The second and third part of the UN Open-Ended Working Group (OEWG) meeting focused on rules, norms, and principles of responsible state behaviour in cyberspace.
This agenda item caused a visible polarisation between delegates to those who stood for implementation and operationalisation of already agreed upon norms of the 2015 Group of Governmental Experts (GGE) framework, and those, who considered existing norms insufficient for the current cyber landscape.
Interestingly, a significant number of states - Egypt, Finland, Singapore, the Netherlands, Brazil, Sweden, Germany, France, Pakistan, and Argentina - proposed that the OEWG considers additional norms, that would help elaborate on the existing norm on the protection of critical infrastructure in the GGE report. These norms are: protection of the public core of the Internet and protection of electoral infrastructure. The UK expressed support to consider the norm on public core and general availability of the Internet, but remained concerned about the concept that the Internet has a public core. Singapore also suggested to protect supranational critical information infrastructure that are owned by private companies which operate across national borders and are not under any particular state's jurisdiction, such as SWIFT for international banking and Amadeus for airlines. Also, the International Committee of the Red Cross (ICRC) proposed to elaborate on another norm from the 2015 GGE report, demanding that states do not conduct or knowingly support ICT activities that offer medical services or medical facilities; and they should take measures to protect medical services from harm. As for the protection of critical infrastructure, civilian infrastructure in cyberspace shall be segregated from theIcomputer system on which critical civilian infrastructure depends.
Mexico proposed a follow-up mechanism focusing on implementing the norms that were already proposed by various GGEs. This mechanism reports to the UN Office for Disarmament Affairs (UNODA) Secretariat on the progress of states in implementation of norms, rules and principles, as well as challenges they faced in this process, on a voluntary basis. Indonesia, Austria, Chile, Norway, Australia, Germany, and the UK expressed their support to the creation of such a mechanism.
Another new norm proposal on refraining from weaponisation and offensive uses of ICTs had support from Indonesia, Iran, India, Pakistan, Cuba, and Nigeria. However, the UK, Australia, and Denmark expressed an alternative view, saying that states can develop offensive cyber capabilities, but use them in line with state rights and obligations under international law and taking into account the framework for responsible state behaviour. In this case, states should demonstrate transparency about possession and use of offensive capabilities that are needed for predictability and common understanding.
Multiple delegations called for greater awareness, operationalisation, and implementation of the existing norms, incorporated in the 2015 GGE report, namely Vanuatu, Egypt, Finland, Estonia, Singapore, the Netherlands, Czech Republic, Bangladesh, Sweden, Switzerland, Brazil, Indonesia, Colombia, Republic of Korea, Japan, Belgium, Germany, France, New Zealand, Canada, Malaysia, Israel, Austria, Chile, Croatia, Australia, Norway, Ghana, Denmark, Ireland, and Kenya.
A group of states called for consideration of additional norms that would fully respect state sovereignty, sovereign equality, political independence, and integrity of states; while also promoting peaceful coexistence and international co-operation and satisfy mutual interests. Russia and China suggested to include norms contained in the Shanghai Cooperation Organization proposal of 2011 and 2015; Cuba and Iran called for states to consider new measures to address threats emanating from content.
A number of states underlined the important role of regional and sub-regional organisations in norms implementation and capacity building. Singapore and Malaysia emphasised the efforts by ASEAN member states in practical steps - establishment of ASEAN Cybersecurity Coordination Committee to consider the development of long term regional action plans to ensure effective and practical implementation of norms, protection of critical infrastructure, alignment of regional cybersecurity policy and diplomacy positions on operational considerations.
The Philippines expressed concern about non-binding norms and reduced options for compliance and enforcement. It asked OEWG to consider compliance and enforcement while remaining cognisant of state sovereignty.
Bangladesh stated the most important thing is to identify the gaps in existing international norms in terms of applicability in the context of the ever evolving challenges of the cyber world and developing a shared understanding.
Brazil in a medium to long term objective, supports the negotiation and adoption of a legally binding international instrument on the issue of ICTs and international security. But also sees that states should concentrate on non-binding norms developed by GGE in the meanwhile. Pakistan, Cuba, and Egypt also called for the development of internationally binding rules.
By Ilona Stadnik