1st Meeting of the first substantive session of the Open-Ended Working Group (OEWG)

Event report

The first meeting of the first substantive session of the Open-Ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security established pursuant to General Assembly Resolution 73/27 was opened by Mr Jürg Lauber (Permanent Representative of Switzerland to the United Nations), the Chair of the group. Lauber stressed that the OEWG represents the first opportunity for the wider UN membership to address the challenges and developments in the field of information and telecommunications in the context of international security, and encouraged all delegations to express their opinion on the issues in question.

Ms Izumi Nakamitsu (UN High Representative for Disarmament Affairs) highlighted three points. First, she stated that the OEWG is an opportunity that comes at a vital time when the malicious use of information and telecommunications technologies (ICTs) has become a shared concern of UN member states. She highlighted that the OEWG will hold an intersessional consultative meeting with businesses, non-governmental organisations, and academia on 2-4 December 2019. Second, Nakamitsu said that there is already a foundation of work on which the OEWG can build: the assessments and recommendations of the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE). Third, she emphasised that the OEWG and the GGE should work in close complementarity with each other.

The Chair put to the vote the draft organisation of the work of the first substantive session, as contained in document A/AC.290/2019/2. He then opened the floor for statements in the general exchange of views.

The delegate of the Republic of Indonesia spoke on behalf of the Non-Aligned Movement (NAM). NAM agreed with the conclusions of the GGE in its 2013 and 2015 reports, that international law, and in particular the UN Charter, is applicable to cyberspace. NAM expressed its concern about cases of illegal and malicious use of new ICTs to the detriment of its members states, as well as the militarisation and weaponisation of cyberspace. The Movement called for timely action within the UN context with a view to developing rules, norms, and confidence building measures for responsible behaviour in this domain.

The representative of the European Union (EU) spoke on behalf of the Union and its members. The EU stated that the implementation of the GGE reports by the entire UN community would significantly advance cyber stability. The Republic of North Macedonia, Montenegro, Albania, Bosnia and Herzegovina, the Republic of Moldova, and Georgia, all aligned themselves with this statement. The OEWG could provide a forum for addressing the most important issues in this regard: raising awareness around building a common understanding on implementing the rules, norms, and principles of responsible state behaviour; and, advancing common confidence building measures and global cyber resilience through capacity building programmes. The EU and its members states underlined their full support of the already existing ‘strategic framework’ for conflict prevention, co-operation, and stability in cyberspace as endorsed by the General Assembly and said that they do not see a necessity for the creation of new international legal instruments for cyber issues. The EU stated that the OEWG offers an opportunity to seek a full range of views and perspectives regarding the challenges to implementing cyber-norms across the UN membership, but also, non-governmental stakeholders. The EU representative underlined the importance of confidence building measures (CBMs) as a practical means of preventing conflicts. The role of regional organisations in this regard was emphasised, as implementing cyber CBMs in a regional setting will increase the predictability of state behaviour and could reduce the risk of conflict. Cyber capacity building is important for developing the skills and capacity to address cyber threats adequately, and to advance peace and stability through the effective implementation of norms, rules, and principles.

The representative of Antigua and Barbuda spoke on behalf of the Caribbean Community (CARICOM). He aligned CARICOM’s statement with the statement delivered by Indonesia on behalf of NAM. CARICOM has seen an alarming growth in cybercrime, which could have a devastating impact on national security, and even hamper the social and economic development of the Caribbean states. CARICOM welcomes the OEWG as a means to develop a legally-binding framework that would take into account the concerns and perspectives of all states on cybersecurity. It must be ensured that the digital divide is narrowed, and effective and accessible international cyber international co-operation is a priority for the OEWG.

Guatemala stated that it is the duty of states to update their legislation to deal with the new types of crime taking place in cyberspace. Due process must be guaranteed, protocols for dealing with the chain of custody of digital evidence must be established, and the rights of all persons safeguarded. The need to deal with cyberspace in a harmonised way is becoming more urgent, given the increasing proliferation of the various uses of cyberspace.

