Dedicated stakeholder session (in accordance with agreedmodalities for the participation of stakeholders of 22 April 2022)

Summary

This discussion focused on confidence-building measures (CBMs) in cybersecurity, particularly the Global Points of Contact (POC) Directory. The Chair announced that 111 countries have joined the directory and emphasized the importance of increasing participation to near-universal levels. Several countries, including Russia, the EU, and the UK, highlighted the progress made in implementing CBMs and stressed the need for further operationalization.

Key points included the importance of regional cooperation, information sharing, and capacity building in enhancing cybersecurity. The EU emphasized the value of learning from regional experiences and creating synergies between regional and global efforts. Several countries, including El Salvador and South Africa, proposed specific measures to enhance the protection of critical infrastructure and improve the implementation of CBMs.

The discussion also touched on the challenges in implementing CBMs, with Iran proposing a new measure to facilitate unhindered access to secure ICT markets. The UK shared its efforts in developing tools to raise the resilience of critical national infrastructure internationally. Many participants emphasized the role of the private sector and the importance of public-private partnerships in addressing cybersecurity challenges.

The session concluded with calls for continued cooperation, information sharing, and capacity building to enhance trust and stability in cyberspace. Participants agreed on the need to further operationalize the Global POC Directory and integrate CBMs into the future permanent mechanism for cybersecurity discussions at the UN level.

Keypoints

Major discussion points:

– Operationalization and expansion of the Global Points of Contact Directory for cybersecurity incidents

– Implementation of confidence-building measures (CBMs) in cyberspace at global and regional levels

– Capacity building initiatives to support countries in implementing CBMs and joining the POC Directory

– Proposals for additional CBMs, including on critical infrastructure protection and ICT supply chain security

– Integration of CBMs into the future permanent mechanism on cybersecurity at the UN

Overall purpose:

The purpose of this discussion was to review progress on implementing confidence-building measures in cyberspace, particularly the Global POC Directory, and to gather input on further operationalizing and expanding CBMs as part of the UN’s work on cybersecurity.

Tone:

The overall tone was constructive and collaborative, with countries sharing their experiences implementing CBMs and offering suggestions to improve global cooperation. There was broad support for expanding participation in CBMs, though some tensions emerged briefly when discussing regional conflicts. The Chair maintained a positive, action-oriented tone throughout, encouraging concrete proposals and emphasizing the importance of inclusivity and partnership.

Speakers

– Chair: Presiding over the meeting

– Hitachi America: Representative from Hitachi America

– National University of Singapore – Centre for International Law: Representative from the Centre for International Law

– Crest International: Representative from Crest International

– GSM Association: Representative from the Global Mobile Industry Association

– Write Pilot: Medina Ali, President and CEO of Safe-eC Solutions

– RSIS – Center of Excellence for National Security: Representative from Singapore

– Fundación Carisma: Representative working on digital rights and digital security

– Global Partners Digital: Representative

– Global Cyber Alliance: Philip Reitinger, President

– SafePS solutions: Adina Ali, President and CEO

– Diplo Foundation: Vladimir Adunovic, Representative

– Youth for privacy: Shivani Sundaresan, Representative

– Center for Humanitarian Dialogue: Representative focusing on cyber mediation and confidence building

– European Union Institute for Security Studies: Representative

– Red en Defensa de los Derechos Digitales: Francia Pietra Santa Valdaso, Representative

– Portugal: Representative

– France: Representative

– Israel: Representative

– Ghana: Representative

– Viet Nam: Representative

– Australia: Representative

– Sierra Leone: Representative

– ICRC: Representative

– Benin: Representative

– Lebanon: Representative

– Russian Federation: Representative

– European Union: Representative

– Islamic Republic of Iran: Representative

– United Kingdom: Representative

– Bosnia and Herzegovina: Representative

– Fiji: Representative

– El Salvador: Representative

– Italy: Representative

– South Africa: Representative

Additional speakers:

– Nigeria: Mentioned as part of the Africa Group statement

– Kazakhstan: Mentioned as expressing concern about IoT security

– Cuba: Mentioned as addressing sensitive points

– Egypt: Mentioned as touching on capacity building

Revised Summary of Cybersecurity Confidence-Building Measures Discussion

Introduction:

This discussion focused on confidence-building measures (CBMs) in cybersecurity, with particular emphasis on the Global Points of Contact (POC) Directory. The session covered key topics including the expansion of the POC Directory, regional and cross-regional cooperation, information sharing, capacity building, and the application of international law to cyberspace.

Global Points of Contact Directory:

The Chair announced that 111 countries have joined the directory and stressed the importance of increasing participation to near-universal levels. Plans were outlined for a second ping test in December 2024 and a simulation exercise in 2025 to further operationalize the directory. South Africa suggested standardized templates to enhance the directory’s effectiveness.

Confidence-Building Measures:

1. Regional and Cross-Regional Efforts:

– The European Union highlighted how regional CBM initiatives complement global efforts, with several speakers mentioning the OSCE CBMs as an example.

– A cross-regional group of Confidence Builders was noted for their work on information sharing.

2. Information Sharing:

– Fiji emphasized that information sharing contributes to cybersecurity and stability.

– The Russian Federation stressed the importance of the Global POC Directory as a key CBM for information exchange.

3. Critical Infrastructure Protection:

– El Salvador proposed specific CBMs related to critical infrastructure protection, including establishing national contact points and sharing best practices.

– Italy noted that public-private partnerships enhance cyber resilience, particularly for critical infrastructure.

Application of International Law to Cyberspace:

There was general agreement on the applicability of international law to cyberspace, though interpretations varied:

– The ICRC stressed that international humanitarian law applies to cyber operations in armed conflicts.

– Israel acknowledged that international law provides a framework for cyber stability but suggested it may need clarification.

– Australia proposed scenario-based exercises to build understanding of international law application in cyberspace.

A brief debate between Lebanon and Israel highlighted ongoing geopolitical tensions in discussions of international law and cyberspace.

Capacity Building:

Several speakers emphasized the importance of capacity building in relation to CBMs and the Global POC Directory:

– Ghana highlighted the need for support to help developing countries engage in international law discussions.

– South Africa stressed how capacity building supports the implementation of CBMs.

– Benin emphasized the need for capacity building to address cyber threats in developing countries.

Key Agreements and Unresolved Issues:

Agreements:

1. The importance of expanding and operationalizing the Global POC Directory.

2. The value of regional and cross-regional cooperation in enhancing cybersecurity.

3. The applicability of international law to cyberspace, with recognition that further clarification may be needed.

4. The critical role of capacity building in supporting CBM implementation.

Unresolved Issues:

1. Specific application of international law principles in cyberspace.

2. Balancing national sovereignty concerns with international cooperation.

3. The potential development of additional legally binding instruments for cybersecurity.

Conclusion:

The discussion demonstrated progress in cybersecurity cooperation, particularly through the Global POC Directory and regional CBM initiatives. However, it also highlighted the need for continued dialogue to address remaining differences in the practical application of agreed-upon principles. The session concluded with calls for increased participation in the Global POC Directory, enhanced information sharing, and continued capacity building efforts to strengthen trust and stability in cyberspace.

Additional Notes:

– The European Union suggested the creation of thematic working groups in the future permanent mechanism for cybersecurity discussions at the UN level.

– While stakeholder engagement was mentioned, it was not a primary focus of the discussion.

Chair: In accordance with our program of work, we will now begin the dedicated stakeholder session which is being convened in accordance with our agreed modalities for the participation of stakeholders as agreed in April 2022. I want to thank all the stakeholders for joining us in person and also the various delegations for joining and participating in this session. I also want to say that the dedicated stakeholder session has always been an important and integral part of the work of the Open-Ended Working Group and it provides an opportunity for all delegations to hear the views of the stakeholders and it also allows the stakeholders to give some of their views on the topics that have been discussed over the last few days and perhaps over the next two days. I want to also take this opportunity to thank the stakeholders for their continuing engagement in this process. You have been very active in this process by making your ideas and contributions as part of our discussions here. I would also encourage you to continue to remain engaged but also reach out to the delegations, talk to them and likewise I would encourage the delegations to reach out and talk to the stakeholders. What we have under the current Open-Ended Working Group are the beginnings of an arrangement that has created an opportunity for stakeholders to participate and contribute to our work. And of course, we need to build on what we have learned in this process, build on the arrangements that we have agreed to in order to enhance further the participation of stakeholders in the future permanent mechanism. So without further ado, I intend to open the floor now to give the stakeholders an opportunity to speak. But as the stakeholders would know, we are operating under a time pressure. So unfortunately, we’ll have to put a time limit of a time limit of three minutes. I know it’s not very pleasant to be cut off, but the microphones will automatically go off. I’m advised. So to the stakeholders, thank you very much. We’ll start with the list that is before me. So we’ll start with Hitachi America to be followed by Center for International Law of Singapore.Hitachi America, please.

Hitachi America: Thank you, Mr. Chair, for holding this dedicated stakeholder segment. I’m honored to be here today. Hitachi group supplies and serves critical infrastructure and critical information infrastructure, including energy, health care, transportation, water, while innovating positive use of AI, quantum and fusion nuclear for improving human lives every day in the world. First, as a stakeholder, we can contribute to capacity building and the norms operationalization with evolving checklist for future permanent mechanism. Collaborating with international stakeholders and member states under auspices of the United Nations. We need a baseline plan with multi-stakeholder scheme for global human-centric ICT for peace, safety, security, and resilience, identifying resources, prioritizing initiatives. I recognize that Global Digital Compact already identified key security issues, such as AI security objective 5, environment in SDGs goals 13, 7, 8, 9, 15. Of course, global roundtable and web portal are great capacity-building measures. Second, we would provide best practices for global supply chain, addressing risks and vulnerabilities by sector by sector. Digitally enabled critical infrastructure with operational technology can bring positive use of AI while preventing abuse and misbehavior by AI. We should consider continuous research and development for new technology innovations. Third, for developing countries, small states, and companies, we should create a mechanism to share practical use cases, for instance, security by design, zero-trust architecture, to address resources limitation. Also, stakeholders contributing should be recognized with level of trust and standards. Finally, it is essential to keep consistent communication and promotions with vision, mission, incentives, and progress of concrete results among stakeholders and member states. To conclude, international public-private partnerships are key for common human-centric goals for peace, safety, security, working together. Thank you very much, Mr. Chair.

Chair: Thank you very much, Hitachi America, and top marks to you for keeping within the time limit. No pressure on the next speaker, Centre for International Law. Over to you.

National University of Singapore -Centre for International Law : Thank you, Chair. On behalf of the Centre for International Law, we thank you for the opportunity to engage in the discussions of the OEWG. We are encouraged by State’s interventions this week, which indicate a healthy appetite and indeed a hunger to engage in deeper dialogue on the non-exhaustive list of topics referenced in paragraph 39 of the 3rd Annual Progress Report, such as on the issue of thresholds. Several delegations have also emphasised the need for discussions on the application of the identified principles in the context of cyber operations affecting critical infrastructure, electoral processes, cyber-enabled misinformation, disinformation campaigns, as well as emerging issues like the cyber-AI nexus. This is with a view to reaching a common understanding on how international law applies, identifying gaps if any in interpretation, as well as in the international legal framework. In this regard, I am pleased to share information on recent initiatives which can support States in this journey. In September this year, we supported the 3rd Annual Symposium on Cyber and International Law on the theme of Cyber and Information Conflicts, the International Law Implications of Convergence. This symposium explored the implications of the evolving realms of information conflict with the attendant convergence of cyber and information operations. This raises critical questions across the spectrum of war and peace, including, among others, the law of state responsibility and international human rights. The recording of this session is expected to be available on the conference website in due course and offers a useful resource for States. In October, in collaboration with the University of Exeter, we also hosted a closed-door regional workshop on the practical aspects of developing national positions on the application of international law, which some have prescribed as the high-end book project. Turning to the subject of regular institutional dialogue, the Centre for International Law is committed to continue to engage constructively and contribute meaningfully to the process, in particular on the question of how international law… applies to the use of ICTs by states, while fully respecting that it is for states to evaluate the inputs provided and to decide thereafter. We are very appreciative of the dedicated stakeholder sessions that have been arranged over the course of the OEWG sessions. And as this meeting evolves to a future permanent mechanism, it is perhaps timely to also reflect on how the stakeholder engagement process can also evolve. And to this end, we support calls by others that stakeholders be permitted to intervene in a thematic manner in line with the permanent mechanism in the future, and this will enable us to offer timely and ultimately more impactful and effective inputs to the thematic issues at hand. And equally important, the formats will, in our view, better position delegations and stakeholders to engage dynamically in a more inclusive and interactive manner. We appreciated that this may call for innovative meetings, structures, but we are confident that in your good hands this can be achieved. In the interest of time, I will leave the rest of the statement to delegations reading, which will be uploaded. Thank you, Chair.

Chair: Thank you very much, CIL, for your contribution and also for keeping within the time limit. Crest International, please.

