Agenda item 5: discussions on substantive issues contained in paragraph 1 of General Assembly resolution 75/240 (continued)/1/OEWG 2025

18 Feb 2025 15:00h - 18:00h

Agenda item 5: discussions on substantive issues contained in paragraph 1 of General Assembly resolution 75/240 (continued)/1/OEWG 2025

Session report
Speakers
Knowledge Graph
In-depth Analysis

Session at a Glance

Summary

This discussion focused on the development and implementation of rules, norms, and principles for responsible state behavior in cyberspace. Participants reflected on the 10-year anniversary of the 11 voluntary, non-binding norms established in 2015, emphasizing their continued relevance and importance. Many delegates stressed the need to prioritize implementing existing norms before developing new ones, while others argued for the creation of additional or legally binding norms to address evolving cyber threats.


The voluntary checklist for norms implementation was widely supported as a useful tool, with suggestions to treat it as a living document. Delegates emphasized the importance of capacity building, especially for developing countries, to effectively implement the norms. The relationship between norms and international law was discussed, with most agreeing on the need to keep these concepts distinct while recognizing their complementary nature.


Many speakers supported integrating norms discussions into thematic working groups in the future permanent mechanism, focusing on practical implementation and problem-solving. Gender mainstreaming in norms implementation was highlighted as a crucial aspect. The discussion also touched on the protection of critical infrastructure, supply chain security, and the need for international cooperation in addressing cyber threats.


Overall, while there was broad agreement on the importance of the existing normative framework, divergent views emerged on the need for new norms and the best approach to evolving the framework. The Chair emphasized the importance of keeping an open mind and finding consensus as the group transitions to a future permanent mechanism.


Keypoints

Major discussion points:


– Implementation of existing voluntary norms vs. development of new norms


– The role of the voluntary checklist for practical actions in implementing norms


– How to address norms in the future permanent mechanism


– The relationship between norms and international law


– The need for capacity building to support norms implementation, especially for developing countries


Overall purpose/goal:


The purpose of this discussion was to review the current framework of voluntary norms for responsible state behavior in cyberspace, assess progress on implementation, and consider how to move forward with norms in the transition to a future permanent mechanism.


Tone:


The overall tone was constructive and collaborative. Most delegations emphasized areas of agreement and common ground, while respectfully acknowledging differences. There was a general sense of commitment to the existing norms framework, even as some called for its evolution. The Chair encouraged maintaining an open and flexible mindset as discussions continue.


Speakers

– Chair


– Colombia


– Djibouti


– Singapore


– Pakistan


– European Union


– Japan


– Kazakhstan


– United States


– El Salvador


– Islamic Republic of Iran


– Albania


– Mauritius


– Russian Federation


– Republic of Korea


– Indonesia


– Malaysia


– Democratic Republic of the Congo


– Cuba


– Mozambique


– United Kingdom


– Kingdom of the Netherlands


– Italy


– Canada


– China


– Portugal


– Thailand


– South Africa


– Australia


– Viet Nam


– Vanuatu


– Switzerland


– Saudi Arabia


– Egypt


– France


– Kuwait


– Nicaragua


– New Zealand


– Brazil


– Tonga (speaking on behalf of Pacific Island Forum members)


– Fiji


– Kenya


– Israel


Additional speakers:


– Nigeria (mentioned as speaking on behalf of the African group)


– Kuwait (mentioned as speaking on behalf of the Arab group)


Full session report

Expanded Summary of Discussion on Cyber Norms


Introduction:


This discussion focused on the development and implementation of rules, norms, and principles for responsible state behaviour in cyberspace. The dialogue marked the 10-year anniversary of the 11 voluntary, non-binding norms established in 2015, with participants reflecting on their continued relevance and importance. The discussion involved a wide range of speakers from various countries and regional groups, addressing key issues related to cyber norms implementation, development, and future directions.


Key Discussion Points:


1. Implementation of Existing Norms vs. Development of New Norms:


The discussion revealed diverse perspectives on whether to prioritise implementing existing norms or developing new ones. Countries like Switzerland, New Zealand, Japan, and the Republic of Korea emphasized focusing on implementing current norms, arguing that the existing framework is comprehensive and adaptable. The United States stressed that existing international law already provides binding rules for cyberspace.


In contrast, Nicaragua and Cuba called for new legally binding norms to address evolving threats. El Salvador, Viet Nam, and China supported developing new norms to address emerging technologies and challenges. China specifically emphasized the need for discussions on data security, supply chain security, and cybersecurity traceability.


2. Voluntary Checklist for Norms Implementation:


The voluntary checklist for norms implementation received widespread support. The Kingdom of the Netherlands, Kuwait (on behalf of the Arab group), the European Union, and Colombia endorsed its use. There were suggestions to treat it as a living document that could be updated over time.


3. Capacity Building for Norms Implementation:


Many speakers, including Kenya and Mauritius, emphasized the importance of capacity building, especially for developing countries. Kenya highlighted the technical challenges in implementing certain norms. Tonga, speaking for Pacific Island Forum members, highlighted the specific needs of small island developing states.


4. Relationship Between Norms and International Law:


The European Union and France stressed that norms and international law are distinct but complementary, cautioning against conflating discussions on the two. Brazil, however, supported an integrated discussion of norms and international law.


5. Future Mechanism for Norms Discussion:


Delegates discussed various approaches for addressing norms in the future permanent mechanism. The UK, France, and New Zealand suggested integrating norms discussions into thematic groups on topics like resilience, cooperation, and stability. In contrast, countries like Brazil and the Islamic Republic of Iran supported a dedicated group on norms and international law. Canada emphasized the need for stakeholder participation in future discussions.


6. Regional Approaches to Norms:


Several speakers highlighted regional efforts in norms implementation. Malaysia mentioned the ASEAN regional norms implementation checklist, Djibouti spoke about the African Union common position on norms, and the European Union discussed EU efforts, including the NIS2 Directive. Italy highlighted its national cyber security perimeter as an implementation example.


7. Gender Considerations in Norms:


Several countries, including Fiji, Australia, Brazil, and South Africa, supported incorporating gender perspectives into cybersecurity efforts and norms implementation.


8. Specific Implementation Efforts:


Kazakhstan emphasized zero trust approaches and defense in depth principles in their implementation efforts. Portugal highlighted the importance of due diligence in cyberspace.


Areas of Agreement:


There was broad agreement on the continued importance and relevance of the existing 11 voluntary norms. The voluntary checklist was widely endorsed as a useful tool for implementation. There was also consensus on the importance of capacity building to support norms implementation, especially for developing countries.


Areas of Disagreement:


Significant differences emerged on whether new norms are needed, with some states supporting new norms to address emerging technologies and threats, while others were sceptical. There was also disagreement on whether voluntary norms are sufficient or if legally binding instruments are necessary. Countries differed on whether norms and international law should be discussed separately or in an integrated manner in future mechanisms.


Thought-Provoking Comments:


The Republic of Korea challenged the need for new norms, arguing for a focus on implementing existing ones. Cuba proposed a roadmap for negotiating a legally binding instrument. Australia cautioned against rushing to insert new, untested norms into the framework and emphasized a bottom-up, evidence-based approach to developing norms. Egypt advocated for a flexible approach, suggesting that future discussions might reveal the need for both binding and voluntary norms.


Conclusion and Future Directions:


As the discussion concluded, it was clear that while there is broad support for the existing normative framework, divergent views remain on how to evolve it. The Chair emphasized the importance of keeping an open mind and not viewing the discussion as zero-sum as the group transitions to a future permanent mechanism.


Key action items emerging from the discussion include:


1. Considering the adoption of the voluntary checklist for norms implementation as an annex to the final OEWG report


2. Continuing discussions on how to address norms in the future permanent mechanism


3. Sharing national and regional experiences on norms implementation


4. Exploring ways to mainstream gender considerations into norms implementation efforts


Unresolved issues that require further discussion include the development of potential new norms, the exact format for discussing norms in the future permanent mechanism, and how to address proposals for legally binding instruments on cybersecurity.


As the international community moves forward, it will need to balance the focus on implementing existing norms with the potential development of new ones, while also addressing emerging challenges in cybersecurity governance.


Additional Notes:


– The European Union initially delivered their statement on international law by mistake, later providing the correct statement on norms.


– Colombia and Saudi Arabia announced side events during the discussion.


Session Transcript

Chair: Good morning, distinguished delegates. The third meeting of the 10th substantive session of the Open-Ended Working Group on Security of and in the Use of ICTs is now called to order. The group will now begin its discussion on the topic of, and I quote, further develop the rules, norms and principles of responsible behavior of states and the ways for their implementation and, if necessary, to introduce changes to them or elaborate additional rules of behavior. The floor is now open for any delegation wishing to make an intervention. And once again, I’ll make two general points. First, please do look at the guiding questions that were circulated in my letter. And second, be as specific as possible in your intervention so that I would receive and others would hear the position of delegations in terms of what could be captured in the final progress report. And I would have a good sense as to where delegations stand on this important issue. So with those general comments, the floor is now open. And I invite you to press the button. I give the floor now to Colombia, to be followed by Djibouti.


Colombia: Thank you, Chairman. On rules, norms and principles, as we’ve pointed out in previous meetings, we continue to believe that we need to have sufficient flexibility and scope to address emerging technologies and cyberspace and establish rules. They need to focus on proper implementation. We have to have a space for the discussion of these rules, norms, and principles and take into account new technologies, and these must be human-centered. On the checklist for practical actions for the implementation of voluntary CPMs, we are grateful for your efforts to draft this list and we support its adoption. We believe that in the future mechanism it could function as a platform where states would voluntarily report their progress in implementation, contributing in this way to strengthening the normative framework which is applicable in this context, and it will allow us to promote greater cooperation in implementing best practices globally. Mr. Chairman, we welcome your proposal to include in the future mechanism a group dealing with rules, norms, and principles of responsible state behavior and state intentions. My delegation believes that this proposal is in line with what we have been saying, that the binding and voluntary frameworks are complementary in nature. However, we would not object to further inclusion of these matters to cover some of the concerns expressed by states in the past. Finally, Mr. Chairman, my delegation will speak later on about international law issues and the intention of Colombia to put forward its national position on the implementation of international law and cyberspace. We would invite you to a UNIDIR meeting at 1.15 p.m. today which we are hosting along with Canada. We will put forward our position and we will tell you a little bit about the development of the document. And this will be an opportunity to discuss the national positions and to draw on lessons learned and explore opportunities for greater capacity building. Thank you.


Chair: Thank you very much, Colombia, for your statement and also for your invitation to all of us here as you present your national position. And I think one of the good things about this process is that it has really encouraged everyone to reflect deeply about their own internal national positions and to share that with every member state. So I commend you, Colombia, and I encourage all of you to attend this event, but also for each of you who have not yet put forward your own national positions to consider doing so. And if you are in need of partnership in order to do that, do reach out to the delegations because this working group has also emerged as an important network of partners and an important community of mutual support. So I’m very happy to hear your statement, Colombia. Let’s go on with the rest of the speakers. Djibouti, to be followed by Singapore.


Djibouti: Thank you, Mr. Chairman. Chairman, let me begin on behalf of my delegation by congratulating you and your team on the way in which you are guiding our work, and you have done so since the beginning of this very long trip, which began in 2021 and will end in 2025. I’d like to thank the Secretariat and the interpreters for their constant support as well. We are aligned with the African position and the Arab group expressed by Nigeria and Kuwait respectively, and I have the following to say in my national capacity. My delegation welcomes the third. annual report of the working group at the 8th session, and we believe that consensus has been arrived at on a number of issues in a difficult geopolitical environment. With regard to cyber threats, this issue has been addressed sufficiently in the third report of the working group. We are all convinced that the pace at which ICT technology has improved with the use of AI means a greater potential cyber threat, and these threats take on various forms, attacks on moral and civil persons’ privacy, attacks on critical infrastructure. Just to give you those examples, modern ICT is necessary for vital sectors but could also be used to target potential attacks by weapons of mass destruction and autonomous weapons. If these weapons are in the hands of terrorists, it will be difficult for a state to combat the illicit use of these weapons if they don’t have the appropriate technology. Ideologies such as Islamophobia and the manipulation of the media or social networks have created social tensions and repressive policies, and they continue to undermine trust among communities and states, and they worsen the existing geopolitical situation. Although ICTs have led to positive developments, they have been misused to serve political interests and ideologies, which exacerbate geopolitical tensions. However, Security and the use of ICTs is a major issue because we are facing growing cyber threats. And in order to address this, we need to bolster our technical and human capacities at the state level. That is essential. We need to have effective cooperation and sincere cooperation, in particular for developing countries. It is also important to set up programs to bolster the rules governing the use of cyber technology and raise awareness of users by setting up a collective approach under the auspices of the UN to ensure a digital environment which is safe at the national, regional and international levels. We welcome the adoption by consensus of the implementation of a permanent mechanism within the UN on global ICT security, and we encourage further multilateralism through dialogue, trust-building and diplomacy so that we can overcome these cyber wars. Thank you.


Chair: Thank you very much, Mr Cheputi, for your contribution. Singapore to be followed by Pakistan.


Singapore: Thank you, Mr Chair. While the implementation of the existing norms remains the priority, the pace of technological advancement over the last decade requires us to continue adapting to new opportunities and challenges. Thus, we welcome forward-looking discussions on the further development of norms, focused on continued stability and the responsible use of cyberspace. At the same time, Chair, it is clear that states need to build significant capacity to implement the existing norms, because, as we have highlighted before, these norms are multidimensional. Each norm has a policy, operational technical, legal, and diplomatic aspect to it. Only after developing the capacity to implement these norms will states be in a position to identify any gaps, and if not, new norms are needed to address them. This interconnected and coordinated approach ensures that we remain both grounded in practice and forward-looking in strategy. In this regard, the ASEAN-Singapore Cybersecurity Centre of Excellence in Singapore will start a new series of capacity-building workshops, titled Cyber Norms in Action – Capacity Building for Effective Norms Implementation, to further support ASEAN member states in implementing the existing norms and identifying gaps in the current normative framework in line with their individual national priorities. These workshops will entail sharing of best practices in the implementation of norms by states and stakeholders from other regions as well, to help ASEAN member states to better understand how to implement the norms and to identify and deepen the necessary capacities. At the same time, the workshops will be helpful in providing feedback to the efforts by other regions. We hope also that the feedback from these workshops will feed into the norms discussions of the future UN Cyber Mechanism for States, to further advance the development and implementation of norms to uphold responsible state behaviour. Thank you, Chair.


Chair: Thank you very much, Singapore, for your statement. Pakistan, to be followed by the European Union.


Pakistan: Thank you, Mr. Chair. Pakistan has consistently emphasised its support for the development of non-binding norms to ensure the responsible use of ICTs. We recognise the value of such norms in fostering trust. transparency, and stability in cyberspace. We maintain that while non-binding norms provide a foundation for responsible behavior, they cannot substitute for a legal framework that can ensure accountability and compliance under international law. Non-binding norms are effective during peacetime, but lose their utility during crises or armed conflicts. Furthermore, the voluntary implementation of norms is left to Member States without legal responsibility that can come with a legally binding instrument. In this regard, I would like to make the following points for appropriate reflection in the final report. First, towards our goal of making global cyberspace safe, secure, stable, and accessible, there is a need to evaluate the effectiveness of the 11 voluntary norms of responsible state behavior adopted by the GGE. For example, we have norm on supply chain security. We should ask for the effectiveness of this norm in cases such as horrendous pager attacks of last year that affected hundreds of civilians, where state actors militarized ICT supply chain. Second, non-binding norms should address critical gaps in the current framework. These include, for example, timely disclosure of vulnerabilities, protection of critical infrastructure, and secure cross-border data exchanges. Third, norms should be developed that promote global cooperation in combating disinformation, hate speech, and the malicious use of artificial intelligence in cyber operations. Fourth, enhanced capacity-building initiatives to assist developing countries in implementing these norms. more effectively. In conclusion, we look forward to further discussions on reviewing existing norms and developing new non-binding norms. This is important to advance our efforts towards ensuring a safe, secure and equitable cyberspace for all. I thank you, Chair.


Chair: Thank you. European Union, to be followed by Japan.


