Agenda item 5: discussions on substantive issues contained in paragraph 1 of General Assembly resolution 75/240 part 2
3 Dec 2024 15:00h - 18:00h
Session at a Glance
Summary
This transcript covers a meeting of the Open-Ended Working Group on Security of and in the Use of ICTs, focusing on the development and implementation of norms for responsible state behavior in cyberspace. The discussion centered on the existing 11 voluntary, non-binding norms and the potential need for additional norms. Many delegates emphasized the importance of implementing the current norms, with some countries like Japan and the UK arguing against developing new norms at this time. Others, including Cuba and Egypt, advocated for legally binding norms or additional measures to address evolving threats.
The voluntary checklist of practical actions for implementing norms was widely supported, with several countries suggesting improvements or additions. Capacity building was frequently mentioned as crucial for effective norm implementation, especially for developing countries. Some delegates, like those from Bangladesh and Kazakhstan, proposed specific new norms to address emerging technologies and threats.
The Chair noted a disconnect between the rapidly evolving threat landscape discussed earlier and the more static positions on norms. He urged delegates to consider how to bridge divides between those prioritizing implementation of existing norms and those pushing for new norms. The Chair emphasized the need for serious, candid conversations on this topic, challenging delegates to move beyond entrenched positions and address the changing technological landscape in their approach to norms.
Key points
Major discussion points:
– Implementation of existing voluntary norms vs. development of new norms
– The voluntary checklist as a tool for implementing norms
– Potential new norms to address emerging threats and technologies
– The need for capacity building to support norm implementation
– Debate over legally binding vs. non-binding norms
Overall purpose:
The purpose of this discussion was to review progress on implementing existing norms of responsible state behavior in cyberspace, consider potential new norms, and discuss ways to improve the voluntary checklist for norm implementation. The goal was to advance the work of developing and implementing norms ahead of the conclusion of the Open-Ended Working Group in 2025.
Tone:
The overall tone was diplomatic and constructive, with states sharing their perspectives and national experiences. However, there was an underlying tension between those advocating for new norms and those preferring to focus on implementing existing ones. The Chair noted this divide in his closing remarks, expressing frustration at the lack of progress in bridging these positions. This shifted the tone to be more critical and urgent by the end of the session.
Speakers
– Chair: Ambassador Burhan Gafoor (mentioned as chairing the meeting)
– Zimbabwe
– Pakistan
– Guatemala
– Democratic People’s Republic of Korea
– Slovakia
– ICRC (International Committee of the Red Cross)
– European Union
– Portugal
– Côte d’Ivoire
– El Salvador
– Cuba
– United Kingdom
– Russian Federation
– Islamic Republic of Iran
– Bosnia and Herzegovina
– Japan
– Singapore
– South Africa
– Argentina
– Mexico
– Kazakhstan
– Egypt
– Kingdom of the Netherlands
– Bangladesh
– Italy
– Indonesia
– Canada
– Republic of Korea
– Paraguay
– Albania
Additional speakers:
– France (mentioned but did not speak)
– New Zealand (mentioned but did not speak)
– United States (mentioned but did not speak)
– Malaysia (mentioned but did not speak)
– China (mentioned but did not speak)
– Ireland (mentioned but did not speak)
– Switzerland (mentioned but did not speak)
– Australia (mentioned but did not speak)
– Mozambique (mentioned but did not speak)
– Brazil (mentioned but did not speak)
– Mali (mentioned but did not speak)
Full session report
Expanded Summary of the Open-Ended Working Group on Security of and in the Use of ICTs Meeting
The Open-Ended Working Group on Security of and in the Use of ICTs convened a meeting chaired by Ambassador Burhan Gafoor to discuss the development and implementation of norms for responsible state behaviour in cyberspace. The session focused on reviewing progress on existing norms, considering potential new norms, and discussing ways to improve the voluntary checklist for norm implementation.
Key Discussion Points:
1. Implementation of Existing Norms vs. Development of New Norms
A significant divide emerged between countries advocating for the development of new norms and those arguing for a focus on implementing existing norms. Japan, the Republic of Korea, Canada, and the United Kingdom emphasised the importance of implementing the existing 11 voluntary, non-binding norms before considering new ones. They argued that the current framework is comprehensive enough to address current challenges.
In contrast, the Russian Federation, Cuba, and Egypt called for new legally binding norms to address evolving threats, believing that voluntary norms are insufficient. Bangladesh suggested both implementing existing norms and exploring new proposals. Indonesia’s position aimed to bridge this divide by prioritising implementation of existing norms while remaining open to new proposals.
Several specific norm proposals were discussed:
– Egypt suggested a norm prohibiting ICT activity contrary to international law obligations.
– Canada proposed adding protection for international and humanitarian organizations to Norm G.
– El Salvador suggested a new norm on ethical hackers and updating Norm E on privacy.
2. Voluntary Checklist for Norm Implementation
There was broad support for the voluntary checklist as a tool for implementing norms, with several countries suggesting improvements or additions. Singapore, Bangladesh, the European Union, the United Kingdom, and Kazakhstan all endorsed the checklist as a valuable instrument. The Netherlands viewed it as a good basis but in need of further improvements.
Bangladesh proposed specific enhancements to the checklist, such as promoting digital literacy and standardized incident reporting. The UK suggested adding text on commercially available cyber attack capabilities.
However, the Islamic Republic of Iran expressed concerns about the checklist being based on the 2021 GGE report, which was not universally accepted. Russia called for supplementing the checklist with rules from UNGA Resolution 73/27, highlighting disagreements about the nature, content, and process for updating the checklist.
3. Critical Infrastructure Protection
Several speakers, including Italy, Paraguay, Canada, and Kazakhstan, emphasised the importance of protecting critical infrastructure. They called for enhanced focus on safeguarding critical sectors, including healthcare and humanitarian organisations. Italy specifically highlighted the need to protect healthcare services from ransomware attacks. Kazakhstan proposed the development of unified baseline cybersecurity standards for critical infrastructure.
4. Role of Private Sector and Non-State Actors
Argentina, Bangladesh, the United Kingdom, and Egypt highlighted the importance of involving the private sector in cybersecurity efforts, particularly in protecting critical infrastructure and supply chains. They also called for accountability of non-state actors in cyberspace. Slovakia urged states to prioritise security in collaboration with manufacturers, reinforcing the need for robust internal cybersecurity frameworks.
5. Capacity Building and International Cooperation
Côte d’Ivoire, Mexico, Kazakhstan, Bangladesh, and Indonesia emphasised the importance of capacity building and international cooperation for effective norm implementation, particularly for developing countries. Côte d’Ivoire specifically highlighted the value of UNIDEA training programs. Indonesia called for capacity building to support norm implementation and threat response. Paraguay emphasized the importance of norms for countries with digital divides.
6. Emerging Technologies and AI
Albania and Kazakhstan raised concerns about potential threats from AI and emerging technologies. They called for the development of norms and ethical guidelines to address these new challenges. Albania also suggested including gender-sensitive perspectives in norm development.
7. Debate over Legally Binding vs. Non-Binding Norms
A clear divide emerged between states advocating for legally binding norms and those supporting the existing voluntary framework. Russia, Cuba, and Egypt called for legally binding norms, while the EU, UK, and others defended the current voluntary approach.
8. National Implementation Efforts
Bosnia and Herzegovina shared detailed information about their national implementation efforts and regional cooperation. The Netherlands emphasized the importance of Norm C on not allowing territory to be used for internationally wrongful acts using ICTs.
Chair’s Observations:
Ambassador Gafoor noted a disconnect between the rapidly evolving threat landscape discussed earlier and the more static positions on norms. He urged delegates to consider how to bridge divides between those prioritising implementation of existing norms and those pushing for new norms. The Chair emphasised the need for serious, candid conversations on this topic, challenging delegates to move beyond entrenched positions and address the changing technological landscape in their approach to norms.
Unresolved Issues and Suggested Compromises:
Key unresolved issues included how to develop new norms while still prioritising implementation of existing ones, bridging the divide between states favouring legally binding norms and those preferring voluntary norms, and effectively addressing rapidly evolving technologies like AI within the norms framework.
Suggested compromises included pursuing both implementation of existing norms and discussions on potential new norms in parallel, considering a mix of binding and non-binding measures to address increasing cyber threats, and focusing on practical cooperation and capacity building to bridge divides on norm development.
Conclusion:
The discussion revealed significant disagreements on the future direction of cybersecurity norms, particularly regarding the development of new norms versus the implementation of existing ones and the debate over legally binding versus voluntary norms. These divisions could potentially hinder progress in establishing a comprehensive and universally accepted framework for responsible state behaviour in cyberspace. However, there was broad agreement on the importance of protecting critical infrastructure, the value of the voluntary checklist (with improvements), and the need for capacity building and international cooperation.
The Chair’s closing remarks highlighted the need for more dynamic approaches to developing norms in response to rapidly evolving threats, encouraging participants to reconsider their positions and engage in more candid discussions to bridge the existing divides.
Session Transcript
Chair: Distinguished delegates, good morning to all of you. The third meeting of the ninth substantive session of the Open-Ended Working Group on Security of and in the Use of ICTs is now called to order. We will continue our discussions this morning under the topic in Agenda Item 5 relating to Existing and Potential Threats. As I indicated yesterday evening, before we adjourn, we have a few more speakers remaining on the list of speakers. We will hear these speakers and then I’ll give some remarks and then I’ll open the floor for the next cluster of items which is related to norms. So at this point, I’m only taking speakers for the first cluster of items and then we can go on to the next item. I must say that I’m very encouraged by the buzz of conversation here this morning. It is very clear that all of you like each other very much. That is a good sign. It means that you’re talking to each other, listening to each other, making friends, making connections. That in a sense is the beauty of the United Nations. It provides a place for these conversations to take place. But as I’ve always said, it’s important that you have conversations with people who are not always like-minded with you because if you keep talking to people you like so much because they think like you, then we are not going to be able to build strong bridges. So make an effort to talk to people who have a different point of view as well. I would encourage that strongly. That is also in keeping with the spirit of the work of this working group, which is to talk about the most difficult issues, find solutions to them, build consensus, and strengthen the multilateral framework that we have built over the last many years. So with those comments, I’ll go to the remaining list of speakers, starting with Zimbabwe, to be followed by Pakistan and Slovakia. Zimbabwe, please, you have the floor.
Zimbabwe: Thank you, Mr. Chair. Zimbabwe aligns itself with the statements delivered by the African Group and the Non-Aligned Movement. I wish to make the following additional remarks in a national capacity. At the onset, Mr. Chair, my delegation welcomes the consensus adoption of the third annual progress report, and we applaud your stewardship of this important process. This comprehensive document encapsulates the discussions and agreements reached over the past year, serving as a roadmap for future negotiations and actions within the OEWG framework. Zimbabwe is aware of the significant surge in cyber threats, reflecting a global trend that necessitates immediate and coordinated action. My delegation has taken note of the International Telecommunication Union’s Global Cyber Security Index of 2024, which has highlighted areas where cybersecurity measures require enhancement, particularly in technical, organizational, capacity development, and cooperation frameworks. To this effect, my delegation acknowledges the OEWG’s efforts in fostering international dialogue on ICT security. Ransomware, malware, trojans, and distributed denial of service are among the cybersecurity threats we face globally. These threats have been intensified by developments in the field of artificial intelligence, which may fall into the hands of malicious actors. Zimbabwe emphasizes the critical importance of operationalizing confidence-building measures to foster trust and cooperation among nations in cyberspace. These measures are vital for mitigating the risks of miscalculation and conflict. We highlight that CBMs must prioritize inclusivity and respect for the sovereignty of all states, ensuring that smaller nations are equally equipped to engage in and benefit from these frameworks. We commend the establishment of the Points of Contact Directory and the planned simulation exercises, which are vital for enhancing global cyber incident response capabilities.
Mr. Chair, my delegation advocates for enhanced capacity building, and we urge the OEWG to support initiatives that provide technical assistance and training to developing nations, empowering them to build robust cybersecurity infrastructure. In this regard, my delegation supports the establishment of regular dialogue under the United Nations auspices, promoting inclusive participation from all member states to address evolving cyber threats collaboratively. We emphasize the important role of applying existing international law to state behavior in cyberspace, ensuring accountability and fostering a secure digital environment. Zimbabwe believes that the OEWG process should culminate in an internationally legally binding instrument that speaks to ICT security and the responsible behavior of states. Mr. Chair, Zimbabwe reiterates that the OEWG deliberations should remain single-track and state-led. We stress that the OEWG as a state-led mechanism must uphold its guiding principle of consensus, ensuring that the process remains inclusive, impartial, and firmly grounded in the sovereign capacity, excuse me, the sovereign equality of all nations. Stakeholder and non-state actor participation is welcome and beneficial to this process, provided that the negotiations remain confined to the multilateral framework that underpins the OEWG. Zimbabwe strongly reaffirms its support for the modalities agreed upon at the eighth substantive session in July 2024, which were the result of careful, balanced, and delicately negotiated compromises. Revisiting these modalities would destabilize the fragile network of trust and collaboration that has been essential to the OEWG’s process. In conclusion, Mr. Chair, Zimbabwe remains committed to collaborating with all member states to strengthen the global cybersecurity arena. We believe that through collaborative action, capacity building, and adherence to international legal principles, we can create a secure and resilient cyberspace for all.
Thank you, Mr. Chair.
Chair: Thank you very much, Zimbabwe, for your contribution. Pakistan to be followed by Guatemala.
Pakistan: Thank you, Chair. I convey Pakistan’s deep appreciation for your leadership in steadily guiding the OEWG towards achieving its objectives. Since its establishment, the group has successfully facilitated the exchange of views among member states on challenges and threats in the global cyberspace. However, much work still lies ahead. Mr. Chair, while reflecting upon guiding questions on existing and potential threats, Pakistan acknowledges the fact that the global cyberspace has become increasingly unstable, posing numerous challenges to both global and international organizations and regional security. The ongoing global conflicts have further intensified this situation. Furthermore, the unregulated military applications of cyberspace, as highlighted in the third annual progress report, have further exacerbated these challenges stemming from an unregulated cyberspace. It has been observed that states and non-state actors are increasingly utilizing advanced tools and techniques to inflict harm, as evidenced by rising cyber attacks on critical infrastructure. These attacks disrupt essential sectors, including business, healthcare, energy, and transportation systems. Additionally, COVID operations aimed at spreading misinformation and state-sponsored disinformation campaigns contribute to social unrest and instability. Furthermore, the exploitation of hardware and software vulnerabilities poses significant risks, highlighting the urgent need for a global regulatory framework to ensure the responsible use of cyberspace. Chair, the militarization of cyberspace, the development of offensive cyber capabilities by nations, and the unchecked military applications of new and emerging technologies are all contributing to the further erosion of global peace and security.
The employment of new technologies, especially artificial intelligence by states and non-state actors, to disrupt, degrade, and deny access to cyberspace has significantly complicated the global cybersecurity landscape. Malicious actors are increasingly leveraging AI to enhance their cyber attack capabilities, leading to a surge in sophisticated threats. For example, the use of deepfake technology and automated phishing schemes has made it more challenging to detect and counteract these attacks, as adversaries can create highly convincing disinformation campaigns that undermine trust and security. Like other countries, Pakistan is also facing serious threats from an increasingly ungoverned cyberspace. These threats include cyberattacks on critical infrastructure, DDoS attacks, data theft, and targeted disinformation campaigns. To tackle these challenges and secure its digital assets and information systems, Pakistan put in place its first national cybersecurity policy in 2021. This policy aims to secure the entire cyberspace of Pakistan and to establish a stable cybersecurity ecosystem. In this regard, recently established its National Computer Emergency and Response Team or NSAID to make cyberspace more protected and resilient. Considering all this, Pakistan firmly believes that ungoverned cyberspace and the absence of a regulatory mechanism at the global level in the form of a legally binding instrument has become threatening for the global peace and security. On its part, Pakistan stands ready for enhancing interstate cooperation to effectively counter the threats posed by ungoverned global cyberspace. I thank you, Chair.
