The sixth meeting of the first substantive session of the Open-Ended Working Group (the OEWG) discussed rules, norms, and principles of responsible behaviour of states in cyberspace.
The representative of Ghana recommended some guidelines for the work of the OEWG. The rules, norms, and principles developed must respect human rights and sovereignties, and hold cyber offenders responsible for malicious cyber activity. These rules, norms, and principles should safeguard cyberspace, especially critical national infrastructure. Ghana underscored the challenges of attribution and stated that innovative norms and principles to address these challenges need to be developed. Future rules, norms, and principles should be consistent with existing international law and treaties. The work of the OEWG should build upon the previous system, as there is an inherent applicability of international law. Establishing these rules, norms, and principles at the domestic level is essential.
The representative of China said that states should pledge not to use information and communications technologies (ICTs) and ICT networks to carry out activities which go against maintaining international peace and security. China is of the view that all states have the right to participate equally in the management and distribution of international Internet resources. Regarding critical infrastructure, China stated that no state should undermine another state’s critical infrastructure. China recommended that the OEWG should explore the right and responsibility of states to protect their ICT infrastructure against damage, and the right and responsibility to ensure the security of personal information and data relevant to their national, public, and economic security. Underdeveloped rules, norms, and principles governing Internet of Things (IoT), artificial intelligence (AI), big data, cloud computing, and blockchain should be explored in order to minimise the risks of these technologies, while reaping the benefits they bring to economic development.
The representative of Singapore stated that the work of previous GGEs should serve as the starting point for discussions at the OEWG. Singapore also spoke of their commitment to implementing the 11 norms outlined in the 2015 GGE report. The key is to continue developing practical guidance and co-operation towards the implementation and refinement of norms, and the enabler for this is the building of cyber capacity.
The representative of Botswana reiterated the importance of the work of the previous GGEs, stating that the OEWG should enhance this work by clarifying how rules, norms, and principles can be implemented.
The representative of Japan outlined the country’s efforts to stop malicious cyber activities domestically. Japan is of the view that the implementation of non-binding and voluntary norms of responsible state behaviour can be achieved by accumulating concrete national measures, and expressed its willingness to share its experiences.
The representative of Chile stated the country’s belief that the main principles of cyberspace are safety and responsibility. Chile underlined that the principles of international law are applicable in their entirety in cyberspace. Chile also highlighted that there are regional efforts to create norms, principles, and confidence building measures (CBMs) to address the challenges in cyberspace.
The representative of New Zealand stated its commitment to recommendations outlined in the previous GGE reports. The norms on responsible state behaviour provide states with the necessary framework to act responsibly in cyberspace, and they are not so prescriptive as to be at risk of obsolescence brought about by technological change. New Zealand expressed its hope that the report of the OEWG will deepen the understanding of the previous work of the GGE among both decision makers and the general public. The GGE should further articulate how to best implement these norms.
The representative of Egypt stated that the voluntary non-binding norms of responsible state use of ICTs can reduce the risks to international peace and security in the short term, but underscored that rapid technological developments will necessitate developing a rules based international regime on ICT security. The OEWG’s task is to agree on recommendations on where the existing norms may be codified into practical binding rules. The group could adopt an outcome report that confirms that states shall adhere to the rules, norms, and principles contained in the recommendations of the 2015 GGE report, and could recommend the continuation of inclusive intergovernmental deliberations, with a view to gradually developing binding international rules. The implementation of the agreed rules and principles can be fostered through national and international measures, including international co-operation, capacity building, and the possible establishment of a multilateral institutional platform for this purpose.
The representative of Malaysia stated that the country supports the existing set of international rules, norms, and principles of responsible state behaviour outlined in the 2015 GGE report. Malaysia spoke of regional efforts to implement these rules, norms, and principles undertaken by ASEAN. ASEAN has recognised the disparities between its member states and has informally committed to working towards regional capacity building to enable implementing these norms. Malaysia further stated that implementing the norms is only possible if they are translated into practical initiatives at the national level.
