1st Meeting of the third substantive session of the Open-Ended Working Group (OEWG)

8 Mar 2021 16:00h - 18:00h

Event report

The third substantive session of the OEWG was opened by Ambassador Jürg Lauber. After introductory remarks were given by Ms Izumi Nakamitsu (Under-Secretary-General and High Representative for Disarmament Affairs) and Lauber, delegations began stating their opinion on the First Draft of the Substantive Report with the view to negotiate the provisions of the final report by the end of the session on 13 March. In this first meeting, 16 delegations had taken the floor.

Introduction

In the section ‘A. Introduction’, five states requested edits to the text: China, South Africa, Islamic Republic of Iran, Australia, and the USA.

Paragraph 1

Iran and the USA proposed edits to paragraph 1 of the Introduction, which is as follows in the First Draft Report:

‘Despite the radical transformations the world has experienced since the United Nations was founded 75 years ago, its purpose and timeless ideals retain foundational relevance. Alongside the reaffirmation of their faith in fundamental human rights, and their commitment to promote the economic and social advancement of all peoples and to establish conditions for justice and respect of international law, States resolved to unite their strength to maintain international peace and security.

The USA noted that there is a reference to ‘fundamental’ human rights in the third line of the paragraph, which is not congruent with usual nomenclature of the UN ‘human rights and fundamental freedoms’. It was therefore suggested that this should be aligned with the UN Declaration of Human Rights, which does not contain a hierarchy of human rights. On the other hand, Iran put forward that the entire paragraph should be deleted as the country believes the paragraph does not have added value and is redundant.

Paragraph 2

Australia requested the deletion of the phrase ‘for the common good of humankind’ from paragraph 2, as this reference is covered by the references to progress, development, and expanding opportunities for cooperation earlier in this paragraph. The paragraph is as follows in the First Draft Report:

‘2. Developments in information and communications technologies (ICTs) have implications for all three pillars of the United Nations’ work: peace and security, human rights and sustainable development. ICTs and global connectivity have been a catalyst for human progress and development, transforming societies and economies, and expanding opportunities for cooperation for the common good of humankind.’

Paragraph 3

Iran suggested minor changes to paragraph 3, which is as follows in the First Draft Report:

‘3. The imperative of building and maintaining security and trust in the ICT environment has never been so clear. Negative trends in the digital domain could undermine international security and stability, place strains on economic growth and sustainable development, and hinder the full enjoyment of human rights and fundamental freedoms. These trends include the growing exploitation of ICTs for malicious purposes.‘

Iran’s proposal is that the phrase ‘and hinder the full enjoyment of human rights and fundamental freedoms’ be deleted from the paragraph, and that the word ’exploitation’ be replaced with the word ‘use’. Iran also noted their appreciation and support of the proposed changes by China and Cuba in this paragraph.

Paragraph 4

Paragraph 4 of the First Draft Report is as follows:

‘4. The current global health crisis has underscored the fundamental benefits of ICTs and our reliance upon them, including for provision of vital government services, communicating essential public safety messages, developing innovative solutions to ensure business continuity, accelerating research, and helping to ensure continuity in education and social cohesion through virtual means. In this time of uncertainty, States, as well as the private sector, scientists and other actors, have leveraged digital technology to keep individuals and societies connected and healthy. At the same time, the COVID-19 pandemic has demonstrated the risks and consequences of malicious activities that seek to exploit vulnerabilities in times when societies are under enormous strain. It has also highlighted the necessity of bridging digital divides, building resilience in every society and sector, and maintaining a human-centric approach.’

Iran noted that only part of the first sentence of paragraph 4 should be kept in order to read: ‘The current global health crisis has underscored the fundamental benefits of ICTs and our reliance upon them.’ The country has advocated that the rest of the paragraph should be deleted, as proposed by Russia in their written statement on the Zero Draft Report, with the justification that it does not have relevance to the mandate of the OEWG and in particular to the context of international security.

On the other hand, South Africa proposed an edit of the last sentence to add reference to maintaining a technology neutral approach. The sentence would then read: ‘It has also highlighted the necessity of bridging digital divides, building resilience in every society and sector, and maintaining a human-centric and technology neutral approach.’

