, Ecuador, Argentina, and Australia, expressed support for the POC Directory and committed to nominating their points of contact. The directory was recognized as a crucial tool for enhancing trust and cooperation in cyberspace.

The delegates also discussed the possibility of introducing new global CBMs. There was broad support for measures aimed at enhancing cooperation, protecting critical infrastructure, and involving the private sector in cybersecurity efforts. The need for a step-by-step approach to the establishment and operationalization of the POC Directory was emphasized, with the goal of ensuring inclusivity and effectiveness.

Capacity building was identified as a key enabler for the universal implementation of CBMs, especially for countries with limited resources and technical expertise. The Chair expressed concern about potential delays in delivering capacity-building measures and urged member states to show urgency and commitment to achieving tangible results. The upcoming Global Roundtable on Capacity Building was highlighted as an opportunity to showcase progress and maintain momentum in capacity-building efforts.

The session concluded with a consensus on the necessity of implementing the POC Directory and the initial list of CBMs, while also initiating discussions on additional CBMs. The Chair summarized the discussions, noting the delegates’ commitment to building trust through dialogue and concrete actions. The Chair also emphasized the importance of proactive steps to deliver capacity-building measures and demonstrate results, rather than adopting a wait-and-see approach.

Notable points from the session included the recognition of the OEWG itself as a CBM, providing a platform for dialogue and consensus-building among states on cybersecurity issues. Additionally, the session underscored the interconnectedness of various CBMs with the broader framework of rules, norms, and principles governing state behavior in cyberspace.

In summary, the session reflected a strong commitment from the international community to enhance cybersecurity through CBMs, with an emphasis on the POC Directory’s role in building trust and the critical need for capacity building to support the implementation of these measures. The Chair’s call to action highlighted the urgency of moving from discussion to implementation to ensure the OEWG’s work contributes to a more secure and stable cyberspace.

Session transcript

Chair:
Distinguished Delegates, the seventh meeting of the seventh substantive session of the Open-Ended Working Group on Security of and in the Use of ICTs established pursuant to General Assembly Resolution 75-240 is now called to order. We will continue our discussion on confidence-building measures that we began yesterday, and we will continue with the list of speakers who have indicated their desire to speak on this item. If you wish to take the floor, and you had pressed the button yesterday, you don’t need to do that today. But if you haven’t done so yesterday, you can press the button today, and I’ll give everyone an opportunity to speak. So we’ll start with Ghana, to be followed by the Kingdom of Netherlands. Ghana, please, you have the floor. Microphone for Ghana. Ghana, could you press the button? Yeah, okay, yes. Yes, please.

Ghana:
Mr. Chair, on this thematic area, Ghana supports the following additional CBMs. Cert-to-cert cooperation, cooperation between states on capacity building to close the digital divide, protection of critical information infrastructure, and public-private sector cooperation. Regarding your guiding questions on how these CBMs can be universally implemented, we believe that strong political commitments and capacity building are essential factors in achieving this goal. Political commitments plays a crucial role as it influences the measures countries adopt, including policies and legislation necessary for implementing existing CBMs. Ghana’s cybersecurity development has been as a result of a strong political commitment, particularly demonstrated when the President of the Republic assigned the Minister for Communications to oversee cybersecurity matters and appointed a National Cybersecurity Advisor. This initiative led to the establishment of a Cybersecurity Secretariat, later evolving to National Cybersecurity Center and ultimately becoming a cybersecurity authority with a mandate to regulate cybersecurity matters. The CSA is able to put in place the necessary measures to address issues such as set-to-set cooperation and protection of critical information infrastructure, whilst also engaging in international forums, which in itself is a CBM. Regarding capacity building, we deem this equally vital, especially for countries with limited resources and technical expertise. Focusing on capacity building enhances awareness of global CBMs and boosts the technical capacity of member states, including CERT teams, critical information infrastructure teams, and law enforcement units. This understanding fosters active participation in the implementation and operationalization of CBMs. Capacity building efforts can take various forms, such as webinars, workshops, fellowships, and other related initiatives aimed at enhancing technical skills and knowledge. Mr. Chair, regarding the POC directory, my delegation mentioned in the sixth substantive session the importance of developing and implementing communication protocols with the directory. This can be done through developing standardized templates. To ensure utmost efficiency, it is also important to outline the extent to which the POC should be utilized and the circumstances under which member states are to reach out to their counterparts. Having such protocols in place will ensure that the benefits of the directory are efficiently utilized, and these are some of the elements that can be discussed in the future mechanics. Furthermore, having written down clear and coherent guidelines will ensure consistency and clarity in information exchange. Finally, having and implementing protocols for responding to incidences made to the various POCs can contribute to ensuring timely communication and responsiveness among states. Member states can also discuss and implement a feedback mechanism that will gather inputs from states on the directory’s functionality and user experience to ensure continuous improvement. I thank you, Mr. Chair.

Chair:
Thank you very much. Ghana, Kingdom of the Netherlands, followed by Kazakhstan.

Netherlands:
Thank you, Chair, and good morning to you and good morning to all the delegates. The Netherlands aligns itself with a statement delivered by the European Union, and I will make some additional remarks in my national capacity. As you named yesterday the 23 countries who have appointed their point of contact, it is great to see that this concrete initiative of the POC Directory is coming to life, and we expect to appoint our POC before the deadline and look forward to the official launch of the POC Directory in May. The Netherlands considers that we should approach the POC Directory in an incremental way and learn from experiences of the ping test that’s planned in June. During the ping test, the Open and Working Group could reflect on the capacities needed to participate and possible areas of future work. The initial list of voluntary global CBMs is a reaffirmation of our commitment to enhancing transparency and transparency. trust, and cooperation between states as well as with stakeholders. To further implement and operationalize this set of CBMs, we could look at regional experiences with the implementation of certain CBMs and the associated capacity building needed to do so. Chair, in your guiding questions, you asked our views on the possible additional CBMs, one, the protection of critical infrastructure, two, the public-private sector cooperation, and three, coordinated vulnerability disclosure. The Netherlands believes these CBMs could be a valuable addition to the initial list. Having experience with these CBMs in OSCE context, the Netherlands would be interested to hear from experiences of other regions to assess whether and how these CBMs can be applied in the global context. With regards to the suggestion of a CBM on CERT-CERT cooperation, states should be encouraged to use existing CERT-CERT channels to exchange information in addition to the POC directory once it’s operational. It would be important to see how we could complement existing initiatives, including within the form of incident response and security teams, with global CBMs. It would also be interesting to look at further examples of CBMs from other domains that may be tailored to promote transparency and prevent unintended escalation in cyberspace. The Netherlands thanks you, Chair, for having facilitated exchanges with regional organizations to enrich our works on CBMs. To this end, the informal cross-regional CBMs group co-organized a side event hosted by Germany on sharing best practices and lessons learned on the establishment, management, and use of cyber points of contact in various regional contexts. Many useful best practices transpired from the event that hopefully help delegations in approaching our future work, including the POC Roundtable on the 9th of May, an event the Netherlands very much looks forward to. I thank you very much, Chair.

Chair:
Thank you very much, Netherlands, for your statement. And I take this opportunity to also thank the Netherlands and other members of the Cross-Regional Group on Confidence-Building Measures for having organized that site event yesterday on sharing of best practices with regional POC directories. I think that aspect of our work remains very important, and I just wanted to thank all members of the Cross-Regional Group and, of course, all others who have been taking an active part, and also for the various outreach and site events that have been organized this week. Thank you for that, Netherlands. I give the floor now to Kazakhstan, to be followed by Albania. And just to be clear, if you are taking the floor and your microphone is not lit up, so you need to press the button until it turns green, which means you are requesting for the floor so the audio engineer will know where you are seated, and then when it turns green, wait for it for a few seconds, and then you can speak. So that’s the way the UN audio system works, and there are some engineers who are very hardworking at the back trying to give you the floor, so you will get a chance to speak. So Kazakhstan, to be followed by Albania.

Kazakhstan:
Thank you, Chair, for giving the floor. And good morning to all of the delegates. Kazakhstan fully supports the use of CBMs in the report. And regarding your question for the list of additional CBMs, facilitating a common understanding of ICT security terminology among participating states serves as the foundational step to enhance trust, communication, and cooperation in effectively addressing the complex landscape of cybersecurity challenges. So we consider it important to indicate the creation of list of ICT terminology as one of the CBMs. Including the ICT terminology in confidence-building measures is crucial, as the terminology resource helps in understanding key concepts in the field of ICT. The glossary is needed not only for the participating states, but also for all who would like to familiarize themselves with the text of annual reports for a more understandable text and with the content of abbreviations on it. Furthermore, we should highlight the Institute of Raising Awareness as a key component of the CBMs, prioritizing this effort. This initiative not only encourages a broad understanding of cyber threats, but also makes active participation from all stakeholders in preventive measures. On that, it would be beneficial to complete a list of outlining potential approaches of raising awareness, making it from the collective experiences of all participating states willing to share their best practices. The proposed awareness-raising measures can be made as a questionnaire and posted on the POC portal, making it more informative and increasing its importance. It’s also needed to focus on highlighting the capacity building as one of the CBM by providing states with the necessary skills and knowledge to effectively counter cyber threats and manage cyber incidents. we consider that participating states develop capacity-building initiatives aimed at enhancing their capabilities in ICT threats and vulnerabilities, promoting ICT security, and developing the skills necessary in effectively responding to cyber incidents. As for the points of contact, we support the work of POCs as it helps for improved coordination, quicker resolution of concerns, and overall strengthening the cybersecurity measures. Like many countries, Kazakhstan is currently in the process of appointing the point of contact. For our part, working with the CBMs, Kazakhstan is the only country in Central Asia within the framework of OSCE, co-curating one of the confidence-building measures together with Canada related to ensuring the open, interoperable, secure, and reliable Internet. So as the part of the CBM work, we organized sub-regional training sessions in our state last year related to the use of CBM. Furthermore, we also actively support the OSCE’s work for the POCs, and for today, Kazakhstan is actively applying this in practice. As an example, we already had a case where through the OSCE community’s portal for POC, we were able to contact representatives of another state to request information about the cyber incident. This approach contributes to quick coordination and active cooperation. Finally, we support that it’s important to highlight the role of PPP, public-private partnerships, and we also propose to reflect on the work of white hat hackers as they play an important role in this sector as a strategic mechanism for cultivating trust, enhancing communication channels, as it significantly responds capabilities in the face of evolving threats. Thank you.

Chair:
Thank you very much, Kazakhstan. Albania, to be followed by Russian Federation.

Albania:
Thank you, Mr. Chair, esteemed colleagues. Albania fully aligns with the Statement of the European Union. We stand resolutely in affirmation of the significance and efficiency of the confidence-building measures as instrumental in cultivating trust among nations and in diminishing the risk of conflicts within the digital domain. As underscored by OEWG in its insightful reports, CBMs are paramount in enhancing transparency, predictability and stability across states. We acknowledge with great appreciation that CBMs are crucial in bolstering transparency, fostering confidence and ensuring stability, those curtailing the likelihood of misinterpretations that could spiral into crisis. Albania views the OEWG as a pivotal platform for the exchange of practical tools, best practice and illustrative examples, which are essential in engaging and propelling the development and executions of the CBMs. In this spirit, we endorse the establishment of the Global POC Directory, a vital tool for building trust and facilitating information sharing among countries. We consider the Global POC Directory as a cornerstone for enhanced cooperation and the provision of expertise among states in times of cyber-crisis, an initiative of immense value particularly in the Western Balkans region. For tomorrow, Albania champions the development of a universally accessible U.S. UN platform. The development of such a platform is crucial for enabling states to share and identify cyber threats and malicious activities efficiently, ethically and confidentially reporting the security vulnerabilities between national and governmental certs, thereby fostering accountability and due diligence. We acknowledge the crucial role of international cooperation in the realm of cyber security. Recognizing our position as a smaller state with constrained resources, we wish to express our gratitude towards the United States, European Union, United Kingdom and Israel for their substantial contributions within the region, with a special note to Albania. The borderless nature of cyberspace, combined with the universal challenge of confronting malicious activities and threats, underscores the indispensability of global collaboration in safeguarding critical information infrastructures. In this context, the exchange of information emerged as a fundamental aspect. We have gone through very tough times not so long ago, with sophisticated threat actors targeting our critical infrastructures with the aim of disrupting everything we have built. But they say that in tough times you understand and feel the presence of real friends. This experience has illuminated the true essence of friendship, highlighting the critical need for trust, stability and transparency among nations. Albania is profoundly thankful. for its partnership with OECE in advancing CBMs. Our dedication to contributing towards regional and international efforts remain unwavering. Through initiatives under the guidance of OECE, we have facilitated bilateral exchange, including visits to and from European Union member states, thereby fostering a spirit of cooperation. We are convinced that the engagement of multiple stakeholders in cybersecurity is essential for an inclusive, society-wide strategy. This includes valuable input from the private sector through public-private partnership, businesses, industry, academia, and civil society. In closing, our heartfelt appreciation goes to the United States and the Global Forum of Cyber Expertise for their role in advancing gender diversity within the field of cybersecurity, notable through the Women in International Security and Cyberspace Fellowship, thereby enriching our team with very skilled female cyber professionals. I thank you for your support.

