The fifth meeting of the second substantive session of the Open-Ended Working Group (OEWG) discussed confidence-building measures (CBMs). The delegations discussed regional CBMs ready to be recognised on a global level, the linkages between CBMs and capacity building, whether there is a need to establish a global repository of existing confidence-building efforts at regional and sub-regional levels, and whether there is a need to establish a global list of points of contact.
Several delegations stated that there are regional CBMs ready to be recognised on a global level. According to Chile, several of the measures adopted in the various regional organisations, including the Organisation of American States (OAS) could garner that recognition. Canada and New Zealand stated that certain CBMs were ready to be recognised on the global level, a view that Slovenia aligned itself with. Hungary also stated that it is in favour of further elaborating on the globalisation of regional CBMs. In Australia’s view, the sharing of approved regional CBMs should be encouraged. To Estonia, CBMs developed and implemented by regional organisations serve as enablers in implementing norms. Similarly, the Republic of Korea believes that these regional and sub-regional efforts have values in identifying, developing, and promoting global CBMs.
Egypt noted that voluntary CBMs are not sufficient to address the rapidly widening scope of the global threats from the malicious use of ICTs, and suggested combining a number of politically binding commitments with some CBMs. The EU encouraged the OEWG to consult with regional bodies in order to share good practices with a view to go on to develop and implement global CBMs. The delegations of Brazil and the Syrian Arab Republic acknowledged the importance of regional CBMs, but noted that global CBMs should be developed. Switzerland noted that the OEWG should stress the implementation of existing CBMs in order to increase their practical relevance.
CBMs should respect the sovereignty of states and the principle of non-intervention in the internal affairs of states, the Russian Federation, Venezuela, and the Islamic Republic of Iran underlined. Russia noted that CBMs should not be used as an instrument for interference in the domestic affairs of states. Venezuela’s view is that the most important CBM is the reaffirmation of proper procedures in accordance with the charter of the UN and international law, with special affirmation on the principles of non-intervention in internal affairs, refraining from the use of force or the threat of use of force, and respect for the sovereignty of states. Iran noted that CBMs should not be used in any way to undermine the sovereignty, public order, and national security of the states. CBMs should also not be abused for using force or offensive capabilities against other states. Iran also noted that states with offensive cyber strategies should unilaterally declare to refrain from their offensive use. Venezuela highlighted the erosion of trust that comes from declaring cyberspace as a domain of war, suggesting that adopting binding regulations will allow states to shift from the doctrine of national security of states and foster harmonious relations between them.
Russia noted that CBMs should not be used to carry out unobjective assessments of states’ behaviours and intentions in cyberspace, with the resulting application of sanctions and similar measures. Venezuela underlined that any unilateral measures which impede states to benefit from ICTs and close the digital gap should be withdrawn. Iran also called for the removal of unilateral sanctions in the cyber field, as this would pave the way for capacity building necessary for states to participate in CBM arrangements.
The linkages between CBMs and capacity building were brought up by several delegations. Mexico noted that CBMs and capacity building cannot be disconnected from each other because some countries will need more support to implement CBMs. Canada also spoke about the importance of capacity building as a way to help build confidence, noting that the two are interrelated - confidence helps build capacity and capacity building can often help build confidence. The OEWG should further elaborate on these linkages, Canada noted. Kenya similarly underlined that capacity building is a key CMB. CBMs cannot have the intended results if some countries lack the capability to detect, identify, investigate, defend, contain or counter existing and potential cyber-threats. Malawi supported proposals that capacity building be treated as an integral part of any advancement of CBMs. Venezuela noted that developing and implementing CBMs begins with capacity building and cooperation. The UK suggested that the report of the OEWG should contain the recommendation for encouraging countries to establish CERTs, and Australia noted that they should be supported to do so via capacity building where appropriate.
With regard to the question of the need to establish a global repository of existing confidence-building efforts at regional and sub-regional levels, the delegates of Columbia, Vanuatu, New Zealand, Switzerland, Kenya, Ghana, France, Australia, Malawi, Ecuador, Malaysia, and Slovenia expressed support for the idea.
Kenya noted that such a repository would help countries to review best practices and to reflect on ways to improve collaboration, information sharing, and the identification of risks, gaps, and challenges when it comes to cybersecurity and ICT. Ghana suggested that the OEWG should become a repository for concrete and practical CBMs on an effective response to threats to critical information infrastructures, and to reduce the risk of misperception and possible conflict, and maintain a safe and secure cyberspace. Australia suggested that existing mechanisms, such as UNIDIR, could serve this purpose.
However, some delegations expressed certain concerns regarding this repository. Columbia and Switzerland brought up the question over the management of such a repository, with Columbia suggesting that a protocol for information management is necessary. Russia posed the question over the security of said repository, inquiring whether a specific encryption system would be set up for the repository and on the basis of which specific mathematical algorithms, as well as who would be in charge of security. The Russian delegation also brought forth the question of access to the repository, asking whether it will be available to states only or if all non-state actors will have access as well. A particular concern for the delegation would be terrorists accessing the information.
The question of establishing a global list of points of contact got a largely positive response. The delegations of Columbia, Chile, New Zealand, Mexico, Switzerland, Russia, Canada, Ghana, France, Australia, Estonia, Brazil, Siryan Arab Republic, Malawi, Ecuador, Malaysia, Slovenia, and Argentina supported expressed support for this idea.
