The second meeting of the first substantive session of the Open-Ended Working Group (OEWG) started with the representative of the Philippines saying that the country had suffered a range of serious cyberattacks and that their concerns about information security are reflected in the national cybersecurity plan and national security strategy. She noted that the international community has been developing a number of multilateral instruments to counteract malicious cyber activity and that they are at times co-operative, and at others, competitive. For this reason, she put forwards six suggestions: international and regional co-operation among states to reduce and anticipate risks, and protect critical national and international infrastructures; multistakeholder engagement to prevent cyber conflict and restrict offensive cyber operations by non-state actors; easier cyber incident attribution; the standardisation and universalisation of national legislations by sharing best cybersecurity practices; and, provision of assistance to states that lack the capacity to thwart cyber-threats.
The representative of Bulgaria said that an effective multilateral cybersecurity system can only be based on the existing international legal frameworks, which include the United Nations Charter and existing international law. Attempts to introduce new international legal instruments would not lead to the enhancement of global cybersecurity and could undermine the existing national and international legal frameworks.
The representative of Estonia said that the four pillars, previously agreed upon by the GGE: applicability of international law in cyberspace; norms of responsible state behaviour; confidence building measures (CBMs); and, capacity building, should guide the work of the OEWG. He mentioned that existing international law is sufficient to guide state conduct and that no new international legal instruments are needed. Estonia has supported several academic studies analysing how the existing international law applies. Moreover, the country has a flexible and innovative national cybersecurity model which it is willing to share with other states interested in improving their resilience. The success of the OEWG relies on the active participation of all states and widespread discussions with other stakeholders. Participants should look at how to pool common resources to advance international security and stability, as well as expand the global understanding on the framework of international cyber stability.
The representative of Costa Rica stressed that respecting human rights and privacy should be the focus of the group’s work. In addition, there should be co-operation between national, regional, and international actors, including participation and input from other stakeholders, to develop rules, norms, and principles in information security, as well as measures to promote transparency and confidence building to address these issues in a holistic manner.
The representative of Canada shared how the OEWG can fulfil its mandate: while building on consensus reports of previous GGEs, the group should develop concrete and practical guidance on norms implementation. The OEWG can help explain what the norms mean in practice and provide concrete assistance for states and regional organisations when it comes to implementation. Canada noted that numerous member states are not well equipped to implement existing commitments, thus Canada, together with other states and regional organisations, is investing in capacity building workshops. The representative highlighted that human rights organisations, academia, and the private sector should be included in this process and their input should be reflected in the OEWG report. However, she expressed a regret that only organisations with a UN Economic and Social Council (ECOSOC) status were accredited to formally participate in the meeting. Finally, Canada suggested exploring ways in which the active engagement of women in discussions on negotiation strategies and capacity building programmes could be increased.
The representative of Japan said that they will work in both the OEWG and the GGE. In the meantime, Japan is strengthening co-operation on an international level by promoting the rule of law, CBMs, and capacity building. On the national level, they have a robust national cyber policy, which is a good basis for a steady implementation of the results of the OEWG and the GGE discussions. Additionally, Japan took the initiative to establish the intersessional meeting on cybersecurity. At the ASEAN Regional Forum, together with Singapore and Malaysia, they proposed a set of concrete measures to build confidence in cyberspace.
The representative of Argentina claimed that both groups can work in a complementary manner. However, the important question now is to define how states understand the applicability of international law to cyberspace. Moreover, various groups of states or regions can develop their own framework for understanding, but, it is in everyone's interest that the international community continue to achieve greater consensus at the global level. Argentina promotes the peaceful use of cyberspace and believes that the cybersecurity agenda should be seen in an interrelated manner with the international legal framework, which is applicable, and would promote and protect human rights as well. In conclusion, the representative of Argentina shared the country’s efforts in addressing cybersecurity and CBMs in the region.
The representative of Brazil noted that the OEWG will not have to start its discussions from scratch, but will build on the GGEs experience and outcomes. Moreover, there should be a meaningful dialogue with representatives from the private sector, academia, and civil society as mandated by the resolution. Brazil believes that international law, including international humanitarian law and international human rights law applies to cyberspace. This applicability must not be understood as legitimising the transformation of the cyber environment into an arena for military conflict. This understanding should force restraint from all states and contribute to the maintenance of a safe, secure, stable, and prosperous information and communications technology (ICT) environment.
The representative of Finland said that the OEWG can provide added value by focusing on existing and potential threats in cyberspace, as well as available co-operative means to address them. We should explore confidence building measures to prevent and mitigate misunderstandings and miscalculations in the event of cyber incidents. The gaps in the implementation of the recommendations contained in the GGE reports need to be addressed. He stressed the importance of reaching out to all interested stakeholders of cyberspace. Trust between states, and the trust of citizens and communities in their states, needs to be built on the rule of law and human rights. Finally, he mentioned that the true success of this working group is not measured by the number of paragraphs, that ‘we are not here to rewrite international law that already provides a solid framework for cyberspace, but generate trust between states to work together in this domain’.