Crest International: Distinguished Chair and Delegates, on behalf of Crest International, may I welcome the Chair’s continued commitment to stakeholder engagement. Crest is a not-for-profit which brings 18 years’ experience of building trust in the digital world. It works with governments and regulators to advance the capacity and capability of cyber service providers and professionals through standard setting and quality assurance. Bearing in mind the Chair’s guiding question requesting additional views from states relating to the development of the norms of responsible state behaviour, and the references in paragraph 31 of the OEWG’s third annual progress report to the importance of regulatory guidelines for protection of critical infrastructure, the critical role of the private sector in securing the integrity of the supply chain. the encouragement of the private sector to play its role in improving security, and the further development of the norms of responsible state behavior, we continue to urge the OEWG to consider promoting minimum standards for the security of critical infrastructures, and harmonizing international certification frameworks to support the creation of trusted pools of cybersecurity service providers and professionals globally to give operators confidence in the quality of services. And noting the Chair’s request for proposals for specific dedicated thematic groups that could be established as part of the Future Permanent Mechanism, CREST would be delighted to join stakeholder working groups focused on these areas to coordinate activities and engagement with the Future Permanent Mechanism and develop collaborative, action-oriented, and experience-based proposals. Please may I take the opportunity afforded by this meeting to ask any OEWG stakeholders who may be interested in working with CREST in these areas to get in touch so that we can start to coordinate our efforts. Noting the Chair’s request for examples of concrete, action-oriented capacity-building initiatives that advance international cooperation, I draw the OEWG’s attention to our Cyber Accelerated Maturity Program, or CREST-CAMP. This enables cybersecurity service providers seeking to improve their maturity and quality to self-assess against CREST’s internationally recognized standards and receive donor-funded mentoring from CREST members to fill the gaps identified. The first cohort of CREST-CAMP is underway, funded by the UK government, with 32 service providers from 11 countries in Europe, Africa, the Middle East, and Southeast Asia, and we’re about to launch a second cohort with funding from an alternative donor. In conclusion, CREST is committed to supporting the OEWG’s goals and priorities through its ongoing efforts in standard-setting, capacity-building, and stakeholder engagement, and we look forward to continued collaboration with states and governments. stakeholders. Thank you, Mr. Chair.

Chair: Thank you, Crest International. GSM Association.

GSM Association: Mr. Chair, distinguished delegates, thank you for the opportunity to contribute. I represent GSMA, the Global Mobile Industry Association, uniting operators and connectivity providers across the entire mobile ecosystem. This week, member states have highlighted the potential of digital technologies for socioeconomic progress, alongside valid concerns about security threats to governments, companies, and citizens. A safe, resilient, and secure digital space is a global necessity and a shared objective for governments and the industry I represent. As connectivity becomes fundamental to our daily lives, many countries consider mobile networks to be critical national infrastructure. Constant technical scrutiny and investment by operators are necessary to manage threats and protect our infrastructure. Regulation plays an important role in securing the digital space. We encourage greater alignment among regulatory frameworks to avoid fragmentation and enhance effectiveness. While regulation is necessary, it is not sufficient. Due to its complexity, cybersecurity is a shared responsibility across the digital value chain. Not one sector alone can effectively secure the digital space in its multiple and evolving dimensions. We encourage greater cross-sector cooperation as well as open and inclusive dialogue on this critical matter. Active public-private collaboration will allow governments to leverage innovation, agility, and technical expertise of industry. to complement regulatory efforts. GSMA is ready to partner with member states and other stakeholders. Concretely, our well-established capacity-building program has a strong record in equipping public officials around the world with state-of-the-art expertise on different aspects of the mobile ecosystem, including security, privacy, and data issues, among many others. We look forward to working with all of you member states and other stakeholders in these shared priorities. Thank you.

Chair: Thank you, GSMA. Wright-Pilot, please.

Write Pilot: Good afternoon. Good afternoon, honorable chair, distinguished delegates, and colleagues. On behalf of Wright-Pilot, Awaf and Nimri, I am going to speak on behalf and give the statement today. I am Medina Ali, the president and CEO of Safe-eC Solutions. Currently, Wright-Pilot is proudly delivering the Air Women in Cyber Diplomacy Fellowship Program. This initiative has successfully sponsored three Iraqi women nominated by their national authorities, providing them with training in Arabic that is focused on the essential workings of the UN’s first and third committees. In collaboration with my company, Praxis AI, and the Global Forum on Cyber Expertise, GFCE, we have recently hosted a webinar on cybersecurity awareness training, which is built on a generative AI platform. And we were glad to have the Air Women in Cyber Diplomacy Fellows join the webinar and currently join the program. The program includes a Module 8. which is dedicated to the work that we’re currently doing with the United Nations OWEG on ICT security. Also, along with the training, there is an avatar called Superhero Aili, and that assists the students through the training. The initiative unites a diverse array of stakeholders under the influential gravitational pull of the GFCE, striving to fulfill the commitments outlined in the ACRA call. As a result, we aim to foster a common understanding, provide targeted knowledge resources relevant to the UN OWEG’s work, and tailor our activities to specific needs of Arab women, all in accordance with the principles of Cyber Capacity Building, CBB. In response to your inquiry regarding further actions to support the integration of capacity-building principles in programming activities, we advocate for the establishment of a link between these principles and the proposed voluntary fund. As we address challenges women from the Middle East face in understanding how to navigate the UN financial instruments, we welcome integration of concerns by Middle Eastern and Arab women into UN activities, particularly by providing access to gender response development initiatives such as those led by…

Chair: Thank you very much, Wright Pilot. I’m sorry that you had to be cut off, but do be assured that you can send us your statement. We’ll put it on the website. Thank you very much for your understanding. Center of Excellence for National Security, please. Thank you.

RSIS – Center of Excellence for National Security: Thank you, Chair. Our remarks today addresses the future of regular institutional dialogue. We would like to thank you, Chair, for your efforts to continue including all stakeholders in the conversation throughout this OEWG process, both in formal and informal formats, in the face of tough political situation around the world. As stakeholders, we remain committed to contribute to the OEWG process, even though States have often not accepted stakeholders’ input into the Annual Progress Reports. We therefore urge States to protect stakeholder involvement in future permanent mechanisms in an inclusive, deliberate and meaningful manner. We recognise that States have the vote, but we hope they will also continue to hear our voice in the future permanent mechanism. We would like to in particular address your question on the expansion of the active engagement and participation of all stakeholders in the future permanent mechanism, including facilitating the increased participation of stakeholders from developing countries and small States. All stakeholders have felt the financial strain to attend multiple plenary meetings in New York, but have continued to attend because we feel that it is important to contribute to the dialogue over responsible State behaviour in the use of ICTs. Developing countries and small States feel this strain even more so. To improve this state of affairs, we have six suggestions to make. First, carry over the current accredited list of stakeholders from this current process into a future permanent mechanism for continuity with the current OEWG process, while reforming the accreditation process to allow more stakeholders to participate. Second, hold a single annual stakeholder meeting, a duration of three days to one week, with thematic leaders facilitating discussions. Preferably, append it to the substantive plenary sessions and vision in the elements paper. Third, allow stakeholders to participate remotely in this single annual stakeholder meeting if they cannot afford to come in person. Fourth, invite selected accredited stakeholders to brief the state’s plenary session with the findings from this meeting. Fifth, urge regional and sub-regional organizations to establish separate thematic study groups and cross-regional best practice events with stakeholders to discuss issues with regional contacts and feed the findings back to the substantive meetings. And sixth, upload the findings from all these meetings to the upcoming e-portal of the Future Permanent Mechanism to benefit all states and stakeholders. We thank you for your time, Chair.

Chair: Thank you very much, Centre of Excellence for National Security, Singapore. I give the floor now to Fundación Carisma.

Fundación Carisma: Mr. Chairman, thank you for steering this working group and thank you for giving me the opportunity to speak today. I represent the Carisma Foundation. We work to promote digital rights and we have a laboratory for digital security. We support the role that has been given to various stakeholders in the third annual report and we invite states to continue working with all stakeholders. We would like to stress the need for the working group and the Future Permanent Mechanism to address cyber security from an approach that includes how it is affecting citizens. Although we’ve discussed AI, the Internet of Things, and the vulnerability of supply chains, the principal approach has been to take a macro approach focusing on major infrastructure or state security, but these technologies have a real impact on citizens’ lives. The use of AI to create deep fakes and to scam people on the Internet is affecting millions of people throughout the world, and the vulnerabilities in common use technologies can affect people in their real lives. These are risks that need to be looked into. Current policies on cyber security end up leaving the burden on the final user, ultimately the weakest link in the chain. Users have the responsibility to take necessary measures to avoid becoming a victim of a cyber attack. The use of safe passwords and dual-factor authentication and VPNs are all positive measures, but they’re not enough to protect people. We’re talking about a major burden that people have to bear, people who may struggle as a result of their age or language or a lack of knowledge on a particular subject. We need to rethink how we deal with these issues, because states are not the main victims of cyber attacks, it’s people as a result of the failure of basic infrastructure or as a result of a direct attack. So we need to focus on protecting people first and foremost. We have mentioned that cyber security needs to uphold people’s rights. We need to think about the impact of technology on final users, and we need to think about a human rights approach in the risks that there are within the supply chain. Thank you.

Chair: Thank you very much. Global Partners Digital, you’re next.

Global Partners Digital: …for this valuable opportunity to share our views. Given the critical juncture we are at, I would like to focus my comments on the contributions of… stakeholders and regular institutional dialogue. Chair, distinguished delegates, it is heartening to hear the considerable support for prioritizing the contribution of stakeholders within the new permanent mechanism. As reflected in a non-paper by a group of states entitled, Stakeholders Contributing to Multilateral Cybersecurity Discussions, stakeholders are at the center of cyberspace. They perform vital roles, operating and defending the infrastructure, providing practical guidance on the implementation of the norms or the application of international law, contributing real-world understanding, and bringing the wider community around implementation. GPD has contributed to such efforts by undertaking research, developing toolkits, and offering other forms of guidance. While no one disputes that the new mechanism will be state-led, many, if not all, aspects of the implementation of the framework require stakeholders and the data and expertise which is uniquely held by the stakeholder community. This is why it is vital that capacities for stakeholder engagement be embedded in the future mechanism, to ensure it is both credible and implementable in the real world. As the group considers the design of the future mechanism, we recommend that the following principles be prioritized. First, that modalities be predictable and guided by principles of openness, inclusivity, and transparency. Every effort should be made to avoid a single veto power in favor of a more transparent and accountable voting process. Useful lessons may be drawn from other first committee processes, like the Ad Hoc Committee on Cybercrime and the OEWG on Aging, while noting that these modalities should be understood as a baseline. Second, that stakeholders be enabled to engage in all institutional layers of a new mechanism. We are supportive of proposals to develop thematic working groups and intersessional work streams. as these could allow for a deeper level of discussion and dialogue. However, the integration of such groups or work streams should not result in the exclusion of stakeholders from plenary discussions, where it is vital that we can also follow discussions to ensure our contributions are relevant and timelier. Third, that stakeholders be enabled to represent ourselves in all our diversity to ensure that different views can be heard and contribute to state deliberations. This is particularly important to ensure that lesser-resourced stakeholders are not excluded from discussions and their unique perspectives lost. Fourth, and finally, that hybrid modalities be ensured and sponsorship programmes prioritised to facilitate greater participation, including by addressing visa barriers.

Chair: Thank you very much, Global Partners. Global Cyber Alliance, please.

Global Cyber Alliance: Thank you, Honourable Chair, distinguished delegates and stakeholders. My name is Philip Reitinger, and I am the President of the Global Cyber Alliance. GCA is an international non-profit that is focused on delivering a secure, trustworthy Internet that enables social and economic progress for all. Thank you for the opportunity to present. We commend the efforts of the OEWG to promote a secure and stable cyberspace through dialogue, collaboration, and mutual trust. On behalf of the Common Good Cyber Secretariat, I would like to draw attention to an essential pillar of the global cybersecurity community, the role of non-profit organizations in building capacity and protecting everyone online. Non-profit organizations tirelessly work behind the scenes to safeguard the Internet and high-risk communities, often with minimal resources. The roles played by these organizations are many. Non-profits provide neutral platforms. for diverse stakeholders, including governments, industry, and civil society, to collaborate effectively on addressing systemic cybersecurity challenges. Nonprofits play a key role in innovating and scaling practical cybersecurity solutions that address global needs, allowing under-resourced government agencies, small businesses, and civil society organizations to operate safely and securely. Nonprofits are deeply involved in building cyber resilience, particularly in developing countries and underserved communities, and guided by principles of the common good, nonprofits champion ethical approaches to cybersecurity. Examples include the GCA Cybersecurity Toolkit for Mission-Based Organizations, which offers a collection of free-to-user resources removing the financial barrier for cybersecurity solutions. Another example is the CyberPeace Institute’s CyberPeace Builders, which matches technical needs with expertise, removing the barrier to a skilled workforce. In light of these contributions, a coalition of cybersecurity nonprofits launched the Common Good Cyber Initiative to ensure that the role of nonprofits is adequately recognized, leveraged, and supported within the global ecosystem. You can learn more about that at commongoodcyber.org. This Friday, on December 6, 2024, the Global Cyber Alliance in Chile will convene the OEWG community at a side event, The Role of Nonprofits in Cybersecurity, between 1315 and 1430 at CR7. Lunch will be provided from 1230 to 1315 at the Vienna Cafe. We welcome all stakeholders to attend and learn more about these issues in detail. Thank you.

Chair: Thank you very much, Global Cyber Alliance, for your statement and also for your invitation. Safe PC solutions, you’re next.

