Agenda item 5: discussions on substantive issues contained in paragraph 1 of General Assembly resolution 75/240 (continued)/3/OEWG 2025

Summary

This discussion focused on confidence-building measures (CBMs) in cybersecurity, particularly the implementation of the Global Points of Contact (POC) Directory and other CBMs agreed upon by the Open-Ended Working Group (OEWG). Many countries emphasized the importance of CBMs in reducing tensions, preventing misunderstandings, and fostering trust in cyberspace. The establishment of the Global POC Directory was highlighted as a significant achievement, with 116 countries now participating. Several delegates expressed support for the upcoming simulation exercise in March to test the directory’s effectiveness.

Numerous countries stressed the need for capacity building to enable effective implementation of CBMs, especially for developing nations. Regional cooperation and sharing of best practices were frequently mentioned as crucial for successful CBM implementation. Many delegates also emphasized the importance of including non-governmental stakeholders, such as the private sector and academia, in CBM efforts.

Several countries proposed ideas for enhancing CBMs, including standardized templates for incident reporting, regular reviews of CBM implementation, and dedicated thematic groups in the future permanent mechanism. The role of national legislation and policies in supporting CBMs was also highlighted. Some delegates called for addressing the digital divide and removing unilateral coercive measures to enable full participation in CBM initiatives.

Overall, there was broad agreement on the value of CBMs, with many countries expressing commitment to their implementation and further development. The discussion underscored the ongoing need for dialogue, cooperation, and capacity building to strengthen cybersecurity and stability in the digital realm.

Keypoints

Major discussion points:

– Implementation and operationalization of the Global Points of Contact (POC) Directory, including upcoming simulation exercises and ping tests

– The importance of confidence-building measures (CBMs) in reducing tensions and building trust between states in cyberspace

– The role of regional organizations and initiatives in implementing CBMs and sharing best practices

– The need for capacity building to enable developing countries to fully participate in CBM initiatives

– Proposals for the structure and focus of CBM discussions in the future permanent mechanism

Overall purpose/goal:

The purpose of this discussion was to review progress on confidence-building measures in cyberspace, particularly the Global POC Directory, and to gather input on how to effectively implement CBMs and structure related work in the future permanent mechanism.

Tone:

The overall tone was constructive and collaborative. Delegates expressed appreciation for progress made so far, particularly on the POC Directory, while also emphasizing areas needing further work. There was a general sense of commitment to building trust and cooperation in cyberspace through CBMs. The tone remained consistent throughout the discussion, with delegates building on each other’s points in a complementary way.

Speakers

– Chair: Chairperson of the meeting

– Germany: Representative of Germany

– Fiji: Representative of Fiji

– Republic of Moldova: Representative of Moldova

– Ireland: Representative of Ireland

– Viet Nam: Representative of Vietnam

– Egypt: Representative of Egypt

– Kenya: Representative of Kenya

– Ghana: Representative of Ghana

– Austria: Representative of Austria

– ODA: Catherine Priceman, representative from the UN Office for Disarmament Affairs

– Islamic Republic of Iran: Representative of Iran

– Tonga: Representative speaking on behalf of the Pacific Islands Forum

– European Union: Representative speaking on behalf of the EU and aligned countries

– Cuba: Representative of Cuba

– Mauritius: Representative of Mauritius

– Japan: Representative of Japan

– Kazakhstan: Representative of Kazakhstan

– Albania: Representative of Albania

– Bosnia and Herzegovina: Representative of Bosnia and Herzegovina

– United Kingdom: Representative of the UK

– Singapore: Representative of Singapore

– Russian Federation: Representative of Russia

– Pakistan: Representative of Pakistan

– Thailand: Representative of Thailand

– Republic of Korea: Representative of South Korea

– Malawi: Representative of Malawi

– Mexico: Representative of Mexico

– Vanuatu: Representative of Vanuatu

– Finland: Representative of Finland

– Malaysia: Representative of Malaysia

– Canada: Representative of Canada

– Switzerland: Representative of Switzerland

– South Africa: Representative of South Africa

– Ethiopia: Representative of Ethiopia

– Lao PDR: Representative of Laos

– North Macedonia: Representative of North Macedonia

Additional speakers:

– Secretariat: Mentioned as providing briefings and updates

Expanded Summary of Discussion on Confidence-Building Measures in Cybersecurity

This discussion focused on confidence-building measures (CBMs) in cybersecurity, particularly the implementation of the Global Points of Contact (POC) Directory and other CBMs agreed upon by the Open-Ended Working Group (OEWG). The dialogue was characterised by a constructive and collaborative tone, with delegates expressing appreciation for progress made while emphasising areas needing further work.

Key Achievements and Initiatives

The establishment of the Global POC Directory was highlighted as a significant achievement, with 116 countries now participating and nearly 300 individual POCs registered. Catherine Priceman, representative from the UN Office for Disarmament Affairs (ODA), reported on the successful ping test conducted in December 2024, which demonstrated the directory’s functionality. Several delegates, including those from Mauritius, Thailand, and Kazakhstan, stressed the need for standardised templates and protocols for POC communication to enhance its effectiveness. The upcoming simulation exercise in March 2025 to test the directory’s effectiveness was widely supported, with details provided on its purpose and format.

Many countries emphasised the importance of CBMs in reducing tensions, preventing misunderstandings, and fostering trust in cyberspace. This sentiment was echoed by multiple delegates, who noted that CBMs are essential for enhancing mutual trust and preventing conflict escalation.

Regional cooperation and sharing of best practices were frequently mentioned as crucial for successful CBM implementation. Thailand, in particular, emphasised the importance of regional cooperation, highlighting the ASEAN Regional CERT as an example. Switzerland, Thailand, and Kazakhstan suggested learning from regional initiatives and incorporating these lessons into the global CBM framework.

Capacity Building and Implementation Challenges

Numerous countries stressed the need for capacity building to enable effective implementation of CBMs, especially for developing nations. Cuba, Vanuatu, Malawi, and Ethiopia all emphasised this point, with slight variations in focus. Cuba called for technical assistance, while Ethiopia highlighted the need to address the digital divide. Lao PDR noted that capacity building itself serves as a CBM.

Ghana proposed that CBMs should be integrated into national cybersecurity policies. This approach to implementing CBMs represents one perspective on how to effectively incorporate them into national frameworks.

Future Permanent Mechanism and Structure of Discussions

Several countries proposed ideas for enhancing CBMs and structuring related work in the future permanent mechanism. Egypt suggested the need for a dedicated thematic group on CBMs, while others argued that CBMs should be cross-cutting across thematic groups. This difference in opinion on the structure of CBM discussions in the future mechanism represents an area of ongoing debate.

The European Union, Pakistan, and Canada all expressed interest in how CBMs will be addressed in the future permanent mechanism. Canada highlighted its newly published National Cyber Security Strategy and its multi-stakeholder mechanism as potential models for consideration.

Multi-stakeholder Engagement and Public-Private Partnerships

Many delegates emphasised the importance of including non-governmental stakeholders, such as the private sector and academia, in CBM efforts. Finland and Bosnia and Herzegovina both stressed the importance of public-private partnerships in enhancing cybersecurity and implementing effective CBMs. The United Kingdom, Finland, and Mexico called for exploring ways to facilitate the participation of non-governmental stakeholders.

Practical Exercises and Simulations

Several countries, including Kazakhstan and Mauritius, expressed interest in expanding practical exercises to test and improve the effectiveness of CBMs. The Republic of Korea emphasised the importance of practical exercises in cyber simulations for testing the effectiveness of CBMs in real-world scenarios.

Gender and Inclusivity in Cybersecurity

South Africa, Albania, and other countries recognised the Women in Cyber Fellowship program as a confidence-building measure that brings valuable perspectives and fosters trust. This highlighted the role of gender diversity in cybersecurity as a CBM, broadening the scope of what constitutes a CBM.

Emerging Technologies and Future Challenges

Mexico and the Republic of Korea highlighted the role of CBMs in addressing risks associated with emerging technologies like AI, suggesting a forward-looking approach to CBMs. This consensus on CBMs as tools for managing risks from emerging technologies introduced a new dimension to the discussion.

New Proposals and Initiatives

Iran proposed a new CBM related to ensuring unhindered access to a secure ICT and cybersecurity market for all states, highlighting the importance of equitable access to technology in building confidence among nations.

Unresolved Issues and Areas for Further Discussion

While there was broad agreement on the value of CBMs, with many countries expressing commitment to their implementation and further development, several issues remained unresolved. These include:

1. The exact structure for addressing CBMs in the future permanent mechanism (dedicated group vs. cross-cutting approach)

2. Specific methods for bridging the capacity gap between developed and developing countries in CBM implementation

3. Details of how to effectively include non-governmental stakeholders in CBM processes while maintaining the intergovernmental nature of discussions

4. Concrete steps for harmonising global and regional CBM initiatives

5. Addressing the challenges of inclusivity and accessibility in CBM implementation, especially for developing countries

The discussion underscored the ongoing need for dialogue, cooperation, and capacity building to strengthen cybersecurity and stability in the digital realm. It also highlighted the importance of practical implementation, inclusivity, and adaptability in developing effective confidence-building measures for the evolving landscape of cybersecurity.

Chair: Fifth Meeting of the Tenth Substantive Session of the Open-Ended Working Group on Security of and in the Use of ICTs, established pursuant to General Assembly Resolution 75-240, is now called to order. Distinguished Delegates, we will continue our consideration of Agenda Item relating to how international law applies to the use of ICTs by States, and we will continue with the speakers’ list left from yesterday afternoon. We will start with Germany, to be followed by Fiji. And after having completed the list, we will go straight into the discussions on confidence-building measures. So the floor is now open, the speakers’ list for international law is closed. We will complete the seven or eight speakers on this item before we move to the next item. I give the floor now to Germany, to be followed by Fiji.

Germany: Thank you very much, Chair, for giving me the floor. Germany aligns itself with yesterday’s statement of the European Union and would like to make the following remarks in its national capacity. Germany welcomes the opportunity to once again reaffirm, as many colleagues did yesterday as well, that international law, including the UN Charter, international human rights law and humanitarian law, is fully applicable in cyberspace. The application of those legal frameworks does not depend on the domain in which those activities take place, whether on land, at sea, north or south of the equator, offline or in cyberspace. This position has been repeatedly reaffirmed in various UN processes, including the GGE and previous open-ended working group reports. For Germany, it is vital that the final report of this open-ended working group clearly articulates the discussions we have had in this forum. The third annual progress report already clearly articulates the reaffirmation of the application of key principles of the UN Charter, such as sovereignty and the principle of non-intervention. But we also noted a growing convergence of views among states regarding other fields of international law, such as human rights law, the law of state responsibility, and international humanitarian law, and this convergence should, in our view, also be reflected in a further strengthened language in the final report. In our view, the final report should emphasize that international humanitarian law fully applies in cyberspace. The 34th International Conference of the Red Cross and the Red Crescent recently adopted by consensus a resolution on the protection of civilians and other protected persons objects from the potential human costs of ICT activities in armed conflict. This resolution explicitly recognizes that international humanitarian law rules and principles serve to protect civilian populations and other protected persons and objects, also against the risk arising from cyber operations. Germany strongly supports the inclusion of similar language to the final report of the OIG to ensure that this principle is expressed accordingly at the UN level and would like to use this opportunity to refer to the working paper submitted by a cross-regional group of 13 states on this topic in March. Furthermore, all states are already now obliged to respect their human rights obligations, both online and offline. Therefore, the final Open-Ended Working Group report should reaffirm that states must respect their international human rights obligations in cyberspace, including in areas such as freedom of expression, the right to privacy, access to information, as well as non-discrimination. Our discussions on international law at the Open-Ended Working Group are informed by our national positions on the application of international law in cyberspace. Therefore, Germany very much welcomes Colombia’s recently published national position paper on international law in cyberspace. and ongoing initiatives from other states on developing national positions on this issue. We keep on encouraging other states to publish their national position and are ready to share our own experience with developing ours. More than 100 UN member states in total have now voiced their perspective on international law via national or regional positions. This demonstrates a broad international consensus that is already existing and already provides a strong framework for states’ behavior in cyberspace. Nevertheless, we also agree with many of our colleagues yesterday that we need to improve legal capacity building. We therefore support the expansion of such initiatives, including expert briefings and scenario-based discussions, which have already proven to be highly effective, such as the UNIDIR training course on norms, international law and cyberspace, or the Italian workshop on international law and cyber operations. We have participated in both those initiatives and we have heard from many state representatives and share also their view that these discussions have contributed to significantly deepen our understanding of international law. Building on this experience, we believe that a dedicated, concrete discussion of the challenges at hand, including in relation to threats as proposed by France for the action-oriented thematic groups, would be best suited and instrumental to also further the deliberations in our group in the framework of the Future Permanent Mechanism. I thank you, Chair.

Chair: Thank you very much, Germany. I give the floor now to Fiji to be followed by the Republic of Moldova.

Fiji: Thank you, Chair, for giving me the floor. Fiji wishes to first and foremost align our statement with the statement delivered by Tonga on behalf of the members of the Pacific Islands Forum yesterday. I would like to add a few remarks in our national capacity. Chair, in addressing the issue of international law in this context, Fiji would like to recall the principles underscored in the Pacific Islands Forum Leader’s Declaration of 2024 regarding the Ocean of Peace concept. The concept of oceans of peace, which my country supports and advocates, is not merely another rhetoric, but one which embodies international law at heart. It has a deep-rooted meaning in the Pacific and beyond that will bring home the principles under this thematic focus area on international law. I would like to remind that the title of Chapter 6 of the UN Charter, titled as The Pacific Settlement of Disputes, should not be a surprise. Let me share these four principles under the Pacific Oceans of Peace Initiative. First, the need for a shared commitment to the peaceful resolution of disputes based on the Pacific way or Pacific settlement of dispute, of bringing nations together to find common ground, manage disagreements, and reduce tensions. Second, respect for international law and norms, non-interference in the internal affairs of states. Third, rejection of coercion as a means to achieve security, economic, or political advantage. Fourth, states have the right to self-defense and the freedom to determine its security policies and strategic relationships. Chair, these four principles are interwoven into Fiji’s foreign policy white paper with a view of enhancing security cooperation and peaceful coexistence in various fields to maintain regional and global stability, including in the field of cybersecurity. Chair, please allow me to say a few remarks in relation to the cross-regional group statement. Now, Fiji would like to thank Thailand for delivering the statement on behalf of a cross-regional group of states, including Fiji, on the republished paper on international law. Fiji reaffirms our commitment, as outlined in the cross-regional paper, and notes that it draws from consensus language in the previous General Assembly resolutions. The paper forms a number of pertinent language which is a good basis to be considered and included in the final report of our group. To further demonstrate our commitment to this important component of our cumulative and evolving framework, last month Fiji hosted a regional training on international law, norms, and cyberspace for Pacific Island states with the United Nations Institute for Disarmament Research, UNIDIR, and supported by Australia. Now through scenario-based discussions and expert briefings, government representatives from the Pacific explored how the principles of international law apply in cyberspace, strengthening our collective understanding and capacity in this evolving domain. And we see these types of tailored building, capacity building initiatives as confidence building measures as well. We also thank the countries and most recently Colombia and regions for sharing their common positions which are helping us think about the different considerations as we actively work on our national position paper on international law. Finally, Chair, Fiji remains committed to international cooperation in shaping a cyberspace that is accessible, open, reliable, peaceful, and secure. And we look forward to and remain engaged in the next process towards our permanent mechanism. Thank you and thank you.

