Conference on Disarmament - EU Statement on cybersecurity

Mr. President,

I have the honour to speak on behalf of the European Union.

The Candidate Countries Turkey, North Macedonia[*], Montenegro*, Albania*, Ukraine, the potential candidate countries Bosnia and Herzegovina* and Georgia align themselves with this declaration.

Let me start by congratulating you on assuming the Presidency of the Conference on Disarmament and assure you of our full support. We appreciate your proposal to dedicate this plenary session to cyber security, notably following on the third substantive session of the Open-ended Working Group on security of and in the use of information and communications technologies (OEWG ICTs) that took place in New York from 25 to 29 July 2022.

The EU and its Member States strongly promote a global, open, free, stable and secure cyberspace where international law, including respect for human rights and fundamental freedoms fully apply, supporting social, political and economic development. We recall the important work achieved by the international community to advance international security and stability in cyberspace, as well as to address cyber threats. The cyber threat landscape continues to evolve and sadly cyberspace has been increasingly misused to conduct malicious cyber activities, which the EU strongly condemns.

The EU welcomes the successful conclusion of the third substantive session of the OEWG and is looking forward to further engagement on this matter. The consensus annual progress report is a step forward towards setting out a firm agenda for the next sessions, allowing the OEWG to make concrete progress in its discussions while building on previous commitments.

The EU notes the progress made on existing and potential threats. We share the assessment that the use of information and telecommunications technology (ICTs) in the context of international security has continued to intensify and has evolved significantly in the current challenging geopolitical environment. However, we regret that no consensus could be reached regarding the threat posed by the use of cyber in armed conflict. This issue is particularly relevant in the context of Russian aggression against Ukraine, which has made our discussions even more necessary and timely. Russia’s flagrant breach of the United Nations Charter has shaken not only Ukraine, but also the entire rules-based international order. The annual progress report could also have noted, as requested by many delegations, that ransomware, when targeting critical infrastructure, can have significantly destabilizing effects on national and international security.

Let me recall the risks that Russia’s aggression in Ukraine brings to our broader security and stability, and underline that the EU and its Member States attributed the malicious cyber activity targeting the satellite KA-SAT network to the Russian Federation on 10 May 2022.

This cyberattack took place one hour before Russia's unprovoked and unjustified invasion of Ukraine on 24 February 2022, facilitating the military aggression. It had a significant impact causing indiscriminate communication outages and disruptions across several public authorities, businesses and users in Ukraine, as well as affecting several EU Member States.

Such behaviour is contrary to the expectations set by all UN Member States, including Russia, of responsible State behaviour in cyberspace. We continue to stress that cyberattacks targeting one State could spill over into other countries and cause systemic effects putting the security of another State at risk. Let me reiterate that the EU condemns such activities in the strongest possible terms. Moreover, the EU and its Member States are ready to use all relevant instruments of the Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (Cyber Diplomacy Toolbox) to respond to malicious cyber activities targeting EU institutions, Member States and our international partners.

Threats to the territorial integrity and independence of any State are a threat to us all, and it is important to establish a common understanding of the threat landscape, which allows us to shape common responses to prevent, discourage, deter and respond to these threats and activities, and to better protect key targets of malicious actors.

Mr. President,

Regarding the work ahead of us, the EU will prioritise strengthening the existing strategic framework for conflict prevention and stability in cyberspace. In particular, the EU will work with Member States and international partners to advance the Egyptian-French proposal to establish a Programme of Action to Advance Responsible State Behaviour in Cyberspace (Cyber PoA), for which France intends to table a resolution in the 77th session of the UN General Assembly First Committee.

The Cyber PoA will allow for concrete action to advance the normative framework and to support building global capacities by leveraging international assistance, while giving periodic opportunities to review and update the framework as appropriate in the light of emerging challenges. The PoA will, where appropriate, seek to improve cooperation with other stakeholders, such as the private sector, civil society and academia, to strengthen the effective implementation of the normative framework.

It is important to stress that the draft resolution aims to design the PoA in complementarity with the continuation of the work of the OEWG in order to avoid duplication of work. It is not a “parallel process” as it will only take up its work in 2025, at the end of the OEWG. However, considering that it will take two to three years to prepare, negotiate and adopt the PoA as a permanent instrument, work must start now. The draft resolution foresees a prominent role for the OEWG during the first stage of this process in 2023, also to allow for the consideration of the recommendations from the 2022 annual progress report of the OEWG. In a second stage and taking into consideration the mandate and workload of the OEWG, the resolution foresees the creation of a preparatory committee in 2024, which would be tasked specifically with negotiating the founding document for a PoA based on discussions held in the OEWG in 2023. This would allow the OEWG to focus on and further advance issues within its mandate. The OEWG and the PoA are intended to reinforce each other, as outcomes agreed by consensus within the current OEWG would of course be taken into account by the future PoA when it starts working in 2025.

Given the importance that the EU attaches to the aspect of capacity building, we welcome the Presidency’s focus on this issue, especially considering that external cyber capacity building is a strategic building block of EU's cyber diplomacy as outlined in the EU's Cybersecurity Strategy and other policy documents such as the EU's Digital4Development Strategy and the Global Gateway initiative. The EU's aim is to support partners in addressing their key cyber-related needs, including strengthening societal resilience, building trust in the digital environment, protecting human rights and fundamental freedoms, or participating in international processes.

Over the last years, the EU's financial commitment has increased to EUR 79.5 billion. More precisely, the EU is currently funding over 30 projects addressing cybersecurity (e.g. Cyber4D), cybercrime (e.g. Glacy+, iProceeds and OCWAR-C) and cyber diplomacy (e.g. EU Cyber Direct, Security in/with Asia). Moreover, the EU has been systematically linking its capacity building with development and international cooperation funds in five pillars covering (1) national strategic framework, (2) criminal justice in cyberspace, (3) cyber crisis prevention and management, (4) cyber hygiene and awareness, and (5) cyber diplomacy.

Lastly, the EU reiterates its full commitment to continue its constructive engagement in the OEWG with a view to address stability and security in cyberspace through the application of international law, and in particular the United Nations Charter in its entirety, International Humanitarian Law and International Human Rights Law. The EU supports the development of practical ways to implement the existing non-binding voluntary norms of responsible state behaviour, as well as the further development and implementation of confidence building measures between States in cyberspace, and promotes cyber capacity building – as just outlined. Moreover, the EU remains ready to engage with stakeholders in a systematic, sustained and substantive manner, including with regional and sub-regional organizations.

Thank you, Mr. President.

[*] North Macedonia, Montenegro, Albania and Bosnia and Herzegovina continue to be part of the Stabilisation and Association Process.