Chair: Thank you very much, Pakistan, for your contribution. Guatemala, please.
Guatemala: Thank you, Chair. Guatemala, I would like to thank you and your team for the coordination of this ninth substantive meeting of the open-ended working group and all of the work that has been done to ensure that we have sustained and action-oriented results. It’s undeniable that due to the very nature of cyberspace, potential threats will be a constant factor in this environment. We have recognized on various occasions that cyberspace represents a fundamental, crucial space for global activity. Nonetheless, due to its civil and double-use nature, it has been exploited on various occasions by criminal and terrorist groups. Furthermore, the increasing integration of technologies such as AI in critical systems increases the risk that future attacks will be increasingly destructive and complex. If these technologies are not adequately regulated, they could be used to automatize and speed up attacks with an unprecedented pace. Chair, Guatemala recognizes all of the efforts that have been made since the establishment of this OEWG. Many of the recommendations and needs have been taken into account and reflected in the annual reports, including the need for an international regulatory framework and the need for resources as well as capacity building, in addition, rapid response mechanisms and CBMs. These without any doubt are fundamental elements to allow us to address existing threats. Nonetheless, we are concerned that the current international juncture does not favor the prevention of emerging threats. We note with concern that the experience that we have gained in addressing attacks has increased. We are seeing increasing specialization leading to more precise cyber attacks. We need to step up our efforts, Chair, in order to bolster critical infrastructure, aware of the digital divide and therefore the crucial need for capacity building in a broad sense. The digital transformation is part of the path towards our shared success here. 
Open, resilient, safe, stable, accessible, peaceful, free and interoperable cyberspace is crucial for all. We recognize the importance of fostering partnerships between governments, private sector, academic institutions and international organizations to share experiences, resources and best practices in cyber security and to lead the efforts of our group towards the development, strengthening and current constant updating of the skills of every member. This is fundamental to ensure that we can mitigate cyber threats. Guatemala continues to be committed to promoting spaces for dialogue to ensure mutual trust between actors and international actors. We believe that through cooperation and the exchange of experiences, we can better face the current challenges and anticipate those that might arise in the future. Likewise, we reaffirm our readiness to work closely with other countries and institutions as well as the private sector to foster resilience and security in cyberspace. Thank you very much.
Chair: Thank you very much Guatemala for your contribution. The next three speakers after which I’ll give some remarks to wrap up this part of the discussion and then we’ll move on to the next cluster on norms. So, the next three speakers are Democratic People’s Republic of Korea, Slovakia, and then the ICRC.
Democratic People’s Republic of Korea: Thank you, Mr. Chair. I am going to be very brief and concise in the interest of the time. At the outset, my delegation would like to appreciate, Chair, and your team for the tireless efforts for the successful convening of the Ninth Substantive Session of the OEWG. We consider that the adoption of a single consensus resolution on the issue of ICT security in November is a positive signal in the right direction. We look forward to constructive dialogue and cooperation in the upcoming sessions, including this Substantive Session, to work out a balanced outcome document in 2025 in accordance with the mandate of the OEWG established pursuant to GA Resolution 75-240. We thank Chair for preparing a set of guiding questions to help facilitate discussions on the various outstanding issues under the OEWG mandate, and we are committed to constructively engaging with Member States to address outstanding issues in the final annual cycle of the OEWG. On that note, we would like to make a brief observation on the guiding question of existing and potential threats. In terms of security in the ICT domain, it is highly important that the cardinal principles of respect for sovereignty, territorial integrity, and non-interference in internal affairs must be strictly observed. It is deeply troubling that ICT tools are increasingly utilized for military purposes under the disguise of countering cyber threats, which exacerbates regional tensions and poses a significant threat to international peace and security. In addition, we share deep concerns of a number of Member States that disinformation, false flags, false narratives, and politically motivated attributes remain unabated, thus raising the risk of confrontation and conflict. Action-oriented measures should be clarified in the final report to urgently address those concerns without further delay. I thank you, Chair.
Chair: Thank you very much, Democratic People’s Republic of Korea, for your contribution. Slovakia, please.
Slovakia: Thank you, Mr. Chair, distinguished delegates. As the Slovak delegation takes the floor for the first time in this meeting, we are both honored and committed to fostering an international environment where mutual trust and cooperation are fundamental in the ICT security. The Slovak Republic stands in alignment with the statement presented by the EU, but I would like to take this opportunity to offer some brief remarks on other topics. Our world is increasingly interconnected, yet the quality of ICT products and services remains alarmingly poor. The substandard quality not only compromises global security, but also stunts strategic development on a worldwide scale. Slovakia therefore urges all states to prioritize security in collaboration with manufacturers, reinforcing the needs of robust internal cybersecurity frameworks. The ongoing struggle against cyber threats encompasses two distinct phases, reactive and preventive. In the aftermath of the incident, the reactive phase involves attribution, investigation, monitoring of financial flows, and effort to block or recover funds, particularly in the case of ransomware attacks. Preventively, our focus shifts to enhancing resilience, building capacity, educating users, and minimizing potential attack surfaces. It is crucial to align system design, implementation, and operation with internationally recognized standards and best practices, particularly in addressing vulnerabilities. Unfortunately, the majority of manufacturers prioritize basic market features over security. This is driven by the competitive demand for lower prices. This approach often leads to the omission of security considerations in product architecture and development. The secure-by-design concept, while commendable, is hindered by its reliance on a limited number of responsible entities. 
Current trends indicate an increase in vulnerabilities even among established manufacturers, stressing the ineffective application of secure processes in practice. Furthermore, as we enter the era of AI-based products and services, the imperative for secure design escalates. Concurrently, the rise in supply chain attacks during the design and manufacturing phases poses new challenges, often resulting in compromised product reaching end-users. Therefore, we would like to highlight here at the Open-Ended Working Group the crucial role of state influence over domestic manufacturers. This influence can be exerted through various means – regulation, control, certification, standardization – to motivate manufacturers to adhere to security-by-design principles, thereby reducing vulnerabilities and attack surfaces. Finally, Slovakia advocates for enhanced dialogue within this Working Group on preventive measures concerning both established and emerging technologies. Our collective effort in ensuring the security and resilience of ICT products and services is not just a strategic necessity but a fundamental responsibility towards our global community. Thank you.
Chair: Thank you very much, Slovakia, for your contribution. I give the floor now to the ICRC.
ICRC: Ambassador Gafoor, Excellencies, dear colleagues, the International Committee of the Red Cross is grateful for the opportunity to participate in this ninth meeting of the Open-Ended Working Group and to address the group with respect to the potential threats arising from the malicious use of ICTs. As this group recalled in the third annual progress report, the use of ICTs in future conflicts is becoming more likely, and ICTs have already been used in conflicts in different regions. The ICRC would like to raise awareness and deepen delegations’ understanding of conflict-specific threats by emphasizing some of the threats identified at the 34th International Conference of the Red Cross and Red Crescent, held in October. This conference brought together all high-contracting parties to the Geneva Conventions, and components of the Red Cross and Red Crescent movement. One of the resolutions it adopted focused specifically on protecting civilians against the potential human cost of ICT activities during armed conflict. We would like to emphasize four threats about which the conference expressed concern, and that could also be reflected in the final report of the OEWG. First, during armed conflict, connectivity and ICTs are of great importance for the delivery of many goods and services for the civilian population, for humanitarian relief operations, for civilians to seek and receive information on where to find safety and objects essential for their survival, and for maintaining family links. Thus, cutting connectivity or disrupting ICTs during armed conflict poses a significant risk to civilians. Second, the malicious use of ICT capabilities by parties to armed conflict risks causing harm to the civilian population, including across international borders.
In particular, there is a shared concern that such capabilities will be directed against or incidentally affect ICTs that are part of civilian objects, including objects indispensable for the survival of the civilian population, as well as works and installations containing dangerous forces such as dams, dikes, and nuclear electrical generation stations. Third, ICTs may enable or be used to encourage civilians to conduct or support ICT activities in armed conflict. In our assessment, and as confirmed by states and other humanitarian organizations, civilians are often not aware of the risks involved when conducting ICT activities during armed conflicts or the legal limits that they must respect. Relatedly, and as this group is aware, private technology companies provide a range of ICT products, services, and infrastructure on which civilian populations, governments, and humanitarian organizations rely. Given the importance of ICT services for civilian populations during armed conflict, it is important for private technology companies to consider the needs of all people affected by armed conflict when offering their services consistent with applicable law. Fourth, since 2022, the ICRC has repeatedly drawn the attention of this group to the threat of ICT activities that target humanitarian organizations and their data. Data breaches and disinformation, for instance, disrupt relief operations, undermine trust in their work, and threaten the safety and security of their personnel, premises, and assets, ultimately harming their ability to meet the needs of affected populations in armed conflict. We commend the reference to this threat in the latest OEWG Annual Progress Report. Chair, the threats we have just mentioned are of great importance for the lives and well-being of civilian populations during armed conflict, and they are widely acknowledged by states. 
The ICRC stands ready to continue its contribution to the discussion on threats and commends your efforts in reflecting many of these concerns in the final report. I thank you, Chair.
Chair: Thank you very much, ICRC, for your contribution. Friends, this has been a very rich and detailed discussion. And I hope that each one of you also found it useful as you listened to the many different contributions and I have to say very well-prepared and very thoughtful contributions from all of you. I wanted to say that with regard to the discussion on emerging or existing and potential threats, if you look at the very first annual progress report and look at the section under existing and potential threats and compare that with the most recent third annual progress report, you can tell that the section describing existing and potential threats has become much larger but also more detailed. That is an indication of two things. First, it is an indication that the threat landscape itself is evolving very rapidly. Second is also an indication that there is a greater level of comfort in discussing very candidly the threat landscape as we see it. And so that is a real value in my view of a discussion on existing and potential threats, to raise the level of awareness in terms of the very rapidly evolving threat landscape. And second, having raised the level of awareness of what is out there as existing and potential threats, ask ourselves as to what can be done in terms of cooperative measures and international initiatives to deal with these emerging, existing and potential threats. So, from that point of view, I think this working group has helped to provide that venue for a discussion on existing and potential threats because such a discussion is not taking place anywhere else at this point in time.
And I’m also very encouraged that there are so many delegations which have taken the floor because in a sense understanding the existing and potential threat landscape is fundamental and even foundational to everything else that we do because everything else is intended in some ways as a response to address, mitigate and deal with the existing and potential threats that we face. Now the discussion today goes further in some ways than the annual progress report we adopted just a few months ago in July. And that already shows that the existing and potential and emerging threat landscape has evolved even faster because technology is very rapidly evolving. And it is clear to me from your interventions that there is a great demand for everyone to express their point of view but share their concerns and also identify possible initiatives for cooperation at the global level. And precisely because the threat landscape is evolving so rapidly that it is important that we update and capture as many of the emerging elements or existing threats which are intensifying in novel ways. And it’s really important that we capture them firstly to raise awareness and secondly to encourage every country to respond to these emerging existing and potential threats. Now I think it’s also important to keep in mind that when we are discussing the section on emerging existing and potential threats to not look at it as if it is a section where fingers are going to be pointed in any particular direction. The idea of the annual progress report and for the final progress report later next year in July will be to capture in as comprehensive a way as possible the state of the existing and potential threat landscape because that will then give a very strong basis for the future permanent mechanism to look at possible cooperative measures to deal with and mitigate these threats.
So my plea to you would be to look at the discussion on the existing and potential threat section not as a way that fingers could be pointed but as a way that we can collectively address these threats and therefore to try and be as comprehensive as possible. What I also found encouraging is that everyone is committed to engaging in a discussion here so that is a very very good sign that there is gradually an emerging sense of comfort in talking about the different existing and potential threats and raising awareness with it. So there has been of course references to increasing use of ICTs in the context of conflicts. We’ve also heard the contribution from the ICRC which was the last speaker in our discussion this morning, and then the criminal and terrorist use of ICTs and how the lines are sometimes blurred between criminal and terrorist use of ICTs. And of course supply chain security and harmful hidden functions is a recurring issue, and I think many of you addressed this point as well. And ransomware has been a recurring issue, and the nature of this particular threat is also evolving in terms of frequency, scale, and the impact that these attacks have, especially on critical infrastructure and critical information infrastructure. I remember when we first started discussing threats a few years ago, even a reference to ransomware was seen as very divisive and contentious. But after several years of discussing this, we now know that it is a real threat, and that we cannot be like the proverbial ostrich, pretending that all is well. So we have to address this head on, not head in the sand, and address it, raise awareness of it. Again, as I said, not in a finger-pointing way, but in a way that is descriptive, neutral, and looks at the threat as it is. And then, of course, AI and other emerging technologies. I think the discussions in this domain have become more and more detailed.
Again, I remember when we tried to first include a reference to artificial intelligence, there was a debate as to whether that should even be discussed in this working group. But we now know that there is no other place to discuss it. Yes, we can discuss it in many different contexts. But from the point of view of international peace and security and ICT security, this working group provides a good venue to have those discussions about how the use of artificial intelligence has accelerated and expanded the threat landscape. And then, of course, there are many different ideas that have been put forward for addressing these threats. Measures to mitigate, measures to cooperate. And many different ideas have been put forward for collaboration, of course, working with stakeholders, the private sector. Because ultimately, it’s important that we work with everyone who has the capacity, the technology, and the knowledge if we are to seriously deal with this threat. And, of course, the question of capacity building keeps coming back even to this discussion. So, dear friends, I think it’s an excellent, excellent start to our work, our week here. And so let’s get on to the next cluster. What I have just said is by no means a summary and certainly not an exhaustive summary. And so if I have left out any particular issues of importance to you, it is not intended. We’ll go back and reflect on the notes. In any event, this is the first discussion as we resume this cycle. We have the session in February. And therefore, I would invite delegations to think of submitting working papers, which is one of the requests that was made in the last annual progress report, working papers. And better still, if these working papers are submitted collaboratively with groups of countries. But again, I would encourage these groups of countries to be cross-regional,
to reach out to other groups, to be as inclusive as possible so that you are building the foundations for partnerships and collaboration to deal with the emerging existing and potential threats. So let’s move on to the next cluster, which is the cluster relating to the further development of the rules, norms, and principles of responsible behavior of states and the ways for the implementation and if necessary to introduce changes to them or elaborate additional rules of behavior. So with that, I open the floor under this cluster, press your buttons, and then we’ll go through this cluster one speaker at a time. Very good. I’ve got a list of speakers. Yeah, the list is growing. That’s a good sign. Let’s start with Pakistan to be followed by the European Union. Pakistan, please.