Chair:
Thank you very much, Albania, for your contribution. I give the floor now to the Russian Federation, to be followed by Mexico.

Russian Federation:
Mr. Chair, with regard to developing confidence-building measures, in 2023 we took an important step forward. We adopted the elements of a global intergovernmental points-of-contact directory for the purposes of exchanging information on computer attacks or incidents. In this way, the OEWG once again demonstrated its efficiency and viability as a consensus decision-making mechanism. It’s important that this directory should not remain on paper. It should be used by states in good faith to develop depoliticized cooperation with a view to reducing tensions and preventing misperception of incidents in cybersphere. This in turn will greatly reduce the risks of conflicts in information space. We welcome the efforts of the group’s chair to launch the POC directory as soon as possible. For our part, we have already submitted to the UN Office for Disarmament Affairs information on Russia’s points of contact at the technical and diplomatic levels. In our case, the diplomatic point of contact is the Ministry of Foreign Affairs, and the technical POC is the National Computer Incident Coordination Center, which is our national CERT, Computer Emergency Response Team, and Computer Security Incident Response Team. We urge all UN member states to promptly identify points of contact in their countries and submit them to the directory. This will enable us, in line with the chair’s intention, to move already starting in May to practical activities for the POC directory, including regular and virtual meetings, communication checks in the form of ping tests. In our view… Such efforts will be more effective if already at this point we further improve the directory primarily through developing standardized communication templates. Such templates could include the type of information requested, including technical data, and the nature of the request. As regards capacity building measures, we believe that collating a specific list of needs for each state participating in the POC directory is a step in the right direction. It’s important to pay special attention to the needs of developing countries, many of which do not have experience of participating in other directories of narrower membership. In our further work on the initial list of CBMs, we can’t lose sight of the main objective here, to raise the overall level of trust among states, to reduce the risk of misperception and escalation, to prevent tensions from rising into direct confrontation. In this regard, it would be useful as a priority to discuss and develop consultation mechanisms inter alia through competent agencies on activities in cyberspace that may raise the concern of states. The POC directory that we are launching could be a basis for such mechanisms, since it enables direct communication among states’ interested authorities. A fundamental point is that any current and future CBMs should not be used as a tool for interfering in countries’ internal affairs, for making biased political assessments of states’ activities and intentions in the information sphere, or various types of punishments, such as sanctions and other measures of response. Thank you very much.

Chair:
Thank you very much, Russian Federation, for your statement and suggestions. I give the floor now to Mexico, to be followed by Republic of Korea.

Mexico:
Thank you, Mr. Chairman. I begin by thanking you for the notable contribution of the stakeholders whose efforts are constantly enriching our debate. We appreciate that the chairman took into account the call by Mexico in the previous substantive meeting of the group in order to reflect the names of each organization instead of using the generic stakeholders. As we have said in other forums, we think it important that the work of the stakeholders be clearly identifiable as a just and necessary way of recognizing all representatives and to continue to promote the participation of the various sectors that work in cyberspace. With regard to CBMs, Mexico joins in the statement made by Chile on behalf of a group of countries since we believe that these measures have shown to be effective in other areas of international security and are a good and necessary element in cyberspace. Given increased concern over malicious uses of ICTs and geopolitical tensions, establishing and strengthening CBMs are vital contributions toward a secure, stable and peaceful ICT domain. That is why we must speed up the universal application of CBMs and make them operational with the cooperation of interested parties. This means expanding their scope and guaranteeing capacity development as an enabler of CBMs. We are grateful to the Chair for what it has done to compile recommendations on the global POC directory. Capacity development is essential to make progress on implementing CBMs. The points of contact must have access to formal capacity-building initiatives systematically based on the principles of international cooperation contained in Annex C of the Second APR. It is also desirable to have participation in tabletop exercises and simulations. Mr. Chairman, we want to emphasize that the voluntary and gradual nature of CBMs is not determined by the current capacities of each country. In fact, as a result of their participation in the POC networks of cyber incident responses, the operational entities in my country have established strategic cooperation based on management capabilities relative to security incidents, strengthening their technical and operational capabilities. capacity. In this regard, and considering your guiding questions, my country is open to exploring and promoting the CERT-to-CERT cooperation as a CBN, since we have witnessed the benefits of operational cooperation as part of the CECERT Americas Network. We also believe that it is essential to explore strengthening public-private associations in order to understand the implications of these technologies, focusing on guidelines which would guarantee responsible uses, including ethical considerations and supervision at all times under human control. In conclusion, Mexico appeals to all countries to continue identifying and sharing best practices which at the national or regional level have come to be known as CBNs. We must continue to exchange experiences and knowledge to strengthen the capacities of our countries in the area of cyber security. Thank you.

Chair:
Thank you very much, Mexico. Republic of Korea, to be followed by Thailand.

Republic of Korea:
Thank you, Chair. The anonymous, transboundary, and simultaneous characteristics of cyberspace make it an environment prone to disputes caused by misunderstandings among countries. In this context, confidence-building measures are paramount in preventing the escalation of conflicts. My delegation believes that establishing points of contact can serve as the groundwork for further confidence-building measures, so we welcome the initial steps towards establishing a global intergovernmental POC directory. We will cooperate in order to facilitate the necessary process in accordance with the timeline presented by the UNODA. From the experience of CERT to CERT cooperations, participating in multilevel POCs from regional to global is beneficial in itself. ROK CERT is a member of both the Asia-Pacific CERT and FIRST. Participating in multiple POCs broaden the range of networking. We would like to build on these experiences and explore the possibilities of interlinking the regional POCs. Turning to the guiding questions, my delegation is of the view that capacity building programs can be one of the incentives for states to join the POC directory. We suggest to consider linking POCs with related capacity building programs in regional and global level. ROK operates Global Cyber Security Center for Development, which delivers a series of programs mainly for policy makers and experts in the public sector. Such capacity building programs may assist countries in interagency engagement at the national level, which we hope would conclude in joining the POC directory. Also, for successful implementation of global POCs, promoting public-private sector cooperation at the national level may be useful. Korea’s Cyber Threat Analysis and Sharing System, CTAS, could be a reference in this regard. CTAS welcomes private entities to join and receive threat analysis information provided by government agencies. However, only those entities who agree to provide their own information can be accepted and can benefit from the shared cyber analysis data. Incorporating a mutually beneficial system, as illustrated in the information sharing scheme, can be helpful in promoting public-private sector cooperation. Thank you.

Chair:
Thank you, Republic of Korea. Thailand, to be followed by Qatar.

Thailand:
Thank you, Mr. Chair. On CBMs, Thailand wishes to make the following points. First, Thailand sees great value in the establishment of the global point of contract directory, which could serve as a catalyst for fostering trust. confidence among states and effective tool in response to threat in cyberspace. Second, Thailand is of the will that capacity building and technical assistance remain crucial for operationalizations of the POC directory, including providing necessary tools and skills and pre-operational trainings. Such pre-operational provisions serve to ensure that the POC are equipped with operational readiness and particularly amongst developing states, hence mitigating the risks of digital divide. In this regard, we welcome the work plan scheduled prior to the POC operationalization, including the POC meeting in May, which will be held back-to-back with a global roundtable meeting on ICT security capacity building, the POC website, and the simulation exercise. With regard to the simulation exercise, they will allow the POC to manage and respond to simulated attacks similar to the real-life cyber accidents, which will assist in evaluating the POC capabilities and readiness and identifying gaps and loopholes, if any, to help them to function better. Third, on additional CBM, Thailand supports the global third-to-third cooperation as an area for further cooperation. Thai CERT has been actively monitoring, assessing risks, and providing support and guidance to address cyber threats to other agencies. We observe that over the short span of time, cyber threats have become widespread and even more sophisticated through the integration of artificial intelligence cutting-edge technologies. Between October 2022 and September 2023, there were more than 1,800 cyber attacks. incidents, including a number of attacks by remote access trojans and Lockbit 3.0 ransomware. Thailand is convinced that fostering the global third-to-third cooperation will be key to tackling the ever-evolving threats in cyber domain by leveraging from shared information equities, facilitating collective responses, and promoting future readiness. To achieve this goal, we can build on efforts made at the regional levels, as mentioned by previous delegations, including ASEAN Regional Third, which will deepen cooperation among ASEAN National Thirds. Moreover, we believe that it is possible to synchronize between the work of National Thirds and POCs, including under the OEWG and other regional frameworks, to facilitate effective and collective responses dealing cyber incidents. Thank you, Mr. Chair.

Chair:
Thank you very much, Thailand. Qatar to be followed by China.

Qatar:
Mr. Chair, in this session, we have discussed matters pertaining to collective responsibility for cyberspace. And in that context, talking about confidence-building measures, we want to reemphasize the importance of exchanging good practices with regard to ICT in all areas. This is essential to build confidence. We should never forget the need to face up to challenges and threats in a unified manner, present a common front. if you will. We suggest that confidence building measures should include partnerships between the public and private sectors. And in Qatar, we have created what we call the digital ecosystem involving all participants, which is an important way to build confidence and also strengthen competencies and improve the human potential. Cooperation between public and private sectors is the most effective way in our experience to regulate public use of ICTs and everything that occurs in cyberspace. Mr. Chair, my country wants to share this successful experience with the international community, so that lessons learned could be applied internationally as well. So we suggested including this in the initial list of confidence building measures. We want to also welcome international efforts to promote the participation of women in the digital domain at the decision-making level. My country has made a special effort to make sure women are strategic partners with men in all areas regulating cyberspace. Women in cybersecurity fellowships is something that has been established, and again, we wanted to share that. Thank you.

Chair:
Thank you very much, Qatar. China to be followed by Canada.

China:
Thank you, Mr. Chair. China believes that the purpose of CBMs is to enhance mutual trust and predictability and to reduce misunderstanding and miscalculation, and the states should not contravene these objectives by using CBMs as a tool to cobble together small cliques, build cyber-military alliances, and proliferate advanced cyber weapons. China has consistently supported the development of CBMs by states on a voluntary basis, such as policy exchange, law enforcement cooperation, technical exchange, and information sharing, so as to gradually enhance mutual trust and reduce misperceptions through a step-by-step approach. At the same time, we wish to emphasize that guidelines are conducive to enhancing mutual trust among all parties and are in essence a confidence-building measure. CBMs and international rulemaking in cyberspace should be mutually reinforcing and complementary. China actively supports the establishment of a global POC directory and believes that the development of POC directory should be carried out in the spirit of mutual respect, equality, and mutual benefit based on the principle of volunteerism, with each country deciding on the functions of the POCs, the types of information to be received and replied to, as well as the channels to be utilized by the POCs. China submitted information on diplomatic and technical POCs. The diplomatic POC is undertaken by the Office for Cyber Affairs of the Ministry of Foreign Affairs, responsible for cybersecurity policy dialogues, international exchange, and cooperation, while the technical POC is jointly undertaken by the National Computer Network Emergency Response Technical Team, CN-CERT, and the Ministry of Public Security. The former is responsible for the prevention of cross-border cybersecurity incidents, emergency response, coordination and disposal, information sharing, and other practical cooperation, while the latter is responsible for international cooperation in combating cybercrime, as well as carrying out international law enforcement and cybersecurity notification and early warning. China believes that the POC directory, as an important CBM, can play a positive role in cybersecurity policy exchange, international exchange and cooperation, and third-to-third communication and cooperation. China will continue to actively support and participate in the work in this field. I thank you, Mr. Chair.

Chair:
Thank you very much, China, for your contribution. Canada to be followed by Singapore.

