Rules, Norms and Principles
Current OEWG discussions have so far illustrated that there is widespread agreement that the 11 norms adopted by the UNGA in 2015 require implementation, and that implementation requires greater guidance, including from a wide range of stakeholders.
This session will invite discussion and inputs from both governmental and non-governmental stakeholders on the topic of the UN GGE norms adopted in 2015. It will also be an opportunity to comment on norms guidance text that has been proposed by both governmental and non-governmental stakeholders within the context of the OEWG and relevant sections of the OEWG's revised pre-draft and non-paper. Finally, this event will allow discussions on the ways that both governmental and non-governmental stakeholders can support norm implementation.
The session will open with scene-setter presentations from its co-organisers and lead discussants. A set of discussion questions will be circulated to participants in advance in order to guide their contributions and statements. It is envisaged that this will be an interactive, dialogue-oriented session.
This session is co-chaired by:
Q: It seems that My question about norms on digital sanctions on other nations has been forgotten to answer!?
Q: It is not enough if States alone subscribe to norms, but it requires non-state actors to adopt norms, which makes it important that this process becomes a multi-stakeholder process. Also, the multistakeholder model makes it possible for norms to be adopted swiftly, by models that differ from the slow process of global agreement in a multi-lateral fora, but rather by fuzzy models that would lead to global adoption at a far swifter pace. (to Sivasubramanian Muthusamy)
Q: With respect to the draft “Norms” section of the OEWG the pre-draft report, are there any notable omissions, additions, or statements with which you support or disagree? (see paragraphs 38-44) In particular, do you think there is sufficient reference to non-governmental stakeholder engagement? If not, how could this be improved?
Q: Re: Alex’s points - another argument for ensuring an accountability mechanism that would enable calling out states that have transgressed against the critical infrastructure protection norm. (to Paul Meyer)
Q: in response to Anastasiya, we do plan on adding to the norms guidance text by possibly integrating some of the other proposals made by States in the norms non paper, as well as stakeholder comments
Wout de Natris
Q: Nobody, whether an individual, organisation or government, wants to be hacked, phished, lose data, etc. On the other side many states have or would like to have offensive tools that allow for the above. How to bridge this contradiction? Could this start by recognising that no one wants to be hacked, etc. That without a doubt is a potential norm.
Q: Digital sanctions are main barriers in implementation of norms and capacity building in cybersecurity area.
Q: +1 on Raman's point re: regional organisation's need to engage with other stakeholders from the outset and throughout in norm implementation efforts
Q: The Chair’s revised pre-draft in para 22 already mentions “medical facilities, energy, water and sanitation” - but what about transport, finance, nuclear, and electoral processes? A comprehensive approach is desirable, and we should recall that the GGE norm only speaks to the protection of critical infrastructure without further elaboration.
Antonio de Coco
Q: I am not entirely in agreement with Paul. Using language like “including but not limited to…” would solve the problem giving a little bit more clarity but without foreclosing more protection
Q: It seems that My question about norms on digital sanctions on other nations has been forgotten! (to Sirine Hijal)
Q: +1 for Paul
Q: The problem with the Joint Statement Dan mentions is that it was issued by a group of US allies and thus reflects bias in criticizing actions by others while ignoring trespass by their own (Stuxnet?). We need a credible accountability process for state conduct in cyberspace that is inclusive of all states.
Q: Question Three for open discussion: What challenges do you see in taking forward the proposals included in the non-paper, including in any of the relevant norms guidance text?
Q: It seems that My question has been forgotten!
ISOC Cybersecurity SIG
Q: Hello everyone :). Please allow me to share this information with the community, perhaps these two investigations that we have conducted at IGF BPF Cybersecurity, may be useful for those of us who are working on Cyber Rules, Norms and Principles. 2019 I. Introduction to GMP on Cybersecurity II. Norms and expected behavior in cyberspace III. Cybersecurity agreements IV. Turn cybersecurity agreements into action V. Review of cybersecurity agreements https://www.intgovforum.org/multilingual/filedepot_download/8395/1896 During 2020 this deeper analysis, we are looking specifically if the agreement includes any of the UN-GGE consensus standards; and if any additional rules are specifically mentioned. https://www.intgovforum.org/multilingual/filedepot_download/10387/2253 (to Sirine Hijal)
Q: Hi Neno! I am only in the live stream, so cannot take the floor. You have summarized the OSCE position well. We follow UN level discussions and are also ready to cooperate and give input on our experiences. In the case of OSCE this is mainly on developing and implementing CBMs, and cyber capacity-building. (to Nemanja Malisevic)
Q: survey mentions stakeholders twice: requests Member States to encourage regional organisations and other stakeholders to conduct analysis of the compilation of responses to the Survey with a view to developing targeted capacity building programmes which address any challenges to implementation or gaps in capacity so identified; The Secretary-General (through the UN Office of Disarmament Affairs) will compile national responses to the Survey as part of the annual report of the Secretary-General to the UNGA with the views of Member States on the issue. States, regional organisations, and other stakeholders can then use this compilation of responses to conduct analysis with a view to developing targeted capacity building programs which address any challenges to implementation or gaps in capacity identified.