Pakistan: Thank you, Ambassador. Pakistan acknowledges the importance of establishing rules, norms, and principles to ensure responsible state behavior in cyberspace, and we welcomed the 2015 report adopted by the group of governmental experts in which member states reached consensus on 11 norms of responsible conduct. I would like to reaffirm Pakistan’s commitment to constructively contribute to further development of such normative framework. Within this working group, Pakistan is ready to engage with fellow member states to forge a consensus on these foundational elements of responsible state behavior. And I would like to list some of these as follows. Number one, initiate discussion on the adoption of a legally binding instrument to regulate the behavior of states in cyberspace. Number two, ensuring prohibition of ICT activity that knowingly or unintentionally damages critical infrastructure. Number three, enhancing cooperation to reach an agreement on prohibiting the creation of harmful hidden functions or accumulation of vulnerabilities in ICT products, as well as to commit to responsible and timely reporting of ICT vulnerabilities. Number four, facilitating cooperation in the context of supply chain security of ICT products. Number five, ensuring safe cross-border data exchange and taking measures against data theft. Number six, refrain from allowing the ICT infrastructure to be used for malicious activities that threaten international peace and security and avoid interfering in the internal affairs of other states through means such as fake news and disinformation. And finally, formulation of an agreed mechanism under the auspices of the UN to resolve the conundrum of attribution. Chair, Pakistan maintains a balanced position regarding the advancement of these norms. While we recognize the significance of formulating non-binding voluntary norms to promote a secure and stable cyberspace,
it is crucial to emphasize Pakistan’s persistent position that such norms cannot serve as a substitute for a legally binding instrument. The fundamental discussion lies in the fact that a legally binding framework imposes explicit obligations and breaches thereof invoke state responsibility under international law. Moreover, non-binding norms tend to be effective primarily in peacetime, with their efficacy diminishing in times of conflict. Therefore, it is imperative that we strive towards establishing a robust legal framework that ensures accountability and promotes stability within the digital sphere. Concerning the checklist of practical actions for the implementation of voluntary non-binding norms of responsible state behavior in the use of ICTs, Pakistan in general supports the voluntary nature of the checklist. However, we are of the view that considering the technical and capacity-related gaps, further discussion is required on the draft checklist within this working group. I thank you, Chair.
Chair: Thank you very much, Pakistan, for kicking off the discussions under this cluster. European Union to be followed by Portugal.
European Union: Thank you, Chair. I have the honor to speak on behalf of the European Union and its member states. The candidate countries Montenegro, Albania, Ukraine, the Republic of Moldova, Bosnia and Herzegovina, and the EFTA country Norway, member of the European Economic Area, aligned themselves with this statement. Mr. Chair, under your leadership, this open-ended working group has covered great ground in increasing and deepening our common understanding on the norms of responsible state behavior. There is now a need to build on this momentum to further promote and fully implement the existing 11 norms of responsible state behavior through practical cooperation in light of the challenges. Over the past three years, we have discussed many of the 11 norms in more detail. We have also considered how countries can implement these norms in relation to the cyber threats they face, emphasizing that implementation is an ongoing process rather than a one-time effort. The EU welcomes the norms checklist of practical actions for the implementation of these norms, and your encouragement, Mr. Chair, for states to use that list as part of the implementation efforts. We also welcome the specific focus in the norms section of the last annual progress report on critical infrastructure and critical information infrastructure, as many identified threats are related to or can influence these systems. However, we believe there is room for improvement in the final report’s text. We would like to see greater emphasis on the protection of all critical infrastructures supporting essential public services, particularly medical and health care facilities, along with enhanced cooperation between states. We also welcome your initiative for states to share information about their national experiences implementing specific norms, with a priority focus on the critical infrastructure norms 13F, G, and H.
These experiences and lessons learned can help guide and deepen our conversation on this topic over the next year, as well as transition into more practical exchanges and cooperation on the protection of critical infrastructure, including in the context of the future mechanism. The need for an identification of any new norms will become clearer once we engage in more fulsome efforts to implement our existing norms. Indeed, we see this as part of the cycle that has been described in the context of the program of action that could identify gaps through the implementation of norms and discussion of international law, including the application of capacity building to identify possible gaps, and whether these gaps could, in the future, be addressed through the development of further common understanding. Chair, the EU attaches great importance to international and multi-stakeholder cooperation to advance an open, stable, peaceful, and secure cyberspace. We also stress the need to continue to share knowledge and best practices among states and stakeholders on specific challenges, determining what rules of existing international law and what norms would be applicable to tackle these challenges. The mentioned process would strengthen global capacities to address specific cyber threats. Overall, these efforts are essential to support states in their implementation of the agreed UN framework for responsible state behavior in cyberspace, including in relation to their national system, policies, and legislation. One of the key considerations for identifying critical infrastructure and protecting it from ICT threats is establishing a trusted exchange between critical infrastructure operators and relevant government authorities, which ultimately must take place in service of the efforts to successfully implement norms. The future mechanism for regular institutional dialogue should therefore prioritize practical exchanges with the multi-stakeholder community.
These are just a few examples of how we can further strengthen our collaboration building on the norms checklist. Implementations on the implementation of norms will not only enhance the effectiveness of our exchanges, but also enable us to increase our concrete efforts to improve cybersecurity. Mr. Chair, we still have significant work ahead to implement the existing 11 consensus norms. We believe that in 2025 our efforts will be better focused on ensuring the continuity of institutional dialogue within the UN regarding norms and other elements of the existing consensus framework. Thank you.
Chair: Thank you, European Union. Portugal to be followed by Cote d’Ivoire.
Portugal: Mr. Chairman, Portugal aligns fully with the EU statement, but would like to emphasize a few points on due diligence as a mature principle of responsible state behavior, which we believe could easily become ready for universal implementation. Among the non-binding norms of responsible state behavior in cyberspace, repeatedly endorsed by the UN General Assembly since 2015, due diligence is, in our view, one of the most deserving of a further layer of common understanding. The growing use of proxies by hackers, including of official proxies, is very worrying and can precipitate the use of unjustified countermeasures, which will be especially dangerous in the context of an armed conflict. Thus, before resorting to countermeasures in response to malicious operations launched from the territory of another state, namely when it apparently originated on a device belonging to a government agency, this state should be immediately called upon by the victim to confirm if digital devices on its territory have indeed been manipulated. A state should take all measures within the limits of its technological capability in order to avoid the use of devices on its territory, and in case it took them but devices were still used, it can be called to conduct an investigation and to share its results with the third state, as opposed to merely replying that it was unaware of the attack and of its authors. The cyber due diligence should also encompass the obligation to take into account the known risks that those operations may take place in the future, and thus it is violated when a state, knowing that devices on its territory can be used against the critical infrastructures or the rights and freedoms of the citizens of another state, does not act within the limits of its technological capabilities to avoid it.
In sum, the cyber due diligence requires that states be vigilant and guarantee the security of the ICT networks existing on their territories, whose devices can be intruded and abused to launch attacks against other states. Another layer of common understanding about this norm, which, with a view to its adoption by as many countries as possible, could endeavor to strike a real balance between, on the one hand, protection of fundamental rights and freedoms, like integrity, of personal data or freedoms of expression and assembly in the cyberspace and, on the other hand, the provision of security by national governments. Though the technical obstacles are many and hard to overcome, we should not desist from agreeing on a set of standards that increase the attractiveness of cyber due diligence as a means to afford a pause before precipitating a crisis generated by an unlawful act against a critical infrastructure. Thank you, Mr. Chairman.
Chair: Thank you very much, Portugal. Côte d’Ivoire to be followed by El Salvador. Thank you, Mr. President.
Cote d’Ivoire: Thank you, Chairman. Mr. Chair. At the outset, I’d like to reiterate to you my sincere congratulations for the perfect way in which you are leading our work, and we wish to reassure you that you will have the full cooperation of Côte d’Ivoire to ensure the successful conclusion of our discussions. Côte d’Ivoire believes that despite their voluntary, non-binding nature, the norms represent the backbone or even the very spirit of the framework of responsible state behavior. They provide crucial guidance as to the standards of state behavior in the use of information and communication technologies. In this way, they help to curb the risk of misperceptions. They help to prevent conflicts and, finally, to promote the peaceful use of cyberspace, which is the ultimate aim of our efforts. The need for their implementation and their gradual development is, therefore, of paramount importance. However, we continue to face numerous challenges in this area that hamper our results in this domain, particularly for developing countries. These are particularly related to differences in levels of common understanding of these norms as well as a lack of capacities, resources and technical means. Capacity building is therefore essential to support the effective implementation and also the effective implementation of the Responsible Behaviour Framework. My delegation believes that the voluntary checklist of practical actions for the implementation of the voluntary norms of responsible state behaviour in ICTs that we recently adopted is a precious tool, particularly in order to identify states’ needs and priorities, particularly of those states that are less well endowed with digital capacities. The use of this checklist, based on taking into account the technical gaps between states, the diversity of national systems and regional specificities, must indeed remain an essential precondition here. 
Furthermore, initiatives such as UNIDIR’s training programmes in norms, international law and cyberspace should be encouraged. Cote d’Ivoire this year was able to benefit from this programme, which represents a true instrument for the promotion of these norms and addressing the challenges while also ensuring their specific implementation. Furthermore, my delegation calls for the development of frameworks to allow us to change experiences and good practices, particularly at the bilateral and regional levels, as well as to ensure further support for the implementation of the pre-existing good practices. Cote d’Ivoire, firmly guided by the various voluntary norms for behaviour, is making real efforts to ensure further security and stability in cyberspace. Therefore, over the last few years, my country has been bolstering its national legislation in the use of digital technologies by adopting various measures on personal data protection, on combating cybercrime, and addressing electronic transactions. My country, since December 2021, has been implementing a national cybersecurity strategy for the period 2021 to 2025. This aims to ensure more effective and efficient management of cybersecurity and combating cybercrime. On the 30th of October this year, the Ivorian government decided to establish the National Agency for Information System Security. This is now the only national structure dedicated to cybersecurity. The agency is tasked with managing cybersecurity crises, coordinating efforts to protect critical infrastructure and information systems. It’s also in charge of steering prevention, protection, monitoring, detection processes, and responding to digital incidents. My country also has had, for the last decade, a Côte d’Ivoire Computer Emergency Response Team. This is a center to monitor and respond to information security incidents in Ivorian cyberspace. In 2016, our CERT joined the FIRST, the Forum of Incident Response and Security Teams.
Since then, it has been collaborating with several regional and international networks in this domain. At the regional level, Côte d’Ivoire is involved in various initiatives. These include the ECOWAS Symposium on Cybersecurity in West Africa. Indeed, we organized the first edition of this in 2021. It seeks to holistically ensure responses to cyber attacks. My country is also actively involved in the Cyber Active Africa Forum. The aim of this is to ensure discussion of good practices in order to come forward with specific solutions in cyber security. In addition, in order to prevent the terrorist use of digital technology, my country in September 2019 signed the Christchurch Call. The goal of this is to remove terrorist and violent extremist content online and to curb the use of the Internet by terrorists. Cote d’Ivoire intends to continue this action to promote a better implementation of these norms of responsible state behavior. Thank you very much.
Chair: Thank you very much, Cote d’Ivoire, for your contribution. El Salvador, to be followed by Cuba.
El Salvador: Chair, El Salvador welcomed the document that sets out practical actions for the implementation of voluntary norms of responsible state behavior and the use of ICTs. We believe that this list is fundamental in order to make headway in this implementation. We are grateful that this list now exists and that our request in this regard was taken into account. We believe that it’s important to strengthen cooperation and the exchange of experiences effectively and to respond to requests for assistance in the case of ICT incidents. We are pleased to note that since the last session in which we addressed this matter, El Salvador has adopted its cybersecurity and information security law and our personal data law. These laws include the establishment of an agency that will be responsible for supervising information security at the national level. The personal data protection law aims to establish a normal legal framework for the collection, use, processing, storage and other related activities, activities related to data. Both laws are key steps towards the implementation of a responsible behavior framework, particularly the 11 voluntary norms. In this context, El Salvador proposes the consideration of a potential new norm and the updating of an existing norm, a new norm underscoring the crucial role of ethical hackers in the investigation of cybersecurity incidents. These professionals work preventatively to look at vulnerabilities in our ICT systems to avoid their exploitation. In this sense, we suggest that states provide better protection, including the allocation of criminal responsibility for those who, in good faith, penetrate into information systems to address vulnerabilities that could be exploited for unlawful purposes. We recommend the strengthening of norm E on the right to privacy in the digital sphere through voluntary steps to ensure that states can make headway in establishing legal frameworks for data management across its lifecycle. 
This could include the implementation of principles such as the limitations in the collection of personal data, more transparency in the… purpose of the collection of data that should be relevant to the specific purposes for which it should be used. It also includes the application of security principles as well as accountability processes. Many modern cyber attacks seek to collect personal data to carry out other future attacks, such as financial fraud or identification, ID theft. Therefore, these steps could help to curb these risks. Finally, we reiterate the importance of international cooperation and capacity building, as well as technology transfer and technical assistance as fundamental elements to make headway in implementing these norms. Thank you very much, Chair.
Chair: Thank you very much, El Salvador. Cuba to be followed by the United Kingdom.
Cuba: in favour of the development, within the context of the United Nations, of legally binding norms as a complement to the applicable principles of international law. These would fill legal voids in cyber security and enable the objective management of increasing threats and challenges that states are facing in this sphere. Voluntary norms are limited by their very voluntary nature. They, for this reason, only represent an intermediate step in our efforts here. In response to the guide questions presented for this meeting, in relation to the establishment of a voluntary checklist of practical actions, we recall that the norms, rules and principles developed by the previous GGEs, in which not all member states were involved, do not have universal acceptance. Chairman, the mandate of our working group included the development as a priority of rules, norms and principles of responsible state behaviour and, where necessary, the introduction of changes or the drafting of additional rules of behaviour. As we mentioned in our statement yesterday, in light of the very little time remaining to conclude the work of the OEWG, it is crucial and urgent now to ensure that it fulfils its mandate to strengthen the normative framework to regulate the sphere of ICT security and use. To prepare additional norms, the OEWG should take the proposals of norms presented by states as a basis. These are set out in the annex to the OEWG Chair’s report from 2019 to 2021. The elaboration and implementation of norms for responsible state behaviour in cyberspace should be done on the basis of respect for the principles of sovereignty, sovereign equality, political independence and territorial integrity. They must promote peaceful coexistence and international cooperation for mutual benefit and interest. 
We need norms that, for instance, refer to the prevention of the militarization of cyberspace and the promotion of cooperation to reduce gaps and build capacities to respond to the threats that states are facing, as well as to ensure the peaceful settlement of possible disputes. At the same time, we must bear in mind that single recipes, if you like, for the implementation of norms developed within the United Nations are not an option, given that every country has its own specificities and, in general, developing countries don’t have the same technical and technological conditions as developed countries. Therefore, even though we have common responsibilities, they must also be differentiated. Chairman, we see urgent need to, together, address increasing threats. However, this cannot be done without developing voluntary good faith norms, which is a notion that could, however, be manipulated on the basis of political interests and contexts. A broad-based, legally binding instrument that establishes obligations that should be constantly followed up on would be the most effective contribution to establishing a model for responsible state behavior. Guided by this maxim, our delegation supports the Russian initiative that suggests the elaboration of a future international convention. We have joined as a co-sponsor of the concept note that puts forward a preliminary notion or concept of… and based on this proposal. As we work towards preparing a future binding instrument, we could consider the preparation of a roadmap. The Global Cyber Security Index established by the ITU includes a set of indicators that could also be included as a starting point here. Thank you very much.
Chair: Thank you very much, Cuba, for your statement. United Kingdom, to be followed by the Russian Federation.