Canada:
Thank you, Mr. Chair. Canada welcomes the ongoing process towards the operationalization of the Global Points of Contact directory. Mr. Chair, Canada believes that an effective implementation is key to developing trust and transparency. We support the work being conducted to help developing states to continuously implement the CBMs, including looking at capacities and onboarding activities that can help them during the process of nominating their POCs. In this way, capacity building supports CBMs and can be considered as an element relevant to the CBMs in and of itself. We have witnessed the benefits of such an approach through cybercapacity building projects that we are funding, which have implicitly supported the implementation of the agreed CBMs. Canada encourages all members to work towards the timeline encouraged by the Office of Disarmament Affairs to nominate their POCs, that is, hopefully by the 15th of April 2024, and we are pleased that we have done so already. Mr. Chair, the main purpose of the POCs, as identified in Annex A of the Second Annual Progress Report, is to facilitate coordination and communication between states, including in the event of an urgent or significant ICT incident. to build confidence between states and to reduce tensions and prevent misunderstandings that may stem from ICT incidents. In line with this main purpose, POCs could facilitate secure and direct communications between states to help prevent and address serious ICT incidents, de-escalate tensions in the situations of crisis. POCs can also help increase information sharing. It’s for this purpose that Canada has nominated both its diplomatic and technical POCs. Canada underscores the importance of operationalizing the CBMs listed in the Second Annual Progress Report by taking inspiration from what is already done at the regional level. This is why we have agreed to share our experiences as part of the OAS and the OSCE and the ASEAN Regional Forum with regard to CBMs and this is also why we were pleased to join the joint statement delivered by Chile earlier this session. We wish to re-emphasize here the role of the multi-stakeholder community in the implementation of CBMs as highlighted in that joint statement. Canada is dedicated to strengthening the synergy between regional forums and the ongoing work at the OEWG. Indeed, Canada has significant experience in this regard. As I noted, we are party to CBMs in three regional groups and we are honored to have been appointed vice-chair of the OAS CBMs Working Group in 2024. With regard to the role of a diplomatic POC as the diplomatic POC to three different or now four different organizations, I would be happy to share my experience. One regional forum of experience that we could consider for the OEWG is the development of communication protocols including for the handling of information and the creation of templates and interactive procedures. Our commitment is to foster an environment where best practices are shared and harmonized, tailoring them to fit to the unique cyber landscape of all the states and regions. Mr. Chair, Canada remains engaged in the process of work on CBMs at the OEWG, and looks forward to working with all other states on the development and implementation of CBMs at the global level. Thank you.

Chair:
Thank you very much, Canada. I’m delighted to know that you are also the diplomatic point of contact, so you can be a very valuable point of contact to everyone else here in terms of sharing your lessons. Thank you very much for that. Singapore, to be followed by Brazil.

Singapore:
Thank you, Mr. Chair. Given the transboundary and rapidly evolving ICT threat landscape, cybersecurity discussions should not be viewed only from a technical or operational lens. We need to take into consideration the geopolitical dimensions and encourage dialogue in support of our efforts to enhance our collective confidence-building measures. In this regard, we welcome the option to nominate both a diplomatic POC and a technical POC in the Directory. We are pleased to update delegations that, as announced earlier, Singapore has nominated both diplomatic and technical POCs, and we look forward to participating in the initial meeting of POCs on 9 May. Given the unique systems of each state, we believe an onboarding mechanism would be useful to support states to further prepare the relevant POCs to take on this role. Regional organisations such as the OAS, OSCE, OARF and AARF, as mentioned by several delegations, have rich experiences with their respective POC directories. States can share the best practices on how the POC directories are operationalised. The sharing of perspectives and best practices at various levels between states, Mr. Chair, can itself be a valuable system. In our region, the ASEAN cybersecurity leaders engage in regular dialogue at the annual ASEAN Ministerial Conference on Cybersecurity to exchange information, threats and trends. This high-level dialogue helps our region to build a clearer idea of the cybersecurity landscape in ASEAN, allowing us to implement norms and conference building measures more effectively. Mr Chair, in terms of new CBMs, we suggest that some of the prevailing regional best practices could be expanded to the intra-regional level, such as a simple intra-regional high-level dialogue or an intra-regional simulation exercise for the POCs. We also support the suggestions for additional CBMs contained in the Chair’s revised guiding questions, including third-to-third cooperation, capacity building, protection of critical infrastructure, public-private sector cooperation and coordinated vulnerability disclosure. We encourage further elaboration of these possible CBMs in the coming months, with a view towards including additional CBMs on these issues in our next Annual Progress Report. Singapore stands ready to contribute to the onboarding of POCs and to share our experience in developing conference building measures. Thank you, Mr Chair.

Chair:
Thank you very much, Singapore, for your statement. Brazil, to be followed by Cuba.

Brazil:
Thank you very much, Mr Chair. Brazil aligns itself with the statement delivered by Chile yesterday on behalf of a number of American countries, and would like to also add a few remarks in its national capacity. CBMs are key to promoting an open, secure, stable, peaceful, accessible and interoperable cyberspace. Regional organizations have played an extremely important role in advancing this issue, and Brazil has actively participated at the regional level in the OAS CBMs Working Group, which met last year. last week, as well as in CISRT Americas, as well as in CBMs within the context of Mercosur. It is crucial, however, to ensure that bilateral and regional CBMs continue to feed into our debates here at the UN, ensuring progress on the subject also on a global scale. We welcomed the creation last year of the Global Points of Contact Directory and the steps taken to operationalize it this year. We are currently finalizing the nomination process of our points of contact and should submit their name shortly, well ahead of the April 15th deadline. We look forward to taking part in the first meeting on May 9th. We thank you and your team for presenting substantive guiding questions on this issue for this session, including proposals for additional CBMs. Many of those appear extremely productive and are indeed already adopted by Brazil, both at national and international levels. On CIRT-to-CIRT cooperation, for instance, in addition to its participation in first and CIRT Americas internationally, Brazil has established domestically a federal cyber incident management network, a fully collaborative and trust-based network coordinated by our national CIRT with the purpose of improving coordination and collaboration with public and private CSOs to prevent, treat, and respond to cyber incidents in order to raise the level of national resilience and maturity in cybersecurity. Other delegations have also mentioned the value of adopting a common terminology. In this regard, we take note of the ongoing work by the Mercosur Technical Group to elaborate and implement a common taxonomy of cyber incidents. Another CBM the bloc has adopted is normative mapping, compiling each member’s set of regulations, laws, and decrees relating to information and cybersecurity to foster a better understanding of one another’s legal and institutional cyber architecture. Finally, Mr. Chair, Brazil also highlights the role of capacity building as a CBM and has participated in many initiatives in this regard, both as a recipient and as implementer. We highlight in this sense, the importance that capacity building initiatives. Continue to adopt a collaborative approach between recipient and donor parties in line with the agreed principles of capacity building adopted last year. I thank you.

Chair:
Thank you very much, Brazil, for your statement. Cuba to be followed by Switzerland.

Cuba:
Mr. Chairman, this is one of the items on which the group has reached the greatest consensus, which shows our willingness to make progress. The speed with which the global POC directory is operationalized will be important. We will not repeat our considerations on how to succeed with this initiative, but we are certain that the role of the secretariat of the group will be crucial in organizing the directory and will be an observatory so that, with the consensus of the group, we will perfect the exchange platform and add value. This will no doubt contribute to confidence building. We agree with the CBNs included in the list, and although the global directory is one which involves us all in the same way, there are regional initiatives and initiatives by groups of countries or by countries individually. There are many basic elements which have to do with confidence building, and we must make use of them to cooperate to protect cyberspace. Finally, we consider that the real confidence relationship will be achieved when every state, in addition to cooperating with one another, will act responsibly so that we avoid there being attacks of others from one’s cyberspace. Thank you.

Chair:
Thank you very much, Cuba, for your statement. Switzerland, to be followed by El Salvador.

Switzerland:
Mr. Chair, thank you for your guiding questions. But before I turn to the questions, I’m pleased to inform you that Switzerland informed the Secretariat this morning about the nomination of its diplomatic and technical contacts. Switzerland is of the view that the first step to accelerate the implementation of the CBMs listed in the initial list of voluntary global CBMs is the nomination of exactly national diplomatic and technical points of contact by participating states on a voluntary basis. The existence of a POC network and national POCs will facilitate the implementation of all further CBMs. Based on the experience of creating the POC network in the OSCE, we recommend starting out with a basic structure containing contact details of the diplomatic and technical point of contacts. Overloading the elements will most probably have the result that it will take more time to establish the network and less states participating from beginning. Equally, with regard to the communication protocols and templates, we would recommend that they should remain voluntary and flexible to allow for exchanges and cooperation even if some information is unavailable. Let me add that we believe that close cooperation and regular dialogue between the operators or managers of the global POC directory and the existing regional POC directories can make an important contribution to the proper functioning of the respective directories. Mr. Chair, at the occasion of the sixth session of the Open-Ended Working Group, the cross-regional group of Open-Ended Working Group confidence builders presented a very useful working paper. The paper contains valuable examples of regional practice in the implementation of the four CBMs included in Annex B. of the second annual progress report. Switzerland supports the approach of learning and benefiting from experience at the regional level. Continuous exchange between various regional organizations, but also between regional organizations and the open-ended working group, is therefore important. Promoting such exchanges is one of the aims of the OSCE CBM 12, of which Switzerland is a co-adopter together with North Macedonia, Poland, and the EU. Mr. Chair, with regard to the question of additional CBMs, Switzerland proposes to adopt a step-by-step approach. We see merit on focusing on the implementation of the first set of CBMs we have agreed on. As mentioned, the establishment of the POC network and nomination of national POCs is a first step. Such a network will help to implement the second and third CBMs on our list, exchanging good practices for responsible behavior in cyberspace, national views and practices in ICT security incidents, and other related threats or vulnerabilities. ICT security advice, guidance, national strategies, or national and regional approaches to risk management and conflict prevention, including national approaches to classifying ICT incidents in terms of the scale and seriousness of the incident. Exchange on such topics will lead to better cooperation and dialogue, as well as transparency. The focus on an initial set of global CBMs does not preclude us from adding other CBMs to the initial list of voluntary global CBMs over time. While discussing such additional CBMs, the State should continue to work towards the implementation of CBMs in particular at regional level. Collaborating at regional and bilateral level will allow us to benefit from this experience and synergies when developing further global CBMs. In this context, and on the basis of its experience within the OSCE, Switzerland would find it useful adding the following CBMs, Critical Infrastructure Protection, Public-Private Partnerships, and Coordinated Vulnerabilities Disclosures. During the discussion on threats and norms, Switzerland and many other delegations emphasized the importance of protecting critical infrastructure. A dedicated CBM on the protection of critical infrastructure could help raising awareness on the importance of critical infrastructure protection, promoting information sharing among critical infrastructure stakeholders, and sharing of good practices and guidance. Doing so will help implementing Norms 13F, G, and H, and underscores the interrelationship between norms and CBMs. Cooperation between states and private actors is also essential for a free, open, and secure cyberspace. States cannot achieve this on their own. Cybersecurity is a shared responsibility of all actors concerned. This brings me to the multi-stakeholder initiative I mentioned in our statement on Rules, Norms, and Principles yesterday, the Geneva Manual. Among other things, it was developed with the aim of supporting the implementation of the Norm on Vulnerabilities Disclosures. CBMs on Public-Private Partnership and Coordinated Vulnerabilities Disclosures would allow us to get a better understanding of the important role multi-stakeholders play in making cyberspace open, free, and secure, for example, by mapping existing models, practices, or lessons learned. Equally, exchange on good practices, lessons learned, or the use of an online course on Coordinated Vulnerabilities Disclosures, like the one developed in the framework of the OEC, will help implement Norm 13J. Thank you, Mr. Chair.

Chair:
Germany.

