Agenda item 5: discussions on substantive issues contained inparagraph 1 of General Assembly resolution 75/240 part 3

Summary

This discussion focused on the application of international law to cyberspace and information and communication technologies (ICTs). Participants from various countries and regional groups shared their perspectives on how existing international law applies to cyber activities and the potential need for new norms or legal frameworks. Many delegates emphasized the importance of implementing existing norms and laws, while some called for developing additional binding rules specific to cyberspace. There was broad agreement that international law, including the UN Charter, applies to state behavior in cyberspace, though views differed on how to interpret and implement specific principles.

Key topics discussed included state sovereignty in cyberspace, the applicability of international humanitarian law to cyber operations in armed conflicts, human rights protections online, and state responsibility for cyber activities. Several countries and regional groups, including the EU and African Union, highlighted their recently published common positions on these issues. Many delegates stressed the need for capacity building to enable all states to participate meaningfully in discussions on international law and cyber issues.

Some states raised concerns about politically motivated attributions of cyber attacks and called for agreed technical mechanisms to identify sources of malicious activities. The importance of protecting critical infrastructure from cyber threats was emphasized by multiple speakers. While there was general support for continuing discussions on international law in the Open-Ended Working Group, views differed on whether to prioritize implementing existing norms or developing new binding rules for cyberspace. Overall, the discussion reflected growing engagement on these complex legal issues, but also highlighted ongoing differences in perspective among states.

Keypoints

Major discussion points:

– Applicability of existing international law to cyberspace and ICTs

– Need for further development of norms and implementation of existing norms

– Importance of capacity building to enable all states to participate in discussions

– Debate over whether to develop new binding norms or focus on implementing existing framework

– Role of international humanitarian law in cyberspace and armed conflicts

Overall purpose:

The purpose of this discussion was to exchange views on how international law applies to the use of ICTs by states, identify areas of consensus and divergence, and consider next steps for the Open-Ended Working Group in addressing international law issues related to cybersecurity.

Tone:

The overall tone was formal and diplomatic, with states presenting their positions and perspectives. There was a mix of optimism about progress made in developing common understandings, as well as some tension between states with differing views on key issues like developing new norms versus implementing existing ones. The Chair encouraged constructive dialogue and finding middle ground as the discussion progressed.

Speakers

– Chair: Chairperson of the meeting

– Belarus: Delegate

– United States: Delegate

– Malaysia: Delegate

– China: Delegate

– Ireland: Delegate

– Switzerland: Delegate

– Australia: Delegate

– Brazil: Delegate

– Mali: Delegate

– France: Delegate

– New Zealand: Delegate

– Mozambique: Delegate

– Viet Nam: Delegate

– Ethiopia: Delegate

– Burkina Faso: Delegate

– Nigeria: Speaking on behalf of the African group

– European Union: Representative

– Fiji: Speaking on behalf of a cross-regional group of states

– Albania: Delegate

– Lebanon: Delegate

– Austria: Delegate

– El Salvador: Delegate

– Singapore: Delegate

– Egypt: Delegate

– Malawi: Delegate

– Islamic Republic of Iran: Delegate

– Finland: Delegate

Additional speakers:

– African Union: Mentioned as having published a common position

– ASEAN: Mentioned as having developed a norms implementation checklist

Expanded Summary of Discussion on International Law in Cyberspace

This discussion, chaired by the Chairperson of the meeting, focused on the application of international law to cyberspace and information and communication technologies (ICTs). Delegates from various countries and regional groups shared their perspectives on how existing international law applies to cyber activities and the potential need for new norms or legal frameworks.

Key Themes and Areas of Agreement

There was broad agreement among participants that international law, including the UN Charter, applies to state behaviour in cyberspace. Many delegates, including those from the United States, Austria, Finland, and Singapore, emphasised the applicability of existing international legal frameworks to the cyber domain.

A significant development was the European Union’s announcement of a declaration on a common understanding of the application of international law to cyberspace. This declaration, supported by all EU member states and several others, demonstrates growing consensus among a large bloc of countries on issues such as state responsibility, due diligence, and the applicability of international humanitarian law (IHL) to cyber operations during armed conflicts.

The importance of implementing existing norms and laws was a recurring theme. Australia highlighted the usefulness of a voluntary checklist as a tool for norms implementation. Several speakers stressed the need for capacity building to enable all states, particularly developing countries, to participate meaningfully in discussions on international law and cyber issues.

Many delegates supported the idea of structured, in-depth discussions on international law in cyberspace. Singapore proposed scenario-based discussions to develop shared understandings, while El Salvador and Egypt advocated for dedicated thematic groups on international law in future mechanisms.

Areas of Disagreement and Debate

Despite the general agreement on the applicability of international law to cyberspace, there were significant disagreements on specific issues. Belarus called for a UN Convention on International Information Security, while the United States and European Union argued that existing international law is sufficient. This debate over whether to develop new binding rules or focus on implementing the existing framework was a key point of contention.

The applicability of IHL to cyber operations in armed conflicts was another area of disagreement. While many countries, including Austria and the United States, asserted that IHL applies to cyber operations in armed conflicts, Iran argued that technical challenges make it difficult to automatically apply international law principles to ICTs.

Several countries agreed on the need for clarification of international law in cyberspace but focused on different aspects. The United States emphasized state responsibility and the applicability of IHL, while Egypt highlighted the need for clarity on specific rules and sovereignty thresholds. The Islamic Republic of Iran raised concerns about politically motivated attributions of cyber attacks and called for agreed technical mechanisms to identify sources of malicious activities.

Regional Perspectives and Initiatives

The discussion highlighted the importance of regional initiatives in advancing norms implementation and developing common understandings. Nigeria, speaking on behalf of the African group, emphasised the importance of state sovereignty in cyberspace and called for a balanced approach that considers the needs and perspectives of developing countries. The African group also stressed the importance of capacity building and technology transfer.

Specific Country Experiences and Proposals

Lebanon provided a significant statement about recent cyber attacks on their country, highlighting the real-world impacts of cyber threats and the importance of international cooperation in addressing them.

Malawi shared information about their national efforts to align their laws with international standards, demonstrating the practical steps being taken by individual countries to implement cyber norms.

Finland emphasized the importance of involving legal advisors in discussions on international law in cyberspace, a point echoed by several other delegates.

Capacity Building and Implementation

The need for capacity building was a recurring theme throughout the discussion. Many delegates, including those from Fiji, Albania, and Malawi, stressed the importance of supporting developing countries in building their capacity to engage with cyber issues and implement international law and norms in the cyber context.

Future Mechanisms and Next Steps

Several delegates expressed support for a future mechanism to continue discussions on international law in cyberspace. El Salvador advocated for dedicated thematic groups, while Egypt stressed the need for substantive debates. The European Union voiced support for a Programme of Action as a future mechanism.

The Chair encouraged participants to focus on concrete steps forward, challenging them to consider how to make progress on implementing norms and discussing potential new norms. This framed the discussion in terms of taking tangible steps forward rather than just restating positions.

Unresolved Issues and Follow-up Questions

Several important issues remained unresolved, including:

– The need for new legally binding instruments specific to cyberspace

– How to address attribution challenges in cyberspace

– Specific thresholds for violations of sovereignty in cyberspace

– How to balance freedom of expression with combating misinformation online

– The exact content of due diligence obligations for states in cyberspace

Follow-up questions emerged on topics such as improving the voluntary checklist for norms implementation, enhancing capacity building efforts, and developing a common understanding on attribution of cyber attacks.

Conclusion

The discussion reflected growing engagement on complex legal issues related to cyberspace, but also highlighted ongoing differences in perspective among states. While there was general support for continuing discussions on international law in the Open-Ended Working Group, views differed on priorities and approaches. The debate underscored the need for further dialogue to bridge gaps in understanding and develop more concrete agreements on how international law applies in the cyber context. The emphasis on capacity building, regional initiatives, and the need for practical implementation of existing norms emerged as key themes for future work.

Chair: Distinguished Delegates, the fourth meeting of the ninth substantive session of the Open Entity Working Group on Security of and the Use of ICTs is called to order. We’ll continue our considerations of Agenda Item 5 and address the topic of further developing the rules, norms and principles of responsible behavior of states and the ways for the implementation and if necessary to introduce changes to them or elaborate additional rules of behavior. And we’ll continue with the speakers list as we had them prior to adjourning earlier this morning. And we start with Belarus to be followed by the United States, Malaysia, China, Ireland and as follows. So Belarus, you have the floor, please.

Belarus: Thank you, Mr. Chairman. Since this is the first time I’m taking the floor, first of all, allow me to thank you and your team for the work that you’re doing to ensure that we have the conditions to continue the negotiating process in the working group. And also for your constructive and attentive approach to all of these days’ proposals. We expect and we rely on your experience and your knowledge in bringing together states’ efforts and achieving a resultive outcome during this session and creating the conditions for continuing dialogue in the future and this is going to play an important role in our work together. International information security has long become an integral factor in the maintenance of global security and stability. In this context, we comprehensively support the work of the working group as the key negotiating platform in IIS. We welcome the adoption by consensus of the report of the eighth substantive session of the OEWG in July this year. Regarding the subject of today’s discussion, I’d like to note that Belarus consistently advocates in favor of agreeing universal legally binding norms in the sphere of IIS. The existing universal norms and principles of international law enshrined in the UN Charter can in principle be applied to the sphere of ICTs. However, those instruments don’t contain concrete conditions for that applicability. In our view, practical aspects of the use of ICTs need to be regulated by a specific universal international legal document, which could not only provide criteria for the application of existing norms of international law to the use of ICTs, but also include new binding provisions that correspond to the present conditions. We continue to believe that the norms of international humanitarian law applicable in situations of armed conflict cannot be sufficient for ICT-related issues. We recall that a number of states, including Belarus, have advanced a proposal or proposals to develop a UN Convention on International Information Security. We call on all states to support this initiative. We are of the view that we need to avoid creating an imbalance in approaches to establishing binding rules, norms and principles of responsible state behavior in the information space. While we have nothing against the proposal for a checklist of practical actions, we believe that this matter, in our view, cannot replace the process of developing binding norms or serve as a universal approach for regulating the area of international information security. Mr Chairman, thinking about your proposal, to think about how we can bring positions of those states that have taken the vote closer together, those that hew to different points of view when it comes to the applicability of the norms of international law or the creation of new norms. Perhaps it’s worth thinking about or focusing on not just repeating the same old positions, but rather trying to make the existing proposals as concrete as possible, specifically fleshing out those norms that, in states’ opinions, can regulate these relations. For example, we could ask states to say what principles and rules they think already exist, or ask states to indicate the norms and principles that aren’t yet in effect, but which could be developed in order to achieve a more comprehensive regulation of the ICT sphere. In our view, these new norms could include the norm of national sovereignty, the norm of non-interference in internal affairs, the norm of exclusive jurisdiction of states over the ICT sphere within the bounds of their territory. But at the same time, it’s important to understand that having a list of states’ proposals, or a list of those proposals, could have the opposite effect to what we want, because it could lead to the appearance of dividing lines and could then require more efforts to bring those positions closer together. So, we, as always, call for dialogue on the basis of trying to bring states’ positions closer together and on the basis of consensus, respecting absolutely all states’ positions. And we remain in your hands, Mr. Chairman, and we stand ready to constructively participate in the upcoming negotiations, and we stand ready to cooperate with all participants in the session. Thank you.

Chair: Thank you very much, Belarus, for your contribution. United States, to be followed by Malaysia.

