Stimson Center Statement on Learning from Other Efforts

Open-ended Working Group Informal Intersessional Meeting

UN cyber discussions should look broadly for lessons in managing cyberspace via agreed models - ranging from points-of-contact to accountability.

The UN Open-ended Working Group on Security of and in the use of Information and Communications Technologies 2021-2025, chaired by H.E. Mr. Burhan Gafoor, Ambassador and Permanent Representative of Singapore to the United Nations in New York, continues to look for consensus ways to implement already agreed cyber norms and international law. In its December 2022 Informal Intersessional Meeting at the UN in NY, Senior Advisor Debra Decker advised delegates to look broadly for lessons in managing cyberspace via previously agreed models, ranging from managing points-of-contact to establishing frameworks for accountability.

Mr. Chairman,

Thank you for allowing me to make a few remarks. I am Debra Decker, Senior Advisor with the Stimson Center, a think tank based in Washington, DC, with offices in Brussels and Nonresident Fellows around the world.

First, on confidence-building measures and the points of contact directory: I want to compliment the States on the many great ideas presented for consideration this week. In establishing a points of contact directory, it is indeed key to set out first the work expected from points of contact and the outcomes expected as a result, such as the smooth handling of crisis situations.

A systematic look at the purposes, policies and procedures is needed with an assessment that considers the benefits and drawbacks of different alternatives. The OEWG should consider the scope of the information it wants to capture to start and the process for adding information such as best practices, if desired.

  • One should assess how regional organizations have implemented their efforts at establishing and utilizing POCs, not just in practice scenarios but also in crisis situations, because there clearly must have been some.
  • One should not stop by looking at regional cyber crisis and information-sharing organizations. Lessons can be learned from other efforts, including in the UN. For example, one year the UN Security Council Resolution 1540 Committee made it a goal to try to have POCs from every country. How well did that work out and to what end? Indeed, as some have pointed out, there has to be some benefit to participating in this simple effort.

It is important not just to have POCs named with policies and procedures established but also to have some goals and performance indicators established for the success of the effort given its stated purposes.

Consideration should be given to the security of the directory and its actual use. Two additional points on this:

  • How secure does the information need to be? Some international agreements require points of contact but with different levels of security. For example, the requirement for Competent National Authorities under the International Drug Control Treaties is publicly available online. Some States give actual names of people as POCs while others give generic office email addresses that must be monitored but might be easier to change with employee changes.
  • The UN systems themselves have not been secure, so consideration has to be extended to multi-factor authentication measures and the establishment of communication methods when online methods and perhaps even regular cell phone communications do not work. In addition, the advent of AI and deep fakes can mean that you may not even know with whom you are speaking – this is an issue that some brought up in a roundtable the Stimson Center held in Vienna on nuclear security issues with States, regulators, insurers and industry. The need for trustworthy, resilient methods of contact is a reality and should be considered in establishing POCs.

Thus the purposes, policies and procedures of a Points of Contact directory need to be determined before States decide how to establish their POCs, which may be various depending on a State’s choice and capacity, and the methods for communication, which also may be various.

Second, on cyber norms and international law, the Stimson Center is embarking on an initiative to progress cyber norms, law and accountability by looking at how other areas of risk have been internationally addressed to take lessons to the cyber area – including in capacity and confidence building. We are hoping to avoid the need to reinvent some approaches while also developing bold ideas for better agreement on governance of cyberspace.

As part of the preparatory work for this effort, we have held a series of webinars with legal and technical experts in cooperation with the Washington Foreign Law Society. And I want to thank Canada, Egypt, Switzerland and the United States who have spoken in these webinars. These webinars have already provided interesting ideas for how a look back could help develop a way forward:

  • Given the grey space in the interpretation of norms and application of law and development of individual State’s laws and regulations, countries’ actions in this area should be captured. Statements on policy are good but countries should state the actual norms and law that have been violated when they make accusations of violations, impose sanctions or prosecute criminal violations. Such clear and consistent and coordinated statements and actions would support the further development of the community acquis in the cyber area, especially if this information is captured and preserved. Best practices and domestic legal and regulatory regimes can be better developed then for States’ capacity building.
  • Confidence building and capacity building are very much linked. When a State experiences a cyber incident that appears to be malicious, what are the best processes for classifying and investigating the incident? Policies and processes for coming to agreement among States relating to apparent violations have been developed in other areas, with private actors and governments working together, that may be applied to the cyber area. Many States and UNIDIR itself have suggested the benefits of a consistent framework. As for innovative ideas in the cyber area, we held a webinar in late November in which Microsoft, the CyberPeace Institute, and the MITRE corporation discussed technical characteristics of attribution that identified some key elements of attribution that could be adopted internationally and be part of capacity building.

I thank those States and organizations, including insurers, that are already engaged with us on this effort. I invite others interested in progressing the application of cyber norms, law and accountability better to secure cyberspace to contact us. Our research is for application, which requires, by definition, stakeholders to be involved in shaping the work and applying the outcomes of this initiative.

Thank you for your leadership, Mr. Chairman, and the work of the Secretariat in establishing the OEWG dialogues.