The representative of the Russian Federation cautioned that cyber confrontation is on the rise, and that should joint efforts to fight these threats be absent, a global ‘cyberwar’ will be just down the road. The establishment of two negotiating mechanisms – the OEWG and the GGE – intensifies and diversifies the negotiation process. However, in the OEWG, the responsibility lies with the governments and they must agree amongst themselves; while the GGE is an experts platform. These independent mechanisms should operate in parallel, but they should be mutually reinforcing, which can be achieved by a specialisation by each group. It is Russia’s opinion that the OEWG should concentrate on the rules and norms pertaining to responsible state behaviour in cyberspace, digital capacity building (assisting developing countries to bridge the digital gap), and on a thorough analysis of threats in the digital field.

India said that it is of the view that UN member states should be open and flexible to consider both the OEWG and the GGE issues with a view to working upon a common minimal denominator, which would help to develop a consensus on the contentious issues. The issue of cyberwarfare, cyber doctrines, and their impact on international security should be taken up at all relevant international fora. The impact of cybercrime and cyberterrorism on national, regional, and international peace and security, needs to be considered because international co-operation on these issues will facilitate building trust and confidence among members. The applicability of international law to the ICTs domain should be developed through open, inclusive, non-discriminatory approaches that involve all stakeholders. While the 11 norms elaborated by the 4th GGE cover a wide landscape, evolving threats require additional norms, including norms to avoid tampering with supply chains, condemn offensive cyber operations and take-downs of ICT infrastructures by botnets.

CBMs are particularly important for developing countries and should include mechanisms for practical co-operation between cyber agencies, promoting cyber dialogue, cyber capacity building, the exchange of information on cyber-threats, cyber policy law enforcement, co-operation against cybercrime and cyberterrorism, and mechanisms for the protection of information infrastructure.

Switzerland expressed its concern that cyberspace is increasingly becoming a sphere of power projection. The OEWG and the GGE should be mutually reinforcing and a regular and transparent flow of information should be maintained between them. It is important to ensure consistency between the two processes and avoid any contradiction, fragmentation, or redundancy in the activities conducted within these two processes. Their mandates are closely linked, and therefore, allow the OEWG to consolidate and build on the progressive past results of the GGE. Switzerland stated that the OEWG could focus on the progress achieved and difficulties faced in implementing existing CBMs. The representative of Switzerland also stated that is necessary to support the operationalisation of international law in the ICTs environment.

The representative of the Republic of Korea stated that his delegation recognises 11 non-binding and voluntary norms on responsible state behaviour in cyberspace from the 2015 GGE report. The representative stressed that nations should focus on the implementation of what has been agreed upon by past GGEs. In Korea’s view, the OEWG has a great advantage as a forum to focus on implementing existing rules and push forward with a practical and action-oriented approach. CBMs should be the first step to peace and stability in cyberspace. Developing and implementing CBMs to limit the risk of conflicts deriving from a misunderstanding or miscalculation must continue. Lastly, confidence building must be followed by capacity building, and they offered to participate in efforts to bridge the gap by organising annual cybersecurity training courses for countries’ experts.

The Hungarian representative aligned his statement with the statement of the EU. He added that Hungary welcomes that the OEWG is open to all UN member states and holds international consultative meetings with industry, regional organisations, non-government organisations, and academia. He underlined the role of regional organisations in developing CBMs and contributing to capacity building efforts.

The representative of Egypt stated that the OEWG should lead to meaningful agreements on three fronts. First, by compiling detailed rules based on the recommendations of the previous GGEs of 2013 and 2015, which would be politically and legally binding. Second,

the process should include an agreement on whether it is necessary to establish an institutional platform dedicated to international co-operation on safeguarding the peaceful uses of ICTs and mitigating their associated risks. A platform such as this one would enable an inclusive and transparent exchange of information on vulnerabilities and best-practices, foster international co-operation and capacity-building, issue recommendations on CBMs, and contribute to resolving possible international disputes in a co-operative and non-arbitrary manner in conformity with international law. Third, the outcome should contain meaningful recommendations on CBMs, especially for developing countries, and on international co-operation in this domain.