United Kingdom: Chair, the voluntary checklist in Annex A of the Third Annual Progress Report marked a positive step forward last year. The checklist is at the right level of detail and contains numerous valuable recommendations for states seeking to improve their implementation of the agreed norms. It also makes valuable use of the 2021 GGE report, which remains an important milestone document on norms guidance. We agree with the acknowledgement in the introductory section in paragraphs 1 to 5 of Annex A that implementing the norms is related to capacity and that this checklist is a capacity-building tool. As parts of the checklist acknowledge, capacity is related to whole-of-government coordination. In our view, in the introductory section, there is an opportunity to further emphasise whole-of-government coordination in relation to the norms. At the national level, states should take steps to raise awareness of the voluntary non-binding norms with relevant national authorities, including the technical community. Reflecting this principle could improve paragraph 3. We also see an opportunity to add a new voluntary practical action to aid implementation of Norm I to bring it up to date with recent developments. Norm I partly relates to preventing the proliferation of malicious ICT tools. The existing voluntary practical actions under Norm I already contain a number of useful recommendations relating to supply chain risk management, data protection and privacy, and vulnerability exploitation. But they do not fully address the more recent issue of the proliferation of commercially available ICT capabilities.
We would like to add a new practical action recommending that states safeguard against the potential for the illegitimate and malicious use of commercially available ICT intrusion capabilities by ensuring that their development, dissemination, purchase, export or use is consistent with international law, including the protection of human rights and fundamental freedoms. This would draw on the text from the OEWG’s third annual progress report and could form a new voluntary practical action number seven under Norm I. Chair, we took note of the suggestions for additional new norms that were made last year. Overall, we still consider the existing set of norms to be a helpful and comprehensive articulation of states’ collective expectations of behaviour in cyberspace. Many of the suggestions for new norms were either beyond the international peace and security mandate of these discussions or related to behaviour that is already addressed by one or more of the existing agreed norms. At this time, we are therefore not convinced that new norms are needed. Instead, we think that we should focus our limited time together on how best to develop our collective capacities to deliver on the intent behind the agreed norms. Thank you, Chair.
Russian Federation: Mr. Chair, in accordance with the mandate of the Open-Ended Working Group, enshrined in UNGA Resolution 75-240, a priority of our work is to develop rules, norms and principles of responsible behavior of states in cyberspace. We believe that such efforts should be carried out in line with the principle of maintaining a balance between the implementation of the voluntary rules approved by the UN and the drafting of new legally binding norms pursuant to UNGA Resolutions 77-36 and 78-237. In this regard, we deem it still relevant for the Chair to design a paper with the relevant proposals made by states within the current group and in the first OEWG. We are convinced that to raise the security of states in the ICT sphere, there is a need for a transition from political agreements to a legally binding framework. Until then, it is crucial that states responsibly implement the rules. The key indicator in this respect is the integration of the relevant guidelines into national legislation. The Russian Federation is ready to present a review of its compliance of national legislation and doctrinal documents with the rules, norms and principles of behavior in the field of International Information Security, IIS, approved by the UN. We will submit our contribution to the UN Secretary-General after this statement. We request it be published on the OEWG website. We view this review as Russia’s contribution to further work on the checklist on the implementation rules prepared by the OEWG Chair. Our document takes into account the initial list of 13 rules contained in UNGA Resolution 73-27. It includes references to the Constitution of the Russian Federation, to international treaties, to federal laws, the Criminal Procedural Code and to strategic planning documents. The review clearly represents the commitment of our country to strengthening cooperation with foreign states in the field of information security on an equal footing.
Our commitment to observing norms of international law and to contributing to maintaining the central coordinating role of the UN. The priority is to promote the establishment of an international legal regime for the prevention or settlement of interstate conflicts in the global information space, to enhance the security of critical cyber infrastructure or information infrastructure rather, and to ensure it can function sustainably, to develop mechanisms for the detection, prevention and mitigation of information threats, and to draft measures to prevent and suppress offenses and crimes committed with the use of ICTs. We believe that the review could be used for capacity building to develop national legislation. We call on other states participating in the OEWG to follow our example, since their legislation includes similar provisions. Such endeavors would move us closer to drafting universal, legally binding agreements in the field of IIS. Russia is determined to achieve this goal with the support of the majority of states. Our concrete views on the new rules, norms and principles of state behaviour are set forth in the concept of a UN Convention on IIS submitted as an official document of the 77th session of the UNGA. The document intended to promote prevention and peaceful settlement of conflicts could serve as a basis for negotiating new norms and in the long term could become a starting point to draft an international agreement on IIS. Our previous suggestions on the new norms include the following: 1. The sovereign right of each state to ensure the security of its national information space as well as to establish norms and mechanisms for governance in its information space in accordance with national legislation. 2. Prevention of the use of ICTs to undermine and infringe upon the sovereignty, territorial integrity and independence of states as well as to interfere in their internal affairs.
3. Inadmissibility of unsubstantiated accusations brought against states of organising and committing wrongful acts with the use of ICTs including computer attacks followed by imposing various restrictions such as unilateral economic measures and other response measures. 4. Settlement of interstate conflicts through negotiations, mediation, reconciliation or other peaceful means of the state’s choice including through consultations with the relevant national authorities of states involved. In the context of the incident in Lebanon in September 2024 we would like to emphasise the importance of complying with the norms of responsible behaviour enshrined in UNGA Resolution 73-27. This is particularly true regarding states taking measures to ensure the integrity of supply chains for the sake of the security of ICT products, as well as preventing the proliferation of malicious ICT tools and techniques, and the use of harmful hidden functions. We believe that these provisions relate not only to states as regulators of the activities of IT companies on their territory, but also to developers and manufacturers of ICT products and services. We should like to comment briefly on the above-mentioned checklist. In our view, the document is good food for thought. It includes a number of useful elements that could be reflected in a future international agreement in the field of international information security. However, there are still substance-wise questions to the list. In particular, the list takes into account only 11 rules of behaviour from the 2021 GGE report, which were approved without the participation of the majority of states, while the initial list of 13 rules was approved by the UNGA. In this regard, we insist on supplementing the Chair’s document with the missing rules set forth in UNGA Resolution 73-27. It would be a good idea to consider updating the checklist, taking into account the agreements reached at the OEWG.
First of all, to focus more on the global intergovernmental points of contact directory for the exchange of information on computer attacks incidents launched in May 2024. In addition, we would like to draw attention to the purely voluntary nature of this document. And we would caution states against employing it for political propaganda. Thank you very much indeed.
Chair: Islamic Republic of Iran.
Islamic Republic of Iran: Thank you Mr. Chair. The OEWG mandate as enshrined in Resolution 76-19 tasks us to further develop rules, norms and principles for the responsible behavior of states in information space and the ways for their implementation. My delegation has always supported the formulation of consensual international rules for information space that would be accepted by all countries. The norms must be developed and implemented on the basis of respect for the principles of sovereignty, sovereign equality, political independence and territorial integrity of states. They must promote peaceful coexistence and international cooperation for mutual benefit and interest. Further, technical and technological gaps among states should be taken into account. We have stressed that the inclusive participation of all states in the norms development process is crucial for the effective implementation of them. The current approach within the group contrasts with the mandate given to the OEWG. We are of the firm belief that developing documents such as the checklist provided by the Chair aimed at the effective implementation of those norms should be considered within a holistic approach. There are a lot of questions and ambiguities regarding the purpose and content of the checklist. The document, as reflected in Annex A of the last APR, is based on the recommendations of the 2021 GGE report, which the majority of the OEWG members did not take part in the development and this report does not enjoy universal acceptance. Moreover, states’ proposals on new norms as put forward and reflected in 2019 OEWG’s Chair’s summary and recognized in paragraph 80 of the final report are ignored. Much of the language used in developing checklists, especially on norms B and E, are vague, interpretable, and unnecessary. In addition, attitudes such as attempting to condition the implementation of capacity building commitments by states on a set of norms and checklists are unconstructive.
We believe it is rational to postpone negotiating the document to be discussed within the permanent mechanism once states decided regarding the methods of agreeing on the comprehensive list of norms. Meanwhile, to fulfill the outstanding mandate of elaborating additional norms before the OEWG wraps up its work in 2025, my delegation once again suggests that the chair of the OEWG take the initiative to provide an initial draft encompassing all new norms, rules, and principles proposed by member states, which could be based for discussion in the forthcoming format. The substantive sessions of the current group could be spent on elaborating countries’ views on the norms, rules, and principles they are considering, as recommended in paragraph 34 of the third APR. In this regard, my delegation believes that at the time being, in-depth discussions on data security issues, including cross-border data flow and supply chain security, are of the most importance. All countries should strive to maintain an open, fair, and non-discriminatory business environment and ensure that the global supply chain of information technology products and services is equally available for member states. All countries should require enterprises and private companies to strictly abide by the laws of the country where they are located and where they are providing services. These requirements should be regulated through certain objective norms. In this regard, and among those other norms submitted by my delegation, we would like to highlight the norm aimed to ensure that the private sector, including social media platforms with extraterritorial impacts, are held accountable for their behavior in the ICT environment. The full list of proposed norms has been submitted to the group before. We are willing to work with all parties to jointly promote the establishment of global rules for digital governance that reflect the wishes of all parties and respect the interests of all parties. I thank you, Mr. Chair.
Chair: Thank you very much, Islamic Republic of Iran. Friends, at this point it strikes me that all of you have been so thoughtful and very assiduous in following the discussions, so I’m going to reward you with a 15-minute coffee break. Exactly 15 minutes is also an opportunity for confidence building between all of you, so we will come back exactly 15 minutes later after the coffee break. The meeting is adjourned for 15 minutes. It seems to me that the index of happiness rises after a coffee break. I hope you had some time to connect with other delegations. And so we return now to the list of speakers, starting with Bosnia and Herzegovina, to be followed by Japan, Singapore, South Africa. We’ll go down the list. Bosnia and Herzegovina, please. Right, we’ll go to the next speaker. Japan.
Japan: Thank you, Mr. Chair. First, I’d like to emphasize the importance of focusing on the steady implementation of existing norms by making concrete, action-oriented proposals. Japan shares the view expressed in the third APR Paragraph 31A that voluntary and non-binding norms of responsible state behavior can reduce risks to international peace, security, and stability, and play an important role in enhancing predictability and reducing the risk of misperception, thus contributing to conflict prevention. Mr. Chair, with regard to the guiding question on additional norms, Japan attaches importance to promoting existing norms of responsible state behavior in cyberspace. We believe that the international community should focus its resources on taking concrete actions to implement existing norms, rather than spreading resources among multiple objectives at the same time, including the search for possible additional norms. The world is facing a sharp increase in cyber threats to all member states, as this group discussed yesterday. So we need to accelerate the concrete actions on the ground to counter these threats without delay. Given the limited resources of each member state, now is the time to prioritize our efforts and to focus on the implementation of the norms in a more concrete way. Mr. Chair, with regard to the guiding question on the voluntary checklist of practical actions, it is essential to ensure the effective use of the checklist of practical actions for the implementation of the voluntary, non-binding norms of responsible state behavior. In order to improve this checklist, states can take advantage of its nature as a living document by sharing lessons learned from its actual use and exchanging ideas on how to improve it. Therefore, Japan would like to encourage the actual application of the checklist by each state and proactively share feedback with the OEWG.
Based on such practical knowledge, we can have more concrete and effective discussions in the coming meetings. Thank you, Mr. Chair.
Chair: Thank you very much, Japan. Singapore to be followed by South Africa.
Singapore: Thank you, Mr. Chair. Singapore appreciates the vibrant discretion to discuss the evolving ICT landscape, which is both unique and rapidly transforming. The voluntary and non-binding norms agreed by all UN member states in 2015 were critical milestones. However, the pace of technological advancement over the last decade requires us to adapt to the new opportunities and challenges. We acknowledge the pressing need to respond to these new and emerging threats and welcome forward-looking discussions on the further development of norms. This will be essential to ensure continued stability and responsible use of cyberspace in the future. At the same time, implementing the existing norms remains a priority as many states have just begun to explore operationalizing these norms. For this reason, Singapore strongly supports the Voluntary Checklist of Practical Actions. We hope that states will be able to reach a consensus recommendation on the Voluntary Checklist in the OEWG’s final report, in line with the recommendation agreed in the third APR. We see it as a living document, one that evolves iteratively and inclusively to keep pace with the dynamic cyber landscape. This approach aligns with our regional development of the ASEAN Norms Implementation Checklist that was recently completed in collaboration with all ASEAN Member States and UNIDIR. We wish to highlight that implementing existing norms and developing new ones are not mutually exclusive processes. They must proceed in tandem. As we work on implementations, gaps will naturally emerge, highlighting areas that require a new set of considerations. This interconnected and coordinated approach ensures that we remain both grounded in practice and forward-looking in strategy. Thank you, Mr. Chair.
Chair: Thank you very much, South Africa, to be followed by Argentina.
South Africa: Thank you, Chairperson. South Africa values the importance of continuing discussions on possible additional norms of responsible state behavior in the use of ICTs. Our delegation has expressed a view that implementation of existing norms contributes to a better understanding of the gaps in existing norms, if any, thus informing the need for new or additional norms to be developed, as our colleague from Singapore has stated. The third APR has reiterated increasing concern that threats in the use of ICTs in the context of international security have intensified and evolved significantly in a geopolitical environment that remains challenging. It has become very clear, the threat section of the first, second, and third annual progress reports, that while incidents involving the malicious use of ICTs and ICT threats manifest themselves differently across regions, their effects can also be global. Despite the many benefits emerging technologies bring, such as AI, the associated risks are two-fold. Thus, our delegation believes that the discussion on the development of additional norms to complement existing norms on threats to ICT security should be left open for member states to attend to when it becomes necessary. With regard to the voluntary checklist of practical actions, we believe that the same principle applies, that is, the checklist can be further enhanced through experiences gained during the norms implementation process. As a living document, the checklist will continue to evolve and benefit from the information shared as more states continue to implement the cumulative and evolving framework on ICT security. I thank you.
Chair: Thank you very much, South Africa. Argentina, to be followed by Mexico.
Argentina: Thank you very much, Chairman. Argentina recognises the challenge posed by the changing nature of ICTs, and for this reason, we accept the proposals for the elaboration of new rules of responsible behaviour in cyberspace. Against this backdrop, my delegation welcomes the opportunity to continue exchanging perspectives on possible additional responsible behaviour norms, as is reflected in the third annual report. However, it is more urgent, we believe, to focus the group’s efforts on the effective implementation by states of the 11 current norms adopted by the General Assembly. In this context, the Voluntary Checklist of Practical Actions we think is a good starting point in this direction that should continue to be considered by the Group. Chair, every State belongs to a specific region marked by its own characteristics and threats. For this reason, it is the prerogative of every State to establish which infrastructure should be designated as critical. Furthermore, and due to these differences, we believe it is essential to assist in the implementation of the pre-agreed norms by focusing on additional efforts and capacity building in a broad-based sense as well as other efforts. As Côte d’Ivoire, we would like to underscore the commendable work done by UNIDIR in promoting and training State representatives on the norms of responsible behaviour. Furthermore, my delegation encourages the promotion of international cooperation and cooperation with the private sector. Particularly, public-private partnerships are key to developing and promoting best practices in the protection of the entire supply chain. For this reason, we encourage the exchange of information and experiences for the effective implementation of norms with the active participation of all interested stakeholders. Thank you.
Chair: Thank you, Argentina. Mexico to be followed by Kazakhstan.