European Union: Thank you, Chair. I have the honour to speak on behalf of the Unit’s member states, the candidate countries North Macedonia, Montenegro, Albania, Ukraine, the Republic of Moldova, Bosnia-Herzegovina and Georgia, the EFTA country Norway, member of the European Economic Area, as well as San Marino align themselves with this statement. Our discussions on international law within the Open-Ended Working Group have proven to be highly valuable and have also significantly deepened throughout the process. National and regional positions have contributed to shaping a shared understanding of how international law should be interpreted in relation to activities in cyberspace. In conjunction with the declaration recently adopted by the European Union and its member states on a common understanding on the application of international law in cyberspace, as well as the African Union’s common position on the application of international law in cyberspace, over a hundred states have now individually or collectively published their positions on international law, making this a significant and encouraging milestone. The broad agreement that activities in cyberspace are regulated by international law, including in situations of armed conflict, must be reflected and articulated clearly in the Open-Ended Working Group final report. Additionally, the report should highlight the central importance of binding obligations found in a UN Charter, such as the prohibition of threat of use of force and those on peaceful settlement of disputes, as well as the customary principles of sovereignty and non-intervention. Additionally, it’s important to note that states continue to confront essential questions regarding the prohibition on the threat of the use of force in the context of states’ use of ICTs. In our third APR, states observed that activities involving ICTs that do not violate the prohibition on the threat of the use of force might, depending on the circumstances, contravene other principles of international law, such as state sovereignty or the prohibition of intervention in the internal or external affairs of states. It is crucial that we do not shy away from addressing these complex legal issues, but rather confront them head-on and in the context of the actual threat, as they are central to shaping the future understanding of how international law applies in cyberspace. States have also recognized the application of the law of state responsibility, international human rights law, and in situations of armed conflict, international humanitarian law. We would also wish for the final report to include a clear reference to IHL’s applicability in cyberspace, as well as international human rights law and state responsibility. In a similar vein, the EU strongly supports this open-ended work in deepening our understanding of the application of customary international law on state responsibility and to their activities in cyberspace. Chair, now let me turn to the future mechanism. International law will be an important part of the future mechanism’s substantive plenary discussions, and is relevant also across several thematic groups. The participation of stakeholders beyond those representing member states of the UN will be essential to those discussions, as they have both expertise and responsibility. For example, international law provides for the protection of critical infrastructure, which is often owned or operated by private entity. Therefore, any discussion in the working group on critical infrastructure would inherently involve considerations of international law. We would also like to note that international law and capacity building are at the very heart of the discussions of the protection of critical infrastructure and on cooperation on cyber incidents. Similarly, discussions on stability and conflict prevention in cyberspace also require references and engagement to relevant international legal frameworks. It is so that we propose that each dedicated thematic group should have a standing item on international law and on capacity building to assess the implications. This cross-cutting approach ensures not only one but three groups with a specific discussion on international law, as well as on capacity building, in a more operational conversation than a group merging norms and international law, which could also create confusion between the pillars and that would be discussed in the plenary sessions. Cross-cutting dedicated groups would also give all member states the relevant information and solutions drawn from the discussions grounded in the reality of cyber challenges that all nations face through a regular debrief in the plenary. Chair, this agenda item has been one of the most challenging areas of our work over the past years. Nevertheless, in each successive annual progress report, we have been able to reach consensus, which has helped to maintain momentum and keep the conversation moving forward. Yet all what has been discussed has not been reflected in the reports and we would like to drive this home in the final version. A key step forward is ensuring that the final report indeed accurately and coherently reflects the various discussions held in the room over recent years, while taking into account different levels of support received by specific proposals. We welcome your call to reflect on and build upon the progress we are making within this group on international law and avoid settling for the lowest common denominator. nominator. Thank you very much.


Chair: Thank you very much, European Union, for your statement. Japan, to be followed by Kazakhstan.


Japan: Thank you, Mr. Chair. First and foremost, regarding rules, norms, and principles of responsive behaviour of states, we would like to reiterate the paramount importance of concrete actions to steadily implement existing norms, including the 11 voluntary, non-binding norms of responsible state behaviour in the 2015 GGE report, which was subsequently endorsed by consensus at the General Assembly. Japan shares the view expressed in paragraph 31A of the third APR that voluntary and non-binding norms of responsible state behaviour can reduce risks to international peace, security, and stability, and play an important role in enhancing predictability and reducing the risk of misperception, thus contributing to conflict prevention. In order to further accelerate action by the international community, we should focus on promoting existing norms rather than simultaneously working to identify additional norms. With regard to the voluntary checklist of practical actions, it is essential to actually use the checklist in order to identify where we are, how we go forward, and what we need. It is also beneficial when we go through the checklist to share feedback with each other and collectively learn about the lessons learned. Those discussions related to rules, norms, and principles are policy-oriented, tool-focused ones, and best suited to a policy forum such as disciplinary meetings. I thank you, Mr. Chair.


Chair: Thank you, Japan, for your statement. Kazakhstan to be followed by the United States.


Kazakhstan: Thank you, Chair, for giving the floor. Kazakhstan reaffirms its commitment to strengthening cyber norm implementation and advancing the voluntary checklist as a practical tool for enhancing cyber posture. Recognizing increasingly sophisticated cyber threats, Kazakhstan advocates for a norm-on-zero trust approach, ensuring continuous verification and strict access controls. Combined with defense in depth principle, this enhances resilience through multiple security layers, translating voluntary commitments into action. We believe that prioritizing the enhancement and practical implementation of existing norms is more effective than introducing additional new ones. Under norm C, Kazakhstan supports a structured real-time incident response mechanism. The global POC directory should serve as a rapid response tool, enabling immediate coordination to mitigate cyber threats, including zero-day vulnerabilities. Regional coordination centers integrating national CERTs and C-CERT teams will improve cross-border cooperation. With over 40 active CERTs, Kazakhstan engaged with international partners to strengthen incident response. Regarding norm F and G on CI and CII protection, Kazakhstan emphasizes committing cybersecurity exercises. Red Team and Blue Team simulations might test preparedness against threats. Additionally, sector-specific cybersecurity frameworks aligned with ICO and NIST standards should ensure comprehensive threat modeling and risk assessment. A risk-based regulatory approach should be promoted for CI operators, integrating regulatory sandboxes to test policies before full-scale implementation. Security by design and privacy by design should be foundational in cyberspace. Security must be implemented into ICT infrastructure from the outset. Ethical hacker programs should support vulnerability management, identifying security flaws before exploitation. Kazakhstan actively promotes public-private bug bounty platform, demonstrating proactive cybersecurity. AI-driven security solutions require clear governance frameworks to prevent unintended risks. Robust identity and access management helps to control system access based on least privilege. It should enforce data minimization strategies, collecting only essential information to reduce risk exposure, including cross-border data exchange. Kazakhstan views voluntary checklist as a living document, evolving with cyber threats. It should integrate best practices for threat sharing, incident response, and public-private collaboration. We encourage deeper engagement with academia and industry to foster cybersecurity innovation, recognizing multi-stakeholder cooperation as a key to global resilience. By advancing cyber norm implementation, Kazakhstan strength international cooperation through CBMs. Enhancing cyber resilience at national and regional levels will mitigate state-sponsored and non-state cyber threats, contributing to a secure, stable, and rules-based cyberspace. I thank you.


Chair: Thank you very much, Kazakhstan, for your statement. United States to be followed by El Salvador.


United States: Thank you, Chair. Chair, you and member states have advanced the framework through over 10 years of consensus endorsements of the GGE and the OEWG reports, which include a robust set of 11 peacetime norms. These reports were endorsed by consensus by the General Assembly, which called on all states to be guided in their actions by their recommendations. Eight of the 11 cyber norms norms describe best practices and positive commitments that, if undertaken, benefit not only Internet users within the implementing state, but all member states by improving stability and security of their ICT environment. To further that goal, we recommend the 2021 GGE report’s explanatory text on the consensus norms be included as is in the final OEWG report so that the future mechanism can build upon this existing foundation to further common understanding and guidance on how to implement the consensus norms. Chair, we continue to hear some states point to the voluntary non-binding character of the 11 norms and suggested that new binding norms are necessary. We would like to remind those states that we already have binding rules that apply in this context. As UN member states have repeatedly confirmed by consensus, existing international obligations apply to state conduct in cyberspace. These non-binding norms are intended to complement, not replace, these obligations. Legally binding instruments are highly resource-intensive to negotiate. Involving in such an exercise would be a significant distraction with an uncertain outcome. States can more effectively address evolving cyber threats by examining how the consensus norms and confidence-building measures can be actioned. The dedicated thematic groups in the future mechanism will be particularly valuable given their issue-oriented and practical approach that can drive outcomes. Further participation will also be critical to developing implementable solutions given the unique expertise they bring to the dedicated thematic groups. The strong and consistent support of the norms by the UN General Assembly Assembly underscores the unity of will among member states to act responsibly in cyberspace. Thank you.


Chair: Thank you, United States, for your contribution. El Salvador, to be followed by the Islamic Republic of Iran.


El Salvador: Mr. Chairman, 2025 is the 10th anniversary of the 11 responsible norms in cyberspace. My country reaffirms the fact that norms, the applicability of international law, and the development of cyber capacities, as well as CBMs, are the UN framework on responsible behavior of states in cyberspace. This framework is the founding structure which should guide the behavior of states in their cyber activities. However, 27 years after the UN began to address ICT security in Resolution 53 Stroke 70, this enables us to see how far we’ve come and what the future of these norms is, while we believe that the Chairman’s proposal on a list of practical actions is a key step for moving forward in implementing these norms. We also believe it is necessary to go through further thought and discussion as to what norms these should be. The current world is much more digitalized than it was a decade ago, and the landscape of cybersecurity has radically changed. As El Salvador has said in previous sessions, the intersection between emerging technologies such as AI and quantum computering have meant a greater potential threat, which don’t just impact international peace and security, but they also pose significant challenges at the national level. In light of recent discussions in the UN forum, in particular the last session that was held, it’s important to point out that a number of states, including my delegation, have proposed qualifying existing norms and exploring the adoption of new norms. El Salvador is a firm defender of a robust implementation of the current framework. However, looking at its structure should not be seen as an exclusive proposal, but rather an exercise in ongoing reflection, in particular in view of discussions on the future permanent mechanism. We therefore reiterate our proposal put forward at previous sessions to update norm E on the right to privacy in the digital era. We suggest having a focused approach on personal data throughout the life cycle, allowing for the adoption of protection laws on data which address the misuse or illegal use of their data. We also believe it is relevant to include principles such as minimizing the collection of personal data, greater transparency on their use, and the implementation of security measures in processing this information and accountability and corrective measures if errors are made. We believe that we should look at the updating of other norms to align them with the use of emerging technologies such as AI. Finally, Mr. Chairman, we would like to underscore the importance of international cooperation, bolstering building capacity and ensuring transparency, or rather, sorry, says the Speaker, the transfer of technology as key pillars for the effective implementation of norms, in particular. We recognize the Women in Cyber Program, which is a platform to improve the technical know-how of women in the diplomatic sphere when discussing cyber issues in an international context. Thank you.


Chair: Thank you very much, Salvador, for your contribution. Islamic Republic of Iran, to be followed by Albania.


Islamic Republic of Iran: Mr. Chair, my delegation has consistently emphasized that the broad and inclusive participation of all nations in the development of comprehensive, universally accepted international norms and regulations achieved through consensus is crucial for their effective implementation. Additionally, it is important to acknowledge that a uniform approach to implementing norms is not practical. Each nation has unique circumstances, and developing countries often lack the same technical and technological resources as developed ones. While responsibilities are shared, they must be adopted to reflect these differences. During this process, many states have proposed new ideas, including new norms and rules that have merit for further consideration, and the OEWG should base its work on these proposals. My delegation has submitted a full list of its proposed norms to the group. Among those, we believe the concerns with regard to data security, cross-border data flows, as well as the availability of a secure supply chain are crucial and need to be addressed and regulated in terms of new norms and rules. Concerning the voluntary checklist of practical actions attached to the third APR, Iran recognized the need for substantial enhancement to the proposed checklist to foster broad consensus. As stated before, this document is based entirely on the recommendations of the 2021 GGE report. a process in which the majority of the OEWG members did not participate. Further, the State’s proposals on new norms as put forward and reflected in the 2019 OEWG Chair Summary are ignored. Many of the terms used in the checklist are ambiguous, open to interpretation, or unnecessary. Additionally, there are legitimate concerns about the approach of linking the implementation of capacity building commitments to the fulfillment of checklists, which is counterproductive and unhelpful. We believe it would be reasonable to delay negotiations on this document until discussions take place within the framework of the permanent mechanism and until States agree on a method for establishing a comprehensive list of norms. Meanwhile, to fulfill the OEWG’s mandate before 2025, we recall our proposal for you, Excellency, as the Chair of the Group, to draft an initial document incorporating all proposed rules, norms, and principles as a basis for future discussion. This task has been taken in by the Chair of the 2019 OEWG as well. In this regard, we propose the establishment of a dedicated thematic group within the future permanent mechanism to address the outstanding mandate of the OEWG, namely, to introduce change to current norms or elaborate additional rules of behavior as established in Resolution 75-240. In conclusion, we are ready to collaborate with all Member States to develop global ICT governance rules that are inclusive, representative, and respectful for all interests of the countries. I thank you, Mr. Chair.


Chair: Albania, to be followed by Mauritius. Thank you, Chair.


Albania: Albania fully aligns with the European Union Statement. Since its founding in 1945, the United Nations has stood as a bedrock of the international rules-based order, guiding nations towards peace, security, and sustainable development. While the world has evolved in extraordinary ways, the fundamental principles embedded in the UN Charter remain as relevant today as they were in their inception. At the heart of the UN Charter lies the principles that all states, regardless of size, power, or wealth, pose equal rights and responsibilities under international laws. Respect for national sovereignty is the foundation of peaceful coexistence. However, in the era marked by rapid technological advancements and emerging threats, states must not only uphold their sovereignty but also embrace cooperation to address the complex challenges of the digital age. Albania reaffirms its steadfast commitment to advancing global cybersecurity norms, fostering international cooperation, and enhancing resilience against cyber threats. As cyberspace becomes an increasingly contested domain, it is imperative that we further develop the rules, norms, and principles of responsible state behavior while ensuring their effective implementation. Where necessary, we must adapt existing frameworks and establish new mechanisms to address emerging risks and vulnerabilities. Albania remains a dedicated participant in global security initiatives, particularly through its engagement in open-ended working group, actively contributing to the development of universally accepted norms of responsible state behavior in cyberspace, the implementation of UN norms reinforcing state accountability, the protection of critical infrastructures, and international collaboration to counter cyber threats. Using the over-evolving cyber threat landscape, Albania has taken important steps to fortify its legal and institutional frameworks, aligning with the EU and UN cybersecurity standards. Key initiatives include the adoption of the new cybersecurity law in May 2024, in line with the NIS2 directive, expanding protections for 289 critical infrastructure entities through a newly developed impact-based methodology, deepening cooperation with NATO, the EU, and the UN, including Albania’s firm stance against state-sponsored cyber attacks. Notably, Albania has consistently raised concerns over malicious cyber operations targeting national security, exemplified by the collective NATO response following the state-sponsored cyber attack on February 1, 2024, advocating for accountability mechanisms to deter violations of established cyber norms. Albania remains aligned with the EU, US, and NATO policies on countering cyber aggression, as evidented by coordinated responses to cyber threats against sovereign states. As cyber threats grow in complexity and scale, Albania supports ongoing discussions to enhance enforcement mechanisms within existing frameworks to ensure compliance with international cyber norms, developed new binding agreements that hold states accountable for malicious cyber activities, and strengthened confidence-building measures to promote trust and cooperation in cyber diplomacy. In 2024, Albania overtook two significant initiatives, joined the Hybrid Center of Excellence as its 35th member, reaffirming its commitment to countering hybrid threats, cybercrime, and disinformation, and establishing a special parliamentary commission to combat disinformation and foreign interference, addressing the increasing influence of information operations that seek to undermine public trust in democratic institutions. Albania’s experience in the cyber domain has been shaped by sophisticated state-sponsored cyber attacks over the past two years. We have encountered cyber operations ranging from destructive attacks to espionage campaigns and information campaigns as well. These experiences have underscored the fundamental truth, resilience in cyberspace can only be achieved through close international cooperation. Transparency is a cornerstone to this process, furthermore, in line with our unwavering commitment to transparency and responsible state behavior, Albania publicly releases a comprehensive report on 2022 destructive cyber attacks. This decision reflects not only our dedication to openness and accountability, but also our resolve to share insights that can strengthen collective cybersecurity resilience. By sharing our experiences, we aim to foster trust, enhance international cooperation, and contribute to global efforts to combat cyber threats. The United Nations was built on the principles of peace, equality, cooperation, and respect for international laws. In today’s interconnected world, these values must guide our approach to cybersecurity and the broader digital domain. To uphold these principles, states must engage in multilateral diplomacy, respect sovereignty, promote human rights, and contribute to global security and development. As UN Secretary-General Antonio Guterres has rightly stated, the United Nations must remain true to its founding principles to uphold human dignity, equality, and the sovereignty of nations, while promoting peace and cooperation in an increasingly complex and interdependent world. Albania stands firmly committed to this mission, and we call upon the international community to work together to strengthen cybersecurity, reinforce accountability, and ensure a safer, more resilient digital future for all. Thank you.


Chair: Thank you very much, Albania, for your statement. The next speaker is Mauritius, to be followed by the Russian Federation.