Q: Regional organisations can publicly recognise/adopt the UNGGE norms - as ASEAN Regional Forum did recently for example, and develop frameworks to support their members to implement, including mappings of current state of implementation, reporting etc
Q: Globalization of norms may also need not wait for approval by all the nations of the world, but a few nations from Europe, or a regional block such as G20 could set the trend that would be welcomed by all stakeholders and by the success of how it works, the whole world will follow, nation by nation.
Q: survey proposal: https://front.un-arm.org/wp-content/uploads/2020/12/updated-december-2020-draft-v02-joint-oewg-proposal-survey-national-implementation.pdf
Wout de Natris
Q: Accountability could be an effective deterent. If used consequently and with authority. This would exclude a peer review, but be purely incident based. How could that best be organised and would this have to a public-private partnership?
Q: States have accepted peer review mechanism in the context of human rights an even more sensitive issue area I suggest than cyber security activity. States actually are more comfortable with state-led peer review than they would be for instance via scrutiny by civil society or the private sector alone.
Brett van Kierkerk
Q: Does anyone have any opinions on how the norms apply to 'thresholds' for non-intervention and armed attacks?
Q: Does the norms survey proposal include questions regarding stakeholder engagement?
Q: If norms implementation would put emphasis on the role of regional organizations, what kind mechanisms are envisioned to be appropriate to be put in place to ensure that progress can be achieved?
Q: Reminder - Second Question for open discussion: The focus so far in the non-paper is on the 11 agreed norms, but are there other issues that should be considered?
Q: As you all know the effects of unilateral digital sanctions on some nations have become more intensive and destructive speciallly during covid-19 pandemic and other emergencies when physical contacts are limited. These digital sanctions on investment in ICT infrastructures, digital technologies, digital resources like IPs and DNS system and access to networks are key barriers in achieving national development goals using ICTs and definitely constitutes human rights violation in cyberspace. Iranian private sector, digital entrepreneurs and some ICT projects are suffering from primary and secondary sanctions in digital domain. The question here is : What the UN family and OEWG community can and should do to adress this vital issue with regard to making norms to prohibit digital sanctions on nations specially in emergencies. (to Sirine Hijal)
Q: The ICRC welcomes this important initiative. The particular vulnerability of healthcare facilities may also warrant the articulation of an additional Norm on responsible States behavior. A important point : during armed conflicts the norm on intentionally damages critical infrastructures and operations of critical infrastructures to provide services to the public, this norm reflects legally binding obligations under IHL
Q: Regarding your question Arthur, "In the event of ICT-related incidents, States should consider all relevant information, including the broader context of the event, the challenges of attribution in the ICT environment, and the nature and scope of the consequences ", in the event of incidents, the information is essential, not only between states, but also for multistakeholds and citizens. The authorities must inform and render accounts to the public about the measures taken in the matter of cybersecurity, both those directly implemented and those carried out by private intermediaries contracted by the State. This should be part of the accountability that states must render, and it should be fulfilled. Thanks
Wout de Natris
Q: Protecting the public core of the Internet could be expressed more explicit. Part of that core are the technical standards that make the Internet work and function, like Olaf Kolkman explained. They are basically deployed in a slow fashion, fascilitating attacks (on the public core) This is the link to the IGF Dynamic Coalition on Internet Standards, Security and Safety: https://www.intgovforum.org/multilingual/content/dynamic-coalition-on-internet-standards-security-and-safety-dc-isss. It is in search of expertise to assist in creating policy suggestions on how to deploy existing Internet standards, ICT guidelines and best practices in a faster way. You can join through the IGF website link. … and through the Public Core)
Q: First Question for open discussion: In the non-paper, there is guidance for the implementation of the eleven agreed norms. Are there any elements missing in this guidance?
Stimson Center, Washington, DC
Q: How would you suggest that some pilot cooperative application of norms be developed - say around international or regional vaccine distribution or regional electoral security principles? Could this help further the development of agreed norms?
Q: "States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs (2015 13(c))." How do states that with limited resources or limited expertise confirm to this and similar norms? Doesn't scenarios such as these require cross-border, multi-stakeholder response, even in the case of "national" incidents?
Q: Hello to everyone. As you all know the effects of unilateral digital sanctions on some nations have become more intensive and destructive speciallly during covid-19 pandemic and other emergencies when physical contacts are limited. These digital sanctions on investment in ICT infrastructures, digital technologies, digital resources like IPs and DNS system and access to networks are key barriers in achieving national development goals using ICTs and definitely constitutes human rights violation in cyberspace. Iranian private sector, digital entrepreneurs and some ICT projects are suffering from primary and secondary sanctions in digital domain. The question here is : What the UN family and OEWG community can and should do to adress this vital issue with regard to making norms to prohibit digital sanctions on nations specially in emergencies.
Q: You can access all the documents related to the OEWG from the Secretariat, states, and other stakeholders here https://www.un.org/disarmament/open-ended-working-group/
Q: Here is a link to the non-paper that Dan McBryde mentioned: https://front.un-arm.org/wp-content/uploads/2020/05/200527-oewg-ict-non-paper.pdf
EU Institute for Security Studies
Q: You can tweet about the session using #LetsTalkCyber and #UNcyberOEWG Thanks!
Q: Dear Participants, We encourage you to ask your questions in this chatbox. Thanks!