El Salvador:
Thank you, Chairman. El Salvador joins in the statement made by Chile on behalf of a group of countries. For my country, we are pleased to see the tangible progress made on the development and operationalization of the Global POC Directory. We recognize the 23, well, now 24, with the addition of Switzerland, which has nominated its POCs. El Salvador is making progress here. We believe that that directory is a significant step in increasing confidence internationally on ICTs. In terms of your guiding questions of possible new measures, we highlight the possibility of developing measures which have to do with protecting critical infrastructure, in keeping with norms F, G, and H of our framework for responsible behavior. This would be an important way in which to relate these norms to voluntary measures which include transparency and predictability in cyberspace. Interstate cooperation in the area of ICTs through technical assistance, capacity building, and technology transfers can also contribute to confidence building. Therefore, the consideration of measures in this area could be valuable and would connect this pillar with that of capacity building. The Organization of American States, through CITGE, recently carried out the fifth meeting of the working group on cooperation and confidence building measures in cyberspace. These practices could be replicated in other regional contexts or could be used within our own working group. We recognize that not all countries belong to these regional organizations. However, this group could provide a platform in which to articulate important efforts in these formats. While several of the confidence-building measures of the OAS are included in the initial list of global measures, which are part of the second APR, Annex B, it is possible to analyze the possibility of additional measures in areas such as capacity building, the establishment of working groups, promoting dialogue with other stakeholders in a more articulated manner, and also to deepen, in practical terms, promoting inclusion and full, significant, and egalitarian participation of women in all ICT processes. In this regard, the chair could submit to the consideration of member states additional measures based on these discussions, which could be included in preparing the next APR, in addition to the four CBMs which have already been developed on the basis of the group’s work. Thank you, sir.

Chair:
Thank you very much, El Salvador, for your statement. Germany, please, to be followed by Ethiopia.

Germany:
Thank you, chair. Germany is fully aligned with the statement of the European Union and wishes to make the following remarks in a national capacity. After much progress, this group has achieved in advancing cyber confidence-building measures. Germany now looks forward to the year of advancing implementation. The global points of contact directory is set to take off this year and will provide the starting point for existing and for exercising a whole range of CBMs for the first time ever at the UN level. I’m also happy to report that Germany Germany has just transmitted to UNODA its national points of contact for the Global Directory, both technical and diplomatic, nominating two experts in each category. Germany encourages all UN member states who have not already done so to also nominate their national points of contact in order to establish a truly universal and inclusive network. The capacity building and onboarding measures outlined in the Dedicated Assistance Plan, which was agreed as part of the 2023 Annual Progress Report, will be of crucial assistance to all UN member states which are not part of regional CBM arrangements so far and which will be joining such a network for the first time. To encourage widest possible participation in the Global Directory, the Open Informal Cross-Regional Group of the OEWG Confidence Builders held a side event for all OEWG members at the German House yesterday under the title Getting Ready for the Global POC Directory and CBM Implementation. The objective was to provide space for discussions on what is needed at the national level, to engage in cyber confidence building measures, and to also learn about available assistance for all states wishing to join the Global Points of Contact Directory as a starting point for CBM implementation. We also received many valuable insights on operationalizing and encouraging the use of POC directories from the lessons learned of regional organizations, namely the OAS, ASEAN, and the OSCE. While much of our focus this year will inevitably be on CBM implementation, this group should also advance the discussion on the elaboration of further CBMs at the UN level. Chair, many states highlighted the role that capacity building can play as an enabler of CBMs. In addition to that, realizing the important link between cyber capacity and confidence building, the Open Informal Cross-Regional Group of the OEWG Confidence Builders is currently discussing a possible dedicated CBM on capacity building. This CBM could join the list of four CBMs which have already been endorsed by last year’s APR and provide a platform for sharing information on available cyber capacity building measures as well as on national capacity building needs. Thank you.

Chair:
Thank you very much, Germany, for your statement. Also, congratulations on making your nomination for Points of Contact Directory. And second, I also want to thank Germany for its leadership within the Confidence Builders Group, for organizing the side event yesterday at German House, and for your continuing role in building the Cross-Regional Group as a way to reach out and further understanding on the important issue of CBM, as well as POC directory implementation. Thank you very much, once again, to the Cross-Regional Confidence Builders Group. I give the floor now to Ethiopia, to be followed by Ecuador.

Ethiopia:
Thank you, Chair. As I am taking the floor for the first time since the start of the session, allow me to start by thanking you for expertly steering the work of the group. We’re confident with your leadership that the work of the group continues to bring us together in our search for the consensual outcomes that we are after. Chair, as part of its digitalization strategy, the government of Ethiopia is exerting a vigorous effort to integrate the nation’s critical infrastructure with ICT services. We’re working to maximize the multifaceted benefits of ICT to unlock growth potentials and propel our path toward sustainable development. At the same time, cyberattacks targeting Ethiopia’s critical infrastructure, such as energy, financial, education, and other vital services, are on the rise. Therefore, the expansion not only of ICT infrastructure, but also the security of critical infrastructure continues to be a priority for the government. The challenges of securing critical infrastructure are understandably the preoccupation of member states, developed or developing. It should, however, be noted that investments to develop infrastructure are as expensive as investing in their security, and thus immensely challenging for developing countries such as Ethiopia. The need for capacity-building measures is thus enormous. We therefore welcome the Working Group’s recommendation on the urgency of working towards narrowing the digital divide, including through universal, inclusive, and non-discriminatory access to ICT and connectivity. Additionally, we welcome the recommendation on the need to stipulate additional mechanisms for further strengthening international cooperation and capacity-building measures, as this can be instrumental in helping address gaps in policy, legislative, technical, and physical cybersecurity domains. Lastly, we believe more emphasis should be given to regional approach to capacity-building due to their potential to evolve into regular co-learning, knowledge exchange, and expertise-sharing mechanisms while addressing the needs of states which are at a rather similar stage of development in cybersecurity. I thank you.

Chair:
Thank you very much, Ethiopia, for your statement, and also would very much encourage Ethiopia to come on board the POC directory. You can take this opportunity of this meeting to reach out to other friends who have already done so and see how you can come on board. And on that point, I wish to make the observation that among the 25 countries that have come on board as of today, I think certainly nominations from the developing countries will require further outreach and assistance and onboarding, as some of you have said. So this is something that I also wish to share with all of you so that we can help countries, especially smaller countries, countries in Africa, small island states, LDCs, so a whole range of countries that would certainly need help. So it’s not just about a numbers game of getting the numbers up, but also we need to get a diverse group of countries on board to the POC directory. And this week could well be an opportunity for those of you who are here from capitals to also reach out and talk to others if you need guidance or support in any way. This week is also a good opportunity to do that. Thank you very much, Ethiopia, for your statement. Let’s go on with the speaker’s list. I have Ecuador to be followed by Japan.

Ecuador:
Thank you, Mr. Chairman. My delegation joins in the statement made by Chile on behalf of a group of countries of the Americas. For Ecuador, it is a particular pleasure to be able to discuss confidence-building measures, since this is one of the items where we see tangible progress in the group. On the operationalization of the global POC directory, and as you yourself indicated, Mr. Chairman, yesterday afternoon, Ecuador has named its points of contact, one diplomatic and one technical, and we hope that this global CBM will be welcomed by many delegations and that it will become a catalyst of confidence so that we may learn and communicate with each other intra and inter-regionally through simulation exercises and other. With regard to the proposal of a point of contact meeting, which would take place next May, my delegation favors a hybrid format available to all delegations. Ecuador would be grateful if the chair could provide information on what is expected in terms of the agenda for that meeting. Finally, Mr. Chairman, I would like to highlight and praise the programs and initiatives of regional and sub-regional organizations, which allow states like Ecuador to benefit from programs such as the OAS SICTE program on cybersecurity, and this could be of reference to other regions. Ecuador trusts in the dialogue and commitment to a secure, stable, and peaceful cyberspace for the benefit of all will be the main premise in the deliberations of this working group so that we can continue to take positive steps with regard to our mandate and toward the next APR. Thank you, sir.

Chair:
Thank you very much, Ecuador, for your statement. Japan to be followed by South Africa.

Japan:
Thank you, Mr. Chair. Japan would like to reiterate the importance of confidence-building measures, such as sharing cyber threat awareness. strategies, policies, and best practices with other states. Through dialogues at all levels, including among leaders, we aim to foster trust, reduce threats, and most importantly, reduce miscalculations. Among initiatives related to the CBMs, the establishment of the Global POC Directory is one of the achievements of this open-ended working group to promote confidence building among us. The initial operationalization of the directory should be achieved as quickly as possible by nominating POCs for each country, and Japan is now working on its own nomination by the end of the deadline prepared by the Secretariat. We look forward to continuing the discussion on the Global POC Directory based on the views of member states on the capacities required to participate in the directory, such as the capacity building experiences and lessons learned through participating in other directories. Mr. Chair, in addition to the operationalization of the directory, it is indispensable to accelerate the implementation of CBMs listed in the initial list of Voluntary Global CBMs. In this regard, many countries, including Japan, conduct bilateral and regional dialogues, and we must continue such dialogues and initiatives at all levels, again to foster trust, reduce threats, and reduce miscalculations. Participation in multilateral discussions itself, including this one, would also be a CBM. Furthermore, it is important to consider adding more CBMs to the list to enhance confidence building. The examples of additional CBMs suggested by the Chair in the guiding question can be the base of discussion for this. Among suggested examples, for instance, Japan believes that cooperation among CERTs is highly effective since a wide range of different countries participate in the CERT community. 33 CERT teams from 24 economies are participating in the AP CERT, the Asia-Pacific CERT community, to ensure reliable points of contact, conduct international cyber exercises, and share the threat landscape. More than 700 CERTs from government, private sector, and academia are members of the FIRST, the Forum of Instant Response team. Japan, through the activities of JP CERT Coordination Centre, contributes to maintaining the activities of these two communities. Finally, Mr. Chair, Japan believes that CBMs are ideally suited for the discussion and implementation through the future POA. The POA as an action-oriented, inclusive, and permanent mechanism should eventually be a good institution to serve as a platform for the implementation and further elaboration of CBMs at the UN level. Thank you very much.

Chair:
Thank you. Japan, South Africa, to be followed by Czechia.

South Africa:
we recognize that participation in this OEWG is a confidence-building measure between states. As noted in both the 2021 OEWG and GGE reports, as the world’s dependence on ICTs continues to increase, the responsible behavior of states in the use of ICTs is of vital importance to the maintenance of international peace and security. South Africa is pleased that the proposal for a voluntary global points-of-contact directory under the UN Office for Disarmament Affairs has been adopted by the General Assembly. We regard the POC directory as a first step to greater cooperation between states on identifying and responding to ICT security threats. We are in the process of appointing our POC representatives. It is crucial to operationalize both the diplomatic and technical levels of the global POC directory to facilitate secure and direct communications between states to help prevent and address serious ICT incidents expeditiously and de-escalate tensions which can potentially lead to conflict. We should ensure clarity of the expected roles and responsibilities of the POCs, coordination functions to be performed, and clear understandings of the readiness requirements. Chairperson, the support of the United Nations regional and sub-regional bodies to member states would accelerate the universal implementation of the CBMs listed in the initial list of voluntary global CBMs as adopted in the second APR. This support could take the form of workshops and roundtable discussions to share experiences and expertise. Cooperation between states on capacity building is critical, provided the agreed principles of the first OEWG are considered. That is, capacity building should be evidence-based, politically neutral, transparent, accountable, and without conditions. The first OEWG noted in its final report the necessary resources, capacities, and engagement would allow CBMs to strengthen the overall security, resilience, and peaceful use of ICTs because CBMs would also support implementation of norms of responsible state behavior. In this regard, the proposals for public-private partnerships would support national implementation and development of CBMs. Cert-to-cert cooperation would also enhance confidence between states. Chairperson, we support collective effort by all member states and relevant stakeholders to ensure an open, secure, stable, accessible, and peaceful ICT environment. Thank you.

Chair:
Thank you very much, South Africa. Czechia to be followed by Australia.