Chair: Thank you very much, Fiji, for your contribution.

Republic of Moldova: Thank you, Mr. Chair, for giving me the floor. Esteemed colleagues, I appreciate the opportunity to contribute to today’s discussions on the application of international law to cyberspace because this issue is of paramount importance as we navigate an increasingly interconnected world where malicious cyber activities are on the rise, challenging both the sovereignty of states and the stability of global order. The application of international law to cyberspace remains an evolving process, but the principles set out in paragraph 39 of the third APR provide a firm foundation. To build on this understanding, we must emphasize the principles of sovereignty, non-intervention, due diligence, and the prohibition of the use of force as essential pillars. As highlighted in the European Union’s Declaration on the Common Understanding of International Law in Cyberspace, state sovereignty in cyberspace involves states exercising jurisdiction over ICT infrastructure within their territories, ensuring that harmful cyber activities do not spill over into other states’ jurisdiction. We must also address the importance of due diligence in ensuring that states do not allow their infrastructure to be used for malicious cyber activities. This is an obligation not just of result but of conduct, requiring states to take proactive measures to prevent activities that could harm other states. Furthermore, discussions should explore how the principle of non-intervention applies to cyberspace, with a particular focus on the prohibition of coercive cyber activities that infringe upon another state’s sovereignty. As Switzerland emphasized last year and other delegates pointed out, we are not starting from scratch. We have the valuable work of the GGE and the Open-Ended Working Group reports, along with an increasing number of national and regional cross-regional positions that help us interpret and understand how international law applies to ICTs. The growing body of national and regional positions is vital in enhancing our collective understanding, identifying where positions diverge, and, importantly, where there is significant convergence. Additionally, I would like to emphasize the Republic of Moldova’s commitment to the United Nations Framework for Responsible State Behavior in Cyberspace, reaffirming that international humanitarian law and international human rights law must be fully applicable to cyber operations, ensuring that human rights are respected in this digital realm. We must further clarify how these legal frameworks can be effectively applied to new cyber threats without contributing to the militarization of cyberspace and legitimizing of cyber warfare. As many countries in this meeting have demonstrated their support for various capacity-building initiatives, whom we thank, more must be done to help states develop the legal, technical, and diplomatic capacity to address cyber threats within the framework of international law. Expanding access to educational resources, technical assistance, and diplomatic expertise is crucial for ensuring that all states are able to effectively navigate the challenges of cyberspace governance. The creation of accessible, inclusive platforms for training and knowledge sharing, whether through the UN, regional organizations, or other multilateral institutions, can help bridge the digital divide and ensure that states have the tools necessary to uphold their international legal obligations. As we move forward in our discussions, it is essential that we remain committed to upholding international law in cyberspace. The principles outlined in the EU’s declaration provide a clear and practical roadmap for the application of international law in cyberspace, ensuring that we maintain stability, security, and respect for human rights in the digital age. In its efforts to actively contribute to shaping the future permanent mechanism, in this domain at the United Nations, the Republic of Moldova has joined the cross-regional group of states which proposed the text presented on behalf of the group by my esteemed colleague from Thailand yesterday for conclusion in the 2025 Final Report at the International Law Section. We emphasize the importance of continued discussions, including through structured and scenario-based exchanges, to enhance legal clarity and build capacity of all States. We look forward to seeing these efforts reflected in the 2025 Final Report and to furthering cooperation in this crucial area. Thank you, Mr. Chair.

Chair: Thank you very much, Moderator, for your statement. Ireland, to be followed by Vietnam.

Ireland: Go raibh maith agat, go raibh maith agat, go raibh maith agat. Thank you, Mr. Chair. Ireland aligns itself with the statement of the European Union and we would like to make a number of further remarks in our national capacity. We’ve come a long way over the lifetime of the OEWG in advancing our collective understanding of how international law applies in cyberspace. It is particularly notable that over half the UN membership has published formal position papers, whether individually or collectively. We wish to warmly commend Colombia on the publication of their national position. We would consider it important that the OEWG’s Final Report acknowledges the significant number of individuals and regional positions published to date and their contribution to advancing our understanding of how international law applies in the use of ICTs. I thank the Chair for noting this already. Mr. Chair, it has been agreed in all three APRs that the OEWG’s discussion on international law should focus not just on identifying areas of consensus, but also areas of convergence. If we cannot agree certain consensus language in the Final Report due to the objections of a small number of states, it is essential that, at a minimum, areas of significant convergence be recognised. In particular, we call for language on the applicability of international humanitarian law in the cyber context, as well as the need to comply with obligations under international human rights law online, just as offline. In this regard, we reiterate our strong support for the cross-regional working paper on areas of convergence presented yesterday by Thailand. We also call for an acknowledgement in the final report of the important resolution adopted by consensus at the 34th International Conference of the Red Cross and Red Crescent on protecting civilians and other protected persons and objects against the potential human cost of ICT activities during armed conflict. As others have already noted, some of the resolution’s language may be usefully drawn upon for the purposes of the final OEWG report. Mr Chair, turning to the future permanent mechanism, we fully support the inclusion of international law as a pillar of the new framework. It is important that the new mechanism allows States to continue to consider how international law applies and the use of ICTs in the most effective way possible. International law should be a substantial part of the plenary discussions afforded an equal amount of time to other pillars. Ideally, approximately one full day should be devoted to consideration of international law at each annual plenary session. A number of States, in particular France and Canada, have outlined how international law could be effectively incorporated into the work of a small number of dedicated, cross-cutting thematic groups. We support these proposals, which would allow us to build common understandings on how international law applies with a practical, action-orientated approach. Like others, we do not consider that a thematic group on international law is necessary or desirable. Our concern would be that such a group could be stifled by being overly outcome-focused and that it would duplicate efforts and divert resources and attention from more dynamic engagement on legal issues within the other thematic groups. We also see difficulties in combining international law with consideration of norms and principles of responsible State behaviour. It is essential that we maintain a clear distinction between these areas and to do otherwise risks creating confusion, uncertainty and undermining international law. We also wish to emphasise that the work of the Future Permanent Mechanism should be focused on considering how existing international law applies in the use of ICTs. Proposals for additionally legally binding obligations remain a minority position, and this should be reflected in the mandate of the future mechanism. Finally, Mr Chair, we wish to reiterate our support for a future mechanism that is designed in such a way as to facilitate attendance by legal experts from capitals, so that the international law elements of our work receive appropriate expert input. In closing, Mr Chair, we wish to assure you of our full support in guiding us towards a successful conclusion of the OEWG’s work on international law. Thank you.

Chair: Thank you Ireland for your statement. Vietnam to be followed by Egypt.

Viet Nam: Mr Chair, Vietnam reaffirms that the existing international law applies to cyberspace and ICTs. It is essential that States uphold the fundamental legal principles in their cyber activities, particularly the sovereign equality, the peaceful settlement of disputes, and non-interference in the internal affairs of other States. We support continued discussion on this topic in the future mechanism. Furthermore, the future mechanism should keep the momentum for the progressive quantification of international cyber law and have a concrete outcome of this topic, such as a guideline or declaration or a set of understandings on the application of fundamental norms in cyberspace. A shared understanding on how international law applies to cyberspace is crucial. While Vietnam continues formulating our national position, we believe that voluntary exchanges of national and regional perspectives on the implementation of international law, norms, and responsible state behavior will help identify the areas of of convergence and divergence, ultimately fostering greater international consensus. In this regard, we are pleased to co-sponsor for the working paper on the areas of convergence on international law. And in it, there is a group of states, including Australia, Chile, Colombia, the Dominican Republic, El Salvador, Estonia, Fiji, Kiribati, Moldova, the Netherlands, Papua New Guinea, Thailand, Uruguay, and Vietnam. And we support the inclusion of such agreements in the final report. Mr. Chair, we recognize and encourage the further capacity building initiatives that enhance the understanding of international law in cyberspace. We condemn the irradiance workshop on international law, norms, and cyberspace held in Thailand last January as a valuable contribution to these efforts. Finally, we would like to take this opportunity to extend the invitation to all OEWG delegates to the side event, The Road to Hanoi, open for signature of the UN Convention Against Cybercrime, co-hosted by the Permanent Mission of Vietnam and UNODC, and co-sponsored by Australia at conference room yesterday from 1.15 PM. We will present the up-to-date arrangements for the signing ceremony of the first ever United Nations legal instrument on cyberspace. I thank you for the kind attention.

Chair: Thank you very much, Vietnam, for your statement. Egypt, to be followed by Kenya.

Egypt: Thank you, Chair. So in the spirit of brevity, which you had been calling for yesterday, my statement is limited to two points. The first is on substance, and the second is on procedure. So on substance, my only comment is to say that Egypt’s position is entirely aligned with the common African position in its full depth and breadth. on questions of process. We firmly believe that we need a dedicated platform on international law in the permanent mechanism. The exact modalities, mandate, structure, those are things we can talk about and I’m absolutely sure we can reach consensus on those issues. And whether that platform would be dedicated to scenario-based discussions or doctrinal discussions, that’s also a matter that we can reach consensus on. In fact, our view is that these two things are complementary. They’re not mutually exclusive. And in fact, they have to come together. You have to have scenario-based trainings, practical application discussions on how the doctrine applies in the real world. But more importantly, why do we need a dedicated platform for international law? Really for the following simple reasons. First, the conversation of international law in cyberspace is fragmented. It’s happening in multiple forums that sometimes don’t really talk to each other. So we have an incredibly fruitful conversation that is led by the ICRC, like the 34th International Conference of the Red Cross Red Crescent Movement, which Egypt wholeheartedly supports and endorses. That’s one forum. You have regional organizations that are having a different conversation and issuing regional decisions or regional common positions or regional understandings. Then you have national positions, but you also have international law being created by unilateral action by states. That terrain is too fragmented. And the second reason is we simply have no other forum. There’s no other place at the United Nations where we can have a conversation on international law and cyber. As maybe the few legal advisors in the room know, the Sixth Committee is a barren land. It’s very difficult to get anything done or to have any constructive conversations there. And so to put it simply, what we need is a place where we can have a synergy and a consolidation to be able to reach common understandings on how international law applies. And then finally, the reason we need this platform is sort of a strategic reason, which is. This conversation on international law and cyber is incredibly important. It’s reshaping the content of international law. It’s reshaping its trajectory. And so we need to have a place, a space within the United Nations where we have a multilateral conversation with the participation of stakeholders. We need the incredibly important voice of non-state voices who are able to inform this conversation. So that’s the strategic reason. This conversation is changing all of international law, and it would be a loss. It would be, we would be abdicating part of our responsibility to make sure that cyberspace remains peaceful and open and secure. International law is one of the tools, and I don’t see any incompatibility between having a dedicated platform in international law with having law conversations in other thematic groups because that’s the nature of law. It’s pervasive. It applies to all areas of conduct. Thank you, Chair.

Chair: Thank you. Thank you very much, Egypt, for your contribution. Kenya, to be followed by Ghana.

Kenya: Thank you, Chair. Kenya underscores the importance of common understanding on the application of international law in the use of ICTs. The continued publishing of detailed and specific national and regional position papers on this subject matter is essential. As has been said by numerous delegations, capacity building for states to enable them elaborate their position on applicability of international law is a practical way to move discussions forward. The proposed United Nations Voluntary Fund to support capacity building, if operationalized, will bolster state-led initiatives. Further, the proposed global ICTs security cooperation and capacity building will offer a platform for nations to share good practices on the provisions and application of international law in complementarity with national legal frameworks. To build uniformity in application of principles of international law in various contexts, states may consider continuing discussions on international law in the future permanent mechanism to further enhance. cyber resilience. I thank you Chair.

Chair: Thank you very much Kenya. I give the floor now to Ghana to be followed by Austria.

Ghana: Thank you Mr. Chair for giving me the floor. Mr. Chair, further to the discussion on international law during the ninth substantive session of the OEWG, Ghana reaffirms its full commitment to the common African position on the application of international law to the use of ICTs in cyberspace. To this end, Ghana believes that as we seek to forge convergence on the principles that touch on the applicability of international law to the use of ICTs, we must perforce embrace the well-established and relevant principles of international law as well as the Charter of the United Nations. These include respect for the sovereignty of states, non-interference in the internal affairs of other states, the need to conform to peaceful means for the settlement of disputes in cyberspace, and the prohibition of the threat or use of force as situated in Article 2.4 of the Charter. In recognition of the damaging consequences of the misuse of ICT on entire populations or individuals, Ghana affirms the applicability of international humanitarian law in cyberspace and believes that even in the instances of disputes either deriving from cyber warfare or actual physical warfare, it is necessary to preserve critical services to populations and the integrity of critical infrastructure within full accordance of established legal concepts such as humanity, necessity, proportionality, and distinction. Furthermore, Ghana underscores the importance of international human rights law in cyberspace, the rights and freedoms individuals enjoy offline must be upheld online as affirmed by the UN Human Rights Council. These include the right to privacy, freedom of expression, and protection from arbitrary surveillance. These rights are integral to maintaining trust in the digital space and ensuring the responsible conduct of states in cyberspace. Mr. Chair, Ghana continues to believe that further constructive discussions are required in the area of due diligence to better define how wrongful acts attributable to a state can be expressed in a manner that engenders common understanding. The area of state responsibility and attribution of wrongful acts is also corollary to the principle of sovereignty. Although on account of its cooperative and shared nature, the operationalization of this principle in relation to cyberspace must be carefully framed to avoid unintended consequences. Before closing, let me mention in the light of the evolving offensive posture of cyber operations by some, Ghana is of the view that an effective response in that area of concern should be prioritized or should prioritize efforts to strengthen the global resistance of such operations that affects national security and international stability. Finally, as we look forward to further engagements with other delegations, my delegation emphasizes the need for continued engagement and capacity building to address the myriad of technical, legal, and political issues arising from our shared aspirations regarding the applicability of international law. Indeed, the effective implementation of international law in cyberspace requires multi-stakeholder cooperation. We would encourage the inclusion of academia, civil society, the private sector, and technical communities in advancing our collective understanding of cyberspace governance as each community has a unique role to play. Additionally, platforms that facilitate dialogue between these stakeholders will be essential in building legal expertise, promoting accountability, and ensuring the responsible use of ICTs. We believe that discussions on how international law applies to the use of ICTs should be a priority for the international community within the future mechanism. I thank you.

