EU Statement – UN Open-Ended Working Group on ICT: Rules, Norms and Principles of Responsible Behaviour

Excellencies,

I have the honour to speak on behalf of the European Union and its 27 Member States.

The candidate countries North Macedonia*,  Montenegro*, Serbia*, Albania*, Ukraine, the Republic of Moldova and Bosnia and Herzegovina*, the potential candidate country Georgia, and the EFTA countries Iceland and Norway, members of the European Economic Area align themselves with this statement.

The eleven agreed norms, complemented with existing rules of international law, are important and form a comprehensive  compendium to guide state behaviour in cyberspace. Given the urgency of preventing damage to critical infrastructure stemming from malicious cyber activities, we welcome the Chair’s guiding questions focusing on norms that strengthen the protection and resilience of critical infrastructure. 

The recommendations of the GGE and OEWG reports provide an important basis for addressing threats to critical infrastructure. In particular, norm 13 (c) and the three CI-related norms, 13 (f), (g), (h) can serve as a basis for advancing cooperation, in order to prevent the use of ICTs to damage CI and CII. The norms include elements of restraint, cooperation and transparency, bolstered by additional CBMs-related recommendations.

In this regard, we welcome more substantive discussion on the measures that States have already been put in place to implement and adhere to the norms. Such measures can include, cybersecurity incident exercises with relevant stakeholders, creating or supporting the creation of national or regional point of contact networks of critical infrastructure operators, or developing or assisting other States in developing effective policies and structures to protect for critical infrastructure . Such exchanges would help build trust in these initiatives and between those involved. This would  help inform targeted capacity building efforts and build sector-specific understanding.

Against this background, the OEWG needs to keep building common understandings of the threat landscape relevant to critical infrastructure, including collecting information of malicious use of ICTs against critical infrastructure. This  is particularly relevant towards clarifications on how existing and potential threats are experienced differently by states and diverse sectors of critical infrastructure.

In all of this work, there is a need for cooperation with non-governmental stakeholders, given their active role in threat detection, response, norms promotion, implementation and capacity-building.

The OEWG could help to further elaborate the role of different stakeholders, with the aim of not only identifying gaps in norms implementation to further protect critical infrastructure from the malicious use of ICTs, but also advancing common understandings on respective responsibilities and providing future guidance. That would in turn help with the CI-related risk management, including with regard to CI co-dependencies, as well identifying, classifying and managing ICT incidents affecting critical infrastructure. Including multistakeholder’ views in the process is therefore necessary when working towards an effective and sustainable operationalization of the framework. 

Countries should further develop clarification on the application of international law and in particular, international humanitarian law in the use of ICTs regarding critical infrastructure. In the context of the OEWG, discussions about norms implementation and how International Law applies to cyber operations that target CI, in peacetime and in conflict are vital for improved accountability. 

Specifying which laws or norms have been violated or not respected following a malicious cyber incident would assist  other countries in applying the framework of responsible behaviour. Promoting cooperation with the private sector, civil society, academia and the technical community in capacity building is a necessary step contributing to a holistic cyber resilience of designated sectors and infrastructure.

The focus on developing guidance on norms implementation would make the OEWG more effective and enable concrete exchanges on how countries interpret and track these norms nationally and how the United Nations could help countries implement them. A discussion that would be enhanced by the participation of non-governmental stakeholders that are or have been working on developing frameworks for supporting implementation.

We look forward to continuing conversations on how to implement the existing rules, norms, and principles, including through capacity building –which will be under focus later this week.