The representative of New Zealand said that the group should seek to familiarise the UN membership with the work undertaken to date on peace and security in cyberspace. In addition, he recognised that states are at a different level of readiness to implement the GGE recommendations. This is why they have invested heavily in the Pacific region, acknowledging the GFCE’s contribution. Finally, New Zealand suggested that the report of the OEWG should focus narrowly on state behaviour online, and not on potential online harms such as cybercrime or terrorist and violent extremist online content, which they think are best addressed through other mechanisms.
The representative of the Lao People’s Democratic Republic aligned the country with the statement delivered by Indonesia on behalf of the Non- Aligned Movement (NAM). Lao emphasised that respecting the rules, norms, and principles of international law is one of the most effective ways to maintain security and preserve a peaceful cyberspace.
The representative of Ireland focused on four main areas: CBMs as an essential mechanism for averting conflict in cyberspace by increasing predictability of state behaviour and reducing the risks of misinterpretation and escalation; sustainable capacity building: we should look to combine policy and technical expertise with promotion and awareness; regular institutional dialogue; and, facilitation of greater multistakeholder dialogue. Ireland believes that the upcoming multistakeholder consultations in December should inform the OEWG report.
The representative of Australia stressed that they recognise the legitimate right of countries to develop offensive cyber capabilities. Australia is one of the few countries that has publicly declared that they develop and use these capabilities. However, Australian cyber operations are always conducted in accordance with international law, and the norms of responsible state behaviour. Australia has made the decision to be transparent about its capabilities, and is looking to militarise cyberspace because many countries have developed, and many more are in the process of developing, these capabilities. Australia seeks to bring them out of the shadows and to foster a more mature conversation about the rights, but also the obligations, that govern the use of cyberweapons. Finally, Australia suggested that the OEWG gets an update from states on the measures that they are already taking, consistent with the GGE 2015 report, and ask them to identify gaps in implementation and, if applicable, the capacity required to fill those gaps.
The representative of Malaysia noted that the OEWG will indeed provide an avenue for all the member states, especially those who never had the opportunity to be in the GGE, to provide insight on all the issues with regards to cybersecurity. Malaysia also highlighted its wish to build a ‘universal attribution mechanism’ under the auspices of the UN, which is trustworthy and recognised by all UN member states. Due diligence is one of the most important elements that should be included to prevent any wrongful attribution.
The permanent Representative of Bangladesh said that the UN must continue its norm-setting role in cyberspace in an inclusive, open, and transparent manner. He welcomed the opportunities for developing countries to voice their concerns and priorities through the work of the OEWG and play their role in defining future rules and enhancing CBMs in cyberspace. He shared Bangladesh’s plans to enhance their cyber capacity in defence from cyberattacks, creating awareness, and developing reliable early warning systems through information sharing.
The representative of Italy also noted the complementarity of the OEWG and the GGE, and said that Italy will continue to be committed to the implementation of the GGE reports, while calling on all states to work together in a spirit of consensus and mutual respect. Italy believes that the OEWG should devote more attention to the effective implementation of existing rules, rather than engaging in negotiations on more new norms that could create uncertainty on the applicable legal framework.
The representative of Austria noted that the lack of working attribution mechanism does not release states from the obligation of behaving responsibly in cyberspace. The OEWG should build a common understanding on how the implementation of agreed norms can best be achieved in each individual state, comparing best practice models on, for instance, safeguarding critical infrastructure. Capacity building is a necessity and not a luxury for states, and EU member states strongly support a range of programmes to assist countries with developing their capacities to address cyber incidents, as well as initiatives to enable the exchange of best practices.
The representative of Pakistan stressed than the UN Charter is unequivocal in its categorical upholding of the principles of sovereignty, territorial integrity, and non-interference in internal affairs of other states. These principles should guide the OEWG as it navigates the complexities of cyber governance. But a simple assertion of the applicability of existing international law to cyberspace is not sufficient. It needs to be adapted, in particular, the law of armed conflict and international humanitarian law to cyberspace. Pakistan suggested that the UN Conference on Disarmament is an appropriate venue for further multilateral work on strengthening security in the cybersphere through the elaboration of a comprehensive and balanced international convention. The UN CD can also build on the OEWG’s work with a view to ensuring a regular and inclusive institutional dialogue on the subject.
The representative of Sweden said that the main task of the OEWG should be practical implementation in areas such as: protection of critical infrastructure exchange of information, co-operation measures, capacity building, and CBMs. He also mentioned the importance of observing human rights online while discussing digital issues. Security cannot be achieved by states alone and the multistakeholder approach will and should remain a fundamental part of our co-operation. Sweden underlined the importance of participating with other stakeholders in a multistakeholder system in developing the common standards of the Internet. This should include a range of different stakeholders, from government – to industry – to civil society, including human rights defenders.