Chair: Thank you very much, Ghana, for your contribution. Austria, please.

Austria: Mr. Chair, Austria fully aligns itself with the statement delivered by the EU and would like to make some additional remarks in its national capacity. Let me start by reaffirming a view that international law as a whole, including the UN Charter, international human rights law, and international humanitarian law, applies to state cyber activities. Austria welcomes the increasing number of national and regional positions on the application of international law to cyber activities that have been published so far. We are confident that more states will follow, and we look forward to studying all future contributions with great interest. In this context, we want to join others in congratulating Colombia on the recent publication of its national position paper. We are particularly delighted to see clear emphasis on international humanitarian law and its core principles therein. Similarly, we acknowledge the cross-regional paper presented by Thailand yesterday and co-sponsored by 13 other states. This paper sets out further common ground. Mr. Chair, as many other states, we believe that this OEWG has achieved great progress, particularly on international humanitarian law. Therefore, we would like to see a clear reference to IHL in the final report to properly reflect this progress. Affirming the applicability of IHL to cyber activities in connection with an armed conflict does not encourage or legitimize cyber warfare. Austria would like to echo Brazil, the Kingdom of the Netherlands and many other states that have drawn our attention to the resolution adopted during the 34th ICRC Conference in autumn last year. We consider this resolution as a step in the right direction and that agreed language on the applicability of IHL to cyber activities could be drawn from there for the final report. Finally, with respect to the future permanent mechanism, Austria, as many others, sees international law as a priority. We firmly believe that discussions on international law must be scenario-based, practice-oriented and separated from discussions on voluntary non-binding norms. We agree with Canada that trust and good faith among states are and will be crucial for the success of our work. Austria remains confident that we will be successful in fulfilling our mandate and meaningfully continuing our work in the future. My delegation remains committed to this issue and thanks you again for the opportunity to share our views on these important matters. Thank you.

Chair: And updates on recent developments, including updates in the form of cross-regional papers, as well as updates since the adoption of the Annual Progress Report in July, updates in terms of the resolution adopted by the ICRC regarding international humanitarian law, which many of you have also echoed. But it is also quite clear that on international law, the ground has not shifted fundamentally. of delegations are fundamentally similar to what they have been for some time. And therefore, it is important that in the final report of the Open-Ended Working Group, we find a way to capture the richness of the discussions, the updates and the developments, even as we respect that positions may not have fundamentally shifted. And I think it’s important that the final progress report reflects the reality of the landscape with regard to international law, reflects the state of the discussions as we have had it in this working group over the last few years, and also reflect the commonalities where we have them, and also reflect the ideas that might have been surfaced even if we are not yet in the position of reaching consensus. So that, I think, is what we need to do with regard to international law in the final report. It’s important that we reflect the state of the discussions so that the future permanent mechanism can build on the discussions we have had, but more importantly, can build on the understandings we have built in this process over the last few years. And I also agree with a lot of the comments that have been made that over the last few years this working group has provided a space for lawyers to come here. express their views, but also talk to each other. So build that common understanding or help to build that common understanding and in the process also build a certain level of confidence and trust with each other. Now building confidence and trust is is always a constant work in progress because there’s always more confidence to be built and it is therefore important that the future permanent mechanism takes the bet on from where we leave things in July. Hence the need to capture the richness of the discussions with regard to international law. I think with regard to how we organize the discussions on in the future mechanism, my sense is that everyone is of the view that a discussion on international law is important and urgent and is a matter of priority. So the future mechanism will have to continue that discussion on international law. Everyone also agrees that we need to go deeper into international law in order to precisely have that common understandings on how international law applies in cyberspace. The debate or difference in position relate to how we structure the discussions in the future permanent mechanism with regard to international law. Everyone seems to think that we need to allow for more time. The question is how do we allow for more time in a way that will build understandings with regard to how international law, but there is also a difference of views as to whether there should be a separate space, a separate platform, as opposed to a cross-cutting space where the issues of international law are discussed in the context of other issues. That seems to be the debate. How best to organise the discussions on international law in the future, permanent mechanism, and that comes back to the structure of the dedicated thematic group. So we will take up those issues under regular institutional dialogue, but I thought that many of you in a sense got into that discussion on regular institutional dialogue in the context of international law because there are a range of views on how we should structure the discussions on international law. And of course I think we can find consensus in terms of organising our discussions on international law in the best way possible that will build on what we have done here, but also allow for time, but to have a discussion in a way that everyone is comfortable. And so those are some thoughts I have, and perhaps at this stage we can make the shift to the next agenda item, which is confidence-building measures. And I have received a request from the delegation of the Islamic Republic of Iran, which wishes a working paper that it has submitted with regard to CBMs, and in keeping with the practice of our working group, I’ll give them the floor. If there are others who wish to present any particular proposals or paper, I’m also happy to give them the floor. And then we will open the speaker’s list, so please feel free to press the buttons now. We’ll start with the delegation of Tonga, which is making a speech or statement on behalf of the Pacific Islands Forum. So if you’re presenting any particular paper, please indicate to us. Thank you very much, Secretariat. I think I was reminded that I forgot to say something. So yeah, so what we will do now is, of course, we’ve opened the discussions on confidence-building measures. We’ll start with a presentation from the Secretariat, from ODA, Catherine Priceman, who will give us a short briefing on the points of contact directory, the ping test, and the simulation exercise, which is being planned. So we’ll start with a briefing from the Secretariat, and then Islamic Republic of Iran, and then Tonga. And then we’ll go over the rest of the speaker’s list from there. So thank you, Catherine, for your presentation, and over to you, please.

ODA: Thank you very much. Mr. Chair and good morning, dear colleagues and friends. I’m pleased to provide a short briefing on developments related to the Intergovernmental Points of Contact Directory. Firstly, on the outcome of the latest ping test and the communication check, as well as the planned simulation exercise. So firstly, in the second annual progress report, of course, adopted by consensus in July, 2023, the Open Ender Working Group decided to establish the POC directory. And in the annex of those modalities related to directory maintenance, the directory manager, UNODA, is requested to conduct, quote, ping tests every six months to verify information in the directory. As part of the ping test, POCs will be contacted by us, the manager, and requested to respond with a message indicating receipt within 48 hours. In the absence of a response to the ping test, the directory manager would make every effort to contact the relevant authorities to encourage them to update their information. So pursuant to this request, UNODA has so far conducted two ping tests in 2024. The first was on the 10th of June, and the second was on the 10th of December. The methodology of the ping test was such that an email was issued from our dedicated email address, which I apologize is quite complicated with lots of letters, but it’s a dedicated email for the POC to all diplomatic and technical POCs registered. So for those that did not respond on behalf, as in the capacity of POC, a note verbal was issued to the permanent mission, the respective permanent mission, indicating the outcome of the ping test. And of course, this is not to censure any state in particular, but just to inform of the outcome and ensure that there should be any updates to the contact information. So in terms of the results, bearing in mind 10 December is quite close to Christmas holidays, we apologize for that. But nonetheless, a total of 112 states at the time were registered with 281 individual POCs registered, and of the 281 POCs, 179 responded by the 48-hour deadline, 22 responded after the deadline, and 67 did not provide a response. So 46 states, all POCs responded, 46 states some but not all responded, and of 20 states, none of the POCs responded. As of today, we have 116 states and just under 300 POCs registered. So again, the point of these ping tests is not to censure any states with no verbals or formal demarche, but just to make sure that that communication gets to the right place and the information is up to date. So we will be doing these ping tests, of course, going forward every six months. We will not be announcing the exact time, of course, to simulate real-world communication. So we thank you in advance for your cooperation. And please do put that email address in your known context, just to make sure it doesn’t go to junk mail. And so just a brief word then on the scenario-based exercise, which is part of the Dedicated Assistance Plan for Capacity Building Activities for the POC Directory. That was included in the second annual progress report. So, first, this will be convened by our chair, of course, for points of contact in March 2025, so next month. And we are, as UNODA, are supporting the chair together with our partners, UNIDIR and ITU. An invitation was issued to all missions from the High Representative for Disarmament Affairs dated 23 January. So if you do not have that communication, please do let us know. And it indicates that the POC simulation will take place over a three-hour time period via virtual platform, again, to simulate the kind of communication between POCs that would take place. And member states that have already nominated their POCs will be invited to designate up to two POCs to participate in the exercise. And participants are requested to participate as either diplomatic or technical POCs. And should a POC be designated both roles, to kindly choose which profile in which they’d like to participate. For member states that have not yet nominated a POC, they are invited to participate in the simulation. But kindly specify, again, either technical or diplomatic role. To accommodate disparate time zones, the simulation will be held over several sessions. So you’re invited to participate in one session. We will have two sessions for Americas, Europe, and Africa. And two sessions for the Asia-Pacific colleagues. Those dates are Monday, 10 March, Tuesday, 11 March, Monday, 17 March, and Tuesday, 18 March. Again, all of this is in the invitation letter. So again, if you haven’t had a chance to see that, please let us know. The simulation, just a word or two on the exercise, it will allow participants to experience the practical aspects of participating in the global directory and better understand the roles of diplomatic and technical POCs. The simulation will be conducted in English. We apologize for the lack of multilingualism. We are hamstrung by certain logistical and financial challenges. Representatives of UNODA, UNIDIR and ITU will be in a supportive role as facilitators and it will all be based on a fictional incident related to ICTs and participants will have the chance to establish communication with other participants to exchange information simulating how information would be collected between POCs in this in the fictional circumstances. So again we invite member states to to please register their POCs. We will be conducting registration via online link which is also in the letter and we’ve set a deadline for the 25th of February which is next week and we very much look forward to this being the first of future simulation exercises that I’m sure this first time will give us many lessons learned to enhance and improve those exercises in the future and we’re grateful to our partners UNIDIR and ITU for their indispensable support for this exercise. Thank you very much Mr. Chair for the opportunity.

Chair: Thank you very much Catherine for all the hard work. Thank you also to UNIDIR and ITU for their assistance. I think this is an excellent start to the POC directory. We can recall that we had only established it Fairly recently, we now have 116 countries which have nominated or designated points of contacts, and we have had two ping tests, as Catherine just briefed us, and we are planning a simulation exercise, as we had agreed, and this is to be done in March. The numbers in terms of the response to the ping test are good but can be better, of course, but this will come with continued raising of awareness of these ping tests and the work of the POC directory as each one of us update and brief our own systems and institutions back in our capitals. So I would encourage all of you to do that, so that the next ping test would see an increased level of response and participation, plus, of course, the upcoming simulation exercise will give everyone an opportunity, our officials back in capital, to be engaged and contribute to the gradual strengthening of this mechanism that we have, the POC directory, which fundamentally is an exercise in building confidence, building channels of communication, so that it will serve us, if needed, with a view to building trust and confidence and managing situations of conflict, or avoiding situations of conflict. So, thank you very much for that, Catherine. So, let’s go to the Islamic Republic of Iran, to be followed by Tonga.

Islamic Republic of Iran: Thank you, Mr. Chair, for giving me the floor to present our working paper on CBMs. Mr. Chair, many states from various cross-regional groups within the OEWG format and beyond have consistently emphasized the importance of access to ICT technology, products, and services by all states, particularly developing countries. This access is critical to bridging the digital divide and achieving sustainable development goals. The international community also recognizes the role of a secure supply chain as a crucial component of cybersecurity. Part 19 of the third annual progress report acknowledged concerns regarding the exploitation of ICT products vulnerabilities and the use of harmful hidden functions, noting the significant ICT threat posed to the integrity of supply chains. As the group approached the conclusion of its mandate and based on the extensive discussions among member states, my delegation, during the last OEWG session, proposed new language to be incorporated as an additional measure to the existing non-exhaustive list of voluntary CBMs. Following this proposal, we submitted a working paper on 10 February 2025, elaborating on different perspectives of the proposed language. Our proposed CBM emphasizes cooperation among states to ensure unhindered access to a secure ICT and cybersecurity market for all, fostering global trust and confidence. The proposed language is aimed at highlighting the role of a secure ICT and cybersecurity market and a healthy and resilient society. supply chain for related products in enabling states to implement integrated cyber risk management effectively. It also underscores the need to address and mitigate the risk associated with compromised products. Indeed, implementing an integrated cyber risk management is crucial to managing cyber security risk across an entire system. Meanwhile, countries’ capability to take this approach relies on their access to essential tools throughout all stages of system design and operation. Maintaining secure access to the supply chain is crucial in achieving a healthy design system as it involves third-party vendors and partners who can be potential entry points for cyber attacks. Relying on trustworthy suppliers and adhering to international security standards are critical to maintaining a secure ICT market. A secure supply chain is protected against any factors, attributes, or exposures that could increase the risk of emerging vulnerabilities, including those stemming from both technological and human risks. Obstacles to global information and communication supply chain and product trade would involve unauthorized vendors and create unwanted loopholes in systems, ultimately endangering global trust and cooperation. Therefore, adopting a proactive approach to managing these risks not only protects the assets and reputation of individual systems, but also strengthens resilience against the constantly evolving ICT threat landscape. Effective cyber risk management fosters robust ICT security measures, creating a safer digital environment. enhancing international cooperation and strengthening a country’s resilience and capacity to adhere to international standards. Consequently, it can enhance confidence among states in participating in digital transactions and collaborations, thereby promoting greater trust on the international stage. Therefore, we believe it is essential that the confidence-building measures developed within the current OEWG reflect this reality. We hope this will be acknowledged in the final report as an additional CBM. We kindly request all delegations to review our working paper, which provides detailed insights into the language and definitions. Our delegation remains fully available and flexible for further discussions on the proposed CBM’s wording. I thank you for your kind attention.