The representative of Belarus affirmed its readiness and interest to move towards agreeing to previously drawn up norms. Belarus also suggested borrowing the approach used to regulate outer space in 1996 under the auspices of the UN.
The representative of the United States stated that the country does not believe a new international legal instrument regulating state behaviour and addressing threats is necessary. Regarding the proposal that the OEWG should focus on developing new legally binding rules, the US stated that a long legal negotiation is not the right way to respond to the evolving threats posed by malicious cyber activities. Rather, the existing political commitments to the non-binding norms should be implemented. The OEWG should raise awareness among all states about these norms. Additionally, willing states should have sufficient capacity and knowledge to be able to adhere to these agreed upon norms and the broader framework of international cyber stability.
The representative of Switzerland reaffirmed that the 2015 GGE report provides a substantial list of recommendations on responsible state behaviour in cyberspace. On the international level, the already negotiated voluntary norms should be taken as a basis for discussion. The priority should be the universalisation of the norms and their implementation by all countries.
The representative of Cuba stated that developing norms, rules, and principles for responsible state behaviour in cyberspace could be a step forward towards a legally binding instrument. Cuba is also of the view that the proposals put forth by Russia in its working document serve as a basis to continue these discussions.
The representative of Guatemala highlighted the importance of a regional approach. There are about 10 national strategies for cybersecurity at the Latin American and Caribbean level. All of them are guided by good practices and methodologies developed by regional organisations, which serve as a basis and departure point to work on future norms, rules, and local legislations that will govern responsible behaviour and prevent violence in cyberspace.
The representative of the European Union shared their experience of implementing norms and principles – the EU NIS directive adopted in 2016. This EU-wide piece of cybersecurity legislation enhances national capabilities, cross border collaboration, as well as the supervision of critical sectors across the EU. It is a very concrete example of how we should implement agreed norms and build trust and confidence between our member states; it is an attempt to address the challenges of malicious cyber activity from a regional perspective.
The representative of India suggested new norms to include in the final report, such as norms to avoid tampering in supply chains, condemn offensive cyber operations by malicious actors, and take down ICT infrastructure being used by botnets. India favours the idea of creating a specialised institutional mechanism within the UN framework, and the OEWG may initiate the discussion of details and contours of such a mechanism.
The representative of Canada indicated the main challenges for norms implementation. First, developing states lack the resources and capacity to implement these norms. The OEWG should therefore prioritise helping states in disseminating the norms more widely to favour their universalisation and guide states in their implementation. She also asked to take gender issues into consideration. The OEWG could play an important role in highlighting how gender considerations could better be integrated in norms implementation, women's participation in discussions such as this one, women's participation in national cybersecurity emergency team research, and other such opportunities to advance gender equality in this field.
The representative of Iran read out several points from the working paper submitted to the secretariat. Any envisaged rules and norms for responsible behaviour should strengthen international relations security, and prevent any threats and damage to state sovereignty. In its approach to human rights, Iran considers that the norms should also address the protection of individuals and society from hate speech, xenophobia, unilateral coercive measures, and sanctions in digital space and other destructive measures within the digital space. All states should have an equal right to supply chains, including ICT-related R&D, as well as manufacturing, utilising, and transferring ICT products and services. The development of technology infrastructure and information platforms should be done with the principle of common but differentiated responsibilities. Finally, stakeholders other than states and social media platforms also need to observe these principles and norms. He also noted that the monopolisation of Internet governance is one issue that should also be addressed at the OEWG.
The representative of Mexico suggested that delegates think about three issues: First, the difference between a norm and a confidence building measure; the difference between rules, norms, and efforts of international co-operation. Second, the implementation of norms only, without additional measures, is not enough to guarantee security. Third, not to put aside proposals that come from regional organisations, civil society, or other actors.