United States: Thank you, Chair. To begin, I’d like to address your question on the voluntary checklist of practical actions. The 11 consensus UN cyber norms provide useful direction on the expectations of the international community on steps that responsible states should take to ensure the safety and resilience of the Internet, as well as harmful and destabilizing activity that responsible states should not conduct. All states in this room have recognized the utility of these norms in reducing risks to international peace, including misperceptions, and thereby contributing to the prevention of conflict. The value of the norms is best realized through their implementation. In fact, eight of the 11 cyber norms describe positive actions that, if undertaken, benefit not only all member states by improving stability and security of the ICT environment, but also Internet users within each state. A voluntary checklist that provides guidance to states on the implementation of the norms should therefore be a welcome innovation. The U.S. has reviewed the proposed voluntary checklist of practical actions in Annex A and compared it to other existing and new guidance on norms implementation. We note the efforts to capture the detailed and useful information contained in the norms section of the 2021 UN GGE report, but feel that more could be done in this respect. For example, with respect to Norm H on responding to requests for assistance, paragraph 54 of the 2021 GGE report provides the following wise counsel. Common templates for requesting assistance and responding to such requests can ensure that the state seeking assistance provides as complete and accurate information as possible to the state from which it seeks the assistance, thereby facilitating cooperation and timeliness of response. Such templates could be developed voluntarily at the bilateral, multilateral, or regional level. A common template for responding to assistance requests could include elements that acknowledge receipt of the request and, if assistance is possible, an indication of the timeframe, nature, scope, and terms of the assistance that could be provided. In addition, we take note of more recent efforts such as the ASEAN checklist for the implementation of the norms of responsible state behavior that could be leveraged to broaden and deepen the checklist. We understand that the latter checklist, for instance, includes multiple recommendations for capacity building activities that can support implementation of each norm. In sum, the voluntary checklist will be a valuable reference as states continue to implement the framework. It should be viewed as a living document that could be further improved, both by incorporating some of the helpful suggestions we are hearing today and in the future POA. In fact, we believe the future mechanism, with its focus on implementation of the framework and associated capacity building, would be an ideal forum for further elaborating the voluntary checklist. Separately, Chair, I feel compelled to respond to the revisionist history I have heard from a few delegations in the room regarding the consensus framework of responsible state behavior and its 11 norms. The GGE process, which ran over the course of two decades, developed several reports that were endorsed by consensus by the GA. The GA didn’t just welcome the reports, but also repeatedly and by consensus called on all states to be guided in their actions by the GGE report’s recommendations. In addition to the GA’s multiple endorsements, the first OEWG report also endorsed, by consensus, the GGE reports as the framework of responsible state behavior. I call all states’ attention to the text in paragraph 7 of the final report of the first OEWG, which references the GGE reports and the 11 norms, as well as the fact that member states agreed, by consensus, to be guided in their use of ICTs by the 2015 GGE report, which sets forth those 11 norms. All UN member states, of course, were invited to participate in that first OEWG and joined consensus on that report. That OEWG report and the 2021 GGE report were together endorsed by the GA in 2021. The checklist represents a meaningful step forward on implementing the commitments all states have already agreed to. By contrast, the set of 13 proposed norms raised by a few states were drafted by one state, included in a controversial non-consensus resolution, and have not gained traction in the years since. Attempts to reinvent the framework or deliberately confuse and undermine its consensus recommendations must be rejected. Finally, Chair, in response to your comments before the break, I want to make a few quick remarks. First, the United States does not subscribe to the view that new threats automatically mean new norms or new CBMs or rewriting of the framework itself. Evolving technology does not require new foundational rules. In fact, the framework is designed to be effects-based and technology neutral. A good example of this is ransomware. The United States is a champion of the fight against ransomware, including within the UN and via the Counter-Ransomware Initiative. Ransomware is an emerging tool of concern, but the normative principles to combat it are already in the existing framework. International law prohibits the use of ICTs, including ransomware, to coercively intervene in the internal or external affairs of other states. Existing norms indicate that ICT tools, like ransomware, cannot be used by states to disrupt critical infrastructure, and existing norms and CBMs provide normative and practical guidance on how victim states can request assistance from others in the event of a ransomware attack. We don’t need new norms to deal with ransomware. We need more in-depth discussion on how the existing comprehensive framework can and should be deployed to help states combat this and other disruptive tools. Government ideas in this regard that enjoy consensus could be incorporated into the norms checklist, for example. In our view, it is only through these more in-depth conversations that we can make practical progress and keep up with the evolving threat landscape. While some proposals we have heard today deserve consideration within that context, others appear to be elements of already established international law or rewriting of existing norms. The 11 consensus norms are valuable for many reasons, but perhaps the most central reason is that they have been agreed repeatedly by consensus. They are a solid foundation to work from to address current concerns. In the attempts we have seen to rewrite the framework and the risks that poses to this process writ large, we strongly recommend building on and reinforcing the importance of the existing 11 consensus norms. Thank you.

Chair: Thank you, United States. By contribution, Malaysia, to be followed by China.

Malaysia: Mr Chair, Malaysia welcomes the Voluntary Checklist of Practical Action in the OEWG’s third annual progress report, which represents a significant step forward in our collective efforts to strengthen the implementation of the framework of responsible state behaviour. In our view, the Voluntary Checklist provides a helpful guide for states in implementing the norms. Noting its status as a living document, Malaysia believes that the checklist may further improve as we progress in our discussions under the OEWG, as well as the future permanent mechanism. This is reflective of the dynamic nature of the ICT environment. Deliberations regarding norms could be further improved by adding common understanding, as well as potential concrete actions and best practices. We support the proposal of El Salvador to strengthen Norm E to allow states to advance the establishment of regulatory frameworks for handling data during its entire life cycle. The establishment of such frameworks will help ensure that elements of security and privacy by design are implemented in a coordinated manner. We also support the proposal of the United Kingdom to strengthen Norm I by adding the proliferation and irresponsible use of commercial cyber intrusion capabilities. Malaysia shares the view mentioned by Singapore, South Africa and others that we should be open to discussions on the possibility of new norms, which may be pursued in tandem with our efforts to implement the existing agreed norms. As mentioned by Singapore, in ASEAN we have recently completed the development of the ASEAN Norms Implementation Checklist, which sets out actionable steps for states in our region to consider, in line with their respective national priorities and capacities. As is the case with the OEWG Voluntary Checklist of Practical Actions, the ASEAN Norm Implementation Checklist is a living document. States do not need to implement all the steps in the checklist, but may choose to undertake particular steps as appropriate to their national context. In developing the ASEAN Norm Implementation Checklist, ASEAN Member States discuss a list of steps for each norm, organised into five pillars – the policy, operational, technical, legal and diplomatic. This is to provide greater clarity on how different state agencies can contribute to the effective implementation of the ICT security norms. It is hoped that the checklist will support the development of common understanding of what states may expect from each other in terms of behaviour in ICT environment, thereby supporting international peace and security.

Chair: Thank you, Malaysia, for your contribution. China to be followed by Ireland.

China: Thank you, Chair. China notes with appreciation that this year the third APR of the OEWG reaffirms the importance of discussing and developing new norms and emphasizes that further development of new norms and the implementation of the existing ones are not mutually exclusive and could take place in parallel. This once again proves that the approach proposed by China of stabilizing existing norms and promoting additional ones is recognized by countries and is in line with the characteristics of ICT development and the common interests of all countries. In light of the Chair’s guiding question 1 on this item, on possible new norms, China believes that new norms could be developed on data security, supply chain security, and the protection of critical infrastructure, among others. As China pointed out when speaking on the item on threats, based on the relevant reports by the Chinese relevant agencies, hacker groups with national backgrounds have carried out on global critical infrastructure, including those in China, including pre-positioning cyber threats and other harmful practices. These reports also point out that China, Germany, and other countries have experienced state-backed hacker attacks as well as espionage. These issues once again, prove that these issues are common challenges faced by all countries, and it is in the common interest of all countries to explore the development of and compliance with common norms, which will help countries jointly tackle risks and challenges and safeguard peace and stability in cyberspace. On data security, this year’s APR of the working group once again stressed that data protection and data security are of increasing relevance. Discussions in the OEWG should be more detailed and more in-depth. In this year’s APR, AI as well as data security in cross-border data flows have been raised, and specific concerns have been covered, which can serve as a starting point for our discussions on formulating new norms. Based on discussions at multilateral platforms such as the UN and state practices, China has taken the initiative to propose the Global Initiative on Data Security, which addresses the common concerns of countries and the general attributes of emerging technologies, and puts forward constructive solutions to the protection of important data on critical infrastructure, personal information protection, data storage, and cross-border access to data. In addition, China recently issued the Global Cross-Border Data Flow Cooperation Initiative. Upholding the principles of openness, inclusiveness, security, cooperation, and non-discrimination, the initiative advocates the promotion of efficient, smooth, and secure cross-border data flows, respecting the reasonable security concerns of other countries, deepening international exchanges and cooperation, and building an open and win-win landscape of international cooperation in cross-border data flow. The initiative also explicitly opposes the politicization of data issues and prohibits illegally obtaining data by means such as installing backdoors in digital products and services and exploiting vulnerabilities in digital infrastructure. The above-mentioned initiatives and proposals can serve as the basis for discussion and development of relevant norms. With regard to the checklist for implementing the norms, China is of the view that the list can help countries comply with and implement existing norms in line with their own conditions, which China appreciates. If the checklist is to be updated and further improved, it should be based on consensus reached at the UN to avoid unnecessary divergences. Thank you, Chair.

Chair: Thank you very much, China, for your contribution. Ireland, to be followed by Switzerland.

Ireland: Thank you, Chair. To begin, Ireland aligns with the statement delivered on behalf of the European Union earlier today, and I would like to proceed with some short additional remarks in my national capacity. Chair, Ireland supported and was encouraged by the consensus development of the UN Framework for Responsible State Behaviour in Cyberspace. We have been clear that states must ensure that the maintenance of peace and security in cyberspace is rooted in international law. This consensus agreement was a major achievement in our collective path towards a global, open, secure cyberspace. Presently, The framework is our strongest tool for ensuring that we achieve a safe, secure and accessible cyberspace where human rights and fundamental freedoms apply both on and offline. Ireland particularly welcomes the specific focus in the norms section of the last annual progress report on critical infrastructure and critical information infrastructure as many identified threats are related to or can influence these systems. Chair, in Ireland we say, Tús maith leath na hUibre. A good start is half the work. We remain convinced that the first step in what you have called our thousand mile journey must be to fully implement existing agreed norms of responsible state behaviour which remain valid and should be honoured. Ireland favours an approach focused on ensuring existing norms are operational in order to build confidence before seeking to identify, agree and implement further norms. In this regard, we strongly welcome the Chair’s checklist of practical actions for the implementation of norms as a useful how-to guide for this crucial work. In light of the transnational and interconnected nature of cyber critical infrastructure we would welcome the inclusion in the checklist of a recommendation to support enhanced cooperation between states and the private sector in their identification and protection of critical infrastructure. The norms checklist is an effective capacity building tool for states demonstrating the value of sustainable capacity building initiatives. Ireland would welcome capacity building programmes to assist with the implementation of the existing norms particularly on the applicability of international law in cyberspace. Further institutionalising the normative framework within the Future Permanent Mechanism will be essential to continue progressing implementation. Appropriately convened thematic groups within the mechanism will be an important contribution. to ensuring that the capacity building and norms implementation are seamlessly integrated in such an institutional way. Chair, to conclude, we already have the necessary tools to implement these existing and incredibly useful norms. We look forward to the checklist being used as a map to guide states’ implementation and to build into an action-orientated future mechanism to promote a global, open and secure cyberspace. Thank you, Chair.

Chair: Thank you, Ireland, for your contribution. Switzerland, to be followed by Australia.

Switzerland: Thank you, Chair. Switzerland is of the opinion that before developing new voluntary norms, we should focus on the implementation of the existing ones. The argument that the norms are only voluntary, which is why we need binding obligations or norms, is not convincing in our view. The voluntary norms were confirmed and adopted by all states by consensus. States stressed that such norms reflect expectations and standards of the international community regarding the behavior of states in their use of ICTs. This does not exclude that we could develop new norms over time and were useful or needed. However, in our view, many of the proposed new norms can be subsumed under the existing ones, but also has been pointed out by the UK earlier. From our point of view, this does not contradict the discussion about the rapidly changing threat landscape. The 11 voluntary norms are formulated in general terms and offer flexibility so that they can also be applied to the new developments. The U.S. delegation explained this convincingly a moment ago. Yesterday, many states referred to the increasing intensity of ransomware attacks and state-sponsored cyber attacks. against critical infrastructures. We therefore see merit in focusing on norms 13C, F, G, and H, calling for the protection of all critical infrastructures supporting essential services to the public, in particular medical and healthcare facilities, as well as cooperation between states for this purpose. I don’t need to go into the importance of the principle of due diligence in more detail here, as Portugal has already done so very well. In summary, in view of the increasing frequency, scale, and severity of ransomware attacks, it is important that states do not serve as safe havens for criminal groups and that they take measures against them. One of the key elements to protecting and identifying critical infrastructure from ICT threats is establishing a trusted exchange between the operators of critical infrastructure and the relevant government authorities, which is guided by clearly defined responsibilities and mandates on all levels. This also should entail an understanding of a member state’s dependencies on national and international critical service providers. Switzerland has established such an information exchange platform or network. This is a closed network. Operators of this network usually meet once a month for a virtual meeting to exchange information about the threat landscape, attacks that have been observed, and preventive and recovery measures. This exchange helps all participants to have a better understanding of the threat situation and to protect their own systems and infrastructure, or to support others in doing so. The definition of what constitutes a critical infrastructure is very flexible. An operator can apply to join this network. To give an example, some time ago, a manufacturer of security paper used for printing banknotes submitted an application and was accepted. Chair, like other delegations, we see the proposal for a checklist as an important step that we took in the last IPR. It is a useful instrument for states in their efforts to implement the voluntary norms and can serve as a capacity-building tool. We would like to thank Canada and the United Kingdom for their proposals for additions to the checklist under Norms G and I, in connection with the protection of international and humanitarian organisations and commercially available ICT intrusion capabilities. Switzerland supports these proposals. I thank you.

Chair: Thank you very much. Switzerland, Australia, to be followed by Brazil.

