I have the honour to deliver the statement on behalf of the EU and its Member States. The Candidate Countries Turkey, the Republic of North Macedonia, Montenegro and Albania, the country of the Stabilisation and Association Process and potential candidate Bosnia and Herzegovina as well as Georgia and Ukraine align themselves with this statement.
The EU and its Member States would like to thank the Chair and his team for their tireless effort and for presenting the draft report of the Open-Ended Working Group (OEWG) on developments in the field of Information and Telecommunication (ICTs) in the context of international security.
We welcome the structure of the draft. The thorough draft report reflects the rich and substantive discussions among the Members of the OEWG, and does so in a balanced manner.
The report has a solid and action-oriented basis that consider all recommendations and proposals submitted during the OEWG. It is important that we continue to discuss the way forward included in the report. We strongly encourage all States to consider the Programme of Action to Advance Responsible State Behaviour, as presented during the OEWG discussions, as the future process for regular institutional dialogue under the auspices of the United Nations that would allow for an inclusive, permanent and constructive environment for the whole UN Membership.
We believe however that the draft report could emphasize even further the widespread acknowledgement that the international community is not starting from scratch, and that the consecutive reports of the UN Group of Governmental Experts (UNGGE) endorsed by the UN General Assembly (UNGA) are the foundation to provide guidance for additional discussions and recommendations.
Recalling their commitment to adopt, by consensus, a comprehensive, realistic and action-oriented draft report, the EU and its Member States would like to make the following comments, in order to further highlight the agreed basis and proposals that reflected a widespread support during OEWG formal and informal sessions.
Session 1 on Existing and emerging threats
The EU and its Member States are concerned by the rise of malicious behaviour in cyberspace by both state and non-state actors, including the use of ICTs for malicious purposes, notably those with systemic effects that might affect supply chains, critical infrastructure and essential services, medical facilities, democratic institutions, full enjoyment of human rights and processes and undermine economic security and development, including through cyber-enabled theft of intellectual property.
We suggest to reflect that the 2010, the 2013 and notably 2015 GGE consensus reports, as endorsed by the UN General Assembly (UNGA), constitute the baseline for discussions by the international community.
We strongly believe that this existing and consensually endorsed applicability of the normative framework contributes to international security and stability, and all UN Member States should abide by it. Undermining its implementation could have destabilising effects and bring enhanced risks of conflict, and would denigrate the achievements of the international community to date, constituting a threat in itself.
Furthermore, during the current global health crisis, we have observed, with serious concern, an increase of cyber threats and malicious cyber activities targeting essential operators globally, including in the healthcare sector.
The EU and its Member States also support the acknowledgement of the threat against the general availability or integrity of the public core of the Internet and the threat of malicious interference by foreign actors aimed at undermining electoral processes, including through malicious cyber activities that disrupt the infrastructure essential to these processes.
We welcome the inclusion in the draft report of these issues. This is supported by a significant number of States across different regional groups. We suggest to review the reference to the public core of the internet on existing and potential threats in line with our comments provided.
Session 2 on International law
The EU and its Member States stress the importance of the reaffirmation that a universal cyber security framework can only be grounded in existing international law, including the Charter of the United Nations in its entirety and respect for human rights and fundamental freedoms.
The EU and its Member States strongly support to reflect in the draft report, in the agreed conclusions and recommendations of international law section, that International Humanitarian Law (IHL) applies in cyberspace. Such reflection recalls the view that IHL is fully applicable in cyberspace in times of armed conflict but its applicability in cyberspace should not be misunderstood as legitimising the use of force between States in this domain, which is governed by the Charter of the United Nations. International law sets clear boundaries for the legality of the use of force between states. In this regard the EU and its Member States support to retain the essence part of the initial paragraphs 29 and 34 of the zero-draft report.
The EU and its Member States also support the language in the draft report which calls on further efforts to promote the application of existing international law to cyberspace, including on exchanging information and best practices thereon, and encourage all UN Member States to share their national positions on their understanding on how international law applies to the use of ICTs by states.
