UN OEWG 2021-2025 – Confidence building measures

31 Mar 2022 14:00h - 17:00h

Event report

The UN OEWG and GGE reports of 2021 suggested, as one of the voluntary confidence building measures (CBMs), the creation of national points of contact (PoC). This item was the focus of the OEWG discussions on CBMs during the second substantive session. The group also had extensive exchanges about the role of regional organisations and mechanisms to build on their work, and ways to involve other stakeholders. The role of the UNIDIR Cyber Portal was also discussed, and several other CBMs were reflected on.

Directory of Points of Contact

Previous discussions outlined the need to appoint PoCs on technical, policy, and diplomatic levels; additional possible PoCs were suggested, such as for law enforcement authorities (Malaysia), and even the private sector was seen as useful (The Netherlands). Chile drew attention to gender equality in decisions about PoCs, while Russia and Korea emphasised that the PoC should have authority at the national level. Russia emphasised that the PoCs should maintain political neutrality, and not be subject to international sanctions.

There was broad agreement that a directory of such PoCs should be created and maintained. At minimum, it should contain the title, name and email, and a description of a PoC. Such a directory should be functional and operational, and continuously updated (El Salvador) and tested annually (Japan), with the PoCs undergoing regular training (Jordan). Several countries (the US, the Netherlands, South Africa, Thailand) stressed the need for tests through tabletop exercises (TTX) for the PoCs, and Australia, Ecuador, and Brunei supported a model proposed by Singapore that is based on a gradual increase of complexity, and would involve all states, as well as representatives of the CERTs and their global network – FIRST.

While a number of countries called for such a directory to become a proactive network, there was a diversity of views on what such a network should be entitled to do. Russia expressed the need to create a global and regulated mechanism for interstate interaction to prevent attacks, for detecting, preventing and responding to attacks, and exchanging information about incidents related to resources within their own jurisdiction through authorised channels; such information should include technical data needed to jointly determine the source of an attack and to avoid ‘false flags’. Timor-Leste asked to establish an international coordination mechanism. Colombia asked for an inter-regional platform for direct contact between states which would include a 24/7 system, and Ghana also looked to establish a multilateral cyber hotline for crisis management. Kenya suggested that the PoCs should react to requests from other states in relation to malicious activities, crime, or terrorism – yet according to international law and the framework of responsible behaviour. According to Iraq, the network should also identify defence measures, while Colombia suggested they create a repository of responses – as well as holding bilateral, regional, and multilateral consultations.

States shared success stories from regional levels, such as the work of the cooperation and PoC network in ASEAN and the ASEAN Regional Forum, and the intergovernmental procedures for communications during crisis and regular checks in the OSCE (Russia, Australia, Cambodia, Thailand, Switzerland), and the 24/7 mechanism established by the Council of Europe Budapest Convention in response to crime (Ghana). Chile suggested that a global PoC network be built upon networks on regional levels. Costa Rica proposed that the OEWG further explore PoC experiences in regional organisations as well as the tech community, and Brazil proposed a study by the Secretariat on possible options offered by regional platforms – especially related to technical cooperation – and experiences of other fora like FIRST. Both proposals were supported by a number of countries.

Russia, The Netherlands, Malaysia and Australia, among others, further reflected on the need to define protocols and procedures for communications in a PoC network, and Indonesia added the idea of cryptographic protection of such communications. Colombia proposed that the OEWG define protocols for information management, and a related open database.

The role of regional and sub-regional organisations 

States shared examples of CBMs and their successful implementation by the regional organisations, such as the regular venue to discuss cyber norms and CBMs in the OAS, implementation of OSCE CBMs by volunteering to take leadership and responsibility over particular CBMs, or a coordination committee in ASEAN. The OAS informed that it invited its member states to endorse the UN framework. 

Several proposals were made on how to advance cross-regional exchange within the OEWG, to share experiences, best practice, lessons learned, and industry standards, and map the states’ needs. Germany, with a number of other countries, has convened an Open Cross Regional Group on implementation of CBMs, open to all interested states to join. The group is expected to provide a report on its current findings to the OEWG portal. Egypt and Chile invited the OEWG to hold formal dedicated meetings with regional bodies, while Switzerland suggested annual sessions held in different locations. Indonesia also suggested a dedicated informal dialogue. Ecuador and Denmark supported the initiative of France and Egypt to establish the Programme of Action (PoA), as a platform to strengthen CBMs by bringing in regional organisations and capacity building.

Cuba suggested the involvement of other regional and sub-regional organisations, like CELAC, while Botswana asked the OEWG to also assist sub-regional organisations to pursue CBMs. 

National survey of implementation

Following the proposal by Mexico to establish a national survey of implementation of the UN framework, several countries proposed further steps. A template and an online self-assessment tool for voluntary national reporting can be established at the UNIDIR Cyber Portal (Egypt, Timor-Leste, Costa Rica). The survey could include updates about national policies and strategies as well as PoCs, and show that these measures are interpretations of the UN framework. A repository of national surveys can help developing countries to understand the experience of other countries with implementing the UN framework and CBMs in practice. The request for submitting national surveys, however, should remain on a voluntary basis rather than being imposed, due to the limited capacities of many states to conduct it (Costa Rica).