Australia: Thank you, Chair. As you have heard from us consistently over the years of this OEWG, Australia is of the view that a dedicated focus on the implementation of existing norms leads to a more fulsome understanding about what existing norms cover and how they apply. This understanding is the essential precursor to a conversation on any gaps and the possible identification of additional voluntary non-binding norms that might advance our framework of responsible state behaviour. This is why Australia was pleased to support the Voluntary Norms Checklist in the third APR and are pleased to see a priority on continuing this work within your questions, Chair. Australia continues to advocate for such practical tools that enable all states to achieve greater implementation of our framework. Such practical initiatives breathe life into our framework, including as a vital tool to assist in cyber capacity-building. The checklist, much of which is based upon consensus-agreed guidance, shows how much work has already been done by this group on norms implementation guidance and its predecessors, including the Consensus 2021 GGE report, providing in-depth guidance to all countries on how they can be implemented and applied. Australia supports the characterisation of Malaysia, Singapore, South Africa, Kazakhstan, Egypt and the Netherlands of this document as a living document and of Côte d’Ivoire as embodying the spirit of our framework. The sense of momentum on this valuable checklist gives Australia a sense of optimism in the work ahead of us. We share the hope of the Netherlands that we may adopt this checklist in our final report in July 2025 and take note of your suggestion from your opening remarks, Chair, to not try and kick this can down the road. We do see this checklist as important movement by us all on this issue and a demonstration of how we have worked together to seek to bridge the divides you noted in your remarks before lunch. We also do not take for granted how important a milestone this checklist is and commend you for your efforts in leading this work. Australia welcomes the suggestion of the UK to include whole-of-government coordination to paragraph 3 and ensure we keep this document up to date as our discussions continue, including on the proliferation of commercially available cyber intrusion capabilities. Noting also China’s call for consensus language, we support drawing on the consensus language of the third APR in this regard. We’re interested, by the suggestion from Bangladesh, to consider cyber hygiene education and think there is merit to this suggestion too. We also support the inclusion of further references to the private sector and multi-stakeholder community as flagged by Ireland. Australia sees this voluntary checklist not only as a significant achievement in collating the progress of many years of discussion but as a shiny example of how the work of regional organisations can advance our work here at the UN. Australia has been privileged, as a dialogue partner of ASEAN, to watch and support the valuable work of ASEAN on norms implementation for many years. To see some of this hard work eventuate with concrete progress here at the OEWG… shows the value of regional perspectives, a point others have made too. I also would like to use this opportunity to thank Malaysia and RSIS Singapore for their participation and the fruitful conversation at today’s lunch side event co-hosted by Australia and the Australian Strategic Policy Institute on ASEAN-Australia regional cooperation to advance UN cyber norms. And while I have the chance on the topic of side events, I would also like to flag that Australia will again be hosting our international law breakfast tomorrow morning at the Australian Mission, where we will have breakfast and, importantly, coffee. A core part of implementation of the norms of responsible state behaviour is not only sharing understandings of how to implement its recommendations, but also to self-assess what actions each of us have taken towards implementation and what actions are still required to implement them fully. Australia suggests that the checklist will be a useful tool for all of us to use in the following ways. To help each state determine for ourselves how we implement the norms, with examples of how this might be achieved. To collate national take-up of the norms. To share information, best practices, and our priorities for norms implementation. And, importantly, to identify challenges that inhibit the implementation of a norm or norms. All of this can assist the development of targeted capacity-building programs to address challenges to implementation or gaps in capacity, providing an evidence-based, which is provided by the state itself, on the particular needs of that state. Australia would also like to add our voice to others, such as Cote d’Ivoire, Singapore, Argentina, Kazakhstan, and Ireland, that have called out the work of our multi-stakeholder community to advance our understanding and implementation of the norms. In particular, Australia has been proud to work with UNIDIR, GFC, and ASPE to name just a few on norms implementation, including through our cyber capacity-building program. Australia, ourselves, has published non-exhaustive examples. of the way Australia implements the 11 agreed norms. However, we view this checklist as a valuable tool to enable us to revisit this work. A good reminder that our work on implementation is not a one and done activity. We must all continue our work and ensure that as our landscape changes and updates, so too must our work in implementing our framework. Australia shares your wish for progress and a consensus spirit chair. However, we do think that we should not seek to run before we have yet mastered walking. Given the value of the norms implementation checklist as a tool to assist all states in building our understanding of the norms and helping us uplift our implementation, we do not think we should be seeking to unnecessarily increase the work ahead of us by adding new norms without due consideration and consensus. We also do not share the view that new technology requires new norms. The norms have been designed to apply to state behavior, not to technology. The application of the norms to new threats or technology is exactly the value of this checklist. We cannot know or demonstrate the need for new norms without understanding how the existing norms apply, including to new threats or technologies and assist states in their implementation. Thank you, chair.

Chair: Thank you very much, Australia, for your contribution. Brazil to be followed by Mali.

Brazil: Thank you very much, Mr. Chair. My delegation would like to thank you for both your guiding questions circulated ahead of this meeting and for the considerations you made at the end of this morning’s session, which gave us good food for thought. Brazil is a staunch supporter of the key of previous UN processes on ICTs and international security, particularly the voluntary norms of responsible state behavior, which have guided us in the establishing of our national norms and policies to secure our critical infrastructures and critical information infrastructures. In this regard, we welcome efforts to facilitate their implementation, including the voluntary checklist of practical actions you have drafted. and which was included as NXA to our third APR. We look forward to continuing to update it ahead of July and thank the delegations which have already made improvement suggestions. We have heard, throughout our debates, the arguments for advancing the implementation of the existing norms and for the adoption of new ones. In our view, those positions are not in any way mutually exclusive, taking into account that regulation, even more so at international level, always lags behind technological developments. It is important to aim that the norms we develop, legally binding or otherwise, be as future-proof as possible. This means that they should be written in a way that focuses on actions states should take, with language that, while making references to specific technology when necessary, is as general as possible in this regard, to allow for applicability even in light of new technological developments. The fact that the 11 norms of responsible state behavior adopted almost 10 years ago and endorsed by consensus by the General Assembly, as many have reminded us, have retained and arguably increased their relevance is a testament to how future-proof they have proved to be. They are still at the core of the framework that guides states in their use of ICTs. We also recognize that we have not much time left in this OEWG and, as mentioned in our previous statement, believe that we should focus our discussions until July mainly on regular institutional dialogue, which may prove a challenge to the adequate consideration of specific proposals for new norms. This does not mean, in any way, however, that we should outright disregard the discussion of the possibility of new norms or refuse to even consider any concrete proposals that might be put forward. Inasmuch as we want our norms and commitments to be able to withstand changes in technology, we must not remain blind to the fact that reality will, in many situations, create a need for new norms to account for a fundamental shift in circumstances. If that were not the case, we would not be continually negotiating new commitments and obligations on all of the issues that are under the purview of the United Nations. In this regard, we remain open to discussing proposals that are eventually put forward for new norms or to update existing ones. We took note with interest of the suggestions made by some of the expert panelists at the main intersessional, as well as the proposal made by El Salvador on strengthening norm E. In any case, we would like to reiterate that any efforts aimed at eventually developing new norms of behavior in the cyber domain must be inclusive and therefore take place within the UN, where the needs of all countries, including developing ones, are duly taken into account. The truth of the matter is that there are many initiatives currently underway that aim to, in some shape or form, mold state behavior in areas that clearly fall within the purview of this OEWG and, hopefully, the future permanent mechanism. Finally, my delegation would like to stress that, in light of the complementarity between hard and soft law, support for the 11 norms and other voluntary norms, and discussing the possibility of adopting specifically legally binding instruments are not mutually exclusive. Existing binding obligations of international law and the voluntary norms are complementary. We are open, as our debates evolve, to consider the adoption both of additional voluntary norms and of legally binding ones, which both have a role to play in the promotion of a peaceful cyberspace. Voluntary norms could shape state behavior to build state practice, one of the two necessary elements for a rule to become customary international law. Therefore, we would also very much prefer, given this complementarity, that the future mechanism discusses both international law and voluntary norms and principles in an integrated manner within the same thematic group. I thank you.

Chair: Thank you very much, Brazil, for your contribution. Mali, to be followed by France.

Mali: Mr. Chairman, I have the honor to deliver this statement on behalf of the three member states of the Confederation of the States of the Sahel, Burkina Faso, Mali, and Niger. First of all, I’d like to congratulate you for all of the efforts you’ve made thus far. This is the first time I’m taking the floor in this session. Regardless of the consideration of the checklist, I do have a brief general statement to make. As developing countries with limited resources and infrastructure that is poorly protected against the existing threats, we welcome the holding of this meeting and we would like to underscore the following priorities. The need for capacity building and technology transfers to help our countries effectively address threats, in light of the risk of artificial intelligence being used for malicious purposes, we call for the establishment of international and national regulatory mechanisms that can help curb the potentially dangerous effects of artificial intelligence. We call for international cooperation to facilitate the sharing of experience, knowledge, and technology. However, the Confederation of the States of the Sahel rejects the use of ICTs as a pretext for the unleashing of conflicts, threats, or use of force, or as a tool for interventionism or to destabilize states’ political systems. In particular, we oppose the dissemination of fake news and media disinformation campaigns against sovereign governments. Thank you.

Chair: Thank you very much, Mali, for your statement. France to be followed by New Zealand.

France: Thank you, Mr. Chairman. My delegation aligns itself with the statement delivered by the European Union and would like to make the following remarks in a national capacity. My delegation would like to also bring three attentions to your attention today. As was mentioned by several delegations, this will be my first topic addressed, on the 8th of November this year, the Security Council held a meeting on ransomware attacks on the health sector in particular. France joined in the joint statement made by a group of states to underscore that, in accordance with relevant norms, states must not intentionally allow their territory to be used for harmful acts. This, of course, includes action by ransomware actors under their jurisdiction. This initiative is fully part of our discussions on the implementation of the norms of responsible state behavior, particularly Norm 13c on due diligence, the scope of which was recalled by the Netherlands and other countries today. We have in the past often recalled that we should focus on the use of ransomware that we should focus on implementation gaps, but we’ve not done so purely as a result of dogma. It’s actually rather because these gaps exist and they represent a break. to the establishment of a safe and secure cyberspace at the international level. Through the example that I’ve just mentioned, we also have a clear example of the insufficient application of existing norms. And in order to contribute to this collective effort, a group of European states published earlier this year a non-paper on the implementation of Norm 13c. This is still available on the Open-Ended Working Group’s website. Consequently, we welcome the reference to in-depth discussions into this norm as provided for and planned by the third annual progress report of our group. My second point now, this pertains to Norm 13i. As you’ll be aware, this covers the issue of non-proliferation of harmful tools, malware. We’re currently facing the swift growth of a private, unregulated market of cyber capacities that could be used for offensive purposes. Let’s not fool ourselves here. This situation represents a danger to the security of all states and our citizens. That’s why my delegation supports the proposal made by the United Kingdom to add to the checklist an action relating to the implementation of this norm. Finally, and this is my last point, Chair, I would like to touch on certain key developments within the European Union. The European Union, through its normative capacity, represents a powerful force for reform. It’s a powerful force for reform. It’s a powerful force for reform. It’s a powerful force for reform. It’s a powerful force for reform. us to help in implementing the agreed framework. This is particularly the case in security within supply chain and ICT products. This in connection of course with norms 13i and j. On the 10th of December next week the European regulation on cyber resilience, the Cyber Resilience Act, CRA, will enter into force. This pioneering text is the first European regulation to impose minimal requirements of cyber security requirements on all digital products before their entry onto the European market. These include ordinary consumer goods and software from the most complex industrial systems and enterprises. This system will use the CE mark which is well known and used by numerous categories of products. The text is notably based on the principles of cyber security by design and cyber security by default. Further regulation. Manufacturers must moreover notify the authorities of vulnerabilities that are actively exploited and incidents affecting their products. This in order to facilitate the exchange of information and ensure swift remediation. All manufacturers wishing to sell a product on the European market will be subject to these obligations. Chair thanks to its regulatory work and specific measures that are taken in that regard. The EU therefore plays a fundamental role in reducing the sites that are prone to cyber attacks, attack surface, at the global level, contributing to increasing the international security of cyberspace, this in accordance with agreed norms and frameworks. In conclusion, it’s important to underscore that norms must be addressed through a cross-cutting lens. To do this, we invite states to consider the links between the implementation of norms and other dimensions of the normative framework. Capacity building, for instance, is an important avenue of work to guarantee that states are effectively able to work to operationalize voluntary norms. The draft checklist set out in the last progress report is in this regard a key tool. Thank you.

Chair: Thank you very much, France, for your contribution. New Zealand to be followed by Mozambique.

New Zealand: Thank you, Chair. In response to your guiding question related to developing new norms, we have previously expressed our view that the agreed framework for responsible state behavior, if fulsomely implemented, provides a sufficient basis as states seek to cooperate on maintaining a stable and peaceful cyberspace. We do understand there is a wish from some to consider new norms within this framework. We recognize that for many states this is based on an underlying desire to improve our current framework, including to fill any potential gaps, particularly in the light of rapidly developing technology. However, such a process to identify potential gaps, strengths or weaknesses needs to be deliberate and well informed. In our view, and as several others have said today, the most effective way to develop our collective understanding is to ensure robust implementation of the current framework and then take stock and assess if any gaps are present. As we look ahead to a future permanent mechanism, we think the same logic applies. A future permanent mechanism should have at its heart a focus on implementing the current framework so that we can better understand what else, if anything, is required. We do hear the voices that say, why can’t we do both these things at once, implementation and consider new norms? In our view, it is worthwhile firstly having this period of consolidation and informed assessment through implementation of existing norms. This does not equate to completely shutting off the idea that we may progress towards considering new norms. We take note of your comments, Chair, at the end of the morning session and we understand the point made regarding emerging, evolving and new threats and how this may impact the development of norms. However, we do think there are practical reasons for taking such a deliberative approach, including to make the best use of our scarce resources and avoid pursuing potential initiatives that are duplicative of existing norms or which may not make a significant improvement to the current framework. We do risk this if we do not take that deliberative and evidence-based approach to assessing potential gaps. Chair, we want to again acknowledge the work by you and your team to produce the checklist of norms. In our view, the strength of this checklist lies in it carefully and deliberately reflecting what has already been agreed by consensus. This lends it immediate credibility as a practical tool for norms implementation. There is a clear link between the agreed norms and capacity-building efforts, and we think this checklist nicely links the two. We are open to the idea of periodically reviewing the checklist. We take note of some of the suggestions by others that have been made today to build on that checklist, and we thank those who have generated various ideas which we will be considering in detail. I’ll leave my remarks there. Thank you, Chair.

Chair: Thank you very much, New Zealand, for your contribution. Mozambique to be followed by Vietnam.

