The seventh meeting of the second substantive session of the Open-Ended Working Group (the OEWG) discussed capacity building. In particular, the representatives addressed the role and principles for capacity building, national efforts to enhance cybersecurity and resilience, regional and international cooperation and development assistance in capacity building efforts, the link between capacity building measures and the sustainable development goals (the SDGs), as well as fora for further discussions on this topic.
The role of capacity building
The participants discussed in detail the role and impacts of capacity building when it comes to improving the security of information and communications technology (ICT) infrastructure and cyber resilience. As the European Union (EU) noted, capacity building supports global cyber resilience and reduces the ability of potential perpetrators to misuse ICTs for malicious purposes. The USA has agreed that capacity building strengthens the ability of states to effectively respond to - and recover from - cyber-threats.
Indonesia pointed out that capacity building strengthens confidence between states, helps individual countries understand the governance of cyberspace, and enables them to actively participate in future deliberations on ICT security.
According to the Netherlands, and echoed in the statements from the USA and Estonia, cyber capacity building is one of the most important instruments to ensure that states are able to adhere to the GGE’s Framework of Responsible State Behaviour in Cyberspace, and in particular, as stated by the Czech Republic, the ability to comply with the obligations of due diligence.
As far as the content of capacity building is concerned, the USA stated that capacity building should focus on furthering the acceptance and implementation of prior GGE recommendations on norms and confidence building measures.
Brazil emphasised that particular attention needs to be given to measures which would contribute to protecting and improving the security of existing systems, and ensure that critical infrastructures are resilient to security threats.
Antigua and Barbuda, speaking on behalf of the Carribean Community (CARICOM), pointed out that mechanisms for capacity building should aim to guide vulnerable infrastructures from reactive positions to proactive ones by allowing for monitoring and upgrades of technology.
Summarising several points of discussion, Australia proposed that the capacity building section of the OEWG report should include both technical and policy capacity building that emphasises the obligation for responsible state behaviour in accordance with the UN GGE Report 2015.
Speaking of current challenges in capacity building efforts, France pointed out that good coordination and optimal use of existing resources is a major issue. Norway, Singapore, Cameroon, and others agreed. The need to prevent the duplication of efforts as raised by France and Estonia requires systematic, coordinated, and analytical approach. According to Norway, the OEWG provides an opportunity to identify gaps in the implementation of the established framework, and consequently, to strengthen the capacity required to fill those gaps and look into how the effort could be better coordinated and prioritised.
Several representatives, such as Mauritius and Brazil, raised the need to address the funding of capacity building efforts. The UK has praised national efforts in capacity building and called for the allocation of resources and funds to support them further. Cameroon specifically believes that the OEWG could establish a fund and scholarships for this purpose.
The principles of capacity building
A great portion of the discussion focused on the principles of capacity building. The majority of participants called for the principles to be included in the report from the second substantive session of the OEWG. Several principles and areas of agreement have transpired in the course of two days:
The participants, particularly Singapore, Egypt, the Republic of Iran, the Philippines, Ethiopia, Cuba, Nigeria, Argentina, and others stressed the need for a demand-driven, needs-based, non discriminatory approach to capacity building.
Singapore stated that capacity building needs to be sustainable and politically neutral, and while there is probably no one-size-fits all approach, the goal is to incrementally develop capacities of the recipients.
Egypt pointed out that special emphasis should be placed on strengthening the capabilities of developing countries to defend their national critical infrastructures, to respond to ICT related emergencies, as well as implementing the existing norms and rules in this domain.
The Pacific Island Forum called for a technologically neutral and human centred approach in the delivery of capacity building programmes. China asked that the national governments and IT companies with the ability to identify loopholes and threats should publicise this information in a timely manner, and that the administrators of key resources such as Internet root servers, should not be controlled by any government. France stated that the need to share the capacities that we have must be done in the spirit of empowering those who receive assistance.