Paragraph 7

Paragraph 7 of the First Draft Report is as follows:

‘7. The OEWG represents the latest milestone in international cooperation towards an open, secure, stable, accessible and peaceful ICT environment. On six occasions since 2003, groups of governmental experts (GGEs) have been established to study existing and potential threats in the sphere of information security and possible cooperative measures to address them. Through their three consensus reports (2010, 2013 and 2015 ), which are cumulative in nature, these Groups have reaffirmed that international law, in particular the Charter of the United Nations, is applicable and essential to maintaining peace, security and stability in the ICT environment. They also recommended 11 voluntary, non-binding norms of responsible State behaviour and recognized that additional norms could be developed over time. Furthermore, specific confidence-building, capacity-building and cooperation measures were recommended. In General Assembly resolution 70/237, Member States agreed by consensus to be guided in their use of ICTs by the 2015 GGE report, thereby consolidating an initial framework for responsible State behaviour in the use of ICTs.’

In Iran’s view, paragraph 7 should be deleted because the notion reflected in this paragraph has been repeatedly contested by some delegations, underscoring that linking the work of the OEWG to the GGE is not acceptable. Iran also underlined that there is no need or justification to have the GGE in parallel with the OEWG with the same mandate.

Paragraph 8

The first sentence of paragraph 8 of the First Draft Report reads as follows:

‘8. Building on this foundation, the OEWG has sought common ground and mutual understanding among all Member States of the United Nations on a subject of global consequence.’

The USA suggested that the first part of the sentence be edited to ‘building on and reaffirming this framework’. The edit would connect paragraph 8 with paragraph 7, clarifying which foundation is referred to. The addition of the word ‘reaffirming’ was explained as ‘before we need to build on something we need to reaffirm it.’

Paragraph 9

Paragraph 9 of the First Draft Report reads as follows:

‘9. While States are ultimately responsible for the maintenance of international peace and security, all stakeholders have a responsibility to use ICTs in a manner that does not endanger peace and security. As the international security dimension of ICTs cuts across multiple domains and disciplines, the OEWG has benefited from the expertise, knowledge and experience shared by representatives from inter-governmental organizations, regional organizations, civil society, the private sector, academia and the technical community. The three -day informal consultative meeting of the OEWG held in December 2019 produced a rich discussion between States and a wide variety of other stakeholders. In addition, these stakeholders have provided concrete proposals and examples of good practice through written contributions and informal exchanges with the OEWG. Some delegations have also conducted multi-stakeholder consultations at their own initiative to inform their contributions to the OEWG.’

Australia proposed a minor edit to the first sentence to read: ‘While States are primarily responsible, […]’ Iran’s edits were more extensive, with its suggested text being ‘While states have primarily responsibility for the maintenance of international peace and security, all stakeholders, including private sector with extraterritorial impacts including platforms for their behavior in ICT environment, have a responsibility to use ICTs in a manner that doesn’t endanger national sovereignty, peace and security, and public order of the states.’

Paragraph 11

This paragraph of the First Draft Report reads as follows:

‘11. The OEWG welcomes the high level of participation of women delegates in its sessions and the prominence of gender perspectives in its discussions. The OEWG underscores the importance of narrowing the “gender digital divide” and of promoting the effective and meaningful participation and leadership of women in decision-making processes related to the use of ICTs in the context of international security.’

Iran supported Russia’s suggestion to delete this paragraph in Russia’s amendments to the Zero Draft Report, because it does not have direct relevance to the support and mandate of the OEWG.

Paragraph 12

This paragraph of the First Draft Report reads as follows:

‘12. The OEWG recognizes the importance and complementarity of specialized discussions on aspects of digital technologies addressed by other UN bodies and fora. These topics include matters related to sustainable development, human rights (including on data protection and privacy, freedom of expression, and freedom of information), digital cooperation, Internet governance, cybercrime and the use of the Internet for terrorist purposes.

Iran supported the proposal of Chinese delegation to delete this paragraph.