Czechia:
Thank you, Mr. Chair, for giving me the floor. Czechia aligns itself with the EU yesterday’s statement on CBMs, and we wish to emphasize a couple of points in our national capacity. As part of my today’s statement, I would first like to share how Czechia approaches the nomination of POCs. Czechia decided to nominate POCs to the Global POC Directory based on its experience from regional organizations, specifically the OSCE. Our experience shows that it is appropriate to nominate two diplomatic and two technical POCs. In this way, the contacts can replace each other if one of them is not present for some reason. In addition, we believe that technical POCs does not have to be directly from CERT. It is sufficient if the technical POC is in regular touch with the specific technical experts to whom the information sends through the POC’s directory concerns. In the Czech case, the technical POCs are representatives of the International Cooperation Department of the National Cyber Agency. We welcome that the first meeting of POCs will take place in May and is sensitively planned in relation to other May’s meetings, including the Global Roundtable on Cyber Capacity Building. Regular once-a-year, ideally in-person meetings of POCs are important CBMs that improve mutual communication. Czechia also welcomes that the first PING test is scheduled already for this half-year. We believe that this test will show that the majority of states have already nominated their POCs and that we as a community of states are ready to move to the next stage and start actively using the POC directory. Czechia already indicated during the previous OEWG session that we actively contribute to good functioning of the regional OSC POC directory, where we share and regularly update relevant information regarding cybersecurity. And we are ready to do so also on the UN level. We believe that sharing practical information such as national ICT concept papers, national strategies, policies, and programs is the best way to further enhance the effective functioning of the POC directory and improve the directory’s ability to facilitate communication between states. To answer your guiding questions, Mr. Chair, I would like to respond to whether there are additional CBMs to be added to the initial list of voluntary CBMs. Czechia repeatedly mentioned that we should first focus on elaborating and implementing already agreed CBMs so we don’t have them on paper only. However, there are definitely more CBMs that could be discussed and potentially added to the initial list. Czechia is specifically a strong supporter of measures aiming at the protection of critical infrastructure and coordinated vulnerability disclosure. In response to your next guiding question, Czechia would like to highlight that the link between CBMs and capacity… Czechia would like to highlight the link between CBMs and capacity building. In our understanding, these issues are interconnected and CBMs and capacity buildings enforce each other mutually. Another guiding question that we want to respond to is related to the communication protocols and the possible further development of interaction procedures. In this context, Czechia would like to note that in this stage it would be counterproductive to overhelm the initiation of the POC directory. with topics concerning specific procedures, the form of protocols, development of templates, and so on. According to us, the appendix to Annex A of the 2023 APR that mentions procedure for inquiry and procedure for responding to an inquiry is sufficient in this regard. Finally, Czechia wishes to commend our German colleagues for initiating and leading cross-regional group of states that Czechia is a member of and that continuously brainstorm for novel ideas and practical suggestions in regards to the POC directory and other CBMs. I kindly thank you very much.

Chair:
Thank you, Czechia, for your statement. Australia, to be followed by Mauritius.

Australia:
Thank you, Chair. Australia would like to highlight and endorse the work that continues to be undertaken by the open, informal, cross-regional group of confidence builders, in particular the side event that the group hosted during lunch yesterday at the German House on getting ready for global POC directory and implementation of CBMs. The side event focused on sharing best practices on the establishment, management, and use of cyber points of contacts in various regional contexts and provided information about existing support mechanisms and resources, including UNITY’s report on operationalising a directory of points of contact for cyber CBMs. The global points of contact directory represents a valuable signal of our joint commitment to building confidence. We thank you, Chair, and the Secretariat, for your efforts to breathe life into this POC directory, including the briefing that was provided on 31 January. Australia has provided its diplomatic and technical contacts to the Secretariat for the Global POC Directory. And to echo the comments you made in your opening remarks, Chair, we strongly encourage all members, where they can, to nominate their points of contacts as soon as practical. We recognise that not all states will be in a position to nominate their POCs immediately, so support the Chair’s request to encourage all states to nominate what details you do have with scope to provide updates at a later stage. The work undertaken to discover the right contact points within our own systems can be an internal confidence-building measure in and of itself, particularly as offices rotate across responsibilities and domestic government structures shift over time. Building upon a theme of our meeting this week, Australia encourages all states to continue to share concrete examples of how we implement cyber CBMs, and particularly the initial list of global CBMs elaborated in our 2023 APR. A collection of some examples are set out in the joint working paper of the Cross-Regional Group of Confidence Builders, published on the OEWG website ahead of our sixth session in December last year, which the delegate from Switzerland also highlighted. This paper strives to further advance the elaboration of the first set of CBMs at the global level by drawing on and transparently sharing best practice and implementation examples from existing regional and national contexts, including partaking in regional POC directories, of which Australia and Malaysia manage the ASEAN Regional Forum POC Directory, by providing a more practical angle to our discussions and serving as encouragement for member states less familiar with CBM implementation. Australia has listened carefully to the proposals from some states to develop new CBMs in our group, and we are interested and open to building upon many of these ideas. In particular, we consider that any new CBMs should be explored and if appropriate, elaborated in the context of our framework for responsible state behaviour in cyberspace. And always with reference back to the core aim of a confidence-building measure, that is, endeavour to build relationships and procedures in times of peace and stability that can be used for de-escalation in times of crisis. In doing so, CBMs aim to diffuse tensions and the risk of destabilising misperceptions between states. To this effect, and in response to your guiding question, Chair, about what additional CBMs could we potentially add to the initial list, Australia continues to support further discussions on the 2021 GGE report recommendation for transparency regarding ICT security agency mission and functions and the legal and oversight regimes under which they operate. These transparency measures can be effectively operationalised through another proposal of the 2021 GGE, which encourages states to voluntarily use UN resources, such as the UNIDIR cyber policy portal, including the National Survey of Implementation of UN Recommendations on Responsible Use of ICTs, to consolidate information and good practices provided voluntarily by states on national strategies, policies, legislation and programs that address ICT security issues relevant to the international security and stability. Thank you, Chair.

Chair:
Thank you very much, Australia, for your statement. Mauritius to be followed by Colombia.

Mauritius:
Good morning, Chair. In an increasingly interconnected world where the threat landscape is constantly evolving, no single entity or organisation can combat cyber threats alone. The interconnected nature of cyberspace necessitates collaboration and coordination among thirds. across national borders, sectors, and industries. It is through collective action and information sharing that we can effectively confront the challenges posed by cyber adversaries and protect our shared digital assets. In terms of confidence-building measures, let me highlight that Mauritius is working closely with the local, regional, and international communities, including government, law enforcement, academia, research community, CERTs, and cybersecurity partners in terms of incident response, cyber threat information sharing, and capacity building. Mauritius fully supports CERT to CERT cooperation as such collaboration facilitates the exchange of information in a timely manner for preventing cyber incidents as well as providing support in incident response activities to enhance the cybersecurity posture of countries. I would also like to highlight that the national CERT of Mauritius is a member of various international organizations such as Forum of Incident Response and Security Teams and trusted introducer TI. Moreover, Mauritius is also a member of the SADC CERT Task Force along with six other countries. To further promote the CERT to CERT collaboration, Mauritius would like to extend its support and cooperation with regional and international CERTs through memorandum of understanding in different aspects of cybersecurity, including incident response, cyber threat information sharing, and capacity building. Mauritius believes that such cooperation would also help to close the digital divide. Coming up to the protection of critical infrastructures, it is crucial to note that vulnerabilities in these systems pose significant risk to national security, public safety, and economic stability. In this regard, we believe that POCs could be a concrete way to enhance the sharing of critical information, which is particularly relevant in cyber events with the risk of potential escalations. Moreover, we support the inclusion of the private sector as it is important and in line with promoting public-private partnership and practical cooperation with relevant stakeholders. With regard to coordinated approach to vulnerability disclosure, Mauritius supports that such approach will help to identify and remediate vulnerabilities in critical systems, such as energy, transportation, or healthcare before they can be exploited by cyber threat actors. Many international cybersecurity frameworks and standards, such as ISO 29147 and ISO 30111, recommend or require the establishment of coordinated vulnerability disclosure processes as part of good cybersecurity practice. In this perspective, Mauritius is of the opinion that by incorporating CVD into their respective cybersecurity strategies, states can demonstrate its commitment to transparency, accountability, and proactive risk management in cyberspace. Thank you, Chair.

Chair:
Thank you very much, Mauritius, for your contribution. Colombia, to be followed by Argentina.

Colombia:
Mr. Chairman, Colombia joins in the statement made by Chile on behalf of a group of countries from the Americas on CBMs. In the framework of the fifth meeting of the working group on in the OAS, the countries of the region were able to establish a dialogue and share up-to-date information on policies on cybersecurity at the national level. We discussed the implementation of CBMs in the hemisphere, and we learned about the experience and national positions on the application of international law to cyberspace. With regard to the question about additional measures which could be added to the initial list of voluntary global CBMs, and taking into account the work of the OEWG, we think that the initial measures are good, in particular CERT cooperation and interstate cooperation and building capacity to close the digital divide, critical infrastructure and public-private partnerships. We also suggest including CBM7 of the OAS on the promotion of the inclusion, participation and leadership of women in decision-making processes with regard to ICTs in order to approach gender equality and closing the gender divide. We are aware of the fact that to have new CBMs doesn’t necessarily mean a safer cyberspace unless they are implemented, thus we must understand CBMs as an enabler such – for things like exchanges of information, experiences and responses from states. All of this will contribute to ensuring that all states will achieve the right levels in critical infrastructures and adequate management and incident response activities in – also in cases of malicious activities in their territories. or vicinity. Chairman, in response to your question on the Global Directory, we are convinced that its operation will be an important step in confidence-building among states globally. Thus, and in order to contribute to that purpose, Colombia already named its POC technical and diplomatic. While we understand that the initial format is to have an updated Global POC Directory, we think that it has the potential of being a platform to make progress on the implementation of global CBMs and to develop protocols of universal communication to facilitate information sharing and cooperation. This last point is particularly relevant for our delegation, since Colombia is interested in expanding and improving mechanisms on information sharing on cyber incidents, including processing and analysis. With regard to the meeting on POCs for the month of May, we suggest that it be in hybrid format with the participation of all states, including those who have not named a POC. We think that there should be the maximum possible representation and participation so that states, especially those which are not members of regional directories, maybe become familiar with the format. And responding to your request about views about participation in the Global POC, the CBM group led by Germany yesterday led an event in order to exchange experiences and good practices in the establishment, management, and use of POCs in regional contexts. Thank you.

Chair:
Thank you very much, Colombia, for your statement. Argentina to be followed by Malaysia.

Argentina:
Thank you, Mr. Chairman. My delegation joins in the statement made by the distinguished delegation of Chile yesterday on behalf of a group of 17 countries, and I would like to add the following comments in my national capacity. Argentina supports the development of CBMs at all levels, and we believe that this working group is a key – is key, and it represents in and of itself a confidence-building measure. My delegation firmly promotes the adoption of transparency measures and information sharing on cybersecurity. This leads – and this is in Mercosur, with Brazil, Uruguay, and Paraguay, and also in the context of the OAS. We have designated our points of contact for the global directory. We welcome the 25 delegations that have made their designations, and we encourage delegations that have not yet done so to name points of contact as priorities in their cybersecurity agenda. We also encourage the chair to continue its efforts to help states that have not yet done so to identify the best possible points of contact. The global POC directory will only be able to work effectively and lead to the expected results when it is truly inclusive and universal. We also recognize the potential of the directory in facilitating the adoption of other global CBM initiatives and strengthening other matters which are being discussed in this group. By way of an example, the exchange of information that will take place in the global directory could be used in a future repository on threats as proposed by the delegation of Kenya. We also believe that the directory could include spaces in which to exchange confidential information and mechanisms to interact with the private sector, academia, and civil society. We also encourage the chair to carry out activities and simulation exercises in virtual format or hybrid to guarantee that the points of contact of all the regions of the world, especially developing countries, will become familiar and benefit from the mechanism. With regard to the POC meeting in May, we support the proposal by Ecuador and Colombia that it be carried out in hybrid format. Chairman, my delegation would also like to stress the complementarity between technical cooperation at the international level on capacity building and infrastructure, taking into account regional realities and the specific needs of each country, and confidence-building measures. As an example, a fundamental CBM, such as the designation of POCs for the Global Directory, could represent a considerable challenge for those countries which are beginning to build their capacities, including obtention of necessary software and hardware to detect vulnerabilities. My delegation, therefore, supports the proposals of other delegations to create a specific CBM on capacity building to take into account the specific national and regional needs. Recognition of the common and shared responsibility for mitigating cyber threats and concrete measures being taken internationally to create a more resilient cyberspace, especially in regions which are exposed to greater vulnerabilities in their infrastructures, will greatly contribute to created trust globally. Thank you.

Chair:
Thank you very much, Argentina, for your statement. Malaysia, to be followed by the Islamic Republic of Iran.