Mexico: Thank you. Thank you. which is fundamental to guaranteeing security and stability in cyberspace. It is thought that the focus of discussions in this substantive session and those that we have tabled for 2025 should be focused on the practical implementation of the norms of responsible behaviour that were already adopted in the final reports of the GGE and the working group from 2021 as well as the three annual progress reports from this working group. We underscore that the effective implementation of these voluntary norms not only promotes stability and security in cyberspace but it is also essential to continue fostering an inclusive dialogue that encompasses all relevant actors. This dialogue under the auspices of the United Nations should guarantee a gender-sensitive approach and should be tailored to meeting emerging challenges. The approach will not only strengthen mutual trust between states but also seek to ensure training of developing states to ensure that they can address cyber threats in an effective and collaborative manner. Furthermore, my country welcomes the checklist for practical steps and we believe that this is a living document that can be adapted to national context. This resource which is complemented with tools such as the survey for national implementation, the civil portal and other tools provides a solid basis for exchange of information, the identification of gaps and mapping opportunities. In this context, Mexico suggests incorporating in the checklist the lessons learned from regional organizations, including the OAS, the African Union, and ASEAN. Thank you very much.
Chair:
Kazakhstan: Thank you, Chair. As we advance in our discussions, it is evident that while significant progress has been made through the voluntary checklist, the rapidly evolving nature of ICTs needs a periodic review of the checklist to maintain its relevance. In this regard, it is crucial to adopt both global and region-specific approaches, including the establishment of cross-regional partnerships to facilitate knowledge sharing among states within the similar ICT conditions. As mentioned by several states, we believe that prioritizing the enhancement and practical implementation of existing norms is more effective than introducing the additional new ones. The voluntary checklist should evolve into a living document that adapts to shift in the global cyber risk landscape. Furthermore, the active engagement of the private sector and non-governmental organizations is vital for transferring expertise and fostering collaborative environment. In light of ongoing discussions on existing norms, we would like to offer several observations to support a more robust and unified approach to responsible state behavior in cyberspace. For norm E, we propose adding a focus on strengthening personal data protection measures through the development and the enforcement of comprehensive data protection laws to safeguard personal data from unauthorized access, misuse, or exploitation. These frameworks should align with the international standards to protect individuals’ rights to privacy and foster trust in the secure use of ICTs, adhering to the principles of confidentiality, integrity, and availability. In response to the increasing ICT-related threats, Kazakhstan has been annually improving its legislation on personal data. This includes implementing mandatory cyber insurance for operators managing than one million personal data records, refining consent mechanisms, and creating state technical solutions for managing consent.
For Norm G, to safeguard critical infrastructure, we emphasize the importance of conducting international scenario-based discussions that simulate ICT-related disruptions. This exercise will build resilience across borders and foster a shared understanding of best practices. Additionally, establishing unified baseline cybersecurity standards will enable all states, respective of their technological development, to protect their critical infrastructure effectively. As part of our efforts in this area, Kazakhstan is implementing standards to monitor the actions of super-administrators and employees of the information systems. Moreover, our country allocates 10-15% of its ICT budget to information security issues. For Norm K, looking to the future, it is essential to promote ethical guidelines for the development and use of technologies such as AI. These guidelines should emphasize transparency, accountability, and fairness. For instance, AI ethics framework could advocate for the inclusion of the misuse prevention mechanisms, such as detection and correction protocols, to ensure the responsible use of ICTs. Such measures would mitigate risks associated with the emerging threats and promote safe integration of AI in society. Kazakhstan has integrated cybersecurity and personal data protection requirements into its AI concept and has included the development of methodological recommendations across various sectors in the strategic plans. Finally, as the digital world becomes increasingly integrated into our daily lives and national security frameworks, the opportunities for collective progress are immense. By advancing state’s proposals and continuously refining the voluntary checklist, we can create a more secure, resilient and collaborative cyberspace. Thank you.
Chair: Thank you very much, Kazakhstan. Bosnia and Herzegovina, please. Works. The mic is not working. Yeah, it is.
Bosnia and Herzegovina: Thank you, Mr. Chair. While we aligned with the statement of the European Union delivered earlier, I would like to add some remarks in my national capacity. I wish to share developments at the national level in Bosnia-Herzegovina as well as on our engagement at the international level regarding the practical actions for the implementation of voluntary non-binding norms of responsible state behavior in the use of ICTs. At the national level, we are continuously investing efforts in strengthening our cyber capacities as well as in developing strategic and regulatory framework. In that regard, following the adoption of changes of the internal structure of the Ministry of Security, legal conditions are met for establishing CERT at the state level. The premises for the new CERT are provided as well, and we are in the process of finding solutions regarding staffing and employment of experts. Staffing, sorry, and employment of experts. Also, we are finalizing procedures to establish a working group that would be tasked with developing strategic framework on cybersecurity in Bosnia-Herzegovina. In parallel, there are ongoing efforts for developing and adopting laws relevant to network and information security. Also, we have intensified activities in the Ministry of Foreign Affairs, both in the domain of establishing coordination regarding cyber diplomacy, as well as in the domain of strengthening cyber security. In addition to that, we have organized in September this year first AI Summit in Sarajevo, the capital of Bosnia-Herzegovina, which was entitled Kiss the Future. It was held under the auspices of the Presidency of Bosnia-Herzegovina and in cooperation with the Ministry of Foreign Affairs. The event was an opportunity to gather both public and private sector representatives and engage in conversation on how AI is transforming industries and shaping a sustainable future. That was not actually one-off gathering.
The next edition is to take place in October next year. At the regional and international level, we engage in exchanging information and good practices on ICT sub-regionally within the Western Balkans region and regionally within the Organization for Security and Cooperation in Europe, especially through the informal working group established by the OSCE Permanent Council Decision 1039. First, as a reminder, by this decision, the OSCE participating states decided to work on developing comprehensive CBMs in order to enhance cooperation between the states, increase transparency, predictability, and stability, and reduce risks of conflicts which might be stemming from the use of ICT. Two sets of CBMs have been adopted. Eleven transparency measures which promote cyber-resilience and preparedness, encourage communication and increase transparency, and five cooperative measures which further address effective communication channels, public-private partnership, critical infrastructure protection, and sharing of vulnerability information. These CBMs are non-binding, but all 57 participating states made a political commitment to adhere to them. Bosnia-Herzegovina has recently actually enhanced its participation in this informal working group within the OSCE and actively shares information with regards to operationalization and implementation of these CBMs. Additionally, with the support of the Partnership for Strengthening Cybersecurity, which was established under the Berlin Process, which is a framework of cooperation within the region of the Western Balkans and of the region with the European Union, and with the support of our partners from the government of Germany, GIZ, recently the partners from the Western Balkans region have engaged in discussions on modalities of strengthening of our cooperation in cyber diplomacy domain, including on possibly establishing Western Balkans Cyber Diplomacy Network.
We already have established cooperation between our CERTs in the region and national authorities in charge of cybersecurity. Given the fact that the EU membership of Bosnia-Herzegovina is the strategic goal and priority of foreign policy, and in the view of candidate country status of Bosnia-Herzegovina for the EU membership, as well as the Council decision on opening accession negotiations with Bosnia-Herzegovina once the certain conditions are met, the EU legislation and standards regarding network and information security, in particular NIS2 directive, are of crucial importance for us. Furthermore, in order to strengthen dialogue and cooperation with private sector, academia, civil society, and technical community, we are investing efforts in strengthening cooperation within the informal working group which is established in Bosnia-Herzegovina called Neretva Group. It was established several years ago under the auspices of the OSCE mission of Bosnia-Herzegovina. It gathers political stakeholders and ICT cyber experts, as well as representatives of the public and private sector from all levels of government in Bosnia-Herzegovina, including state and entities institutions, then from agencies, banks, energy and academic sector, as well as young prospective experts. This group proves to be a generator of policy actions, initiatives and ideas in the area of cyber security, including preparing guidelines for strategic framework for cyber security in Bosnia-Herzegovina, establishing public-private partnerships and platform and modules for e-learning. The latest meeting of this group was held during the month of cyber security awareness in October and it was the opportunity to focus on EU-NIS2 directive, which I mentioned earlier, in order to emphasize its importance as well as that of the cyber security in general.
Regarding fighting cyber criminal use of ICTs, I wish to remind that Bosnia-Herzegovina is a party to the Council of Europe Cyber Crime Convention, so-called Budapest Convention. Also we welcome the progress made on cyber crime convention in the UN. Bosnia-Herzegovina is committed to continuing its efforts on contributing to protection and promotion on human rights and fundamental freedoms online and offline. In that vein, and following the adoption in May this year and recent opening for signature of the Council of Europe Framework Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law, as an international legal instrument aiming at ensuring that the development of artificial intelligence respects our standards in the field of human rights, democracy, and the rule of law, we have initiated our internal legal procedures for signing this Framework Convention. The process is still ongoing. From this brief, non-exhaustive overview, it is evident that we have many ongoing activities with regard to the implementation of norms of responsible state behavior in the use of ICTs, especially at the regional level. However, we still have significant work ahead in continuous implementation of those and other existing norms and practical actions, including those regarding critical infrastructure. Although we are committed to fostering dialogue, and thus ready to engage with other states in discussions on possible additional norms of responsible state behavior in the use of ICTs in due course, currently, in the view of the aforementioned and having in mind our capacities and resources, we are giving priority to the implementation of the existing norms, especially taking into consideration that many of activities on implementation of the norms are already ongoing in the regional framework of cooperation. Thank you.
Egypt: Mr. Chair, thank you. On norms, rules, and principles of responsible state behavior in the ICT domain, we would recall that in paragraphs 31A and F, of our third APR, it was stated that the aim of these non-binding norms is to reduce risks to international peace and security through increasing predictability and avoiding misperceptions, while noting that the voluntary checklist is a living document that should be updated. That said, and while appreciating the value of the norms A through F in the checklist, we believe that the current and recent developments in our world require measures that do more than focus on consulting, sharing, enhancing national policies, and calling upon exercising self-restraint. Accordingly, we propose the following four points. First, it’s our belief that we need to have a serious discussion on the effectiveness of non-binding norms and whether we need to enact a mix of both binding and non-binding measures to deal with the increasing and rapid development of threats. Second, we might as well consider developing a negative list of actions that states are required to refrain from. Third, norm F of the checklist states the following. A state should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure. While agreeing with the importance of such norm and the need to prevent any attack on critical infrastructure, we believe that it’s even more important to prevent engagement in ICT activity that would run against the state’s obligation under international law in general. So we propose that the checklist could benefit from an additional norm that treats as follows. A state should not conduct or knowingly support ICT activity contrary to its obligations under international law. 
Fourth, and last point, we see a lot of merit in the proposal by the Russian Federation to add an additional norm to the checklist that stresses that states need to safeguard the integrity and the safety of the supply chain, including the role of private sector in this regard. I thank you, Mr. Chair, and I will submit the statement as you requested in the beginning of the session. Thank you so much.
Chair: Thank you very much, Egypt, for your contribution. Netherlands, to be followed by Bangladesh.
Kingdom of the Netherlands: Thank you, Chair. The Kingdom of the Netherlands aligns itself with the statement delivered by the European Union, and I would like to make the following points in a national capacity. The 11 voluntary non-binding norms of responsible state behavior in the use of ICTs play a key role in reducing risks to international peace and security and ensuring stability. These norms reflect the expectations and standards of the international community and allow the international community to assess the activities of states. States have committed to be guided by these norms at the global, regional, and national levels through multiple consensus General Assembly resolutions. Chair, we consider that the 11 norms, when implemented and adhered to, would greatly advance security and stability in cyberspace. And here we echo Mexico in emphasizing the implementation of the norms. My delegation is of the view that there is still work left to be done in this regard. Let me focus on a few particular norms. First, according to Norm C, states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs. My delegation considers this norm essential for states to address threats posed in particular by non-state actors. We welcome the specific reference to this norm in the third APR and recommend further discussions on its content and scope. In this regard, my delegation notes that this norm does raise the expectation that a state will take reasonable steps within its capacity to end the ongoing activity emanating from its territory. However, it does not imply that states could or should monitor all ICT activities within their territory. Furthermore, we should not forget norm E on human rights. Implementation of the norms and normative framework more broadly should be done in accordance with states’ human rights obligations. 
Of particular relevance with regard to ICT activities are freedom of expression and the right to privacy. Chair, you asked us whether the voluntary checklist of practical actions needs to be further improved to facilitate reaching a consensus recommendation by July 2025. In our view, the current voluntary checklist already provides a good basis with concrete guidance to states to implement the norms. The checklist could be further improved by adding further common understandings and reflecting concrete actions and best practices. Allow me to share a few suggestions. One, to include best practices identified in the UNIDIR report on unpacking cyber capability needs, to include a recommendation to hold further discussions on the content and scope of some of the norms, especially in relation to norm C that I referred to earlier. And third, to update paragraph three in the introductory section to further emphasize the whole of government coordination and the need thereto in line with the U.K.’s recommendation. Finally, Chair, we agree with Singapore, South Africa, and others that the checklist could be updated periodically as a living document, including in the future mechanism, on the basis of consensus. At the same time, the Netherlands is a strong supporter of adoption of the initial checklist by July 2025. This will provide a firm consensus baseline for states to be able to work off and start surveying their national implementation efforts, and take concrete action to further implement the norms. Thank you, Chair.
Chair: Thank you, Kingdom of Netherlands. Bangladesh to be followed by Italy.
Bangladesh: Thank you, Mr. Chair. Bangladesh commends your ongoing efforts to advance our discussions on the practical implementation of these non-binding norms for responsible State behaviour. Mr. Chair, Bangladesh acknowledges the paragraph 31K of the third APR and agrees that these discussions represent significant progress toward the collective strengthening of cyber security frameworks. In particular, we emphasize the need to continuously refine existing norms and explore new proposals that align with evolving technological challenges. In line with paragraph 33 of the APR, Bangladesh recommends enhancing the voluntary checklist of practical actions by integrating practical measures that address key gaps in implementation, such as cyber hygiene and digital literacy, that is, introducing specific actions to promote digital literacy from the elementary level, incorporating cyber security education into school curriculums. To this end, an inclusive model curriculum for cyber security education could be developed by leveraging the expertise of advanced countries in this domain, thereby enabling other nations to benefit from this model curriculum. These will strengthen States’ capacity in a bottom-up manner to observe Norm A by promoting stability and security in ICTs by fostering resilience and preventing harmful practices. Promoting Norm G by protecting critical infrastructure by equipping individuals and organizations with knowledge to secure systems effectively. Standardized incident reporting, that is, establishing standardized formats and a common platform for reporting ICT incidents will enhance information sharing, enable real-time analysis, and support timely responses by relevant authorities. This approach promotes transparency, consistency, and trust among states while addressing response delays.
Such a system directly supports Norm B by ensuring states consider comprehensive and relevant information, including context, attribution challenges, and consequences during ICT incidents, and Norm G by strengthening the protection of critical infrastructure through coordinated and efficient threat reporting and response mechanisms. Bangladesh also suggests exploring four additional norms. First, promotion of explainable and transparent AI. States should ensure that AI technologies built and integrated into ICT systems within their territories are transparent and accountable, not biased against or disrespectful towards any people or culture. Second, cyber accountability for non-state actors. Bangladesh highlights the growing influence of non-state and private ICT actors, their control over critical information infrastructure, decision-making without accountability, and potential misuse of platforms for disinformation, surveillance, or censorship undermine sovereignty and global norms. Therefore, states should take measures to prevent and hold accountable non-state actors, including private entities and individuals operating from their territory that engage in malicious ICT activities affecting other states. Third, preservation of cyber ecosystem diversity. Encouraging a diverse cyber ecosystem reduces the risk of widespread vulnerabilities and increases resilience against cyber attacks. Thus, states should promote technological diversity and avoid actions that create monocultures in ICT products and services which increase systemic vulnerabilities. And fourth, digital sovereignty and cross-border data security. States should respect the digital sovereignty of other states by refraining from unauthorized access to data stored within another state’s jurisdiction. Additionally, they must refrain from unauthorized access to another state’s data when it is located within the former’s jurisdiction, ensuring adherence to international norms and lawful practices. 