The representative of Israel noted the Organization for Security and Co-operation in Europe’s (OSCE) work in the field of CBMs as a positive example of a regional initiative. Israel thinks that the OEWG should not affect, duplicate, or impede other UN processes, and work solely on its mandate, focusing on global co-operation, enhancing cybersecurity of global ICTs, and building trust between states.
The representative of Belarus spoke about the ‘principle of information neutrality’ which means not using ICTs for malicious purposes. This principle, along with the principle of information sovereignty, is embedded in the new Belarussian cybersecurity strategy. He also mentioned several examples of the successful implementation of norms contained in GGE reports, such as the 2013 bilateral agreement with Russia on refraining from using ICTs against each other, and the 2017 CSTO regional agreement to prevent disruptive ICT acts among members of the CSTO. Belarus coined an initiative for a ‘belt of digital good neighbourliness’, aimed to bring together like minded states and encourage responsible behaviour in the ICT sphere. Finally, he said that the absence of consensus in dealing with international information security lets malicious actors think that information space is still a grey zone for international law.
The representative of Venezuela said that Venezuela has suffered from cyberattacks on its critical infrastructure, and that they are concerned by the trend of certain powerful nations and military alliances who believe that cyberspace is a theatre of war and who use all of their technological power to interfere in the internal affairs of states. That is why Venezuela thinks that it is important to guarantee non-interference in internal affairs, refrain from using force, and respect the political sovereignty of states in cyberspace.
The representative of France underlined that transparency of policies, doctrines, and strategies, and the interpretation of the application of international law is essential for trust in cyberspace. In addition, France mentioned its Paris Call for confidence and security in cyberspace, launched last year.
The representative of the United States provided an overview of the efforts made at the UN over the past 20 years in relation to cybersecurity. The OEWG is the first committee consisting of all UN member states and it must prioritise the adoption of the UN's extensive consensus based on expert driven work. The OEWG will be most effective if it focuses on identifying what needs to be done and getting commitments on the capacity needed, given that the OEWG itself must operate on a consensus basis.
The representative of Luxembourg said they are making every effort to implement the recommendations from the GGE reports endorsed by the G7 as part of their national ICTs security toolkit. Luxembourg is very committed to an Internet that is open, free, stable, and safe. The rules and norms that apply in the physical world also apply in cyberspace, and include international law, in particular, international humanitarian law, as well as human rights. There is a growing responsibility by technology companies that have a direct influence on their users. It is therefore not optional for digital giants to respect international law and universal human rights. ICTs could allow for undue political influence and cast doubt on the integrity of the processes of democratic institutions, particularly via social networks. The responsibility of states also extends to this level, but it should not be understood as an imposition of restrictions on the fundamental rights and freedoms. The abuse of new technology for the purposes of surveillance, intimidation, or repression is incompatible with responsible state behaviour.
The representative of Kazakhstan emphasised the importance of regional dialogues in addressing emerging threats. As for implementation, Kazakhstan has put in place CBMs such as cyber shield – a concept that defines state policy on protecting information resources, networks, and ensuring the safe use of ICTs. Another state programme is Digital Kazakhstan which includes the implementation of the Digital Silk Road expansion of communication networks and ICT infrastructure. In addition, Kazakhstan has promoted an initiative to create a centre of information security within the Shanghai Cooperation Organization. Working in both the OEWG and the GGE, Kazakhstan is looking forward to practical recommendations on the applicability of international law.
The representative of Spain recalled the EU’s statement about effective multilateralism to defend international order based on the rule of law, and in this context, the UN has excellent premises to address the challenges that we face in cyberspace. He noted that there is no normative vacuum for cyberspace since international law and the UN Charter are applicable to cyberspace in their entirety, and that now, we should focus on reducing malicious acts, and stopping initiatives that lead to disagreements on the application of CBMs.
The representative of Belgium stressed the importance of a common vision and an inclusive approach in solving these urgent problems, which is why Belgium welcomes recommendations for holding an open dialogue with civil society, the private sector, and academia. Building a common vision, but also the implementation of these norms, rules, and principles requires that all stakeholders showed their own responsibilities too.
The representative of Turkey reiterated the importance of adhering to the set of rules and instruments agreed upon by the GGE previously. Turkey signed the Budapest Convention on cybercrime with an additional protocol that criminalises acts of a racist and xenophobic nature committed through computer systems. Moreover, Turkey has made cybersecurity an integral part of national security, conducts cyber exercises, and has signed a range of bilateral cybersecurity agreements. Finally, the problem of terrorist activity on the Internet for financial recruitment and propaganda services was put to OEWG’s attention.
The representative of Norway concluded the second meeting saying that Norway will make every effort to engage constructively with both groups. The OEWG presents a new opportunity for all UN member states to come together and work towards putting the existing framework into practice. However, Norway was disappointed that NGOs without an ECOSOC status did not obtain accreditation to participate in the meeting.