Malaysia:
Thank you, Mr. Chair, for giving me the floor. Malaysia would like to share our views on confidence-building measures. Mr. Chair, you asked how to accelerate and further operationalise the universal implementations of the CBM listed in the Initial List of Voluntary Global CBMs. With the four agreed initial CBMs, the CBM 1 UN Global POC, as agreed by others, will serve as the basis for the implementations of other CBMs, and Malaysia looks forward to the operationalisations of the POC. We promise you, Chair, that we will submit the nomination accordingly. Malaysia thanks Australia for the explanation on the ASEAN Regional Forum POC. Malaysia also shares the view of many other states, supporting the incremental approach to the establishment and operationalisations of the POC directory. Yesterday, during the discussion on norms, Vietnam reminded us of the UN Charter’s call for us to be good neighbours. Just like Vietnam, Malaysia believes that being a good neighbour is as relevant today as it was seven decades ago. In fact, it is more important today than ever before. This is because today’s neighbourhood boundaries are not confined to physical limits. Instead, they also depend on the technology platforms that we use and where our infrastructure and data reside, whether on physical premises, in a hybrid environment, or on the cloud. Although we are geographically located in different regions, if we reside on the same technology platforms, we may inherit the same vulnerabilities and threats. Mr. Chair, cybersecurity is also about how well best effort that we have done to ensure our cyber hygiene and assist others in needs starting from information sharing, incident responding, awareness, exchange of experience and many more. This is about being good neighbours. In this regard, Malaysia shares the view of Republic of Korea on public-private partnership at national level that will further increase national visibility to cyber threats and vulnerabilities. Increasing national threats and vulnerabilities require not only technical capabilities to detect, defence against and respond to and recover from ICT incident, but also a national coordination procedure in enhancing cooperation of cybersecurity matters at policy and diplomatic level. In this regard, Malaysia aligns with India that CBMs is the enabler for the implementations of norms by fostering trust, predictability and stability in ICT use. It is also demonstrating what is expected from a good neighbour. At national level, we know that many organisations face cyber threats and although technical experts can often trace the origins of these threats, acting against the perpetrator extends beyond technical challenges and requires global collaborations. As mentioned by Malaysia during the discussions of existing and potential threats, the true test of trust is verifiability. The element of verifications in this regard, technical verification, will provide a level of confidence and assurance in this trust-building exercise. On the other hand, CBMs is a tool in building trust that is verifiable to strengthen the framework of responsible state behaviour. Mr Chair, with regards to the additional CBMs that can be added, Malaysia supports others for protections of critical infrastructure. public-private partnership, set-to-set co-operations and coordinated vulnerabilities disclosure to be considered as additional CBMs. This is also aligned with the voluntary, non-binding norms of F, G and H. Thank you, Chair.

Chair:
Thank you very much, Malaysia, for your statement. You are absolutely right that technology has made all of us neighbors. And the idea of the OEWG and the POC directory and the CBM is for all of us to be good neighbors to each other, because everyone automatically, because of technology, ICTs, everyone is a neighbor to everyone else almost instantaneously. Thank you for your statement. I give the floor now to the Islamic Republic of Iran, followed by France.

Islamic Republic of Iran:
Mr. Chair, thank you for giving me the floor. In response to your guiding question about additional CBMs that can be added to the initial list of voluntary global CBMs, my delegation would like to propose the following measures. First, developing a consensus universal terminology on technical ICT terms. The lack of common understanding constitutes a major potential source of mistrust in the ICT environment. In paragraph 42 of the second APR, states are encouraged on a voluntary basis to share national views on technical ICT terms and terminologies to enhance transparency and understanding between states. While sharing national views in themselves could serve as a confidence-building measure as the next concrete and important step forward, these national views could be the basis for further discussions by the OEWG at its upcoming sessions to develop a consensus universal terminology in the field of ICT security. Developing a consensus terminology is one of the concrete and specific CBMs that are currently adopted by some regional organizations in the ICT security domain, and could be expanded to the global intergovernmental context. A step-by-step approach could be applied to the elaboration of a universal terminology in the field of ICT security. OEWG could start by preparing a list of terms that are used in consensus UN documents, and then proceed to agree upon definitions of the basic terms from this list. In this regard, we share with the statement made by Kazakhstan and Brazil concerning the importance of developing terminology in technical ICT terms. Second, cooperation between states on capacity building to close the digital divide. In line with many other delegates who have taken the floor before my intervention, we also welcome this important confidence-building measure as outlined in the Chair’s guiding questions based on discussion at recent sessions of the OEWG. Since the very act of collaborating to implement joint projects could build confidence and trust, my delegation has underscored throughout previous OEWG sessions that cyber security capacity building could be a constructive confidence-building measure. In the second APR, the OEWG recognized that capacity building is an important confidence-building measure and is a topic that cuts across all the pillars of its work. Third, unilateral coercive measures against other states in the ICT environment pose serious threats to trust and confidence in the ICT environment. Therefore, it is an important confidence-building measure that states refrain from adopting any measures that restricts or prevents universal access to the benefits of ICT. Fourth, developing a legally binding instrument within the United Nations. This measure, which effectively promotes the exclusively peaceful use of information and communication technologies, ensures the prevention and settlement of of interstate conflicts in the global information space and provides a framework for cooperation among states holds particularly significant potential as a confidence-building measure. Such an instrument can substantially enhance mutual trust and understanding among states, thereby contributing to a more stable and secure global information environment. Mr. Chair, during the current and previous OEWG, states concluded by consensus that the OEWG itself serves as a CBN, providing a forum for discussing issues on which there is agreement and issues on which there is not yet agreement. As a result, what other significant confidence-building measures could be recommended in addition to the evolution of the OEWG into a permanent mechanism for ensuring the security of information and communication technologies? The OEWG that has proved in practice its efficiency and relevance is the most appropriate format for future regular institutional dialogue under the auspices of the United Nations. In this regard, we would like to recall that concept paper on a permanent decision-making open-ended working group on the security of and in the use of information and communication technologies proposed by a group of countries. I thank you, Mr. Chair.

Chair:
Thank you very much, Islamic Republic of Iran, for your statement. France, to be followed by Pakistan.

France:
Thank you, Mr. Chair. My delegation aligns itself with the statement of the European Union and would like to thank the confidence builders of the open-ended working group presented by Germany in this session. I will speak about two issues, which we have shortened in the interest of time, but we’ll include it in our written presentation. First, France would like to welcome the work of operationalizing the directory of points of contact. This is a very valuable step for international cooperation. France has submitted its own national points of contact. We have called on OEWG to be inspired by regional experience. For example, Interrelia OSC’s experience in improvement and in further development. I will share a recent instance of where French points of contact were contacted by members of the regional organizations to which we belong. France usually has limited operational contacts with this country. It was hard to find sources to obtain information without a directory available of points of contact. This is a specific example of the operational value of the points of contact directory as a CBM that was put in place at the regional level and, of course, is valuable internationally. Secondly, I would like to dwell on the long-term plans. for which we fully support this activity. The normative framework is the foundation for our work and has been implemented in the various processes that took place within the United Nations system, in the same way as structural initiatives such as the Directory of Points of Contract put in place by OEWG will also have long-term value for its activity in terms of future mechanisms. Thank you very much.

Chair:
Thank you very much, France, for your statement and also for sharing your experience with the regional POC contact directory. Pakistan to be followed by Djibouti.

Pakistan:
Thank you, Mr. Chair. Pakistan has remained supportive of the idea of confidence-building measures in cyberspace. In view of emerging threats emanating from cyberspace, Pakistan considers establishment of a global directory of point of contact as an important CBM, which could help in averting mistrust among member states during a cyber attack or in a related situation. The global directory of POCs would also help in fostering trust, cooperation, transparency among the member states. We support the operationalization of POCs and will be submitting our details of diplomatic and technical POCs soon. We are also looking forward to participation initial meeting of POCs in May this year. To accelerate the universal implementation of CBM listed in the initial list of Voluntary Global CBMs, it is crucial to prioritize capacity-building efforts, including equipping the member states with the required tools, necessary technology and expertise to make their national cyberspace secure and stable. Tabletop exercises, cyber drills, the exchange of best practices and continued dialogue could be useful in achieving the desired result. We also support facilitating the real-time sharing of threat information through digital platforms. Chair, regarding the additional CBMs, we also support the idea of a step-by-step approach. While reaffirming the voluntary nature of CBMs, we believe the State can exchange views on side-to-side collaborations, digital divide mitigation, safeguarding critical infrastructure fostering public-private sector partnership to enrich the existing framework and address emerging cyber threat effectively. We also propose discussions on the adoption of CBM areas such as research investment and cyber security related projects and countering fake news and disinformation. In conclusion, my delegation also supports the development of shared and clear definitions of various cyber security terminologies. I thank you, Mr. Chair.

Chair:
Thank you, Pakistan. Djibouti to be followed by Botswana.

Djibouti:
Thank you, Mr. Chair. Chair, this is the first time that I’m taking the floor in this session and therefore I’d like to congratulate you on your excellent leadership of our work and thank you for the document you put at our disposal to guide our discussion. I would also like to thank the Secretariat and the interpreters. For Djibouti, cyberspace and the emerging new technologies present a chance to advance in our plan for development. We’ve made it a national priority. For that reason, a special ministerial department headed by a woman was created and put in charge of digital economy and innovation in 2021. With the support and cooperation of our international partners, we’re working hard on capacity building to train young engineers so that they are up to speed on what is needed in terms of meeting our concerns, making our infrastructures secure, our critical infrastructures secure, and to constantly monitor potential malicious activity in cyberspace. Let me on this occasion to dwell on the issue of applying international law to cyberspace. My delegation joins the common African position in that regard. We also emphasize the importance of taking into account the specificity of cyberspace. Based on our discussions, our exchanges, we would recommend that we continue this multilateral dialogue to make sure that a consensus based approach emerges, which will make it possible for us to truly make cyberspace secure with a global and consensus based activities. Regarding confidence building measures, my delegation believes that this platform for discussion in our working group and particularly the development of a director of points of contact are effective approaches. We’d like to take this opportunity, the opportunity offered by this new platform for discussion to better understand the concerns of everyone. And we will very shortly submit our own points of contact. Mr. Chair, in view of the current geopolitical situation, the arms race involving new technologies, the digital threat is inevitable. Therefore, we believe that peace in the world is the primary requirement to make sure that we reach our objectives, create protected cyberspace, strengthen confidence and trust among states. Strengthening the capabilities of developing countries through training and funding with international cooperation would allow us to bridge existing gaps, and this would also be a contribution toward confidence-building measures. Still, we must never lose sight of the fact that developing countries need to find sustainable solutions by addressing the deep roots of the digital gap, such as insufficient electricity resources for some countries and conflicts in other countries remain a priority. Thank you very much.

Chair:
Thank you very much, Djibouti, for your statement. Botswana, to be followed by Israel.

Botswana:
Thank you, Chair. Since this is Botswana’s first time to take the floor, we wish to thank you, Chair, and your team for steering the work of the OEWG. Botswana pledges its unwavering support to the process. Confidence-building measures are intended to improve trust and understanding between states. And the annual progress report adopted by consensus in July 2022 indicates the importance of coming up with specific confidence-building measures and calling for states to make concrete action-oriented proposals on CBMs. The OEG has been touted as a confidence-building measure in itself in this regard. Chair, in your guiding questions, you inquired how we can accelerate the universal implementation of the CBMs listed in the initial list of voluntary global CBMs. Our delegation is supportive of using regional organizations to accelerate universal implementations of these CBMs and to leverage on the accessibility and influence over its members. The same regional organizations should be employed to further operationalize the CBMs through related capacity building and the global POC directory. The Botswana delegation supports the addition of the following CBMs, set to search cooperation to enhance effectiveness of combating threats, vulnerabilities, and security incidents. Botswana also supports the inclusion of CBMs on cooperation between states on capacity building to close the digital divide. The protection of critical infrastructure to preserve essential services as well as public-private sector cooperation, which allows the public and private sector to share resources and information so as to advance effective strategies to counter cyber threats. Chair, we have heeded your call to appoint point of contacts, and Botswana is currently undertaking the national process of appointing contacts on technical and policy levels and will be submitting in the very near future. We also look forward to the initial meeting of the POCs in May. Chair, our delegation knows that capacity building efforts present an important contribution to building confidence and trust between states. Capacity building can assist states in developing their national strategies, policies, and procedures for effective cyber security and to strengthen capacities to protect critical infrastructure and in that, building trust and confidence between states. Thank you, Chair.

Chair:
Thank you very much, Botswana, for your statement and also for your indication that you would be submitting your nomination and that you are considering the issue very carefully. It is very much appreciated. And I also took note of statement by Djibouti earlier that they too are considering and looking at the question of nomination. I think these are very important. Do let your friends know if you need help. There are many in this room. And after you have done your nomination, please look for another friend from your region to bring on board. Thank you very much. Israel, to be followed by Fiji.