SafePS solutions: Thank you, Chair, for giving me the opportunity to speak on my views at the OWEG 9th Substantive Session. In response to the guiding question on threats under Annex B and threats due to risk because of the utilization of deepfakes within generative AI, allow me, Mr. Chair, to note that these tools are being used by countries who have played a role in interference in the recent U.S. elections. While these carry great risk, generative AI can also be used to detect cybersecurity threats. For example, enhanced threat detection. Generative AI models can stimulate various cyberattacks, helping security teams anticipate potential risk and refine their incident response protocols. This leads to faster detection and more efficient responses to cyberthreats. Currently, there’s not enough knowledge around generative AI, and there is, I’ve heard from several member nations, even stakeholders who are concerned about generative AI, and the only way we combat this is through education and proper education. In terms of the rules, norms, and principles of state behavior, I clearly agree with you that by July 2025, we need to take a step forward for the Voluntary Checklist for Practical Actions. And our focus has been really on capacity building, and also building alliances with other stakeholders, and currently, under our cybersecurity awareness pilot training, which is built on a generative AI platform, we are working with both public, private, and nonprofit organizations, where they’re providing feedback on our training. The countries that are currently in the pilot program are from the US, Iraq, Jordan, Karasau, and Haiti. Module eight of the training focuses on understanding the foundational capabilities of UN member nations. And we’ve incorporated how to utilize the UNIDIR cyber policy portal. And in 2025, we’re going to also be incorporating the civil knowledge policy, which has been created by GFCE. My call to action is very simple, is that all those that are interested in advancing capacity building and learning foundational capabilities in cybersecurity and generative AI, please contact us. Again, I’m Adina Ali, the president and CEO of SafePC Solutions. Thank you.

Chair: Thank you very much, SafePC Solutions. Diplo Foundation, please.

Diplo Foundation: Mr. Chair, distinguished delegates, colleagues, my name is Vladimir Adunovic. I represent Diplo Foundation, a nonprofit educational organization supporting small and developing countries, as well as various stakeholders in industry and civil society through capacity building in cyber diplomacy, cybersecurity, and internet governance topics for over 20 years. Mr. Chair, in terms of the norms implementation checklist, we would like to share some findings that have emerged through regular discussions in the Geneva Dialogue on Responsible Behavior in Cyberspace, an international process established by Switzerland and led by Diplo Foundation. The Geneva Dialogue involves relevant stakeholders from the private sector, civil society, academia, and technical community from across the globe to discuss the implementation of the agreed cyber norms. These findings include the challenges for the implementation of measures to protect critical infrastructure. One. While each country defines its own critical infrastructure, essential ICT services and infrastructure that underpin its functionality are not always considered critical, such as cloud services, submarine cables, or the ICT supply chain, including the open source components. Such interdependencies span across jurisdictions, provided and managed by the private sector or technical community, and used by critical infrastructure in multiple countries or regions. Incidents affecting these shared services can disrupt critical infrastructure in one or multiple countries or regions. There is a lack of international coordination in protecting these interdependencies in critical infrastructure, especially in sectors with regional and global impact. In this regard, cooperation among states with other non-state actors should be enhanced to better understand and map such critical interdependencies, identify related risks and jointly act upon them, and develop standardized risk-based security measures for critical infrastructure which are interoperable across jurisdictions. Two, increasing geopolitical tensions result in national and cybersecurity policies that introduce various restrictions to cooperation between cybersecurity experts, such as cybersecurity researchers, incident responders in securing cross-border ICT networks, and underpin critical infrastructure. Restrictions affect information sharing about threats, vulnerability disclosure, and incident response and force experts to take sides instead of collaborating. Consequently, risks for critical infrastructure are increasing and can harm anyone. In this regard, it’s worth reiterating the CBM section of the UN GGE 2015 report. States should seek to facilitate cross-border cooperation to address critical infrastructure vulnerabilities that transcend national borders.

Chair: Thank you very much, Diplo Foundation. Youth for Privacy, please.

Youth for privacy: My name is Shivani Sundaresan, and I’m representing Youth for Privacy today. For our intervention, we first want to recap our side event yesterday titled Youth Voices Empowering the Next Generation for a Secure Digital Future, co-sponsored by the Nuclear Age Peace Foundation, Reverse the Trend, the Major Group for Children and Youth, and the Permanent Mission of CureBus. Our event highlighted cybersecurity initiatives that young people are doing to make the internet more secure and safe. In today’s interconnected world, vulnerabilities and ICTs can have far-reaching consequences, including unintended escalation of conflict, misinformation, and the disruption of critical infrastructure. Young people as digital natives are uniquely positioned to understand and solve these challenges and advocate for responsible technology use that minimizes these risks. This event showcased the achievements of Youth for Privacy’s fellowship program, which has empowered eight young ambassadors to design and implement privacy-focused projects in their schools and communities. Our fellows worked on projects such as documenting student experiences with privacy violations on college campuses and merging privacy and cybersecurity with traditional Hawaiian traditions to protect indigenous knowledge. In line with the OEWG’s focus on data security and capacity building, the event also explored the intersection of youth empowerment, privacy advocacy, and nuclear disarmament through a youth expert panel. These initiatives show that young people not only care about cybersecurity and privacy, but also have the capacity to play a role in making bottom-up changes within their communities. Thus, the topic of youth should be a part of the conversation of regional institution dialogues established, as well as the permanent mechanism. As we mentioned in our informal statement, we propose establishing a youth-focused thematic group as a part of the future permanent mechanism, which will engage directly with policymakers and tech companies advocating for youth-centered digital rights and developing actionable recommendations to enhance youth empowerment. enhance privacy protections for young people. This task force will also promote international collaboration on these issues, leading to enhanced capacity building and other critical initiatives. The thematic focus on youth is also in line with the principles of the Global Digital Compact regarding inclusivity. In conclusion, we call upon all stakeholders to unite in this mission to improve digital rights for youth. By working together, we can create a robust framework that not only protects, but also empowers the next generation of the digital world. Thank you.

Chair: Thank you very much, Youth for Privacy. Center for Humanitarian Dialogue, please.

Center for Humanitarian Dialogue: Thank you, Mr. Chair, for organizing this stakeholder session and for giving me the floor. I’m speaking on behalf of the Center for Humanitarian Dialogue, a non-profit private diplomacy organization acting from the principles of humanity, impartiality, neutrality, and independence. Our digital conflict program focuses on cyber mediation and confidence building. I’d like to take off on some of the questions that you’ve put before states regarding cyber confidence building. States hold the responsibility for maintaining international peace and security. Non-state stakeholders can only complement their efforts. Mediators, like the Center for Humanitarian Dialogue, cannot replace formal diplomacy and confidence building. Yet mediation is one of a range of diplomatic instruments. The UN Charter lists it among negotiation, conciliation, arbitration, and other peaceful means for the settlement of conflicts. By definition, confidence building happens in low-trust environments. It requires engaging with non-like-minded actors, which can be uncomfortable and potentially risky for governments. Non-state mediators can be useful to explore informally what diplomatic initiatives might make sense, to generate political interest, and also they can go where former mediators cannot due to lack of a mandate. In its mediation efforts, the Center for Humanitarian Dialogue is using multi-level engagement to build interest, test ideas, and foster reflections. For example, through workshops, tabletop exercises, and scenario-based discussions. We combine our engagement with unofficial interlocutors with shuttle diplomacy and consultations with formal authorities. All of this requires political buy-in, which and obtaining leaders’ attention. That can be a challenge, but it is essential for cyber-confidence building to succeed. I’d like to end by observing that there’s no quick fix for cyber-confidence building. Confidence is like a tree, it grows slowly, though it is felled quickly. If I can take the analogy into the sphere of legends and literature, in Tolkien’s world, the mediators would be like the ends, slow, determined, and deliberate. But sometimes they need to be agile, and they need to be also strong in taking setbacks. So I think they’re more like Tolkien’s hobbits, capable of amazing things. Thank you.

Chair: Thank you very much, Center for Humanitarian Dialogue. I certainly agree with you that each one of us here, especially all of you before me are capable of amazing things. So let’s get this done in July 2025. I give the floor now to the European Union Institute for Security Studies.

European Union Institute for Security Studies: Thank you, Honorable Chair, for giving me the floor. The UN OEWG is entering a crucial phase of its mandate. Over the years this forum has proven to be an invaluable space for perspicacious dialogue on the evolving challenges of cyberspace. However, as we approach its final cycle, we must turn our attention to shaping the future of global cyber governance. The European Union Institute for Security Studies, EUISS, has long recognized the importance of multilateral cooperation in addressing the evolving challenges of cyberspace. Chair, on Monday we had the privilege of hosting a side event on an action-oriented approach to the protection of critical infrastructure and critical information structure during major international events, with insights from delegates and experts alike. The discussion illustrated that there is not a one-size-fits-all solution to the protection of critical infrastructure and critical information infrastructure. This highlights the importance of a flexible approach that prioritizes international collaboration, innovation, and the sharing of knowledge and best practices, particularly with the multi-stakeholder community, to build collective cyber resilience. To this end, the EUISS welcomes the non-paper by Canada and Chile on enabling stakeholders to add value to state-led discussions in the future UN mechanism for cybersecurity. Chair, the dynamic, multifaceted, and borderless challenges of cyberspace require equally diverse, adaptive, and inclusive solutions. The latter should encompass diplomatic, policy, academic, and technical efforts aimed at promoting adherence to existing norms and international law. In this regard, the EUISS is proud to have supported the activities of the European External Action Service and European Union Member States delegates by fostering discussions and moments of reflection, which ultimately contributed to the Council of the European Union’s approval of the declaration by the EU and its Member States on a common understanding of the application of international law to cyberspace last month. To mark this milestone, we invite delegations to join us at a reception hosted at the EU Delegation. on Thursday evening, where we will formally present and share this declaration. Chair, a balanced approach where international law and norms provide the framework for stability and multi-stakeholder collaboration drives practical implementation is crucial for building resilience and trust in cyberspace. Under your leadership, Chair, the UN OEWG has built something incredibly valuable. Let us seize this opportunity to ensure that this platform evolves in a direction that reflects both the urgency of our challenges and the promise of collective action. I thank you for your attention.

Chair: Thank you very much, European Union Institute for Security Studies, for your contribution. The last speaker I have is the Red on Defensa de los Derechos Digital. You have the floor, please.

Red en Defensa de los Derechos Digitales: Thank you, Mr. Chair, for this opportunity to share our views. My name is Francia Pietra Santa Valdaso. I am representing R3D, Red en Defensa de los Derechos Digitales, a Mexican civil society organization that has defended human rights in the digital space for over 10 years through advocacy, research, and litigation. As this mandate approaches its conclusion next year, and with increasing calls for further discussion on the future mechanism and stakeholder participation, we urge the following. While the future mechanism will be state-led, there is a need to enable stakeholder engagement across all of its layers. We support proposals to develop thematic working groups and international work streams as they could foster more in-depth discussions and a two-way dialogue. However, it is necessary that this approach does not sideline stakeholder contributions. and actionable approaches developed by stakeholders can contribute to the future mechanism in the areas discussed throughout this mandate. For instance, R3D has been instrumental in advancing norm operational especially norm 5 on respecting human rights and privacy through the development of national and policy guidance, ensuring a rights-respecting approach and suggesting safeguards to protect these rights when implementing OEWG initiatives and cybersecurity policies at the national level. Regarding international law, R3D has promoted and developed guidance to understand application of the Inter-American Human Rights System. This system offers special protection for human rights such as freedom of expression and privacy and should be interpreted in conjunction with states’ broader international legal obligations in the region. On capacity building, R3D enhances the capacity of public interest groups to address emerging cyber threats effectively by conducting digital security workshops. This provides them with practical tools to enhance their resilience. In relation to threats, R3D has gathered factual evidence on malware and assessed specific cyber risks through a human-centric approach, focusing on threats targeting public interest groups including journalists and human rights defenders. Throughout the OEWG mandate, R3D has contributed to regular institutional dialogue by providing a global majority perspective and advocating for inclusive and equitable participation in these discussions. When building the rules and procedures for the new mechanism, clear, transparent, predictable rules, procedures, and modalities should be prioritized. There should also be focus on eliminating the negative impact on single bits of power. Thank you, Mr. President.

Chair: Thank you very much for your statement. Dear friends, this afternoon is a demonstration, in my view, of the value of listening to stakeholders. I think we’ve heard quite a lot of good ideas, very concrete suggestions, all put forward in a positive and constructive tone. And this reflects, I think, the commitment of the stakeholder community who have been engaged in this process to participate and contribute meaningfully. And so this is something that all of us need to reflect on, because each of the stakeholders in many ways represented the voices in our own society, different segments of our own society. And I think their voice and input and ideas is a valuable addition to our process. Now, this does not mean we will agree with everything they have said. This will not mean that we will be able to implement everything they would like us to do. We will have to prioritize. This is a state-led process. And I don’t think the stakeholders dispute that either. They recognize that this is a state-led process. So I just wanted to say that this afternoon, once again, has been a demonstration of why it’s important to engage stakeholders and how they can add value to our process. And I hope that this will give us some food for reflection as we get into the discussion on modalities when we come into regular institutional dialogue. So I want to take this opportunity to thank all the stakeholders here who have taken the trouble to be here in person and participated by giving their ideas, and also those who might be following the discussion virtually from the web TV. So, I would like to suggest that we, at this point, wrap up this part of our stakeholder session and move on to the remaining list of speakers for international law. So let’s do that. So I’d like to now adjourn the session of the dedicated stakeholder session and I convene the sixth meeting of the ninth substantive session of the Open-Ended Working Group in the use of ICTs in order to continue our discussions on Agenda Item 5 and to continue the speakers’ list under the theme of international law. We have about seven speakers, so we’ll start with Portugal to be followed by France. Portugal, please.