Chair: Thank you, Islamic Republic of Iran, for your paper and your presentation. I would also welcome other delegations to respond and give their views on the proposal just made. I give the floor now to Tonga, speaking on behalf of the Pacific Islands Forum, to be followed by the European Union.

Tonga: Thank you, Chair. Thank you, Chair. I have the honor of speaking on behalf of the member states of the Pacific Islands Forum with a presence here in New York. We would like to express our thanks to the Chair and Secretary for the operationalization of the Global Points of Combat Directory. The directory demonstrates how information sharing can make a direct contribution to strengthening security and stability in cyberspace and represents a valuable signal of our joint commitment to building confidence. While there is still work to do, the directory is an important step in supporting better communication and co-alternation of efforts. all levels and between and across diplomatic and technical sectors. The directory acts as a mechanism to support the sharing of information to prevent, detect, respond to and recover from urgent and significant cyber incidents. We look forward to the tabletop exercise next month to assist states in their use and operationalization of the directory. More broadly, we would like to reiterate the importance of ongoing exchange of best practices and lessons learned in cyber confidence building, including examples of the development and successful implementation of CBMs in the regional context. Supporting inclusive dialogue and sharing best practices enhances mutual understanding and security in cyberspace. The sharing of best practice also supports capacity building within the AWIC and is an important confidence building measure. This forum also serves as a confidence building measure and in this regard we express the need for all stakeholders, regardless of size or resources, to be able to participate in an inclusive manner and on equal footing. We look forward to continuing to work constructively with you all and all member states on how to integrate CBMs in the future permanent mechanism, including the participation of all delegations in an inclusive manner and on equal footing. I thank you, Chair.

Chair: Thank you. Tonga, European Union to be followed by Cuba.

European Union: Chair, I have the honor to speak on behalf of the EU and its member states, the candidate countries North Macedonia, Montenegro, Serbia, Albania, Ukraine, the Republic of Moldova, Bosnia-Herzegovina, Georgia, and the EFTA country Norway, member of the European Economic Area, aligned themselves with this statement. I speak on behalf of 36 states. It’s worth noting that in just the past year alone, we have made significant progress in launching concrete initiatives to contribute to trust and confidence, such as developing and operationalizing the Global Point of Contact Directory, thanks to you. And additionally, we have adopted several confidence-building measures at the global level. We have observed how incremental steps can foster dialogue between states. And these measures are crucial for deepening common understandings, preventing misunderstandings, reducing the risk of misperception and escalation, and increasing the predictability of state behavior, ultimately contributing to greater stability in cyberspace. EU member states have fully engaged with the operational requirements of the Global Point of Contact Directory, as we believe it truly represents a valuable signal of our joint commitment. We would also like to add our voice to the calls that encourage all member states, where they can, to nominate their own POCs as soon as practicable. We note our thanks once more to you, Chair, and to the Secretariat, for taking such clear leadership on this initiative. The EU has made a peaceful development of cyberspace a key priority for its EU cybersecurity strategy. This includes supporting regional confidence-building measures processes, advancing bi-regional dialogues, and working towards a stable and secure cyberspace by consistently providing funding for capacity-building and partner countries. For example, in line with CBM6, the EU continues to deliver and support a variety of capacity-building programs related to ICT security. Currently, the EU is working with partners on 21 projects with a value of over 100 million euro. And we will continue to invest, recognizing that capacity-building is an essential pillar of security and stability in cyberspace. of the current open-ended working group, as well as the future mechanism. In support of CBM 7, the EU and its Member States have stepped up their efforts to protect critical infrastructure from ICT threats, including with new regulation. Most visible examples are the Network and Information Security Directive 2 and the announced revision of our Blueprint for Cyber Crisis Management. We look forward to continuing to share our best practices and lessons learned in multilateral and regional fora, as well as through our capacity-building and engagement and dialogues. In particular, we have observed that cooperation through consultations and engagement at all levels can improve understanding, transparency and reduce distrust between States, supporting the peaceful resolution of cyber incidents. Moreover, we see a need to ensure the implementation of CBMs, including under the Future Permanent Mechanism. In this, we see a need to implement the CBMs in a cross-cutting and actionable way, such as agreed in the third APR, discussing the applicable CBMs in each working group alongside the other pillars, with a focus on effective implementation. And that should ensure that we address all the challenges at hand. We also believe that connecting the PUC Directorate with the Future Mechanism is crucial for ensuring its long-term sustainability and ownership. The EU supports the approach of learning from experiences at regional level, and we therefore welcome the presence of representatives from regional organizations, as they can make valuable contributions to our discussion. Promoting such exchanges is also one of the objectives of the OSCE CBM 12, which the EU adopted alongside Switzerland, North Macedonia and Poland. And we will also continue our work with Singapore on CBM 3 on the protection of critical infrastructure in the ASEAN Regional Forum. We should also aim to leverage the significant technical and organizational expertise of relevant actors. in the private sector and civil society to ensure that CBMs are developed and implemented with input from the appropriate stakeholders. One way to benefit from the specialized knowledge and expertise of these non-state actors is by sharing current threat information which can inform both present and future confidence-building initiatives. Another approach to incorporating stakeholders and the private sector into our work on CBMs would be to expand the POC directory. Building these linkages is essential for ensuring that CBMs are fit for purpose and as effective as possible in our efforts to maintain international peace and security in cyberspace. Thank you very much.

Chair: Thank you very much European Union for your statement. Cuba to be followed by Mauritius.

Cuba: Mr. Chairman, we agree that this open-ended working group is in and of itself a confidence-building measure. Its results demonstrate the shared interest that exists in maintaining dialogue around security and the use of ITCs open. The very same spirit should prevail as we seek to establish a future mechanism which will build on the work of this group and for the functioning of that mechanism. One of the most significant results of this open-ended working group was the creation of an intergovernmental global POC directory. We have the challenge of ensuring that that directory is genuinely effective, such as to allow expeditious communication between states should cyber incidents occur. It should also allow adequate processing of information that is exchanged so that it makes a genuine contribution to building confidence. In our view, the directory could be linked to the global portal for capacity building in ICT security. The design of that portal is something that Member States together are working on. As such, we agree with what is said in the initial report issued by the Secretary regarding the proposed portal, insofar as the fact that that portal can act as a central access point and a core knowledge hub for resources related to the future permanent mechanism, such as the Points of Contact directory. In order to forge ahead with the operationalisation of the directory, we need to agree upon a clear protocol which defines the content of the information to be exchanged, as well as the circumstances in which such information exchange would take place. We also need to establish the equitable conditions which would govern that information exchange. This is a question that could form part of the discussions we are to hold under the confidence building measures pillar in the future permanent mechanism for institutional dialogue to take place periodically. At the same time, in line with the previous OEWG reports, we advocate the continuation of work on the establishment and implementation of additional confidence building measures. We emphasise that there is a need for measures which foster cooperation and capacity building. This is particularly true for measures to narrow the digital divide and measures to guarantee equitable access to ICTs. We cannot ignore the fact that the effective implementation of CBMs requires us to It is vital that those countries receive capacity-building assistance, as well as technology transfer, so that they are able to fully participate in the Global Points of Conduct Directory, as well as in other CBM initiatives, and in general, so that we can guarantee security in the use of ICTs. With this in mind, we take note of new proposals for confidence-building measures that have been presented by other delegations and which are worthy of due consideration. Moreover, we must eradicate all of the obstacles and unilateral coercive measures currently in place imposed against developing nations, measures which limit their capacities to build cyber security and which hinder international cooperation. The most unequivocal way that we could build trust would be to eliminate such UCMs. To conclude, we should underscore that confidence-building measures, despite the fact that they are useful, cannot substitute the use of ICTs or circumvent the need to apply binding norms to ensure the peaceful and safe use of ICTs. It is only through the establishment of an obligatory normative framework that we will be able to build a cyberspace of benefit to all states. Thank you very much.

Chair: Thank you very much, Cuba, for your statement. Thank you very much, Cuba, for your statement. Mauritius, to be followed by Japan. Thank you.

Mauritius: Distinguished Chair and colleagues, good morning. The effective implementation of confidence-building measures in cyberspace is crucial for promoting stability, preventing conflict and fostering trust among states. Mauritius firmly believes that the eight global CBMs agreed upon in last July’s annual progress report served as a foundation for enhancing transparency, communication, and cooperation in the digital domain. However, moving from agreement to full operationalization requires concrete steps at national, regional, and international levels. Mauritius welcomes the establishment of the Global POC Directory, which is a stepping stone for expedited communication during cyber incidents and policy discussions. We believe that this measure could go the extra mile if states ensure that their designated POCs are active, accessible, and properly trained. Mauritius shares the views that voluntary information exchange on national cybersecurity policies and legal frameworks is another critical CBM that can build mutual understanding and predictability. To facilitate this, states could regularly publish and share their national cybersecurity strategies, policies, legislations, and threat assessments. UNIDIR’s cyber policy portal could be leveraged to streamline voluntary reporting on cybersecurity policies. Chair, a major challenge in cyberspace is the absence of standardized procedures for notifying other states about significant cyber incidents. Mauritius believes that establishing a structured voluntary reporting mechanism is essential for ensuring that states can share relevant information in a timely manner. A standardized template for incident reporting agreed upon by states would help create consistency in how cyber incidents are communicated. Furthermore, defining clear thresholds for what constitutes a reportable incident would ensure that the information exchanged remains actionable and relevant. Encouraging bilateral or regional agreements on cyber incident notification can also enhance cooperation and build trust over time. Effective implementation of CBMs requires robust collaboration in sharing cyber threat intelligence. In this regard, regional organizations can play a pivotal role in facilitating structured exchanges of threat intelligence among member states. Public-private partnerships should also be encouraged as cybersecurity companies often have valuable insights into evolving cyber threats. We recommend developing secure communication platforms where states can share real-time threat intelligence while maintaining confidentiality. We also see value in practical exercises in cyber simulations for testing the effectiveness of CBMs in real-world scenarios. We believe these serve as evaluation exercises for crisis response mechanisms, improve coordination between POCs, and identify gaps in their cyber incident management frameworks. Cross-border participation in these exercises would enhance interoperability and build confidence among states. Additionally, scenario-based policy discussions on cyber threats and diplomatic responses could help countries align their approaches to international law and norms, ensuring a coordinated global response to cyber security challenges. We look forward to the simulation exercise in March, as mentioned by Secretariat earlier. Ultimately, to ensure sustained commitment to CBMs. we propose regular reviews and progress assessments through a voluntary reporting mechanism where states provide updates on their CBM implementation efforts. Annual review virtual meetings could serve as a platform to assess progress, share best practices, and discuss ways to address implementation gaps. Thank you for your attention, Chair.

Chair: Thank you very much. Mauritius, Japan, to be followed by Kazakhstan.

Japan: Thank you, Mr. Chair. Japan attaches importance to dialogues aimed at preventing conflicts and reducing tensions and will conduct such dialogues to promote mutual understanding among international partners. In this regard, Japan supports the view expressed in the third report that confidence-building measures are essential for enhancing mutual trust and predictability between states in reducing tensions, misunderstandings, and miscalculations. Sharing situational awareness, policies, and best practices regarding cyber threats with other countries through dialogues at all levels, including OEWG itself, is important. With regard to the progress made so far on the global POC directory, in order to promote such efforts in a meaningful way, we would like to continue discussing how best we can properly utilize the directory. In order to promote participation in the directory, it would be effective to clarify the real benefits of participation, such as sharing the good practices gained through each country’s participation in the directory. Thank you, Mr. Chair.

Kazakhstan: CBMs are a key tool in cyber diplomacy, reducing risk of misunderstanding, escalation and conflict, and they should be supported and implemented globally, regionally and sub-regionally. We propose workshops, roundtables and scenario-based cyber simulation discussions to exchange experiences, identify contentious and non-contentious issues, and build understanding and trust. CBM recognizes the Global POC Directory’s crucial role in building confidence and supports efforts to define its functions clearly and acknowledge its importance as a cross-cutting and action-oriented measure. We thank the Chair and Secretariat for their ongoing efforts to operationalize POC Directory and welcome publication of updates of states to enhance awareness. Effective CBM implementation relies on capacity building to narrow capability gap among states and ensure its wide participation in the Global POC Directory. We emphasize the importance of regional cooperation in advancing CBMs. Overseas experience demonstrates how exchanges between national POCs prevent misperceptions and improve coordination. Aligning global CBMs with regional mechanisms ensures coherence and avoid duplication. We are pleased to announce that as part of a regional initiative with the OSCE, workshop on gender consideration in cyber security will be held in Kazakhstan on 9th and 10th of April. This event will bring together diplomats, policymakers and members of the technical community from different states and aims to facilitate the exchange of experience and develop recommendations for integrating gender aspects into cyber diplomacy. Transparency and communication are central to confidence building. To optimize communication through the POC Directory, as highlighted in paragraph 47 of the third APR, we propose developing standardized templates for various critical scenarios, such as incident escalation, threat intelligence sharing, and cyber capacity building requests. These templates will facilitate structured and timely exchanges, enhance trust and transparency, answering to your guiding questions on stakeholder modalities, establishing special platforms for engagement with stakeholders as part of the CBM, such as working groups and expert consultations as part of the thematic groups could ensure their contributions while maintaining the intergovernmental nature of discussions. CBMs could develop clear participation guidelines for stakeholders, aiming at a structured approach for the global POC directory. The conference Digital Almaty 2025, held in February in Kazakhstan, brought together cyber experts from around the world and highlighted the importance of the multi-stakeholder collaboration, demonstrating that technology campaigns, research institutions, and policymakers play a crucial role in strengthening global hyperconnected cybersecurity. With CBMs and the global POC directory, thematic groups could focus on incident information exchange, POC verification mechanisms, and strengthening regional cooperation. Each thematic group could cover subtopics such as standardized incident response procedures, information sharing through POCs, and capacity building initiatives for national POCs. Unlike plenary sessions, thematic groups could engage in more detailed technical discussions on implementing CBMs and optimizing the global POC directory mechanisms for effective information exchange. Kazakhstan believes confidence-building in cyberspace requires structured policy frameworks, technical cooperation, as well as ongoing dialogue. By engaging with the OEWG and leveraging regional experiences, we can build a more inclusive and inclusive cyber world. a stable and resilient cyber environment. I thank you.

