8th Meeting of the first substantive session of the Open-Ended Working Group (OEWG)

Event report

The representative of Singapore opened the eighth meeting of the first substantive session of the Open-Ended Working Group (the OEWG), saying that confidence building measures play an important role in reducing the risks of miscalculation and misunderstanding in cyberspace. They are a practical way to foster global and regional co-operation, and to build mutual trust and confidence among states through increasing transparency and predictability. He then drew everyone’s attention to the work of ASEAN in developing confidence building measures (CBMs) regionally, as for example, in the ASEAN leaders’ statement on cybersecurity co-operation in April 2018. Such public statements represent the political will and commitment of states towards building trust and confidence. Another example is the ASEAN Ministerial Conference on Cybersecurity, held annually at the sidelines of the Singapore International Cyber Week since 2016.

The representative of Japan talked about the bilateral consultations that Japan has with a number of countries around the world. They share their view on policies, strategies, and experiences not only between diplomats, but also involving key stakeholders such as defense authorities, law enforcement agencies, and others.

The representative of Malaysia noted that the operationalisation of CBMs through regional mechanisms will provide more opportunities for effective outcomes. In Malaysia’s point of view, the list of CBM’s recommended by the 2015 GGE report are universal, it is reasonable to find ways to implement them as a whole.

The representative of New Zealand pointed out that in an environment where peace and stability reign, developing CBMs is prudent. In an environment where risk and instability is commonplace, developing confidence building measures is vital. New Zealand is looking forward to working with countries in the Pacific to continue conversations on CBMs.

The representative of Switzerland said that implementing existing CBMs could be a relatively low hanging fruit. He then shared Switzerland’s experience in the Organization for Security and Co-operation in Europe (OSCE) in implementing several CMBs contained in the GGE report. In addition to the implemented CBMs 16a and 16c, Switzerland, together with Germany, put forward a proposal to establish a consultation mechanism that would reduce the risk of misperception escalation and conflict on the level of the OSCE.

The representative of the Netherlands said that the OEWG could examine avenues for co-operation in and between regional forums and other groupings with a view to determining the most productive way to advance the development and promotion of CBMs. The group could provide guidance to internationalise some of the CBMs that already exist, and to facilitate a cross regional exchange.

The representative of China talked about extensive policy exchanges and practical co-operation on cybersecurity at the ASEAN forum and the ASEAN +3 forum. There is an established co-operation between the emergency response teams of ASEAN states. Moreover, he suggested that the OEWG can conduct studies on the related terminologies and definitions to clarify the understanding of critical infrastructure, cybersecurity, and cyber terrorism in relation to CBMs.

The representative of Chile pointed out that meetings like these are already a form of CBMs because they allow different states and parties to meet each other face-to-face and find out what each is doing. He mentioned that Chile chairs the CMBs working group in the Organization of American States (OAS). In addition, they have six bilateral MoUs with Spain, Ecuador, Colombia, Israel, Argentina, and the United Kingdom.

The representative of the United Kingdom emphasised that the implementation of CBMs is a key step and that we need to share examples of best practices, be they national or regional. She also noted that the UK is an active member of the OSCE Regional Forum. In 2013, it agreed on 16 CBMs. The CBMs promote cyber stability through co-operation between states, as well as private actors and civil society; having a multistakeholder approach is important.

The representative of Canada also talked about the participation of her country in regional initiatives, such as a workshop on sharing information as part of the ASEAN Regional Forum. In regards to the OSCE, Canada participated in several exercises, such as: use point of contact lists which enable computer incident response teams (CERTs)and Ministries of Foreign Affairs to communicate more swiftly in case of a crisis.

The representative of the Republic of Korea highlighted the importance of inter-regional dialogue on CBMs. Recently, Korea hosted the biennial inter-regional conference on ICTs and cybersecurity in close partnership with the OSCE. She suggested submitting the outcomes of the inter-regional initiatives to UN Office for Disarmament Affairs (UNODA), in written format, so that UN can play the role of the repository. Furthermore, she mentioned that there is already a useful reference tool for policymakers and experts operated by UNIDIR: the Cyber Policy Portal.

The representative of India endorsed the implementation of the recommendations on CBMs contained in the GGE reports. Additionally, he drew attention to the issue of supply chain contamination through poor design or the deliberate actions of actors. This requires the active involvement of industry as an important stakeholder in discussing CBMs.