New Zealand spoke about a partnership approach to capacity building and the fact that the existing mechanisms for capacity building coordination have rapidly developed in recent years.
The multistakeholder approach was supported by a majority of participants, such as Colombia, Argentina, Canada, the Czech Republic, the Netherlands, Norway, Singapore, Greece, Kenya, Nigeria, the EU, and the United Kingdom.
Australia agreed with Indonesia’s statement that the two-way nature of cooperation between states and the private sector, and building links between the technical and policy communities, are areas of importance for capacity building.
Antigua and Barbuda speaking on behalf of CARICOM stressed the importance of the link between the public and private sectors in ensuring the security of ICTs and engaging in public private partnerships in order to lessen overall vulnerability.
Algeria highlighted the role of academia as having a crucial function in providing relevant data and research.
The multidisciplinary approach was specifically called for by Singapore, Argentina and the Netherlands. Capacity building should not only be on the technical level, but also on the operational, policy, and diplomatic levels, and requires the involvement of different industries. The Netherlands pointed out the need to provide capacity building guidance across silos.
New Zealand, Norway, Kenya, Nigeria, Australia, Canada, the United Kingdom and others stressed the need for an evidence based approach and metrics to ensure the effectiveness of capacity building initiatives.
Bridging the digital divide as a principle of capacity building and its primary task was mentioned by many, in particular the Netherlands, Argentina, the Pacific Island Forum, Lao PDR, India, Kenya, CARICOM, the Republic of Korea and others.
Capacity building with safeguards to protect fundamental rights and freedoms has been emphasised by the EU. The need for gender equality and bridging the gender divide was raised by many participants, such as Switzerland, Argentina, Australia, Canada, Norway, South Africa, Nigeria, the Netherlands, and others.
Kenya and the Philippines applauded the UK, Australia, Canada, the Netherlands, and New Zealand for establishing The Women in International Security and Cyber Space Fellowship.
India pointed out that the principles of capacity building should not be mixed up, i.e., the principles mentioned in the context of internal security should not be mixed up with any bilateral original ICT co-operations on capacity building. The discussion, according to India, should go further, as it mitigates ICT issues that are of a global nature within the international security context. Capacity building should keep in mind emerging and potential threats, which have a large implication on internal security.
The relationship between capacity building and norms
The representatives discussed the impacts and alignment of capacity building measures with binding and voluntary international norms.
Switzerland pointed out that there is a clear link between adhesion to international norms, voluntary norms, confidence building measures, and capacity building.
The EU stated that the capacity building approach must include an understanding that existing international law and norms apply in cyberspace, and that they are rights based with safeguards to protect fundamental rights and freedoms.
Australia emphasised the obligations of states under the international law, including human rights, the UN Charter, as well as the importance of responsible state behaviour in cyberspace. In particular, Australia proposed that the report of this OEWG include the need for capacity building to be aligned with the existing norms and CBMs recommendations, and support countries developing their national positions.
Canada stressed an important interlink nature of the norms implementation, confidence building, and capacity building.
Belgium requested including in an indication of guidance as to how capacity building programmes could stimulate norms, rules, and principles for responsible state behaviour, and include a facilitation of best practices in this OEWG report.
India stated that it is time to begin discussions on international legal instruments on cyberspace in the context of international security to achieve the right kind of development, where all are equal and have the capacity to discuss legitimate subjects and matters under the auspices of the UN. Furthermore, India stated that capacity building is beyond what is being dealt with under international security, and it should be based on addressing the emerging and potential threats.
In its statement, Indonesia said that capacity building should go beyond technical and operational ICT capacity and that it needs to be geared toward the development of ICT policy and legal frameworks. Indonesia acknowledged the central role of the UN in promoting the implementation of norms to capacity building programmes.
Egypt has pointed out that the UN GEE reports 2013 and 2015 rightly recommended that the international community should provide assistance to improve the security of critical ICT infrastructure, develop technical skills, as well as appropriate legislation strategies and regulatory frameworks to fulfill their responsibilities.