Moreover, states should ensure the security of cross-border data flows. With increasing concerns about data localization, privacy, and jurisdiction, this norm would promote respect for sovereignty while supporting secure and lawful data exchanges. The effectiveness of these norms lies in their collective ownership and practical implementation. Bangladesh calls for strengthened international cooperation to interpret and apply these norms in an evolving cyber landscape. Cybersecurity capabilities are unevenly distributed, and vulnerabilities in one region can create global risks. To that end, we emphasize the importance of building cyber resilience in developing and least developed countries by providing resources, technical expertise, and training programs fostering a secure and inclusive global cyberspace. Mr. Chair, my delegation remains committed to contributing constructively to this forum’s efforts to enhance the security and stability of the ICT environment. Thank you.
Italy: Thank you very much, Mr. Chair, for giving me the floor. Italy fully aligns itself with the statement delivered by the European Union, and I would like to add a few elements in our national capacity. We support the concrete implementation of the UN Framework on Responsible State Behaviour in Cyberspace, with the 11 agreed voluntary norms serving as a central component. Mr. Chair, we welcome the checklist of practical actions for the implementation of these norms as a very valuable tool to guide states in their implementation efforts. We also welcome the specific focus in the latest APR on critical infrastructures and critical information infrastructures. However, we would like to see even greater emphasis placed on protecting healthcare services, which remain among the most vulnerable and heavily impacted by ransomware attacks, as we discussed yesterday. Italy, Mr. Chair, welcomes your invitation for states to share their national experiences in implementing norms F, G, and H on critical infrastructures. Such exchanges will facilitate the transition towards more practical cooperation on this vital issue. Very briefly, in 2019, Italy introduced legislation establishing a national cybersecurity perimeter. This framework ensures the security of networks, information systems, and information services used by public administrations, public and private entities, and operators essential to the state’s function. Entities included in the national perimeter are required to identify and adopt specific security measures, as well as to assess and mitigate dependencies on external services. Additional obligations derive from the European legal framework, in particular the so-called NIS2 Directive, imposing strict legal requirements on notification of incidents and the development of risk management measures. Our National Cyber Security Agency serves as the central authority for safeguarding the cybersecurity and resilience of our country.
The private sector, which often manages and owns critical infrastructures, plays a vital role in safeguarding them and in strengthening cyber resilience. It is essential, therefore, to further enhance structural dialogues between critical infrastructure private operators and the relevant government authorities. One final point. Italy underscores the importance of prioritizing the implementation of existing norms before considering the development of new ones. The identification of additional norms will become more evident only after substantial efforts have been dedicated to effectively applying the current framework. Thank you, Mr. Chair.
Chair: Thank you very much, Italy. Indonesia to be followed by Canada.
Indonesia: Thank you, Mr. Chair. Indonesia, through its National Cyber and Crypto Agency, has established a national cybersecurity strategy that aligns with the 11 norms of responsible state behavior in cyberspace. This alignment reflects Indonesia’s strong commitment to promoting a secure and stable cyberspace. Key areas for focus within the strategy include protecting critical infrastructure, strengthening international cooperation, and protecting the privacy and security of our citizens, enhancing capacity-building initiatives, improving incident-response mechanisms, promoting responsible state behavior, and safeguarding human rights, particularly in protecting user privacy and personal data. While recognizing the continued relevance of the 11 norms in addressing today’s challenges, Indonesia emphasizes the importance of advancing their implementation at global, regional, and national levels. This includes exploring new proposals for norms as part of ongoing discussions. Such proposals can contribute to addressing emerging threats and enhancing the framework for responsible state behavior in cyberspace. To facilitate meaningful progress, Indonesia reiterates the necessity of capacity-building programs, which are pivotal in supporting states to effectively implement norms and to respond to ICT threats. Mr. Chair, Distinguished Delegates, regarding the Voluntary Checklist of Practical Actions annexed in the third APR, Indonesia recognizes its value in outlining recommended actions that states can undertake, both at the national level and through international cooperation, to operationalize the 11 norms. Indonesia acknowledges that improvements to the checklist may be necessary to facilitate broader consensus. Further discussions could focus on refining the guidance to reflect the evolving cyber landscape, ensuring its applicability across diverse national contexts, and addressing potential gaps.
These efforts could better support states in aligning their actions with the 11 norms and strengthen collective implementation. While Indonesia remains committed to reaching consensus by July 2025, it is essential for member states to continue engaging in dialogue, finding compromise, and exploring common ground on both the voluntary checklist and proposal of new norms. Such discussion could serve as a vital platform to address the concerns raised in paragraph 31K and paragraph 34 of the third APR. Indonesia therefore looks forward to constructive exchanges among member states to advance these efforts and ensure an inclusive and effective process moving forward. Thank you, Mr. Chair.
Chair: Thank you very much, Indonesia. Canada to be followed by Republic of Korea.
Canada: Thank you, Mr. Chairman. Canada reiterates its unfailing support for the implementation of the norms that we all have supported since 2015. These norms complement current international law and they serve as a joint reference point for the international community. We note that the additional guidance adopted by consensus through the Group of Governmental Experts 2021 report can serve to support our implementation efforts. This report was adopted by consensus by the General Assembly in 2021 and this is 76-19. It is useful to reiterate something crucial in the report as regards norms, and I quote, they translate the expectations of the international community and establish rules for responsible behaviour of states, end quote. Mr. Chair, Canada would like to take this opportunity today to raise a recent specific example of the implementation of a specific norm, Norm J, regarding responsible reporting of vulnerabilities and information sharing on means to correct them. Indeed, in November 2024, Canada, accompanied by its partners, published a bulletin that highlights the 15 main areas of vulnerability on ICTs exploited and observed in 2023. The bulletin encourages all concerned parties, namely the providers, the developers, the designers and the end-users, to implement mitigation measures recommended in that same bulletin in order to reduce any risk. Mr. Chair, Canada joins with Singapore, Kazakhstan, Mexico, Argentina and South Africa, just to name a few, and welcomes the efforts of the Chair to add the voluntary tool, and the living tool indeed, there is a toolbox for states to add to the existing. Now I’d like to talk about something, sir, that you raised, sir, before this meeting. Canada considers that it is not a good opportunity, in particular some seven months from the conclusion of the work of the OEWG, to dedicate efforts to draft new norms. The timing does not enable us to really conscientiously tackle that. 
Furthermore, we consider that the existing norms are sufficiently flexible to cover the ideas of the new norms. Several of these ideas, indeed, that have been raised, for example, threat to critical infrastructure, be this assisted by artificial intelligence or not, that is clearly covered by the norms on critical infrastructure. The discussion on potential new norms could have a role in the future mechanism, including in the context of the thematic groups on public policies that are specific and cross-cutting. Indeed, this discussion would push forward different discussions on looking at the possible shortcomings that need to be addressed within the framework. In order to respond to your question on the voluntary checklist to support the implementation of existing norms, Canada considers that we’re talking about progress, based on which we can build the last few kilometers towards July. Canada has a specific suggestion for this voluntary checklist, namely, something to add for Norm G on the protection of critical infrastructure. This is G. And now I’d like to quote our suggested addition in English. Cooperate and take measures to protect international and humanitarian organizations against malicious cyber activities which may disrupt the ability of these organizations to fulfill their respective mandates in a safe, secure and independent manner and undermine trust in their work. End quote. And I’m going to speak French again. This addition seeks to reflect states concerns regarding malicious activities targeting international and humanitarian organizations. The text used for this proposal closely follows the one that was reached by consensus in the annual progress report of July 2024 and more specifically paragraph 17. Finally, Canada would like to express its support for the UK’s proposal to add a text to the voluntary checklist on norm I and specifically on the capacities of cyber attack available on the market. 
In our opinion, having these kinds of additions within the voluntary checklist is something that represents regional reasonable progress at the stage that we’re currently at in our current marathon. Indeed, it would be a good idea to consider the energy spent in the first kilometers of the marathon and the energy that we’re going to need collectively to complete our marathon in one go. Thank you very much.
Chair: Thank you very much, Canada, for your contribution. Republic of Korea to be followed by Paraguay.
Republic of Korea: Thank you, Chair. States have agreed that the voluntary and non-binding norms effectively supplement international law and that norms promote responsible state behavior and contribute to confidence-building by enhancing predictability in cyberspace. My delegation believes that currently there is little necessity to establish new norms, as the 11 norms agreed upon in the GGE and adopted at the UN General Assembly are already quite comprehensive. Furthermore, the checklist adopted in the third APR will serve as a valuable tool to support the effective implementation of these norms. Meanwhile, it is noteworthy that the checklist features the Global POC Directory as a key tool for promoting the implementation of norms. Given that the POC Directory was launched only last May, it is important to allow sufficient time for its further application. Recently, our fellow confidence builders submitted a working paper introducing regional examples of POC utilization. We hope this working paper serves as a valuable guideline for advancing norm implementation. Thank you.
Paraguay: Given the possibilities for interconnection via information and communication technologies, it is fundamental to establish and abide by guidelines, as well as norms, that regulate the use of these technologies ethically and safely. In this context, states have held deep-rooted discussions over the last two meetings on rules, norms and principles of responsible behavior in the use of ICTs, and my country supports these. We believe that norms ensure predictability and prevent conflicts. They also allow us to address the threat of… unlawful acts within states. We particularly believe that norms on cooperation and exchange of national knowledge and regional experience is crucial to build common understanding, particularly in countries with digital divides that are lagging behind more advanced countries. Security in the design and manufacture of ICTs and the protection of critical infrastructure and information contained in critical infrastructure is vital. It’s also important to ensure security in supply chains to avoid damage that might have an adverse effect at a national and global level. We also support norms on the misuse of information for criminal purposes, terrorist purposes or in violation of human rights and privacy. The role of the private sector in public-private partnerships and the exchange of information is also important here. Finally, we believe that countries must continue making strides to implement these norms and principles to build national strategies and regional practices in cyber security. We must also adapt to emerging changes and challenges in a complex digital environment. We also further believe it’s important to change in step with technologies and establish norms in addition to those that have already been established. Thank you.
Chair: Thank you very much, Paraguay. Albania, please, to be followed by Belarus.
Albania: Thank you, Mr. Chair. Albania actively promotes responsible state behavior in cyberspace and implements the new rules, norms and principles showing its engagement to fulfilling its commitment to international organizations through concrete actions. Recognizing the importance of the voluntary checklist of practical actions as a tool to operationalize norms and support states in their implementation, Albania has already implemented most of those actions and remains dedicated to their ongoing execution. Pursuant to the law number 25 of this year on cyber security, which transposes the EU NIS2 Directive, Albania has in place the necessary legislation and policies and is currently working to finalize the required secondary legislation that will further improve the existing regulations, procedures and methodologies. In addition, work has started in drafting the new national cyber security strategy 2025-2030. Albania’s existing legal and policy framework supports international cooperation, provides for strengthening cyber security structures, processes and measures, enhanced critical information infrastructure protection, improved cyber risk and incident management as well as enables addressing vulnerabilities and sharing information. Albania has focused on capacity building initiatives and has engaged with international organizations and partners in joint efforts to improve cyber security both at national and regional level. In line with the norms implementation, Albania has concluded cooperation agreements with states like Italy and Romania as well as private sector entities in the field of cyber security. Albania is cooperating with universities, private sector and civil society in the country to enhance cyber security knowledge and awareness with the aim to increase capacities to prevent and address the cyber threats.
As evidenced by Albania’s active participation in the UN open-ended working group on ICT security discussions, Albania has increased its participation in international organizations and forums. Through participating in NATO, EU, and OSCE initiatives and activities, Albania has actively promoted responsible state behavior in cyberspace and cooperation to address common cybersecurity challenges. To improve the checklist, capacity-building elements such as training resources and technical toolkits could be considered to assist states with limited expertise or infrastructure through guidance and support. Additionally, regular updates based on evolving cyber threats and lessons learned would help ensure the checklist remains relevant and effective. Albania supports the ongoing development of new norms, as recognized in paragraph 31K of the Third Annual Progress Report. Considering the challenges Albania faces due to irresponsible behavior in cyberspace and different actors, Albania would like to emphasize that if there will be new norms, they must prioritize safeguarding critical services and their respective information infrastructure from malicious ICT operators. If there will be new norms, they should focus on the potential threats posed by emerging technologies such as AI and quantum computing, strive to enhance transparency and security in their development cycle, as well as address the inequality in the distribution of benefits as they exacerbate the digital divide. Proposals to improve accountability mechanisms such as a framework for attributing malicious ICT activities and discouraging them are significant to fostering trust among states. New norms that address vulnerabilities in supply chain to reduce risk posed by hidden functionalities or the exploitation of critical components are significant. Gender-sensitive perspectives should be integrated in norms development to ensure that all members of society are included and benefit equally from enhanced cyber security.
Considering the above-mentioned, we can continue our discussion aimed to converge as outlined in paragraph 34 of the APR. I believe clear and inclusive norms that are in line with the dynamic development of ICT and the challenges faced globally would further enhance international cooperation and ensure their practical implementation. Albania reaffirms its commitment to advance the rules, norms, and principles of responsible state behavior in cyberspace. By developing inclusive norms, strengthening implementation tools, and addressing gaps in existing framework, we can ensure a secure and stable ICT environment at the global level. Thank you, Chair.
Chair: Thank you very much, Albania, for your contribution. I think Belarus, if you don’t mind, will have to, in view of the time limit, will have to come back in the afternoon with you as the first speaker. My apologies for that. But friends, before you wrap up, I want to leave you with this thought. Compared to the discussions on the threat landscape, existing and potential threats, where there was a very robust, detailed discussion about the many new emerging threats on the horizon plus the intensification of existing threats, we all collectively had a sense of how rapidly the threat landscape was evolving. But I have to say that in the context of the discussions on norms, I have the sense that positions are more static. And therefore, there is a disconnect between the two discussions. On the one hand, it is very clear technology is rapidly evolving, but on the other hand, when it comes to a discussion on norms, quite a number of delegations seem to believe fairly strongly as an article of faith that we do not need new norms. And there is a disconnect there, which I can see from the podium. You may not like to hear this from me, but it is my responsibility to point that out to you. And therefore, the discussion on norms, to me, gives a sense of déjà vu since the beginning of this process. A divide between no new norms and let’s have more new norms. Let’s implement existing norms before we get to new norms versus let’s focus on new norms. Let’s not prioritize implementation. I’m simplifying, but these seem to be some of the divides that I sense, and there has not been much movement since the beginning of the process. So I invite all of you to reflect very seriously and carefully. How do we bridge the divides? If we say in the context of threats and emerging threats that technology is rapidly evolving, how can we also bring that dynamic perspective in the context of rules, norms, and principles?
