9th Meeting of the first substantive session of the Open-Ended Working Group (OEWG)

Event report

The ninth meeting of the first substantive session of the Open-Ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security established pursuant to General Assembly Resolution 73/27 discussed capacity building.

The representative of Tuvalu spoke on behalf of the Pacific Island Forum. In 2018, the Pacific Island Forum leaders endorsed the Boe Declaration, which renewed their commitment to strengthening the regional security architecture, and to working together more effectively to address shared security threats. The leaders committed to strengthening national cybersecurity capacities, including by establishing partnerships to address a wide range of cyber-threats. These partnerships should be respectful of the receiving partner’s needs, including its national laws and regulations. The Pacific Island Forum is of the view that the OEWG should prioritise recommendations to deliver targeted and co-ordinated capacity building, taking into account the work other partners have already undertaken. Such recommendations would deliver meaningful progress towards peace and stability in cyberspace.

The representative of Japan highlighted that enhanced capacity is the key to promoting the implementation of the norms and principles of responsible state behaviour in cyberspace. Therefore, Japan actively offers capacity building support. The delegate spoke about the Japan-ASEAN Cyber Security Policy Meeting, which encompasses cyberspace trainings and exercises, as well as seminars and workshops about the protection of critical information infrastructures. Japan also established a Japan-ASEAN Cybersecurity Capacity Building Centre in Thailand, which conducts exercises for the cybersecurity personnel of government organisations and critical infrastructure providers of Japan’s partner countries. The Japan International Cooperation Agency (JICA) has various kinds of training courses and tabletop exercises targeting Asia as a whole, including the Middle East and Africa.

The representative of Malaysia stated that the fundamental elements that should be focused on in building states’ capacity in cybersecurity include people, process, and technology. Developing cybersecurity capacity should be a joint responsibility of the public and private sectors entities, as most critical infrastructures and services reside within the private sectors. Malaysia suggested that the OEWG formulates a recommendation on encouraging the private sectors to play a more serious role in building states’ capacity and capability in cybersecurity, with a view to providing more balanced roles between public and private entities, and their partnership on this matter. The recommendation should also address public-private entities’ roles in reducing the risk of cyber-threats, in particular those that may have originated from the private sector’s deficiency.

The representative of Egypt stated that particular states may not have the capacity to protect their information and communications technology (ICT) networks or to assist other states to address relevant incidents, which may represent a global threat if major ICT incidents spill over. Providing assistance for cybersecurity capacity is essential for international security because it improves the capacity of states for co-operation and collective action. Egypt recommended that the activities of the United Nations Institute for Disarmament Research (UNIDIR) focus on developing modules that could be of relevance in assisting developing countries to identify their needs. Egypt also encouraged the further development of UNIDIR’s work in capacity building and facilitating donor recipient dialogue. In Egypt’s view, the outcomes of this OEWG should include practical measures on strengthening capacity building for developing countries, and highlight the need for developing a comprehensive view and strategy on this issue.

The representative of France stated that the OEWG needs tools and strategies for capacity building. These include, in particular, strengthening and implementing national cybersecurity strategies, help in defining the national legislative frameworks to promote cybersecurity and frameworks for the protection of critical infrastructure, as well as co-operation measures with the private sector.

The representative of The Republic of Korea stated that facing cyber challenges caused Korea’s private and public sectors to continue to ramp up their cybersecurity capacity and resilience. Korea suggested that information on cybersecurity capacity building programmes of all member states should be included on the UNIDIR Cyber Policy portal or another relevant website for the reference of all member states.

The representative of Algeria stated that capacity building is essential for international peace and security, and may also help reduce the digital divide. It also strengthens confidence between states and helps countries understand the governance of cyberspace. It is important to assist developing countries to build their capacities, and it should include training sessions, strengthening exchanges of best practices and a better understanding of technologies. It is also important to help these countries put in place programmes and technological means in order to protect their security. Furthermore, it is important to develop measures for mutual assistance in order to be able to swiftly respond to cyberspace incidents and to deal with the consequences of these events. Scientific research should be funded and focus should be put on the development of threats and the ways to counter them. The OEWG should look at the gaps in capacities, and identify what the states’ needs are.