Since international law applies to state conduct in cyberspace with the norms of responsible state behaviour playing an important role as further guidance, the EU and its Member States wish to highlight that every country has an obligation to exercise due diligence and take appropriate actions against actors conducting malicious activities from its territory, consistent with international law and the 2010, 2013 and 2015 consensus reports of the United Nations Groups of Governmental Experts (UNGGEs) in the field of Information and Telecommunications in the Context of International Security. In this respect, the EU and its Member States would support to retain in agreed conclusions and recommendations the initial paragraph 30 of the zero-draft report and appreciate an explicit reference to the principle of due diligence:
In general, the EU and its Member States are of the view that the report should highlight more clearly the consensus reached by the respective UNGGEs, endorsed by the UNGA, in 2010, 2013 and 2015, in the conclusion and recommendation sections of the pillar of international law. This would show that a truly universal normative framework exists and that raising unnecessary doubt on whether existing international law already applies in cyberspace may encourage misunderstanding, erode accountability and lead to increased instability in cyberspace.
The EU and its Member States would like to suggest to add an introductory paragraph under this section.
Session 3 on Norms, rules and principles of responsible state behaviour
The EU and its Member States welcome the repeated calls on States to be guided in their use of ICTs by the 2015 GGE report, consensually endorsed by the UNGA in resolution 70/237, and on further implementation of these agreed norms and confidence building measures, which play an essential role in maintaining peace and preventing conflict.
The EU and its Member States encourage focusing our collective efforts on advancing the implementation of these 11 norms, that set standards for responsible State behaviour and allows the international community to assess the activities and intentions of States in order to prevent conflict and increase stability and security.
We encourage clearly distinguishing between, on the one hand, the consensus reached in 2010, 2013 and 2015, and on the other hand, a set of rules proposed in the OEWG 73/27 resolution, adopted by divisive vote 2018 and 2020. However, the draft report fails to underscore that all States agreed to be guided by the 11 norms of responsible state behaviour in 2015, which constitute a consensual basis for our discussion. States did not agree during the discussion to take into account topics beyond the consensual 70/237 resolution to advance responsible state behaviour. Therefore, the section, and para 38 specifically, should be revised accordingly.
The recommendations should emphasise the need to share best practices on the implementation of 11 norms of responsible State behaviour in order to further guide and contribute to the dissemination of responsible endeavours. The EU and its Member States support proposals to survey and support implementation and elaborate additional guidance of existing normative framework in order to add a layer of understanding to support implementation.
Session 4 on confidence building measures
With regard to confidence-building measures (CBMs), the EU and its Member States underline the importance of CBMs as a practical means of preventing conflicts.
The EU and its Member States welcome the initiative to exchange best practices on CBMs, in coordination with interested regional and sub-regional bodies, without prejudice to the further development and implementation of CBMs at different levels.
We attach particular importance to recommendation to encourage States, as a CBM, to publicly reaffirm their commitment to be guided by the 2015 report of the Group of Governmental Experts in their use of ICTs. In addition to this purpose, the issuance of national declarations of adherence to the framework for responsible State behaviour should also be included in the conclusions and recommendations sections.
Session 5 on capacity building
The EU and its Member States underline the importance of capacity building as a means to strengthen resilience globally, with particular attention to developing countries.
We agree that an important function of capacity building is to enable the implementation of the agreed normative framework for responsible state behaviour in cyberspace, and to strengthen cyber security and global resilience against cyber threats. Throughout the draft report, as well as during OEWG exchanges in the formal and informal sessions, it was underlined that adequate capacities are critical to support the three main pillars of the framework for responsible state behaviour.
We welcome the paragraph 28 stressing the importance of capacity building for States in order to develop their understanding of how international law applies to the use of ICTs in the context of international security.
We reiterate that existing initiatives, including the Global Forum on Cyber Expertise (GFCE), could play a meaningful role in building global cyber capacity and expertise.