Does a discussion on new norms mean we are not prioritizing implementation? Ask yourself this question. Does a discussion on new norms mean… that we are actively de-prioritizing implementation? Can we do both? If we do both, how do we do it in a way which creates assurance to everyone that we are not diverging from prioritizing implementation, but we are finding a balance, especially in a context when things are evolving? Quite a number of you have also identified new norms, potential new norms. So in that sense, there has been some movement, I have to say, especially over the last year or so. Ideas for new norms have come from delegations, but also stakeholders. But there is a fundamental sort of reticence, reluctance to sort of have a very candid conversation. And I think we are at a stage in the process where we need to get into a serious discussion. Some of you have said it’s too late to have a discussion on new norms because the process is concluding. But when we began the process, some of you also said it’s too early to get into a discussion because we need to focus on implementation. It is never a good time, and it’s always a good time. At the United Nations, everything is difficult. We can start today. We can start next year. It’s always tempting to do things later. It’s always difficult to do things now. Friends, I’m not advocating any particular position, but this is what I see from the podium. And we can continue these discussions till July 2025, and I will just put together some pieces of paper and staple it and give it to the next chair. And then you can continue this same déjà vu debate in the future permanent mechanism. You will certainly have my blessings, and I will wish you all good luck, but we will not be doing justice to what needs to be done and we will not be having the serious conversations that need to be had.
So during your lunch break, this would be your homework, I’d like you to all revisit your talking points, amend and revise them for the afternoon speakers, and they will be Belarus, United States, Malaysia, China, Ireland, Switzerland, Australia, Mozambique, Brazil, Mali, France and New Zealand. Take another look at your talking points, refresh them, come back and I hope to listen to all of you and then I’ll make further concluding remarks at the end of the cluster. I wish you a pleasant lunch and my thanks to the interpreters. The meeting is adjourned.
Japan
Speech speed: 142 words per minute
Speech length: 315 words
Speech time: 132 seconds
Focus on implementing existing 11 norms before developing new ones
Explanation: Japan emphasizes the importance of prioritizing the implementation of the existing 11 norms of responsible state behavior in cyberspace. They argue that resources should be focused on taking concrete actions to implement these norms rather than developing new ones.
Evidence: Japan cites the sharp increase in cyber threats facing all member states as a reason to prioritize implementation of existing norms.
Major Discussion Point: Implementation of Existing Norms vs. Development of New Norms
Agreed with: Indonesia, Republic of Korea, Canada, United Kingdom
Agreed on: Importance of implementing existing norms
Disagreed with: Russian Federation, Indonesia, Republic of Korea, Bangladesh, Canada, Cuba, United Kingdom
Disagreed on: Development of new norms vs. implementation of existing norms
Russian Federation
Speech speed: 122 words per minute
Speech length: 981 words
Speech time: 480 seconds
Need for new legally binding norms to address evolving threats
Explanation: The Russian Federation argues for the development of new legally binding norms in cyberspace. They believe that transitioning from political agreements to a legally binding framework is necessary to enhance the security of states in the ICT sphere.
Evidence: Russia submitted a concept for a UN Convention on International Information Security as a basis for negotiating new norms.
Major Discussion Point: Implementation of Existing Norms vs. Development of New Norms
Disagreed with: Japan, Indonesia, Republic of Korea, Bangladesh, Canada, Cuba, United Kingdom
Disagreed on: Development of new norms vs. implementation of existing norms
Indonesia
Speech speed
101 words per minute
Speech length
358 words
Speech time
211 seconds
Prioritize implementation of existing norms while remaining open to new proposals
Explanation
Indonesia emphasizes the importance of advancing the implementation of existing norms at global, regional, and national levels. However, they also support exploring new proposals for norms as part of ongoing discussions to address emerging threats.
Evidence
Indonesia cites its national cybersecurity strategy, which aligns with the 11 norms of responsible state behavior in cyberspace.
Major Discussion Point
Implementation of Existing Norms vs. Development of New Norms
Agreed with
Japan
Republic of Korea
Canada
United Kingdom
Agreed on
Importance of implementing existing norms
Disagreed with
Japan
Russian Federation
Republic of Korea
Bangladesh
Canada
Cuba
United Kingdom
Disagreed on
Development of new norms vs. implementation of existing norms
Republic of Korea
Speech speed
140 words per minute
Speech length
161 words
Speech time
68 seconds
Existing norms are sufficient; focus on implementation rather than new norms
Explanation
The Republic of Korea believes that the 11 norms agreed upon in the GGE and adopted at the UN General Assembly are comprehensive enough. They argue that there is little necessity to establish new norms and instead focus should be on implementing existing ones.
Evidence
They mention the checklist adopted in the third APR as a valuable tool to support the effective implementation of these norms.
Major Discussion Point
Implementation of Existing Norms vs. Development of New Norms
Agreed with
Japan
Indonesia
Canada
United Kingdom
Agreed on
Importance of implementing existing norms
Disagreed with
Japan
Russian Federation
Indonesia
Bangladesh
Canada
Cuba
United Kingdom
Disagreed on
Development of new norms vs. implementation of existing norms
Bangladesh
Speech speed
110 words per minute
Speech length
640 words
Speech time
348 seconds
Need for both implementation of existing norms and development of new ones
Explanation
Bangladesh supports both the implementation of existing norms and the exploration of new norms. They argue that this approach is necessary to address evolving technological challenges and fill gaps in the current framework.
Evidence
Bangladesh proposes four additional norms, including promotion of explainable and transparent AI, cyber accountability for non-state actors, preservation of cyber ecosystem diversity, and digital sovereignty and cross-border data security.
Major Discussion Point
Implementation of Existing Norms vs. Development of New Norms
Disagreed with
Japan
Russian Federation
Indonesia
Republic of Korea
Canada
Cuba
United Kingdom
Disagreed on
Development of new norms vs. implementation of existing norms
Checklist should be enhanced with practical measures addressing implementation gaps
Explanation
Bangladesh recommends enhancing the voluntary checklist by integrating practical measures that address key gaps in implementation. They suggest including specific actions to promote digital literacy and cyber hygiene from the elementary level.
Evidence
Bangladesh proposes introducing cyber security education into school curriculums and developing an inclusive model curriculum for cyber security education.
Major Discussion Point
Voluntary Checklist for Norm Implementation
Agreed with
Singapore
European Union
United Kingdom
Kazakhstan
Agreed on
Support for the voluntary checklist as a tool for norm implementation
Disagreed with
Singapore
European Union
Islamic Republic of Iran
United Kingdom
Kazakhstan
Disagreed on
Nature and status of the voluntary checklist
Need for accountability of non-state actors in cyberspace
Explanation
Bangladesh proposes a new norm focused on cyber accountability for non-state actors. They argue that states should take measures to prevent and hold accountable non-state actors, including private entities, that engage in malicious ICT activities affecting other states.
Evidence
Bangladesh cites the growing influence of non-state and private ICT actors, their control over critical information infrastructure, and potential misuse of platforms for disinformation, surveillance, or censorship as reasons for this proposed norm.
Major Discussion Point
Role of Private Sector and Non-State Actors
Need for capacity building to support developing countries
Explanation
Bangladesh emphasizes the importance of building cyber resilience in developing and least developed countries. They argue for providing resources, technical expertise, and training programs to empower these countries to build robust cybersecurity infrastructure.
Major Discussion Point
Capacity Building and International Cooperation
Canada
Speech speed
100 words per minute
Speech length
683 words
Speech time
409 seconds
Too late in the process to develop new norms; focus on implementation
Explanation
Canada argues that with only seven months remaining until the conclusion of the OEWG’s work, it is not an opportune time to dedicate efforts to drafting new norms. They believe the existing norms are sufficiently flexible to cover new ideas and proposals.
Evidence
Canada cites the example of threats to critical infrastructure, whether assisted by AI or not, as being covered by existing norms on critical infrastructure.
Major Discussion Point
Implementation of Existing Norms vs. Development of New Norms
Agreed with
Japan
Indonesia
Republic of Korea
United Kingdom
Agreed on
Importance of implementing existing norms
Disagreed with
Japan
Russian Federation
Indonesia
Republic of Korea
Bangladesh
Cuba
United Kingdom
Disagreed on
Development of new norms vs. implementation of existing norms
Proposal to add norm on protecting international and humanitarian organizations
Explanation
Canada proposes adding a new practical action to the voluntary checklist under Norm G, focusing on protecting international and humanitarian organizations. They argue this is necessary to ensure these organizations can fulfill their mandates safely and securely.
Evidence
Canada’s proposal is based on text agreed by consensus in the annual progress report of July 2024.
Major Discussion Point
Critical Infrastructure Protection
Agreed with
Italy
Paraguay
Kazakhstan
Agreed on
Importance of protecting critical infrastructure
Cuba
Speech speed
112 words per minute
Speech length
552 words
Speech time
294 seconds
Need for legally binding norms to complement voluntary ones
Explanation
Cuba advocates for the development of legally binding norms within the context of the United Nations. They argue that these would complement the applicable principles of international law and fill legal voids in cybersecurity.
Evidence
Cuba supports the Russian initiative for elaborating a future international convention on cybersecurity.
Major Discussion Point
Implementation of Existing Norms vs. Development of New Norms
Disagreed with
Japan
Russian Federation
Indonesia
Republic of Korea
Bangladesh
Canada
United Kingdom
Disagreed on
Development of new norms vs. implementation of existing norms
United Kingdom
Speech speed
142 words per minute
Speech length
444 words
Speech time
187 seconds
Existing norms are comprehensive; little need for new ones
Explanation
The United Kingdom believes that the existing set of norms is a helpful and comprehensive articulation of states’ collective expectations of behavior in cyberspace. They argue that many suggestions for new norms are either beyond the mandate of these discussions or already addressed by existing norms.
Major Discussion Point
Implementation of Existing Norms vs. Development of New Norms
Agreed with
Japan
Indonesia
Republic of Korea
Canada
Agreed on
Importance of implementing existing norms
Disagreed with
Japan
Russian Federation
Indonesia
Republic of Korea
Bangladesh
Canada
Cuba
Disagreed on
Development of new norms vs. implementation of existing norms
Support for checklist as capacity-building tool
Explanation
The United Kingdom views the voluntary checklist as a capacity-building tool. They agree with the acknowledgement in the introductory section that implementing the norms is related to capacity and that the checklist serves this purpose.
Major Discussion Point
Voluntary Checklist for Norm Implementation
Agreed with
Singapore
Bangladesh
European Union
Kazakhstan
Agreed on
Support for the voluntary checklist as a tool for norm implementation
Disagreed with
Singapore
Bangladesh
European Union
Islamic Republic of Iran
Kazakhstan
Disagreed on
Nature and status of the voluntary checklist
Importance of private sector involvement in critical infrastructure protection
Explanation
The United Kingdom emphasizes the importance of private sector involvement in safeguarding critical infrastructure and strengthening cyber resilience. They argue for enhancing structural dialogues between critical infrastructure private operators and relevant government authorities.
Major Discussion Point
Role of Private Sector and Non-State Actors
Singapore
Speech speed
136 words per minute
Speech length
270 words
Speech time
118 seconds
Support for voluntary checklist as a living document to be updated
Explanation
Singapore strongly supports the Voluntary Checklist of Practical Actions and views it as a living document. They argue that it should evolve iteratively and inclusively to keep pace with the dynamic cyber landscape.
Evidence
Singapore cites the recent completion of the ASEAN Norms Implementation Checklist as an example of regional development in this area.
Major Discussion Point
Voluntary Checklist for Norm Implementation
Agreed with
Bangladesh
European Union
United Kingdom
Kazakhstan
Agreed on
Support for the voluntary checklist as a tool for norm implementation
Disagreed with
Bangladesh
European Union
Islamic Republic of Iran
United Kingdom
Kazakhstan
Disagreed on
Nature and status of the voluntary checklist
European Union
Speech speed
121 words per minute
Speech length
676 words
Speech time
334 seconds
Checklist is a valuable tool but needs further improvement
Explanation
The European Union views the checklist as a valuable tool for guiding states in their implementation efforts. However, they believe there is room for improvement in the final report’s text, particularly regarding the protection of critical infrastructure.
Evidence
The EU calls for greater emphasis on the protection of all critical infrastructures supporting essential public services, particularly medical and healthcare facilities.
Major Discussion Point
Voluntary Checklist for Norm Implementation
Agreed with
Singapore
Bangladesh
United Kingdom
Kazakhstan
Agreed on
Support for the voluntary checklist as a tool for norm implementation
Disagreed with
Singapore
Bangladesh
Islamic Republic of Iran
United Kingdom
Kazakhstan
Disagreed on
Nature and status of the voluntary checklist
Islamic Republic of Iran
Speech speed
134 words per minute
Speech length
621 words
Speech time
276 seconds
Concerns about checklist being based on 2021 GGE report not universally accepted
Explanation
Iran expresses concerns about the voluntary checklist, arguing that it is based on recommendations from the 2021 GGE report, which was not developed with participation from the majority of OEWG members. They argue this report does not enjoy universal acceptance.
Major Discussion Point
Voluntary Checklist for Norm Implementation
Disagreed with
Singapore
Bangladesh
European Union
United Kingdom
Kazakhstan
Disagreed on
Nature and status of the voluntary checklist
Kazakhstan
Speech speed
126 words per minute
Speech length
518 words
Speech time
245 seconds
Checklist should be updated to reflect evolving cyber landscape
Explanation
Kazakhstan argues that the voluntary checklist should evolve into a living document that adapts to shifts in the global cyber risk landscape. They suggest that the checklist should be periodically reviewed to maintain its relevance.
Major Discussion Point
Voluntary Checklist for Norm Implementation
Agreed with
Singapore
Bangladesh
European Union
United Kingdom
Agreed on
Support for the voluntary checklist as a tool for norm implementation
Disagreed with
Singapore
Bangladesh
European Union
Islamic Republic of Iran
United Kingdom
Disagreed on
Nature and status of the voluntary checklist
Need for unified baseline cybersecurity standards for critical infrastructure
Explanation
Kazakhstan argues for the establishment of unified baseline cybersecurity standards for critical infrastructure protection. They believe this would enable all states, regardless of their technological development, to protect their critical infrastructure effectively.
Evidence
Kazakhstan mentions its implementation of standards to monitor actions of super-administrators and employees of information systems, and allocation of 10-15% of its ICT budget to information security issues.
Major Discussion Point
Critical Infrastructure Protection
Agreed with
Italy
Paraguay
Canada
Agreed on
Importance of protecting critical infrastructure
Importance of cross-regional partnerships and knowledge sharing
Explanation
Kazakhstan emphasizes the importance of establishing cross-regional partnerships to facilitate knowledge sharing among states with similar ICT conditions. They argue that this approach is crucial for effective implementation of norms and addressing cyber threats.
Major Discussion Point
Capacity Building and International Cooperation
Importance of ethical guidelines for AI development and use
Explanation
Kazakhstan emphasizes the need to promote ethical guidelines for the development and use of technologies such as AI. They argue that these guidelines should emphasize transparency, accountability, and fairness in AI development and use.
Evidence
Kazakhstan mentions the integration of cybersecurity and personal data protection requirements into its AI concept and the inclusion of methodological recommendations across various sectors in its strategic plans.
Major Discussion Point
Emerging Technologies and AI
Italy
Speech speed
112 words per minute
Speech length
374 words
Speech time
199 seconds
Need for enhanced focus on protecting critical infrastructure, including healthcare
Explanation
Italy emphasizes the importance of protecting critical infrastructure, particularly healthcare services. They argue for greater emphasis on this area in the implementation of norms and in the voluntary checklist.
Evidence
Italy cites the vulnerability of healthcare services to ransomware attacks as a reason for this enhanced focus.