Australia noted that they support the sentiment of the paragraph, but that it needs to be tweaked to accurately reflect the legal obligations. For example, data protection in and of itself is not a human right and the delegation suggested that the term data protection be retained but moved later in the paragraph so that it is not conceptualised as a human right. They also suggested that references to freedom of expression and freedom of information be amended to reflect Article 19 of the International Covenant on Civil and Political Rights (ICCPR).

The USA also noted that the list of human rights in this paragraph is not accurate. The only human right listed is freedom of expression. The delegation suggested that the wording in the parentheses in the second sentence of the paragraph reads as follows: ‘including those involving data privacy and privacy, freedom of expression, and freedom of information), […]’

Paragraph 13

This paragraph of the First Draft Report reads as follows:

‘13. The OEWG underscores that the individual elements comprising its mandate are interrelated and mutually reinforcing, and together promote an open, secure, stable, accessible and peaceful ICT environment. International law governs relations and interactions between States, and norms set expectations of responsible State behaviour. Measures that build confidence and capacity reinforce adherence to international law, encourage the operationalization of norms, provide opportunities for enhanced cooperation between States, and empower each State to reap the benefits of ICTs for their societies and economies.’

For this paragraph, Iran supported the suggestion of the Russian delegation to the Zero Draft to delete the second sentence of this paragraph. Australia would prefer that the second sentence of the paragraph notes that ‘norms reflect expectations of responsible State behaviour’.

Existing and emerging threats

Paragraphs 16-18

The Chinese delegation read out China’s amendments to paragraphs 16-18 of the First Draft Report in full.

‘16. States agreed that more states are developing ICT capabilities for military purposes and the likelihood of using icts in conflicts between states is rising. The continuing increase in incidents involving the malicious use of icts by States and non-state actors including terrorists and criminal groups is a disturbing trend. Some non-state actors have demonstrated ICT capabilities previously only available to states.’

‘17. States also agreed that any use of ICTs by states in a manner inconsistent with the framework of responsible behavior of states undermines international peace and security, trust and stability between states, and may increase the likelihood of future conflicts between states.’

‘18. States agreed that there are potentially devastating security, economic, social, and humanitarian consequences of malicious ICT activities and critical infrastructure and critical information infrastructure supporting essential services to the public such as but not limited to medical facilities, financial, energy, water, transportation and sanitation. Such infrastructure may be owned, managed or operated by the private sector, may be shared or networked with another state or operated across different states. As a result, interstate or public-private cooperation may be necessary to protect its integrity, functioning and availability.’

China’s edits to these paragraphs were supported by Iran.

Paragraph 19

Paragraph 19 of the First Draft Report reads as follows:

‘19. States also agreed that ICT activity contrary to obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public, poses a threat not only to security, but also to economic development and livelihoods, and ultimately the safety and wellbeing of individuals.’

The Chinese delegation requested that ‘state sovereignty’ is added after ‘not only security’. This edit was supported by Iran.

Paragraph 20

The first sentence of the paragraph 20 of of the First Draft Report reads as follows:

‘States agreed that a lack of awareness and adequate capacities to detect, defend against or respond to malicious ICT activities introduce new vulnerabilities as all countries are increasingly reliant on digital technologies.’

The Chinese delegation proposed that the sentence be amended to: ‘States agreed that a lack of awareness and adequate capacities to detect, defend against or respond to malicious ICT activities introduce new vulnerabilities as all countries are increasingly reliant on digital technologies.’ This edit was supported by Iran.

Malicious use of ICTs

Suriname, on behalf of CARICOM, noted its concern about the implications of the malicious use of ICTs by states and non-state actors. The EU and its member states noted they attach particular importance to the use of ICTs for malicious purposes, notably those with systemic effects that might affect supply chains, critical infrastructure and essential service medical facilities, democratic institutions, the full enjoyment of human rights and processes, and economic security and development (including through cyber-enabled theft of intellectual property). The EU delegation also noted that the EU and its member states acknowledge the threats against the general availability or integrity of the public core of the internet, and the threat of malicious interference by foreign actors aimed at undermining electoral processes – including through malicious cyber activities – that disrupt the infrastructure essential to these processes. The delegation suggested that the reference to the public core of the internet be reviewed in line with these comments.