Israel:
Thank you, Chair, for giving us the floor to present our national perspective on the important pillar of CBMs. Israel regards the discussion on confidence-building measures as an essential and significant part of the open-ended working group work. Developing effective and sustainable international cooperation requires, in our view, a solid base of trust. In this context, exchanges of know-how, a global POC directory, the sharing of best practices, cybersecurity methodologies, risk assessment models, threat analysis, trends, patterns, et cetera, can play an important role. CBMs attempt to build relationships and procedures in times of peace and stability, elements that can be used for de-escalation in times of crisis. On the global POC directory, Israel will nominate its POCs in the very near future to meet the traditional UNODA deadline. And we look forward to work together with all the POCs to operationalize the directory and looking to make it serve as a useful and meaningful tool. Enhancing Trust, and the International Cooperation. Mr. Chair, in order to offer a concrete suggestion that can be elaborated within the open-ended working group process, and with a view to advanced CBMs that can be operationalized in a voluntary, non-binding manner at the U.N. level, Israel, together with an open group of cross-regional states, continue to hold joint discussions and to brainstorm for ideas aiming to present some novel and practical suggestions, and we wish to join others that commended and also commend our German colleagues for continuing to lead this group, as well as thanking all the group members for their very active participation and useful contributions. During recent sessions of the open-ended working group, considerable progress has been achieved on the way to operationalize CBMs at the global level. In order to use this positive momentum, the group’s work is dedicated to discuss and advance ideas, how we can learn from the national experiences and the multifold regional expertise on how CBMs can be used at the global level to build the needed trust, reduce chances of misunderstanding, and assist in making cyberspace more secure and stable. The group has been extensively working on advancing the global POC directory and operationalizing it and also circulating other ideas that will be presented to all member states. In addition to extensive bilateral information sharing, Israel supports CBMs’ efforts on the regional and cross-regional levels. Israel supports the important work that has been carried out by the OECE, and Israel as a Mediterranean partner also contributes its vast experience in that field. Furthermore, Israel is an active partner of the GFC framework. A multi-stakeholder and cross-regional forum like the GFC can contribute and assist states. and all stakeholders to better share and build the needed trust. To conclude, Mr. Chair, at the heart of Israel’s international cyber strategy, we have stressed our efforts to help building and advancing global cyber resilience, and we are ready to work together with all partners. Thank you.

Chair:
Thank you very much, Israel, for your contribution. Fiji, to be followed by the OSCE.

Fiji:
Mbula Winaka, Chair and colleagues. Chair, in your opening remarks earlier this week, you reminded us that we need to continue to build and rebuild the baseline of confidence between delegations. Chair, this reminds me of a trust-building concept and a traditional tool that we use in Fiji known as the Spirit of Talanoa. This is also used in the Pacific, and it usually requires Tanoa and Kava or Yangona, and this can also be easily arranged, Chair, later. But I’d really like to hone in on the three core components in order for the Spirit of Talanoa to truly take place, and that it needs to be inclusive, it needs to be participatory, and there needs to be genuine dialogue. Chair, drawing from the Spirit of Talanoa and pursuant to the annual progress reports in doing our part to continue to build trust, confidence, and transparency, Fiji would like to highlight a number of initiatives that we’re undertaking with great priority and urgency in implementing the global CBMs. Fiji notes with appreciation the enhanced cooperation efforts that have already been taking place within this OEWG with member states and multilateral agencies, and which continues to build common understanding and confidence. Like many countries, Fiji is also actively assessing the designation of a point of contact, and being part of the CBM cross-regional group has really enabled Fiji to develop our understanding on the characteristics and the purpose of such points of contacts. We thank Germany for leading this group, and the members of the CBM group and other states for sharing their experiences in this regard. Chair, Fiji commits to submit our points of contact details at the earliest as well, Chair. And with regards to the meeting in May, we also support the meeting to be in a hybrid format, as stated by Colombia and Ecuador, and request that the respective time zones also be considered. We also urge all countries to continue to progress in our collective efforts and to designate their points of contacts as well within the timeline that has been set for all of us. At the international level, Fiji’s implementations of CBMs includes the co-sponsoring of cross-regional proposals, invitation and participation at global cybersecurity forums, including the Singapore International Cyber Week as well, invitation to participate at side events with a number of member countries or group of countries, and further developing our understanding during our OEWG sessions, and particularly the meetings outside of our formal meetings in this room. Within the Oceania region, our cybersecurity mandate is underpinned as a region by the 2018 Boer Declaration and our 2050 Strategy for the Blue Pacific Continent, and its recently launched implementation plan of last year. Cybersecurity is one of the key priorities. In September of last year, Chair, the regional ICT ministers also met, and they signed the Lakotoi Declaration. And two of the key pillars are digital trust and security, and capacity building, and also representation. The senior officials are currently drafting the action plan of the Lakotoi Declaration, and Fiji values drawing from the OEWG work that we’re progressing, including… including the POC directory, and to operationalize these CBMs in the regional context. Fiji is committed to synergizing the global and regional efforts. Now, as demonstrated in Fiji’s hosting of the regional cyber leaders at the inaugural Pacific Cyber Capacity Building and Coordination Conference that was held last October, the region really looked at better understanding and recalibrating the priorities of the Pacific island countries, and understanding what’s working, what’s not working, why isn’t it working, and to better streamline the capacity building and CBM efforts. And we look further to further collaborate to ensure that we fast track our collective efforts. Chair, nationally, we have a Cybercrime Act, which is aligned to the Budapest Convention on Cybercrime. We’re eagerly looking forward to the work that the UN Ad Hoc Committee is also doing, and also participating in that regard. And we’re in the process of reviewing our national cybersecurity strategy due to the rapid acceleration of digital technologies and due to evolving threats. In fact, Chair, last week, we commenced our second cybersecurity maturity model assessment for states. And we convened tailored focus group sessions with over 70 stakeholder groups and entities nationwide. We’ve also started the development of our national digital strategy and national e-commerce strategy, and improving our national cyber well-being and collaborative methods, our core focus areas in these strategies as well. Moreover, the forthcoming national set that we’re establishing underscores our commitment to enhancing incident response, coordination, and safeguarding critical infrastructure services for all Fijians. Last December, and as a domestic confidence building measure, we commenced the process of better understanding the characteristics of critical infrastructure and critical information infrastructure, and the identification and categorization of how states have done this. We welcome further collaboration in this regard, and these efforts continue to be a priority for us. Fiji is committed to continuing to progressively implement the initial list of voluntary global CBMs, and as per your guiding question, Chair, Fiji welcomes the additional CBMs, which we see can be progressed in parallel to the existing ones. For example, the cooperation between states on capacity building to close the digital divide is of significant importance, and Fiji refers to our statement earlier this week made in that regard. With regards to a second proposed CBM, Chair, we propose to amend the additional CBM of protection of critical infrastructure to identification and protection of critical infrastructure and critical information infrastructure. Chair, equally important, given that half of the global population are women, in order for this group to continue to forge ahead sustainably, it is crucial, and as stated by other delegations, that we need to ensure that the full, equal, and meaningful leadership and participation of women continues to be championed in our work, and evident across the cumulative and evolving framework for responsible state behavior in the use of ICTs. This is fundamental. In closing, Chair, and coupled with this, and to ensure that no one is truly left behind, we strongly advocate for the meaningful participation of the multi-stakeholders, as they offer immense value and expertise to the work that we’re doing, and we remain committed to this global objective. Thank you, Chair.

Chair:
Thank you very much, Fiji, for your statement and for sharing with us in a very detailed way your national efforts and also your regional efforts, and I think your efforts is a good example of how a small country like Fiji, by participating in the process, is also able to share with all of us your own experience, but at the same time use this process to hopefully get greater support and partnership for your efforts nationally. I’m also very encouraged to hear that the Pacific leaders have met and endorsed a cyber strategy. I hope that you will follow the example of the African Union. We look forward to seeing inputs from the Pacific, and I think Fiji’s role in that regard would also be very important. And lastly, I endorse certainly the Talanoa spirit. I think it’s good to have some kava around, especially on a Friday evening. Thank you very much, Fiji, for your statement. So I think it’s just as well we are hearing from OSCE as the last speaker. There’s been a lot of talk about regional organizations, and so OSCE, over to you. We look forward to hearing what you have to say.

OSCE:
Thank you so much, Chair, for giving me the floor and also putting a little bit of pressure on me regarding my statement. And indeed, many of the OSCE participating states and also other states have mentioned the OSCE, so I’m very grateful for that. The Organization for Security and Cooperation in Europe has a 10-year experience in developing and implementing regional cyber confidence-building measures. And the OSCE participating states are committed to operationalizing the 16 cyber-ICT security CBMs. The OSCE Secretariat supports states in these efforts, and I would like to share some examples of this experience. Chair, in your guiding questions, you mentioned the possibility of developing additional global CBMs, amongst others related to public-private partnership, critical infrastructure protection, and coordinated vulnerability disclosure. I would like to inform you that the OSCE… OSC participating states have adopted regional CBMs on these three topics. Implementation of the CBMs creates trust and confidence, and at the same time builds capacities and creates national cyber resilience. The work done related to these OSC confidence building measures might inform the discussions here in the OEWG. I would like to share some tools the OSC participating states have developed regarding the above mentioned three topics. A report on emerging practices in cybersecurity-related public-private partnerships and collaboration in the OSC participating states. This report is a result of research conducted on concrete examples of public-private partnerships for cyber ICT security. It presents emerging practices in PPPs as baseline recommendations and promote public-private collaboration as an important element in strengthening national cyber resilience and international cyber stability. The report is publicly available on the OSC website in English and recently also in Arabic. Related to critical infrastructure protection, we have published a report titled Cyber Incident Classification, a report on emerging practices within the OSC region. The report highlights emerging practices in and provides recommendations on national classification of cyber incidents by underlining commonalities in existing approaches to cyber incident classification among OSC participating states and identifying limitations in this process. The OSC has also developed a publicly available e-learning course on coordinated vulnerability disclosure. It provides an overview of CVD as a tool to strengthen national, regional, and international cybersecurity. Over six modules, it gives an overview of the coordinated vulnerability disclosure process, the main stakeholders, and their roles and responsibilities, as well as look at some of the main challenges of the process. The OSC Secretariat follows the deliberations at the OEWG and encourages all OSC-participating states to engage in and contribute to these discussions. During our training events, we give regular updates on the development in the OEWG. Furthermore, we conduct every year a cyber diplomacy training for OSC-participating states with the aim to create better understanding on the framework of responsible state behavior in cyberspace and to enable them to meaningfully engage in international cyber policy deliberations, both at the OSC and the UN. In this spirit, we have continuously updated the OSC Cyber Points of Contact about the establishment of the Global Points of Contact Directory. With the aim to raise awareness and encourage nominations, we have forwarded to all the OSC CBM-8 Points of Contact UNODAs noteworthy on the call for the nominations for the Global Points of Contact Directory. I hope you will receive many nominations from the OSC-participating states. At the same time, we will continue to keep OSC-participating states updated on the developments on the Global POC Directory. I was delighted to hear Kazakhstan and France share concrete examples how they have used the OSC Points of Contact Network to reach out to another participating state. As the manager of the network, I’m usually not informed about exchanges between POCs, so it’s good to receive such feedback. To conclude, I would like to reconfirm the OSC’s statement Secretary’s continued support for your efforts, Chair, and our readiness to share experiences, as well as our commitment to cooperate with UNODA on these issues. Thank you.