Mauritius: Good morning, Chair and colleagues. The discussion on norms of responsible state behavior in cyberspace remains a cornerstone of the work of the Open-Ended Working Group. As cyber threats continue to grow in complexity and scale, the establishment, reinforcement, and implementation of norms have become essential to maintaining international stability and security in the digital realm. The OEWG has reaffirmed that voluntary, non-binding norms provide a practical and effective framework for guiding state conduct and mitigating cyber risks, even as discussions continue on their refinement and operationalization. While there is broad consensus on their value, practical steps to integrate them into national policies and international cooperation mechanisms tend to remain a challenge in small and developing states. These nations often lack the resources and technical expertise to implement cyber norms effectively, making them more vulnerable to cyber threats. Congress thus encourages states that require support in that area to capitalize on the self-explanatory checklist of practical actions that will guide them in their implementation process. Alternatively, there is a need for sustained investment in capacity-building initiatives, including knowledge sharing, training programs, and international partnerships that equip all states with the tools necessary to defend against cyber threats. Mauritius firmly believes that the OEWG must continue to prioritize inclusive approaches that ensure no country is left behind in the global effort to enhance cyber security. Chair, in previous discussions, some member states have called for new norms to address emerging threats. Mauritius is of the opinion that the rapid advancement of technology, including artificial intelligence and quantum computing, presents new challenges that may require a slight adaptation of the existing normative framework, taking into consideration technology neutrality. Looking ahead, the OEWG must build upon its progress by fostering continued dialogue, strengthening methods for norm implementation, and enhancing international cooperation. Mauritius comments the establishment of the Future Permanent Mechanism. on cyber security under the auspices of the United Nations. We strongly believe it is a positive step towards ensuring that discussions on cyber stability, including on rules, norms and principles of responsible state behavior, remain ongoing. By reinforcing commitments to responsible state behavior, promoting inclusivity in capacity building efforts and adapting to new challenges, we can work together to shape a cyberspace that is secure, stable and beneficial to all nations. I thank you, Chair.


Chair: Thank you, Mauritius, for your contribution. Russian Federation, to be followed by the Republic of Korea.


Russian Federation: Mr. Chair, in accordance with the mandate enshrined in UNJ resolution No. 79-237, adopted by consensus, the succeeding body of the OAWG will continue to develop the framework for responsible behavior of states in the area of international information security. Realizing this goal will require two equally important components, the implementation of voluntary rules and the development of new norms, including legally binding norms. We believe that the second part of this important formula should not be overlooked when drafting the final report of the OAWG. We believe it is impossible to ensure peaceful use of information and communication technologies by states through political commitments alone without formalizing them into legally binding norms. This conclusion is based on the Russian experience of implementing the relevant provisions in our national legislation. To illustrate this fact, we distributed, at the night session of the OAWG, a thematic review of the compliance of the laws and regulations as well as the doctrine of the Russian Federation with the voluntary rules of behavior. We call on other countries to follow our example. which may serve as a guidance for states that need capacity-building in this area. We have been sharing our experience and stand ready to further assist in providing our colleagues with information on our legislative and law enforcement practices. The key goal of the universal international legal instrument in the ICT field should be the establishment of mechanisms to prevent and to peacefully settle conflicts in the information space. This is especially in demand in the context of the Pager incident in Lebanon, which demonstrated the vulnerability of supply chains to organized malicious activities via the use of ICTs. The relevant provisions are included in the concept of a UN Convention on International Information Security, submitted as an official document of the 77th Session of the General Assembly, which remains relevant. This initiative builds upon the fundamental principles of the UN Charter, including the prohibition of infringing upon the sovereignty of states and interfering in their internal affairs. This document may serve as a starting point for the establishment of a fair international legal regime in the field of international information security. Thank you for your attention.


Chair: Thank you, Russian Federation, Republic of Korea, to be followed by Indonesia.


Republic of Korea: Thank you, Chair. The 11 voluntary non-binding norms currently reflected in the Third Annual Progress Report and specified in the 2015 UNGA Adopted GG report are widely recognized and remain highly relevant in addressing emerging threats. As the deadline to adopt the final report approaches, we believe that establishing new norms is unnecessary. This relevance is particularly evident in discussions on emerging technologies. The OEWG has acknowledged that technology itself is neutral while expressing concerns on its malicious usage. In this context, strengthening the application of existing norms would be more effective than creating technology-specific norms every time there is a breakthrough. For example, if a specific non-state actor were to use AI to attack critical infrastructure of another country, states should recall norms C, F, and H and not condone such illegal activities. As the 11 norms are structured quite comprehensively, they remain robust and well-suited to addressing emerging threats in the rapidly evolving cyber landscape. To reinforce the implementation of 11 norms, we would like to remind the Annex A of the Third API provides a living non-exhaustive checklist that offers practical guidance for states to translate commitments into action. In line with the implementation of Norm G, which calls for taking appropriate measures to protect critical infrastructure from ICT threats, we consider it crucial to emphasize the importance of cyber resilience. It could also be helpful to increase the cost of attacks for malicious cyber actors. Thank you.


Chair: Thank you, Republic of Korea, for your contribution. Indonesia to be followed by Malaysia.


Indonesia: Thank you, Mr. Chair. Indonesia reaffirms its commitment to the 11 norms of responsible state behavior in cyberspace, and we have aligned these 11 cyber norms into our National Cyber Security Strategy established through Regulation 5 of 2024. This strategy serves as our national blueprint to enhance our cyber security resilience, to ensure a safe, secure, and inclusive digital environment. With the strategy as a foundation, our National Cyber Security Agency ensures the effectiveness of Indonesia’s national cyber security incident response. through the establishment and reinforcement of the National Cyber Incident Response Team, Cyber Crisis Contingency Planning and Simulations, Information Sharing and Analysis Center, and Voluntary Vulnerability Identification Protection Program. These initiatives not only demonstrate our commitment to mitigating cyber threats, but also highlight the importance of capacity-building programs as a cornerstone of cyber security resilience. Mr. Chair, Indonesia believes that the 11 cyber norms must remain the guiding principles underpinning the future permanent mechanism. It is essential to advance the implementation at the global, regional, and national levels to effectively address emerging and future cyber threats. And to support this effort, Indonesia underscores the urgency of capacity-building programs that equip states with the necessary tools and expertise to enhance cyber security preparedness. We also emphasize the potential role of a voluntary checklist of practical actions to be embedded within the global ICT security cooperation and capacity-building portal and to assist member states in tracking and operationalizing the 11 cyber norms. By serving as a practical guide, this voluntary checklist will not only help streamline national implementation efforts, but also strengthen the portal’s role as the primary platform for confidence-building measures, dialogue, and cooperation among member states. Therefore, we look forward for the emphasis in capacity-building, as also voiced by our delegation, by distinguished delegations from Singapore and Mauritius, among others, and the importance of assistance to national implementation efforts of the norms for those to be appropriately reflected in the recommendation of the final progress report. Indonesia encourages all member states to continue engaging in an open dialogue, seeking common ground, and exploring consensus-driven solutions, not only on the potential new norms that reflect the evolving cyber landscape, including a legally binding norm. And we look forward to constructive exchanges that will advance these efforts to ensure an inclusive, effective and forward-looking process. Thank you, Mr Chair.


Chair: Thank you very much Indonesia for your contribution. Malaysia to be followed by the Democratic Republic of the Congo.


Malaysia: Mr Chair, Malaysia welcomes the Voluntary Checklist of Practical Action for the Implementation of Voluntary, Non-Binding Norms of Responsible State Behaviour in the Use of ICTs as referenced in Annex A, Third APR of the OEWG. Paragraph 3 of Annex A indicates that the implementations of voluntary non-binding norms as a whole may require states to take some common practical actions. In this connection, ASEAN has selected two specific practical actions to guide implementations of norms and promote stability in cyberspace at the regional level. First, development of the Regional Action Plan metrics on the implementations of norms of responsible state behaviour in cyberspace as recommended by the 2015 GGE report. These metrics consolidate key initiatives by cybersecurity-related ASEAN sectoral bodies and working groups, supporting the implementation of the cyber norms and enhancing the capacity of ASEAN member states to uphold them. Second, development of the ASEAN Norm Implementation Checklist to provide actionable steps for all states to consider, including small states with limited capacities. States do not need to implement every step but should consider the suggested action in line with their respective national priorities and capacity. This checklist organises the steps for each norm into five pillars, which is policy, operational, technical, legal and diplomatic, as mentioned by Singapore earlier. to clarify how various domestic agencies can contribute to norm implementation. The ASEAN Norm Implementation Checklist was endorsed at the 5th ASEAN Cyber Security Coordinating Committee and noted by the 5th ASEAN Digital Ministers’ Meeting last January. Malaysia thanks Singapore for the introduction of Cyber Norms in Action Workshop Series to raise ASEAN member states’ understanding on how to implement the norms and to identify and deepen the necessary capacities. Malaysia joined others to emphasize the importance of capacity building in the implementation of norms. As is the case with the OEWG’s Voluntary Checklist of Practical Actions, the ASEAN Norm Implementation Checklist is a living document. States may choose to undertake particular steps as appropriate to their national context. Chair, you ask whether the OEWG’s Voluntary Checklist of Practical Action needs further improvement? Malaysia believes the checklist serves as a strong foundation and a good starting point to guide the implementation of voluntary, non-binding norms, much like steps in our journey toward establishing the UN Global POC and the Global CBNs. In this regard, Malaysia supports the checklist and hopes states will be able to reach consensus in the final report. This document may guide focused discussion in future permanent mechanisms by adding actionable steps and fostering common understanding, as it is a living document. Moreover, Malaysia emphasizes that implementing existing norms and developing new ones are not mutually exclusive processes. They can proceed in tandem. We should remain open to discussion on the possibility of new norms. Thank you, Chair.


Democratic Republic of the Congo: Mr. Chair, first and foremost, allow me to echo other delegations in commending your leadership and your commitment, as well as to congratulate you and your team for your tireless and continuing efforts since the outset and up until now. You can count on the support of the DRC as we continue these discussions until the very end of the process. We here would also like to thank the Secretariat for its support and its unwavering efforts to provide us with the various tools it has put at our disposition. The DRC aligns itself with the statement made by Nigeria on behalf of the African group and makes the following statements in its national capacity. Mr. Chair, for five years, 2021-2025, the OEWG on ICTs has made significant strides and we can list, for example, the adoption by consensus of three annual progress reports, the establishment of the global points of contact directory, as well as the holding of its first meeting. And this proves that delegations place great importance on this process. In light of these positive points, my delegation hopes that this will toward consensus will continue to drive us and allow us to adopt by consensus the outcome report of our OEWG in July this year. Mr. Chair, my delegation takes note of the Chair’s discussion paper as well as its recommendations regarding the participation of stakeholders and the proposed thematic groups. We believe that this is an excellent foundation for in-depth exchanges in order to reconcile differing points of view and allow for a smooth transition from the current working group to the future permanent mechanism. after July 2025. As this 10th session takes place, challenges to international peace and security stemming from the use of ICTs continue to grow. Incidents of malicious use of ICTs by state and non-state actors are being documented increasingly frequently. There also is concern about the rapid development of AI. These varying forms of threats in cyberspace are not only harmful, but also hinder the capacity of countries, especially developing countries, to pursue development. And that is why my delegation believes that these growing and evolving threats must continue to be the focus of discussions in one of the future current mechanisms and thematic groups. Mr. Chair, as we’re speaking about responsible behavior of states, there unfortunately are some states that are notorious in this area for attacking critical infrastructure in other countries. And that is the case in the DRC, which is suffering attacks from the terrorist M23 movement, supported by the Rwandan defense forces in the east of my country, where information systems have been attacked. There have been serious incidents of jamming and GPS spoofing that have been documented. These have caused disruptions in the functioning of our services, entailing risks of aircraft accidents and crashes. This not only undermines protection of civilians, but it also jeopardizes the safety and security of the UN mission in the DRC. To this day, the Goma Airport remains closed. It cannot be used to evacuate the wounded or support humanitarian efforts. Mr. Chair, my delegation welcomes the documents proposed by the Secretariat. on the Global ICT Security Cooperation and Capacity Building Portal. We believe that this portal will effectively address our collective need for a global platform used for sharing information on existing and emerging cyber threats. We hope that this portal will be based on mutual trust and commitment and that it will serve as a communication channel, a safe channel for providing reliable, timely, and accurate information on ICT threats through an information repository. This portal can also help to bolster confidence and transparency between Member States through sharing data on incidents, mitigation strategies, and effective interventions, as well as facilitating discussions on threats facing specific critical infrastructure, especially in the healthcare, energy, and finance sectors. It will also, we hope, strengthen collective efforts to anticipate and coordinate responses to these threats. In closing, Mr. Chair, my delegation would like to reaffirm its support and encourage all delegations to continue to strive to reach the necessary consensus for the establishment of the future permanent mechanism so these discussions can continue in an open, inclusive, and sustainable way. Together, let us work to build an open, free, and safe cyberspace for all. Thank you.


Chair: Thank you very much, DRC, for your statement. Cuba to be followed by Mozambique.


Cuba: Mr. Chairman, we reaffirm the importance of this working group in promoting a normative framework to guarantee security and the peaceful use of ICTs. As is well known, we believe that non-binding norms, while they may be useful in some contexts, are not sufficient to address the growing challenges and threats in cyberspace. Their voluntary nature limits their usefulness because they do not ensure a truly coordinated and effective response to cyber-threats impacting states, and at the same time, their non-binding nature means that there are no consequences for non-compliance, and no mechanisms for implementation and oversight, making it possible impartially and objectively to determine the origin of the incidents, and this leaves the door open for politicization. All of that, together with a lack of clear definitions or common terminology, will simply extend the status quo, and namely, follow the wishes of the great powers. We recall that rules, norms, and principles previously drafted by the GGE, that during those discussions, not all member states participated, and that these norms, rules, and principles are not universally accepted, and therefore, while establishing a checklist, a voluntary checklist for practical actions could be useful domestically for some states who decide to use this approach, it cannot be seen as the sole global standard for implementing specific norms, much less should it be used to classify or assess the performance of states and whether or not they comply with these voluntary norms of so-called good behavior, because this concept could be manipulated for political interests and in political contexts. Every country has its specificities, and in general, developing countries do not have the same technical and technological conditions as developed countries. Globally, we believe we should not be duplicating efforts to measure this commitment and the preparation of countries in cybersecurity, and we should not just be using the ITU cybersecurity index, regardless of whether or not these methods could be improved upon. We believe that the final report of this group should include clear recommendations for the drafting of rules, norms, and principles that are legally binding. These norms need to refer to preventing militarization of cyberspace, promoting international cooperation, reducing technological gaps, and the peaceful settlement of disputes in the cyber landscape. We believe the final report must include a roadmap for moving forward on negotiating a legally binding instrument and set up obligations on states. It should also have a standing follow-up mechanism. Russia’s initiative, which proposes the drafting of a future international convention on security and the use of ICTs, could be a useful tool to guide the international community’s efforts in this direction so that we can set a more robust and effective global normative framework. These global norms must be inclusive, transparent, and universal, and they must reflect the needs and the concerns of all states, regardless of their level of technological development. Only in this way can we ensure that we have a safe cyberspace for everyone. Thank you.


Chair: Thank you very much, Cuba, for your contribution. Mozambique, to be followed by the United Kingdom.


Mozambique: Thank you, Mr. Chair, for giving us the floor. In general, Mozambique delegation aligns itself with the general statement made by representative of African group. and with the view expressed by many other member states before us, and would like to highlight the following points. Mozambique strongly supports the consistent application of UNDG norms, ensuring that states refrain from cyber activities that will harm critical infrastructure, and reaffirming that international laws apply to cyberspace. As mentioned by Singapore, Albania, Malaysia, and others, cyber threats are evolving and norms and rules must adapt accordingly. But most importantly, implementation is key. We believe that stronger cooperation, capacity building, and joint response mechanisms are crucial in tackling cross-border cyber threats effectively. At the same time, states must respect each other’s sovereignty when addressing these threats. That means working in close cooperation and coordination with relevant authorities of affected states to ensure that responses are effective and respectful of national jurisdiction. We also cannot overlook the importance of accountability and transparency. Regular reporting and peer review mechanisms will not only strengthen trust but also enhance resilience in cyberspace. Mr. Chair, Mozambique remains fully committed to working towards a secure, resilient, and inclusive digital future for all. I thank you.


Chair: Thank you very much, Mozambique. United Kingdom, to be followed by the Kingdom of the Netherlands.