The representative of New Zealand aligned its statement with the statement of the Pacific Island Forum. New Zealand seeks a partnership approach in its capacity building efforts, which requires understanding the perspectives of its partners, particularly on addressing emerging cybersecurity issues and developments like the Internet of Things (IoT), and the migration to cloud and big data technology. New Zealand is also of the view that capacity building should enable a prosperous digital economy. There is space to ensure all regions have the opportunity to access capacity building support and New Zealand would welcome the opportunity to hear such views.

The representative of Singapore spoke about capacity-building programmes in the Association of Southeast Asian Nations (ASEAN). In Singapore’s view, capacity building must be conducted in a holistic and multidisciplinary manner, going beyond technical and operational cyber capacities to cyber policy development and the creation of effective legislative frameworks. Singapore also underlined that member states need to assess the effectiveness of each capacity building programme towards achieving the best capacity building outcomes, and to revise those that do not work.

The representative of the United States referenced a set of consensus UN resolutions that outline best practices for national approaches to cybersecurity and which established five best practices pillars for national cybersecurity: a national strategy, government – private sector collaboration, deterring cyber crime, national incident management capabilities, and the culture of cybersecurity. The US underlined that cyber capacity building activities should target a range of government officials with cyber responsibilities, including senior officials, policymakers, and technical staff from Ministries of ICT, Foreign Affairs, Justice, Interior, Defence, and other offices in the executive and legislative branches. The US briefly outlined its work in cybercrime capacity building which is based on recognised national best practices, as well as its work on capacity building efforts on the framework for responsible state behaviour in cyberspace. The OEWG could play an important role in publicising the steps taken by states to implement these best practices and the GGE’s recommendations, opportunities for education and dialogue, identification of gaps, and other forms of transparency and information sharing.

The representative of the Netherlands underlined that international cyber capacity building can ensure that states are able to adhere to the framework of responsible state behaviour and can help achieve the sustainable development goals (SDGs). The OEWG could take some of the following steps to enhance capacity building: ensure adequate awareness of the importance of ICT security issues at the political level; commit to building institutions where necessary, and develop policies to co-ordinate ICT security efforts; commit to developing, adopting, and implementing national cybersecurity strategies; identify which steps need to be taken in order to adequately implement the norms and confidence building measure (CBMs) that were agreed upon in the previous GGE reports. In this regard, the OEWG could welcome the various instruments and ongoing work for international cyber capacity building, such as the Global Forum on Cyber Expertise (GFCE).

The representative of Costa Rica stated that capacity building needs to first serve the purpose of closing the digital divide between countries. Capacity building does not only include building capacity at a national level, but it is also a tool for confidence building between states. Capacity building also needs to be geared towards developing the capacity of the diplomats of those countries with the least amount of knowledge and know-how, so that in time, the OEWG could have a wider membership. Costa Rica also underlined the regional efforts in capacity building.

The representative of Israel believes in impact based assistance, harnessing the wider development community to achieve sustainable and meaningful capacity building. Hence, Israel has provided project-based assistance to other states, which includes strategy formulation, national skills gap analysis, computer incident response teams (CERTs) development roadmap, critical infrastructure protection scheme development, and support for national training initiatives. Israel has also held workshops, clinics, study tours, and seminars focusing on sectoral or professional cyber themes, such as banking operations, energy, law enforcement, and more. In Israel’s experience, bilateral as well as existing multistakeholders frameworks and international financial institutes are effective channels for enhancing capacity building, and they provide good grounds for co-operation in this field.

The representative of Greece noted that the practical steps taken so far by the international community regarding cybersecurity are beginning to take root. He pointed that national cybersecurity defence approaches alone cannot alleviate the risks. Contrary to other conventional defence strategies, the sovereign cyber resilience of a nation is also, to some degree, co-dependent on the cybersecurity capacities and capabilities of other nations. Cyber capacity not only builds resilience, but also limits the offensive capabilities of malicious state actors and strengthens the collective capability to accurately attribute cyber-attacks. Therefore, capacity building may increase accountability, as well as limit the impunity of malicious behaviour in cyberspace.