Since the adoption of the UN GGE 2013, specifically Chapter V on capacity building measures, many participants undertook to implement the recommendations. As Greece noted, implementing these recommendations has proven to be a challenging task for several nations due to a variety of factors, such as the lack of expertise or adequate funds.
Many representatives, such as Singapore, Ethiopia, India, and others described in detail their national capacity building measures over the last years.
According to Colombia, states need to start to internally diagnose in which areas they require capacity building. Colombia also pointed out the importance of education and design plans to bolster capacity building.
Ghana noted that many developing countries lack enough capacity in cybersecurity, cybercrime, data protection and development, international security and cyber hygiene practices, incident response, and the overall protection of critical information infrastructure. However, the risks and challenges of cyber-attacks are not confined to one country group or region.
Nigeria pointed out the need to make substantial efforts to develop capacity at the local level, especially with respect to law enforcement agencies and cybercrime investigations.
The UK stated that regional organisations and local partners are often the best place to understand the regional context, and to support the sustainability of capacity building efforts. It pointed out that the most important statements that the UK wishes to align themselves with are those of participants who have been working to increase their own capacity. The UK especially praised Uganda as an excellent example of bolstering their national capacity. Such examples should be reflected in the OEWG report from this session, such as funding and resource availability and how it makes a difference in a state's ability to implement the framework. Additionally, the UK said that the opportunity provided by the OEWG report should encourage all relevant stakeholders to allocate funding and expertise for capacity building, while following the capacity building principles and coordinating initiatives.
When discussing regional and international cooperation, Thailand stated that no individual country can address the issue of capacity building alone, and that they look forward to seeing regional and international capacity building initiatives.
Estonia emphasised the good examples set by the Organization of American States (the OAS), the Association of Southeast Asian Nations (the ASEAN), the African Union (the AU), and the Pacific Region, working closely on capacity building issues, stating that this kind of regional approach also seems to be the way to strengthen confidence, security, and trust among the partners in the region. Estonia shared the example of the EU CyberNet Project implemented with Germany, Finland, and Luxembourg - the European Union cyber capability building network aimed at putting together the network of experts and organisations. This network will map and systematise the cyber capacity-building efforts of the EU and enhance the effectiveness of conducting training on cybersecurity.
Estonia aligned itself with New Zealand calling for better coordination on an international level, and establishing a global clearinghouse function.
Canada aligned itself with Argentina and several others to the effect that regional organisations have a really important role to play in capacity building and coordination efforts, as well as other fora such as the Global Forum on Cyber Expertise (the GFCE).
The Republic of Korea spoke about varying ways of participation in capacity building efforts, from knowledge-sharing, to staff exchanges, and to the presentation of national strategies and policies. It is up to states to choose how to be engaged in the international community's efforts in capacity building, but more resources should be invested to develop cyber defence capabilities and foster resilience in the entire cyber ecosystem, stated the Republic of Korea.
In Israel's experience, bilateral, as well as existing multistakeholder frameworks are effective channels for enhancing capacity building and provide grounds for cooperation in this field in the future.
Brazil stated that aid by the regional organisations in promoting cooperation in the cyber domain is of central importance for capacity building efforts and shall remain so for the foreseeable future. According to Brazil, the OEWG should recognise this fact and include in the recommendations on capacity building a call for greater cross-regional cooperation and exchanges. One of the possible contributions of the OEWG in this regard could also be to recommend the establishment of a capacity building coordination mechanism to help match the needs and available resources of the private sector, and the expertise of academia and civil society structured to harness and optimise contributions by all relevant stakeholders.
Slovenia sees merits in capacity building activities through a combination of engagements on the bilateral level, through regional organisations, and through multilateral institutions given the nature of threats involved.
Cuba called to promote south-south, north-south, and triangular cooperation by establishing and strengthening relevant mechanisms.