The EU and its Member States support better coordination for enhancing coherence in capacity building efforts in the use of ICTs, while underlining the importance of creating synergies, avoiding duplication and building upon work done by existing regional organisations, as well as multi-stakeholder platforms.
Under the conclusions section, we support a recognition that capacity building activities for an open, free, secure, stable, accessible and peaceful ICT environment must go hand-in-hand with activities to implement the normative framework for stability in cyberspace.
We attach particular importance to the inclusion of the promotion and protection of human rights and fundamental freedoms in the list of principles related to the implementation of capacity building activities, and in the design of capacity-building projects.
To this end, the EU and its Member States supports the principles outlined in the paragraph 55, but also note that the requirements such as “evidence-based”, “politically neutral” and “without conditions” lack clarity and will require further discussion.
We would like to suggest to take into consideration in this paragraph 55 both the fundamental adherence to the promotion and protection of human rights and fundamental freedoms, as well as implementing the framework of responsible state behaviour, to develop capacity building activities.
Session 6 on Regular institutional dialogue
The EU and its Member States work with all the UN Membership for future discussions on cyber issues in the context of international security that aim to return to a consensus path in the First Committee.
To this end, the EU and Member States – as part of an increasing group of co-sponsors – strongly encourage States to consider the recommendation to establish a permanent Programme of Action (PoA) to Advance Responsible State Behaviour in Cyberspace. This proposal complementary to the ongoing OEWG process clearly constitutes a direction where a middle-ground can be found to overarch or replace the current parallel processes.
The EU and its Member States believe this proposal would constitute a useful recommendation for a positive and compromise way forward and welcome further support and inclusive discussion on scope and modalities to advance the establishment of the Programme of Action to Advance Responsible State Behaviour in Cyberspace. This proposal has been submitted to the OEWG and the 6th UN GGE.
The PoA offers the opportunity to work together towards an inclusive, permanent and constructive environment with the whole UN Membership. It would allow our work to progress, including on the pertinent and pressing problem of increasing cyber incidents.
The PoA would also allow the international community to strengthen cooperation and advance the normative framework at international level, preserving the achievements of the international community to date and facilitating cyber capacity building, including through operational and financial support, in a concrete and results-oriented manner.
The EU and its Member States reiterate that the OEWG is mandated to make recommendations on proposals submitted during its discussions to OEWG participants. In a spirit of compromise, we agree to note the adoption of resolution 75/240 on a new open-ended working group established for 5 years. However, as this process has been established outside of the OEWG, reference to it can not constitute an OEWG recommendation.
More specifically, the EU and its Member States suggest recommending to further elaborate the establishment of the Programme of Action in dedicated sessions, with the whole UN Membership and where appropriate the multi-stakeholder community. These sessions should allow for a solid basis to establish the PoA, and to proceed with inclusive and consensus annual discussions held in the permanent and constructive environment that the PoA offers. A dedicated session between First committee processes could be explored in order to improve coherence and synergies.
On section “Discussions”
The EU and its Member States would like to thank the Chair for sharing an overview of the discussions held through the formal and informal sessions of the Open-Ended Working Group (OEWG) in written.
The EU and its Member States believe that the discussions part reflects the wide range of issues addressed during the OEWG.
The OEWG provided a valuable platform for the exchange of views building on the acquis developed over the last 10 years by the UNGA, and allowed to advance the common understanding of the international community on cyber threats and the work that has been done to date to ensure security and stability in cyberspace.
To further progress this work, the EU and its Member States are committed to the adoption of a realistic and action-oriented outcome document.
To this end, the EU and its Member States believe that the agreed conclusions and recommendations form the substantive part of the outcome, as these sections provide comprehensive and meaningful proposals on how to implement and take forward the framework of responsible state behaviour in cyberspace.
At the same time, the discussions section is an important element reflecting the rich discussions in the OEWG
The EU and its Member States welcome the dedicated and concrete negotiations on the draft report, and would like to seek the Chair's views on his options to reflect the discussions in OEWG final report, in view to achieve consensus on an action-oriented report.