Germany aligned itself with the statement of the EU. The representative of Germany also stated that an essential element for Germany will be a widespread, shared, and clear understanding of the norms which would govern responsible state behaviour in cyberspace. Germany underscored the importance of multistakeholder co-operation as the basis of the efforts to develop and implement principles on Internet governance. Germany expects the OEWG to consider global CBMs and produce an end-report which will strengthen the collective understanding of the current normative framework, and address how security can be promoted. The coming focus on capacity building will be an important complementary issue.

The representative of the United Kingdom stated that OEWG discussions should rest upon the collective commitment to maintain international peace and security, promote and respect human rights and fundamental freedoms, and respect international law; for which the GGE’s 2013 and 2015 reports are important. The UK also stated that all states have a legitimate right to develop sovereign cyber capabilities, but that there is an obligation to ensure that they are used in line with existing international law. CBMs are a topic the OEWG could engage in, drawing on the work of regional groups on increasing transparency and predictability of state behaviour in cyberspace. There is an urgent need for international cyber capacity building, and the UK will promote the subject at upcoming OEWG discussions.

Iran aligned itself with the statement that Indonesia made on behalf of NAM. Iran’s representative also stated that states have a primary responsibility for maintaining a secure, safe, and trustable ICT environment. Iran is of the view that the main sources of mistrust in ICTs are the monopoly, anonymity, and ICT-based and ICT-enabled restrictive measures against other states. This necessitates concrete measures by the international community – including – through relevant CBMs. While the private sector and social media platforms should also observe the rules, norms, policies, and cultural diversity of the countries they operate in; states should consider ways to make these actors responsible and accountable. Because the ICT environment is the common heritage of mankind, it should be treated and governed through completely inclusive states-led arrangements.

Cuba stated that attempts to make cyberspace a theatre of military operations must be rejected. ICTs must be used in peaceful ways for the common good of humankind and for promoting the sustainable development of all countries. Cuba’s representative also stated that the OEWG could contribute to the adoption of a legally binding international instrument that would respond effectively to the current legal vacuums that exist in the sphere of cybersecurity.

South Africa also aligned itself with NAM’s statement. In view of the vast dangers to critical infrastructure with the intent of paralysing a city or government, South Africa believes that the norms for responsible state behaviour are very important. Adequate capacity building is needed for developing countries to be able to contribute to a peaceful cyberspace. With more complicated jurisdiction matters in today’s interconnected world, the responsibility of states to reject the use of their territories for launching attacks is more important now. South Africa encourages member states to have a long-term view of the cybersecurity architecture that will include a legally binding framework that can both hold member states accountable, and assist in the arbitration of grievances. The OEWG and the GGE should explore the complementarity of the two bodies in the area of operationalisation, and in the implementation of norms, rules, and principles on responsible state behaviour and the application of international law.

Mexico stated that the OEWG should establish compromises between all involved actors, so that they can forge ahead on the basis of shared responsibilities. The OEWG and the GGE have different mandates, but their work should be complementary, so that groups create synergies and not work in silos. Mexico will look to ensure that the groups work toward complementary goals.

The representative of Poland stated that as the OEWG is not starting its work from scratch, the focus should be on helping countries implement the already agreed upon frameworks. It is Poland’s belief that the focus of both the GGE and the OEWG should be practical action for the benefit of all countries, and not protracted negotiations. The groups have similar mandates and their main difference is their composition, but they should achieve complementary outcomes. The OEWG could make recommendations on how best to facilitate co-ordinated capacity building to address the gaps in the implementation of the 2015 GGE report. Lastly, the Polish representative underlined that the OEWG is a valuable platform for the exchange of positions and discussion that can foster a stronger common understanding of threats faced in cyberspace, and a collaborative approach to fighting them.