It is important to add a reference to the concern regarding the development of ICT capabilities for purposes that undermine international peace and security in this chapter, Egypt highlighted. This was supported by Australia.

South Africa expressed concern over the trend of non-state actors developing capacities previously only designated for state, underscoring the need for stronger governance over non-state actors. The delegation also emphasised that some states are in a position to develop strategies for resilience, while most developing countries pursue prevention strategies. They also brought up the need to acknowledge that threats affect vulnerable groups differently.

A technology-neutral approach

Another important reference Egypt proposed to be added would highlight that measures to promote responsible state behavior should remain technology neutral, underscoring that it is the misuse of technologies – not the technologies themselves – that is of concern. This was supported by Australia.The Pacific Island Forum (PIF) also noted a technology-neutral approach.

On critical infrastructure

Strengthening measures to protect critical infrastructure from ICT threats, including through technical cooperation and capacity-building programmes is a crucial area of convergence, the Czech Republic noted. South Africa noted that in most countries, civilian and military infrastructure is shared and the lack of distinction means civilian critical infrastructure primarily meant to deliver essential public services may be the target of a malicious attack.
Germany noted its support for the clarification in paragraph 18 that the list of critical infrastructures is non-exhaustive and can be further expanded. According to Germany, this clarification effectively addresses concerns of some states about the national prerogative to determine critical infrastructure.

Other considerations

The EU also noted that undermining the implementation of the GGE reports could have destabilising effects and bring enhanced risks of conflict and would denigrate the achievements of the international community to date, constituting a threat in itself.

Iran proposed that a new paragraph is added to the end of the section, to read as follows: , ‘States agreed to continue to study with the view to promoting common understanding existing and potential threats in the sphere of information security, inter alia data security, within the new open-ended working group established under the UNGA resolution A/RES/75 /240.’

The need to have a monitoring mechanism and a national implementation survey should be emphasised in the final version of the report, Mexico stated.

International law

On applicability of international law to the use of ICTs

The PIF countries and Egypt underlined the applicability of international law to the use of ICTs in the context of international security. The PIF countries and CARICOM highlighted the applicability of the UN Charter. The delegation also expressed support for the recommendation on sharing national views on how particular principles of existing international law apply to the use of ICT in the context of international security. PIF countries also supported the establishment of a central repository of these views.

The PIF countries and Egypt supported calls to enhance efforts in promoting the application of existing international law to cyberspace, including efforts to build capacity and strengthen national legislation and policy in order for all states to develop an understanding on how international law applies to the use of ICTs.

On the role of previous GGE reports

Germany underlined that the explicit reaffirmation of the contents of the GGE 2015 report at the beginning of section B should not be questioned, as the UN GA agreed by consensus to be guided in the use of ICTs by the 2015 GGE report and its section on international law.

The need for a legally binding instrument

There is a need for a new legally binding instrument, Iran and Belarus noted. Iran noted that the current international law has not been effective in securing a safe ICT environment, which is why a new legally binding obligation – that would limit the discussions on implementation of the 11 norms of the GGE 2015 – is needed. Belarus similarly noted that current international law cannot be applied to the use of ICTs. The delegation specified that they support the development and adoption of new norms and legally binding documents in this area.

CARICOM stressed that the development of any International legal framework to address ICT-related challenges in the context of international security must take into account the concerns of all states, and be transparent, inclusive, and democratic in nature.

South Africa noted that the paragraph 17 of the First Draft Report is better placed in the international law section of the report. The paragraph reads as follows:

‘17. States also agreed that any use of ICTs by States in a manner inconsistent with their obligations under international law undermines international peace and security, trust and stability between States, and may increase the likelihood of future conflicts between States.’

Rules, norms and principles

The PIF countries and CARICOM welcomed the emphasis of the GGE 2015 report and its norms in the First Draft Report. CARICOM also noted that the GGE 2015 report should serve as the basis of further discussions on norms in the next OEWG, and requested that the non-paper on rules, norms, and principles be added to the final report of the OEWG. The PIF countries also stressed that the reports should prioritise practical recommendations that raise awareness of the norms, their purpose, and their implementation.