Mozambique: Distinguished Chair, since it’s our first intervention in this session, the Mozambique delegation commends your leadership and the open-ended working groups’ significant progress in addressing ICT-related challenges to international security. Mozambique delegation welcomes the ongoing discussions regarding the application of international law to the use of information communication technologies by states and the checklist of norms, rules, and the precepts for the responsible behalf of states presented. ICTs has driven globalization, reshaping societies while introducing substantial risks. This includes the gay peace in a criminal law, limited technical capacity to combat cybercrime, and the anonymous effort by ICT which fosters impunity. Mozambique, like many nations, faces cross-border cyber threats, underscoring the urgent need for collaboration in legal frameworks to protect our shared digital space. In this context, Mozambique has made notable advancements, including ascending to the Malab Convention, adopting the Electronic Transitions Law, and implementing the cyber security policy and strategy. Mozambique is also in the process of joining the Budapest Convention and drafting cyber security and cybercrime law. However, significant challenges remain particularly in enhancing international cooperation and in keeping criminal justice authorities to address cybercrime and digital evidence effectively. Mozambique emphasizes the importance of strengthening international collaboration to implement existing norms, sharing technical information, and adopting best practices in preventing, detecting, and responding to ICT incidents. Mozambique recommends implementation of existing norms to ensure its implementation by countries that are still starting to deal with ICT issues, include some voluntary norms from the checklist to draw up internal rulers, build the resilience by capacity building initiatives and technologies transferred particularly for development countries, combat ICT-driven misinformation by promoting the ethical use of ICT and the collaboration between states and the private sector, upload privacy rights as a cornerstone of a cyber security policy. The OWGs remind us a cornerstone for advising quality of digital security and ensuring ICTs are used for peaceful purpose. Mozambique deeply values this platform and acknowledges GFC role in empowering women and fostering the sense of expertise. Thank you, Sheikh.

Chair: Thank you very much, Mozambique, for your contribution. Vietnam to be followed by Ethiopia.

Viet Nam: Mr. Chair, the delegation in Vietnam recognizes that the voluntary and non-legally abiding norms of responsible state behaviors, reflecting the expected standards of conduct by the international communities in the use of ICT can mitigate threat to international peace and securities. Vietnam consistently emphasizes that no state should allow its territory to be used for unlawful actions. We also underline the importance of the protection of critical infrastructures and critical information infrastructure. Mr. Chair, with regard to the Voluntary Checklist of Practical Action for the Implementation of Voluntary Norms of Responsible State Behaviors in the Use of ICTs, as contains in Annex A of the third API report, Vietnam underscores the inherent rights of state to designate infrastructures as critical, as well as the need to develop protective frameworks aligned with each nation’s unique context and capabilities. Additionally, Vietnam places high importance on enhancing human resource training and raising public awareness about the multifaceted threat to critical infrastructures and critical information infrastructures. Mr. Chair, at the 10th anniversary of the 11 norms it’s approaching, Vietnam joined other ASEAN countries, namely Singapore and Malaysia, in supporting the formulation of additional norms that respond to the dynamic evolution of the ICTs and a new global, regional, and national cyber landscape, and scoring the international community’s commitment to strengthening the legal and normative frameworks governing cyberspace in the language of international law. In particular, the principle of common but differentiated responsibilities of state in maintaining international peace and securities in cyberspace. I thank you, Mr. Chair, for the kind attention. Thank you very much.

Chair: Vietnam, Ethiopia, to be followed by Burkina Faso.

Ethiopia: Mr. Chairperson, since my delegation is taking the floor for the first time, I would like to commend your efforts and your able leadership in this process. You have the full support of my delegation. Mr. Chairperson, our world today faces a multitude of challenges, including cyber security threats. Despite these rising threats, the working group has managed to achieve progress, which has paved a very constructive path in our work to be able to attain our collective objective. My delegation would like to underscore the critical role of the United Nations, which is at the core of our discussion on information and communications security. In order to address the increasing cyber and other emerging threats, it is vital that we enhance global cooperation, and through which the provision of the necessary support to developing countries to enhance their capacities in the field. Ethiopia believes that through global cooperation and addressing the digital divide between North and South, the international community stands a better chance of maximizing the benefits from cyber security and minimize risks related to ICT. We share the views of other member states of encouraging open dialogue to addressing emerging threats, including the recommendation of initiatives on sharing information on cyber security awareness, leveraging the global points of contact directory. to conduct regular training and promoting collaborative work in cybersecurity. These initiatives, we believe, are also critical to better understand and mitigate risks, including those arising from the deployment and application of generative AI. This is one of the areas of ICT where we can forge a common understanding based on what has been achieved thus far, and build upon those agreed frameworks to mitigate threats to ICT security. Mr. Chairperson, we support the view of others of excluding the development of new norms at this point of time. This is primarily because we in Africa need to develop our capacity and understanding to keep pace with adoption of new norms. My delegation would also like to underscore the African Union’s Common African position adopted by all AU member states, which affirms that international law applies in cyberspace. It is critical that we uphold the fundamental rules of international law in cyberspace, including the obligation to respect the territorial sovereignty of states and the prohibition on the threats or use of force. This also includes an obligation to combat malicious and criminal conducts in cyberspace by non-state actors. We are therefore glad to see the inclusion of reference of the continent’s Common African position in the third annual progress report. I thank you.

Burkina Faso: Mr. Chairman, ladies and gentlemen. At the outset, the delegation of Burkina Faso, since this is the first time we’re taking the floor, would like to express to you and other members of the Bureau our warm congratulations for the results already seen, and we reassure you of our unwavering support and wish you every success in your role. Burkina Faso aligns itself with the position put forward by the Russian Federation within this working group and also the position of the African group. Chair, Burkina Faso welcomes the efforts made by the open-ended working group to promote an international framework conducive to a safe, responsible use of information and communication technologies. We welcome the commitment of all delegations towards enhanced multilateral cooperation and constructive dialogue. We wish to express our serious concern at the increasing use of artificial intelligence in the carrying out of sophisticated denial-of-service attacks on critical infrastructure, which have a dangerous impact on the economy, quality of services, and the social lives of our citizens. Chairman, Burkina Faso reiterates the importance of bearing in mind the specificities of developing countries as we analyse and respond to emerging threats. We should particularly bear in mind their vulnerability when facing a lack of robust infrastructure and qualified human resources. We insist on the need to bolster national and regional capacities to detect, prevent, and effectively respond to cyber security incidents. We underscore the urgent need to eliminate the enormous technological gap and all obstacles imposed on developing countries, including unilateral coercive measures which hamper our abilities to invest in the security of our ICT infrastructure. We encourage the adoption of clear, applicable norms to regulate the use of ICTs while also underscoring the importance of national frameworks and norms. With this in mind, Burkina Faso adopted a law on information system security on the 9th of July this year. This law establishes rules for the protection of information systems. It is underpinned by fundamental principles such as proportionality, technological neutrality and national security. Burkina Faso further calls for the adoption of an international, legally binding instrument under the auspices of the United Nations, establishing clear obligations incumbent on all states. The establishment of a voluntary United Nations fund dedicated to capacity building in cybersecurity, the establishment of a standing institutional mechanism under the auspices of the United Nations to ensure regular dialogue and a coordinated response to increasing threats, standardization of nomenclature for cyber incidents to facilitate international cooperation, and finally a firm commitment to an exclusively peaceful use of ICTs and the rejection of the militarization of cyberspace. Chairman, Burkina Faso remains determined to contribute actively to international efforts to build a secure, resilient and inclusive cyberspace. We reaffirm our commitment to strengthening regional and international partnerships. Thank you, President. Thank you, Chair.

Chair: Thank you very much, Burkina Faso, for your contribution. Friends, no more speakers on this cluster, so we’ll move on to the next cluster on international law. But I just wanted to offer some reflections, certainly not an exhaustive summary by any means. And I’m glad that I did make some remarks and post some questions before the lunch break because that did elicit some reactions and responses. And through the responses, you also get a sense of the range of positions on this issue. I think we need to start from the fact that the third annual progress report, the section on rules, norms, and principles of responsible state behavior, gives us a good basis to reflect on what we can do for the remaining months before we conclude our work. Now yesterday I had invoked the metaphor of running a marathon and today our colleague from Australia said that we should learn how to walk before we run. Now whether we run or walk, we need to take one step forward. So we don’t need to debate about whether we are walking or running, but the question is do we want to take a step forward? Or do we want to stand still? I think on the range of issues, we have the option of summarizing the status quo as it is. In other words, repeat essentially what we had agreed in July and say this is what we have done. In essence, meaning we have not been able to take a step forward. But I think precisely because we are at a stage in the process where we are going to wrap up our work after a five-year process, I think it’s incumbent on us to reflect deeply as to what would constitute a step forward. For some, it may be a small step, for others, what is a small step may be a huge leap. But whether we are walking or running, we have to step forward, we have to take a step forward, and certainly we don’t want to step backwards. I think we can all agree on that. In the context of the Framework of Rules, Norms, and Principles, I think we have all agreed the Framework of Rules, Norms, and Principles, as adopted and repeatedly endorsed by the General Assembly, by consensus, gives us a very solid foundation. And as one of you reminded us, it’s the 10th anniversary of the adoption of this Framework of Rules, Norms, and Principles, repeatedly endorsed by the General Assembly, by consensus, and that is a fact. And we should be proud of the fact that we have this foundation. What we have different views, or what you have different views about, is what would constitute the next step, and what would constitute some forward movement. We have also agreed throughout the previous years that further development of norms and the implementation of existing norms were not mutually exclusive, but could take place in parallel. This is a phrase that’s repeated in our various annual progress report, and it originates in the first open-ended working group. And there’s also that common understanding that the two are not mutually exclusive. And if they are not mutually exclusive, how do we fashion a step forward in terms of implementation, but also in terms of our discussion on the development of additional norms? And that leads us to the three recommended actions. in the third annual progress report. So we continue our exchange of views, which is what we have done today. And it’s important that we do pay attention to implementation. I mean, I think it’s important to keep in mind that implementation is not spontaneous or automatic. It will require effort. And I think that’s where the voluntary checklist comes in. We had this very lengthy discussion last year, and the idea of the voluntary checklist is nothing sinister, nothing suspicious. It is to help accelerate implementation. And we know that this process has engaged so many countries who are in various stages of development, and they will need help with implementation. And the voluntary checklist was intended to be also used as a capacity-building tool, self-help tool, self-checking tool for countries and regions to support each other in the implementation process. I was encouraged that many of you saw the norms implementation checklist as providing a good, good instrument or tool to facilitate implementation. And we also heard many different proposals from countries on how the checklist could be improved. There were specific suggestions in terms of how the checklist could elaborate additional elements to assist with implementation and to offer guidance to states in terms of what is responsible state behavior. But some of you also said that the checklist is not complete, elements are missing, or some of you have also emphasized the need to use consensus language, agreed elements. And I think it’s important that we continue this important conversation around the voluntary checklist as a way of focusing and assisting countries with implementation. But talking about implementation is not to mean that everything else is deprioritized. I think there is a delicate balance in this cluster, and that is that balance we need to maintain, and that relates to the discussion on strengthening or further elaborating existing norms and then also the discussion on new norms. Now here, again, we need to depend on consensus. In the case of the norms implementation checklist, we could possibly resort to agreed language from previous documents and then say this could be a basis for consensus. But when it comes to new norms or providing additional guidance to the implementation of existing norms, we need to build consensus from scratch, and that precisely is the challenge. So I would like to, first of all, thank all of you for your various comments and engagement and discussion. Second, I’d like each one of you to continue reflecting deeply on how we can make progress, both in terms of the implementation of existing norms, but also in terms of our discussion on additional norms. keeping in mind that we have all agreed that the two need not be mutually exclusive. And there’s also no reason why we should shut the door to the possibility of additional new norms, because that’s not what we have agreed. We have agreed that we will continue discussions and the two are not mutually exclusive. Now, it’s understandable that different groups of countries start from different vantage points, but I think we need to get to the middle. We need to get to the middle because that’s where the consensus will have to be found. So, friends, these are some random reflections at the end of a very useful debate. I know that each one of you have listened to each other as well. This discussion is not a dialogue between you and me, but is a dialogue between states. Each one of you out there seated in your delegation seats to listen to each other, because I think if we want to make progress, then I think we need to find a way to move forward and not to remain static. And let’s not also forget that as part of the overall mandate of the OEWG, we need to find a way to move forward on each aspect of the agenda, so we can’t be static in this agenda item. That is what I want to leave you with as a message. And if we are not to remain static, if we are to take a step forward, what would that movement forward look like in terms of implementation of norms, in terms of a discussion on additional new norms? We need to find consensus, so there’s no other option but to move forward and there’s no other option but to find consensus. Those, my friends, are some of my random reflections, so we’ll move on to the next agenda item. And that is under international law. And I have a very long speakers list that has spontaneously erupted, and so we will go through the list one by one, starting with Nigeria speaking on behalf of the African group. So Nigeria, you have the floor, please, to kick off the discussion on international law.