Portugal: Mr Chairman, Portugal subscribes the Declaration on Applicability of International Law in Cyberspace which was approved by the European Union Foreign Affairs Council two weeks ago, but would like to add a brief recall on the centrality, in our view, of the binding duty to protect the right to freedom of expression. The applicability in cyberspace of the Universal Declaration on Human Rights and of the United Nations Human Rights Conventions has been consensually endorsed by the UN General Assembly several times in this century. It is worth remembering in this regard that Article 19 of the Universal Declaration asserts the fundamental freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media, regardless of frontiers. And that Article 19 of the International Covenant on Civil and Political Rights asserts that these rights shall include freedom to seek, receive, and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing, or in print, in the form of art, or through any other media of choice. Freedom of expression happened to be at the core of the Internet when it was devised by its inventors as a privileged means to foster scientific debate across all divides, in the best possible conditions, including full anonymity. When Internet was expanded to encompass almost all dimensions of our private and public lives, freedom of expression, including anonymous expression, remained an indispensable feature of cyberspace. When we reaffirm the applicability of international law in cyberspace, we therefore also mean the binding state duty to protect freedom of digital expression, including anonymous expression. Having said that, we are perfectly aware that, according to the respective international conventions, fundamental human rights and freedoms are not absolute, and thus can, though only in exceptional circumstances, be suspended by states in the exercise of their responsibility for the public health or the security of their citizens and territories. State responsibility, sovereignty, and non-intervention are, of course, pillars of international peace and security, also in cyberspace. But states, according to precedent and jurisprudence, must also uphold and protect the freedom of expression across borders of their citizens, including anonymous expression, because that is part of their binding obligations under international law. Therefore, in our view, future scenario-based exercises on how binding state obligations apply in cyberspace should give due attention to the duty to protect freedom of expression, including anonymous expression, and regardless of borders. Thank you, Mr. Chairman.

Chair: Thank you, Portugal. France, to be followed by Israel, please.

France: Merci, Monsieur le Président. Thank you, Mr. Chair. My delegation aligns itself with the statement delivered by the European Union. We also align ourselves with the declaration of the European Union and its member states on the common understanding of the application of international law to cyberspace. Through this declaration, the European Union and its member states contribute to transparency and to convergence of views on international law and on how it applies to cyberspace. We welcome the fact that a growing number of states have published their national stance and have joined their voices to the discussion on international law. And that’s good, because every viewpoint is important in this body, which France, in partnership with Ireland, is currently supporting with the participation of 16 countries in this ninth session of the Open-Ended Working Group through a dedicated support and training program. Mr. Chair, the future mechanism or program of action affords us an opportunity to connect the discussions on international law to the reality of the challenges that we face, so that we can finally get out of the rut of the sometimes too theoretical discussions on this matter which are not productive. The thematic groups of the future mechanism will also be an invaluable tool to move forward the discussion on how international law applies, but also with regard to what the gaps might be as concerns international law. These thematic groups need to be centered around concrete challenges, such as indicated by Chile. The contribution of legal experts to these discussions will allow for us to do something unprecedented, to bring our discussions on international law and the concrete challenges that we face closer. These discussions can be organized around scenarios, as stressed by New Zealand. The use of scenarios will indeed allow us to more deeply engage on the points of law and to identify issues in very tangible fashion. The list of questions enumerated yesterday by Egypt can in this regard constitute an outline of the program of work for these discussions, which are held on the basis of practical cases. Mr. Chair, international humanitarian law, finally, is a… vital building block of the edifice of international law. Ignoring it in our discussions would carry the threat of threatening the soundness of our common framework. Therefore, France has regularly had the opportunity in 2024 to reaffirm the fact that international humanitarian law applies to all cyber operations undertaken in the context of armed conflict and in connection with such conflict. We therefore welcome the work done by the international movement of the Red Cross and the Red Crescent during the 34th International Conference of the Movement that was held last October. Namely, we support the resolution adopted at that occasion. Like several delegations that have spoken before us, we would like for the momentum, this impetus toward the full recognition of the applicability of international humanitarian law, we would like this to be reflected in our group’s report this year. I thank you.

Chair: Thank you very much, France. Israel, to be followed by Ghana.

Israel: Thank you, Chair. Thank you for giving us the floor to comment on the important issue of international law. Before I do that, I wish to touch briefly on the former pillar dealing with our normative framework. Chair, while answering your guiding question at this point in time, there is no need in our opinion to develop or elaborate any new norms, nor do we see a need for developing any legally binding instruments. In this regard, we wish to support the U.S. and other member states that have eloquently presented a detailed reasoning for that. Israel believes that a more cautious approach with respect to norms is required. As things currently stand, there is still a lack of certainty as to the manner in which existing norms and rules are being implemented and interpreted by states. Chair, before embarking on any process of updating the existing norms or developing new norms, it would be more appropriate, in our view, to focus on those norms that currently exist, sharing best practices in assessing whether and how they are being understood and applied, ensuring that there exists a common language and understanding when referring to these norms. For that purpose, the checklist of norms implementation can serve, in our view, as a very good basis and can assist us in our future discussions. And now for the issue of international law, Mr. Chair. In previous sessions, we have already presented Israel’s perspective on the issue of application of international law to cyberspace. And please allow me now to reiterate a few key points. We encourage discussions on the application of international law to cyberspace. We believe, however, that deepening our understanding of how international law applies is a continuing and long-term process, one that involves states forming national views and exchanging positions as we witness that the threat landscape continues to develop. Israel’s position on the application of international law to cyberspace has been constantly expressed over the years in this open-ended working group discussions as well as in other international fora. We’re also happy to mention that we’ve also presented to the UNODA Secretariat with an official legal paper dealing with Israel’s perspective on key legal and practical issues concerning the application of international law to cyber operations. We reiterate our fundamental position that international law is applicable to cyberspace. However, given the unique features of cyberspace and the fact that many traditional rules of international law have been developed and adopted in a domain-specific context, it is necessary to evaluate whether and how certain rules of international law relate or apply to the cyber domain. In order to understand whether adjustments and clarifications are necessary, Mr. Chair, the Open-Ended Working Group has played a key role in enabling states to present and publish their views on the application of international law. As the landscape continues to evolve, states will no doubt seek to continue to make their views known, relate to the international law aspects of new threats that are emerging, refine previous positions, and perhaps revise and update previous statements. Subsequently, Mr. Chair, we feel that building a common understanding of how international law applies to the use of ICTs by states should be the first step before moving to the creation or adoption of any new rules and norms. Mr. Chair, yesterday in our afternoon session we heard some unbased allegations and false remarks against Israel, and I wish to clarify some matters responding to the remarks made by the Lebanese delegation. It is important to clarify that the source of all the situation in the failed state of Lebanon is Hezbollah, an internationally designated terror organization operating as a proxy of the Iranian regime. Hezbollah’s actions have led to widespread destruction, particularly due to its strategy to embed itself within the civilian population and infrastructure of Lebanon, thus endangering countless lives of Israelis, Lebanese, and foreign citizens, among them also UN peacekeepers. Moreover, it is deeply regrettable that Hezbollah not only exploits civilian infrastructure, but also manipulates the concept of non-profit organizations and so-called journalists for its purposes, just as their brothers to terror, Hamas, does in Gaza. We call on the international community to see these actions for what they are, and to address the ongoing abuse of both civilian structures and international norms by terrorist organizations on Lebanese soil. Chair, in the last 14 months, Israeli citizens are under attack on seven fronts, including from the northern border with Lebanon, after Hezbollah made the decision to enter the war on October 8, 2023, in solidarity with their Hamas terrorist comrades. Since then, they fired over 15,000 rockets, missiles, anti-tank missiles, UAV drones, and other such weapons targeting our civilian population. As a result, around 70,000 of our civilians have been made internal refugees. Israel has been perfectly clear on what it takes to restore calm. Hezbollah must withdraw to the north of the Litani River, as outlined in UN Security Council Resolution 1701, and southern Lebanon must be freed of any Iranian influence and proxies, per Resolution 1559. No other country in the world would accept 70,000 of its civilians being displaced by terrorist organizations. No other country would take any different steps than Israel to protect its citizens and territory. No other country would agree that a terrorist organization will remain and operate on its borders. The International Committee, as well as the Government of Lebanon, must join us in our efforts to restore Lebanese sovereignty over southern Lebanon, freeing the Lebanese people of their Iranian masters. and enforcing the many resolutions of many UN bodies. I thank you.

Chair: Thank you, Israel, for your statement. Ghana, to be followed by Vietnam.

Ghana: Mr. Chair, thank you for giving me the floor. Ghana reaffirms that international law, particularly the rules and principles enshrined in the UN Charter, including sovereignty, sovereign equality, non-intervention, the peaceful settlement of disputes, international humanitarian law, the principles of humanity, necessity, proportionality, the extension and respect for international human rights law, remains applicable and essential for maintaining peace and stability. These rules and principles are fundamental in promoting an open, secure, stable, accessible and peaceful ICT environment. Mr. Chair, in response to your question on how to facilitate and increase access to capacity building in the area of international law, my delegation welcomes the recommendations outlined in the third annual progress report and wish to propose additional measures. We see significant merits in promoting south-to-south cooperation to support the development of national positions on the application of international law in cyberspace. Facilitating exchanges among nations of the global south to share experiences and strategies in this area will be highly beneficial. Similarly, organizing regional and sub-regional workshops in collaboration with entities such as the African Union and the Economic Community of West African States, ECOWAS, will address specific needs and priorities of member states. The AU Common African position on the application of international law to the use of ICTs, adopted in January this year, offers a valuable starting point for advancing such regional collaborations. It provides an in-depth explanation on how various rules and principles in the UN Charter applies in cyberspace, including international humanitarian law and international human rights law, which is pertinent in keeping an open, secure, stable, accessible, and peaceful ICT environment. Mr. Chair, it is important that states respect, protect, and ensure the human rights of individuals and people on their territory or under their jurisdiction, including protection from malicious ICT incidents, such as ransomware attacks, which poses a threat to the rights to life, the rights to health, the rights to privacy, freedom of expression, and information, among others. It is important that states uphold their obligations in protecting individuals and collective rights against infringements by states and non-state actors. This significant topic was discussed at a side event yesterday, which was co-hosted by Ghana, the Netherlands, and Global Partners Digital. We are grateful to all member states who participated in this event. Mr. Chair, as echoed by several member states, my delegation firmly believes that scenario-based exercises involving member states and relevant stakeholders are instrumental in building capacity and fostering a deeper understanding of each other’s positions. and should be captured in the final APL. These exercises promote areas of convenience and consensus regarding the application of international law in cyberspace. In this regard, the OEWG should continue encouraging research institutions, academic organizations, and other stakeholders to organize and participate in such initiatives. China particularly values the training sessions sponsored by the United Nations Institute for Disarmament Research, which have been immensely beneficial, and accordingly, we thank the donors of this initiative. These sessions provided a comprehensive understanding of the UN Framework for Responsible State Behavior, including the applicability of international law in cyberspace, the 11 norms of responsible state behavior, confidence building measures, and cyber capacity building. We also take this opportunity to express our gratitude to the United Nations Office for Disarmament Affairs for sponsoring a group of delegates to participate in this ninth substantive session. We are grateful to the donors of this sponsorship program. This initiative has enabled Ghana to include an additional delegate from the Cyber Security Authority of Ghana in the OEWG, enhancing our engagement on these critical issues. Mr. Chair, as we continue to dialogue on how international law should apply in cyberspace, it is important that all member states continue to implement the 11 norms of responsible state behavior because it will go a long way to reinforce our obligations under international law. I thank you, Mr. Chair.

Chair: Thank you very much, Ghana, for your statement. Vietnam to be followed by Australia.

Viet Nam : Mr. Chair, thank you for giving us the floor again to share views on the topic of international laws, SOEWGs. We are approaching the final years of the current EWGS mandated by Resolution 75-40. It is crucial for our UN members to reflect on the developments of international law for cyberspace in the last four years. This delegation finds it really encouraging that the international community has made significant progress on the questions of how international law applies to the use of information and communication technologies by state. In August, the Ad Hoc Committee of the UNGA Third Committee has adopted unanimously the first-ever United Nations Convention Against Cybercrimes. On this occasion, we would like to express our sincere thanks to all UN member states for your support to have this convention signed in Hanoi in 2025. In the same manner, another group of states have also opened for signature the first Convention on Artificial Intelligence and Human Rights, Democracy, and the Rule of Law. In addition to conventional text, the understanding of the OEWGs on international laws in cyberspace has been enriched with numerous regional and national position papers on different aspects of international cyber law. Even scholars are producing their own understanding of international cyber law, for example, through the Oxford Statements. At this juncture, this delegation welcomes the effort from a number of delegations led by Australia to identify conversion points in this position. and support the inclusion of such agree points in the OEWG report. Mr. Chair, witnessing such broad enthusiasm from all possible cyber actors, we may confirm that the momentum for the progressive codification of international cyber law has been built up for the next permanent mechanisms. In this regard, this delegation would like to suggest the following elements relating to international law that the future mechanisms should consider. First, the progressive codification of international cyber law should be done through multilateralism as the United Nations. It is unfair if only a small group of countries with advanced technologies could get together and design international rules for emerging technologies such as artificial intelligence with the intention to keep the digital divide among nations get even wider. Second, the future mechanisms should be confident in the promise of international law to regulate cyberspace activities as the success of the recent cybercrime convention has testified. It is for sure that the cyberspace with its unique features will require a different governance model, but with goodwill and hard work, the United Nations member states will arrive as a better rules-based international cyberspace for all. Third, member states should be fair, transparent, and consistent in the way they promote international law for cyberspace. It is flatly unjust for a group of states, on the one hand, to speak with confidence that at the UN it is premature to have any legally binding instrument on the ICT securities, and on the other hand, start their own process to create new treaties for cyberspace. Fourth, the future mechanism should engage other UN entities, such as the SICS or legal committees or International Law Commission, to urgently study the published national and regional position on international law in cyberspace. We understand that all these UN entities are welcoming topics of international cyber laws in their future works. Last but not least, the future mechanism should be ambitious and clearly indicate a concrete outcome on the topic of international law, such as a guidelines, declaration, or a set of understandings on the application of fundamental norms in cyberspace, building upon the position papers of more than a hundred Member States from all regions. A good example of this outcome is a declaration on friendly relations among nations back in the 1970s. Before concluding this intervention, this delegation again would like to confirm its readiness and confidence, as well as full support for the developments of international law in cyberspace and the future mechanism. I thank you, Mr. Chair.