United Kingdom: Thank you, Chair. I would like to begin by reiterating the United Kingdom’s commitment to working with you towards a positive conclusion of this OEWG. This year marks a decade since the UN General Assembly adopted the 2015 report of the GGE, containing the 11 voluntary and non-binding norms of responsible state behaviour. This was a remarkable and important achievement. Reading the list of norms today, it is clear that they continue to provide an impressive articulation of the collective expectations of states in relation to a range of international cyber behaviours. When combined with international law and the other pillars of the consensus framework, the norms provide the basis for stability in cyberspace. Norms implementation guidance, such as that contained in Annex A of the Third Annual Progress Report of this OEWG, has an important role to play. My delegation takes the opportunity to congratulate ASEAN nations on the endorsed ASEAN norms checklist. Monitoring implementation of the norms, including via voluntary updates by states, will be an important way of assessing progress under the future mechanism and can help states to further their understanding of best practice. In this context, we would like to draw attention once again to the proposals made by my delegation and supported by a number of states in December for an additional voluntary practical action under Norm I to safeguard against the potential for the illegitimate and malicious use of commercially available ICT intrusion capabilities. We would also like to highlight the proposals for Annex A, made in a non-paper by Australia, Chile, Colombia, Fiji and the United Kingdom. in relation to gender equality and the future permanent mechanism. The UK recognises the important contributions of women and the value of encouraging diversity to national and international cyber security, including here at this OEWG. We should seek to maintain this momentum under the future permanent mechanism. Chair, my delegation will use the remainder of this statement to consider the treatment of norms in a flexible programme of action with reference to some of your guiding questions. We judge that all 11 norms can be captured within the themes of cooperation, resilience and stability. For example, norms A, D and H are relevant to cooperation, norms G and J are relevant to resilience and norms B, C, E, F, I and K are relevant to stability. How could the treatment of norms work in practice under these three themes? We would like to offer the following potential example. Several of the norms in CBMs address the value of information sharing, including information sharing on threats and vulnerabilities and information sharing in relation to incidents. The topic of information sharing could be subject to deeper discussions within a dedicated thematic group on cooperation. This might begin with expert briefings on available cyber information sharing platforms and an exploration of the gaps in international information sharing on threats and vulnerabilities. Subsequently, the Secretariat could present to States on the latest progress in the implementation of the POC Directory. These opening briefings would set the scene for a State-led discussion. Guiding questions for States could invite reflections on good practice as well as gaps and areas for improvement. In doing so, States may frame their remarks in the context of voluntary norms or CBM implementation. Any emerging next steps among States could then be discussed further in the dedicated plenary session. or even taken forward in the agenda of the Global Roundtable on Capacity Building. In this way, capacity building organisations would be able to better understand and respond to the demands of States, and Member States’ access to information-sharing capabilities would be enhanced. All of this activity would also contribute to the implementation of specific norms. Chair, in conclusion, this is just one possible example of how we could use cross-cutting discussions to apply the consensus UN framework in a practical way. There are, of course, other topics that could be considered under the themes of cooperation, resilience and stability, while still respecting the consensus framework. Thank you.


Chair: Thank you very much, UK, for the statement. Kingdom of the Netherlands, to be followed by Italy.


Kingdom of the Netherlands: Thank you, Chair. The Kingdom of the Netherlands aligns itself with the statement delivered by the European Union, and I would like to add the following in our national capacity. The 11 voluntary, non-binding norms of responsible State behaviour in the use of ICTs play an important role in reducing risk to international peace and security. These norms reflect the expectations and standards of the international community and allow the international community to assess the activities of States. International law complemented by these norms provide a comprehensive framework capable of guiding States’ behaviour responsibly, if implemented and adhered to. This is why it is our view that our focus at this point should be on the implementation of existing norms, before we look towards the development of new norms. Chair, to further support the implementation of the norms, the Netherlands believes the voluntary checklist in Annex A of the 3rd Annual Progress Report represents a positive step forward. It makes valuable use of the norms guidance from the 2021 GGE report. and can serve as an effective capacity building tool for states. We agree with others that the checklist could be updated periodically as a living document, including in the future mechanism. At the same time, the Netherlands would encourage the adoption of the initial checklist in the final report of July 2025. This will provide a firm consensus baseline for states to be able to support and continue surveying their national implementation efforts and take concrete action to further implement the norms going into the future mechanism. Chair, my delegation further supports the proposal put forward in the paper of Australia, Chile, Colombia, Fiji and the United Kingdom to mainstream gender equality within the norms implementation checklist. The Netherlands is one of the co-sponsors of the paper, as we believe this is a crucial step towards ensuring an inclusive and effective approach to norms implementation. As the checklist serves as a capacity building tool, the paper also represents an effort to implement gender-responsive capacity building commitments, as we agreed in the second APR. Finally, Chair, the 11 voluntary non-binding norms continue to be a key component of our cumulative and evolving framework for responsible state behavior in the use of ICTs, and we reiterate our commitment to the current normative framework. I thank you, Chair.


Chair: Thank you very much, Netherlands, for your contribution. Italy, to be followed by Canada.


Italy: Thank you, Mr. Chair, for giving me the floor. Italy fully aligns with the statement delivered by the European Union. We support the concrete implementation of the UN framework on responsible state behavior in cyberspace. In our national capacity, we would like to focus on the protection of critical infrastructures and supply chain integrity. by also sharing some practical examples in the implementation of such norms. Cyber attacks on critical infrastructures are increasing, often involving state and non-state actors, posing a serious threat to international security. According to the data gathered by the Italian National Security Authority, the most hit sectors are public transport, central public administration, and financial services. Particular attention should also be paid to the healthcare sector, which, although not the most affected in terms of cyber events, stands out for the severity of the impacts, with significant effects on operations and confidentiality, as well as on the sensitivity of exfiltrated data. To address this, we believe in strengthening our accountability mechanism to foster mutual responsibility among states. National measures, such as dedicated cyber security agencies and CSIRTs, are also essential for detecting, defending against, and responding to cyber threats. The private sector, which manages much of the critical infrastructures, plays a crucial role in enhancing cyber security. Public-private partnership and increased stakeholder awareness are key to building stronger cyber resilience. In 2019, Italy established a national cyber security perimeter, ensuring the security of essential networks and services, entities within this perimeter must adopt strict security measures and assess supply chain dependencies. These efforts align with the EU regulatory framework, including the NIS2 Directive, which imposes strict incident reporting and risk management requirements, overseen by the National Cyber Security Agency. The NIS2 Directive also established the so-called EU Cyclone Network, a cooperative framework comprising the national authorities of EU member states responsible for managing large-scale cyber crises. This network serves as a key example of interstate cooperation in responding to cyber security incidents and strengthening critical infrastructure. Mr. Chair, supply chain security is a very important principle and one of the objectives Member States committed to achieve with the Global Digital Compact. However, ensuring safety and integrity of all products can be a very complex task to achieve. We encourage the adoption of specific frameworks for the assessment of supply chain security of ICT products, based on guidelines and best practices and adherence to international standards, such as ISO. Software bills of material, formal records containing the details and supply chain relationships of various components used in building softwares, are also key, as they provide visibility into software dependencies and strengthen supply chain security. We consider that the establishment of national security evaluation and certification centres and adoption of cybersecurity certification schemes could also represent useful measures to implement. Finally, Italy stresses the importance of fully implementing existing norms before introducing new ones. Further regulatory developments should build on concrete progress in applying the current framework. Thank you, Chair.


Chair: Thank you very much, Italy, for your contribution. Canada, to be followed by China.


Canada: Thank you, Chair. As the UK noted, we mark the 10th anniversary of the UN norms, first established within the GGE, but subsequently adopted by all UN member states. These norms, combined with the remaining framework, including the applicability of international law, have served us well and have proven adaptable to a changing cyber environment. Yet we recognize that work still remains on the implementation of the norms, and our short-term efforts are best invested on that front. In a future mechanism, dedicated cross-cutting thematic groups should enable us to address practical policy challenges. This may identify gaps in norms implementation, and we must then seek solutions to the gaps. These solutions may include additional guidance on norms implementation. but potentially new norms and certainly capacity-building activities. As a leader on norms implementation, ASEAN’s regional experience can be an excellent example for us in this regard at the UN level. When it comes to our work for these last miles of the OEWG, we want to focus our attention today on our immediate priority, crossing the finish line as a group. We need to take time to discuss how the future thematic groups will help us dive deeper on addressing policy challenges including norms. It is well established that non-binding norms are distinct and independent from binding international law. This is why they are dealt with separately in the OEWG and why the plenaries of a future mechanism should include time to discuss norms and time to discuss international law. Within dedicated thematic groups, there is space to discuss all of the elements of the OEWG together. We have a solid long-standing ECI, including guidance on how to implement existing norms. Now we must make use of that ECI. Your voluntary checklist contributes to this work and should be reflected and further elaborated in the final report. Turning to how we could address norms in a future mechanism, the thematic group on resilience and critical infrastructure could clearly have a role at looking at Norm G on appropriate measures to protect critical infrastructure. Your checklist identifies practical actions to implement this norm and these track our previous agreements in the General Assembly Resolution 58-199 and in the 2021 GGE report adopted by consensus. However, none of these actions have been discussed in any depth in plenary over the last years. Mentioning the text of a given norm or action only moves us forward so much. If we want to walk faster in order to eventually run, we need a theme and we need time to practice. We also need to understand What specific capacity-building activities are needed to implement the norm and such discussions will be possible in the thematic group format? For example, in Canada, a large segment of the ICT systems that form part of our public service delivery is owned and operated by non-governmental stakeholders. We could share best practices in working with these stakeholders. We could detail how we set up a plan to respond quickly and in a coordinated way across the various governmental and non-governmental actors. A thematic group would allow us to elaborate on the design and functioning of this plan, beyond the short mention of its existence today. Of course, such discussions would not be fit for purpose if stakeholders were excluded. Not involving our stakeholders would be the equivalent of trying to use only our brain and not our legs when going for a run. As such, we need certainty and clarity on how stakeholders will contribute to thematic groups. To make a similar point very quickly on how the participation of stakeholders is not only extremely useful, but also necessary for our second thematic group on cooperation in the event of cyber incidents. A key element of cooperation is the responsible reporting of vulnerabilities to each other, alongside related remedies. Yet the participation of the top world expert organization on this issue, FIRST, has been vetoed by two states. The future mechanism, including thematic groups, must enable the participation of stakeholders such as FIRST. In a future mechanism, if certain states want to prevent all other states from hearing from experts, and benefit from their associated capacity building, they should have to explain why. Other states should have the opportunity to explain why they wish to include them. And the group must, if we need to, take a decision on the basis of these arguments. Thank you, Mr. Chair.


Chair: Thank you, Canada, for your statement. China, to be followed by Portugal.


China: Thank you, Chair. With regard to the norms, it is an important pillar of the framework. China believes that under this agenda item, the following elements should be reflected in the final report. First, we must reaffirm full compliance with and implementation of the framework of responsible state behavior in cyberspace. The previous APRs all mentioned that. We hope that in the final report it will be reaffirmed. Second, data security is an important element of the OEWG’s mandated discussions and a prominent issue in the current cyber and digital space. The final report should make it clear that the working group and the future mechanism will have in-depth discussions on the development of universal non-discriminatory international norms on data security, and that issues such as data storage, cross-border data flow, and data security related to AI can be topics of subsequent discussions. Thirdly, specific measures should be taken to promote the development and implementation of globally interoperable common norms and standards for supply chain security, which is of common concern, so as to ensure an open, safe, and stable global supply chain for IT products and services. Fourthly, we must further prioritize the protection of critical infrastructure. It must be emphasized that states should not use ICTs to undermine the critical infrastructure of other states, destroy or steal important data on the critical infrastructure of other states, or spread disinformation about certain states. There is a need to make further targeted recommendations on how to enhance the protection of critical infrastructure. Fifthly, cybersecurity traceability is an important element of the norms. Considering the continued prominence of online disinformation, we encourage member states to actively consider the establishment of an authoritative and impartial mechanism of multilateral cooperation for traceability under the UN framework. Sixthly, we commend the efforts to develop the List of Actions for Responsible State Behaviors. The final report should make it clear that the implementation of the list is voluntary and based on existing consensus and that it does not include non-consensual elements or elements outside the UN information security process. Lastly, some delegates mentioned that the existing norms are complete and there’s no need to develop additional norms. Obviously, the existing norms do not include data security and many of the recommendations that Chinese delegation mentioned. It should be pointed out that the 2015 GTE report is the foundation for the current framework, which is based on broad consensus. And the 2015 report specifically specifies that, I quote, “…attributes of ICTs, additional norms could be delivered over time.” China believes that disapproving of the consensus made in the 2015 report is about disapproving the GTE report itself. Additionally, if there’s no need, why would member states agree that the existing OEWG mandate includes development of new norms? Given that, we hope that all parties can fully and completely implement the norms so as to contribute to the improvement of the norms. Thank you.


Chair: Thank you very much, China, for your contribution. Portugal to be followed by Thailand.


Portugal: Mr. Chairman, Portugal aligns fully with your statement, but would like to emphasize a few points on due diligence, which we believe could easily become ready for universal implementation. As we repeatedly underlined, among the 11 non-binding norms of responsible state behavior in cyberspace endorsed by the UN General Assembly since 2015, due diligence is, in our view, one of the most deserving of a further layer of common understanding. The growing use of proxies by hackers, including of official proxies, is very worrying and can precipitate the use of unjustified countermeasures, which will be especially dangerous in the context of an armed conflict. Thus, before resorting to cyberweapons to retaliate against malicious operations launched from the territory of another state, namely when apparently originated in a device belonging to a government agency, this state should be immediately called upon by the victim, through the POC directory which you have successfully facilitated, to confirm if digital devices on its territory have indeed been manipulated. A state should take all measures within the limits of its technological capability in order to avoid the use of devices on its territory and, in case it took them but devices were still used, it can be called to conduct an investigation. and to share its results with the third state, as opposed to merely replying that it was unaware of the attack and of its authors. The cyber diligence duty also encompasses the obligation to take into account the known risks that those operations may take place in the future, and thus, it is violated when a state, knowing that devices on its territory can be used against the critical infrastructure or the rights and freedoms of the citizens of another state, does not act within the limits of its technological capabilities to avoid it. In sum, Mr. Chairman, the cyber diligence obligation requires that states be vigilant and guarantee the security of the ICT networks existing on their territories, whose devices can be intruded and abused to launch attacks against other states. In this regard, the norms checklist which you have timely put forward will be an indispensable tool to be used in the framework of the future permanent mechanism for regular institutional dialogue to monitor the implementation of the duty of cyber diligence. The cross-cutting Working Group on Cooperation and Stability proposed by France as one of the three main expert legs of the Programme of Action on Responsible State Behaviour in Cyberspace will as well be the right place to have a meaningful pragmatic discussion on a further layer of understanding on due diligence and the practical ways and means necessary for its wide implementation. Though the technical obstacles are many and hard to overcome, we should not desist from agreeing on a set of standards that increase the attractiveness of due diligence as a means to afford a pause before precipitating a crisis generated by an unlawful act against a critical infrastructure. Thank you, Mr. Chairman.


Chair: Thank you very much, Portugal, for your statement. Thailand to be followed by South Africa.


Thailand: Mr. Chair, since this is the first time Thailand is taking the floor, we’d like to extend our appreciation to you and your team for the dedication and hard work which has resulted in the success of this framework. Thailand believes that in spirit of consensus and under your guidance, we will achieve the results throughout the course of this week, which will lay a strong foundation for our future work. Mr. Chair, Thailand would like to highlight a few points in the discussion on the topics of rules, norms and principles of responsible state behavior as follows. Firstly, Thailand reaffirms the importance of the 11 voluntary, non-binding norms of responsible state behavior. Together with international law, these norms significantly contribute to the maintenance of international peace and security. Secondly, Thailand believes that these norms serve as confidence-building measures among states. Therefore, we encourage regional organizations and frameworks to adopt and implement these norms where appropriate as part of the global confidence-building efforts. ASEAN, as the first regional organization to have subscribing principle to these norms, has recently adopted the ASEAN norms implementation checklist, which identifies practical steps in five pillars, policy, operation, technical, legal and diplomacy, to assist ASEAN member states in their implementation of such norms. Thirdly, it is essential to promote the adoption and implementation of such norms at the national level. Thailand is currently working on developing our 2028 to 2032 national policy and action plan on cyber security. This plan, to be guided by the ASEAN Norms Implementation Checklist and the OEWG Voluntary Checklist of Practical Actions, will explore how to effectively implement the norms at the national level. This includes awareness-raising of such norms among the public sector as well as the relevant stakeholders. Lastly, norms implementation efforts will not be possible without capacity-building efforts and support of the new Permanent Mechanism. Last month, Thailand and the UNIDIR co-hosted a regional workshop on international laws, norms and cyberspace for Southeast Asian states. We believe that our new Permanent Mechanism must not only serve as a platform for states to discuss these norms, but also as an action-oriented mechanism to assist states to translate these norms into practice. We support the proposal of certain Member States that the future mechanism should assist states on a voluntary and needs-based basis in identifying capacity-building needs in the application of norms. We will continue to discuss these issues under a relevant agenda. Thank you, Mr. Chair.


Chair: Thank you very much, Thailand, for your contribution. South Africa to be followed by Australia.


