From May 19-20, 2022 Canada, the Kingdom of the Netherlands, and in collaboration with the CyberPeace Institute, collectively hosted a hybrid workshop on Advancing the Cyber Programme of Action (PoA) in Geneva, Switzerland.
The objective of the workshop, which was held under Chatham House rule, was two fold: first, to present on the design, structure, formation and overview of case studies of past programmes of action. Second, to bring together relevant stakeholders (States, the non-governmental multi-stakeholder community, civil society, industry etc.) and engage in interactive discussions to consider the substantial priorities that need to be considered and reflected into the formation of a Cyber PoA.
For context, on March 12 2021, the UN Open-Ended Working Group on ICTs and International Security (OEWG) adopted a final report and Chair’s summary by consensus after two years of negotiations. The report was an important step forward. It strongly reaffirmed the framework for responsible state behaviour in cyberspace, as anchored in the applicability of international law, agreed norms of responsible behaviour and confidence-building measures (CBMs). Overall, all UN member States supported its adoption. On May 28, 2021 the UN Group of Governmental Experts (GGE) also adopted a consensus report.
These were significant achievements given that no UN cyber process had resulted in a consensus report since the UN cyber Group of Governmental Experts (GGE) report in 2015. These successful outcome showed that progress on cyber security issues was still possible at the UN and in other multilateral fora, despite persistent geopolitical divisions and tensions surrounding these issues. The consensus outcome augurs well for the two UN cyber processes that will currently underway in 2022: the new 2021-2025 OEWG and a proposed cyber Programme of Action (PoA).
Currently, 60 States are co-sponsoring the establishment of a UN PoA as a permanent, inclusive, consensus-based and action-oriented international instrument to advance responsible behavior in the use of ICTs in the context of international security.
High level remarks on the opening day included interventions from H.E. Nathalie Jaarsma, Ambassador at-Large for Security Policy and Cyber, Kingdom of the Netherlands; First Secretary David Fairchild on behalf on H.E Leslie Norton, Ambassador of Canada and Stéphane Duguin, Chief Executive Officer of the CyberPeace Institute. The common theme highlighted in each of the remarks included the emphasis that the possible formation of a Cyber PoA is a unique opportunity to shape responsible behaviour in cyberspace by implementation and multi-stakeholder cooperation.
Finding ways to operationalize already agreed-upon norms of responsible State behaviour to promote peace and security and protect individuals and the enjoyment of their fundamental rights in cyberspace was agreed by all to be the fundamental objective of a Cyber PoA. Video remarks were also presented by Ambassador Jürg Lauber, Permanent Representative of Switzerland to the United Nations and Other Organizations in Geneva, and Ambassador Burhan Gafoor, the current Chair of the OEWG 2021-2025. Both applauded the progress that had been made to move implementation of the normative framework forward, and expressed hopes that the PoA would be complementary to the OEWG. The task was laid ultimately to states, who need to show how the PoA can lead to results and action-oriented outcomes.
Allison Pytlak, Programme Manager, Women’s International League for Peace and Freedom (WILPF) and Katherine Prizeman, Political Affairs Officer with UN Office for Disarmament Affairs (UNODA) both provided complementary overviews of existing PoAs, the current status of the cyber PoA proposal, and seven priorities for Cyber PoA supporters to consider. Many of these items were also presented in the research paper that Canada commissioned WILPF to undertake, in order to provide policy options and operational recommendations with a focus on the formation, architecture and technical guidance of a possible cyber PoA as it relates to cybersecurity.
For further reading, the paper is available here.
Key questions posed to participants for their consideration included: what mutual concerns would be addressed through this instrument; the scope and the form of the Cyber PoA; and whether a political declaration should accompany the Cyber PoA. Building on the history of PoAs while looking specifically at the cyber field, a strong recommendation included that the Cyber PoA needs to include a more forward-looking perspective. This would include considerations into how it will take into account the rapidly changing nature of technology and ICT threats and new norm development.
Other questions for consideration included how the Cyber PoA would be situated in the larger UN framework, how it can help to narrow the digital divide, and how the Cyber PoA sees itself in relation to other relevant processes and global goals. Ideas were also presented on how to ensure the Cyber PoA is gender-sensitive, such as by reinforcing relevant human rights and Women, Peace and Security frameworks as well as by recommending new policies and actions to close the digital gender gap and address gendered cyber harm.
Equipped with this knowledge on the functions of PoA’s, the second day focused on breakout conversations with intermingled participation between State representatives and non-governmental multi-stakeholder participants, which were preceded by kick-off presentations and remarks.
The first round of breakout discussions discussed “Aims and objectives” of a future Cyber PoA, including how a new instrument would address capacity-building and cyber norms implementation. The second round focused more on “Operationalizing a PoA” and touched on topics like the role of non-governmental stakeholders and reporting.”
Each group then presented on a number of those considerations that were presented at the onset. Key takeaways presented included the need for a mandate from the UNGA to initiate the establishment of the PoA, and to keep developing a working draft resolution for the upcoming UNGA session. Participants also mentioned the need to continue to discuss and clarify the topics that emerged during the event. These conversations also need to be widened to include a wider set of State and non-State stakeholders.
For a full breakdown and transcript of the presentations and remarks from each group and speaker, the attached Annex 1 offers a complete readout.
In terms of next steps, participants will look to widen the participation, understanding about, and support for the Cyber PoA, and consider how governmental engagement and stakeholder involvement at the national level can be an important driver to this effect. It was an important element to note that there is space for further research on several outstanding issues, and existing work can be re-purposed so that it is more accessible to a variety of stakeholders.
 Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Chile, Colombia, Croatia, Czech Republic, Denmark, Ecuador, Egypt, Estonia, Fidji, Finland, Gabon, Georgia, Germany, Greece, Guatemala, Honduras, Hungary, Iceland, Ireland, Italy, Japan, Jordanie, Latvia, Lebanon, Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, Montenegro, Morocco, Netherlands, Norway, Paraguay, Poland, Portugal, Republic of Cyprus, Republic of Korea, Republic of Moldova, Republic of North Macedonia, République dominicaine, Romania, Salvador, Singapore, Slovakia, Slovenia, Spain, Sweden, Switzerland, Timor Leste, UAE, Ukraine, United Kingdom, European Union