Chair: Thank you very much, Vietnam. Australia, to be followed by Sierra Leone.

Australia: Thank you, Chair. Australia is pleased to join the statement made by Tonga on behalf of the 14 Pacific Islands Forum Member States with a presence here in New York, as well as the statement made by Fiji on behalf of a cross-regional group of eight states comprised of Australia, Colombia, El Salvador, Estonia, Fiji, Kiribati, Thailand, and Uruguay. We will now make some brief additional comments in our national capacity. Chair, we have taken your earlier comments to heart about avoiding entrenched positions on international law. Australia shares your wish for progress and has been actively working with a range of states to find common ground and identify convergences. We remain optimistic because we see that the OEWG has indeed made significant progress in its mandate on international law since this group began and we are now building considerable momentum. With the release of the common African position and the EU common understanding there are now over 100 states that have published national or regional positions. There have also been more states making substantive interventions and being part of joint statements on international law in the OEWG plenaries including yesterday and today. As you said earlier chair the increase in joint statements is a positive development. All these developments allow more states to engage in these important conversations and allow us to identify yet more convergences and progress discussions on the application of international law to cyberspace. Chair we feel that this progress assists us in answering your question about additional layers of understandings. Australia is pleased to see increasing convergences regarding the application of international humanitarian law, international human rights law and the law of state responsibility to cyberspace. Australia along with Colombia, El Salvador, Estonia and Uruguay submitted a paper in May 2024 with textual proposals on these topics for inclusion in the 2024 annual progress report to reflect convergences reached on these topics after rich substantive discussions in the OEWG. We regret that despite the widespread support that was voiced in the March and July sessions of the OEWG this year the textual proposals were not incorporated in the 2024 APR. Our group has now increased in size with Fiji, Kiribati and Thailand also co-sponsoring the re-released paper and becoming part of this cross-regional coalition. We consider that the OEWG’s final report provides an opportunity to faithfully capture the convergences reached in the OEWG, and we have therefore once again proposed text on international human rights law, state responsibility, and IHL that are reflective of these convergences. Chair, on your question about developments in other fora, echoing many others, we view the adoption of the consensus resolution at the 34th International Conference of the Red Cross and Red Crescent as a significant development that demonstrates recognition by states that IHL is applicable to cyber activities within an armed conflict, and that states recognize that IHL plays a critical role in protecting civilians and civilian objects, noting that cyber has already been used in armed conflicts and is more likely to be used in future conflicts. Chair, discussing IHL does not legitimize or encourage conflict, and many delegates yesterday and today have expressly acknowledged its applicability to cyberspace. We share the views of many other states, including El Salvador, Malawi, Egypt, Korea, Sri Lanka, Brazil, South Africa, the Philippines, and Ghana, as well as many others, that we should engage in substantive discussions on IHL, and we underscore the need for inclusion of references to IHL in the final report. Chair, Australia emphasizes that capacity building programs are critical to increasing engagement with international law and continuing to build common understandings. Australia has been a big supporter of capacity building efforts on international law, including in our region, and in early 2025 we will be sponsoring regional training workshops on the application of international law to cyberspace and the development of national positions, convened by UNIDIR in partnership with the governments of Thailand and Fiji. We have heard from many in the room today, including most recently the delegate from Ghana, that such training is highly valuable for capacity building. Finally, Australia also underscores the value of events such as scenario-based exercises as means of building capacity and identifying convergences, as many others have expressed today. This morning, Australia, the Philippines and Uruguay hosted another scenario-based workshop-style side event, being the third iteration of such an event. The event brought together a diverse group of policy, legal and technical delegates, as well as multi-stakeholders to consider the practical application of existing international law to a hypothetical scenario. It allowed each participant to offer their perspectives in an informal environment and highlighted the practical relevance of international law. The small group discussions in this format were frank and substantive, encouraging rich exchanges of views and building common understandings, while functioning as both a capacity building and confidence building exercise at the same time. Chair, Australia remains ambitious on international law and considers that much progress can still be made in this final year of the OEWG. We look forward to continuing to support your work and contributing to these discussions and seeing emerging convergences reflected in the final report for 2025. Thank you.

Chair: Thank you very much, Australia. I give the floor now to Sierra Leone to be followed by the ICRC.

Sierra Leone: Thank you, Mr. Chair. As this is the first time Sierra Leone is taking the floor, permit me to extend my delegation’s gratitude to you and the Secretariat for your tireless efforts in fostering inclusive and productive dialogue. discussions throughout the sessions of the OEWG. Sierra Leone aligns itself with the statements delivered by the Distinguished Delegate of Nigeria on behalf of the Africa Group, as well as the Common African Position, which reaffirms the applicability of international law to cyberspace and consistent with the United Nations Charter. Sierra Leone, like the African Union and many other member states, believes that the application of international law to cyberspace constitutes the cornerstone for maintaining international peace and security in our rapidly evolving technological ecosystem. It is therefore the view of Sierra Leonean delegation that the United Nations Charter provides solid basis for the further development of future permanent mechanisms for governing cyberspace. Key among these include the principles of sovereignty, non-intervention, and the prohibition of the use of force, among others. It is therefore not to be gained said that these enshrine universally accepted framework for regulating the behavior of states in cyberspace, as well as ensuring stability in the digital domain. We look forward to engaging constructively along these lines during ongoing discussions with a view to clearly defining how international law applies to cyberspace. Mr. Chair, it is our hope that this dialogue will also focus on the right of states to govern their digital infrastructure, resources, and data without external interference. Like many other small developing states, Sierra Leone calls for respect of sovereignty in order to ensure that our emerging digital economies are protected from cyber threats and exploitation. My delegation also emphasizes that the principle of non-intervention must extend to activities such as cyber attacks against critical infrastructure, disinformation campaigns, and other forms of digital aggression. The use of ICTs for hostile purposes, including attacks on critical infrastructure, poses a direct threat to international peace and security. My delegation recognizes that legal cyber capacity building is pivotal for developing countries to fully engage in multilateral cyber processes and implement international law effectively. Strengthening the legal, institutional, and technical capacities of developing states will ensure inclusivity, equity, and shaping the future of cyberspace. We therefore commend the efforts of international organizations, regional bodies, and donor nations that have supported capacity building within the cyberspace domain, including but not limited to UNIDA, ITU, GFC, and donor countries like the United Kingdom, the German Federation, and Singapore. My delegation echoes the views presented by the distinguished delegates from Ghana on the importance for South-South cooperation and regional capacity building efforts, including scenario-based exercises. We also note, Mr. Chair, that emerging technologies such as artificial intelligence present both opportunities and challenges. Sierra Leone believes that the application of international law to AI can help prevent misuse, particularly in areas like automated cyber attacks or the development of autonomous weapon systems. In conclusion, Mr. Chair, we urge dialogue, continued dialogue among member states to enhance clarity and understanding of how international law applies to cyberspace, and a bid to identifying and addressing the gaps in its application. I thank you, Mr. Chair.

Chair: Thank you very much, Sierra Leone. ICRC, to be followed by Benin, and then that’s the last speaker. Mr. Chair. Absolutely the last speaker before we move on. Thank you very much. ICRC, over to you.

ICRC: Mr. Chair, Excellencies, dear colleagues, the ICRC is grateful for the opportunity to address this open-ended working group on the question of how international law applies to the use of ICTs. To answer your first question, Mr. Chair, we consider it essential for this group to focus on building common understandings on how international humanitarian law applies to and therefore limits the use of ICTs during armed conflict. In light of the threats identified by this group and the reality of today’s armed conflicts, this is a pressing issue. To support such discussions, the ICRC has submitted four short papers to this OEWG on the principles of distinction, proportionality, necessity, and humanity, and on the question of when IHL applies to the use of ICTs. Mr. Chair, the ICRC recognizes that the questions of international humanitarian law must be addressed with caution and that delegations have expressed a diversity of views on the subject. Yet, and this leads us to your second question, finding agreement is possible. In 2024, two regional organizations, the African Union and the European Union, published common positions or understandings on the application of international law to the use of ICTs. In addition, in October this year, the 34th International Conference of the Red Cross and Red Crescent, at which all states were represented, adopted a resolution on protecting civilians and other protected persons and objects against the potential human cost of ICT activities during armed conflict. The resolution recognizes that states have expressed a diversity of views on the questions of IHL and that further study is needed on how and when IHL applies to the use of ICTs. The resolution also highlights key protections that IHL provides for civilian populations. For example, the resolution reiterates that in situations of armed conflict, IHL rules and principles serve to protect civilian populations and other protected persons and objects, including against the risks arising from ICT activities. The resolution further calls on parties to armed conflicts to respect and protect medical personnel, units and transports, including with regard to ICT activities. Likewise, it calls on states and parties to armed conflict to allow and facilitate impartial humanitarian activities during armed conflict, including those that rely on ICTs, and to respect and protect humanitarian personnel and objects, including with regard to ICT activities. Building on the work of this OEWG, the resolution also calls on parties to armed conflict to protect civilian infrastructure that provides services across several states, including the technical infrastructure essential to the general availability or integrity of the Internet, such as undersea cables and orbit communication networks. We encourage delegations to consider whether some of these issues should also be reflected in the final OEWG report. Finally, I turn to increasing states’ capacity on international law and the use of ICTs. Third question for this session. At the ICRC, we engage in a number of legal capacity-building projects. Let us highlight one that is of particular relevance. In partnership with private and public institutions, we are working institutions from around the world, the ICRC is supporting the Cyber Law Toolkit. In this toolkit, delegations may find concrete cases written by experts and practitioners explaining how international law, including IHL, applies to the use of ICTs by states and a comprehensive list of all national and regional positions on international law and ICTs. Chair, I cannot conclude without mentioning the global initiative to galvanize political commitment to IHL that was launched earlier this autumn by Brazil, China, France, Jordan, Kazakhstan, South Africa, and the ICRC. Indeed, one of the work streams that will compose this initiative will aim to foster agreement among states on how IHL imposes limits on ICT activities during armed conflicts. On the basis of a series of consultations open to all states, we will seek to develop concrete and practical recommendations on upholding the protection that IHL affords civilian populations and other protected persons and objects against the dangers arising from the use of ICTs during armed conflict. Common understandings on how IHL applies to the use of ICTs can be achieved. The ICRC stands ready to continue supporting this endeavor here in New York and through the global initiative. I thank you, Chair.

Chair: Thank you very much, ICRC. Bena, you have the floor, please.

Benin: Thank you, Mr. Chairman. I would like to begin with an apology for what has happened in the past. At the outset, I would like to say that Benin stands in solidarity with you, the Bureau, and the Secretariat, which is supporting you. On a personal level, I apologize for what I very much appreciated your leadership, which leads me to tell you that you are one of the most brilliant ambassadors of your country. If it’s possible to continue holding the sessions the way that you’re doing, I would love to stay because I very much approve of your management. Allow me to thank the Bureau as well. Allow me to thank the UNODA, without which Benin would not be present in this meeting. And I wish to thank all of the other donors and the partners that have supported us in one way or another. This is also the opportunity to welcome and to thank all of the distinguished delegates present at this meeting, at this session, without forgetting the American – the U.S. for their kind support. Before I dive into the matter at hand, I wish to draw attention to Benin’s position with regard to the latest cybersecurity index and the classification thereof. Benin is a small country, and we’re trying to make headway on this matter without too much turmoil. Today, we’re proud to say that we have a national law, and we’re proud to say that we’ve ratified the Malibu Convention, which is the African regional instrument on cybersecurity and the protection of regional – We’re also proud to say that we’ve joined the Budapest Convention, and we’re a member of it. I’m also proud to say that we participated in the work in the development of the United Nations Convention Against Cybercrime. At the national level, we’ve been doing other things. We have been working to bolster cybersecurity. We also passed a regulation that governs the protection of our critical infrastructure. And continuously, the Government of Benin will be adapting the classifications of the critical infrastructure that we’ve identified for our country. When you see this presentation, you can understand that Benin is very, very sensitive with regard to these issues, and we’re very much engaged in the discussions. This is why, Chair, you can see – you can see, however, there’s some divergences in views. Before the end of the cycle of negotiations, we hope a consensus will be reached. But some distinguished delegates have addressed issues that are of importance and which should be addressed. For example, the delegate of Cuba. who addressed some sensitive points that resonate with a country like Benin. There’s also Egypt and my predecessor, Cyril Leone, which touched on capacity building and other important matters. When we see the concept of force being used in international law and when we transpose that into the cyber realm, I struggle to comprehend the concept. I think this is a concept which needs to be redefined because here it’s enough to have an algorithm, it’s enough to have a program to create something disagreeable without using force within the international definition. So can there be a victim if we’re talking about force? This debate remains open. That’s why one should encourage the position of the African Union and the European Union, one should encourage the states today to engage in discussions at the national level in order for national positions of states to be clearly defined. This will facilitate a convergence of views during the discussions to come. I will leave it at that, Mr. Chair, by congratulating you once more on the conduct of our work. I want to reiterate that you have been in support in the context of the work that you are doing. And I want to recall that when we talk about voluntary norms… These are non-binding norms, and if they’re non-binding, what do we want? This is why you’ve sometimes seen divergences in viewpoints. But we’re going to iron out these differences as we move forward. I thank you, Mr. Chair.