Nigeria stated that there is a need to establish normative frameworks for responsible state behaviour in cyberspace. The OEWG should develop proposals for dealing with the following pressing problems: attribution; disinformation, hate speech, and political interference; and, artificial intelligence (AI). For accusations of organising and implementing wrongful acts brought against states to be substantive, reliable attribution mechanisms will be needed and this requires the establishment of a neutral international cyber attribution agency. ICTs have escalated the problems of disinformation, hate speech, and political interference, and thus, a norm should be created to address this. AI can escalate some of the problems of state conducted cyber operations, and this would require an extension of the normative framework for responsible state behaviour in cyberspace to AI. There is a need for cybersecurity capacity building in developing countries to assist them in building and maintaining the required national security institutions. The representative of Nigeria stated that Nigeria hopes that the OEWG will create or bring about a legally binding international instrument. The work of the OEWG and the GGE should be complementary.

The representative of Indonesia, speaking in his national capacity, stated that the OEWG can accommodate diverse views and facilitate constructive dialogue among member states in broader engagement with other stakeholders in order to find a common ground. Indonesia encouraged a collaboration between the OEWG and the GGE to fulfil their respective mandates and to lead to practical outcomes. According to Indonesia, the OEWG’s priority should be on cyber norms that can accommodate the interests of developed and developing countries. The OEWG should identify and develop further norms and find ways to promote the implementation of the norms outlined in the GGE reports through practical guidelines. Furthermore, the OEWG needs to identify grey areas and fill the gap of ungoverned issues in cyberspace. Regular institutional dialogue under the auspices of the UN is necessary for advancing measures on cybersecurity, but establishing a new body is not necessary. The OEWG should identify the need for capacity building, taking into account each state’s particularities involving multistakeholderism, technical systems, and adequate resources for capacity building.

Colombia underlined that international law must apply to cyberspace, just as it governs the digital world, but that its application to cyberspace requires more in-depth study. Colombia also underscored that countries must have the tools that they need to effectively co-operate in the fight against cybercrime. Cybercrime is an issue that should be debated about from a technical and political standpoint by the Commission on Crime Prevention and Criminal Justice (CCPCJ). There are challenges related to cybercrime such as digital identity, co-operation with Internet Service Providers (ISPs), digital evidence, data protection, privacy, and with respect to the various rights and freedoms of persons. Columbia’s representative also stated that it is important to foster discussion at the highest level about the applicability of the UN Charter to cyberspace for maintaining international peace and security.

The representative of Singapore stated that managing cyberspace is about managing the global commons, which is why it requires a global approach based on global norms and rules. A global approach includes a strong focus on capacity building in countries that need help, and this is an area where the OEWG can make a meaningful and concrete contribution. The OEWG should build on the previous work of the GGE. A framework to guide countries to access capacity building programmes is needed, and the UN can provide training as well as disseminate information about already existing capacity building programmes. The OEWG should look at ways to mature and refine CBMs to reduce mistrust, increase transparency, help governments make rational judgments, and de-escalate tensions. Regional organisations can assist in the implementation of the cybersecurity principles developed at the UN, and can also play an important role in capacity building and CBMs. The work of the OEWG and the GGE should complement each other, and both processes need to succeed and deliver meaningful outcomes.

Thailand also aligned itself with the statement delivered by Indonesia on behalf of NAM. The inclusive and consensus-based nature of the OEWG are two elements that will drive its work forward. The OEWG and the GGE should work in a complementary manner and build upon the work of the previous GGEs. Thailand expressed its support for the organisation of capacity building activities around the world to assist competent national authorities to better respond to computer emergencies and incidents. States cannot carry out all the work within the scope of the OEWG and the GGE alone, stakeholder engagement is necessary for comprehensive and thorough discussions and deliberations on this agenda.

The representative of Liechtenstein identified trends towards an increasingly militarised cyberspace, developments in AI, pervasive data collection and manipulation, as well as cybercrime as a real security risk to states and their citizens. These trends need to be analysed thoroughly against existing legal frameworks and addressed comprehensively. The OEWG has a responsibility to contribute to the implementation of established human rights obligations by states in cyberspace, including the right to privacy, freedom of expression, and freedom of information. The OEWG can contribute to narrowing digital divides and tap the potential of ICTs for sustainable development. Cyberspace is already governed by international law, and the OEWG can help to advance the implementation of agreed upon rules, norms, and principles of responsible state behaviour and further delineate how international law applies to cyberspace.