Nigeria: Thank you, Mr. Chair. I really appreciate it. The African group appreciates you and your team’s dedication and effort since the commencement of OEJW on ICT in 2021. Your sterling performance in harmonizing divergent view of member states is quite impressive and laudable. Having commenced the ninth session, it is a clear indication that we are moving towards the last leg of the race. It is on this premise that the African group deems it necessary to make the following remark in addition to its earlier submission of common African position on the application of international law to the use of information and communication technology in cyberspace. African group reiterated that addressing the threat of ICT should be done in a holistic nature that would include recent development in today’s world and should capture incidents that take place, whether in technical context or those with a geopolitical nature, including targeting critical infrastructure, ransomware attack. and as well as the recent use of malicious ICT activities to target life of civilians. Regarding capacity building in the norm of ICT, the group believe that the evolving nature of cyber threats require a long-term and cooperative approach to ensure the attainment of a minimum threshold of collective security. One useful tool in this context is the operationalization of the POC directory. We also wish to affirm need to enhance capacity building initiatives, including technological transfer know-how and on a need-based approach. Proposals on the UN Voluntary Fund and a capacity building portal are equally valuable initiatives that should be seriously considered and supported. Furthermore, the group wishes to state that capacity building and technical assistance must respect state sovereignty and should also be based on mutual trust and recognition of national ownership. The African group emphasizes that capacity building and all cooperation in this area should respect the integrity and security of national ICT infrastructure and correspond to nationally identified needs and priorities, and respect and protect the confidentiality of national policy and plans. Concerning the norms, rules, and principles of responsible state behavior in the ICT domain, why the African group appreciates the value of the norms from A to F in the said annals of the third annual progress report? We wish to underscore the importance of a serious discussion on the effectiveness of the norm-binding norms and to whether we need to enact a means of both binding and non-binding measures to deal with the increasing and rapid development. Mr. Chair, on the participation of stakeholders, the group considers the participation of stakeholders from the civil society and private sector as an added value to our discussion. It is our conviction that their representation and participation in the work of the future permanent mechanism should be preserved through the current modalities that have been successfully worked on by the Open Ended Working Group process. However, we have the fear that introducing new proposals might be counterproductive. On the international law applicability to ICT, the African group wishes to affirm as outlined in its common position on the application of international law to the use of information and communication technology in cyber space that states are not only under an obligation not to engage in internationally wrongful act but to combat malicious and criminal cyber operation by non-states. To this end, by virtue of territorial sovereignty, states are entitled to exercise jurisdiction including legislative, adjudicative and enforcement authority over the components of cyber space that are located on their territory. To this effect, the group affirms that international law as it applies to the use of ICT in cyber space does not permit a state to exercise enforcement authority on the territory of a foreign state in response to unlawful cyber activities that emanate. from the territory of that foreign state. It is therefore important to state that any unauthorized access by a state into the ICT infrastructure located on the territory of a foreign state is unlawful. In conclusion, Mr. Chair, African Group highlights that response of internationally wrongful acts committed through ICT in Sabah Spree should be in accordance with its obligations under the UN Charter, especially obligations relating to the peaceful settlement of disputes and the other application rules of international law, including the obligation to respect the territorial sovereignty of a state. Thank you, Mr. Chair, and thank you, distinguished delegates. Mr. Chair, you allow me to deliver my national statement, and that will be done by my colleague. Thank you. Thank you, Mr. Chair, for giving us the platform to speak again. Nigeria fully aligns with the African Union position on the application of international law to the use of information and communication technologies in the cyberspace, and I would like to make some remarks in our national capacity. The guiding principles of international law are entrenched in our collective responsibilities as state parties to the United Nations to ensure and maintain global peace and stability. The United Nations Charter should serve as our international constitution, which should be adhered to in spite of the dynamics of global affairs. Government cyberspace should not be immune to the guiding principles of international law. Nigeria acknowledges the evolving nature of modern technology, which has fundamentally transformed the lives of people, businesses, and institutions, bringing people out of poverty, increasing wider prosperity. It is also creating a more connected world and supporting globalization with greater access to free markets, democratic systems, prosperity and innovation. These benefits cannot be quantified but abuse is inevitable as evident in the proliferation of criminal activities online. These are firms are positioned on the application of requisite laws whenever necessary to deter existing and potential violation of the cyberspace I haven’t mentioned that Nigeria will continue to engage other states with contrary opinions in order to develop a legal framework within the ambience of global consensus. Distinguished delegates, my delegation oppose the sovereignty of all states and its inherent rights to conduct its internal and external affairs including its cyberspace without external interference through malicious cyber activities. The onus therefore falls on states to enforce relevant laws against malicious digital activities within their territories. States must uphold high standard against sponsoring cyber attacks particularly against critical infrastructure and critical information infrastructure in other territories. The preservation of lives and provision of busy communities are sacrosanct. Attack against facilities that cater for such provision is inhumane and should be avoided at all costs. Nigeria validates due diligence as a process that promotes openness, accessibility, safety and security of the cyberspace. Due diligence is crucial in investigating the source of malicious cyber activities to avoid escalation of conflicts between and among perpetrators and victims. Bearing in mind that states do not possess the same technical capacity in detecting and subverting criminalities in cyberspace. The collaboration and information sharing amongst states computer emergency response team and cyber security incident response team should be encouraged. maintained, and sustained at global level. My delegation believes international human rights law is also applicable in the cyberspace, giving users the freedom of expression online, including the right to seek, receive, and impact information and ideas, as well as to disseminate opinions online. Any restriction imposed by states on these rights must be codified and limited to what is strictly necessary in a democratic society to respect and protect the rights and reputation of others, as well as to protect national security, public order, public health, and morals. Freedom of expression of opinions should not be misused to incite violence, hate speech, crimes, terrorism, or other organized crimes, particularly targeting people based on their race, ethnicity, color, sex, language, religion, political, or any other opinion, or any other status. In conclusion, Chair, Nigeria calls for international cooperation among states to reinforce the objective of combating a common enemy through a consensus-based legal framework for peaceful settlement of disputes on cybersecurity-related issues. It is therefore no doubt that the attainment of a common legal position is premised on states’ willingness to compromise divergent views to achieve the ultimate goal of safeguarding the cyberspace. Thank you.

Chair: Thank you very much, Nigeria, both nationally and on behalf of the African group. I’ll give the floor now to the European Union, to be followed by Fiji, also speaking on behalf of the group of states. EU, please.

European Union: Thank you, Mr. Chair. I have the honor to speak on behalf of the European Union and its member states. The candidate countries, North Macedonia, Montenegro, Serbia, Ukraine, the Republic of Moldova and Bosnia. and Herzegovina and Georgia, and the EFTA country Norway, member of the European Economic Area, as well as San Marino, aligned themselves with this statement. Chair, please allow me to start with the good news. I am delighted to announce that the EU and its member states have published a declaration on a common understanding of the application of international law to cyberspace. With this common understanding, we reiterate that international law, including international human rights law and international humanitarian law, is fit for purpose in digital age. With this declaration, we show that it is possible to reach an understanding on a set of fundamental principles and rules of international law applicable to cyberspace, including state sovereignty, the principle of non-intervention, due diligence, the prohibition on the use of force, and the compliance with the rules of international humanitarian law, international human rights law, the law of state responsibility, and lawful state responses. Here I would like to reiterate and underscore that recognizing the applicability of international humanitarian law to cyberspace does not lead to or encourage the militarization of cyberspace, nor does it legitimize cyber warfare. We see that with every published national, regional, or international position and common understanding on the application of international law to cyberspace, we make progress towards a truly common and global baseline of understanding. The declaration by the EU and its member states should also be seen in that vein, and we would welcome further acknowledgement of the importance of regional views on the application of international law in cyberspace in the final report of this Open-Ended Working Group. Now, please allow me to reflect on our discussions on international law in the Open-Ended Working Group outcome reports. While we are pleased that the growing number of states now participate in the discussions on international law, we see at the same time that we have not managed to reflect the rich discussion and large number of interventions thereon, in particular with regards to the application of international humanitarian law, international human rights law, and the law of state responsibility in cyberspace in our last annual progress reports. We consider it of utmost importance that in the time remaining we appropriately carry out the group’s mandate and work towards a robust articulation in the Open-Ended Working Group final report of the shared views on how international law applies in the cyber context. Throughout the work of this Open-Ended Working Group, a plethora of states have emphasized the need to respect and protect human rights and fundamental freedoms and the application of IHL in cyberspace. In addition to individual statements, the working papers on IHL submitted by a cross-regional group of 13 states, as well as the cross-regional working paper by Colombia, El Salvador, Uruguay, Australia, and Estonia, that proposed specific texts for this year’s annual progress report, demonstrate the broad appetite that exists across all regions to focus on international on the applicability of international law in cyberspace in the progress reports. In that respect, the EU reiterates that international humanitarian law applies to operations in cyberspace in the same way as it does to operations by any other means conducted in the context of armed conflict. This includes the prohibition of using ICTs to direct attacks against civilians and civilian objects, including critical civilian infrastructure. Chair, colleagues, this year marks the 75th anniversary of the four Geneva Conventions of 1949, the cornerstone of international humanitarian law. The fact that all states have accepted to follow and are bound by the rules set out by the four Geneva Conventions demonstrates the universal values embodied by international humanitarian law. It is essential that the Geneva Conventions and other relevant sources of IHL are upheld in this digital domain. Reference to those rules and principles ensures that civilians and civilian objects, medical units and personnel, and humanitarian personnel and objects enjoy the same protection during armed conflict disregarding from where threats originate, the physical or virtual domain. Chair, we need to ensure that the rich discussions about and the many voices raising the application of IHL in the cyber domain in the context of armed conflict are accurately reflected in the Open-Ended Working Group’s report. The final report should recognize the work done and include a clear reference to IHL applicability in the cyber context. Acknowledgement in the reports that IHL applies in cyberspace does not preclude recognition that further study on how international humanitarian law applies to ICT operations in situations of armed conflict is needed. The EU recommends that the final report adopt an action-oriented approach, wherever it acknowledges that IHL applies and that many states discussed how IHL applies to cyber operations executed in the context of and in relation to armed conflict, and that they made concrete proposals to engage in further discussions on this matter. Chair, we remain of the view that giving due consideration to the legal framework we already have in place should be our priority. Existence of different, even contradictory, legal opinions does not imply a lack of applicable legal framework. After all, states present different interpretations of rules and principles not only in the cyberspace context but also in many other fields of international law. This includes accurately reflecting the weight of discussions in the room. Unfortunately, in this open-ended working group process thus far, equal weight has been given to some proposals that are supported by just a few states as to those proposals that have cornered much broader support. If we are to reach common understandings, proposals that command almost universal support should be duly acknowledged and reflected in the products of the working group. Several important developments have been gaining momentum over the course of the Open Ended Working Group’s mandate, such as the sharing of national views on how international law applies to cyberspace, as well as support for a permanent action-orientated mechanism, the Programme of Action. In particular, the approach to a further future permanent mechanism outlined by the POA would draw on the valuable discussions from each of the Open Ended Working Group’s pillars and develop them into practical, cross-cutting workstreams that could ensure we tackle the actual challenges we face in cyberspace, and support meaningful implementation of the framework in direct relation to these challenges. It is only by learning from our collective implementation of the framework that we will be able to assess whether any gaps in the framework exist. Thank you.

Chair: Thank you very much, European Union, for your intervention and also for the good news that the European Union and its associated states have reached a common understanding on the application of international law. I think that will hopefully add some momentum to our discussions here. Thank you very much for that. I’ll give the floor now to Fiji, please.

Fiji: Thank you, Chair. I’m delivering this statement on behalf of a cross-regional group of states that includes Australia, Colombia, El Salvador, Estonia, Kiribati, Thailand, Uruguay, and my own country, Fiji. Over the past year, states have engaged in focused discussions and made substantive interventions on international law. And we’ve been impressed by the number of states delivering such detailed statements on how international law… applies to cyberspace. We welcome the increased number of national and regional positions that have been put forward, which contributes to deepening collective understanding on how international law applies in cyberspace. In May this year, a cross-regional group presented a working paper on convergence language on international law, which reflected additional areas of convergence which have emerged from progressing discussions. We would have liked to see this language reflected in the 2024 Annual Progress Report, including references to the application of international humanitarian law. Now, building upon previous discussions and acknowledging the momentum gained in our recent sessions and guided by the insightful questions raised by you, Chair, on additional layers of understanding that can be reached on international law, we represent a diverse cross-regional group that is pleased to publish an updated paper that offers convergence language for the 2025 final report of this OEWG. The paper draws attention to areas of emerging convergence on international law that have been reflected in discussions and national and regional positions over the past year, including recognition that, firstly, states must respect and protect human rights and fundamental freedoms, both offline and online, in accordance with their respective obligations. Secondly, states must meet their international obligations regarding internationally wrongful acts attributable to them under international law, and international humanitarian law applies to cyber activities in situations of armed conflict, including where applicable, the established international legal principles of humanity, necessity, proportionality, and distinction. The paper also affirms that states have recognized that, in addition to Articles 2, Subarticle 3, and Articles 33, Chapter 6 of the Charter of the United Nations, more broadly provides for the pacific settlement of disputes, which is applicable to states conducting cyberspace. We acknowledge the importance of continuing discussions on how international law applies in cyberspace within the OEWG, as well as the importance of building capacity on international law so that all states can participate meaningfully in these critical discussions that are key to preventing conflicts and maintaining peace and security. We also acknowledge that cooperation and capacity building are crucial for building states’ technical cyber capabilities for the purposes of determining the source of malicious cyber activities and attributing internationally wrongful acts, and we support continuing dialogue on this topic. It is important to continue to discuss and exchange ideas to generate a common understanding of how states envision the future. The future permanent mechanism to advance the responsible behavior of states in the use of ICTs in the context of international security could offer a framework to accommodate these informed and structured discussions and assist with capacity building on international law. Dedicated thematic groups which incorporate discussions on international law issues could be part of an action-oriented future permanent mechanism and useful for these purposes of facilitating substantive exchanges on international law as well as capacity building. We welcome support from other states for the textual proposals in our paper and hope to see the text reflected in the 2025 final report of this OEWG. Thank you, Chair.

Chair: Thank you very much, Fiji, for your statement and also for publishing your common position paper. Let me see who’s next. Albania to be followed by Lebanon, please.