Chair:
Thank you very much, OSCE, for your statement. I think that’s a good note to, in a sense, wrap up this discussion on confidence-building measures. I have no other speakers. Once again, I’m not going to make a summary, but just share some reflections. So if you think I omit anything important that has been said, please forgive me. It’s not meant to be a summary. But I want to once again say that this has been a very deep and productive discussion on CBMs. Many of you spoke. Many of you were very concrete. And some of you spoke for the first time, at least this week. And it shows the commitment and engagement in this working group, but also specifically with regard to CBMs. Second, as many of you said, CBMs builds trust. And implementing the CBMs that we have agreed to helps to build trust. And trust, in turn, allows for more dialogue to take place. And more dialogue could hopefully lead to agreement and concrete actions. So in a sense, it’s an iterative cycle that can go on for a long time. As with each time we meet and have dialogue, that leads to greater understanding and action. And when we implement what we have agreed, there’s even greater levels of trust. So, I see this as an iterative process, not as a sequential process, because we need to constantly improve our dialogue, improve and build on levels of trust, and take a step-by-step approach to making decisions and taking action. So, this discussion has been useful in that respect. Thank you also for responding to all the questions, the guiding questions. I think that helps not just me, but all of you get a sense of where some of the common elements are. I think there were many, many common elements under this section, and I will reflect on it carefully to see how we can structure our next discussion. Now, the first specific point that I think came across very clearly is that we definitely need to implement the POC Directory, operationalize it, and make it a success. And therefore, getting all the nominations this week and the indications that all of you are working on submitting your nominations, I think is a very good sign. Thank you very much for that. The first meeting of the POC will be held on the 9th of May. I’ll give some careful thought about how we can structure the meeting so that it’s useful and meaningful for all of us. Now, at the same time, in addition to the POC Directory, there was also discussion about implementing the set of CBMs we have already agreed, which in some ways is related to the POC directory as well, because that’s one of the global CBMs nominating points of contact directory. So implementing the CBMs, initial list of CBMs, is also an important task for us this year, and at the same time starting a discussion on additional CBMs is something that I think we need to do as well at the same time, because it will take time to build convergence. I think there are many calls and indications of support for the new CBMs that I had identified in the questions list, third-to-third cooperation, of course capacity building itself as an enabler of trust and confidence. Many of you agreed that it is important to have it as a dedicated CBM, protection of critical infrastructure, public-private sector cooperation, coordinated vulnerability disclosure, as well as multi-stakeholder dialogue has been very important elements of possible future global CBMs. So that gives us a lot of material to continue our discussions and I think this sets us up quite nicely for us to go deeper at the intersessional meeting in May with regard to CBMs, potentially new CBMs as well. There were many suggestions and ideas. With regard to the POC directory, I think there was also quite a number of you who spoke about templates or standardized formats to help the work of the POC, but some of you also said that it should be flexible and some of you also said that we should not be moving too fast. But I think it’s important that we start a discussion, because starting a discussion does not mean that we will agree on everything immediately, but we need to have that discussion, especially on this question of standardized communication templates. And as part of that, there were also ideas and suggestions as to whether we should have any specific mechanisms for consultations in the context of the POC directory. I think the POC directory will bring people together, but as we heard from the OSCE, sometimes when the contact is made between two parties who perhaps do not interact very frequently, they take it offline, they continue their discussion, the manager of the POC doesn’t know what’s happening. In some ways, that’s by design a good thing, because the manager of the POC, whether regional or global, does not need to know what exactly members are discussing. But it’s also important that we share at some point how we are using the POC framework, because that’s also the question of how we improve it and how we can show that a global POC can be useful to all countries. And of course, the POC directory in some ways can facilitate CBMs, can facilitate capacity building. If we say that capacity building is a CBM… capacity building is a cross-cutting issue, then the POC directory becomes more and more important as a framework, as a structure for dialogue and context between countries on a range of issues. And then there’s the old question, capacity building for what? We are building confidence for what? Because of the emerging and evolving threat landscape. And so the POC directory could also in some ways become contact points for exchanging information on threats. And I think there was also a suggestion that perhaps it could be used as a framework or a platform to share real-time threat information. I think that was a proposal that one of you had put forward. I think it was Pakistan who mentioned that. So my point is that the POC directory is something that we need to operationalize, something that we need to make sure it becomes alive. It is something that we need to nurture in a careful way. We cannot overload it too much and too fast. But we also need to demonstrate that the structure of the POC directory can be beneficial. So that comes back to proceeding in a step-by-step, incremental way. Some of you want to do a lot. Others are saying let’s not do anything. But I think we need to find a middle path where we can continue discussions about how we can implement the POC directory, how we can encourage communication, how we can use it as a platform, not just for capacity building but exchanging information on various issues. In terms of new CBMs, I mentioned that there was a lot of support for third-to-third cooperation, private sector partnerships, coordinator vulnerability disclosures, systematic dialogue with stakeholders. Some of you had mentioned that. There was also a suggestion for bringing together inter-regional arrangements because OAC is there, ARF is there, OAS is there, but not every region is involved, but we need to find a way to make it inclusive. The idea is how can we learn from the experiences of regional organizations, and then protection of critical infrastructure, of course. And capacity building as an enabler of CBMs is something that there was a very strong, strong support. The question of ICT terminology, a few of you mentioned that. This is an issue that has been with us for some time, but again, this is something that I think is perhaps useful to continue discussing in the context of the POC directory. So there’s a lot of work to do, my friends, in the area of CBMs. That’s a good sign, but for the May session, we need to be focused again. We need to see how we can have a discussion that will allow us to build some common ground in terms of taking some next steps in July at the third annual progress report, but some of the issues may have to go beyond July to next year, maybe for the final progress report. It’s important that when we have some common elements, it’s important that we find agreement and try and make a step forward. Even if it’s half a step, it’s important, because it’s also important for the OEWG. Between now and the next session, the final session in next July, in the next 16 months, we can’t say that we are just going to be doing implementation, which is important, but we also need to continue discussions and find common ground and show that this working group is capable of delivering results, capable of building trust, and capable of continuing the discussion. So as I said, it’s a virtuous iterative cycle. So thank you very much for that discussion. It’s ten minutes to one, and we need to get to capacity building. So perhaps, given the time limit, we should start in the afternoon. But I want to say that on capacity building, in my opening remarks on Monday, I have already explained how important it is. And by now, you would have noticed that every issue we have discussed, the question of capacity building comes up. Threats, if we want to understand the evolving threats landscape, we need capacity building. Members are saying they need capacity building. Norms, implementation, it’s about capacity building. New norms, discussion, also will require a discussion on how we can facilitate experiences and how we can provide support. International law, capacity building was a big theme. And then confidence building measure, where it is very clear that capacity building itself is a confidence-building measure, because capacity-building is not something that you put in a box and send it across the border. It requires a partnership, it requires dialogue between two countries, or more than two countries. That builds relationships, partnerships, builds trust, builds mutual respect, because capacity- building has to be based on the capacity-building principles, where it’s demand-driven, results-focused, people-centered, driven by governments themselves. So capacity-building is so foundational, and I want to, before we adjourn for this morning’s session, want to share with you a concern that I have. The concern that I have is that we have talked a great deal about capacity- building. The concern that I have is that we may not end up demonstrating results quickly, and that concerns me, because in order to build trust, we have to show results. We have to start implementation, we have to deliver, and we have to show urgency with regard to capacity-building. The concern I have is that if we take a wait-and-see approach, then delivery of capacity-building may not begin as soon as it should. If we take the approach that let’s wait and see what happens in 2025 before we actually deliver capacity-building, then we are wasting an opportunity to build trust in 2024. Now, we should use this period between now And July 2025, when we wrap up in this working group, our work, and pass it on to a future mechanism, we should use this opportunity to build trust, build confidence, and show results. So that’s the concern I have, that we may end up taking a wait and see approach. So I’d like to once again urge all of you, having heard everything that you have heard this week. It’s almost at the tail end of the meeting this week. Because capacity building is so foundational, it’s really important that we show results and show urgency. Now, the good news is that a lot is happening. So the secretariat’s report on the mapping exercise made that clear. A lot is happening. The secretariat will also release a report in June on capacity building needed for the POC directory. And that report is going to be made available in June. But a report on capacity building is not in itself capacity building. It’s capacity building on paper. So that’s good. So that’s the good news. A lot is happening. And I know even the stakeholders are here. They have been doing a lot. They’re very active in the field. So I just want to encourage all of you to see what we can do in a step-by-step way. What is it that we can do this year by July? And that’s where the global roundtable on capacity building comes in. It is an opportunity to show results. It’s an opportunity to build partnerships. It’s an opportunity to build new partnerships. Because as I said, the good news is we have a good, rich landscape where partners are doing a lot of things, where institutions are doing a lot of things. a lot of things, where stakeholders are being very committed. But we need to show results here at the UN. We need to reach out and build partnerships. We need to give a sense of momentum and a sense of urgency. So I once again urge all of you to take the Global Roundtable on Capacity Building. Look at it as a very strategic opportunity to show results, but show results not for its own sake. Show results to demonstrate urgency, to demonstrate your commitment to partnership, to build trust and to broaden the engagement and participation in this process, and to bring people on board the framework of rules, norms and principles. When we talk about mainstreaming the framework of rules, norms and principles, that also begins with capacity building. So I don’t want to belabor this point. I think I’ve been belaboring this point, but that’s by design. I have to belabor this point to some extent, because that’s my responsibility as the chair. And I wanted to share this concern that I have as well, that we should not end up waiting and seeing as to what we can do, let’s see if we can discuss further, but let’s start looking at what we can do in a very concrete step-by-step way right now at this stage, and using the Global Roundtable on Capacity Building as an opportunity to show results, show urgency, show commitment, and maintain the momentum, help to build convergence and take the next step forward before we wrap up this working group. in 2025. I think the window is a very short one. 1259, just in time to wrap up. So I wish all of you a pleasant lunch. We will begin this afternoon with capacity building, with the speaker’s list, and I think some delegations have asked to make presentations, and as is the practice, I’ll let them start first to make presentations. So the meeting is now adjourned. See you this afternoon. Thank you.

D

Djibouti

Speech speed

121 words per minute

Speech length

476 words

Speech time

236 secs

A

Albania

Speech speed

109 words per minute

Speech length

590 words

Speech time

325 secs

A

Argentina

Speech speed

134 words per minute

Speech length

545 words

Speech time

244 secs

A

Australia

Speech speed

159 words per minute

Speech length

710 words

Speech time

268 secs

B

Botswana

Speech speed

161 words per minute

Speech length

385 words

Speech time

144 secs

B

Brazil

Speech speed

183 words per minute

Speech length

503 words

Speech time

165 secs

C

Canada

Speech speed

163 words per minute

Speech length

585 words

Speech time

215 secs

C

Chair

Speech speed

130 words per minute

Speech length

4370 words

Speech time

2022 secs

C

China

Speech speed

151 words per minute

Speech length

379 words

Speech time

150 secs

C

Colombia

Speech speed

128 words per minute

Speech length

529 words

Speech time

248 secs

C

Cuba

Speech speed

134 words per minute

Speech length

217 words

Speech time

97 secs

C

Czechia

Speech speed

125 words per minute

Speech length

687 words

Speech time

330 secs

E

Ecuador

Speech speed

129 words per minute

Speech length

290 words

Speech time

135 secs

ES

El Salvador

Speech speed

133 words per minute

Speech length

424 words

Speech time

192 secs

E

Ethiopia

Speech speed

150 words per minute

Speech length

346 words

Speech time

138 secs

F

Fiji

Speech speed

166 words per minute

Speech length

1153 words

Speech time

416 secs

F

France

Speech speed

94 words per minute

Speech length

300 words

Speech time

192 secs

G

Germany

Speech speed

154 words per minute

Speech length

490 words

Speech time

191 secs

G

Ghana

Speech speed

148 words per minute

Speech length

472 words

Speech time

191 secs

IR

Islamic Republic of Iran

Speech speed

146 words per minute

Speech length

679 words

Speech time

279 secs

I

Israel

Speech speed

151 words per minute

Speech length

529 words

Speech time

210 secs

J

Japan

Speech speed

114 words per minute

Speech length

466 words

Speech time

246 secs

K

Kazakhstan

Speech speed

152 words per minute

Speech length

598 words

Speech time

236 secs

M

Malaysia

Speech speed

139 words per minute

Speech length

585 words

Speech time

253 secs

M

Mauritius

Speech speed

120 words per minute

Speech length

480 words

Speech time

241 secs

M

Mexico

Speech speed

116 words per minute

Speech length

513 words

Speech time

264 secs

N

Netherlands

Speech speed

138 words per minute

Speech length

500 words

Speech time

217 secs

O

OSCE

Speech speed

134 words per minute

Speech length

722 words

Speech time

324 secs

P

Pakistan

Speech speed

153 words per minute

Speech length

312 words

Speech time

122 secs

Q

Qatar

Speech speed

87 words per minute

Speech length

261 words

Speech time

180 secs

RO

Republic of Korea

Speech speed

156 words per minute

Speech length

363 words

Speech time

140 secs

RF

Russian Federation

Speech speed

106 words per minute

Speech length

530 words

Speech time

301 secs

S

Singapore

Speech speed

143 words per minute

Speech length

394 words

Speech time

166 secs

SA

South Africa

Speech speed

125 words per minute

Speech length

388 words

Speech time

186 secs

S

Switzerland

Speech speed

151 words per minute

Speech length

860 words

Speech time

341 secs

T

Thailand

Speech speed

128 words per minute

Speech length

417 words

Speech time

195 secs