The representative of the United Kingdom said that capacity building for digital access should go together with cybersecurity capacity building, and it should be tailored to national priorities. This is a two-way process, as countries learn from each other’s experience. She suggested that the report could have some concrete recommendations, perhaps, 5 to 10 areas focusing on capacity building. She noted that multistakeholder engagement is vital since states do not have expertise on every issue.

The representative of the European Union said that they strongly support – either through direct engagement with countries or through bilateral contacts and multilateral institutions – a range of programmes to assist countries with developing their capabilities to address cyber incidents, as well as initiatives to exchange best practices. He added that the EU prepared a paper on this topic and will share it through the secretariat.

The representative of Canada also noted that capacity building should be multistakeholder, and in particular, involve the technical community that has unique insights on how CERTs can function and co-operate in information sharing. She pointed out that capacity building is not only about the technical part, but that it enables states to participate in discussions and gives them a space to be heard. Finally, she remarked on the importance of gender balance and the participation of women in capacity building efforts and mechanisms.

The representative of India shared their experience of national capacity building efforts under the national e-government plan, including training programmes through public-private partnerships, change of educational curricula, training of law enforcement agencies to investigate cybercrimes etc. He pointed out that after the completion of trainings, there should be an appropriate mechanism for the measurement of impact and reach in the state.

The representative of Estonia stressed the importance of cybersecurity for doing business online. Estonia have put a lot of effort into the promotion of the Budapest Convention on Cybercrime and engaged in technical co-operation to build the capacity of other countries in this area. Also, Estonia is leading the initiative to establish an EU cyber capacity building network (EU–CyberNET), which aims to systematise the cyber capacity building efforts of the EU, in order to enhance the effectiveness of training offered to partner countries.

The representative of Mexico said that the creation and strengthening of capacity should be seen in two different ways: what relates to technical matters, and what relates to international policy or cyber diplomacy. Regarding gender equality, Mexico hosted an event called the ‘Cyber Women Challenge’, to strengthen capacity and to raise awareness on the issue of women in cybersecurity.

The representative of Cuba noted that we continue to face limitations in regards to accessing new technologies due to the imposition of coercive unilateral measures and the monopoly of the transnational ICT companies. As for capacity building, he said that it is important to consider that the implementation of these measures should be guaranteed without any conditions, discrimination, or interference in the internal affairs of states. Also, there is a need to lift the sanctions and unilateral measures that prevent developing countries from having access to new information technologies.

The representative of Australia said that they have a USD$34 million cyber co-operation programme and over 40 projects through the Pacific region. She spoke about the Asia-Pacific cybersecurity operations network. Australia is chairing the Asia-Pacific CERT community, and the Asia-Pacific cybersecurity operations network which helps their partners in the Pacific who do not have their own CERTs. Finally, she suggested that the OEWG look at better co-ordination of capacity building efforts.

The representative of Iran highlighted that a regional approach to capacity building may result in some regions being left behind, because some regions may be of no interest to donor countries for capacity building. Thus, one of the recommendations of the OEWG should be a kind of global capacity building architecture led by the UN. He also mentioned the problem of sanctions and restrictive measures hampering capacity building efforts of some countries.

The representative of Bangladesh said that the country had conducted a study on capacity gaps in their cybersecurity policy and strategy. It turned out that there are gaps in almost all the spheres, but those in need of immediate attention are cybersecurity culture in society, and cybersecurity education, training, and skills. He shared other examples of national capacity building efforts, including the Bangladesh National Digital Architecture and national CERT co-operation with friendly countries. Also, Bangladesh signed an agreement with Microsoft’s digital crimes unit to build the capacity of their cybersecurity experts.

Finalising the ninth meeting of the first substantive session of the OEWG, the Chairman briefly summarised the main discussion of the past working week. He shared a working plan for the OEWG for the coming months. By the end of the year he will come up with a draft paper that will contain a preliminary structure of discussions within the OEWG and ideas and proposals put forward by the delegates. In February, after the second session, he will prepare a first raw draft of the OEWG report and it will be discussed at two short inter-sessional meetings by the delegates. Then, he will collect the delegates’ feedback and prepare the draft report by May, which will be the basis for the final negotiations in July. Moreover, Singapore will chair the informal inter-sessional meetings with other stakeholders and will prepare a paper with the outcomes for the delegates’ consideration.