The representative of Montenegro expressed the country’s readiness to support the work of the OEWG, since the country has been the target of several malicious cyber activities in recent years. She pointed out that the work of CERTs and their successful co-operation, especially at regional levels, could be considered to be the best illustration of de-politicised technical co-operation that could lead to normative opportunities.

The representative of Ecuador reminded everyone that what is needed are legally binding instruments. He said that what divides delegates are not their concerns, but the level of their capacities.

The representative of Austria also welcomed the idea to see a linkage between global and regional CBMs initiatives in the OEWG’s work.

The representative of Israel said that the country has been developing co-operation with other states based on information sharing on trends and patterns, and focused on working together to mitigate cyber incidents and co-ordinate appropriate remedies. Israel supports the important work that has been done by the OSCE as a Mediterranean partner.

The representative of Estonia reiterated the importance of regional organisations in CBMs. Establishing contact points, having information sharing, and early warning mechanisms, and sharing information on strategies and doctrines will promote confidence and stability in cyberspace. Estonia think that CMBs developed and implemented in regional organisations would serve as blueprints in implementing the CBMs from the 2013 and 2015 GGE reports.

The representative of Australia noted that the ASEAN points of contact directory allows countries to nominate a co-ordinating ministry, or a co-ordinating central point if a country has them. It also allows the flexibility for countries to nominate national security agencies, cyber agencies, communications agencies, and foreign ministries when appropriate, and reflects their national structure. Together with Singapore, Australia delivered risk reduction workshops in which ASEAN partners demonstrated how to use the points of contact directory. She also acknowledged the contribution of Russia and China in finalising the text of the CMBs at the ARF inter-sessional meeting in March 2019. Finally, she suggested that the OEWG report should acknowledge the regional efforts being made and also recommend the sharing of best practices.

The representative of Germany pointed that it is important not just to have channels of communication such as the CBMs, but to encourage all members to actively commit themselves to using these channels for consultations in order to reduce the risks of misperception and the possible emergence of political or military tension.

The representative of Cuba stated once again that CBMs, transparency, and capacity building do not replace the need for legally binding instruments. Additionally, he proposed a set of other measures: increase co-operation in order to grapple cyber incidents; exchange information that does not compromise the privacy of states with regard to their capacity, nor in breach of national legislation; establish a central mechanism under the auspices of the United Nations for verification among states in order to mitigate any potential misuse of attribution; establish official contact points among states, both at the technical and political levels, to ensure appropriate processing of the information exchange.

The representative of Iran noted that monopoly and anonymity in the ICT environment and on the Internet are among the main sources of mistrust between states. Iran believes that we have to reverse the current situation in terms of ownership and governance through effective CBMs. He then brought everyone’s attention to the issue of sanctions and embargo policies affecting ICTs and the Internet. Restrictions affect capacity building and hamper states from performing their obligations.

The representative of Chile took the floor again to stress the importance of involving the private sector in discussions on CBMs implementation. In middle and small sized countries like Chile, the private sector has a great capacity for detecting or preventing cyber incidents. He suggested that the Chairman invite the private sector to the inter-sessional meeting in December.

The representative of the United States provided a historical perspective on why the 2010 GGE report contained the first mention of CBMs for cyberspace. It has roots in the work of the First Committee dealing with kinetic arms and disarmament. Cyber instruments in contrast do not have external observables, thus the role of CBMs was to enable everyone to say something about the intentions of other states with respect to this technology, within the context of the First Committee. She also reminded everyone about the three major types of CBMs: transparency measures (publication of strategies and doctrines); confidence measures (establishment of technical and political points of contact); and, confidence and security building measures (CSBMs). They are aimed at preventing conflict and its out-of-control escalation, based on the example of the 1982 US-Soviet agreement on the prevention of incidents at sea.

The representative of Spain reminded all of the failed consensus of the 2017 GGE, showing that there are still pending issues that the OEWG needs to continue discussing. He asked the Chairman to prepare some guiding questions for the next meeting in February that would orient the debate.

The representative of Belgium suggested that the OEWG look at and combine all the successful regional initiatives. Furthermore, he asked whether the private sector should come on board for further discussions on CBMs.

The representative of the Syrian Arab Republic reiterated the need for legally binding instruments in addition to CBMs. Also, he noted that regional CBMs remain subject to the nature of the region and composition of its organisations.