Albania: Thank you, Mr. Chair, dear colleagues. I have a short statement this time, but it’s important to present the position of Albania on this issue. Upholding international law in cyberspace is fundamental to maintaining peace, security and stability in an increasingly interconnected digital world. Albania supports efforts to ensure the international law, including the principles enriched in the UN Charter, are effectively implemented to address the challenges steaming from the use of ICTs. The application of international law in cyberspace provides a robust framework for fostering responsible state behavior and accountability. It ensures that states’ actions in the ICT environment align with the global norms, reinforcing trust and cooperation among countries. Albania recognizes the importance of advanced shared understanding of how these principles guide actions in cyberspace, particularly as emerging technologies evolve and the new challenges arise. Albania emphasizes the need to expand capacity-building resources in international law to ensure equitable access for all states. This includes tailored training initiatives on applying international law to cyberspace, such as in case of incident attribution, incident response, etc., and potentially the development of platforms to share best practices, guidelines and technical tools. Strengthened partnership with regional organizations, academia and civil society are also essential to addressing local need and enhancing global capacities. Albania appreciates the training offered by UN UNIDIR to member states on capacity-building on international law norms and state-responsible behavior, where we benefited significantly this year. We believe that those efforts must continue. Through its national and regional initiatives, Albania actively has given its contribution to those efforts. A number of conferences, policy dialogues, roundtables, and training sessions hosted by Albania have focused on both operational and legal aspects of cybersecurity, fostering cooperation and promoting the implementation of national and international law that regulates this field. Most recently, the Western Balkan Policy Roundtable, supported from the Government of Netherlands, brought together the entire region of Western Balkans, covering those issues as well. To conclude, Albania reaffirms its commitment to upholding international law’s application in the use of ICTs, advancing shared understanding of international law in cyberspace, and supporting capacity building efforts that promote compliance with international law. We expect other countries to do the same, not only in the statements given in this floor, but also in their international practices daily back home. Thank you, Chair.

Chair: Thank you very much, Albania, for your statement. Friends, I just wanted to let you know that we have more than 40 delegations that have inscribed. So we are looking at a discussion that will require more than three hours. Now, this is a happy state of affairs. And it is no surprise that the cluster on international law always elicits the largest number of requests for the floor, which is an indication of your deep desire to express yourself on this important subject. And I think that’s important, because each of you, everyone needs to listen to each other. And through that expression of your positions, you are not only taking a certain stand, but also letting your stand be known and understood by others. And all this is part of. the process that we are engaged in. So it’s very important. But what I wanted to ask you, though, is you are certainly most welcome to put your full text of your statement on the OEWG website, because that, too, adds to international understanding of your position, but also international understanding of international law principles. So you have the option of presenting an abbreviated version of your statement so that we can use the time here for you to focus on the essential points that you want other delegations to understand about your international law position or highlight any significant initiative. But at the end of the day, I have never tried to cut off speakers, so we will give you as much time as you judge necessary and as much time as you deem essential for you to exercise your sovereign right to express your delegation’s point of view. But I would encourage that you submit your statement and you also do your best to present the key points and post the rest of it on the website. So with that, we will now continue with our law seminar by listening to the many interesting statements, starting with Lebanon, to be followed by Austria.

Lebanon: Thank you, Mr. Chairman. Allow me to begin by thanking you for holding this meeting. I’d also like to congratulate you on your excellent stewardship of the work of the working group over the last few years. We further welcome the adoption of the third annual progress report on the OEWG’s work. Chairman, in the context of discussions on existing or potential threats in the field of information security and the way in which international law applies to the use of information and communication technologies by states, the Lebanese delegation wishes to report on the attack on Lebanon on the 17th and 18th of September 2024, which constitutes a very dangerous precedent in the field of cyber attacks, the repercussions of which are not limited to Lebanon alone. Rather, these repercussions are also being felt on international peace and security and on the global civilian supply chain. Israel conducted large-scale terrorist cyber attacks on Lebanon on the 17th and 18th of September 2024 by detonating thousands of booby-trapped pages. These pages were rigged by Israel before being exported to Lebanon after their origin was disguised. The pages exploded after electronic messages were sent to them. These barbaric attacks led to the death of dozens, including children and women. More than 3,000 people were injured. Hundreds are in a critical condition or suffered physical disfigurement. They lost a limb or their eyes. These attacks caused within hospitals and medical teams an unprecedented state of emergency, exhausting their capacity. They also triggered a wave of terror and panic among all Lebanese citizens across the country. This attack is a clear example of the misuse of ICTs to carry out subversive terrorist attacks that undermine international peace and security. It also undermines multilateral efforts made in the framework of the United Nations for years aimed to develop rules, norms, and principles of responsible behavior in the field of the security of ICTs. The ninth preambular paragraph of Resolution 75-240, entitled Developments in the Field of Information and Telecommunications in the Context of International Security, mentions that the embedding of harmful hidden functions in information and communication technologies affect the safe and reliable use of these technologies, and the supply chain of information and communication technologies for products and services erode confidence in trade and harm international security. saying that these pages were already booby-trapped, what if these means, if these was booby-trapped? In addition to the danger that this poses to national security, we must also consider the other consequences on means of civilian communications and confidence in supply change and the security of supply change, as well as confidence in brands of companies that export products and consequently on the security in the international economy and trade. Furthermore, we heard of the decision by one airline to ban these pages being transported on board their aircraft. This will not be the only side effect from this attack. Chairman, this is not the only Israeli cyber attack on Lebanon. Indeed, Israel has over the last few months, and this is just one example, it’s a non-exhaustive example, has jammed the GPS system in Lebanon. This has had repercussions on all services that use this technology, such as transportation and communications. And also through the use of jamming, particularly with regard to the aerospace of the Rafik Hariri International Airport. and the Global Navigation System, the GNSS system, and the spoofing of satellite signals used by civilian aircraft to determine the proper functioning of their systems, their flight and their path. This endangers civilian aviation and the safety of civilian passengers in Lebanese airspace. This in turn represents a threat to Lebanese national security and constitutes a flagrant violation of Article 45 of the Constitution of the ITU. Chairman, in the final substantive report of the Open-Ended Working Group on developments in the field of information and communications technology in 2021, states affirmed that international law, and particularly the Charter of the United Nations, applies to the use of these technologies and is necessary to maintain peace and stability and to promote an open, stable, safe, available and peaceful ICT environment. In this regard, states were called upon to avoid taking any measures that would be inconsistent with international law, in particular the United Nations Charter. Furthermore, Under the Second Amended Protocol to the Convention on the Prohibition or Restriction of the Use of Certain Conventional Weapons, the use of booby traps is prohibited, especially in civilian areas. The use of these booby traps and the targeting of thousands of people without knowing who was in possession of these targeted pages and their location and who was in their vicinity at the time of the attacks violates international human rights law and international humanitarian law. It is completely inconsistent with the fundamental principles to be applied in conflicts, namely distinction, proportionality and precaution. We draw the working group’s attention to the briefing by the United Nations High Commissioner for Human Rights, Mr. Volker Tuch, to the Security Council on the 20th of September 2024. In that briefing, he classified the nature of the attacks on the 17th and 18th of September as a flagrant violation of international law and international humanitarian law in an unambiguous manner. It would be useful to listen to this briefing to understand, the full briefing, to understand how international law applies to this use of ICTs by states. On this attack in particular. States, you should particularly listen to the full briefing. Chairman, Israel’s documented and ongoing violations of international law undermine the international law-based order and the aims of this working group. Chairman, we would like the threats that we have presented in the area of information security and technology and the position on how international law applies to the use of ICTs by States to be reflected in the next progress report of the working group.

Chair: Thank you very much, Lebanon, for your statement. Austria, to be followed by El Salvador.

Austria: Thank you, Mr. Chair. Austria fully aligns itself with the statements on behalf of the European Union, and we would like to make some further remarks in our national capacity. At the outset, my delegation would like to join others in thanking you and your team for your efforts in this final annual cycle of the open-ended working group. In this and previous sessions, we have seen the appetite in the room to further engage in discussions on how international law, including international human rights law and international humanitarian law, applies in the cyber context. Since cyber activities do not take place in a separate virtual space, but in the real world, through real infrastructure and persons, international law applies in its entirety. In previous UN reports, as well as in numerous position papers, States reaffirmed the applicability of rules and principles of international law to cyber activities. In addition, the resolution on ICT in Austria was a major step forward in the international armed conflicts adopted by consensus during the 34th International Red Cross and Red Crescent Conference underlined the applicability of international humanitarian law also in the cyber context. It has been repeatedly stressed that human rights and fundamental freedoms must be protected both online and offline. In the same vein, states reiterated that international humanitarian law and its core principles of distinction, proportionality, necessity, and humanity must be respected at all times during armed conflicts, including in the conduct of cyber activities. However, we regret that those fruitful discussions, as well as the existing convergences on international law, have not accordingly been reflected in the third annual progress report adopted in July this year. From a few in this room, we sometimes hear that IHL would contribute to the militarization of cyber activities. Were this argument to be true, then we should abolish IHL altogether, because it would mean that IHL in general leads to more militarization and armed conflict. The facts are, of course, quite the opposite. Affirming the applicability of IHL to armed conflict does not encourage or legitimize armed conflict. IHL intends to protect civilians and civilian objects from the effects of hostilities. In this vein, let us be clear. Affirming the applicability of IHL to cyber activities in connection with an armed conflict does not encourage or legitimize cyber warfare. Austria is committed to the rule of law and welcomes the various position papers on international law and cyber activities that several states have already published. Recently, the EU Declaration on a Common Understanding on the Application of International Law to Cyberspace was published. This serves as another proof that there are common grounds among a large number of states when it comes to international law. The African Union set an excellent example earlier this year by publishing the consolidated legal view of 55 countries. Now the European Union has followed suit with its declaration comprising the legal view of 27 member states. Austria published its own position paper on cyber activities and international law in April this year. While we acknowledge that there are aspects that need further consideration, for us this is a clear sign that international law is a priority for many states and thus further in-depth discussions are not only desirable but urgently needed. Mr. Chair, finally, we want to emphasize once more that in our view the international law mandate of the Open-Ended Working Group can only be fulfilled by giving due consideration to the existing legal framework. For that purpose, we consider scenario-based discussions and exercises to be particularly useful in the further development of shared understandings. Given the broad support for this approach by many states, we would also like to see this reflected in the outcome documents of the Open-Ended Working Group. My delegation remains committed to this issue and would like to thank you, Mr. Chair, again for giving us the opportunity to share our views on these important matters. I thank you.

Chair: Thank you, Austria. El Salvador to be followed by Singapore.

El Salvador: Thank you very much, Mr. Chairman. All protocol observed. And I will now be referring briefly to the third annual progress report and our full statement will be published. As set out in the position statement after its publication, El Salvador is profoundly concerned due to the lack of references to the application of international humanitarian law in cyberspace. My country reaffirms that the interrelation with international humanitarian law is essential, particularly with regard to the analysis and effective implementation of the principles of international humanitarian law, such as the principle of proportionality, the principle of distinction and precaution. The implementation of these principles are underpinned by the advisory opinion provided by the International Court of Justice on the legality of the threat or the use of nuclear weapons, particularly when the Court recalled that the norms and principles of international humanitarian law applicable to armed conflict are applicable to all forms of war and all types of weapons, including those in the future. For my delegation, this affirmation applies to the development of the spheres of cyberspace, particularly with regard to operations in the context of armed conflict. Specifically, the International Court of Justice describes the principle of distinction as a cardinal principle because it requires that parties to an armed conflict refrain from undertaking cyber activities that might constitute attacks on civilian infrastructure or targets. For our delegation, the principle of distinction also prohibits indiscriminate attacks, including those that use cyber means or methods of war. In this context, El Salvador reaffirms the need to continue furthering the obligations of states with regard to the protection of civilians and civilian targets, including critical infrastructure and critical information infrastructure under international law and international humanitarian law. Finally, Mr. Chairman, and with regard to the work of this group and its link with the standing mechanism, we believe it’s essential for this group to be able to structure the application of international law thematically and divided by group in order to set out the different perspectives and the elements of the application of international law to cyberspace. Thank you very much, Chair.

Chair: Thank you very much, El Salvador. Singapore to be followed by Egypt.

Singapore: Thank you, Mr. Chairman, for giving us the floor. Singapore sees international law as a crucial component of the OEWG’s work. As a firm believer in a rules-based international order, Singapore believes that fostering common understanding among states in the application of international law in the ICT context will contribute to the greater peace, security and trust among states. Singapore is heartened by the progress made at the OEWG thus far and views paragraph 37 of the third APR as being a fine example of an additional layer of understanding which has been reached thus far. It provides a degree of clarity which is helpful for all states to understand how international law applies to cyberspace. Optimistically, Singapore is of the view that there could be further elaboration on what uses of ICT violate states’ sovereignty or amounts to use of force and armed attacks under the UN Charter, etc. Realistically, while we understand that it may be difficult for states to come to agreement in writing on the application of additional substantive areas of international law to ICTs, they can still individually issue national statements or even regional ones such as what the African Union and the European Union have done. Even if they do not represent the views of all states, these statements would contribute to the archy of states’ understanding on how international law applies in cyberspace that assists not only our work at the OEWG, but even beyond. Mr Chairman, capacity-building is an essential part of fostering common understanding, ensuring that every state acquires the necessary expertise and capacity to contribute meaningfully to discussions on international law remains a crucial undertaking for all Member States. In this regard, Singapore believes that aside from existing initiatives in the form of seminars, workshops and conferences, to further capacity-building, scenario-based discussions based on realistic hypothetical scenarios could help to add a more granular layer of understanding as to how international law should be applied in possible real-world situations. Such discussions would be further enhanced by the participation of states’ legal advisors and legal experts, where discussions can go beyond legal principles at the broad level to a more detailed level of application and understanding of international law. Recent events and forums have shown that progress is being made in this year. For example, the Singapore International Cyber Week, the Sino-European Expert Working Group on International Law in Cyberspace and the 2024 Cyber Stability Conference organised by UNIDIR were forums that brought together experts from different regions, creating opportunities for the exchange of views and sharing of expertise on a broad range of issues, including international law in cyberspace, which may contribute to further understanding at the OEWG and beyond. Thank you, Mr Chair.

Chair: Thank you very much, Singapore. Egypt to be followed by United States.