UNIDIR Cyber Policy Portal

The UNIDIR Cyber Policy Portal is seen as a repository of PoC contacts and details, national survey submissions, and country profiles, regional experiences and lessons learned, a glossary of terms, and previous cyber incidents. Yet, several countries suggested the portal should play a more dynamic role, including: notifications and warnings of malign operations (Korea); space for discussions on possible new norms – especially in the context of emerging technologies (Malaysia); sharing information about military capabilities; and a tool for submitting official requests for response by CERTs (Jordan). Singapore proposed that UNIDIR work with the Global Forum on Cyber Expertise to conduct a study on regional CBMs, while the OAS offered its own portal as an example to study.

Multistakeholder approach

A number of countries emphasised the importance of involving non-state stakeholders in the OEWG process, and the roles they could play. For instance, Korea shared the useful offers made by non-state actors during the informal multistakeholder meeting to support states through knowledge and training; Malaysia stressed the important role the private sector should play in developing TTX; Israel shared its own experience with operating national information sharing among cyber professionals, as a possible model to study for the UN level. India tabled a proposal for the OEWG to set up a practical mechanism in the form of periodical consultations that would involve the private sector, academia, civil society, and the tech community. The proposal was supported by several countries. The EU supported the PoA that would enhance multistakeholder cooperation.

The role of the OEWG

Several statements focused on the particular role the OEWG should play with regard to CBMs in future. The EU suggested that the OEWG share tools and best practices for implementation. Uruguay stressed the critical role to develop and support implementation of CBMs on a global level. India suggested that the OEWG focus on practical areas of cooperation in CBMs, like exercises, training of professionals, ICT security advice and guidance, and studies, and compile regional experiences relevant for the international level. Other proposals included the role of the OEWG to develop guidance and recommendations.

Other CBMs

As several countries recalled the role of the OEWG as a CBM itself, Brazil underlined that this can remain valid if the OEWG manages to agree on the modalities of its work before the next session; this observation was supported by several other countries, and the Chair himself.

Germany stressed that war in Europe puts high demands on CBMs, while the EU, Austria, and Denmark warned that the Russian aggression against Ukraine undermines trust and is contrary to the CBM efforts of the OEWG.

Russia suggested exchanging national lists of areas in which critical information infrastructure operates, and categorising it. Argentina suggested developing guidelines for protecting critical infrastructure. Djibouti shared its experience with hosting a regional connection point for submarine backbone connectivity, and recalled the need to address the protection of submarine cables and their regional relevance.

Iran proposed, as a CBM, that states should refrain from restricting universal access to ICT. Similarly, Cuba asked states to refrain from adopting unilateral coercive measures that might restrict or prevent universal access. Both countries suggested that trust has to be built through the multilateral approach to internet governance, on equal footing for all states – and in particular by addressing global challenges related to anonymity, hostile content, unilateral coercive measures, and lack of responsibilities of private companies.

India invited states to share good practices on establishing and running CERTs, and on experiences with existing regional and global emergency response networks and organisations. Costa Rica suggested exploring experiences from other CBM domains like nuclear security, biological weapons, and outer space. Iran, Cambodia and Argentina supported the development of a common glossary of terms. Pakistan suggested that states work jointly on research. Japan also recalled that bilateral dialogue is crucial for developing confidence.

Pakistan also underlined the importance of vulnerability disclosure by states. The Netherlands shared OSCE experience with this issue, which outlines the importance of national policies for coordinated vulnerability disclosure and exchange. Canada reignited its call for a transparency measure: for states to share information about national cyber capabilities and conditions of their possible use in line with norms (except for any confidential data).

Ghana called for joint work on attribution of cyberattacks, and the establishment of a related adjudication council. Russia suggested that PoCs should also exchange technical data needed to jointly determine the source of an attack. Pakistan also called for cooperation to investigate the origins of cyberattacks, while keeping in mind the limited technical capacities of developing countries to address such requests.

Cuba asked for CBMs to remain voluntary, with respect for sovereignty and non-interference. China invited states not to use CBMs as a reason for cyber weapons proliferation or to impact the supply chain, and recalled that CBMs go hand in hand with rule-making. Similarly, Iran, Pakistan and Cuba called for the development of a binding international framework to regulate the ICT environment.

Capacity building as a CBM

Several states recalled that capacity-building efforts present an important contribution to building confidence and trust. Egypt called for further assistance to states to develop their national strategies. Similarly, Timor-Leste called for assistance to national cybersecurity centres to establish policies and procedures. Brunei Darussalam was invited to strengthen capacities to protect critical infrastructure and law enforcement. Thailand and Timor-Leste emphasised the importance of greater involvement of women, and praised the ‘women in international security and cyberspace fellowship’ championed by Australia.