Columbia suggested that the list should contain different levels of points of contact - political, police, procedural, etc. Brazil noted that the list should contain both technical and political points of contact. Russia noted that states need to define bodies and agencies responsible for response to computer incidents and set up single points of contact for international cooperation at the technical level. The importance of building cyber diplomacy and the roles ministers of foreign affairs should play in the list of points of contact was underlined by Colombia, Mexico, Ecuador, Malaysia, Argentina, and Australia. Australia noted that all countries organise themselves differently and that diplomatic points of contact would act as an entry point within a country.
Columbia underlined that it will be important to decide who would determine the aforementioned list and keep it up to date. France noted that states should outline their expectations for points of contact and for the functioning of the list. Russia stressed that it will be necessary to develop rules and procedures that would regulate the work and interaction of points of contact. Ecuador stated that considering how to operationalise this list would be important. Switzerland noted the importance of encouraging regular exchanges between points of contact in order to establish lasting relations based on mutual trust.
Ghana suggested that national points of contact of focal institutions networks should be created under the OEWG. Malawi and Brazil expressed support for a global list of contacts under the auspices of the UN, while the Syrian Arab Republic noted it is something the UN should consider.
A global point of contact list of national CSIRTs and CERTs hosted by the Software Engineering Institute at Carnegie Mellon University already exists and such a mechanism should not be duplicated, Canada warned, a point also acknowledged by Australia, Ecuador and Slovenia.
The importance of regional points of contact was noted by Switzerland, Estonia, Australia, and the UK. A network of regional points of contact can prevent misunderstandings and errors in calculation, Switzerland noted. For Estonia, functioning regional points of contact are a priority, but global points of contact could also be developed. While Australia expressed support for a global repository, it also suggested that in the interim step, the OEWG could recommend the sharing of the existing regional repositories or to use the existing regional repositories as the starting point for a global repository. The obligation to continue to update those regional repositories would still rest with the regional organisations.
The UK noted that the secretariats of regional organisations could share the lessons learned in the implementation of regional networks of points of contact. The role that regional organisations have in implementing CBMs was recognised by France, Canada, the EU, and the OAS, and these delegates suggested that the OEWG consult with these organisations on the implementation of CBMs. The USA and Indonesia noted that regional mechanisms can play a significant role in the operationalisation of CBMs. Regional organisations are also considered to be important vehicles for the universalisation and the operationalisation of the OEWG’s recommendations by the UK.
The USA, Indonesia, Canada, Malawi and Switzerland noted that the OEWG could provide guidance on adopting and implementing existing CBMs. Those CBMs would be the CBMs outlined in the previous GGE reports, stated the USA, Canada and Malawi. Brazil added that the OEWG should put together a set of CBMs - it should begin with the CBMs outlined in the GGE reports, but also consider additional measures. The Netherlands suggested that the OEWG endorse the second set of CBMs of the OSCE where possible, and develop them into fully universal CBMs. The delegation added that the OEWG could explore how the stability measures outlined in the UN GGE 2015 consensus report could be developed and implemented.
The USA suggested that the OEWG could also identify emerging best practices in the area of cyber CBMs from the work of regional bodies such as the OSCE, the OAS and the ARF. Additionally, the OEWG could encourage governments and regional organisations to conduct voluntary reporting of progress in implementation of CBMs, and create platforms to share information and implement other measures. Another suggestion by Malaysia was that the OEWG could consider putting up a mechanism on how to perform comprehensive cyber exercises. Ghana noted that the OEWG can best serve as a global platform to promote dialogue exchange of best practices, awareness raising, facilitate cooperation and consultation among states, and provide information on capacity building in cyberspace, which are essential constituents of CBMs. Ghana suggested that the OEWG become the repository of CBMs and points of contact.
India and Iran put forward additional elements that the OEWG could deliberate about in the future. India suggested that the OEWG should consider the three stages of cyber peace and stability process: conflict avoidance measures, CBMs, and peace building measures. The group could also consider co-operation on cybercrime and cyberterrorism, and addressing the trust deficit in the supply chain through CBMs. Iran’s view is that the OEWG should first address the sources of mistrust in the ICT environment: the monopoly in Internet governance, offensive cyber strategies and policies, hostile image building and xenophobia, leading to unilateral coercive measures and a lack of responsibility of private companies and platforms.
A few delegations took the opportunity to reflect on the elements the OEWG report should contain. Austria and Switzerland described CBMs as a low-hanging fruit that should be harvested for the report. New Zealand put forward guidance on best practice CBM delivery as something the report should consider, while the Philippines suggested that the OEWG identify key elements and common threads from regional CBMs arrangements and have them reflected in the report. Australia echoed Mexico’s proposal that countries should share their experiences on the implementation of the recommendations from the previous UN GGE reports, and report on that implementation, noting that it would be valuable to include it in the report. Australia also stated that it is working with Mexico and Mauritius on a questionnaire that might assist this process. The role universities, the private sector, and civil society play in raising the awareness of CBMs should be reflected in the report, stated Switzerland. The UK suggested that the report should recommend encouraging countries to establish CERTs, a view supported by Australia. The Netherlands proposed that the report should call on UN member states to start practising transparency measures.
By Andrijana Gavrilović