South Africa: Thank you, Chairperson. South Africa believes that implementation of existing norms contributes to a better understanding of the gaps in existing norms, if any, thus informing the need for new or additional norms to be developed. As such, we believe that implementation of the existing norms should continue in the Permanent Mechanism while the possibility of developing additional norms is left open. Acting from that perspective will inform Member States of any gaps and assistance needed to build the requisite capacity. It will also allow the international community to organically identify new areas where norms could be developed in the future. The third APR has reiterated increasing concern that threats in the use of ICTs in the context of international security have intensified and evolved significantly in a geopolitical environment that remains challenging. It has become very clear from the threats section of the first, second, and third annual progress reports that while incidents involving the malicious use of ICTs manifest themselves differently across regions, their effects can also be global. Despite the many benefits emerging technologies such as AI bring, the associated risks exacerbate existing vulnerabilities. Thus, our delegation believes that in these cases, the discussion on the development of additional norms to complement existing norms on threats to ICT security should be left open for member states to attend to when it becomes necessary. South Africa believes that the cumulative and evolving framework on ICT security, which includes the 11 agreed norms and 8 confidence-building measures adopted by the OEWG, should allow for voluntary implementation by member states to avoid overburdening developing countries. We also welcome discussion on the voluntary checklist for implementation of norms, and we believe that agreement on the checklist in its current form should be on the understanding that member states will continue to use it as a guiding tool and report on its implementation on a voluntary basis. Before we conclude, Chairperson, South Africa believes that not only is gender equality crucial to international peace and security, it is crucial to all multilateral matters. South Africa can therefore support the proposals by the working paper drafted by Australia, Chile, Colombia, Fiji, and the United Kingdom to include gender mainstreaming. in the voluntary checklist of norms implementation. I thank you.


Chair: Thank you very much, South Africa. Australia to be followed by Vietnam.


Australia: Thank you, Chair. I was reminded by the United Kingdom yesterday and by several others this morning that 2025 marks the 10 year anniversary of our norms and the adoption of our norms. And I think it behooves us not only to reflect upon the progress that we’ve made since then, but also on the process by which those norms were agreed. When we really look at the text of the context of our norms, we can see that they’re not revolutionary in content. They’re things that most countries were already doing to some extent in 2015. And this is because the norms were developed from the bottom up. The GGE looked at what states were already doing to promote peace and stability in cyberspace. And they spent two years collecting that best practice into the norms that we have before us. During that negotiation, some GGE member states had national priorities that they were keen to include in the norms. But the process through which the norms were negotiated meant that those national priorities needed to be first identified in evidence of existing conduct and practice across a large number of states. It was bottom up, not top down. And then in 2019, when 193 member states came together in our first OEWG, for the first time we looked as a group at the collected work of the GGEs. And as a group, we carefully assessed the norms that were developed in 2015 by the GGE and their relevance and their value. And we decided by consensus in 2021 that the 2015 agreed norms would form a fundamental pillar of our framework. When this group discusses what next. when it comes to norms, we can’t ignore that some countries think new norms are appropriate, though I can’t help but note that a small number of those countries calling for new norms and obligations are the same countries that oppose frameworks of accountability for our existing expectations and obligations. But whether new norms are needed or not, and as you know Australia has not yet been convinced that new norms are necessary, how we evolve our framework should reflect the careful and evidence-based process that has brought our framework about. Australia would consider a rushed exercise to insert new norms that are potentially untested into our framework in the next four months and I think 21 days. It doesn’t provide the respect that we owe to our work in our framework. But what we can do in the next four months, in Australia’s opinion is threefold. First we can work to improve and adopt our proposed checklist for implementation. Australia welcomes new proposals to help us all in our guidance on implementation of the norms. A proposal that Australia is strongly supportive of is to add additional guidance on how gender mainstreaming can be incorporated into norms implementation. And we do encourage countries to consider the proposals for gender mainstreaming in the working paper that was drafted by Australia, Chile, Colombia, Fiji and the United Kingdom and co-sponsored at this point in time by Belgium, Canada, Cyprus, Czech Republic, Finland, Germany, Ireland, Japan, Kiribati, Latvia, Lithuania, Malta, Mexico, Moldova, Netherlands, Norway, Papua New Guinea, Spain and Uruguay. We want to work with all states on all the proposals that we have for this checklist and also any potential issues that states have applied because we think it’s really important that we’ve put a lot of work into this checklist and that we adopt it in July. Secondly we need to ensure that the design of our future mechanism effectively and practically takes our norms forward in an evolutionary capacity. reaffirming what we’ve already agreed in our framework, and providing a forum that translates these norms into practice. And Australia has been very attracted by the proposals put forward on how to meaningfully do this this morning by the United Kingdom, Malaysia, Albania, Thailand, Canada, and several others. Thirdly and finally, in the four months we have left, we can continue our own homework on increasing awareness and understanding of the norms in our own systems. While I have absolutely no doubt that every single person in this room could recite all 11 norms verbatim if we are tested, I have a confession to make. My cybersecurity agencies, my cyber capacity building officers, and even my cyber ambassador would probably all fail that test. More capacity building across regions, between countries, within countries, between our internal agencies is needed. Because while many of our cybersecurity agencies and other government agencies are already implementing our norms, some of them don’t know it. We have a lot of homework already, both in this room and at home, to accomplish in the next four months. So we’d like to concentrate on that. Thank you.


Chair: Thank you very much, Australia, for contribution. Vietnam, to be followed by Vanuatu.


Viet Nam: Mr. Chair, Vietnam reaffirms the important role of voluntary non-binding norms of responsible state behavior in mitigating the threats to international peace and security, promoting the stability, and fostering trust amongst states. They serve as essential guidelines reflecting the expected standards of conduct by international community in the use of ICTs and endorsed by ASEAN leaders in its 2018 statement. Accordingly, the checklist for the implementation of voluntary non-binding norms should be considered a living document. the critical role of capacity building, technical assistance, and international cooperation, including the technology transfer and technical support in ensuring the effective implementation of norms, particularly for developing countries. Mr. Chair, with a view to promote the multilateral platform for continued discussion, Vietnam supports the establishment of a dedicated thematic group within the Future Permanent Mechanism to focus on both rules, norms, and principles of responsible state behavior, as well as international law. The Future Mechanism should work with the UN members to establish a clear framework of enforcement norms for action in cyberspace, moving beyond the voluntary norms of the United Nations group of governmental experts. Along this line, these delegations strongly support the inclusion of international law into the session on norms, rules, and principles. Mr. Chair, in terms of substantive norms and principles, given the rapid development and expansion in the digital landscape at both international and national contexts, Vietnam is aligned with the establishment of new norms that keep peace with. that keep pace with the emergence of disabling technologies and address the widening digital divide reality. This demonstrates the commitment of international community as a whole to strengthen the legal and normative frameworks that govern cyberspace. In this context, we emphasize the principle of common but differentiated responsibility for cybersecurity cooperation as a new manifestation of good faith and solidarity principles. It is essential to ensure that the new norms are inclusive and adaptable to the diverse technological and economic conditions of different countries. I thank you for your kind attention.


Chair: Thank you very much, Vietnam. I give the floor now to Vanuatu to be followed by Switzerland.


Vanuatu: Mr. Jet, Vanuatu strongly supports the continued development and implementation of voluntary non-binding norms for responsible state behavior in cyberspace. These norms play a vital role in reducing risks, preventing conflicts, and ensuring that cyberspace remains stable and secure for all. However, for norms to be effective, they must be actionable and inclusive, providing clear guidance to all states, regardless of size or technical capacity can implement. As a small island developing state, Vanuatu emphasizes that norms must also account for the unique vulnerabilities of developing countries, particularly in ensuring the security and resilience of critical infrastructure and essential services. In line with Vanuatu’s National Cybersecurity Strategy 2030, we are working to enhance national cybersecurity frameworks. strengthen public-private cooperation, and improve incident response mechanisms, efforts that align directly with existing UN norms on protecting critical infrastructure, ensuring supply chain security, and fostering international cooperation. To move forward, Vanuatu calls for a greater focus on the implementation of agreed norms, particularly through capacity-building support for developing states. Norms must not remain aspirational statements. They must be translated into practical measures that enhance national and regional cyber resilience. As discussions on a future mechanism continue, we emphasize that norms development should remain an inclusive and transparent process, ensuring that all states, not just those with advanced cyber capabilities, have a voice in shaping the future of responsible state behavior in cyberspace. Thank you, Mr. Chair.


Chair: Thank you, Vanuatu, for your statement. Switzerland, to be followed by Saudi Arabia.


Switzerland: Thank you, Mr. Chair. Switzerland is of the opinion that before developing new voluntary norms, we should focus on the implementation of the existing ones. The argument that the norms are only voluntary, which is why we need new binding obligations or norms needed, is not convincing in our view. Firstly, we already have binding norms, as also the U.S. delegation mentioned earlier. States agreed that existing international law is applicable to cyberspace. Secondly, the voluntary norms were confirmed and adopted by all states by consensus, including by adopting General Assembly Resolution 76-19. States stressed that such norms reflect expectations and standards of the international community regarding the behavior of states in the reuse of ICTs. This does not exclude that we could develop new norms over time and were useful or needed. However, in our view, many of the proposed new norms can be subsumed under the existing ones. From our point of view, this does not contradict the discussions about the rapidly changing threat landscape we had yesterday. The 11 voluntary norms are formulated in general terms and offer flexibility so that they can also be applied to new developments. Yesterday, many states referred to the increasing intensity of ransomware attacks and state-sponsored cyberattacks against critical infrastructures. We therefore see merit in focusing on norms 13c, f, g, and h, calling for the protection of all critical infrastructures supporting essential services to the public, in particular medical and healthcare facilities, as well as cooperation between states for this purpose. The Portuguese delegation has very well explained the importance of the principle of due diligence in this regard. With regard to ransomware attacks, it is important that states do not serve as safe havens for criminal groups and take measures against them. Chair, like other delegations, we see the proposal for a checklist as an important step that we took in the last APR. It is a useful instrument for states in their efforts to implement the voluntary norms and can serve as a capacity-building tool. Switzerland believes that cooperation with non-governmental stakeholders is essential for the implementation of the voluntary norms. For that reason, Switzerland has established the Geneva Dialogue on Responsible Behaviour in Cyberspace. The Dialogue analyses and maps the roles and responsibilities of various actors in ensuring the security and stability of cyberspace. The Geneva Manual is a product of this Dialogue. The inaugural edition of the Manual focuses on two norms related to supply chain security and reporting of ICT vulnerabilities. In the coming years, the Dialogue will continue discussing the implementation of other norms to expand the Manual. Based on this experience, we are firmly convinced that broad and meaningful participation of stakeholders in the future permit mechanism is not only necessary, but also to the advantage of all States. Like Canada, we believe that we need modalities that allow us to do just that without a single country being able to be to it. Thank you, Chair.


Chair: Thank you, Switzerland, for your statement. Saudi Arabia to be followed by Egypt.


Saudi Arabia: Thank you, Mr. Chairperson. The Kingdom of Saudi Arabia reaffirms and supports the statement of the Arab group. Allow me to add the following in our national capacity. Mr. Chairperson, at the outset, we thank you for your efforts in managing the work of the working group, and we reaffirm the need to build on what was achieved in the work of this working group in the permanent mechanism that will be established. Furthermore, the Kingdom of Saudi Arabia believes in the importance of international cooperation when it comes to cyber security. We need to continue in our discussions in this regard. We also need concerted efforts. Therefore, we established a center for cyber security in 2023. This institute is to support cyber security at the national level and to support international cooperation, economic and social development in this regard, and to keep up with international efforts when it comes to cyber security. cybersecurity. This institute will also work with the Saudi mission here in New York in order to organize an event on the sidelines of this session. Today at 1 p.m., 1.05 p.m., this event will include a dialogue with His Excellency Mr. Inglis, the head, the former head of the cybersecurity office here in the U.S. entitled Joint Effort in Cybersecurity Changing Challenges into Opportunities. In this regard, I would like to invite everyone to attend this event and to have lunch with us on the fourth floor of this building. Thank you, Mr. Chairperson.


Chair: Thank you very much, Saudi Arabia, for your statement as well as for your invitation to your side event. Egypt to be followed by France, please.


Egypt: Thank you, Mr. Chair, and I took the floor to share an update with you on the floor. Egypt and Germany were engaged over the past two weeks in a capacity-building program for the African diplomats at the level of New York. I personally found this capacity-building program very useful, the last session of which was held yesterday. It was a simulation exercise for a real-life incident of a threat against a critical infrastructure. The discussions that took place in this simulation exercise resemble the discussions that will take place in the thematic group to be formed over threats and how to deal with them. And I would like to share those four takeaways from this simulation exercise. First, the theoretical discussions that take place here. I guess will be so different from the practical discussions that will take place in the thematic working groups to be established. Second, analyzing the real incidents yesterday made it clear that the norms we have are very useful because they actually reflect principles that nobody could oppose, like due diligence, cooperation, sharing information, and as well accountability. That said, having cross-cutting discussions and scenario-based deliberations proved to be very useful and necessary, but they are not sufficient. Mr. Chair, the discussions that we had yesterday generated so many questions that I believe will be difficult to be addressed in one thematic group. I will be sharing Egypt’s position on the thematic groups in the relevant agenda item. However, I would like to conclude my remarks by this. Egypt believes that it’s important to have an open mind and adopt a flexible approach until we engage in the real discussions in our future permanent mechanism. And I believe when we have those real discussions, we’ll find out that we need more norms and different types of norms, some binding and some voluntary. I believe as well we will need more application mechanisms to the current existing norms. And maybe instruments. So at the end, I guess it might be appropriate not to preempt the discussions. And more importantly, not to make them more skewed to certain threats. Because it might give the impression that, yes, all threats are equal, but maybe some threats are more equal than others. This is counterproductive. So again, let’s have an open mind and be flexible, because things might change when we have real discussions on certain incidents in our real life. Thank you so much, Chair.


Chair: Thank you very much, Egypt, for your statement. And thank you also for updating. the working group here about your partnership with Germany in terms of the capacity building exercise that was convened for African Union diplomats and I think as I said at the beginning of this morning this working group has led to so many productive partnerships across regions across continents that in itself is a very important outcome of this process beyond the outcomes we might have on a piece of paper so very happy to to hear that and there is no doubt many other partnerships that are occurring not just here at the UN but also bilaterally regionally all this is something that we we must continue to encourage and I of course echo what you said Egypt about keeping an open mind and being flexible that is very important for the work of the UN not just for this working group but across the board because ultimately the world as we know it is shifting under our feet it is not an exaggeration to say that and therefore it’s important that we have an open mind be flexible and respond to the needs and respond to the situation as it evolves which is why we have a cumulative and evolving framework even as we accumulate or accumulate we need to evolve as a community and as a working group in terms of what we need to do so thank you very much once again Egypt for sharing with us your experience with that partnership with Germany France, to be followed by Kuwait.


France: Mr. Chairman, the delegation winds itself with the statement made by the European Union and would like to make the following remarks in its national capacity. This year, we are celebrating 10 years of norms for responsible behavior in cyberspace. I’m fortunate to have participated personally in the 2015 DG negotiations and to have followed the subject closely for 10 years. In this regard, I would like to share with the rest of the group my observations as a norms veteran, so to speak. Yes, it is a thing. On the one hand, I can only welcome the fact that the continued discussion on norms over the past 10 years have led to an improvement in the common understanding of them by states. I also note the efforts made at the national and regional levels to advance their implementation. On the other hand, I can only measure the distance that remains to be covered to achieve a satisfactory level of implementation. Our compass in this regard should be a sustainable strengthening of cyber resilience at the global level. Unfortunately, this is not the direction we’re taking collectively. As for this distance to be covered when it comes to implementation, my delegation believes that our priority should not be the creation of new norms, which risk casting doubt on the credibility of our work. This is why our priority remains to implement these norms in all of their dimensions at the political level as well as the technical level, which the Singapore delegation highlighted so usefully. I listened to the many delegations that have proposed avenues for reflection on the treatment of norms in the future mechanism. Echoing these proposals, we propose that norms continue to be discussed within the norms, rules, and principles pillar. of the plenary of the future POA. However, this first level of discussions must be complemented by a problem-solving approach aimed at the concrete problems that states face in implementing norms. To achieve this, over the next 10 years and beyond, discussions within the dedicated thematic groups on resilience, cooperation, and stability could therefore be organized in three stages. Firstly, a briefing by experts on the topic. Secondly, discussions on the normative framework, including norms and good practices related to their implementation. And thirdly, exchanges on the needs of states and capacity-building solutions. Finally, France supports the United Kingdom’s proposal on Norm 13, Roman numeral 1, or 13i, which covers the nonproliferation of malicious tools. If opposed, additional voluntary action would be very relevant, and we are counting on its addition to the checklist in July. Thank you.


Chair: Thank you very much, France, for your statement. Kuwait, to be followed by Nicaragua, please.


Kuwait: Mr. Chairperson, the state of Kuwait is delivering the statement on behalf of the Arab group when it comes to the responsible state of state behavior and the application of international law. The Arab group commends the importance of trust-building measures so that we can guarantee a cooperation between countries and to bring opinions together to reduce tensions and to de-escalate any situation in the cyber space. We believe that building confidence will allow us to build on the current norms. We do not believe we need additional norms, rules, and principles through binding instruments. The group welcomes the consensual agreement of cyber security norms and this is the first step that was adopted through the working group. We look forward for the adoption of the voluntary checklist in a way that would respect the voluntary exchange of data. We believe it is important to have further discussions and dialogue at the bilateral, regional, and sub-regional levels on how the international law will apply to cyberspace. We believe that we need further discussions in this regard and we encourage countries to hold workshops and trainings for their contact groups so that we can exchange expertise and best practices. We also need to look at how we can benefit from confidence-building measures that are drafted at the regional and sub-regional levels in case there is no consensus at the UN level. Thank you.