Capacity building and SDGs
The link between capacity building and the SDGs was described in detail in a non paper submitted by The Netherlands. According to their statement, the OEWG should ensure and codify an increased linkage between capacity building and the achievement of the SDGs through recognising the linkages between the SDGs and capacity building, by integrating the SDGs in the capacity building initiatives, and by endorsing the principles of capacity building put forward by the Delhi Communiqué on a GFCE Global Agenda for Cyber Capacity Building.
Norway supported the Netherlands in showing a clear link between the SDGs and capacity building and stated that regional efforts should be in line with SDGs.
Estonia asked for cyber capacity building to become part of the overall development assistance approach and seen as a part of SDGs.
Nicaragua stated the importance of ICTs as a means of promoting the SDGs, specifically goal 9. The 2030 Agenda for Sustainable Development refers to the fact that ICTs are a major challenge, but also an opportunity for the international community to build capacities and to exchange information.
Fora to discuss capacity building
The majority of participants were looking to identify fora to discuss capacity development efforts further and agreed with the statement by South Africa to use existing structures and not create new ones.
The UN, as the main forum for further discussions on capacity building was named by Indonesia, Republic of Iran, Egypt, Cuba, Kenya, Mexico, and India.
Indonesia acknowledged the central role of the UN in promoting the implementation of norms to capacity building programmes.
The Islamic Republic of Iran believes that at the global level, the UN and its specialised agencies are expected to take the lead role in capacity building in the ICT environment. This should entail planning, monitoring, and implementing capacity building schemes at regional levels.
Egypt stated that the mandate of the proposed regular institutional dialogue or any follow-up mechanism should be in the form of a body that would be created within the UN on this topic, and must be focused on strengthening and coordinating capacity-building efforts.
Cuba believes that the UN should play a central role and be an ongoing forum for dialogue consultation cooperation among member states, including promoting and bolstering capacities, and providing technical assistance to developing countries in the area of cybersecurity and ICT.
Kenya said that the UN is uniquely positioned to coordinate capacity building at a global level. The UN could start with initial coordination steps, such as creating a registry of existing capacity building measures and their contact points, and available lessons learned. This registry should then be used to determine a baseline for the measurement of the minimum cybersecurity level necessary for global security and allow countries to perform self assessments.
Mexico welcomed any attempt to find synergies throughout the UN system and capacity building. It pointed out that efforts should not be duplicated or repeated if they are already happening elsewhere in the UN system, and not to get involved in the mandates of other groups already working on convergence of technology and sustainable development.
Another forum to further discuss issues related to capacity building measures was the Global Forum on Cyber Expertise (the GFCE). The Netherlands, as the founder of the GFCE noted that this forum has undergone a reform and said that New Zealand has made great strides over the last five years.
Switzerland stressed the need to take a more systematic approach to identifying capacity-building initiatives that work, and to find effective ways to spread awareness. Switzerland suggested making such initiatives accessible through existing platforms such as the GFCE. Canada and Belgium concurred.
Argentina also highlighted the role played by international multi-sectoral platforms such as the GFCE, and expressed the belief that it would be a valuable element to incorporate such platforms in efforts to build capacity.
The UK agreed with the Netherlands and pointed out that the GFCE plays an important role as a matchmaker in capacity building efforts. The UK stated the importance of adhering to the principles stated in the Delhi Communique, citing it as a useful guide for the work ahead.
Estonia stated that the already existing platforms should be used to better coordinate global capacity building efforts, suggesting that the GFCE could fill the role of coordinator and of a global clearing house mechanism for these efforts.
Australia reaffirmed their support for the Delhi communique developed by the GFCE and the principles stated therein, and noted that the other principles should be considered for the report from this OEWG as well.
In conclusion, the Secretariat of the Internet Governance Forum (the IGF) presented the possibility to discuss capacity building measures further within the IGF meetings as a multistakeholder forum in November 2020 in Poland.
By Pavlina Ittelson