Egypt: Mr Chair, it is our view that there is a consensus that international law applies in cyberspace. There are also many emerging elements and areas of agreement on how specific primary and secondary rules of international law apply in cyberspace. There are, however, many other questions that remain to be answered and that require further consideration by member states and relevant stakeholders. Some of these questions include the following. Does the obligation to respect the territorial sovereignty of states include a de minimis threshold of harmful effects that must be met for intrusive cyber operations to constitute internationally wrongful acts? Does diplomatic law protect governmental communications against interception in cyberspace? Can a cyber operation that does not cause physical damage constitute an instance of the use of force in contravention of Article 2.4 of the UN Charter? What is the definition of coercion as an element of the prohibition on intervention? What is the exact content of the duty of due diligence, especially that it is an obligation of conduct, the execution of which depends on national capacities? Also, how does due diligence require states to ensure that the conduct of non-state actors operating from the territory of a state does not violate the rights of other states? How does the duty of cooperation, which is a primary rule of international law, apply in cyberspace? And how can it contribute to addressing internationally wrongful conduct in cyberspace, especially in the area of attribution? What is the exact content of the obligations of corporations, especially social media platforms, to respect and protect human rights online? Is data a protected civilian object under international humanitarian law? Mr. Chair, we believe that international law already provides juridical tools to answer many of these questions. However, we also believe that these are matters that require further consideration by the international community, and this demonstrates the importance of further robust engagement by all states on this matter. In this regard, on many of these questions, Egypt’s position is entirely aligned with the common African position on the application of international law in cyberspace that was adopted by both the African Union Peace and Security Council and the 37th Assembly of the African Union. Egypt also welcomes the adoption by the 34th International Conference of the Red Cross and Red Crescent of the resolution titled Protecting Civilians and Other Protected Persons and Objects Against the Potential Human Cost of ICT Activities During Armed Conflict. In our view, this resolution reflects in many of its aspects how rules of conventional and customary international humanitarian law apply in cyberspace. However, it remains essential for more states, especially from the Global South, to consider issuing national statements on the application of international law in cyberspace. Such statements provide authoritative expressions of opinio juris in this area. And in order to enable more countries to do so, more resources should be dedicated for capacity building in this area, including through scenario-based trainings. In this regard, we express our appreciation for partners that have contributed to capacity-building projects in this area, especially in Africa. And we take this opportunity to encourage our sisters and brothers from African delegations to join us tomorrow at 1.15 at the mission of the Federal Republic of Germany for a panel discussion on the role of African states in UN Framework for Responsible State Behavior in Cyberspace, which is co-sponsored by Egypt and Germany. Mr. Chair, Egypt emphasizes that the debate on how international law applies in cyberspace is one of the most consequential debates for the future of international law. This is a conversation that has the potential to reshape many of the fundamental rules of the international legal system. Moreover, Egypt underscores that those states that have not yet issued national statements on the application of international law in cyberspace should not be assumed to have acquiesced to positions that have been adopted by other states or regional organizations that they are not members of. Therefore, it is also important for the future permanent mechanism to provide sufficient space for states to engage in substantively robust and interactive debates on how international law applies in cyberspace, especially that the law in this field will continue to evolve as technology develops and intersects with other technologies such as artificial intelligence. We therefore encourage legal advisors, whether based here in New York or from capitals, to become active participants in debates in the permanent mechanism and going forward. Thank you, Mr. Chair.

United States: This group has made enormous progress in its discussions of international law over the past three and a half years. Increasing numbers of states from various regions as well as cross-regional groups of states have offered views on how international law applies to the use of ICTs. These rich discussions have enabled us to further develop common understandings of this issue, which is critical to the promotion of international peace and stability. In the time remaining, we can make meaningful progress on the topics identified for focused discussions in paragraph 39 of the third APR. We would highlight the topic of state responsibility as one that is particularly ripe for discussion. This group can be guided in this discussion by the ILC’s draft articles on state responsibility, in particular articles 12 through 15, which concern the bedrock rules of when a state is responsible under international law for an act or omission attributed to it, including situations where the breach is extended over time or occurs through multiple acts or omissions. As the draft articles affirm, there is a breach of an international obligation by a state when an act of that state is not in conformity with what is required of it by that obligation, regardless of its origin or character. An act of a state does not constitute a breach of an international obligation unless the state is bound by the obligation in question at the time the act occurs. In addition, the breach of an international obligation by a state through a series of actions or omissions, defined in aggregate as wrongful, occurs when the action or omission occurs which, taken with the other actions or omissions, is sufficient to constitute the wrongful act. These are matters on which we should all be able to reach consensus. The final OEWG report should also reflect the discussions this group has had, including the multiple statements on how IHL applies to the use of ICTs and the working paper submitted by Australia and other states from across regions. Pretending these discussions never occurred would undermine what we have achieved together and would do a disservice to us all, as well as to the broader international community, which will be looking to our final report to assess what this group has been able to accomplish. The fact that a few states argue, whether due to misunderstanding or for some political reason, that international law may not apply to the use of ICTs, or that acknowledging the existence and applicability of IHL would somehow justify the use of force in violation of the UN Charter, should not make us afraid to have a report that reflects the reality of our discussions. It is also a reality that ICTs are already being used in armed conflict. To refuse to acknowledge the applicability of IHL to such use of ICTs is to imply that states can do whatever they want with ICTs in armed conflict, unbound by the constraints that IHL imposes on the conduct of hostilities and treatment of victims of war. This would be unacceptable. In this regard, we note the adoption last month by the 34th International Conference of the Red Cross and Red Crescent of the resolution referenced by several other delegations. This marks a significant milestone in international discussion of how IHL applies to the use of ICTs in armed conflict. Given that discussions of the topic are developing elsewhere, it would be all the more unfortunate if this group proved unable to adopt a report that acknowledged that the OEWG has also discussed IHL and how it applies to the use of ICTs in conflict. We also congratulate the European Union on its declaration of a common understanding of international law and cyberspace. Along with the African Union common position earlier this year, this is a significant achievement that further demonstrates the progress states are making on understanding how international law applies to the use of ICTs. And, as noted by others, there are rich discussions on international law being held through various mechanisms and fora. Significant work is also being done to support states in developing national positions on international law. In order to build on this momentum, capacity building on international law is vital and must be an integral part of our continued work. Many states, including the United States, already provide support for such capacity building, including through UNIDIR. Capacity building will be a core component of the future POA, and we look forward to working with other states to build a future mechanism that capitalizes on the achievements of this OEWG, including on the topic of international law. Thank you, Chair.

Chair: Thank you very much, United States. Malawi, to be followed by Islamic Republic of Iran.

Malawi: Thank you so much, Chair and distinguished guests. Malawi aligns itself with the Chair’s remarks and appreciates the opportunity to contribute to this important discussion. I will therefore be sharing my delegation’s views and efforts to adopt the international law. Chair, I’d like to start off by saying no man is an island. The biggest problem we have, especially in our developing nations, is implementation. My delegation believes in the spirit of benchmarking and learning from each other. I therefore urge all of us to not only align our lost points we deem necessary, but to ensure effectiveness across borders, but also continue pushing initiatives that will allow us to see how best our neighbors managed to implement the very laws we wish to acquire. Malawi recognizes that international law is essential in governing the use of information and communication technologies by states. We acknowledge the applicability of international law. to ICTs is a complex issue, requiring careful consideration of various factors. According to the United Nations Secretary General’s report on developments in the field of information and telecommunications in the context of international security, the A-76-153, the increased use of ICTs has created new opportunities for cooperation, but also new challenges for international peace and security. In this regard, Malawi suggests that we focus on the following key areas, applicability of international law, state responsibility, protection of critical information infrastructure, as well as human rights and international humanitarian law. Malawi recognizes the importance of SIM card registration in preventing and investigating cybercrime, while also respecting the right to privacy and freedom of expression. In this regard, we align ourselves with the International Telecommunication Union’s guidelines for SIM card registration, which emphasize the need for transparency, security, and proportionality in registration processes. Having had many cyberattacks performed through the misuse of SIM cards, Malawi has put efforts to develop legislation that oversees national SIM card registration to control these high fraud cases. Through the UN’s efforts to control SIM card-related crimes, my delegation has set up a National Central Equipment Identity Register to mitigate these disturbances. Chair, in support of the importance of international law, Malawi participated in the expert group of meetings on ransomware threat analysis and policy, alongside other countries from East and Southern Africa, Latin America, and the Caribbean, including the Asia-Pacific region. Malawi’s participation in these meetings demonstrates our commitment to collaborating with other countries to address the global threat of ransomware, to develop effective policies and measures to prevent and respond to such attacks. Chair, as we discuss the application of international law to the use of ICTs, Malawi proposes that we establish a benchmarking framework to assess the implementation of international law in this area. This framework could include guidelines, standards, and best practices for states to follow, as well as a system for monitoring and evaluating progress. For instance, the Council of Europe’s Budapest Convention on Cybercrime provides a useful model for benchmarking cybersecurity laws and practices. Regarding misinformation, Malawi suggests that we consider developing guidelines for balancing the right to freedom of expression with the need to prevent the spread of misinformation. This could involve exploring the use of fact-checking initiatives, media literacy programs, and regulations that prohibit the dissemination of false information. For example, the European Union’s Code of Practice and Disinformation provides a useful framework for addressing misinformation online while respecting freedom of expression. By addressing these issues, we can promote a safer and more secure online environment that respects human rights and the rule of law. As I highlighted in the UNODER’s Cybersecurity and Cybercrime Report of 2020. 2021, the global cost of cybercrime is estimated to reach $10.5 trillion by 2025. The unity of our nations can be held firmly around aligning our laws. At the national level, Malawi has taken steps to align its laws and policies with international law, specifically CHAIR. With the vast advancement of technologies in the past years, from the introduction of extensive AI models to more complex cases of quantum technologies, Malawi decided after reflecting and involving necessary states to separate the Electronic Transactions and Cybersecurity Act of 2016 into the Electronic Transactions Act and a separate bill on cybersecurity, which is yet to pass parliament. Malawi is committed to strengthening its national cybersecurity framework in alignment with international law. In this regard, we are currently drafting two critical pieces of legislation, the Cybersecurity Bill and the Cybercrimes Bill. These bills aim to provide a comprehensive framework for preventing and responding to cyber threats, as well as prosecuting crimes related to ICTs in accordance with our international obligations and commitments, including the African Union Convention on Cybersecurity and Personal Data Protection and the United Nations General Assembly resolutions on the development of international law in the field of ICTs. Malawi is also taking steps to strengthen its national cybersecurity policy framework. We are currently drafting a new national cybersecurity policy, which will provide a comprehensive framework for managing cybersecurity risks and promoting a culture of cybersecurity awareness in my delegation. Furthermore, we are reviewing our national cybersecurity strategy to ensure it remains effective in addressing emerging threats and align with international best practices. These efforts demonstrate Malawi’s commitment to developing a robust national cybersecurity framework that supports our national development, protects our citizens’ personal data and enhances our national security. Malawi looks forward to continuing to work with other states and international organizations to promote the development of international law in the field of ICTs. Thank you.

Chair: Thank you very much, Malawi. Islamic Republic of Iran, please.

Islamic Republic of Iran: Thank you, Mr. Chair. Based on previous discussions, there is a common understanding regarding the applicability of generally accepted principles of international law and the purposes and principles of the UN Charter to the ICT field, which include primarily sovereign equality, non-use of force and threat of force, respect for territorial integrity of states, resolution of international disputes by peaceful means, non-interference in internal affairs, as well as fulfillment in good faith of obligations under international law and international cooperation. However, due to the unique technical and legal features of ICT environment, including its cross-border nature, the anonymity of their use, and the difficulty of reliable identification of sources of malicious activities, these principles cannot be carried out or applied automatically. Neither there are clear mechanisms agreed upon by the international community to do so. Among others, political attribution of computer attacks and the problem of reliable identification of the source of harmful activities is a critical question. All accusation of organizing and committing illegal acts brought against states should be substantiated. It is unacceptable to assign responsibility for incidents in information space to anyone without evidence and a fair consultation process among interested parties. It is necessary to agree on definitions and technical mechanism that will enable objective identification of the sources of computer attacks. The risk of politically motivated and fabricated attributions, as well as false flag operations remains crucial. It is worth noting that currently many of these attributions, especially those published by so-called private sectors are formed based on political interest and affected by political and geopolitical conflicts between states and don’t necessarily have a technical basis or legal merit. To address these challenging gaps, we emphasize the priority of considering the possibility of additional legally binding obligations, as requested by the countries of the non-aligned movement, acknowledging the need to identify legal gaps in international law through the development of an international legal framework specific to the unique attributes of ICT environment. Mr. Chair, distinguished colleagues, during the eighth substantive session of the OEWG, my delegation expressed strong reservations about paragraph 27 of the third APR, as it seeks to subsume international law under the concept of responsible state behavior, warranting scrutiny. Addressing international peace and security is a delicate endeavor, entailing profound legal and political ramifications. According to international law, states are bound solely. by the legal obligations to which they have consented and established customary international law or by ergo-omness norms. Consequently, it is untenable to elevate a concept above the international law. Amalgamating international law, voluntary norms, and confidence-building measures under the ill-defined umbrella of so-called responsible state behavior undermines the sanctity of international law. By diminishing the primacy of international law, paragraph 27 inherently jeopardizes the international legal order. The way the paragraph is drafted assigns equal weight to voluntary norms, legal norms, and CBMs in terms of their impact on undermining international peace and security. From both a practical and theoretical standpoint, this is profoundly problematic. Consequently, as agreed during the eighth substantive session of the OEWG, we strongly support amending paragraph 27 and are prepared to engage in discussions with all delegations on this matter. I thank you, Mr. Chair.

Chair: I thank very much the Islamic Republic of Iran. We can perhaps take one more speaker before we adjourn for the evening. So I give the floor to Finland. You have the floor, please.