Chair: Thank you very much, Bena, for your intervention, for your kind words as well, addressed to me and my team, as well as the Secretariat. I think that is perhaps a good note to wrap up the discussions on international law. I will not attempt a summary. I did make some remarks prior to the lunch break, so I will leave those comments at that. But I will say that I think there is a way forward to take a step forward on the issue of international law. There are certainly areas of divergence and strongly held views on both sides or on different sides. But I think after several years of discussing these issues, I think we certainly have a greater level of clarity, greater level of common understandings, greater level of detail in terms of how international law applies. But there is also a greater level of clarity in terms of the issues that will need further discussions and also specific issues under international law on which there is divergence in terms of our positions or your positions. I should say, but we can also agree that it is important for us to capture the state of the discussion. Capture the state of the discussion such that we reflect the areas of convergence and areas where there remain differences in points of view, but where we need to continue the discussion. So it is possible, I think, that we look at the final report as a way to capture the state of the discussions with regard to international law, so that that provides that foundation for the next step as we take this discussion into the future permanent mechanism. I think it is also clear that at this discussion we have heard delegations which have not previously expressed their views. I think that is a good thing. Obviously more and more delegations are ready to take a position, express their views with regard to international law, and especially the views of countries from the developing world from the south, from the small island developing states, from the very small countries, least developed countries. They have taken the trouble to be present, and of course with the help and support of partners who have also made that possible. I think that too is an example of partnership and building trust and building relationships. Those things are important, but what the working group has done is really created a truly inclusive platform to have some of these difficult conversations. So I think that is a very precious achievement. of all of us collectively. So I think there’s no reason to be pessimistic, but every reason to look forward, to see how we can take a step forward, but also I would encourage all of you to see how you can go beyond your very safe comfort zones of existing positions, because we do need to find a way to move forward. So once again, my thanks to all of you for what has been a very, very rich discussion. I think it’s exactly 5 o’clock, we’re slightly behind schedule, so we will now move on to the next agenda item, or rather the next item under the agenda, which is confidence-building measures. So I’d like to open the floor now for comments from interested delegations under the theme of confidence-building measures. All right, I give the floor now to Lebanon, to be followed by the Russian Federation.

Lebanon: Thank you very much, Mr. President. In fact, I was raising a hand to ask if the right of reply for the previous point is covered now or at the end of the session.

Chair: Thank you. Thank you very much, Lebanon. Perhaps we can take that at the end of the day. Thank you very much for your understanding, Lebanon. Russian Federation to be followed by the European Union.

Russian Federation: Mr. Chair, important milestone in CBMs was the launch this year of the global directory of points of contact for exchanging information on computer attacks and incidents. In the half year since, 109 countries have already joined the directory, and we trust that by designating diplomatic and technical POCs will be designated. We highly appreciate the presentation by the chair of the calendar of events for the new cycle of the OEWG. The Russian POCs are ready to participate in upcoming ping tests and simulation exercises. We support this aspiration as a matter of principle. Russia and doubtless many other countries would be happy to engage in a discussion of the parameters for the aforementioned events. We are confident that regularly testing the algorithms of the directory is the key to its efficiency. We thank separately the UN Office for Disarmament Affairs for managing the POC directory. Turning now to further efforts to develop the directory, one of the first priority tasks is to determine its scope. That is, the specific areas of cooperation between the designated diplomatic and technical points of contact. There’s also a need to develop a common understanding of the functionality of the technical POC required for effective participation in the directory. This will help to improve the parameters of its functioning. The fact that these issues are not on the agenda has already led to problems when cooperating on incident response. The Russian technical point of contact has already begun to engage in interactions using the addresses distributed on the registry website. We’ve identified ten contacts that did not work, as well as four technical POCs who had limited powers at the national level, which left them unable to respond to our notifications. Thus, the tasks of the POC directory cannot be completed fully without solving some emerging problems. Before moving forward, one needs to carefully consider the designation of the POCs and the scope of the registry. Please note the fact that the Russian Federation has developed a guide to the creation of a UN technical contact point for the UN, which will build capacity in this area. That document is available for you at the OEWG website. Among the instruments that could potentially ensure sustainable exchange of information is our standardized communication templates. We’re talking about improving the usability of the POC directory, which is especially crucial for those states that continue to lack expertise, and capacity in mitigating computer attacks. Russia has submitted its concrete views on this matter. You can find it in the concept paper, which we’ve put on the website of the OAWG. At the same time, it’s essential for further work on developing the POC directory to involve absolutely all states and to be grounded in the principle of consensus. In other words, the patronage of the directory should pass from the current OAWG to the future permanent mechanism. There’s one more priority area of work. It is expanding the membership of the POC directory. There’s some states that continue to struggle to establish national computer incident response teams. To address this situation and to build the capacity of such states, we have a common mission. That is our common mission, rather. We believe that providing assistance in this area should be linked to the specific needs and priorities of recipient states. In this context of particular importance are activities aimed at raising the awareness of the directory among states, that is, outreach and the main aspects of its functioning. I thank you.

Chair: Thank you very much, Russian Federation, for kicking off the discussions, for getting us straight into the substance of CBMs. Please let me just make two points with regard to that. First, I’m happy to announce that the global POC directory now has 111 countries, so two more than what you indicated, Russian Federation. So 111 countries. I think if we look back at the last year and a half, I think we’ve seen a lot of progress how far we have come in terms of talking about it, establishing it, and getting to 111 is a very, very good start. But as we have been discussing the question of widening participation, it is really important that we need to increase the numbers. We need to make it near universal. And this is where the issue of partnership with countries who will find it challenging to come on board becomes very, very important. I think each one of us has to reach out. Is the list of 111 countries on the website? Catherine? Well, the POC directory is password protected, so one would not be able to tell from the directory as to which countries are in the directory and which are not. But I think the secretariat has the information as to which countries have not yet been able to join. So we certainly don’t want to pressure or name and shame countries. That is not the spirit of the global POC directory. But it’s very clear that countries will need help, especially those who have not obviously joined already. So I would encourage each one of you, those with the capacity to do so and the commitment to reach out, to please see how you can reach out, extend a hand of friendship and partnership to bring people. on board the Global POC Directory. So that’s the first point I wanted to mention. Second, in accordance with the letter I circulated to all member states on the 12th of November, where I attached a schedule of activities for the remaining few months, I had indicated that the second Global POC Directory ping test will take place in December 2024, which is this month. The exact date will not be announced, so this may well remind you of an unannounced school test for you and your people back in capital. It will happen sometime soon. It may happen maybe on Christmas Eve. I hope not. OK, not on Christmas Eve. The idea is not to trick anyone. The idea is to really test the system internally and also to check if all the contacts and communications are ongoing. And frankly, this won’t be the last simulation exercise we are doing. It’s already the second. We need to do this regularly so that people nationally can also understand, and people at the international level and regional level can also be a part of it. So just send the signal to your people that those of you who already have designated a POC Directory that the test is coming. So it’s time to test and get ready for the ping. And Secretary, will you be giving out grades? Of course not. So you are spared. It will be a surprise test, but there will be no grades. But we hope that as many of you would be able to. take the opportunity to check the system and see how we can get everybody on board. So my message is please get ready for the ping test and please pass the message along to your people in your capital. Let’s continue with the speakers’ list. European Union to be followed by Islamic Republic of Iran.

European Union: Thank you, Chair, for giving me the floor. I have the honor to speak on behalf of the European Union and its member states. The candidate countries, North Macedonia, Montenegro, Serbia, Ukraine, the Republic of Moldova, Bosnia and Herzegovina and Georgia, and the EFTA country, Norway, member of the European Economic Area, as well as San Marino, align themselves with this statement. Chair, confidence-building measures are well-proven and established cyber diplomacy tools. To reduce the risk of misunderstanding, escalation, and conflict, the Global Point of Contact Directory represents a valuable signal of our joint commitment to building confidence. We thank you, Mr. Chair, and the Secretary-General, for your continuing efforts to fully operationalize the BSC Directory. From early on, the EU has supported the approach of learning and benefiting from experience at regional level. Continuous exchange between various regional organizations, but also between regional organizations and the Open-Ended Working Group, is important. It would help to create synergies and seek harmonization with regional BSC networks while avoiding conflicting efforts. Chair, we encourage States to share examples of CBMs and their successful implementation in their region and share the success stories. Many of these processes serve distinct purpose and audience. Some are about articulating agreed upon norms of behavior while others focus on implementation. The OSCE CBMs, for example, serve primarily to build levels of trust between participating states and thereby reduce the risks of conflict stemming from the use of ICTs. Another example is the establishment of an ASEAN regional CERT, which aims to promote and facilitate information sharing related to cyber incident response to complement the operational mandate exercised by individual national CERTs in each ASEAN member state. These two types of norm building exercises operate in distinct avenues but ultimately serve to create more trusted outlets for states to operate together in cyberspace in the regional context. Mr. Chair, we would also like to flag the work the informal cross-regional group on confidence builders is doing. The recent paper on how information sharing contributes to security and stability in cyberspace provides examples of how information sharing can make a direct contribution to strengthening security and stability in cyberspace from pre-existing point-of-contact networks, namely that of ASEAN, the OAS, and the OSCE. The paper demonstrates how regional POC networks can be used to share information to prevent, detect, respond to, and recover from cybersecurity incidents. Thereby, the group makes an important contribution towards further operationalizing the global POC directory, also with a view to the POC directory exercise scheduled for next year. Linking our BSC directory with the future mechanism is incredibly important to ensure sustainability and ownership. As highlighted in the town hall meeting last week, the EU believes that the future mechanism should discuss shared policy objectives in a cross-cutting, integrated way through dedicated thematic working groups to deepen our understanding of the implementation of the framework of responsible state behavior, which CBMs are an integral part of. A step-by-step approach could be taken to streamlining the BSC directory and the other global CBMs into the thematic working groups based on experience from their operalizations to address the different policy objectives in the cross-cutting thematic working groups. Chair, over the next six months we should focus on further operationalizing the BSC directory and encouraging further participation from as many states as possible. The EU looks forward to the publication of the tutorials by the Secretariat as a way to build capacities that encourage use of the BSC network. We also hope that the stimulation exercise in the coming months to come will provide relevant experience to all member states in using the network. We anticipate that this will feed back positively to our work on implementation of other global CBMs and also help to improve the resources we provide for the BSCs. Thank you.

Chair: Thank you very much, European Union. I give the floor to the Islamic Republic of Iran, followed by the United Kingdom.

Islamic Republic of Iran: Bismillah ar-Rahman ar-Rahim. Mr. Chair, thank you for the floor. Broad mutual understanding of each state’s policies and strategies, as well as established connections among states, is essential to prevent escalation of tensions among states due to the miscalculation and misunderstandings. ICT environment is not an exception. To meet these requirements, the Islamic Republic of Iran has held consultations with different countries and is preparing to widen bilateral agreements. These efforts have been pursued at the regional level, including through the Shanghai Cooperation Organization and cooperation among the BRICS countries, as well as regional initiatives in the Middle East and with the Persian Gulf countries. This diverse stream of efforts with different partners serve as a solid bedrock for our efforts to advance confidence buildings, including in the Middle East and Persian Gulf region, and we are committed to continuing them. Mr. Chair, your guiding question has advised us to comment on the challenges for implementation of the CBMs. Last September, the leaders of the member states of the United Nations adopted the Global Digital Compact, advocating, I quote, to equitable and meaningful inclusion in digital economy, which requires tackling existing concentration of the technological capacities and market power, and maintaining stable and resilient supply chains for global digital products and services. ICT security is a critical component of the digital economy. International community recognize that ensuring the integrity of the ICT supply chains and the security of the ICT products are increasingly critical for international security and digital and broader economic development. Based on this understanding and previous deliberations, we would like to propose a new language and additional CBM to be included in the final report of the group as follows. I quote, CBM-9, facilitating the unhindered access by all states to the secure ICT market, including the ICT security market, to mitigate potential risks in the supply chain, encompassing technological and human risk factors, and to enable enhancing resilience through integrated cyber risk management, end of the sentence. It’s worth noting that in the recent APR, the group agreed to continue exchanging views on the potential development of additional CBMs. In closing, I would like to also highlight that in the previous APRs, the OEWG recognized that capacity building is an important confidence building measure, expressing that capacity building programs are an important avenue for collaboration, which could strengthen relationship as well as build trust and enhance confidence between the states. We hope that in the final report, the OEWG can take concrete steps forward, strengthening the language in this regard. As I have the floor, Mr. Chey, I would like to refer to the statement made by representative of Israel, Israeli regime, which has used this platform once again to resort to false narratives and deflect attention from the regime’s ongoing war crimes against the people of the Palestine and Lebanon. This regime is notorious enough for its persistent and blatant violation of international law, the Charter of the United Nations and Security Council Resolution, and is never in a position to accuse others of baseless allegations. It’s profoundly ironic that the Israeli regime, for its dark record of engaging in the terrorist activities within the region, dares to talk about international law. Since the Israeli regime’s ongoing genocide and war crimes against the Palestinian people, along with the terrorist attacks involving detonation of the thousands of the wireless communication devices in Lebanon. On September 17 and 18, are utterly unjustifiable and have been widely condemned by the international community. The representative of the Israeli regime, instead of providing credible and convincing responses to the concerns expressed by the delegation in this room, resorts to desperate attempts to distort the reality and divert attentions toward Iran, attempting to invert the roles of the perpetrator and the victim. Yet the truth starkly contrasts with these fabrications and undeniable facts explicit for themselves. My delegation has responded to those allegations during the meeting yesterday and in the relevant platforms as well. I do strongly reject the groundless and unsubstantiated accusations directed to my country by this representative of the Israeli regime. I thank you, Mr. Chairman.