Major Discussion Point
Critical Infrastructure Protection
Agreed with
Paraguay
Canada
Kazakhstan
Agreed on
Importance of protecting critical infrastructure
Paraguay
Speech speed
130 words per minute
Speech length
271 words
Speech time
124 seconds
Importance of protecting critical infrastructure and information systems
Explanation
Paraguay emphasizes the importance of norms related to the protection of critical infrastructure and the information contained within it. They argue that this is vital for national and global security.
Major Discussion Point
Critical Infrastructure Protection
Agreed with
Italy
Canada
Kazakhstan
Agreed on
Importance of protecting critical infrastructure
Argentina
Speech speed
125 words per minute
Speech length
275 words
Speech time
131 seconds
Importance of public-private partnerships in cybersecurity
Explanation
Argentina emphasizes the importance of fostering partnerships between governments, private sector, academic institutions, and international organizations. They argue that these partnerships are key to developing and promoting best practices in cybersecurity.
Major Discussion Point
Role of Private Sector and Non-State Actors
Egypt
Speech speed
147 words per minute
Speech length
363 words
Speech time
147 seconds
Need to address role of private sector in supply chain security
Explanation
Egypt supports the proposal by the Russian Federation to add an additional norm to the checklist that stresses the need for states to safeguard the integrity and safety of the supply chain. They specifically mention the importance of addressing the role of the private sector in this regard.
Major Discussion Point
Role of Private Sector and Non-State Actors
Cote d’Ivoire
Speech speed
117 words per minute
Speech length
735 words
Speech time
375 seconds
Importance of capacity building for norm implementation
Explanation
Cote d’Ivoire emphasizes the crucial role of capacity building in supporting the effective implementation of the Responsible Behaviour Framework. They argue that capacity building is essential to address the challenges faced by developing countries in implementing norms.
Evidence
Cote d’Ivoire mentions UNIDIR’s training programmes in norms, international law, and cyberspace as valuable instruments for promoting norms and addressing implementation challenges.
Major Discussion Point
Capacity Building and International Cooperation
Mexico
Speech speed
106 words per minute
Speech length
252 words
Speech time
141 seconds
Need for enhanced international cooperation and capacity building
Explanation
Mexico emphasizes the importance of fostering an inclusive dialogue that encompasses all relevant actors under the auspices of the United Nations. They argue that this dialogue should guarantee a gender-sensitive approach and be tailored to meeting emerging challenges.
Evidence
Mexico suggests incorporating lessons learned from regional organizations like the OAS, African Union, and ASEAN into the voluntary checklist.
Major Discussion Point
Capacity Building and International Cooperation
Albania
Speech speed
115 words per minute
Speech length
633 words
Speech time
329 seconds
Need to address potential threats from AI and emerging technologies
Explanation
Albania argues that if new norms are to be developed, they should focus on the potential threats posed by emerging technologies such as AI and quantum computing. They suggest that norms should strive to enhance transparency and security in the development cycle of these technologies.
Major Discussion Point
Emerging Technologies and AI
Democratic People’s Republic of Korea
Speech speed
144 words per minute
Speech length
296 words
Speech time
123 seconds
Need for norms related to AI and other emerging technologies
Explanation
The Democratic People’s Republic of Korea expresses concern about the increasing use of ICT tools for military purposes under the guise of countering cyber threats. They argue that this exacerbates regional tensions and poses a significant threat to international peace and security.
Major Discussion Point
Emerging Technologies and AI
Agreements
Agreement Points
Importance of implementing existing norms
Japan
Indonesia
Republic of Korea
Canada
United Kingdom
Focus on implementing existing 11 norms before developing new ones
Prioritize implementation of existing norms while remaining open to new proposals
Existing norms are sufficient; focus on implementation rather than new norms
Too late in the process to develop new norms; focus on implementation
Existing norms are comprehensive; little need for new ones
These speakers emphasize the importance of implementing existing norms before or instead of developing new ones, arguing that the current framework is comprehensive enough to address current challenges.
Support for the voluntary checklist as a tool for norm implementation
Singapore
Bangladesh
European Union
United Kingdom
Kazakhstan
Support for voluntary checklist as a living document to be updated
Checklist should be enhanced with practical measures addressing implementation gaps
Checklist is a valuable tool but needs further improvement
Support for checklist as capacity-building tool
Checklist should be updated to reflect evolving cyber landscape
These speakers support the voluntary checklist as a valuable tool for implementing norms, while also suggesting that it should be regularly updated and improved to address gaps and reflect the evolving cyber landscape.
Importance of protecting critical infrastructure
Italy
Paraguay
Canada
Kazakhstan
Need for enhanced focus on protecting critical infrastructure, including healthcare
Importance of protecting critical infrastructure and information systems
Proposal to add norm on protecting international and humanitarian organizations
Need for unified baseline cybersecurity standards for critical infrastructure
These speakers emphasize the importance of protecting critical infrastructure, including healthcare and humanitarian organizations, and suggest developing unified standards for this purpose.
Similar Viewpoints
Both countries argue for the development of legally binding norms in cyberspace, believing that voluntary norms are insufficient to address current and evolving threats.
Russian Federation
Cuba
Need for new legally binding norms to address evolving threats
Need for legally binding norms to complement voluntary ones
These countries emphasize the importance of involving the private sector in cybersecurity efforts, particularly in protecting critical infrastructure and supply chains, while also calling for accountability of non-state actors.
Argentina
Bangladesh
United Kingdom
Egypt
Importance of public-private partnerships in cybersecurity
Need for accountability of non-state actors in cyberspace
Importance of private sector involvement in critical infrastructure protection
Need to address role of private sector in supply chain security
Unexpected Consensus
Need for capacity building and international cooperation
Cote d’Ivoire
Mexico
Kazakhstan
Bangladesh
Importance of capacity building for norm implementation
Need for enhanced international cooperation and capacity building
Importance of cross-regional partnerships and knowledge sharing
Need for capacity building to support developing countries
Despite differing views on other issues, there is unexpected consensus among these diverse countries on the importance of capacity building and international cooperation in implementing cybersecurity norms, particularly for developing countries.
Overall Assessment
Summary
The main areas of agreement include the importance of implementing existing norms, support for the voluntary checklist as a tool for norm implementation, the need to protect critical infrastructure, and the importance of capacity building and international cooperation.
Consensus level
There is moderate consensus on the importance of implementing existing norms and using the voluntary checklist. However, there remains significant disagreement on whether to prioritize the development of new norms, particularly legally binding ones. This divide could impede progress in developing a comprehensive global cybersecurity framework.
Disagreements
Disagreement Points
Development of new norms vs. implementation of existing norms
Japan
Russian Federation
Indonesia
Republic of Korea
Bangladesh
Canada
Cuba
United Kingdom
Focus on implementing existing 11 norms before developing new ones
Need for new legally binding norms to address evolving threats
Prioritize implementation of existing norms while remaining open to new proposals
Existing norms are sufficient; focus on implementation rather than new norms
Need for both implementation of existing norms and development of new ones
Too late in the process to develop new norms; focus on implementation
Need for legally binding norms to complement voluntary ones
Existing norms are comprehensive; little need for new ones
There is a significant divide between countries advocating for the development of new norms (especially legally binding ones) and those arguing for a focus on implementing existing norms before considering new ones.
Nature and status of the voluntary checklist
Singapore
Bangladesh
European Union
Islamic Republic of Iran
United Kingdom
Kazakhstan
Support for voluntary checklist as a living document to be updated
Checklist should be enhanced with practical measures addressing implementation gaps
Checklist is a valuable tool but needs further improvement
Concerns about checklist being based on 2021 GGE report not universally accepted
Support for checklist as capacity-building tool
Checklist should be updated to reflect evolving cyber landscape
While many countries support the voluntary checklist, there are disagreements about its nature, content, and the process for updating it.
Unexpected Disagreements
Timing of developing new norms
Canada
Bangladesh
Too late in the process to develop new norms; focus on implementation
Need for both implementation of existing norms and development of new ones
The disagreement on timing is unexpected, as it highlights different perceptions of the urgency and feasibility of developing new norms at this stage of the process.
Overall Assessment
Summary
The main areas of disagreement revolve around the development of new norms versus implementation of existing ones, the nature and status of the voluntary checklist, and the specific focus areas for norm development and implementation.
Disagreement level
The level of disagreement is significant, particularly on the issue of developing new norms. This disagreement has important implications for the future direction of cybersecurity norms and could potentially hinder progress in establishing a comprehensive and universally accepted framework for responsible state behavior in cyberspace.
Partial Agreements
These speakers agree on the importance of protecting critical infrastructure but have different emphases on specific aspects or approaches to achieve this goal.
Italy
Paraguay
Canada
Kazakhstan
Need for enhanced focus on protecting critical infrastructure, including healthcare
Importance of protecting critical infrastructure and information systems
Proposal to add norm on protecting international and humanitarian organizations
Need for unified baseline cybersecurity standards for critical infrastructure
Takeaways
Key Takeaways
There is a disconnect between rapidly evolving cyber threats and more static positions on norms development
States are divided on whether to focus on implementing existing norms or developing new ones
The voluntary checklist for norm implementation is seen as valuable but in need of updates
Critical infrastructure protection remains a key concern for many states
There is growing recognition of the need to address emerging technologies like AI in norms discussions
Capacity building and international cooperation are viewed as essential for norm implementation
Resolutions and Action Items
Continue discussions on possible additional norms as outlined in paragraph 34 of the APR
Consider updating the voluntary checklist to reflect evolving cyber landscape and implementation experiences
Share national experiences in implementing norms F, G, and H on critical infrastructure protection
Unresolved Issues
Whether and how to develop new norms while still prioritizing implementation of existing ones
How to bridge the divide between states favoring legally binding norms and those preferring voluntary norms
How to address rapidly evolving technologies like AI within the norms framework
How to effectively involve the private sector and address non-state actors in norm implementation
Suggested Compromises
Pursue both implementation of existing norms and discussions on potential new norms in parallel
Consider a mix of binding and non-binding measures to address increasing cyber threats
Update the voluntary checklist as a living document to incorporate new developments and state experiences
Focus on practical cooperation and capacity building to bridge divides on norm development
Thought Provoking Comments
The unregulated military applications of cyberspace, as highlighted in the third annual progress report, have further exacerbated these challenges stemming from an unregulated cyberspace.
Speaker
Pakistan
Reason
This comment highlights the growing militarization of cyberspace as a key emerging threat, which many other speakers then echoed and expanded on.
Impact
It set the tone for discussing the need for regulation and norms around military uses of cyberspace, which became a recurring theme.
Slovakia therefore urges all states to prioritize security in collaboration with manufacturers, reinforcing the needs of robust internal cybersecurity frameworks.
Speaker
Slovakia
Reason
This comment introduced the important perspective of working with the private sector on cybersecurity, rather than just focusing on state actions.
Impact
It broadened the discussion to include the role of manufacturers and the private sector, which several subsequent speakers then addressed.
Zimbabwe believes that the OEWG process should culminate in an internationally legally binding instrument that speaks to ICT security and the responsible behavior of states.
Speaker
Zimbabwe
Reason
This was one of the first explicit calls for a legally binding agreement, which became a key point of debate.
Impact
It sparked discussion about whether voluntary norms are sufficient or if legally binding measures are needed, with speakers taking different positions on this issue.
The ICRC would like to raise awareness and deepen delegations’ understanding of conflict-specific threats by emphasizing some of the threats identified at the 34th International Conference of the Red Cross and Red Crescent, held in October.
Speaker
ICRC
Reason
This comment brought in a humanitarian perspective and specific examples of ICT threats in conflict situations that had not been previously discussed.
Impact
It expanded the conversation to include humanitarian concerns and the impact of cyber threats on civilian populations and humanitarian operations.
Compared to the discussions on the threat landscape, existing and potential threats, where there were very robust, detailed discussions about the many new emerging threats on the horizon plus the intensification of existing threats, we all collectively had a sense of how rapidly the threat landscape was evolving. But I have to say that in the context of the discussions on norms, I have the sense that positions are more static.
Speaker
Chair
Reason
This insightful observation highlighted a key disconnect in the discussions and challenged participants to think more dynamically about norms.
Impact
It prompted reflection on the need to evolve norms in response to rapidly changing threats, and encouraged participants to reconsider their positions.
Overall Assessment
These key comments shaped the discussion by broadening its scope to include military, private sector, humanitarian, and legal perspectives on cybersecurity. They highlighted the tension between rapidly evolving threats and relatively static approaches to norms. The Chair’s final comment particularly challenged participants to bridge this gap and consider more dynamic approaches to developing norms in response to emerging threats.
Follow-up Questions
How can we bridge the divides between different positions on developing new norms vs implementing existing norms?
Speaker
Chair
Explanation
The Chair noted a disconnect between rapidly evolving threats and static positions on norms, highlighting the need to find a balance between implementing existing norms and developing new ones.
How can we have a serious discussion on potential new norms while still prioritizing implementation of existing norms?
Speaker
Chair
Explanation
The Chair emphasized the need for a candid conversation on new norms, noting that there’s always reluctance to start these discussions but they are necessary to address evolving threats.
How can we update the voluntary checklist to reflect evolving cyber threats and lessons learned?
Speaker
Multiple speakers including Singapore, South Africa, and Mexico
Explanation
Several delegates suggested that the checklist should be a living document that adapts to new challenges and incorporates lessons from implementation efforts.
What are the potential new norms needed to address emerging technologies like AI and quantum computing?
Speaker
Albania
Explanation
Albania suggested focusing on new norms to address potential threats from emerging technologies and enhance transparency in their development.
How can we develop norms to safeguard critical services and information infrastructure from malicious ICT operators?
Speaker
Albania
Explanation
Albania emphasized the need for new norms to protect critical infrastructure, given the challenges they face from irresponsible behavior in cyberspace.
How can we improve accountability mechanisms, such as frameworks for attributing malicious ICT activities?
Speaker
Albania
Explanation
Albania suggested exploring new norms to enhance accountability and discourage malicious activities in cyberspace.
How can we address vulnerabilities in the supply chain through new norms?
Speaker
Multiple speakers including Egypt and Albania
Explanation
Several delegates highlighted the need to reduce risks posed by hidden functionalities or exploitation of critical components in the supply chain.
How can we integrate gender-sensitive perspectives into the development of new norms?
Speaker
Albania
Explanation
Albania suggested that new norms should ensure all members of society are included and benefit equally from enhanced cybersecurity.
How can we develop a legally binding instrument to regulate state behavior in cyberspace?
Speaker
Multiple speakers including Pakistan, Cuba, and Egypt
Explanation
Several delegates emphasized the need for a transition from voluntary norms to a legally binding framework to address evolving threats effectively.
How can we enhance the implementation of due diligence as a principle of responsible state behavior?
Speaker
Portugal
Explanation
Portugal suggested further discussions on the content and scope of due diligence, particularly in relation to addressing the use of proxies by hackers.
How can we develop norms to ensure the security of cross-border data flows while respecting digital sovereignty?
Speaker
Bangladesh
Explanation
Bangladesh proposed a new norm to address concerns about data localization, privacy, and jurisdiction in cross-border data exchanges.
How can we promote the development and use of explainable and transparent AI in ICT systems?
Speaker
Bangladesh
Explanation
Bangladesh suggested a new norm to ensure AI technologies integrated into ICT systems are transparent, accountable, and unbiased.
How can we develop norms to preserve cyber ecosystem diversity and avoid monocultures in ICT products and services?
Speaker
Bangladesh
Explanation
Bangladesh proposed a norm to promote technological diversity and reduce systemic vulnerabilities in the cyber ecosystem.
Disclaimer: This is not an official record of the session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed.