Confidence building measures (CBMs)

16 Dec 2021 15:00h - 18:00h

Event report

There was a broad consensus that CBMs are an important and integral part of the previously agreed upon framework for responsible state behaviour, though states placed different emphasis on them. The Netherlands, for instance, considered CBMs as a key pillar of the OEWG work, while China reminded that CBMs cannot replace the international norms setting, and Cuba stated that CBMs are supplementary to the international legal instrument for cyberspace. 

Cuba noted that, for CBMs, it is important that states refrain from turning to unilateral coercive measures which restrict universal access to technologies. While inviting for an agreement on fundamental universal principles for CBMs, Russia added, in the similar tone, that such principles should not provide states with instruments for military or political advantage, such as for interference in domestic affairs or punishment in the form of sanctions. China underlined that CBMs should not become an excuse to use weapons in cyberspace. Iran went further, noting that the ICT environment is a peaceful space which should be kept aside from the disarmament context, and thus the CBMs – which have military history and connotation – should not be applied in cyberspace.

Iran also warned that the reference to the UN Resolution 43/78 (H) of 1988, which provides guidelines for CBMs adopted by the Disarmament Commission, may leave a false impression that cyberspace is recognised as a battlefield. Egypt, on contrary, suggested states to take into consideration these guidelines and the UN Resolution 43/78. 

Regional experiences and cross-regional exchange

A number of countries, including Argentina, Indonesia, Chile, Cuba, and Thailand clearly recognised the OEWG itself as an important CBM. The work of regional organisations in defining and implementing CBMs was reiterated over and again.  Indonesia, Japan, Malaysia, and Thailand, among others, showcased the good practices by the ASEAN and the ASEAN Regional Forum (ARF); Estonia, Germany, Serbia, and Switzerland, among others, have elaborated on 16 OSCE CBMs and practical follow-ups; Chile and other OAS members have reflected on the 6 OAS CBMs. Most countries agreed about the value of cross-regional exchange of experiences out of, and within the OEWG. 

There were differences, however, in observing the role of regional experiences within the OEWG. Switzerland reminded that the OEWG and GGE reports underscore relevance of regional and subregional efforts, while Korea and Serbia underlined that regional efforts are an important contribution to the OEWG and the development and advancement of CBMs. The EU, together with North Macedonia, Montenegro, Bosnia, Ukraine, Georgia, and Moldova, suggested that the OEWG should continue to provide space for regional fora to share practical tools, best practices, and examples to further advance the development and implementation of CBMs, which helps their improvement and engages other interested stakeholders in implementation. Estonia suggested the OEWG to enhance cross-regional information and identification of synergies through regional road maps or toolboxes. The Netherlands went further to suggest the OEWG to facilitate adherence of states to CBMs developed by regional organisations and multistakeholder initiatives, by providing practical measures to disseminate and exercise CBMs, and providing guidance to universalise those already existing CBMs that are based on the GGE consensus. In this direction, Malaysia called for the OEWG to adopt the existing practical measures implemented by the regional and subregional organisations. Indonesia called for expanding regional efforts into global ones, but taking into account regional differences. 

Cuba was particularly cautious about regional experiences in the global context, noting that every region or subregion has its own specificities and therefore CBMs implemented at that level cannot be considered as global models; in addition, their implementation should be voluntary, and not allow interference in internal affairs of a state. India noted that CBMs of global relevance could be propagated and implemented on regional levels, but agreed that frameworks developed at bilateral and regional level may have their own limitations – at least as an action point for the first substantive session of the OEWG. Indonesia and Thailand supported the cross-regional exchange, but emphasised that the UN maintains the lead role in CBM development and implementation. 

Proposals for actions

Number of concrete proposals for ways forward for the OEWG were also brought up. Following the OSCE example of states and group of states voluntarily spearheading particular CBMs to further explore their implementation, as presented by Estonia and Serbia; Germany suggested that the OEWG can embrace similar approach and engage states in groups to advance particular CBMs with involvement of the industry, academia, and others; Germany, Serbia, and Switzerland offered to elaborate this proposal to other delegations. Germany also proposed that the list of national terminology on ICT, composed by the OSCE as part of its CBMs, be offered to all the UN member states.

India noted that harmonisation of regional CBMs is the key to develop a common action by the international community, and invited the OEWG to create an indicative list of agreed CBMs to be implemented voluntarily. The Netherlands invited the OEWG to advise states to make declaratory statements reaffirming that they subscribe and adhere to the CBMs within the existing Framework adopted by the UN GA. 

Egypt invited states to address requests to mitigate concerns emanating from their own territories, while taking into account limited capacities that certain states might have in this regard. Russia invited states to conduct consultations on their activities in cyberspace that could cause concern, and proposed establishing a practice of exchanging national lists of spheres involving critical information infrastructure. Iran went step further to invite states with offensive cyber capabilities to unilaterally declare to refrain from offensive use of it.

India invited states to recognise critical transnational networks, respect the designation of critical infrastructure and transnational infrastructures by other states, and organise joint drills and tabletop exercises (TTX) for national CERTs. Cuba suggested states to standardise methodology of cyber incidents and incident response, and provide CERTs with tools to capture and process evidence related to published or hidden vulnerabilities. Mexico suggested the creation of a global cyber incident repository, which can be used by member states to voluntarily share their experiences on the technical characteristics and variables of attacks or incidents reported.

Columbia invited states to translate CBMs into tangible action with the support of the multiple stakeholders; Estonia and Switzerland underlined the important role of the private sector in particular. Korea confirmed that multistakeholder approach is essential to CBMs, and called for utilising available technical instruments like FIRST, the global network of CERTs, for communication. Israel focused on public-private partnerships to develop skilled cyber professionals and bridge the existing global gap with demand. It shared its experiences with engaging the private sector for ‘out of the box’ solutions, running education programmes for girls and women and the wider population, and developing cybersecurity research centres that assist regulators and policy makers to get a holistic view of progress. 

Points of contact

Points of contact (PoC) were of particular relevance for many countries. Germany presented PoC as the basis for other CBMs and information exchange. Russia saw PoC as an immediate follow-up on the invitation by the previous OEWG to share information, though it noted that the amount of information should be determined by states themselves. Cuba also noted that information sharing should not reveal state’s capacities.

Chile and Singapore both invited for establishing a global PoC list in the context of the United Nations, on the basis of existing regional PoC networks, and the Netherlands suggested that the OEWG enhances the existing directories. Thailand and the Netherlands have suggested this list to contain contacts on technical and diplomatic levels, Costa Rica and Indonesia listed policy level as well, while Malaysia and Singapore also listed law enforcement level, based on the experiences of the ARF. Japan suggested to identify a coordinator country in each region, to simplify managing PoCs and updating the lists.

The Netherlands invited for shaping the framework for the PoC interaction, while India proposed to create a robust mechanism for sharing PoC and information, and suggested the Secretariat to collect PoCs. Costa Rica invited the OEWG to develop a template for communication among PoC, including conducting communications checks to keep the directory up-to-date, and scenario exercises to test their work. Estonia and Singapore also invited a demonstration of the value of such PoC networks through training and TTX, based on the experiences of OSCE and ASEAN, respectively.  Singapore added that such tests could develop a common understanding about the minimum thresholds for cyber incidents, and offered to work with the UN on such exercises with PoCs of all states in technical and operational domain at the Singapore Cyber Week in 2022.

A central repository of information

India proposed to create a related repository of PoC and shared information, while Argentina added the legislative repository and a glossary of common definitions. Many countries shared the view that the UNIDIR Cyber Policy Portal is a convenient platform for information sharing. Japan invited governments to submit new lessons learned at the OEWG meetings, as well as to the Cyber Policy portal. The Netherlands, which invited OEWG to encourage states to share the information about their national policies and positions, and how they advance implementation of norms and CBMs, saw Cyber Policy Portal as useful also for publishing state positions on the interpretation of how international law applies to cyberspace. 

Korea, Egypt, Indonesia, Estonia, and Costa Rica also expressed support for the role of the Cyber Policy Portal for exchange of information, as well as indexing and disseminating accumulated experiences of states and regional organisations, and a central place for states to report their progress on CBMs. In addition, Costa Rica suggested forming templates for reporting on CBMs, possibly following the example of the biological weapons convention, and invited the OEWG to standardise the information which the states should include in their reports.

Broader issues

A number of delegations reflected on issues not directly included in the OEWG mandate. India warned about proliferation of misinformation, smear campaigns, and terror propaganda, and outlined the obligation of the states to cooperate on counterterrorism as CBM (include removing harmful content). India also invited the OEWG to develop effective mechanism for sharing information and digital evidence between law enforcement agencies, to counter terrorism and crime in order to build confidence. Malaysia also shared the ARF experiences with sharing on preventing criminal and terrorist use. 

Cuba expressed belief that internet governance with participation of states on equal footing is required to close the digital gap and build confidence. In the same vein, Iran called the OEWG to address the main source of mistrust in the ICT environment: the monopoly in the internet governance, coupled with challenges of anonymity, offensive cyber strategies, hostile image building, and xenophobia, which is leading to unilateral coercive measures and lack of responsibilities. Therefore, Iran continued, CBMs should be extended to areas such as national security and limiting coercive policies and measures against other states, but also to cryptocurrencies, ICT products, services, and contents.