Chair: Thank you, Islamic Republic of Iran, for your statement. United Kingdom, to be followed by Bosnia and Herzegovina.

United Kingdom: Chair, the UK welcomes the continued efforts of Member States to build confidence in support of international peace and security. We also recognize the important work conducted at a regional level, which complements the agreed voluntary, non-exhaustive global confidence-building measures in Annex B of the Third APR. In line with CBM 3, we acknowledge the importance of the voluntary sharing of information nationally, regionally and globally to foster trust and confidence. The UK continues to share information through the website of our National Cyber Security Centre, which sees an average of 1.6 million visitors per year, of which 22% are from outside the United Kingdom. Much of the guidance is not only relevant to the UK, and Member States may wish to make use of this resource. Chair, this week we have heard from states including Nigeria, Kazakhstan and Vietnam about their concern for the cyber security of the Internet of Things. The UK would like to draw attention to our product security and telecommunications infrastructure legislation which came into force in April this year. This legislation requires private sector providers, importers and retailers to implement certain security requirements on their products. This includes requirements to strengthen the default password security of products, requirements to provide customers with information on how to report security incidents and requirements to publish information on minimum security update periods. The legislation therefore addresses the most common reasons for insecure consumer IoT and could serve as a model for states seeking to minimise consumer IoT risks. In support of CBM7, the UK continues to develop and share tools to raise the resilience of critical national infrastructure internationally. Since 2019, the UK has supported the assessment of national cyber security risks in nearly 20 countries in Africa, Europe, South America, the Middle East, the Caribbean and Asia. National cyber risk assessments identify and categorise critical infrastructure assets and help states to prioritise cyber security investment. With regard to CBM8 on private sector and government partnerships, the UK emphasises relationship development with our domestic stakeholder community. One way we do this is by inviting the private sector to second experts with a range of professional expertise into our national cyber security centre. To date, 132 organisations from across the private sector have provided 300 secondees since the creation of this programme. Consistent with CBM6, the UK continues to deliver and support a variety of capacity building programmes. related to ICT security. The role of the multi-stakeholder community cannot be underestimated with regard to the delivery of these programmes. For example, in September this year, the UK announced its support for CREST’s Cyber Accelerated Maturity Programme in collaboration with the national cyber security authorities of Armenia, Bahrain, Georgia, Ghana, Kenya, Lithuania, Malaysia, the Philippines, Thailand, Qatar and Oman. This programme will bridge the global cyber skills gap by supporting CSIRTs, protecting CNI and preventing and responding to cyber crime. Finally, the UK was pleased to join the POC Directory this year. We recognise the value of the POC Directory in providing states with direct means of communication in situations that threaten international peace and stability. We thank the Secretariat for their continued efforts to operationalise the Directory. Thank you.

Chair: Thank you very much, United Kingdom, and welcome on board the POC Directory. Bosnia and Herzegovina to be followed by Fiji.

Bosnia and Herzegovina: Thank you, Mr Chair. While we aligned with the statement of the European Union, I would like to add some remarks in my national capacity. Bosnia and Herzegovina reaffirms that confidence building measures are essential for enhancing mutual trust and predictability between states and reducing tensions and misunderstanding. In addition to activities of Bosnia and Herzegovina with regard to implementation and operationalisation of the OSCE CBMs, as I mentioned yesterday, Bosnia and Herzegovina would like to share some actions and engagement with a view of implementation and operationalisation of global CBMs. As it was mentioned and concluded in the so far work of the OEWG, we are committed to working with the European Commission on The dialogue within the OEWG was in itself a CBM. So efforts have been made by Bosnia-Herzegovina in coordination and with the support of our international partners, as I have already mentioned on Monday, which we appreciate highly. The efforts have been made to have at this OEWG session a representative from our capital in charge of coordinating cyber and digital diplomacy activities of the Ministry of Foreign Affairs. Furthermore, we welcome the launch of the Global Points of Contact Directory in May this year. Given the fact that the Global Intergovernmental Points of Contact Directory is a CBM in itself and also provides a basis for the implementation of other CBMs that could help to promote open, secure, stable, and peaceful ICT environment, it is a particular pleasure to share today that Bosnia-Herzegovina has just nominated points of contact for the Global POC Directory, diplomatic point of contact, as well as technical point of contact. We are looking forward to participating in ping tests this month and simulation exercise next year, as well as to working with other states to further operationalize the Global POC Directory. With regard to what you, Mr. Chair, have mentioned earlier on the coming ping test, as I am nominated diplomatic POC, I assure you that I will do my best to get ready for it, as well as to bring it to the attention of my colleague from the Ministry of Security, who is a technical POC. Mr. Chair, I further wish to highlight that Bosnia-Herzegovina intensified its engagement in regular sub-regional, regional, and cross-regional exchanges. of lessons learned and good practices within the Western Balkans and the OSCE, as well as with the EU. As mentioned during yesterday’s session, we have engaged in discussion with our Western Balkans partners to consider modalities of establishing Western Balkans Cyber Diplomacy Network and we have enhanced our participation in the OSCE informal working group on ICT. Furthermore, we have participated at the fourth Inter-Regional Conference on Cyber-ICT Security organized by the OSCE and the Ministry of Foreign Affairs of the Republic of Korea, aiming at strengthening cooperation, exchange of information, and considering cooperative activities which could enhance cyber stability in both the OSCE and Asian regions. Together with our Western Balkan partners, we have enhanced our exchange of views and information with the EU institutions and Member States, including participation at the third European Conference on Cyber Security Skills held in Budapest, organized by ENISA and held under the auspices of the Hungarian Presidency of the Council of the EU, during which conference a panel was held actually on building cyber capacity in the Western Balkans from the diplomatic perspective. Therefore, while advancing our cooperation and partnerships, aiming at enhancing sub-regional, cross-regional exchanges, we are also strengthening our cyber capacities. In this regard, Bosnia and Herzegovina highly appreciates the support of the partner countries as well as of the multilateral organization. Thank you, Mr. Chair.

Fiji: Thank you, Chair, for giving me the floor. The following statement is delivered on behalf of the informal cross-regional group of the OEWG Confidence Builders in the name of the following OEWG participating states. Argentina, Australia, Brazil, Canada, Chile, Colombia, Czech Republic, Dominican Republic, Germany, Israel, Republic of Korea, Mexico, the Netherlands, Singapore, and Uruguay. The informal cross-regional group of Confidence Builders is glad to share that we have published a new joint working paper titled, How Information Sharing Contributes to Security and Stability in Cyberspace, Examples from Regional Points of Contact Networks, which you may find on the OEWG website. The joint paper by the cross-regional informal group of Confidence Builders seeks to contribute to the operationalization of the global POC directory by demonstrating how information sharing can make a direct contribution to strengthening security and stability in cyberspace. UN efforts in building confidence can draw on significant progress made at the regional level through regional organizations. Setting up intergovernmental networks of cybersecurity focal points has commonly served as a confidence building measure in and of itself, serving as a basis for further measures that can help to promote a secure and stable information and communications technologies environment. The paper provides four examples from the context of three POC networks, namely the OAS, the ASEAN, and the OSCE POC network. The examples show how regional networks of points of contact have been used to share information to prevent, detect, respond to, and recover from inter-liar urgent and significant ICT incidents. Chair, the confidence builders look forward to working constructively with you and all member states on how to integrate CBMs in the future mechanism. Chair, with your leave, Fiji will also be delivering a statement in its national capacity. Thank you.

Chair: Thank you very much, Fiji, for the statement and also my thanks to the confidence builders for continuing to build confidence. I think we need to keep at this process. So your work is very appreciated. I give the floor now to El Salvador. Please.

El Salvador: Thank you very much, Mr. Chairman. On confidence building measures, my country is pleased with the list of measures that have been reflected in Annex B of the Third Annual Progress Report. We welcome the measures that give clear indicators for the operationalization of the Global Directory of National Focal Points. This is an action-oriented measure, which builds on the work of this group, which we have always supported from El Salvador. We also welcome the development of specific measures on the protection of critical infrastructure in line with the standards for responsible behavior. This was a proposal that El Salvador put forward during the seventh substantive session, and we’re pleased to see it reflected in the list of initial proposals. Nevertheless, we think we need to build on concrete measures for the implementation of these measures in practical terms. And in this regard, Chairman, we would like to suggest four specific proposals. First, the voluntary identification of critical infrastructure and critical IT infrastructure at the national level and to delineate them through strategic sectors. This has to be in line with national regulatory frameworks, particularly for those infrastructures that provide public services. This identification could allow for an internationally accepted codification with under the aegis of the United Nations. Two, the exchange of lessons learnt and good practices at the regional level. This exchange should be a foundation to extrapolate experiences from other regions when it comes to how critical infrastructure can be protected. Three, ensuring public-private associations and working with public service providers. This is critical. These alliances are critical to protect critical infrastructure, particularly to ensure the availability of the Internet. And four, the development of specific capacity building programmes. These programmes have to be designed to understand the specific features of each country and each region and how to protect critical infrastructure best. We would like to underscore that interstate cooperation through technical assistance and capacity building and technology transfer can certainly make a significant contribution to building confidence more generally. That is why we suggest that we consider looking at a specific confidence building measure which is focused on capacity building itself. Thank you.

Chair: I thank very much the Permanent Representative of El Salvador for her statement and also for her very specific proposals. Give the floor now to Italy, please.

Italy: Thank you, Mr. Chair, for giving me the floor. We fully align with the statement delivered by the European Union. In our national capacity, we wish to highlight the importance of confident building measures for fostering trust, reducing misperception, and promoting stability in cyberspace. They play a critical role in preventing escalation and enhancing predictability and creating a safer, more cooperative international environment for addressing cyber security challenges. Italy supports the Global Points of Contact Directory, designed to strengthen communication and collaboration among states. By integrating it with existing national and regional initiatives, we believe that the directory will help foster an open, secure, stable, accessible, and peaceful ICT environment. We also attach particular importance to regional CBMs developed by the OCE, which we regard as highly effective. Italy actively contributes to Measure 8 on points of contact and Measure 14, fostering public-private partnerships to address shared cybersecurity challenges. Through contributions such as the OCE report, Emerging Practices in Cybersecurity-Related Public-Private Partnerships, Italy underscores the private sector’s pivotal role in enhancing resilience and addressing multi-faceted cyber threats. We recognize the importance of cross-regional collaboration to enhance CBMs. By integrating lessons learned from diverse frameworks and sharing experiences, Italy contributes to a more adaptable and comprehensive approach to trust-building in cyberspace. We remain committed in supporting CBMs as a foundation of international cooperation. By fostering collaboration and mutual understanding, we aim to ensure cyberspace as a domain of stability, trust, and progress in an ever-evolving world. changing digital landscape. Thank you, Mr. Chair.

Chair: Thank you very much, Italy. South Africa, you have the floor, please.

South Africa: Thank you, Chair. With the rapidly evolving threat landscape, as discussed during the threat section, the implementation of the eight agreed global CBMs is one of the key elements of ensuring transparency, cooperation, and stability in cyberspace. In respect of what we can do to support and facilitate full operationalization of the eight CBMs, South Africa believes that cooperation at a UN, regional, and sub-regional levels is key. This support could take the form of workshops and roundtable discussions to share experiences and expertise, engage in dialogue to identify some of the non-contentious areas to start with, and move on to more sensitive ones as we continue to build layers of understanding and trust. With regard to increasing participation in the global POC directory, a number of delegations posited that effective implementation of CBMs, including participation in the POC directory, is tightly linked to capacity building, and we share this view. We believe that by narrowing the capacity gap, the goal of achieving maximum participation in the global POC directory is attainable. Member states are encouraged to share success stories from assistance received from the global POC. during a cyber incident. The proposed simulation exercise is a welcome initiative to empower the global POCs with step-by-step actions to take to request or offer assistance during a cyber incident. Finally, Chair, to give effect to paragraph 47 of the third APR on the development of standardized templates, it is proposed that such templates should be simple and easy to use. As proposed by some delegations, the templates should, at a minimum, provide a brief description of the nature of assistance sought, details of the cyber incident, acknowledgment of receipt by the requested state, and provide indicative response timeframes. Thank you, Chair.

Chair: Thank you very much, South Africa, for your statement and also for your very specific suggestions. Dear friends, I’m conscious that we need to wrap up soon, and we’ve had a request from the delegation of Lebanon for a right of reply. So I would now invite the representative of Lebanon to exercise his right of reply.

Lebanon: Thank you very much, Mr. Chair, and I’m aware of the long day today, so I’m going to keep my right of reply pretty short. But just to mention a couple of points, it’s been like a pattern that when we discuss a specific matter in the first committee or here in the OEWG, and then we specifically mention certain attacks from Israel, and then what I mentioned yesterday was particularly how it is seen from an international law perspective. Today, we got, if we call it a right of reply, it was very vague and did not touch on the point. It was very generic and, in fact, maybe it was on purpose to evade any responsibility. To that, I would add that and to remind that the attacks was the explosion of the ragers and the hacking of the Beirut International, Rafik Hariri International Airport, very concrete two examples and those are only two. And I would like to add that the spokesperson of the Israeli PM acknowledged the responsibility for 17-18 September attack on 11 November. To add to that and from the intervention of the Israeli delegation, it seems that it is more convenient for them to keep the field of ICT out of concrete regulation to allow them a free hand in abusing this technology against the sovereignty of other nations. And the examples on that are very, very valid. I’m not going to enter into more examples. Also, I would like to mention that Lebanon is far from being a failed state. Every person and every diplomat who visited this country knows that this is a resilient and vibrant nation and a resilient and vibrant country. So just to brush away any responsibility by designating this or that country conveniently in a negative description does not absolve them from the fact that they are in complete breach of international law. And I would like to add that despite the destructive aggressions by Israel of Lebanon for many times and for many years, three times already, Lebanon has always been resilient and always managed to get up on its feet and play the important role it is playing in the region and in the world. And one last point, since he mentioned 1701, which Israel completely disregards and completely and never respected since 2006, I would like to reiterate that Lebanon upholds its obligation according to international law, respects all Security Council resolutions, including 1701, and is committed to fully implement it. I thank you very much, Mr. Chair.