Chair: Thank you very much, Kazakhstan. Albania, to be followed by Bosnia and Herzegovina.

Albania: Thank you, Mr. Chair. As this is the first time I am speaking, please allow me to use this opportunity to thank you for your leadership and the excellent work in chairing the Open Ended Working Group and guiding the discussions, and express deep appreciation for your dedication since the outset of this OEWG mandate. I also extend my heartfelt thanks to the Government of Germany and the Netherlands for their support which enabled the participation of Albanian delegation in the 10th substantive session of OEWG. I firmly believe that Women in Cyber Fellowship has significantly contributed to the advancement of the agenda of this Open Ended Working Group. The countries supporting this fellowship should take pride in their investment, knowing that women’s active participation in the Open Ended Working Group has brought valuable perspectives and foster a more resilient cyberspace in the world stage, and I am a believer that women in cyber in itself is a confidence-building measure. Albania fully aligns with the EU Statement on Confidence-Building Measures and would like to present some insights on the national capacity. Albania considers discussion on confidence-building measures in cybersecurity of a high importance. We recognise the crucial role of CBMs in reducing misunderstanding, preventing conflict and enhancing trust between States. Strengthening CBMs implementation remains essential in fostering international cyber stability and security. Albania reaffirms its commitment to the UN Framework for Responsible State Behaviour in Cyberspace. particularly the implementation of voluntary, non-binding CBMs that facilitate trust, cooperation and accountability among States. Albania recognizes the potential in improving communication and coordination during a cyber incident, therefore it actively supports further development and operationalization of the UN Global POC Directory. Albania also believes that in good times, cooperation, coordination, sharing the best practices and training together is crucial and very important in building trust which is needed in times of cyber attacks. Beyond UN, Albania has actively engaged in international and regional organizations, including OSCE, EU, NATO, ITU and other international initiatives, thus contributing to CBMs implementation. Albania actively engaged in the OSCE informal working group on cyber, regularly sharing updates on the implementation of OSCE confident building measures, particularly with regard to protecting critical infrastructures. Moreover, Albania’s participation in joining exercises and training programs play a key role in enhancing national cyber capacity and strengthening cyber security cooperation. Especially from late 2024 and onwards, Albania has intensified its efforts through strategic partnership and technical cooperation with international organizations and regional cyber security entities. One of the events was a technical workshop with UNDP, organized in the beginning of November in Tirana, which gathered cyber security agencies from the Western Balkans, Georgia and Moldova to enhance cooperation on critical infrastructure protection and data security strategies. Shortly after, the Western Balkan Cyber Dialogue by the end of November 2024, co-hosted with the Ministry of Foreign Affairs of the Netherlands, Observer Research Foundation America, and the Centre for the Study of Democracy, facilitated in-depth discussion on policy advancement, security threats, intelligence sharing, and capacity-building effort among government, businesses, and civil society. This year, we have started with Enhancing Cybersecurity Cooperation in Southeast Europe event, which was held in Tirana last week, with the participation on 13 countries. Another one, the CERT Poland and Western Balkans CERTs, training and peer exchange, which was organized also in Tirana during the first week of February, as well as an upcoming hybrid CEO conference with participation of 36 countries, EU and NATO members, are among the extending partnership initiatives which we are putting forward as part of confident building measures and working together. Looking ahead to 2025, Albania will continue to drive regional cybersecurity initiatives, with a particular focus on strengthening public-private partnership and operational coordination. A highlight event is the Western Balkan Cybersecurity Camp, which will flagship an event which includes a capacity-building program dedicated to young experts on cybersecurity, who will be trained together with cybersecurity professionals and government agencies across the region of the Western Balkans, and which will build an alumni network of cybersecurity professionals from one year to another. With events like this, we aim to apply CBMs, including young people, also in the Western Balkans. A key milestone event later in the year is the NATO Cyber Defense Conference, which will be held in Tirana in September. in October 2025. This high-level event will bring together NATO allies, cyber security experts, and policymakers to discuss emerging cyber threats, collective defence strategies, and the future of cyber resilience within NATO countries and partner countries. With the support of the German government, we are developing a network of cyber diplomats in the Western Balkans, and we are confident that this will increase the confidence of countries working together on cyber issues, in addition to a number of joint training and exercises which will be organised through 2025 with the support of the EU, further strengthening and increasing the cyber resilience for Albania, the region, and beyond. As we all aspire to become EU members, we are working to make the Western Balkans a proactive and collaborative cyber security hub in the European stage. As much as we want to cooperate with the rest of the world, it is important that they also place confidence in working with us. Through all what we are doing, Albania underscores the need for cooperation and engagement in applying CBMs, ensuring that capacity-building efforts also support the effective implementation of CBMs. In addition, confident building measures must also be supported by national policies. For example, Albania’s legal and policy framework creates a conducive space for implementing CBMs, thereby promoting international cooperation, information sharing, and capacity building. Albania supports the integration of CBMs, which is a future cyber security mechanism, and we are expecting that through each dedicated thematic group, we work with confident building measures and Albania stands ready to cooperate achieving this objective. At the end of the day, we all put those efforts in getting ourselves prepared. that the day we go to work, and our screens go black, we should know who should we call, who should we trust, and where we can ask for support. This is why CBM’s implementation continuously is very important and plays such an important role in preparation process, in increasing cyber resilience, and in enhancing the stability, integrity, and openness in the cyberspace. Thank you, Chair.

Chair: Thank you very much, Albania, for your statement. Bosnia-Herzegovina, to be followed by the United Kingdom.

Bosnia and Herzegovina: Thank you, Mr. Chair. While we aligned with the statement of the European Union, I would like to add a few remarks in my national capacity. Bosnia-Herzegovina remains committed to participate in international dialogue on cooperation regarding cyber, which is ongoing at the bilateral, regional, international, and global framework of cooperation. Given the fact that the Global POC Directory is a CBM in itself, and also provides a basis for the implementation of other CBMs that could help to promote open, secure, stable, and peaceful ICT environment, Bosnia-Herzegovina has appointed a diplomatic and technical point of contact for POC Directory, and had the pleasure to participate in PING test in December. We are looking forward to participating in simulation exercise next month, as well as to working with other states to further operationalize the Global POC Directory. In addition to that, I wish to share that Bosnia-Herzegovina participated at the beginning of this month in the study visit organized by the OSCE in cooperation with the Ministry of Foreign Affairs of the Netherlands. The study visit was organized for the OSCE policy and technical points of contact. from some of the OSCE participating states from the Eastern Europe and the Western Balkans who are a part of the OSCE’s network created in line with one of the OSCE’s confidence-building measures on cyber ICT security. We visited relevant ministries, institutions and private companies responsible for enhancing cyber security in the Netherlands and gained valuable insights into good practices, shared knowledge on the latest cyber security developments and explored potential areas for collaboration in strengthening digital resilience. Exchanging experience in cyber diplomacy and international cyber security is essential for building trust and fostering future cooperation. The study visit was an excellent opportunity to liaise with other points of contact from the respective regions. Furthermore, it has proved invaluable information through sharing knowledge, experience, the best practices and lessons learned. In addition to that, as a public-private partnership in the field of cyber security can provide an appropriate framework for knowledge exchange, the sharing of the best practices and the establishment of a common level of understanding amongst stakeholders, and with a view to promoting public-private partnerships and cooperation on ICT security. Following the OSCE initiative Adopt a CBM, Bosnian Herzegovina has just joined the group Adopt CBM on public-private partnerships. We look forward to benefiting from the exchange with other members of the group of knowledge experience and best practices in this area. Mr. Chair, Bosnia-Herzegovina reaffirms that confidence-building measures are essential for enhancing mutual trust and predictability between the states and in reducing tensions and misunderstanding. and remains committed to enhancing cooperation on cyber confidence-building. Thank you.

Chair: Thank you very much, Bosnia-Herzegovina. United Kingdom to be followed by Singapore.

United Kingdom: Thank you, Chair. As many states have acknowledged this week, we are in a challenging geopolitical climate. The need to foster trust and understanding is paramount for us to maintain international peace and security and advance our discussions on the Framework for Responsible State Behaviour. The UK recognises the importance of the initial list of global confidence-building measures towards this goal. In December 2024, we outlined some of the UK’s activities relevant to CBM implementation, including the voluntary sharing of information, delivery of capacity-building programmes, and our contributions to building the resilience of critical national infrastructure internationally. In line with CBM2, the UK recognises the importance of bilateral, sub-regional, regional, cross-regional and multilateral dialogue between states. In this context, we would like to highlight that in October 2024, at the Crown-to-Ransomware Initiative Summit, the UK and 38 states united with international cyber insurance bodies in support of new guidance to assist organisations that experience ransomware attacks. This is a recent example of a resilience-building outcome emerging from cross-regional dialogue. Chair, this week, we have heard states including El Salvador, Mauritius, Malaysia, Italy, Ghana, Chechnya and Ireland refer to the potential challenge of quantum computing for cybersecurity. Considering CBM3, which invites states to share information on their national policies, we would like to highlight the UK’s August 2024 White Paper preparing for post-quantum cryptography. This guidance is freely available on the website of our National Cyber Security Center and may be of interest to member states. Chair, we would also like to recognize the importance of non governmental stakeholders, the private sector, non-governmental organizations and academia, to the operationalization of the eight global CBMs. Academia plays a critical role in enriching our discussions and the research community is needed to implement CBMs 5 and 6. The UK works with a wide range of academic and research organizations. This week we were pleased to support a side event ahead of the publication of a global compendium on responsible cyber behavior. This publication, developed by the Royal United Services Institute in collaboration with a cross-regional group of academic contributors, is based on several years of cross-regional dialogue between states and the academic community. It stands to increasing our shared understanding and provide further insight into how different nations and regions approach the UN framework for responsible state behavior in cyberspace. CBM 8 relates to public-private sector partnerships and cooperation on ICT security. The private sector is a critical partner in our capacity building programs. Last year UK began to pilot an international cyber instant response capability to provide instant response support to international partners following cyber attacks. This was deployed for the first time in late 2024 in response to a ransomware attack. This program would not be possible without the leading contribution of specialized instant response companies. The States have widely and repeatedly recognised the essential contributions of such stakeholders in the implementation of the consensus UN framework. The future mechanism will be permanent, and we need to take bolder steps towards their inclusive participation. Thank you, Mr. Chair.

Chair: The President Thank you very much, UK. Singapore to be followed by the Russian Federation.

Singapore: The President Thank you, Mr. Chair. Singapore welcomes the international community’s adoption of the eight voluntary global CBMs contained in the OEWG’s third APR. Given that the full value of CBMs is only realised when they are actively implemented by all States, it is imperative that we concentrate on efforts to accelerate the implementation of these eight global CBMs. In this regard, we believe it is essential for States which are already implementing CBMs to share best practices, the potential pitfalls and the ways around them. These exchanges could be consolidated in a repository, which could be included as a module in the Global ICT Security Cooperation and Capacity Building Portal proposed by India when it is established. Singapore also welcomes the circulation of the Secretariat’s initial report outlining the proposal for the development and operationalisation of the Global ICT Security and Capacity Building Portal, in particular the five proposed modules set out in paragraph 17 of the report. Singapore believes that the Secretariat’s initial report provides a clear vision for the establishment of the portal that is practical and useful. We call on the OEWG to work on the basis of the Secretariat’s report with a view towards reaching consensus on the establishment of the portal by July 2025. We are also pleased to see the efforts to ensure that the Global Intergovernmental Points of Contact Directory remains a useful and effective initiative for all UN Member States. In particular, we are strongly supportive of efforts to expand and increase participation in the Global POC Directory. Singapore has participated in the PING test for the Global Intergovernmental Points of Contact held in December 2024. Both our technical and diplomatic POCs will also be participating in the simulation exercise to be held in March this year. Thank you, Mr. Chair.

Chair: Thank you, Singapore. Russian Federation, to be followed by Pakistan.

Russian Federation: Mr. Chairman, we are pleased to note the steady development of confidence-building measures within the OEWG framework launched in May 2024. The Global Intergovernmental Points of Contact directory for exchange of information on computer attacks and incidents has 113 participants already, as has been mentioned. We call on the Member States who have joined the register to designate their diplomatic and technical POCs as soon as possible. It is our absolute priority and common goal to facilitate further expansion of the directory’s membership. We consider the regular testing of interaction algorithms within the directory to be of high importance. In our opinion, it is key to increase the mechanism’s efficiency. We would like to congratulate all Member States on the second PING test that took place in December 2024. The Russian POCs stand ready to take part in the upcoming simulation exercise in March 2025, and we are looking forward to receiving connection details and preparatory materials from the organizers. We commend the efforts of the directory’s manager, the UN Office for Disarmament Affairs, UNODA. It is our firm belief that further efforts to improve the POC directory parameters should be carried out on the consensus basis with all Member States involved, in order to consolidate and multiply the results that have already been achieved. Continuity is crucial. The future permanent mechanism should inherit the supervision of the registry from the current OEWG. We support the idea of establishing a dedicated thematic subgroup on CBMs within the framework of the future body. We would like to draw the attention of Member States to some shortcomings that have been revealed in the POC’s directory functioning and need to be eliminated. The Russian technical POC has identified 10 inactive contacts, as well as at least four technical POCs who have limited authority at the national level and so were unable to respond to our notifications. We are seeing cases where we receive feedback from old contacts, whereas the new ones turn out to be inactive. We are convinced that the POC’s directory’s goals cannot be fully achieved without these emerging issues being resolved. Before proceeding further, Member States should carefully elaborate on the procedure of the POC’s designation. Please note that the Russian Federation has developed guidelines on how to set up a UN technical POC. It seeks to build capacity in this field. We would invite all Member States to examine the document on the OEWG website. As a contribution to the POC directory’s development, on February 19, the UN Institute for Disarmament Research, with the support of the Russian Federation, will hold a seminar entitled Global Intergovernmental Points of Contact Directory Towards Universal Participation. The agenda includes the practical capacities of the directory, as well as technical assistance issues. We invite all Institute delegations to participate. We would like to note the proposal of our Iranian colleagues regarding an additional CBM. We consider this initiative to be constructive, taking into account the growing digital threats, including the risk of harmful, hidden functions being integrated into ICT products. Thank you.

Chair: Thank you, Russian Federation, for your statement. Pakistan, to be followed by Thailand.

Pakistan: Thank you, Chair. In today’s tumultuous geopolitical era, where tensions and mistrust often dominate interstate relations, channels of communication are indispensable for ensuring stability and fostering confidence building. Therefore, Pakistan has consistently emphasised the importance of CBMs, including in cyberspace, as a mean to promote trust, transparency and predictability among states. In this respect, I would make the following three points. First, as cyber threats continue to evolve and escalate, the potential for misunderstandings and conflicts between nations grows. This requires efforts to foster stability and cooperation among states in an increasingly interconnected digital landscape. Second, CBMs serve as a proactive approach to mitigate these risks by enhancing transparency and communication. By establishing clear channels for dialogue and information sharing, states can reduce the likelihood of misperception that may lead to escalatory spirals or unintended confrontations. Third, we believe that the establishment of and discussions in this OEWG have served as an important tool for building confidence among member states. The establishment and activation of POC directory among the major achievements of this working group. The operationalization of this directory provides a potential structured mechanism for timely communication during cyber incidents, thus reducing the risk of escalation and miscalculation. Chair, we believe that the utility of POC directory goes beyond crisis management. It serves as a foundation for broader collaboration in areas such as information sharing, capacity building, and joint exercises to enhance cyber resilience globally. Continuous evaluation and improvement of this directory will ensure its relevance and effectiveness in addressing fast evolving issues. We call for regular updates to maintain its integrity and encourage greater participation from all UN member states to maximize its impact. In addition, we propose that lesson learned from regional POC mechanisms be incorporated into this global framework to avoid duplication and leverage best practices. Finally, we look forward to contributing further to discussions on enhancing CBMs under a dedicated thematic group in the future permanent mechanism and ensuring that such mechanism remains inclusive, effective, and sustainable. I thank you, Chair.

Chair: Thank you very much, Pakistan, for your statement. Thailand to be followed by Republic of Korea.

Thailand: Thank you, Mr. Chair. Thailand regards the ongoing discussion in the ODBG as constructive and essential part of the CBM efforts. The establishment of the Global POC Directory is a concrete contribution by the OEWG to build confidence among states by facilitating the exchange of information and real-time communication during cybersecurity incidents. Thailand views the implementation of the eight CBMs adopted in the APR last year as essential tools for mitigating ICT-related threats and for reducing tension, misunderstanding, and miscalculations. In this regard, Thailand would like to highlight the following points on operationalization of the CBMs. First, Thailand would like to reiterate the importance of strengthening capacity-building efforts for POCs through exchange of best practices between them and regional POCs to ensure an effective and seamless response to cybersecurity challenges. Thailand has also participated in the PING tests and looks forward to the upcoming simulation exercise next month. Second, Thailand welcomes the development of standardized templates to optimize communication between POCs. At the same time, we are of the view that it is important to allow for flexibility for contact, particularly during emergencies, as this not only ensures clear and efficient communication but also the ability to adapt and respond quickly to urgent situations. Third, Thailand supports the role of regional bodies in implementing CBMs and sees great importance of cross-regional cooperation in the exchanges of information and good practices. Thailand is working with other ASEAN member states under the ASEAN Cybersecurity Coordinating Committee as well as the ASEAN Regional Forum, which serves as a platform for forging cross-sectoral and cross-pillar coordination on cybersecurity within the region and with external partners. Last, the launch of the physical facility of the ASEAN Regional CERT in Singapore last October marks a significant step towards enhancing operational and timely coordination to better address emerging cyber threats in the region. Best practices from the ASEAN CERT would be useful input for the possible establishment of a global CERT-to-CERT cooperation, to serve as a platform for enhancing voluntary information exchange and cooperation among national and regional CERTs. Thailand is of the view that such platform, together with global POC directory, would contribute towards building trust and confidence among states. Thank you, Mr. Chair.

Chair: Thank you very much, Thailand. Republic of Korea, followed by Malawi.

Republic of Korea: Thank you, Chair. Confidence-building measures serve long-term objectives, including reducing misperceptions and possible subsequent escalation in cyberspace, and thereby enhancing predictability. Achieving these goals is contingent upon effective information sharing through global POC. In this context, the Republic of Korea looks forward to the upcoming global POC simulation exercise in March, contributing to strengthen the network. We appreciate the well-chosen time slot for Asia-Pacific region in this regard. Given that this is the first such exercise, it’s possible that future exercises could involve all countries simultaneously. Meanwhile, as many states have emphasized the voluntary nature of the POC template, we hope that the POC template example, which will be published by the Secretariat in April, will serve as a reference for communication, rather than imposing any constraints on interaction among national POCs. As part of the implementation of CBM-5 and CBM-6, our country has been hosting the World Emerging Security Forum, WESF, annually since 2021 to promote international cooperation on cybersecurity and emerging security issues. At the fourth WESF last December, multi-stakeholders including government, businesses, academia, and civil society engaged in in-depth discussion on AI governance, risks related to the AI WMD nexus, and international cooperation to address cyber threats. The public of Korea plans to host the WESF again this September. We strongly encourage active participation and interest from all states. Lastly, we welcome Ghana’s participation in the UN Confidence Builders subgroup. I thank you, Mr. Chair.

Chair: Thank you, Republic of Korea. Malawi to be followed by Mexico.

Malawi: Mr. Chairman, Excellencies, and Delegates. Confidence building measures, as outlined by the United Nations, are voluntary and non-binding measures designed to enhance transparency, build trust, and reduce the risks of conflict stemming from misperceptions or misunderstandings in cyberspace. These measures serve as practical steps that foster cooperation, improve information sharing, and support capacity building efforts to ensure that states engage in responsible behavior in the digital domain. Malawi strongly believes that CBMs must be action-oriented, fostering both national and international partnerships. While we discuss their significance, we also recognize a crucial trend, legislation and regulatory frameworks emerge as a recurring theme in nearly every intervention. within these dialogues. This underscores a fundamental truth. Legal structures are the bedrock of CBM implementation. The very fact that Malawi has continuously referenced our cyber security bill, cyber crimes bill, and Data Protections Act that speaks to the indispensable role of domestic legislation in translating our commitments into tangible outcomes. At the international level, the UN Charter and established frameworks provide essential guidance on ensuring that state conduct in cyberspace aligns with international peace and security. In particular, Article 2 subsection 4 prohibits force or cohesion against states, even in digital operations, while Article 33 encourages peaceful resolution of disputes. Furthermore, the 2015 UN GGE report on CBMs and 2021 OEWG report both emphasize the need for structured collaboration, early warning mechanisms, and real-time exchange of third intelligence. Our key recommendations. First, strengthening legal frameworks for CBMs implementation. Since national legislation is the foundation for implementing CBMs, we advocate for enhanced cooperation in sharing best practices on regulatory development. Harmonizing national policies with regional and international cybersecurity frameworks will promote consistency and reduce legal fragmentation. Second, enhancing transparency through information sharing. Trust between states is built on open channels for information exchange, particularly through national and regional certs. Malawi encourages the formalization of structured intelligence sharing mechanisms. allowing for real-time cyber threat analysis and joint mitigation strategies. Third, capacity building and technical assistance. Malawi calls for targeted initiatives that empower developing nations with resources, technical expertise, and training programs. International cooperation should prioritize knowledge transfer to bridge cybersecurity gaps. Fourth, marches stakeholder engagements. CBMs should leverage the expertise of the private sector, academia, and civil society, actors that are at the forefront of technological advancements. However, engagement must be guided by clear principles to safeguard national security concerns and maintain the apolitical nature of discussions. And lastly, Chair, regional cooperation and sustainable dialogue mechanisms. In support of Albania’s statement and recognition of the roles CBMs play, Malawi acknowledges the role of the African Union and regional bodies in advancing CBMs. We support the establishment of dedicated thematic groups within the OEWG to ensure the discussions move beyond rhetoric and into practical implementation strategies. In conclusion, Malawi is ready to work with all stakeholders in advancing CBMs that foster trust, enhance security, and promote responsible state behavior in cyberspace. Our commitment to cybersecurity is not just a national priority, it is a global one. We invite partners to collaborate with us in shaping policies, strengthening institutional capacity, and core developing frameworks that ensure a safer digital future for all. Thank you, Chair.

Chair: Thank you very much, Malawi, for your statement. Mexico, to be followed by Vanuatu.

Mexico: Thank you very much, Mr. Chairman. My country acknowledges the importance of strengthening international cooperation in the management of cyber incidents, this through the effective use of initiatives such as the Global Directory of Points of Contact and confidence-building measures adopted by consensus in the annual reports of this working group and those of the GGE, as well as those adopted in regional contexts. We must recall that confidence-building measures aim to stand as instruments to reduce military tensions between states. They do this through transparency, communication and cooperation. As things stand, these measures have evolved to tackle modern global security challenges. Today, they are key instruments in the management of risks associated with emerging technologies. An example is artificial intelligence. Such technologies can be unpredictable and have the potential to be dual-use technologies. These tools, CBMs, are crucial to facilitate timely communication and coordinated responses following incidents. That minimizes the risk of tensions escalating and helps foster a safe environment in cyberspace. Mexico underscores the need to strengthen the practical implementation of these measures. We must guarantee that they are accessible and operable for all states, particularly for developing countries. We can reach this goal by capacity-building and the exchange of good practices. Moreover, we emphasize the need to integrate CBMs into a cross-cutting approach which aims to mitigate and resolve cyber incidents. Such an approach would include strengthening standardised communication protocols and holding practical exercises which evaluate the effectiveness of CBMs in various contexts. Mr Chairman, in Mexico’s view, it is pivotal that the future mechanism improve the interoperability of confidence-building measures across cyber security incident response teams and diplomats in order to promote standards on information exchange and the harmonisation of protocols for the management of cyber crises. All of this work should include the creation of mutual assistance mechanisms to be triggered for incidents with a cross-border impact. The meaningful participation of all stakeholders, including the private sector, civil society and the scientific-technical community, is vital to guarantee that we work according to a holistic and sustainable approach when it comes to the management of ICT-related incidents. With this in mind, Mexico supports their active participation within the thematic group to strengthen cooperation in the management of ICT-related incidents, including through confidence-building measures. Thank you very much.

Chair: Thank you, Mexico, for your contribution. Vanuatu, to be followed by Finland.

Vanuatu: Thank you, Mr Chair. While Vanuatu aligns itself with the Pacific Islands Forum Statement delivered by Tonga, we would like to add the following in our national capacity. Vanuatu reaffirms its commitment to confidence-building measures as a vital tool for promoting stability, transparency and cooperation in cyberspace. Small states, like our members of the international community, have a role to play in fostering trust and cooperation. predictability in the use of ICDs. We support practical, inclusive, and implementable CPMs that enable all states, regardless of size or capacity, to contribute to global cyber stability. Measures such as timely information sharing, transparency in national cybersecurity policies, and the establishment of direct communication channels help to reduce misunderstandings and escalate tensions and build trust among states. In this regard, Vanuatu is pleased to announce that we joined the UN-established Points of Contact Network in December 2024. This marks an important step in strengthening regional and international cooperation on cybersecurity. By participating in this initiative, Vanuatu demonstrates that even the smallest states can pull their weight in making cyberspace safer for all. The POC Network provides a critical channel for rapid communication in the event of cyber incidents, and we encourage most states, particularly small island developing states, to join and contribute to this essential mechanism. Vanuatu strongly believes that the POC Network, on its own, while a significant milestone, should not be the ceiling for our ambition. We are grateful to the ODA for holding ping tests and the upcoming exercise. Participating in this is important in our joint efforts to make the POC Network into a practical tool with real-world benefits. As such, we look forward to participating in the simulation exercise next month. As we continue to advance CPMs within the OEWG, we emphasize the need for greater support to help all states build the institutional capacity needed to implement these measures effectively. Vanuatu welcomes regional CPM initiatives, particularly those tailored to the unique challenges faced by developing nations. We call on the international community to ensure that CPMs remain inclusive, accessible and responsive to the needs of all states, reinforcing our collective commitment to a stable and secure cyberspace. I thank you, Mr. Chair.

Chair: Thank you very much. Vanuatu, Finland, to be followed by Malaysia.

Finland: Chair, thank you for giving us the floor. Finland aligns itself with the statement of the European Union and would like to further elaborate and emphasize the message on the multi-stakeholder perspective and its significance for confidence building. While states bear primary responsibility for the maintenance of international peace and security, numerous other stakeholder groups, such as civil society, private sector, academia and the technical community, are critical for promoting stability and advancing responsible behavior in cyberspace. It is paramount to include all the mentioned stakeholders in view of successful confidence building. Responding to cybersecurity threats requires cooperation across wide sectors of societies, both public and private. Private actors develop and own many of the technology’s digital products and services that the well-being of societies depend on. While governments have the power of regulation and policy setting, they need the cooperation with the private sector to address cybersecurity incidents. Private actors may be reluctant to invest resources in something that is outside of their immediate business interests, whereas governments might be disinterested or unable to incentivize businesses of doing so. Therefore, Finland wants to highlight the role of public-private partnerships. in enhancing cyber security and cyber resilience as part of the whole-of-society approach to security and preparedness. The state authorities, businesses, civil society organizations, and citizens jointly safeguard all vital functions of the society. In Finland, private businesses actively share cyber security information with one another and with the public sector. Finland’s new cyber security strategy acknowledges their role, highlighting that mutual trust between various stakeholders in society and trust in public institutions and their services help to build strong national resilience. We also promote public-private partnerships in OSCE as we support the approach of learning and benefiting from experiences at the regional level. As a recent example of a cross-sector effort was the EU-financed Cyber Citizen Initiative implemented by the Finnish Aalto University in collaboration with the Ministry of Transport and Communications. The initiative produced a model for cyber security learning aiming to help an average citizen stay secure while using digital services and devices in their everyday life. The model includes a learning portal with educational elements and also taking into account different target groups, a mobile game targeted especially to the younger users. The portal is available in English and in all EU languages in case you’re interested in having a look. With this example and as a final remark, Finland wants to emphasize that cyber security is a joint endeavor and confidence building depends on all the different stakeholders being present and included in a meaningful way. This is key also for the future permanent mechanism. Thank you.

Chair: Thank you very much. Finland, Malaysia to be followed by Canada.

Malaysia: Mr Chair, Malaysia joins others in welcoming the continued effort of Member States to build trust and confidence in support of the international peace and security in ICT domain. Malaysia reaffirms that confidence-building measures are essential for enhancing mutual trust and predictability between States and reducing tension and misunderstandings. Malaysia fully supports the implementation of the Global POC Directory that maintains the flexible and voluntary nature of this initiative with a step-by-step approach, but at the same time ensures sustainability and ownership towards the Permanent Future Mechanism. This is important so that we do not have to reinvent the wheel, rather work together to build trust to improve coordination towards reducing response time, especially to the urgent ICT incident. In this regard, we are pleased to see in the Chair’s Discussion Paper a dedicated thematic group on enhancing cooperation in the management of ICT-related incidents through CBMs, to consider how States can best utilise relevant initiatives developed in the context or framework of responsible States’ behaviour in the use of ICT, including the Global POC Directory and the Voluntary Global CBMs. A dedicated thematic group on CBMs will have the participation of Inter-ALIA Technical Experts and National POC, which in Malaysia’s view will organically streamline the POC Directory with the Global CBMs. Malaysia thanks the Secretariat for the briefing on developments of the Global POC Directory. Malaysia looks forward to participating in the simulation exercise. For Malaysia, this simulation exercise will also indirectly test the linkage and workability of our nominated Global POC and how they communicate with our domestic response and communication procedure of national cyber crisis as a whole. As mentioned in our previous intervention in the 9th OEWG substantive meeting, we are in the process of revising our National Cyber Crisis Management Plan to fit the requirement of our Cybersecurity Act 2024 on the obligations of critical infrastructure owners to protect their critical information infrastructure. We will take this opportunity of this simulation exercise to verify our domestic national cybersecurity incident process flow and complement with the objective, purpose and requirement of the global POC. It is our aim that our revised National Cyber Crisis Management Plan will be more comprehensive and will allow us to identify our capacity building needed for the protection of critical information infrastructure and this is also aligned with CBM 7. Malaysia recognizes and appreciates the work conducted at regional level, which complements the agreed non-exhaustive list of voluntary global CBMs. In this regard, Malaysia supports Thailand’s statement on the works of ASEAN across the ASEAN sectoral bodies and working groups, including the information sharing and operationalization of the ASEAN regional CERTs. Malaysia further shares the view of Albania that the Women in International Security and Cyberspace Fellowship is a confidence-building measure and would like to thank all the donors, especially the Government of Australia for making this program possible. As veterans for this program, apart from non-veterans, Australia, from time to time, will reach out to us to bounce ideas and seek recommendations to improve the Women in Cyber program and we appreciate that. This has created the sense of ownership and built trust, which is a true confidence-building measure. Thank you, Chair.

Chair: Thank you very much, Malaysia. There are a lot of veterans, but all of you look so young. How is that possible? Obviously, this process is rejuvenating and energizing. So please stay young. We need you all and your energy for the future permanent mechanism. And hopefully you will find a younger chair as well.

Canada: Thank you, Mr. Chairman. We’d like to take this opportunity to put CPM3 into practice and to share with all of you that earlier this month, we published the 2025 version of Canada’s National Cyber Security Strategy. Our strategy provides for the establishment of a national multi-stakeholder mechanism so that both governmental and non-governmental stakeholders can work even more closely together on plans and policies in the field of cyber security. Our strategy has been uploaded to the UNIDIR portal, and we thank them for their efforts because they facilitate transparency. We’d like to note here that we’ve made a great deal of progress on CBMs in this open-ended working group. In 2023, we reached an agreement on four CBMs. In 2024, less than a year ago, we doubled the number of CBMs in place. Together, we established the points of contact directory, and that was a major achievement. Our efforts to facilitate the participation of new points of contact and to plan a simulation exercise are commendable. They help us to experiment with this voluntary tool and to look at how it might be used if we wish to use it. when urgent and major cyber incidents occur. It is right and proper to turn our vision into a reality where the other CBMs are concerned too. We should really put into practice these CBMs by offering fora for discussion on specific issues. The thematic groups allow us to do just that. Indeed, the thematic groups provide a forum within which to hold seminars, workshops, or training courses as encouraged by CBM 6. The thematic groups will allow us to exchange more information and to hold broader discussions about best practices for the protection of critical infrastructure as provided for in CBM 7. Finally, by bringing stakeholders on board, more specifically non-governmental stakeholders, we will be able to put CBM on public-private partnerships into action. That brings me to the end of our brief statement. Thank you, Mr. Chairman.

Chair: Thank you very much, Canada, for your contribution. Switzerland, to be followed by South Africa.

Switzerland: Thank you, Mr. Chair. Mr. Chair, since our statement on international law was a little longer yesterday, I will keep this brief. In our statement at the December session, we reported on our experience in implementing CBMs and using the POC network in the OSCE in response to your guiding questions. I will not repeat the examples mentioned in December again. Other delegations reported on the work of other regional organizations. The EU delegation has mentioned CBM 12 of the OSCE, which we adopted together with North Macedonia, Poland, and the EU, and which we are committed to implementing. An important element of this CBM is the engagement and exchange of experiences between regional organizations, but also between the regional and the global levels. We are convinced that it is in the… that it is to the advantage of this working group and the future mechanism if we learn from and benefit from the experiences at the regional level. We therefore believe that the final report of this open-ended working group should contain a recommendation for continuous engagement and exchange with regional and sub-regional organizations. I thank you.

Chair: Thank you very much, Switzerland. That was way too brief for me. We like to hear you. But thank you very much for your contribution, Switzerland. South Africa to be followed by Ethiopia.

South Africa: Thank you, Chairperson. In the current geopolitical environment, there is a greater risk of misunderstandings between member states. The implementation of the eight agreed global confidence-building measures is one of the key elements of ensuring transparency, cooperation, and stability in cyberspace. The full operationalization of the eight CBMs will require sharing of experiences by member states and regional organizations who have an established practice of implementing CBMs. This is a shared effort amongst the international community to develop better understandings between member states. The Global POC Directory and the Global Cyber Security Cooperation and Capacity Building Portal could assist the permanent mechanism take forward the work of this OEWG. We believe that by narrowing the capacity gap, the goal of achieving maximum participation in the Global POC Directory is attainable. As stated during our intervention at the ninth session, support for member states’ participation in the POC Directory could take the form of workshops and roundtable discussions to share experiences and expertise, engage in dialogue to identify some of the challenges the non-contentious areas to start with, and move to more sensitive ones as we continue to build layers of understanding and trust. The simulation exercise scheduled for March 2025 is a welcome initiative to empower the global POCs with step-by-step actions to take to request or offer assistance during a cyber incident. We thank the Secretariat for facilitating this. South Africa supports the proposal for the development of templates to assist communication between member states on a voluntary basis. The templates should at a minimum provide a brief description of the nature of assistance sought, details of the cyber incident, acknowledgment of receipt by the requested state, and provide indicative response timeframes. Chairperson, we join Malawi, Malaysia, and Albania in mentioning that the Women in Cyber Fellowship, which South Africa also participates in, is a CVM across donor states and fellows who are a diverse cross-regional group. In conclusion, Chair, it will take collective action to build trust between member states and ensure a smooth functioning of global ICT security systems and ensure an open, safe, secure, stable, accessible, peaceful, and interoperable ICT environment. I thank you.

Chair: Thank you very much, South Africa, for your contribution. Ethiopia to be followed by Laos PDR.

Ethiopia: Thank you, Mr. Chair, for giving me the floor. As I have said, my delegation wishes to express its appreciation to you, Mr. Chairman, for the manner in which you are steering the work of this working group. We are having this substantive session of the OEWG at a crucial time, when the increasing integration of advanced technologies such as artificial intelligence are creating further opportunities for economic and social development. As the world continues to benefit from the development and deployment of these technologies, we are also confronted with challenges of cyber threats and potential misuse. The critical tasks in tackling these challenges require international cooperation and urgent need to address the digital divide. In addition to strengthening the effort with regards to ensuring accountability, managing cross-border cyber threats, and protecting critical infrastructure, the International Committee should provide the necessary support to developing countries. The support is extremely vital to enhance developing countries’ capacity to effectively respond to the multi-pronged challenges arising from the evolving digital landscape, in particular in the field of cyber security. In the same vein, we believe confidence-building measures are more crucial now than ever, which provide frameworks to fostering trust, promoting transparency, and facilitating international cooperation in cyberspace. We must employ these measures in our collective effort to prevent conflict and build resilience against cyber threats. By engaging in open dialogue, information sharing, and collaboration, these measures yield the necessary results in managing risks. that stem from the use of these technologies. Mr. Chairperson, Ethiopia has implemented several confidence-building initiatives to improve cybersecurity and promote trust. The establishment of the Information Network Security Administration and the Ethiopian Artificial Intelligence Institute, which play a critical role in the national cybersecurity, ensure that the country’s digital system remains secure and resilient against cyber threats. These institutions not only ensure national security, but also work with international partners and engage in capacity-building efforts aimed at enhancing cybersecurity capabilities. Additionally, public-private partnerships have been instrumental to strengthen cybersecurity across sectors. Through this partnership, the government has been able to work with different stakeholders in implementing cybersecurity policies, creating awareness, and training the next generation of cybersecurity professionals. Mr. Chairperson, it is our firm belief that in the ideology, we can forge consensus and strengthen collaboration in the field of cybersecurity. We have come a long way and made significant progress to bring this process to a successful conclusion. We must continue to build on what we have achieved thus far, particularly through building confidence both at regional and global levels. In this regard, we call on the international community, particularly the United Nations, to continue to support our efforts of setting up future permanent mechanisms to ensure confidence-building, reduce risks, encourage cooperation, and capacity-building on cybersecurity matters. It is also the view of my delegation that this permanent mechanism would be a state-led process where negotiation and decisions on ICT security are based on intergovernmental process. My delegation looks forward to working closely with all to make this substantive session a success. I thank you.

Chair: Thank you very much, Ethiopia, for your contribution. Laos PDR to be followed by Ghana.

Lao PDR: Mr. Chair, Distinguished Delegate, The Laos PDR firmly believes that confident building measures are essential for fostering mutual trust, reducing tension, misunderstanding and miscalculation, which are particularly dangerous in this rapidly evolving cyberspace. We reaffirm that the OEWG, the CBM itself, serves as the crucial forum for discussing both areas of existing agreements and those where divergence remains. This open dialogue allows for the exploration of new approaches and the refinement of existing measures. This continuous process of development and implementation of CBMs is important for maintaining peace and security in cyberspace. In this respect, we welcome the establishment of the Global Point of Contact Directory, and we support the continuous awareness for the operation of the POC to be a functional and accessible POC directory for timely communication and de-escalation of potential cyber incidents. To ensure its effectiveness, particularly for developing countries, we stress the importance of providing robust capacity building to enhance participation and utilization of POC directories in an inclusive manner. More importantly, Regional efforts are important for the successful implementation of the CBMs. Within ASEAN, for example, the diverse level of ICT maturity among member states requires tailored approaches. In this respect, capacity building and joint exercise training are themselves valuable CBMs, providing invaluable opportunities for member states from different agencies to share information, exchange views, and engage in scenario-based exercise. These activities foster a deeper understanding of respective cyber capabilities and intentions, promoting transparency and cooperation. Therefore, we call on states in the position to do so, to continue providing assistance and capacity building to this endeavor. Thank you.

Chair: Thank you very much. Lao PDR, Ghana, to be followed by North Macedonia.

Ghana: Mr. Chair, I would like to begin by thanking the secretaries for the briefing notes on the updates regarding the POC. Indeed, we have made tremendous and tangible progress in the area of CBMs through this initiative. On confidence-building measures, my delegation emphasizes the critical role of integrating CBMs into national cybersecurity policies and strategies to ensure their effective implementation at both the domestic and regional levels. While regional and global CBMs are essential for fostering trust and cooperation, their ultimate success is closely tied to the ability of individual states to personalize these measures within their own national frameworks. Therefore, Ghana encourages the mainstreaming of the AIDS globally agreed CBMs into national cybersecurity policies, ensuring alignment with international best practices. In addition, while the implementation of CBMs demands substantial technical expertise and resources, we recognize the need for increased capacity building to effectively operationalize these CBMs. Ghana believes that strengthening the capacity of states, particularly through regional cooperation, is crucial. Furthermore, my delegation acknowledges the importance of building capacity at the regional level and involving regional bodies in the implementation of these CBMs. Ghana has actively engaged in a number of regional workshops with ECOWAS aimed at building capacity for technical and diplomatic officials in the West African regions on understanding and implementing these CBMs and eventually adopting our own sub-regional CBMs. This regional approach is crucial for fostering a cohesive and collaborative environment for their adoption. As mentioned by some delegations, CBMs play a crucial role in building trust among states, hence they must be implemented effectively in order to be impactful. Furthermore, Ghana supports the points raised by Mauritius and Kazakhstan to have a standardized template for incident reporting, which will lead to an effective operationalization of the POC. Like other delegations, Ghana is looking forward to participating in the PING test scheduled for March 2025 and has recently submitted the details of an additional technical POC. The success of CBMs, however, is not solely dependent on resources. It ultimately relies on the political will, dialogue, and commitments of states. To this end, it is important that as countries continue to prioritize cybersecurity at the national level, we equally engage in regional dialogue. Government officials need to continue exchanging views, engaging in bilateral, sub-regional, and multilateral processes like the UN OEWG, which is in itself a CBM. We can only overcome existing and potential threats through sustained dialogue and cooperation. Mr. Chair, our participation this morning in the Confidence Building Sub-Group as a means to enhance our knowledge and capacity on CBMs was very beneficial. Ghana looks forward to continued discussions on CBMs within the Future Permanent Mechanism as well. well. We believe that such platforms, together with efforts being made at the regional and global level, will be invaluable in fostering trust and collaboration among states, ensuring that CBMs serve as a very powerful tool for enhancing cyber security and international stability. I thank you, Mr. Chair.

Chair: Thank you very much, Ghana. North Macedonia, please.

North Macedonia: Distinguished Chair, esteemed delegates, North Macedonia aligns itself with the statement of European Union on this agenda item, and its own capacity would like to share the perspective on the implementation of the global CBMs. Building trust and confidence in cyberspace is a long-term commitment and requires continuous efforts and engagement. With the adoption of the new cyber security strategy, we remain dedicated to straightening capacity-building efforts and ensuring the effective implementation of key measures. We have seen how gradually steps foster dialogue between states, reducing the risk of malicious cyber activities, misunderstanding, and escalation. Those measures enhance mutual understanding, predictability, and overall stability in cyberspace. North Macedonia has appointed both a diplomatic POC and a technical POC, and successfully participated in the test conducted in December 2024. We also believe that connecting the POC directory with the future mechanism is crucial for ensuring its long-term stability and ownership. Our country actively engages in dialogues with partner organizations and institutions to advance cyber security, actively working on the development and implementation of the minimum standards in each public institution for improving cyber resilience. with the huge support of the government of United Kingdom. Regional organizations plays an irreplaceable role in cybersecurity. As an active OSCE cybersecurity community member, we stress the importance of implementing the 16 OSCE CBMs to support responsible state behavior. In informal working group under PC decision 1039, foster transparency and best practices, sharing, enhancing stability and predictability in cyberspace. Additionally, as a co-adapter of OSCE CBM 12, alongside with the European Union, Switzerland and Poland, North Macedonia remains committed to straightening cybersecurity cooperation and confident building at regional and international level. To support implementation of strategic goals, enhancing secondary legislation and advance the development of sectorial search, we actively collaborate with Estonian and Governance Academy and Geneva Center for Security Sector Governance. Their support and expertise plays an important role in straightening our cybersecurity framework and response capabilities. The new MKSafeNet project, started as a part of digital Euro program, aims to create a safer internet by raising awareness and educating children, families and educators on responsible online behavior at all levels. Also, the straightening collaboration at all levels, we highly appreciate the support provided by Germany in advancing our cyber diplomacy efforts. As a developing country, we face significant challenges, including the shortage of human resources and limited… capabilities. We believe that UN instruments and initiatives are crucial in helping us addressing these gaps. Moving forward, we emphasize the needs of continued exchange and more important, the effective implementation of CBMs under the Future Permanent Mechanism. CBMs should be applied in a cross-cutting and actionable manner, integrating them into each working group to ensure practical and effective solutions to curing challenges. So Chair, we look forward to continued discussion and collaborative progress. I thank you.

Chair: Thank you very much, North Macedonia. Distinguished delegates, friends, we have about ten more delegations that have asked to speak under CBM, so certainly we will have to continue this afternoon. So this is what we will do. We will continue the discussions this afternoon, starting with the dedicated stakeholder dialogue, which is being held in accordance with our agreed modalities. And so at 3 p.m. exactly, we will reconvene to listen to the stakeholders. I think we have about 16 of them who have registered their interest in making interventions. I have told the stakeholders that they will have three minutes to make their intervention so that we can continue with our work after the stakeholders have made their interventions with the remaining list of speakers on CBMs. And then this afternoon we will transition to the next agenda item, which is capacity building. So at 3 p.m. I’d like to invite all delegations. to be present here. Firstly, it’s important that you are here to listen to the stakeholders and the contributions that you have made. I know many of you have engaged with them. The stakeholders have travelled from far to be here, and it’s important that you are here, and I will be looking around and taking attendance. And we will tabulate the list and put it in my little black book. So I hope to see all of you this afternoon so that you can listen to what the stakeholders have to say, then we continue with the speakers list. The meeting is adjourned. I wish you a pleasant lunch. Thank you.

Agreement Points

Importance of the Global Points of Contact (POC) Directory

speakers

– ODA
– Mauritius
– Thailand
– Ghana
– Malaysia
– Russian Federation
– Singapore
– Japan
– Kazakhstan

arguments

Global Points of Contact (POC) Directory is a key CBM achievement

Need for standardized templates and protocols for POC communication

CBMs essential for enhancing mutual trust and reducing tensions

CBMs crucial given current geopolitical tensions

Future mechanism should facilitate information sharing on national policies

Importance of clarifying benefits of POC Directory participation

Need for standardized templates for POC communication

summary

Multiple speakers emphasized the significance of the Global POC Directory as a crucial confidence-building measure, with suggestions for improving its effectiveness through standardized communication protocols and templates.

Need for capacity building in implementing CBMs

speakers

– Cuba
– Malawi
– Vanuatu
– Ghana
– Ethiopia
– Lao PDR

arguments

Need for capacity building to implement CBMs, especially for developing countries

Need targeted initiatives to empower developing nations

Capacity building crucial for developing countries to implement CBMs

Regional capacity building workshops important

Capacity building should address digital divide

Capacity building itself serves as a CBM

summary

Multiple speakers stressed the importance of capacity building, particularly for developing countries, to effectively implement CBMs and address the digital divide.

Similar Viewpoints

Both speakers emphasized the importance of public-private partnerships in enhancing cybersecurity and implementing effective CBMs.

speakers

– Finland
– Bosnia and Herzegovina

arguments

Public-private partnerships crucial for effective CBMs

Importance of public-private partnerships in CBMs

Both speakers recognized the Women in Cyber Fellowship program as a confidence-building measure that brings valuable perspectives and fosters trust.

speakers

– South Africa
– Albania

arguments

Women in Cyber Fellowship program acts as a CBM

Women in Cyber Fellowship as a confidence-building measure

Unexpected Consensus

CBMs as tools for managing risks from emerging technologies

speakers

– Mexico
– Republic of Korea

arguments

CBMs help manage risks from emerging technologies like AI

Importance of practical exercises in cyber simulations for testing the effectiveness of CBMs in real-world scenarios

explanation

While most discussions focused on traditional cybersecurity concerns, these speakers highlighted the role of CBMs in addressing risks associated with emerging technologies like AI, suggesting a forward-looking approach to CBMs.

Overall Assessment

Summary

There was broad agreement on the importance of the Global POC Directory, the need for capacity building in implementing CBMs, and the value of regional and multi-stakeholder cooperation. Many speakers also emphasized the need for standardized communication protocols and templates for the POC Directory.

Consensus level

The level of consensus was relatively high, particularly on the importance of CBMs and the need for capacity building. This suggests a strong foundation for future cooperation in implementing CBMs and developing the permanent mechanism. However, there were some differences in how speakers envisioned the structure of future discussions on CBMs, with some advocating for dedicated thematic groups and others preferring a cross-cutting approach.

Different Viewpoints

Structure of CBM discussions in future mechanism

speakers

– Egypt
– Austria

arguments

Need dedicated thematic group on CBMs in future mechanism

CBMs should be cross-cutting across thematic groups

summary

Egypt proposes a dedicated thematic group for CBMs, while Austria argues for a cross-cutting approach across all thematic groups.

Approach to implementing CBMs

speakers

– Ghana
– Austria

arguments

CBMs should be integrated into national cybersecurity policies

CBMs should be cross-cutting across thematic groups

summary

Ghana emphasizes integrating CBMs into national policies, while Austria advocates for a cross-cutting approach in international discussions.

Unexpected Differences

Proposal for new CBM on secure ICT market access

speakers

– Islamic Republic of Iran

arguments

Proposal for new CBM on secure ICT market access

explanation

Iran’s proposal for a new CBM focusing on secure ICT market access was unexpected and not directly addressed by other speakers, potentially introducing a new economic dimension to the CBM discussion.

Overall Assessment

summary

The main areas of disagreement revolve around the structure of CBM discussions in the future mechanism, the approach to implementing CBMs (national vs. international), and the specific focus areas for capacity building.

difference_level

The level of disagreement is moderate. While there is general consensus on the importance of CBMs and the need for capacity building, differences in implementation approaches and priorities could impact the effectiveness of future CBM efforts. These disagreements highlight the need for further dialogue to find common ground and develop a comprehensive approach that addresses the concerns of all parties.

Partial Agreements

These speakers agree on the need for standardized templates for POC communication, but differ slightly in their emphasis on flexibility and specific implementation details.

speakers

– Mauritius
– Kazakhstan
– Thailand

arguments

Need for standardized templates and protocols for POC communication

Need for standardized templates for POC communication

Importance of standardized templates to optimize communication between POCs

These speakers agree on the importance of capacity building for developing countries to implement CBMs, but emphasize different aspects such as technical assistance, institutional capacity, or addressing the digital divide.

speakers

– Cuba
– Vanuatu
– Malawi
– Ethiopia

arguments

Need for capacity building to implement CBMs, especially for developing countries

Capacity building crucial for developing countries to implement CBMs

Need targeted initiatives to empower developing nations

Capacity building should address digital divide

Similar Viewpoints

Both speakers emphasized the importance of public-private partnerships in enhancing cybersecurity and implementing effective CBMs.

speakers

– Finland
– Bosnia and Herzegovina

arguments

Public-private partnerships crucial for effective CBMs

Importance of public-private partnerships in CBMs

Both speakers recognized the Women in Cyber Fellowship program as a confidence-building measure that brings valuable perspectives and fosters trust.

speakers

– South Africa
– Albania

arguments

Women in Cyber Fellowship program acts as a CBM

Women in Cyber Fellowship as a confidence-building measure

Key Takeaways

The Global Points of Contact (POC) Directory is seen as a major achievement in implementing Confidence Building Measures (CBMs)

There is broad agreement on the importance of CBMs for building trust, reducing tensions, and enhancing stability in cyberspace

Many countries emphasized the need for capacity building to effectively implement CBMs, especially for developing nations

Regional cooperation and initiatives are viewed as crucial for successful CBM implementation

There is support for integrating CBMs into the future permanent mechanism, though views differ on exactly how

Public-private partnerships and multi-stakeholder engagement are seen as important for effective CBMs

Practical exercises and simulations are viewed as valuable for testing and improving CBM effectiveness

Resolutions and Action Items

Upcoming simulation exercise in March 2025 to test the Global POC Directory

Development of standardized templates for POC communication (proposed by multiple countries)

Continued efforts to expand participation in the Global POC Directory

Integration of CBMs into national cybersecurity policies and strategies (proposed by Ghana)

Unresolved Issues

Exact structure for addressing CBMs in the future permanent mechanism (dedicated group vs. cross-cutting approach)

Specific methods for bridging the capacity gap between developed and developing countries in CBM implementation

Details of how to effectively include non-governmental stakeholders in CBM processes while maintaining the intergovernmental nature of discussions

Concrete steps for harmonizing global and regional CBM initiatives

Suggested Compromises

Allowing flexibility in POC communication methods while also developing standardized templates

Balancing state-led processes with increased multi-stakeholder engagement in CBM implementation

Combining dedicated CBM discussions with integration of CBMs across other thematic areas in the future mechanism

We firmly believe that we need a dedicated platform on international law in the permanent mechanism. The exact modalities, mandate, structure, those are things we can talk about and I’m absolutely sure we can reach consensus on those issues.

speaker

Egypt

reason

This comment introduced a concrete proposal for structuring discussions on international law in the future mechanism, challenging the existing approach.

impact

It sparked debate on how to best organize discussions on international law, with subsequent speakers addressing this point and offering alternative views.

We propose workshops, roundtables and scenario-based cyber simulation discussions to exchange experiences, identify contentious and non-contentious issues, and build understanding and trust.

speaker

Kazakhstan

reason

This comment offered specific, actionable suggestions for implementing confidence-building measures in a practical way.

impact

It shifted the discussion towards more concrete implementation ideas, with later speakers building on the concept of practical exercises and simulations.

We would like to highlight that in October 2024, at the Crown-to-Ransomware Initiative Summit, the UK and 38 states united with international cyber insurance bodies in support of new guidance to assist organisations that experience ransomware attacks.

speaker

United Kingdom

reason

This comment introduced a real-world example of international cooperation on cybersecurity, providing context for the theoretical discussions.

impact

It grounded the conversation in practical realities and inspired other delegations to share their own national and regional initiatives.

We believe it is essential that the confidence-building measures developed within the current OEWG reflect this reality. We hope this will be acknowledged in the final report as an additional CBM.

speaker

Islamic Republic of Iran

reason

This comment proposed a new confidence-building measure focused on ensuring access to secure ICT markets, challenging the existing list of CBMs.

impact

It introduced a new topic for consideration and debate, with some subsequent speakers acknowledging the proposal.

We join Malawi, Malaysia, and Albania in mentioning that the Women in Cyber Fellowship, which South Africa also participates in, is a CVM across donor states and fellows who are a diverse cross-regional group.

speaker

South Africa

reason

This comment highlighted the role of gender diversity in cybersecurity as a confidence-building measure, broadening the scope of what constitutes a CBM.

impact

It drew attention to the importance of inclusivity in cybersecurity efforts and was echoed by several other delegations in their statements.

Overall Assessment

These key comments shaped the discussion by introducing concrete proposals for the future mechanism, emphasizing practical implementation of CBMs, grounding the conversation in real-world examples, proposing new areas for consideration as CBMs, and highlighting the importance of inclusivity. They collectively moved the dialogue from theoretical concepts to more actionable ideas and broadened the scope of what constitutes effective confidence-building in cybersecurity.

How can the Global POC Directory be further operationalized and improved?

speaker

Multiple speakers including Russian Federation, Singapore, Thailand

explanation

Several countries emphasized the need to enhance participation, resolve technical issues, and develop standardized templates to optimize communication between POCs.

How can regional experiences and best practices in implementing CBMs be incorporated into the global framework?

speaker

Switzerland, Thailand, Kazakhstan

explanation

Multiple countries suggested learning from regional initiatives and incorporating these lessons into the global CBM framework.

How can capacity building efforts be enhanced to support effective implementation of CBMs, especially for developing countries?

speaker

Cuba, Lao PDR, Ghana

explanation

Several countries highlighted the need for increased capacity building to enable developing nations to fully participate in and benefit from CBMs.

How can multi-stakeholder engagement, including private sector and civil society, be effectively integrated into CBM implementation?

speaker

United Kingdom, Finland, Mexico

explanation

Multiple countries emphasized the importance of involving non-governmental stakeholders in CBM efforts and called for exploring ways to facilitate their participation.

How can the future permanent mechanism best incorporate and advance discussions on CBMs?

speaker

Multiple speakers including European Union, Pakistan, Canada

explanation

Many countries expressed interest in how CBMs will be addressed in the future permanent mechanism, with some suggesting dedicated thematic groups or cross-cutting approaches.

How can standardized templates and procedures for cyber incident reporting and information sharing be developed?

speaker

Mauritius, Kazakhstan, Ghana

explanation

Several countries proposed developing standardized formats for incident reporting to enhance the effectiveness of information sharing through the POC Directory.

How can the linkage between national cybersecurity frameworks and global CBMs be strengthened?

speaker

Ghana, Ethiopia

explanation

Some countries emphasized the need to integrate global CBMs into national cybersecurity policies and strategies for effective implementation.

How can simulation exercises and scenario-based discussions be further developed to enhance CBM implementation?

speaker

Multiple speakers including Kazakhstan, Mauritius

explanation

Several countries expressed interest in expanding practical exercises to test and improve the effectiveness of CBMs.