Finland: Thank you, Chair. Finland aligns itself with the statement of the European Union and wishes to make some additional remarks in its national capacity. Firstly, we would wish to highlight the importance of this dedicated session within the OEWG on international law. As affirmed by the previous OEWG and endorsed by the General Assembly, We reiterate that international law, including the UN Charter, applies in cyberspace. Its applicability does not depend on the technological means employed. As the application of certain provisions in practice may pose specific questions, it is important to continue in-depth discussions on these. Numerous states, including the member states of the African Union and the European Union, have already put forward their views and positions on how international law applies in cyberspace. The EU and its member states, 27 in total, just recently shared its declaration on a common understanding of the application of international law to cyberspace, reaffirming that international law, in particular the UN Charter, international human rights law, and international humanitarian law, fully applies to cyberspace. This common understanding complements Finland’s national position elaborated in 2020. It also means that now more than a half of the UN member states have elaborated such positions and understandings. This shows that we are on our way towards a truly common understanding on the interpretation of international law in cyber-related situations. It also shows that cyberspace is a regulated arena. This broad support should be reflected and articulated clearly in the OEWG final report. Such articulation should be additional to the core obligations already reflected in the third annual progress report. We are particularly pleased that there is growing agreement on the need to address IHL in our work. We would wish for the final report to include a clear reference to IHL’s applicability in cyberspace. New technologies do not render the existing rules of international humanitarian law meaningless or necessarily require new legal regulation. At the 34th International Conference of the Red Cross and Red Crescent, states and national societies of the Red Cross and Red Crescent approved a resolution on protecting civilians and other protected persons and objects against the potential human cost of ICT activities during armed conflict. Said resolution contained important language with regard to ICT activities, for example, on the protection of civilians, medical personnel, units and transports, humanitarian personnel and objects, as well as on allowing and facilitating humanitarian access. This resolution should also contribute to our discussions at the OEWG. The resolution recognized the OEWG as a central intergovernmental forum for studying how international law applies to the use of ICT by states. As the function of the International Conference of the Red Cross and Red Crescent is to contribute to the respect for and development of IHL, it is important for the OEWG on its part to take into consideration the progress made at the latest international conference in this regard. Finally, the OEWG has an important role in capacity building among states, and the discussions on international law have significantly deepened during the course of the OEWG. It is important to involve all states in the conversations on how international law applies in cyberspace. We continue to welcome a discussion on the specific areas where capacity building would be most needed and commend existing capacity building initiatives such as the Talent Summer School of Cyber Diplomacy. It is also important for dedicated in-depth discussions and briefings to have member states’ legal advice present. We would wish for such dedicated discussions on how international law applies in the use of ICTs to continue also in the framework of the future mechanism. Thank you.

Chair: Thank you very much, Finland, for your statement. Friends, we’ll have to adjourn soon. It’s almost six o’clock. But it’s very clear that there’s a lot of interest in making statements, and so we will certainly continue tomorrow. I have about 30 speakers. It may well still take three hours, but I would still once again encourage delegations to consider submitting your national statement on the understanding that these national statements are also formal articulations of your positions and perspectives on how international law applies. And that in itself is a useful exercise, so you could choose to present an abbreviated version of your statements here during the meeting tomorrow morning. So with that note, thank you very much, and I wish you all a pleasant evening. The meeting is adjourned. Thank you.

Agreement Points

Applicability of international law to cyberspace

European Union

United States

Austria

Finland

Singapore

Nigeria

International law, including UN Charter, applies to cyberspace

Existing international law is sufficient, no need for new binding norms

International humanitarian law applies to cyber operations in armed conflicts

Human rights must be protected both online and offline

Need to clarify how specific rules of international law apply to cyber context

Importance of state sovereignty in cyberspace

There is broad agreement that existing international law, including the UN Charter, international humanitarian law, and human rights law, applies to cyberspace. However, there are differing views on whether new norms are needed and how specific rules should be applied.

Importance of capacity building

Fiji

Albania

Malawi

Need for capacity building to enable states to participate in international law discussions

Need for capacity building on applying international law to cyberspace

Importance of benchmarking and learning from other countries’ implementation

Multiple speakers emphasized the need for capacity building to enable all states, particularly developing countries, to effectively participate in discussions and implement international law in the cyber context.

Similar Viewpoints

Both countries emphasize the sufficiency of existing international law and support voluntary implementation measures rather than new binding norms.

United States

Australia

Existing international law is sufficient, no need for new binding norms

Voluntary checklist is useful tool for norms implementation

These countries support structured, in-depth discussions on international law in cyberspace, either through scenario-based exercises or dedicated thematic groups in a future mechanism.

Austria

El Salvador

Egypt

Scenario-based discussions useful for developing shared understandings

Support for dedicated thematic groups on international law in future mechanism

Future mechanism should provide space for substantive debates on international law

Unexpected Consensus

Importance of regional initiatives

European Union

Nigeria

Malaysia

International law, including UN Charter, applies to cyberspace

Importance of state sovereignty in cyberspace

Importance of regional initiatives in advancing norms implementation

Despite representing different regions and sometimes having divergent views, these speakers all emphasized the value of regional initiatives in developing common understandings and implementing norms, showing unexpected alignment on the importance of regional approaches.

Overall Assessment

Summary

There is broad agreement on the applicability of international law to cyberspace, the need for capacity building, and the value of structured discussions on international law. However, disagreements persist on the need for new norms and the specific application of certain legal principles in the cyber context.

Consensus level

Moderate consensus on general principles, with significant divergences on specific issues. This implies that while there is a common foundation for discussions, substantial work remains to be done in clarifying and agreeing on the details of how international law applies in cyberspace.

Disagreement Points

Need for new legally binding norms specific to ICTs

Belarus

United States

European Union

Need for new legally binding norms specific to ICTs

Existing international law is sufficient, no need for new binding norms

International law, including UN Charter, applies to cyberspace

Belarus advocates for new legally binding norms for ICTs, while the US and EU argue existing international law is sufficient and applicable to cyberspace.

Applicability of international humanitarian law to cyberspace

Austria

Islamic Republic of Iran

International humanitarian law applies to cyber operations in armed conflicts

Difficulty in automatically applying international law principles to ICTs due to technical challenges

Austria asserts that IHL applies to cyber operations in armed conflicts, while Iran argues that technical challenges make it difficult to automatically apply international law principles to ICTs.

Unexpected Disagreements

Inclusion of international humanitarian law in OEWG reports

El Salvador

Islamic Republic of Iran

Support for dedicated thematic groups on international law in future mechanism

Difficulty in automatically applying international law principles to ICTs due to technical challenges

While many states support discussing IHL in the context of cyberspace, Iran’s strong opposition to automatically applying international law principles to ICTs, including IHL, is somewhat unexpected given the general trend towards acknowledging IHL’s relevance.

Overall Assessment

Summary

Main areas of disagreement include the need for new legally binding norms, the applicability of existing international law (particularly IHL) to cyberspace, and the approach to clarifying how international law applies in the cyber context.

Disagreement level

The level of disagreement is moderate to high, with significant implications for the development of international law in cyberspace. These disagreements could hinder progress in establishing a universally accepted legal framework for state behavior in cyberspace, potentially leading to increased uncertainty and risk of conflicts.

Partial Agreements

These speakers agree on the need for clarification of international law in cyberspace, but focus on different aspects: state responsibility, specific rules, and sovereignty thresholds.

United States

Singapore

Egypt

Need to clarify rules on state responsibility for cyber operations

Need to clarify how specific rules of international law apply to cyber context

Questions remain on thresholds for violations of sovereignty

Similar Viewpoints

Both countries emphasize the sufficiency of existing international law and support voluntary implementation measures rather than new binding norms.

United States

Australia

Existing international law is sufficient, no need for new binding norms

Voluntary checklist is useful tool for norms implementation

These countries support structured, in-depth discussions on international law in cyberspace, either through scenario-based exercises or dedicated thematic groups in a future mechanism.

Austria

El Salvador

Egypt

Scenario-based discussions useful for developing shared understandings

Support for dedicated thematic groups on international law in future mechanism

Future mechanism should provide space for substantive debates on international law

Key Takeaways

There is broad agreement that international law applies to cyberspace, but disagreement on specifics and whether new binding norms are needed

Many states emphasize the applicability of international humanitarian law to cyber operations in armed conflicts

Capacity building on international law is seen as crucial to enable all states to participate meaningfully in discussions

There is growing support for scenario-based discussions to develop shared understandings of how international law applies in practice

Regional initiatives and positions are playing an important role in advancing norms implementation and shared understandings

Many states support having dedicated discussions on international law in a future permanent mechanism

Resolutions and Action Items

Continue discussions on specific areas of international law identified in paragraph 39 of the third Annual Progress Report

Reflect the group’s discussions on international humanitarian law in the final OEWG report

Consider improving the voluntary checklist for norms implementation based on suggestions made by delegations

Involve legal advisors more in future discussions on international law in cyberspace

Unresolved Issues

Whether new legally binding norms specific to ICTs are needed

How to address attribution challenges in cyberspace

Specific thresholds for violations of sovereignty in cyberspace

How to balance freedom of expression with combating misinformation online

Exact content of due diligence obligations for states in cyberspace

How to reflect divergent views on international law applicability in the final report

Suggested Compromises

Focus on implementation of existing norms while remaining open to discussions on potential new norms

Use agreed language from previous consensus documents as basis for voluntary checklist

Acknowledge discussions on international humanitarian law in final report without full elaboration

Structure future mechanism to allow for both implementation focus and continued substantive debates on international law

We need to find a way to move forward on each aspect of the agenda, so we can’t be static in this agenda item. That is what I want to leave you with as a message. And if we are not to remain static, if we are to take a step forward, what would that movement forward look like in terms of implementation of norms, in terms of a discussion on additional new norms?

Speaker

Chair

Reason

This comment challenged participants to think concretely about how to make progress, rather than just restating positions. It framed the discussion in terms of taking tangible steps forward.

Impact

It set the tone for subsequent speakers to focus on specific proposals and areas of potential agreement, rather than just reiterating established positions.

I am delighted to announce that the EU and its member states have published a declaration on a common understanding of the application of international law to cyberspace.

Speaker

European Union

Reason

This announcement of a major new regional position statement introduced an important new development into the discussion.

Impact

It demonstrated growing consensus among a large bloc of countries and provided a concrete example of progress in articulating how international law applies to cyberspace. Several subsequent speakers referenced this declaration as a positive development.

The fact that a few states argue, whether due to misunderstanding or for some political reason, that international law may not apply to the use of ICTs, or that acknowledging the existence and applicability of IHL would somehow justify the use of force in violation of the UN Charter, should not make us afraid to have a report that reflects the reality of our discussions.

Speaker

United States

Reason

This comment directly addressed and challenged the arguments of some states against including references to international humanitarian law in the report.

Impact

It brought underlying disagreements to the forefront and argued for accurately reflecting the content of discussions, even if consensus was not reached. This pushed back against efforts to exclude certain topics from the report.

Amalgamating international law, voluntary norms, and confidence-building measures under the ill-defined umbrella of so-called responsible state behavior undermines the sanctity of international law.

Speaker

Islamic Republic of Iran

Reason

This comment raised fundamental objections to how international law was being framed in relation to other concepts like norms and confidence-building measures.

Impact

It highlighted ongoing disagreements about the relationship between binding international law and other voluntary measures or norms. This pushed back against the framing used by many other states and reintroduced controversy into areas where consensus seemed to be emerging.

Overall Assessment

The discussion revealed growing consensus among many states on how international law applies to cyberspace, as evidenced by regional declarations and calls to reflect these discussions in the final report. However, fundamental disagreements persist with some states objecting to how international law is being framed or applied. The Chair’s call to focus on concrete steps forward helped structure the discussion, but tensions remain between those pushing to codify emerging understandings and those resisting what they see as premature conclusions or inappropriate framing of international law issues.

How can the voluntary checklist of practical actions for norms implementation be improved?

Speaker

Multiple delegations including UK, Bangladesh, Ireland

Explanation

Several countries suggested additions or improvements to the checklist to make it a more effective tool for implementing norms

What new norms may be needed to address emerging threats and technologies?

Speaker

China, Brazil, Singapore

Explanation

Some countries argued for considering new norms in areas like data security, supply chain security, and AI, while maintaining existing norms

How can capacity building efforts on international law and norms implementation be enhanced?

Speaker

Multiple delegations including Singapore, Egypt, Malawi

Explanation

Many countries emphasized the need for more capacity building, especially for developing countries, to enable effective participation in discussions and implementation

How does international humanitarian law apply specifically to cyber operations in armed conflicts?

Speaker

Multiple delegations including EU, El Salvador, Austria

Explanation

Several countries called for more detailed discussion on how IHL principles apply in the cyber context during armed conflicts

What are the specific mechanisms for applying general principles of international law to the unique attributes of the ICT environment?

Speaker

Islamic Republic of Iran

Explanation

Iran argued that while international law principles apply, their application is not straightforward in cyberspace and requires further elaboration

How can states develop a common understanding on attribution of cyber attacks?

Speaker

Islamic Republic of Iran

Explanation

Iran highlighted the challenges of attribution in cyberspace and called for agreed definitions and technical mechanisms for identifying attack sources

What specific legal gaps exist in international law regarding cyberspace that may require new binding obligations?

Speaker

Islamic Republic of Iran, Non-Aligned Movement countries

Explanation

Some countries argued for exploring new legally binding instruments to address perceived gaps in existing international law for cyberspace

How can scenario-based discussions be used to develop more granular understanding of international law application in cyberspace?

Speaker

Singapore, Austria

Explanation

Some countries suggested using hypothetical scenarios to explore practical application of international law principles in realistic situations