Chair: Thank you very much, Kuwait. I give the floor now to Nicaragua to be followed by New Zealand.


Nicaragua: Thank you, Mr. Chairman. One of the priorities of our group must be to draft an appropriate and modern normative framework to regulate threats and challenges in the security landscape and the use of ICTs. It has been established that although existing voluntary and non-binding norms of behavior are a positive step for effectively regulating the use of ICTs, they are not enough, nor do they guarantee an effective response to these threats. For that reason, since this group was established, we have called for an international legally binding instrument to regulate behavior. This is our ultimate goal. Our delegation endorses the initiative of a UN Convention on International Information Security put forward by the Russian Federation as a starting point for establishing an effective international legal framework in the area of international information security. The purpose of these norms is to guarantee an environment for international cooperation and understanding to benefit everyone equally while respecting the purposes and principles of the UN Charter. It is vital to adopt legally binding norms that prevent the militarization and politicization of cyberspace, that aim to promote international cooperation and the peaceful settlement of disputes in cyberspace. These norms must also bear in mind the different conditions and responsibilities that exist in the development and technological know-how between developed and developing countries, reflecting the needs and concerns of all of our states on an equal footing. Thank you.


Chair: Thank you very much, Nicaragua. New Zealand to be followed by Brazil.


New Zealand: Thank you, Chair. We have consistently maintained that the existing framework for responsible state behavior, if fully implemented, provides a solid foundation for states to collaborate in maintaining a stable and peaceful cyberspace. We acknowledge that there is a desire among some to explore new norms. We understand, in most cases, that This is based on a genuine wish to enhance the current framework and address potential gaps, particularly in the light of rapidly developing technology. However, we believe it remains beneficial to first undergo a period of consolidation and informed assessment through the implementation of existing norms. As Switzerland noted, this does not equate to, and should not be viewed, as dismissing the idea of developing new norms over time. We acknowledge and understand the concerns regarding emerging, evolving, and new threats and their impact on norm development. Nevertheless, there are practical reasons for adopting a deliberate approach. This includes making the best use of our limited resources and avoiding the pursuit of initiatives that may duplicate existing norms or fail to significantly improve the current framework. By taking a deliberate and evidence-based approach, we can more effectively identify and address potential gaps, if any. Australia gave a good history of how the current norms were developed, with a well-informed bottom-up approach which led to a durable consensus outcome. And Chair, looking ahead to a future mechanism, a permanent mechanism, we believe the same principle applies. Such a mechanism should prioritise the implementation of the current framework, enabling us to better understand what additional measures, if any, are necessary. As noted in our previous statement on threats, we think it could be possible to streamline the proposal for dedicated thematic working groups, including by weaving the discussion around rules, norms, and principles of responsible behaviour of states into the other proposed groups on resilience, cooperation, and stability. We support the comments by the United Kingdom and France, who in their interventions gave some very useful examples of how this might work in practice. We think this approach would provide states with specific practical contexts to discuss issues around rules and norms, and that would complement the more general plenary discussions that would continue to take place under a future mechanism. We believe this approach has the potential to enhance our discussions around implementation of the current framework and which could also help states in identifying where any gaps may exist, if applicable. Thank you, Chair.


Chair: Thank you, New Zealand, for your contribution. Brazil, to be followed by Tonga.


Brazil: Thank you very much, Mr. Chair. My delegation thanks you and your team for your work in guiding our debates on this issue. Brazil is a staunch supporter of the acquis of previous UN processes on ICTs and international security, particularly the voluntary norms of responsible state behaviour, which, as many delegations have already reminded us, are reaching their 10th anniversary this year. Their continued relevance, after a decade of exponentially accelerating technological innovation, is a testament to how well they were drafted, by focusing on behaviour rather than on specific technologies. The norms have guided us in the establishing of our national norms and policies to secure our critical infrastructures and critical information infrastructures. In this regard, we welcome efforts to facilitate their implementation, including the Voluntary Checklist of Practical Actions you drafted and which was included as Annex A to the Third APR. We support the proposal made by other delegations that it be included as an Annex to our final report, with the acknowledgement that it is a living document and will be updated as necessary. The promotion of gender equality is a key component to the adequate implementation of the norms. Promoting the inclusion of women to the cybersecurity workforce, as well as having policies that address the differentiated impact of cyber threats to women and other vulnerable groups in our society, is an important component of our new National Cybersecurity Strategy, which is expected to be published in the coming months. In this regard, we can support the proposals contained in the working paper presented by the United Kingdom with a number of other delegations to mainstream a gender perspective to norms implementation. Mr. Chair, we have heard throughout our debates the arguments for advancing implementation of the existing norms and for the adoption of new ones. In our view, those positions are not in any way mutually exclusive, and our future mechanism must allow for both. Any efforts aimed at eventually developing new norms of behavior in the cyber domain must be inclusive and therefore take place within the UN, where the needs of all countries are duly taken into account. The truth of the matter is that there are many initiatives currently underway outside of our multilateral process that aim to shape state behavior in areas that clearly fall within the purview of this OEWG and the future permanent mechanism. Finally, my delegation would like to stress that, in light of the complementarity between hard law and soft law, we appreciate your inclusion on the RID discussion paper of our proposal on a thematic group on international law and on norms, rules, and principles. As we mentioned on the February 6th town hall, debating them in an integrated manner does not in any way grant them equivalent legal status, but simply recognizes their complementary nature. The working group could discuss them under separate agenda items to highlight their distinction, but discussions on one of these items must not ignore the existing body of work of the other. In any case, we will continue to work constructively with other delegations to reach a consensus solution to this issue. I thank you.


Chair: Thank you very much, Brazil, for your contribution. Tonga, to be followed by Fiji.


Tonga: Thank you, Chair. Tonga is pleased to deliver this statement on behalf of the Pacific Island Forum members represented here in New York. As it is our first time to take the floor, we wish to thank the Chair and the Secretariat for the continuous great work and for the development of the implementation checklist. The Pacific Island Forum members reaffirmed the importance of implementing existing agreed norms of responsible states’ behaviour in cyberspace. By promoting the adherence to international law and norms in cyberspace, we can promote an open, secure, stable, accessible and peaceful ICT environment. The norms are fundamental to reflect the expectations of the international community and support international peace, security and stability. We reiterate that these norms are intrinsically interrelated with international law and do not seek to limit or prohibit actions that is otherwise consistent with international law. We would like to reiterate our thanks to the Chair and your team for developing an implementation checklist to bolster implementation of the norms. We seek the checklist as a useful and practical guidance tool that builds our understanding of the norms and enables all states to achieve greater implementation of our framework of responsible state behaviour in cyberspace. However, we draw attention to the gaps in awareness in both the implementation and operationalisation of existing norms. The Pacific community is diverse and there is no one-size-fits-all approach for implementation of the norms. We encourage all states and relevant stakeholders to continue to share ongoing guidance and best practices provided by the OEWG. To support implementation of the norms, we propose that the OEWG’s final report could also encourage targeted capacity-building programmes to address challenges to implementation and gaps in capacity that are identified, provided an evidence base which has been provided by the state itself. We encourage that the OEWG to continue to build upon the norms implementation checklist to provide a consolidated and consensus guidance for all states. As a meaningful way forward, states should also continue to share their own experience on implementing norms because this provides a way to help others understand how we interpret the norms. We consider that the full mainstreaming of the norms to be a precursor to a conversation on any gaps and possible identification of additional voluntary non-binding norms that might advance our framework of responsible states’ behavior. The Pacific Island Forum members here in New York remain committed to working with all member states in the OEWG and multi-stakeholders to further progress our work on implementation of our existing norms. And before we end, we beg your indulgence, Chair, that we will be coming back at a later stage of the day to share some of our sentiments on threats. Thank you, Chair.


Chair: Thank you very much, Tonga, for the statement. Fiji, to be followed by Kenya.


Fiji: Thank you, Chair. Chair, Fiji Alliance itself with a statement delivered by Tonga on behalf of the Pacific Island Forum members and would like to deliver the following remarks in our national capacity. Fiji reaffirms its commitment to the evolving framework for responsible state behavior in the use of ICTs. We recognize that voluntary non-binding norms play a crucial role in enhancing international peace, security, and stability. And thank you, Chair, for the voluntary checklist as the next in our third APR. Chair, Fiji notes that for the 11 voluntary norms for responsible state behavior in cyberspace, the journey from agreement to implementation is complex and multifaceted. Therefore, priority in information sharing on how nations or regions are implementing the voluntary checklist for the 11 voluntary norms is welcomed. On that note, we also thank the ASEAN Regional Group for sharing the ASEAN checklist for the implementation of the norms of responsible state behavior in cyberspace. This provides further information on how it is implemented. as a region and at different levels, operational, legal, technical and so on. Chair, Fiji is in the process of designating our CI and CII and in standing up our national CERT and therefore welcomes support in this regard. We cannot protect what we cannot designate. Strengthening cooperation, sharing best practices and capacity building are key priorities in ensuring resilience against cyber threats. Fiji supports inclusive and adaptive approaches that reflect national and regional specificities, recognizing that no one-size-fits-all model exists. Furthermore, we highlight the criticality of embedding gender into the implementation of the 11 non-binding norms. As spotlighted in yesterday’s side event on gender and cyber norms bridging policy and practice, there remains a significant gap between policy commitments and their operationalization, particularly in ensuring that cyber security measures are inclusive, adaptive and aligned with human rights principles. Acknowledging this reality, Fiji finds value in the efforts to build gender-responsive cyber security policies, develop gender-sensitive technical standards and ensure the collection of gender-dissegregated data to better understand cyber security impacts across different groups. We also refer to the working paper by Australia, Chile, Colombia, my country and the United Kingdom, co-sponsored by 28 countries and supported by a number of other states. We encourage delegations to review the proposals in the cross-regional paper and would like to see these proposals in our upcoming final report. Chair, Fiji reaffirms our commitment to gender mainstreaming in policy and legislative frameworks, including in national cyber security strategies, to ensure a more inclusive approach. This commitment is cemented in Fiji’s National Development Plan 2025-2029 and Vision 2050. We are also in the process of drafting our National Cybersecurity Strategy and finalizing our National Digital Strategy, whereby gender mainstreaming is a key cross-cutting pillar. Finally, Chair, Fiji encourages continued dialogue, cooperation, and tailored capacity-building efforts to translate commitments into tangible outcomes that promote international security, stability, peace, and gender equality in the digital age. Thank you, Chair.


Chair: Thank you very much, Fiji, for your contribution. Kenya, to be followed by Israel.


Kenya: Thank you, Chair. This is the first time Kenya is taking the floor. Kenya commends you, Chair, for your team and your continued leadership and efforts in facilitating this OEWG process with an action-oriented program of work. I also thank the UK government and GFCE in facilitating our participation in the Women in Cyber Training Forum and this particular session. Kenya is dedicated in the implementation of the existing norms and how they can be applied. Understanding the norms is a precursor to identifying gaps and, if necessary, possible identification of additional non-binding norms that may contribute to responsible state behavior. Kenya welcomes the Voluntary Norms Checklist as provided in the third APR and will prioritize furthering this work with your guiding questions. We encourage the availing of practical tools and mechanisms to enable states in the implementation efforts. The checklist actually points to the work that has been done by this group and its predecessors with the 2021 GGE report in providing direction on the implementation of the voluntary land binding norms. The checklist is useful in collating national adoption of the norms, sharing of best practices and information, and identifying challenges that impede implementation. This will aid in tailoring capacity building programs to aid in addressing the challenges or gaps as identified by states. The implementation of norms, however, remains a challenge due to the varying degree of technical know-how of states. Norm C, for example, requires that states should not knowingly allow their territory to be used for internationally wrongful acts. To implement this norm, a country requires necessary tools and skills. Norm F and G underline the importance of the protection of critical infrastructure and critical information infrastructure. To protect critical infrastructure and critical information infrastructure, a nation must have appropriate tools, skills, national policies, and laws. An integral part of the implementation of the norms of responsible state behaviour is not only in sharing common understandings, but also an opportunity to assess inwardly on appropriate actions each of us should take towards full implementation. As we wind up this OEWG process and move to the future permanent mechanism, we reiterate that capacity building of states, especially technical capacity, to enable implementation of the voluntary non-binding norms should be discussed and implemented. Kenya uploads various initiatives by multiple stakeholders in advancing understanding and implementation of the norms. I thank you, Chair.


Chair: Thank you very much. Kenya, Israel, to be followed by the European Union, which is the last speaker. Israel, please.


Israel: Thank you, Chair. Thank you for giving us the floor to comment on the important issue of the normative framework. I will do my best to be very concise. Since 2015, the norms have been taking much of our discussions and rightly so. With some member states calling for new or revised norms, Israel at this point remains very skeptical of the need for further development of the norms we have, when in reality the basic norms of responsible state behavior in cyberspace are being flouted by certain states, as we have elaborated yesterday when discussing the existing and potential threats. Israel believes that a more cautious approach with respect to norms is required. As things currently stand, there is still a lack of certainty as to the manner in which existing norms and rules are implemented and understood by states. Let us also recall that the 2015 GGE norms and rules and principles that many delegations reminded us this week we are marking soon 10 years since their adoption are voluntary and non-binding in nature and do not detract from or extend beyond international law. Thus, norms are intended to signal expectations of the international community regarding appropriate state behavior, and from what we have seen thus far, their implementation has been, at best, short and uneven. In order to ensure the relevancy and efficiency of all of these norms, we must ensure that they are properly implemented. our hard work so far, we should strive for better track record before further development of new norms. As for the future mechanism is concerned, we are of the view that the international law and norms pillars of our plenary discussions can be best related also in the two or three cross-cutting dedicated thematical working groups, as the French suggestion elaborates. And through the deliberations on matters like building better global resilience, best practices to protect our critical infrastructure and services, or dealing with international cooperation in an event of major cyber attacks, if done cautiously by recalling the appropriate focus on achieving compliance with norms before rushing to further development of the normative or legal frameworks, integration of these important pillars norms and international law into the future dedicated working groups discussions may help us to may help cross the cross-cutting working groups be more effective, operational and relevant. To conclude, Mr. Chair, we wish to restate that at this point in time there is no need in our opinion to develop or elaborate any new norms, nor do we see now a need for developing any legally binding instruments. Thank you.


Chair: Thank you, Israel. Contribution, European Union, please.


European Union: Thank you, Chair, for allowing me the floor again to actually deliver our statement on norms. You have heard my colleagues align with the EU statement on norms. However, I must admit, as you have noticed, that by mistake I delivered earlier this session our statement on international law. What can I say, barely being an object of human intelligence. But thank you for allowing me to spawn to the evolving situation and step in again at this time after my EU member states, allowing me to emphasize their statements. I will try to keep it brief, and please note that we will publish all our statements, including on norms as well as international law, on the UN website, including also the alignment of partners. Chair, on norms, as a meaningful way forward, we should continue sharing our experiences in implementation of norms. It helps us to understand how we can enhance and review the implementation efforts and promote continued exchanges of experiences and best practices, including on a new mechanism. The EU is working on a non-exhaustive list of examples regarding the steps taken by EU member states and the EU in the implementation of the 11 agreed norms, including through the work of the EU cybersecurity agencies on the revised Network and Information Security Directive or by the EU Cybercrime Centre and its work to combat cybercrime. Chair, we see the norms checklist as a valuable tool to take our work forward in the current format. We acknowledge the efforts to capture the detailed and useful information on the norms section of the UN GGE21 report, but agree that more can be done. For example, by including certain elements such as working with the private sector to protect critical infrastructure, considering their role in this context. The voluntary checklist should be treated as a living document and serve as the primary reference as states continue to implement the framework. An initial version of the checklist could be adopted and attached to the final Open End Working Group report, and this would ensure that states have a clear starting point to survey implementation efforts. In the future programme of action, with its emphasis on concrete implementation and related needs to capacity building, we could have an ideal platform to further develop the voluntary checklist. We also welcome the idea by Kuwait on the online portal to support and track the implementation of the 11 norms of responsible state behaviour. And furthermore, we suggest looking at other examples of norms implementation guidelines, for example, projects by UNIDIR, Oxfords and others. to provide further guidance on minimum baselines for norms implementation by states. Such efforts could be also incorporated in a norms checklist. Chair, despite me reading the international law statement under the norms section, let me emphasize that for the EU and its member states, it’s crucial not to conflate the discussion on binding international law in cyberspace, to which all states are bound to comply, with the discussions on norms of responsible state behavior. While these discussions should be viewed as complementary, they should, in our view, be treated also as two distinct elements. And the cross-cutting dedicated thematic groups that we propose should allow for both sufficient time and space to discuss how international law and norms applying to cyberspace can be applied to specific cyber challenges, as also is for the other elements of the pillars. To take one example, international law prohibits the use of ICTs, including ransomware, to intervene coercively in the internal or external affairs of other states. Additionally, then, the norms and confidence-building measures both provide normative and practical guidance on how states subject to an attack can, for instance, seek assistance from others in the event of a ransomware attack. We should not forget that voluntary norms do not exist in isolation, but they sit alongside the obligations established by international law. While norms are voluntary and non-binding, the law itself is actually binding. Chair, the EU is committed to mainstreaming the norms we have agreed upon and will continue to raise awareness of them across governments and beyond the UN. We are dedicated to advancing the implementation at domestic and regional as well as state levels and will continue to contribute to this. Thank you.


Chair: So yes, thank you for that statement on norms. Friends, we have about 10 minutes or less before we wrap up this part of our agenda and move on to international law, which we will do this afternoon. Not sure I can really give you a summary of the discussions. You have all heard yourselves. It is quite clear that we have all become non-veterans. Some of us have listened to these discussions for over 10 years. The norms are 10 years old, but in some ways they are timeless. They continue to be very, very important in terms of the guidance it offers for responsible state behavior. While the diplomats have become older, the norms remain timeless. And I think everyone agrees that it’s really important that we continue to support the implementation of the norms. I think on that part, I don’t think there is agreement. No one is objecting to norms implementation. So there is some degree of commonality with regard to the implementation of norms. I think all of us at the same time want the normative framework to be implemented and to raise the awareness of it, raise the understanding of it. And we also all accept that it’s cumulative and evolving. It will evolve through various ways, through norm guidance, through explanatory text. And then, of course, in that 2015 report, we also acknowledged and continue to acknowledge in our annual progress reports that new norms could be developed over time. So in some ways, it has become the norm in this working group to talk about developing new norms. But ultimately, it’s a question of finding consensus as to how we want to take further steps as we transition to a future permanent mechanism. I think that’s where we are at a crossroads, because we are transitioning from this working group, hopefully, to a future permanent mechanism. And how do we want to evolve this discussion on the development of additional norms? We also have to acknowledge that in the course of the work of this working group over the last few years, some additional proposals and ideas have been put forward. It’s there on the table. The discussions are continuing. It is bottom-up. No one is imposing any norms from the top. The discussions are continuing. And it’s incumbent on all of us to see if we can find common ground and build common ground. So in that context, it is cumulative and evolving in an inclusive, transparent, and open-ended way, because this is the open-ended working group. So, we need to reflect carefully on how this will be captured in the final draft, so that our work in the future permanent mechanism doesn’t start again in 2015. I think that’s important, that we continue the work that has been done over the last ten years, we transition into a future permanent mechanism, and how do we build and continue this discussion on norms implementation, as well as the question of potential new norms, how do we continue that discussion into and beyond 2025. And we should do in a way that recognises the discussions that have come thus far, as opposed to going back to 2015, in which case we would not do justice to the discussions, not just in this working group, but over the last ten years. The question of the voluntary checklist, I think a lot of you had mentioned it. Again, it is a way of providing additional guidance on norms implementation, but it can also help in many other ways, in terms of capacity building, in terms of practical application in the context of a simulation exercise, for example, so I would like you to reflect on that. I think it is a living document, as many of you said, so it is not cast in stone, and I think we need to see how we can capture the discussions on the voluntary checklist this year, but also over the last year. The final point I would say is… It’s the point that some of you had made, which is that we need to keep an open mind. And I would also suggest that we should not look at this discussion as a zero-sum discussion, where we can try and define in a very black-and-white way as to where we are. It is an evolving discussion we have had over the ten past years. We need to capture that discussion. We need to reflect some of the ideas and proposals that have been expressed over the last few years. And we have to do it in a way that commands consensus. So that is our challenge for the final progress report. I won’t say anything more at this stage, but I do invite all of you to keep an open mind as we transition to the next discussion this afternoon, which is international law. In some ways, the two topics are distinct and separate. A lot of you have said that. I think no one disagrees with that. In fact, that, too, was a common point that came up in the town hall and here, the need to separate the discussions on international law as well as on norms, or rather how the two are two distinct concepts. But I think we can all have that conceptual distinction in our mind, even as we discuss the issue in a broader context. Because a lot of you, while we were talking about norms, were talking about international law, and while we will be talking about international law this afternoon, we will no doubt be going back to the relationship with norms. So, again, it’s not zero-sum, but to keep an open mind, and we’ll come to the discussions on international law starting this afternoon at 3 p.m. But thank you very much for the positive and constructive tone for the discussions this morning, and I wish you a pleasant lunch. The meeting is adjourned. Thank you. Thank you.


S

Switzerland

Speech speed

142 words per minute

Speech length

494 words

Speech time

208 seconds

Focus on implementing current norms before developing new ones

Explanation

Switzerland argues that priority should be given to implementing existing norms rather than creating new ones. They believe that the current framework is sufficient if properly implemented.


Evidence

Switzerland mentions that many proposed new norms can be subsumed under existing ones.


Major Discussion Point

Implementation of Existing Norms


Agreed with

– New Zealand
– Japan
– Republic of Korea
– United States
– Israel

Agreed on

Implementation of existing norms should be prioritized


Differed with

– New Zealand
– Japan
– Nicaragua
– El Salvador
– China
– Viet Nam

Differed on

Development of new norms


N

New Zealand

Speech speed

151 words per minute

Speech length

406 words

Speech time

161 seconds

Existing norms are sufficient and adaptable to new challenges

Explanation

New Zealand contends that the current framework of norms, if fully implemented, provides a solid foundation for maintaining stable and peaceful cyberspace. They argue that existing norms are flexible enough to address emerging issues.


Major Discussion Point

Implementation of Existing Norms


Agreed with

– Switzerland
– Japan
– Republic of Korea
– United States
– Israel

Agreed on

Implementation of existing norms should be prioritized


Differed with

– Switzerland
– Japan
– Nicaragua
– El Salvador
– China
– Viet Nam

Differed on

Development of new norms


M

Mauritius

Speech speed

107 words per minute

Speech length

383 words

Speech time

212 seconds

Need for practical steps to integrate norms into national policies

Explanation

Mauritius emphasizes the importance of translating international cyber norms into concrete national policies and practices. They argue that practical implementation at the national level is crucial for the effectiveness of these norms.


Major Discussion Point

Implementation of Existing Norms


Agreed with

– Kenya
– Tonga

Agreed on

Importance of capacity building for norms implementation


K

Kenya

Speech speed

122 words per minute

Speech length

395 words

Speech time

193 seconds

Importance of capacity building to implement norms, especially for developing countries

Explanation

Kenya highlights the need for capacity building initiatives to help countries, particularly developing nations, implement cyber norms effectively. They argue that technical know-how and resources are crucial for norm implementation.


Evidence

Kenya cites examples of norms C, F, and G, which require specific tools, skills, and national policies to implement effectively.


Major Discussion Point

Implementation of Existing Norms


Agreed with

– Mauritius
– Tonga

Agreed on

Importance of capacity building for norms implementation


K

Kingdom of the Netherlands

Speech speed

160 words per minute

Speech length

386 words

Speech time

144 seconds

Voluntary checklist is a useful tool for norms implementation

Explanation

The Netherlands supports the voluntary checklist as an effective tool for implementing cyber norms. They view it as a practical guide for states to assess and improve their implementation efforts.


Evidence

The Netherlands refers to the checklist in Annex A of the 3rd Annual Progress Report.


Major Discussion Point

Implementation of Existing Norms


Agreed with

– Kuwait
– European Union

Agreed on

Support for voluntary checklist as a tool for norms implementation


J

Japan

Speech speed

126 words per minute

Speech length

215 words

Speech time

102 seconds

Norms implementation should be prioritized over new norms development

Explanation

Japan emphasizes the importance of implementing existing norms rather than developing new ones. They argue that concrete actions to implement current norms should be the focus of international efforts.


Evidence

Japan refers to the 11 voluntary, non-binding norms from the 2015 GGE report.


Major Discussion Point

Implementation of Existing Norms


Agreed with

– Switzerland
– New Zealand
– Republic of Korea
– United States
– Israel

Agreed on

Implementation of existing norms should be prioritized


Differed with

– Switzerland
– New Zealand
– Nicaragua
– El Salvador
– China
– Viet Nam

Differed on

Development of new norms


R

Republic of Korea

Speech speed

128 words per minute

Speech length

241 words

Speech time

112 seconds

Existing norms framework is comprehensive and robust

Explanation

The Republic of Korea argues that the current framework of 11 norms is comprehensive and well-suited to address emerging threats in cyberspace. They believe that existing norms are sufficiently flexible to cover new technological developments.


Evidence

The Republic of Korea mentions that the 11 norms are structured comprehensively and remain robust in addressing emerging threats.


Major Discussion Point

Implementation of Existing Norms


Agreed with

– Switzerland
– New Zealand
– Japan
– United States
– Israel

Agreed on

Implementation of existing norms should be prioritized


N

Nicaragua

Speech speed

123 words per minute

Speech length

235 words

Speech time

114 seconds

Need for new legally binding norms to address evolving threats

Explanation

Nicaragua argues for the development of new, legally binding norms to effectively regulate the use of ICTs and address emerging threats. They believe that voluntary norms are insufficient to guarantee an effective response to cyber threats.


Evidence

Nicaragua endorses the Russian Federation’s initiative for a UN Convention on International Information Security.


Major Discussion Point

Development of New Norms


Differed with

– United States
– Cuba

Differed on

Legally binding vs. voluntary norms


E

El Salvador

Speech speed

119 words per minute

Speech length

484 words

Speech time

243 seconds

Support for developing new norms to address emerging technologies

Explanation

El Salvador advocates for the development of new norms to address challenges posed by emerging technologies such as AI and quantum computing. They argue that the current cyber landscape has changed significantly since the existing norms were developed.


Evidence

El Salvador proposes updating norm E on the right to privacy in the digital era to include principles of data minimization and transparency.


Major Discussion Point

Development of New Norms


Differed with

– Switzerland
– New Zealand
– Japan
– Nicaragua
– China
– Viet Nam

Differed on

Development of new norms


B

Brazil

Speech speed

171 words per minute

Speech length

527 words

Speech time

184 seconds

Openness to discussing potential new norms in future mechanism

Explanation

Brazil expresses openness to discussing the development of new norms within the future permanent mechanism. They argue that efforts to develop new norms should be inclusive and take place within the UN framework.


Major Discussion Point

Development of New Norms


Support for integrated discussion of norms and international law

Explanation

Brazil supports an integrated approach to discussing norms and international law, while recognizing their distinct legal status. They argue that discussing these elements together can highlight their complementary nature.


Evidence

Brazil refers to their proposal for a thematic group on international law and norms in the future mechanism.


Major Discussion Point

Relationship Between Norms and International Law


Differed with

– European Union
– France

Differed on

Approach to discussing norms and international law


Need to address differentiated impact of cyber threats on women

Explanation

Brazil highlights the importance of addressing the differentiated impact of cyber threats on women and other vulnerable groups. They argue that this consideration should be part of national cybersecurity strategies and policies.


Evidence

Brazil mentions that this commitment is included in their upcoming National Cybersecurity Strategy.


Major Discussion Point

Gender Considerations in Norms


I

Israel

Speech speed

136 words per minute

Speech length

432 words

Speech time

190 seconds

Skepticism about need for new norms at this time

Explanation

Israel expresses skepticism about the need for developing new norms at present. They argue that there is still a lack of certainty about how existing norms are implemented and understood by states.


Evidence

Israel points out that the implementation of existing norms has been short and uneven so far.


Major Discussion Point

Development of New Norms


Agreed with

– Switzerland
– New Zealand
– Japan
– Republic of Korea
– United States

Agreed on

Implementation of existing norms should be prioritized


C

China

Speech speed

120 words per minute

Speech length

487 words

Speech time

243 seconds

Support for new norms on data security and supply chain integrity

Explanation

China advocates for the development of new norms focusing on data security and supply chain integrity. They argue that these areas are of common concern and require specific normative frameworks.


Evidence

China proposes in-depth discussions on universal non-discriminatory international norms on data security and globally interoperable common norms for supply chain security.


Major Discussion Point

Development of New Norms


Differed with

– Switzerland
– New Zealand
– Japan
– Nicaragua
– El Salvador
– Viet Nam

Differed on

Development of new norms


V

Viet Nam

Speech speed

110 words per minute

Speech length

332 words

Speech time

180 seconds

New norms needed to keep pace with technological developments

Explanation

Vietnam supports the establishment of new norms to address the rapid development and expansion of the digital landscape. They argue that new norms should keep pace with emerging disruptive technologies and address the widening digital divide.


Major Discussion Point

Development of New Norms


Differed with

– Switzerland
– New Zealand
– Japan
– Nicaragua
– El Salvador
– China

Differed on

Development of new norms


E

European Union

Speech speed

162 words per minute

Speech length

1564 words

Speech time

578 seconds

Norms and international law are distinct but complementary

Explanation

The European Union emphasizes that discussions on non-binding norms and binding international law should be treated as distinct but complementary elements. They argue that both have important roles in regulating state behavior in cyberspace.


Evidence

The EU provides an example of how international law prohibits certain uses of ICTs, while norms provide guidance on how states can seek assistance in case of attacks.


Major Discussion Point

Relationship Between Norms and International Law


Differed with

– France
– Brazil

Differed on

Approach to discussing norms and international law


EU efforts on regional norms implementation

Explanation

The European Union mentions its work on developing a non-exhaustive list of examples regarding steps taken by EU member states in implementing the 11 agreed norms. This demonstrates a coordinated regional approach to norms implementation.


Evidence

The EU cites the work of EU cybersecurity agencies on the revised Network and Information Security Directive and the EU Cybercrime Centre.


Major Discussion Point

Regional Approaches to Norms


Agreed with

– Kingdom of the Netherlands
– Kuwait

Agreed on

Support for voluntary checklist as a tool for norms implementation


C

Cuba

Speech speed

128 words per minute

Speech length

494 words

Speech time

231 seconds

Need for legally binding instrument in addition to voluntary norms

Explanation

Cuba argues that non-binding norms are insufficient to address growing challenges in cyberspace. They advocate for the development of legally binding norms to ensure a coordinated and effective response to cyber threats.


Evidence

Cuba points out that the voluntary nature of current norms limits their usefulness and leaves room for politicization.


Major Discussion Point

Relationship Between Norms and International Law


Differed with

– United States
– Nicaragua

Differed on

Legally binding vs. voluntary norms


U

United States

Speech speed

125 words per minute

Speech length

332 words

Speech time

158 seconds

Existing international law already provides binding rules for cyberspace

Explanation

The United States emphasizes that existing international law already applies to state conduct in cyberspace, providing binding rules. They argue that non-binding norms are meant to complement, not replace, these legal obligations.


Evidence

The US refers to repeated consensus confirmations by UN member states that existing international obligations apply to cyberspace.


Major Discussion Point

Relationship Between Norms and International Law


Agreed with

– Switzerland
– New Zealand
– Japan
– Republic of Korea
– Israel

Agreed on

Implementation of existing norms should be prioritized


Differed with

– Cuba
– Nicaragua

Differed on

Legally binding vs. voluntary norms


F

France

Speech speed

146 words per minute

Speech length

432 words

Speech time

176 seconds

Importance of not conflating discussions on norms and international law

Explanation

France stresses the importance of maintaining a clear distinction between discussions on non-binding norms and binding international law. They argue that while these elements are complementary, they should be treated as separate in discussions.


Major Discussion Point

Relationship Between Norms and International Law


Differed with

– European Union
– Brazil

Differed on

Approach to discussing norms and international law


Support for continued norms discussion in plenary of future mechanism

Explanation

France proposes that norms continue to be discussed within the norms, rules, and principles pillar of the plenary in the future mechanism. They argue this approach maintains the importance of norms discussions at the highest level.


Major Discussion Point

Future Mechanism for Norms Discussion


Proposal for problem-solving approach to norms implementation in thematic groups

Explanation

France suggests a problem-solving approach to norms implementation within thematic groups of the future mechanism. They propose a three-stage process involving expert briefings, discussions on normative frameworks, and exchanges on capacity-building needs.


Major Discussion Point

Future Mechanism for Norms Discussion


I

Islamic Republic of Iran

Speech speed

124 words per minute

Speech length

452 words

Speech time

217 seconds

Support for dedicated thematic group on norms in future mechanism

Explanation

Iran proposes the establishment of a dedicated thematic group within the future permanent mechanism to address the development of norms. They argue this group should focus on introducing changes to current norms and elaborating additional rules of behavior.


Evidence

Iran refers to the mandate established in Resolution 75-240.


Major Discussion Point

Future Mechanism for Norms Discussion


U

United Kingdom

Speech speed

150 words per minute

Speech length

671 words

Speech time

268 seconds

Proposal for cross-cutting approach to norms in thematic groups

Explanation

The UK proposes a cross-cutting approach to discussing norms within thematic groups of the future mechanism. They argue this approach would allow for practical application of norms to specific cyber challenges.


Evidence

The UK provides an example of how information sharing norms could be discussed within a thematic group on cooperation.


Major Discussion Point

Future Mechanism for Norms Discussion


C

Canada

Speech speed

156 words per minute

Speech length

739 words

Speech time

282 seconds

Need for stakeholder participation in future norms discussions

Explanation

Canada emphasizes the importance of including stakeholders beyond member states in future discussions on norms. They argue that stakeholder expertise is crucial for addressing practical policy challenges related to norms implementation.


Evidence

Canada cites the example of FIRST, an expert organization on vulnerability reporting, whose participation has been vetoed by some states.


Major Discussion Point

Future Mechanism for Norms Discussion


M

Malaysia

Speech speed

129 words per minute

Speech length

463 words

Speech time

213 seconds

ASEAN regional norms implementation checklist

Explanation

Malaysia highlights ASEAN’s efforts in developing a regional norms implementation checklist. This checklist provides actionable steps for states to consider in implementing cyber norms, organized into five pillars: policy, operational, technical, legal, and diplomatic.


Evidence

Malaysia mentions that the ASEAN Norm Implementation Checklist was endorsed at the 5th ASEAN Cyber Security Coordinating Committee.


Major Discussion Point

Regional Approaches to Norms


D

Djibouti

Speech speed

114 words per minute

Speech length

452 words

Speech time

237 seconds

African Union common position on norms

Explanation

Djibouti refers to the African Union’s common position on the application of international law in cyberspace. This indicates a regional approach to understanding and implementing cyber norms.


Major Discussion Point

Regional Approaches to Norms


K

Kuwait

Speech speed

106 words per minute

Speech length

232 words

Speech time

130 seconds

Arab group position on norms implementation

Explanation

Kuwait, speaking on behalf of the Arab group, emphasizes the importance of confidence-building measures in implementing cyber norms. They support the voluntary checklist approach to norms implementation.


Major Discussion Point

Regional Approaches to Norms


Agreed with

– Kingdom of the Netherlands
– European Union

Agreed on

Support for voluntary checklist as a tool for norms implementation


T

Tonga

Speech speed

144 words per minute

Speech length

456 words

Speech time

188 seconds

Pacific Island Forum members’ approach to norms

Explanation

Tonga, speaking on behalf of Pacific Island Forum members, reaffirms the importance of implementing existing agreed norms of responsible state behavior in cyberspace. They emphasize the need for targeted capacity-building programs to address implementation challenges.


Major Discussion Point

Regional Approaches to Norms


Agreed with

– Mauritius
– Kenya

Agreed on

Importance of capacity building for norms implementation


F

Fiji

Speech speed

128 words per minute

Speech length

488 words

Speech time

228 seconds

Importance of gender mainstreaming in norms implementation

Explanation

Fiji emphasizes the need to embed gender considerations into the implementation of cyber norms. They argue that gender-responsive cybersecurity policies and practices are crucial for effective and inclusive norm implementation.


Evidence

Fiji mentions its commitment to gender mainstreaming in policy and legislative frameworks, including in its National Cybersecurity Strategy and National Digital Strategy.


Major Discussion Point

Gender Considerations in Norms


A

Australia

Speech speed

162 words per minute

Speech length

800 words

Speech time

295 seconds

Support for gender-responsive approach to cybersecurity

Explanation

Australia expresses strong support for incorporating gender mainstreaming into norms implementation. They argue that a gender-responsive approach is crucial for effective and inclusive cybersecurity measures.


Evidence

Australia refers to a working paper on gender mainstreaming in norms implementation, co-sponsored by multiple countries.


Major Discussion Point

Gender Considerations in Norms


S

South Africa

Speech speed

135 words per minute

Speech length

376 words

Speech time

166 seconds

Proposal to incorporate gender perspective in norms checklist

Explanation

South Africa expresses support for proposals to include gender mainstreaming in the voluntary checklist for norms implementation. They view this as an important step towards ensuring gender equality in cybersecurity efforts.


Evidence

South Africa refers to the working paper drafted by Australia, Chile, Colombia, Fiji, and the United Kingdom on this topic.


Major Discussion Point

Gender Considerations in Norms


Agreements

Agreement Points

Implementation of existing norms should be prioritized

speakers

– Switzerland
– New Zealand
– Japan
– Republic of Korea
– United States
– Israel

arguments

Focus on implementing current norms before developing new ones


Existing norms are sufficient and adaptable to new challenges


Norms implementation should be prioritized over new norms development


Existing norms framework is comprehensive and robust


Existing international law already provides binding rules for cyberspace


Skepticism about need for new norms at this time


summary

These speakers agree that priority should be given to implementing existing norms rather than developing new ones, arguing that the current framework is sufficient if properly implemented and adaptable to new challenges.


Importance of capacity building for norms implementation

speakers

– Mauritius
– Kenya
– Tonga

arguments

Need for practical steps to integrate norms into national policies


Importance of capacity building to implement norms, especially for developing countries


Pacific Island Forum members’ approach to norms


summary

These speakers emphasize the need for capacity building initiatives to help countries, particularly developing nations, implement cyber norms effectively. They argue that practical implementation at the national level is crucial for the effectiveness of these norms.


Support for voluntary checklist as a tool for norms implementation

speakers

– Kingdom of the Netherlands
– Kuwait
– European Union

arguments

Voluntary checklist is a useful tool for norms implementation


Arab group position on norms implementation


EU efforts on regional norms implementation


summary

These speakers support the voluntary checklist as an effective tool for implementing cyber norms, viewing it as a practical guide for states to assess and improve their implementation efforts.


Similar Viewpoints

Both Nicaragua and Cuba argue for the development of new, legally binding norms to effectively regulate the use of ICTs and address emerging threats. They believe that voluntary norms are insufficient to guarantee an effective response to cyber threats.

speakers

– Nicaragua
– Cuba

arguments

Need for new legally binding norms to address evolving threats


Need for legally binding instrument in addition to voluntary norms


These speakers advocate for the development of new norms to address challenges posed by emerging technologies and evolving cyber threats. They argue that the current cyber landscape has changed significantly since the existing norms were developed, necessitating new normative frameworks.

speakers

– El Salvador
– Viet Nam
– China

arguments

Support for developing new norms to address emerging technologies


New norms needed to keep pace with technological developments


Support for new norms on data security and supply chain integrity


These speakers emphasize the importance of maintaining a clear distinction between discussions on non-binding norms and binding international law, while recognizing their complementary nature in regulating state behavior in cyberspace.

speakers

– European Union
– France
– United States

arguments

Norms and international law are distinct but complementary


Importance of not conflating discussions on norms and international law


Existing international law already provides binding rules for cyberspace


Unexpected Consensus

Gender mainstreaming in norms implementation

speakers

– Fiji
– Australia
– Brazil
– South Africa

arguments

Importance of gender mainstreaming in norms implementation


Support for gender-responsive approach to cybersecurity


Need to address differentiated impact of cyber threats on women


Proposal to incorporate gender perspective in norms checklist


explanation

There is an unexpected consensus among these diverse speakers on the importance of incorporating gender considerations into the implementation of cyber norms. This agreement spans across different regions and levels of technological development, indicating a growing recognition of the need for inclusive and gender-responsive cybersecurity measures.


Overall Assessment

Summary

The main areas of agreement include the importance of implementing existing norms, the need for capacity building to support implementation, and the usefulness of a voluntary checklist for norms implementation. There is also emerging consensus on the importance of gender mainstreaming in cybersecurity efforts.


Consensus level

The level of consensus is moderate. While there is broad agreement on the importance of norms and their implementation, there are significant divergences on whether new norms are needed and whether legally binding instruments should be developed. This split opinion suggests that future discussions on the evolution of cyber norms may be challenging, potentially impacting the development of a unified global approach to cybersecurity.


Differences

Different Viewpoints

Development of new norms

speakers

– Switzerland
– New Zealand
– Japan
– Nicaragua
– El Salvador
– China
– Viet Nam

arguments

Focus on implementing current norms before developing new ones


Existing norms are sufficient and adaptable to new challenges


Norms implementation should be prioritized over new norms development


Need for new legally binding norms to address evolving threats


Support for developing new norms to address emerging technologies


Support for new norms on data security and supply chain integrity


New norms needed to keep pace with technological developments


summary

There is a significant divide between countries that believe existing norms are sufficient and those advocating for the development of new norms to address emerging challenges and technologies.


Legally binding vs. voluntary norms

speakers

– United States
– Cuba
– Nicaragua

arguments

Existing international law already provides binding rules for cyberspace


Need for legally binding instrument in addition to voluntary norms


Need for new legally binding norms to address evolving threats


summary

There is disagreement on whether voluntary norms are sufficient or if legally binding instruments are necessary for effective cybersecurity governance.


Approach to discussing norms and international law

speakers

– European Union
– France
– Brazil

arguments

Norms and international law are distinct but complementary


Importance of not conflating discussions on norms and international law


Support for integrated discussion of norms and international law


summary

Countries differ on whether norms and international law should be discussed separately or in an integrated manner in future mechanisms.


Unexpected Differences

Regional approaches to norms implementation

speakers

– Malaysia
– Djibouti
– Kuwait
– Tonga
– European Union

arguments

ASEAN regional norms implementation checklist


African Union common position on norms


Arab group position on norms implementation


Pacific Island Forum members’ approach to norms


EU efforts on regional norms implementation


explanation

While not a direct disagreement, the emergence of distinct regional approaches to norms implementation was an unexpected development. This highlights potential challenges in achieving a truly global consensus on norms implementation.


Overall Assessment

summary

The main areas of disagreement revolve around the need for new norms, the legal status of norms (binding vs. voluntary), and the approach to discussing norms in relation to international law.


difference_level

The level of disagreement is significant, particularly on the development of new norms and their legal status. This implies potential challenges in reaching consensus on the future direction of cyber norms and could impact the effectiveness of global cybersecurity governance efforts.


Partial Agreements

Partial Agreements

These speakers agree on the need for a more practical and inclusive approach to norms discussions in the future mechanism, but differ on the specific structure and format of these discussions.

speakers

– United Kingdom
– Canada
– France

arguments

Proposal for cross-cutting approach to norms in thematic groups


Need for stakeholder participation in future norms discussions


Support for continued norms discussion in plenary of future mechanism


Proposal for problem-solving approach to norms implementation in thematic groups


Similar Viewpoints

Both Nicaragua and Cuba argue for the development of new, legally binding norms to effectively regulate the use of ICTs and address emerging threats. They believe that voluntary norms are insufficient to guarantee an effective response to cyber threats.

speakers

– Nicaragua
– Cuba

arguments

Need for new legally binding norms to address evolving threats


Need for legally binding instrument in addition to voluntary norms


These speakers advocate for the development of new norms to address challenges posed by emerging technologies and evolving cyber threats. They argue that the current cyber landscape has changed significantly since the existing norms were developed, necessitating new normative frameworks.

speakers

– El Salvador
– Viet Nam
– China

arguments

Support for developing new norms to address emerging technologies


New norms needed to keep pace with technological developments


Support for new norms on data security and supply chain integrity


These speakers emphasize the importance of maintaining a clear distinction between discussions on non-binding norms and binding international law, while recognizing their complementary nature in regulating state behavior in cyberspace.

speakers

– European Union
– France
– United States

arguments

Norms and international law are distinct but complementary


Importance of not conflating discussions on norms and international law


Existing international law already provides binding rules for cyberspace


Takeaways

Key Takeaways

There is broad agreement on the continued importance and relevance of the existing 11 voluntary norms of responsible state behavior in cyberspace.


Many states emphasize prioritizing implementation of existing norms over developing new ones at this time.


There are differing views on whether new norms are needed, with some states supporting new norms to address emerging technologies and threats, while others are skeptical.


The relationship between voluntary norms and binding international law is seen as distinct but complementary.


There is support for continuing norms discussions in the future permanent mechanism, though views differ on the exact format.


Regional approaches to norms implementation are seen as valuable complementary efforts.


Incorporating gender considerations into norms implementation is gaining support.


Resolutions and Action Items

Consider adopting the voluntary checklist for norms implementation as an annex to the final OEWG report


Continue discussions on how to address norms in the future permanent mechanism


Share national and regional experiences on norms implementation


Explore ways to mainstream gender considerations into norms implementation efforts


Unresolved Issues

Whether and how to develop potential new norms


Exact format for discussing norms in the future permanent mechanism


How to balance focus on implementation vs. development of norms


How to address proposals for legally binding instruments on cybersecurity


Suggested Compromises

Treat the voluntary checklist as a living document that can be updated over time


Allow for both implementation of existing norms and discussion of potential new norms in future mechanism


Use cross-cutting thematic groups to discuss practical application of norms alongside other framework elements


Maintain conceptual distinction between norms and international law while allowing for integrated discussion of their practical application


Thought Provoking Comments

The 11 voluntary non-binding norms currently reflected in the Third Annual Progress Report and specified in the 2015 UNGA Adopted GG report are widely recognized and remain highly relevant in addressing emerging threats. As the deadline to adopt the final report approaches, we believe that establishing new norms is unnecessary.

speaker

Republic of Korea


reason

This comment challenges the idea that new norms are needed and argues for focusing on implementing existing norms, which is a key point of contention in the discussion.


impact

It reinforced the position of countries advocating for implementation over developing new norms, shaping subsequent comments from other delegations.


We believe the final report must include a roadmap for moving forward on negotiating a legally binding instrument and set up obligations on states.

speaker

Cuba


reason

This comment introduces a concrete proposal for moving towards legally binding norms, which contrasts with the voluntary nature of existing norms.


impact

It sparked further debate on whether binding or non-binding norms are more appropriate and effective, with several subsequent speakers addressing this point.


Australia would consider a rushed exercise to insert new norms that are potentially untested into our framework in the next four months and I think 21 days. It doesn’t provide the respect that we owe to our work in our framework.

speaker

Australia


reason

This comment provides a pragmatic perspective on the timeline and process for developing new norms, cautioning against hasty action.


impact

It shifted the discussion towards considering the practical aspects and timeline of norm development, rather than just the content of norms.


Egypt believes that it’s important to have an open mind and adopt a flexible approach until we engage in the real discussions in our future permanent mechanism. And I believe when we have those real discussions, we’ll find out that we need more norms and different types of norms, some binding and some voluntary.

speaker

Egypt


reason

This comment advocates for a balanced and open-minded approach, acknowledging the potential need for both binding and voluntary norms in the future.


impact

It encouraged a more nuanced discussion about the future of norms, moving beyond the binary debate of new norms vs. implementation of existing ones.


Overall Assessment

These key comments shaped the discussion by highlighting the main points of contention regarding the development and implementation of cyber norms. They revealed a spectrum of positions, from focusing solely on implementing existing norms to advocating for new, legally binding instruments. The discussion evolved from initial statements of positions to more nuanced considerations of practical implementation, the process of norm development, and the need for flexibility in future discussions. This progression allowed for a more comprehensive exploration of the challenges and opportunities in developing an effective normative framework for responsible state behavior in cyberspace.


Follow-up Questions

How can the voluntary checklist for norms implementation be further improved and updated?

speaker

Multiple speakers including Malaysia, Thailand, and the European Union


explanation

The checklist is seen as a living document that needs ongoing refinement to serve as an effective tool for implementing cyber norms.


What are the best approaches for integrating gender perspectives into cyber norm implementation?

speaker

Fiji and other supporters of the Australia/UK working paper


explanation

There is a recognized need to mainstream gender considerations in cybersecurity policies and norm implementation.


How can states effectively implement the principle of due diligence in cyberspace?

speaker

Portugal


explanation

Due diligence was highlighted as a key norm that requires further elaboration on practical implementation steps.


What mechanisms can be developed for tracing and attributing cyber incidents?

speaker

China


explanation

China proposed exploring an authoritative and impartial mechanism for cybersecurity traceability under the UN framework.


How can the protection of critical infrastructure be further prioritized and strengthened?

speaker

Multiple speakers including Italy and China


explanation

There is ongoing concern about cyber attacks on critical infrastructure and a need for enhanced protection measures.


What are the best practices for public-private partnerships in implementing cyber norms?

speaker

Multiple speakers including Italy and Canada


explanation

The role of the private sector, especially in critical infrastructure protection, was highlighted as crucial for norm implementation.


How can capacity building efforts be tailored to support norm implementation, especially for developing countries?

speaker

Multiple speakers including Kenya, Fiji, and others


explanation

There is a recognized need for targeted capacity building to enable all states to effectively implement cyber norms.


What are the potential impacts of emerging technologies like AI on the existing normative framework?

speaker

Multiple speakers including El Salvador


explanation

There is interest in understanding how new technologies might necessitate updates to existing norms or creation of new ones.


How can data security and cross-border data flows be addressed in the normative framework?

speaker

China


explanation

China proposed developing universal non-discriminatory international norms on data security.


What modalities can be developed to ensure meaningful stakeholder participation in the future permanent mechanism?

speaker

Multiple speakers including Canada and Switzerland


explanation

There is interest in finding ways to include non-governmental stakeholders in discussions while respecting state concerns.


Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.