EU Statement – UN Open-Ended Working Group on Security and ICT: Threats

Threats

1. Thank you Chair.
2. I have the honour to speak on behalf of the European Union and its Member States.
3. The Candidate Countries North Macedonia*, Montenegro^* and the Republic of Moldova, Ukraine, the country of the Stabilisation and Association Process and potential candidate Bosnia and Herzegovina, as well as Georgia and Monaco align themselves with this statement.
4. As it is the first time I am taking the floor, let me start by thanking you and your team for all your work over the past year, and for your revised draft annual progress report.
5. The EU and its Member States align with the comments made by the Czech Republic in the initial comments with regard to the objections raised against a large number of multistakeholders.
6. The EU and its Member States welcome the draft annual progress report of the second Open-Ended Working Group and express their support to the Chair to identify commonalities and to use the draft report to set out a concrete agenda for 2023, allowing the OEWG to make concrete progress in its discussions.
7. We note that the Russian aggression against Ukraine has made our discussions here in the OEWG more difficult, however also more timely and needed. Russia’s flagrant breach of the United Nations Charter has shaken not only Ukraine, but also the entire rules-based international order.
8. Before addressing the threat section, the EU welcomes the strengthening of the improved introduction of the draft, including the clear objective to set out a roadmap for more focused discussion. We also welcome the better reflection the role of the multi-stakeholder community, and the objective to address the gender divide.
9. As regards para 2, we support the Chair to include the mandate in a balanced manner, and in that light request to further clarify that it is all the pillars of the UN framework for responsible State behaviour in the used of ICTS that are equally addressed (threat, norms, international law, confidence building measures and capacity building).
10. On para 3, it is important to recall the commitment agreed by all Member States to engage with stakeholders in a systemic, sustained and substantive manner. We would suggest to however delete the last sentence, particularly as we differ views about how much flexibility was shown, certainly also looking at the outcome of the process for participation of non-governmental organizations and other non-governmental entities.
11. Mr. Chair, threats to the territorial integrity and independence of any State are a threat to us all, and it is important to establish a common understanding of the threat landscape, which allows us to shape common responses to prevent and respond to these threats and activities, and to better protect key targets of malicious actors.
12.  In that regard, the EU requests to better reflect in the revised draft report the heightened cyber threat landscape, as we requested for the zero-draft. At this stage, the revised draft contains a mere reference to the previous GGE and OEWG reports, which in our view is not sufficient to enhance our common understanding on the cyber threat landscape.
13. The EU agrees that it is ambitious to include an exhaustive list of threats, but the current drafting of the report suggest that the OEWG only addresses few, such as threats against critical infrastructure, supply chain, and data. Let me outline a few more that are relevant and which are of great concern to international security and stability.
14. First, ransomware attacks, conducted by state and non-state actors, remains one of the main cyber threats for the EU and its Member States, with a prediction to hit 11.5 billion EUR in damages globally in 2022. Ransomware attacks show how such malicious activities can have implication for security and stability, and how much we need international cooperation to tackle these type of threats. The EU is not alone as shows a recent ransomware attack experienced by Costa Rica, which affected even its critical infrastructure.
15. Second, as noted last week in our Declaration by the High Representative on behalf of the European Union, we are seeing a striking and concerning number of hackers and hacker groups targeting essential entities globally. These malicious cyber activities, which have significantly increased in the context of the unjustified Russian aggression against Ukraine, create unacceptable risks of misinterpretation and possible escalation.
16.  Third, let me recall the risks that Russia’s aggression in cyberspace brings to our broader security and stability, and recall the EU and its Member States' attribution of the malicious cyber activity targeting the satellite KA-SAT network to the Russian Federation on 10 May 2022. This cyberattack took place one hour before Russia's unprovoked and unjustified invasion of Ukraine on 24 February 2022, facilitating the military aggression. It had a significant impact causing indiscriminate communication outages and disruptions across several public authorities, businesses and users in Ukraine, as well as affecting several EU Member States.
17. It is of utmost important to explicitly reflect that since OEWG report adopted in 2021, the existing and potential threats landscape have dramatically changed, with the Russia’s invasion of Ukraine, including the use of cyber means.
18. Furthermore, as a general remark, the focus of the existing and potential threats section should be on the threat landscape itself, rather than on the means to address it. In other words: the technical and cooperative measures to address the threat landscape are already articulated under the others pillars. We see redundancy between the recommendations, with guidance on the implementation of norms, such as b.(III) with norms (i); confidence-building measures in regional settings or capacity building such as b.(VIII). Furthermore, the b.VI and b.VII does not fall under the remit of the First committee but cybercrime domain.
19.  Moreover, the list includes controversial elements. First the proposal to agree on terminology and the list of critical infrastructure is an example of a proposal that in our experience will not allow for consensus discussions between states. Based on experiences in prior multilateral and regional settings these discussions are considered divisive, time consuming and could imply – in the case of the list of critical infrastructure – that there are acceptable targets.
20. In addition, welcoming discussion on “data security initiatives” remains premature, including as it is not clear whether the First Committee is the appropriate forum to take forward these discussions.
21. At the same time, we have reservations towards limiting the revised draft report itself on the addressing only on the “use of harmful hidden functions”, as we perceive this as very narrow and limiting description of malicious use of ICTs that is contrary to international law, rules and norms.
22. Rather the EU supports, next to enhancing our common understanding on the cyber threat landscape, to recommend to hold discussions on how to prevent and appropriately respond to cyber threats and malicious activities in cyberspace, taking into account the inter-regional cooperative approach on secure of and in the use of ICTs.
23. In addition, we have been working with our international partners, industry and academia to be able to defend ourselves against the adversary's latest techniques and tactics. These exchanges have supported not only a good level of situational awareness, but also strengthened and accelerated cooperation processes and improved reporting. It is therefore essential to reflect the role and interaction with the multi-stakeholder community, although we would not limit to protection of critical infrastructure. However, para. 7.d. looks more as a recommendation. We suggest changing not to use conditional tense or “States proposed to consider”. 

* North Macedonia, Montenegro continue to be part of the Stabilisation and Association Process.