The representative of Austria agreed with Mexico to work on norms as a package. It is very important to start with practical matters and break down these norms into what they mean for implementation in each and every country; countries can then take this as an inspiration for their domestic legal frameworks.
The representative of the Netherlands noted that norms help encourage particular examples of responsible behaviour, but do not replace existing international obligations. The Netherlands believes that a transparent approach would allow the OEWG to make the most practical recommendations on the implementation of the progress that has been developed in the previous UN GGE reports.
The representative of Colombia highlighted the importance of strengthening international community co-operation not just for the sake of transparency, but in order to find out more about best practices in dealing with new technologies, as well as having a joint and co-ordinated effort in this area.
The representative of the United Kingdom provided several thoughts. First, he echoed the richness of contributions from regional organisations to the debates on norms. Second, he announced that the UK is going to publish a map document outlining how it will be seeking to apply the agreed norms. Third, he noted that the OEWG should not move towards legally binding instruments since there is not much consensus among delegates so far on that issue. Finally, he agreed with New Zealand that beyond the group of specialists, these norms are still not properly understood, and we need to work on their further expansion.
The representative of Israel considers that voluntary norms regarding shared best practices that focus on co-operation between states in order to enhance global cybersecurity resilience are the most potentially effective types of norms. Israel's global positioning in cybersecurity is based on a domestic ecosystem that promotes real-time information sharing, develops adequate methodology, encourages educational programmes, and raises public awareness on cybersecurity.
The representative of Chile warned that when we have to apply a norm, we must interpret it, and we end up with different interpretations. He mentioned that crafting a code or written norms is based on the Latin system of law. He gave the example of the Pacific Statement that helped crystallise the norm about exclusive marine zones which was accepted by all states and became part of international public law. Chile agrees that we need a binding convention on cyberspace, but current international law requires adaptation, and non-binding measures may be enough for a start.
The Chinese representative took the floor again to talk about the 5G issue. He reminded all that Article 9 of the 2015 UN GGE report is about the security of supply chains. He doubts that it is expedient to have 5G supply chain security as a separate norm, especially as the states pushing for this norm are trying to discriminate against Chinese enterprises, which is unethical. Instead, China put forward the following norms for consideration: states should not exploit their dominant position to undermine the supply chain security of ICT goods and services of other states; states should prohibit ICT goods and service providers from installing backdoors in their products and devices to illegally obtain users' data, or to control and manipulate users' systems and devices; IT providers should be prohibited from seeking illegitimate interests by taking advantage of user dependence on their products, or forcing users to upgrade their systems or devices; providers should make a commitment that if serious vulnerabilities in their products are detected, they will notify their partners and users in a timely manner; states should be committed to upholding a fair and non-discriminatory market environment; and states should not use national security as a pretext for restricting normal ICT development and co-operation, or restricting market access of ICT products and the export of high-tech products.
The representative of Australia pointed out that norms must stand the test of time and not become outdated with the development of ICTs. She repeated the suggestions on norms presented in the working paper Australia submitted to the secretariat. Then she highlighted that the resolution that created the OEWG was not a consensus resolution and that not all of the norms inside this resolution meet UN consensus. She reaffirmed that Australia’s starting point for this should be the 2015 GGE report which all countries have endorsed. However, she didn’t exclude the option of elaborating new norms.
The representative of Iran responded to Australia saying that the OEWG should work according to its mandate, and discuss norms contained in paragraph 5 of the resolution.
The representative of Brazil said that the OEWG should build on the norms, rules, and principles contained in the recommendations of the past GGE reports, and that we should try to focus on creating a framework to ensure their implementation on the basis of the respective capabilities of states, and to facilitate capacity building and the creation of trust. He noted that the OEWG should not focus on issues that can be left to other forums, such as Internet governance.
The representative of Spain thought the most reasonable thing would be to look at where we have already achieved consensus, and not to get into discussions on whether or not the current resolution was approved by consensus.