Chair: Thank you, Lebanon. Are there any other requests for the exercise of the right of reply? I see none. So at this point, we will have to conclude our meeting for this afternoon. We will continue tomorrow morning with the remaining list of speakers, and then I think we would be able to complete the remaining list of speakers in about an hour and a half maybe, and then tomorrow we will transition in the morning to the next cluster of items, which is capacity building. So once again, my friends, my thanks to all of you for your very constructive engagement today, and I wish you all a pleasant evening. The meeting is adjourned.

Agreement Points

Importance of stakeholder engagement in cybersecurity discussions

Global Partners Digital

Youth for privacy

Hitachi America

Red en Defensa de los Derechos Digitales

National University of Singapore -Centre for International Law

Global Cyber Alliance

Stakeholders provide valuable expertise and real-world understanding

Youth should be included in future cybersecurity mechanisms

Private sector plays key role in securing critical infrastructure

Civil society contributes to norm implementation and human rights protection

Academic institutions support capacity building efforts

Non-profit organizations provide neutral platforms for collaboration

Multiple stakeholders emphasized the importance of including diverse perspectives from civil society, youth, private sector, academia, and non-profits in cybersecurity discussions to ensure comprehensive and effective outcomes.

Application of international law to cyberspace

ICRC

Portugal

Sierra Leone

Israel

Ghana

Australia

International humanitarian law applies to cyber operations in armed conflicts

Human rights law, including freedom of expression, applies in cyberspace

State sovereignty and non-intervention principles apply to cyberspace

International law provides framework for cyber stability but may need clarification

Developing countries need support to engage in international law discussions

Scenario-based exercises help build understanding of international law application

Multiple speakers agreed that international law applies to cyberspace, including humanitarian law, human rights law, and principles of sovereignty, while acknowledging the need for clarification and capacity building in its application.

Importance of confidence building measures in cyberspace

Russian Federation

European Union

Fiji

Italy

South Africa

El Salvador

Global Points of Contact Directory is a key confidence building measure

Regional CBM initiatives complement global efforts

Information sharing contributes to cybersecurity and stability

Public-private partnerships enhance cyber resilience

Capacity building supports implementation of CBMs

Protection of critical infrastructure should be a focus of CBMs

Multiple speakers emphasized the importance of confidence building measures in cyberspace, including global and regional initiatives, information sharing, public-private partnerships, and capacity building efforts.

Similar Viewpoints

These speakers emphasized the importance of capacity building and regional cooperation to support developing countries in addressing cybersecurity challenges and engaging in international discussions.

Ghana

Benin

Bosnia and Herzegovina

Developing countries need support to engage in international law discussions

Capacity building needed to address cyber threats in developing countries

Regional cooperation enhances cyber threat response capabilities

These speakers emphasized the importance of protecting human rights in cyberspace and adopting a human-centric approach to cybersecurity that considers the direct impact on citizens.

Portugal

Red en Defensa de los Derechos Digitales

Fundación Carisma

Human rights law, including freedom of expression, applies in cyberspace

Civil society contributes to norm implementation and human rights protection

Human-centric approach needed to address impacts on citizens

Unexpected Consensus

Importance of scenario-based exercises

Australia

South Africa

Scenario-based exercises help build understanding of international law application

Capacity building supports implementation of CBMs

Despite representing different regions and levels of technological development, both Australia and South Africa emphasized the value of practical, scenario-based exercises in building capacity and understanding in cybersecurity. This unexpected consensus highlights a shared recognition of the need for hands-on approaches to complex cyber issues.

Overall Assessment

Summary

The main areas of agreement include the importance of stakeholder engagement, the application of international law to cyberspace, and the value of confidence building measures. There was also consensus on the need for capacity building, especially for developing countries.

Consensus level

Moderate to high consensus on broad principles, with some divergence on specific implementation details. This level of agreement suggests a strong foundation for future cooperation in cybersecurity, but also highlights the need for continued dialogue to address remaining differences, particularly in the practical application of agreed-upon principles.

Disagreement Points

Role of international law in cyberspace

Israel

Portugal

Sierra Leone

International law provides framework for cyber stability but may need clarification

Human rights law, including freedom of expression, applies in cyberspace

State sovereignty and non-intervention principles apply to cyberspace

While all speakers agree that international law applies to cyberspace, they emphasize different aspects and interpretations. Israel argues for potential clarification of rules, Portugal focuses on human rights law application, and Sierra Leone emphasizes state sovereignty and non-intervention principles.

Approach to cybersecurity challenges

Hitachi America

Fundación Carisma

Private sector plays key role in securing critical infrastructure

Human-centric approach needed to address impacts on citizens

Hitachi America emphasizes the role of the private sector in securing critical infrastructure, while Fundación Carisma argues for a more human-centric approach that considers direct impacts on citizens. This represents a difference in focus between infrastructure-level and individual-level cybersecurity concerns.

Unexpected Disagreements

Stakeholder engagement in cybersecurity discussions

Global Partners Digital

Youth for privacy

Hitachi America

Red en Defensa de los Derechos Digitales

National University of Singapore -Centre for International Law

Global Cyber Alliance

Stakeholders provide valuable expertise and real-world understanding

Youth should be included in future cybersecurity mechanisms

Private sector plays key role in securing critical infrastructure

Civil society contributes to norm implementation and human rights protection

Academic institutions support capacity building efforts

Non-profit organizations provide neutral platforms for collaboration

While there is no direct disagreement, it’s unexpected to see such a diverse range of stakeholders emphasizing their specific roles without a clear consensus on how to integrate these various perspectives. This highlights the complexity of stakeholder engagement in cybersecurity discussions and the potential challenges in balancing different interests and expertise.

Overall Assessment

Summary

The main areas of disagreement revolve around the application of international law to cyberspace, the balance between state-centric and human-centric approaches to cybersecurity, and the roles of various stakeholders in cybersecurity discussions. There are also differences in emphasis on global versus regional approaches to confidence building measures.

Disagreement level

The level of disagreement appears moderate. While there are clear differences in perspectives and emphases, there is also a general consensus on the importance of addressing cybersecurity challenges through international cooperation and multi-stakeholder engagement. The implications of these disagreements suggest that future discussions and negotiations may need to focus on finding ways to integrate diverse perspectives and balance competing priorities in developing comprehensive cybersecurity frameworks and policies.

Partial Agreements

All speakers agree on the importance of confidence building measures (CBMs) and information sharing for cybersecurity. However, they differ in their emphasis on global vs. regional approaches. The Russian Federation focuses on the global POC Directory, the EU highlights regional initiatives, and Fiji emphasizes the value of both global and regional information sharing networks.

Russian Federation

European Union

Fiji

Global Points of Contact Directory is a key confidence building measure

Regional CBM initiatives complement global efforts

Information sharing contributes to cybersecurity and stability

Similar Viewpoints

These speakers emphasized the importance of capacity building and regional cooperation to support developing countries in addressing cybersecurity challenges and engaging in international discussions.

Ghana

Benin

Bosnia and Herzegovina

Developing countries need support to engage in international law discussions

Capacity building needed to address cyber threats in developing countries

Regional cooperation enhances cyber threat response capabilities

These speakers emphasized the importance of protecting human rights in cyberspace and adopting a human-centric approach to cybersecurity that considers the direct impact on citizens.

Portugal

Red en Defensa de los Derechos Digitales

Fundación Carisma

Human rights law, including freedom of expression, applies in cyberspace

Civil society contributes to norm implementation and human rights protection

Human-centric approach needed to address impacts on citizens

Key Takeaways

Stakeholder engagement is crucial for effective cybersecurity discussions and policy development

International law, including humanitarian and human rights law, applies to cyberspace but may need clarification

Confidence Building Measures like the Global Points of Contact Directory are important for fostering trust and stability in cyberspace

Capacity building is essential to support developing countries in implementing cybersecurity measures and participating in international discussions

Protection of critical infrastructure and addressing supply chain vulnerabilities are key priorities

Regional cooperation and information sharing enhance cyber threat response capabilities

Resolutions and Action Items

Conduct a second Global POC Directory ping test in December 2024

Organize a simulation exercise for the Global POC Directory in 2025

Increase participation in the Global POC Directory, aiming for near-universal adoption

Develop standardized communication templates for the Global POC Directory

Consider establishing a youth-focused thematic group in the future permanent mechanism

Reflect emerging convergences on international law application in the OEWG’s final report

Unresolved Issues

Exact modalities for stakeholder participation in the future permanent mechanism

Specific application of international law principles like use of force in cyberspace

Development of additional legally binding instruments for cybersecurity

Addressing geopolitical tensions impacting cybersecurity cooperation

Balancing national sovereignty concerns with international cooperation in cyberspace

Suggested Compromises

Integrate stakeholder engagement across all layers of the future mechanism while maintaining state-led nature

Focus on implementing existing norms and building common understandings before developing new legally binding rules

Use scenario-based exercises to build shared understanding of international law application without requiring formal agreements

Develop flexible, regionally-tailored approaches to critical infrastructure protection

Balance information sharing for security with protections for privacy and human rights

We see significant merits in promoting south-to-south cooperation to support the development of national positions on the application of international law in cyberspace. Facilitating exchanges among nations of the global south to share experiences and strategies in this area will be highly beneficial.

Speaker

Ghana

Reason

This comment introduces the important perspective of developing nations and proposes a concrete way to increase their participation and capacity.

Impact

It shifted the discussion to focus more on inclusion of developing countries and capacity building, with subsequent speakers like South Africa echoing similar points.

Chair, international humanitarian law, finally, is a vital building block of the edifice of international law. Ignoring it in our discussions would carry the threat of threatening the soundness of our common framework.

Speaker

France

Reason

This comment forcefully argues for the inclusion of international humanitarian law in the discussions, which had been a point of contention.

Impact

It sparked further debate on the role of IHL, with subsequent speakers like Australia and the ICRC supporting this view, while others remained hesitant.

When we see the concept of force being used in international law and when we transpose that into the cyber realm, I struggle to comprehend the concept. I think this is a concept which needs to be redefined because here it’s enough to have an algorithm, it’s enough to have a program to create something disagreeable without using force within the international definition.

Speaker

Benin

Reason

This comment challenges traditional concepts of international law and highlights the unique challenges of applying them to cyberspace.

Impact

It introduced complexity to the discussion and highlighted the need for further conceptual work on how international law applies to cyberspace.

The fact that these issues are not on the agenda has already led to problems when cooperating on incident response. The Russian technical point of contact has already begun to engage in interactions using the addresses distributed on the registry website. We’ve identified ten contacts that did not work, as well as four technical POCs who had limited powers at the national level, which left them unable to respond to our notifications.

Speaker

Russian Federation

Reason

This comment provides concrete examples of challenges in implementing the Points of Contact directory, moving the discussion from theory to practice.

Impact

It shifted the conversation towards practical implementation issues and the need for capacity building, influencing subsequent speakers to address these concerns.

Overall Assessment

These key comments shaped the discussion by highlighting the challenges of applying international law to cyberspace, emphasizing the need for inclusion of developing countries, and focusing attention on practical implementation issues. They moved the conversation from theoretical discussions towards more concrete, action-oriented proposals and highlighted areas where further work and clarification are needed. The comments also revealed ongoing tensions and differing perspectives among participants, particularly regarding the application of international humanitarian law and the readiness of states to commit to binding agreements in cyberspace.

How can the Global Point of Contact Directory be further operationalized and improved?

Speaker

Russian Federation

Explanation

The Russian Federation identified issues with non-functioning contacts and limited powers of some technical POCs, suggesting a need to refine the directory’s functionality and scope.

How can regional and global confidence-building measures be better integrated and harmonized?

Speaker

European Union

Explanation

The EU emphasized the importance of creating synergies between regional and global CBMs to avoid conflicting efforts.

How can capacity building programs be better integrated as a confidence-building measure?

Speaker

Islamic Republic of Iran

Explanation

Iran suggested strengthening the language in the final report regarding capacity building as a CBM, indicating a need for more concrete steps in this area.

How can states develop and implement effective legislation to address IoT security risks?

Speaker

United Kingdom

Explanation

The UK highlighted its product security legislation as a potential model for other states, suggesting an area for further study and implementation.

How can the multi-stakeholder community be more effectively engaged in delivering capacity building programs?

Speaker

United Kingdom

Explanation

The UK emphasized the importance of the multi-stakeholder community in delivering capacity building programs, indicating a need for further exploration of this approach.

How can sub-regional, regional, and cross-regional exchanges of lessons learned and good practices be enhanced?

Speaker

Bosnia and Herzegovina

Explanation

Bosnia and Herzegovina highlighted the importance of these exchanges, suggesting a need for further development of such initiatives.

How can specific measures for the protection of critical infrastructure be implemented in practical terms?

Speaker

El Salvador

Explanation

El Salvador proposed four specific measures, indicating a need for further development and implementation of these ideas.

How can standardized communication templates for the POC directory be developed and implemented?

Speaker

South Africa

Explanation

South Africa suggested the development of simple, easy-to-use templates, indicating a need for further work in this area.