The PIF countries and Côte d’Ivoire also welcomed the clarifications in the reports that the voluntary norms do not replace or alter states’ obligations under international law. The PIF countries noted that the further development of norms and the implementation of existing norms are not mutually exclusive but could take place in parallel. Côte d’Ivoire stated that voluntary non-binding norms that are accepted by all could supplement international law. Such norms would open the way towards binding norms in the future if necessary.

Iran disagreed that the next OEWG should discuss the 11 voluntary norms contained in the GGE 2015 report.

Confidence building measures (CBMs)

Developing CBMs

CARICOM emphasised that CBMs must be developed in an adaptable manner that is appropriate to their specific contexts and priorities. The delegation noted that CBMs should be implemented at the regional and sub-regional levels taking into account differentiated capacities. The PIF countries also underlined the role of regional organisations in developing and taking forward CBMs.

Proposals for establishing repositories

The delegations of Côte D’Ivoire and the PIF countries noted their support for the proposal to create a global repository of CBMs under the auspices of the UN. The Czech Republic and Côte D’Ivoire supported the establishment of a global repository of national contact points with a view to promote diplomatic, political, and technical exchanges. In the view of the Czech Republic, this is a key prerequisite to the OEWG’s work on additional CBMs at the UN level.

On the other hand, Iran noted it is not in a position to subscribe to any proposal to create repositories.

Capacity building

Guiding principles for capacity building

The PIF countries underlined some of the principles which are already identified in the report: national ownership, sustainability, non-discrimination, and political neutrality. CARICOM also underlined some of the principles which are already identified in the report: ‘national ownership, sustainability, non-discrimination and importantly furnishing with the necessary financial resources, equipment and training opportunities in this regard.’ Côte d’Ivoire underlined the principles of neutrality, confidentiality, and respect for human rights, as well as the sovereignty of states.

Needs-based arrangements

Multiple delegations, namely Côte d’Ivoire, the PIF countries, and CARICOM, noted that the priorities, specific needs, and contexts of states need to be taken into account when forming cybersecurity capacity-building partnerships.

Coordination

Côte d’Ivoire emphasised sharing of experiences and good practices, as well as coordination through a better rationalisation of resources. The PIF countries noted the usefulness of a global coordination mechanism that could assist countries to match needs with capacity-building providers.

Voluntary survey

The PIF countries, CARICOM, and the Czech Republic expressed their support for the inclusion of the ‘National Survey of Implementation of United Nations General Assembly Resolution 70/237’ in the report. The survey serves as a model survey ‘to inform the Secretary-General of the countries views and assessments on Developments in the field of ICTs in the context of international security and to include additional information on lessons learned and good practice related to capacity building programmes and initiatives.’

Regular Institutional dialogue

The delegations brought forth different views about the form of regular institutional dialogue.

The UN

The UN should be the main platform for regular institutional dialogue, CARICOM noted. Côte d’Ivoire stated that regular institutional dialogue should be held under the auspices of the UN to ensure synergy with the First Committee of the UN GA. The delegation also stated that there must be the ultimate fusion and combination of different fora on cybersecurity in the UN.

The First Committee of the UN GA

The First Committee could be utilised for the future institutional dialogue and not to duplicate existing initiatives across the UN system, stated the PIF countries.

Programme of Action

The EU and its member states, as well as national delegations of Greece and the Czech Republic endorsed the Programme of Action (PoA). CARICOM stated it is open to consider the proposal for the establishment of the PoA. The Czech Republic noted that the PoA could draw on the inclusivity of the OEWG and the achievements of the past GGEs, thereby bringing the existing first committee processes on ICT security back to a single consensus track.

The OEWG

Belarus noted that recommendations on the creation of a PoA as well as other proposals should be considered jointly together with proposals on the work of the new OEWG and be subject to consideration within the mandate of the group, to ensure that a duplication of efforts and a drop in effectiveness be avoided.

CARICOM noted that ‘the work culminating in this report can serve as an excellent starting point for the work of the new working group.’ This would establish continuity between the two processes.

Lastly, Iran stressed that it recognises the OEWG Process as the sole multilateral and inclusive intergovernmental body to address the mandate detailed in the paragraph 5 of the UNGA Resolution A/RES/73/27.