How international law applies to the use of ICTs (extracted from 2015 GGE Report)

24. The 2013 report stated that international law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful ICT environment. Pursuant to its mandate, the present Group considered how international law applies to the use of ICTs by States.

25. The adherence by States to international law, in particular their Charter obligations, is an essential framework for their actions in their use of ICTs and to promote an open, secure, stable, accessible and peaceful ICT environment. These obligations are central to the examination of the application of international law to the use of ICTs by States.

26. In considering the application of international law to State use of ICTs, the Group identified as of central importance the commitments of States to the following principles of the Charter and other international law: sovereign equality; the settlement of international disputes by peaceful means in such a manner that international peace and security and justice are not endangered; refraining in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the purposes of the United Nations; respect for human rights and fundamental freedoms; and non-intervention in the internal affairs of other States.

27. State sovereignty and international norms and principles that flow from sovereignty apply to the conduct by States of ICT-related activities and to their jurisdiction over ICT infrastructure within their territory.

28. Building on the work of the previous Groups, and guided by the Charter and the mandate contained in General Assembly resolution 68/243, the present Group offers the following non-exhaustive views on how international law applies to the use of ICTs by States:

(a) States have jurisdiction over the ICT infrastructure located within their territory;

(b) In their use of ICTs, States must observe, among other principles of international law, State sovereignty, sovereign equality, the settlement of disputes by peaceful means and non-intervention in the internal affairs of other States. Existing obligations under international law are applicable to State use of ICTs. States must comply with their obligations under international law to respect and protect human rights and fundamental freedoms;

(c) Underscoring the aspirations of the international community to the peaceful use of ICTs for the common good of mankind, and recalling that the Charter applies in its entirety, the Group noted the inherent right of States to take measures consistent with international law and as recognized in the Charter. The Group recognized the need for further study on this matter;

(d) The Group notes the established international legal principles, including, where applicable, the principles of humanity, necessity, proportionality and distinction;

(e) States must not use proxies to commit internationally wrongful acts using ICTs, and should seek to ensure that their territory is not used by non-State actors to commit such acts;

(f) States must meet their international obligations regarding internationally wrongful acts attributable to them under international law. However, the indication that an ICT activity was launched or otherwise originates from the territory or the ICT infrastructure of a State may be insufficient in itself to attribute the activity to that State. The Group noted that the accusations of organizing and implementing wrongful acts brought against States should be substantiated.

29. The Group noted that common understandings on how international law applies to State use of ICTs are important for promoting an open, secure, stable, accessible and peaceful ICT environment.

International law (extracted from 2021 OEWG Report)

34. Recognizing General Assembly Resolution 70/237, and also acknowledging General Assembly resolution 73/27, which established the OEWG, States reaffirmed that international law, and in particular the Charter of the United Nations, is applicable and essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful ICT environment. In this regard, States were called upon to avoid and refrain from taking any measures not in accordance with international law, and in particular the Charter of the United Nations. States also concluded that further common understandings need to be developed on how international law applies to State use of ICTs.

35. States also reaffirmed that States shall seek the settlement of disputes by peaceful means such as negotiation, enquiry, mediation, conciliation, arbitration, judicial settlement, and resort to regional agencies or arrangements, or other peaceful means of their own choice.

36. States concluded that, given the unique attributes of the ICT environment, deepening common understandings on how international law applies to State use of ICTs, can be developed by exchanging views on the issue among States and by identifying specific topics of international law for further in-depth discussion within the United Nations.

37. In order for all States to deepen their understandings of how international law applies to the use of ICTs by States, and to contribute to building consensus and common understandings within the international community, States concluded that there was a need for additional neutral and objective efforts to build capacity in the areas of international law, national legislation and policy.

The OEWG recommends that

38. States, on a voluntary basis, continue to inform the Secretary-General of their national views and assessments on how international law applies to their use of ICTs in the context of international security, and continue to voluntarily share such national views and practices through other avenues as appropriate.

39. States in a position to do so continue to support, in a neutral and objective manner, additional efforts to build capacity, in accordance with the principles contained in paragraph 56 of this report, in the areas of international law, national legislation and policy, in order for all States to contribute to building common understandings of how international law applies to the use of ICTs by States, and to contribute to building consensus within the international community.

40. States continue to study and undertake discussions within future UN processes on how international law applies to the use of ICTs by States as a key step to clarify and further develop common understandings on the issue.

International law (extracted from 2021 GGE Report)

69. International law is the basis for States’ shared commitment to preventing conflict and maintaining international peace and security and is key to enhancing confidence among States. In its consideration of how international law applies to the use of ICTs by States, the Group reaffirms the assessments and recommendations on international law of the reports of previous Groups of Governmental Experts, notably that international law, and in particular the Charter of the United Nations is applicable and essential to maintaining peace and stability and for promoting an open, secure, stable, accessible and peaceful ICT environment. These assessments and recommendations, in conjunction with other substantive elements of previous reports, emphasize that adherence by States to international law, in particular their Charter obligations, is an essential framework for their actions in their use of ICTs.

70. In this respect, the Group reaffirmed the commitments of States to the following principles of the Charter and other international law: sovereign equality; the settlement of international disputes by peaceful means in such a manner that international peace and security and justice are not endangered; refraining in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the purposes of the United Nations; respect for human rights and fundamental freedoms; and non-intervention in the internal affairs of other States.

71. Adding to the work of previous GGEs and guided by the Charter and the mandate contained in resolution 73/266, the present Group offers an additional layer of understanding to the 2015 GGE report’s assessments and recommendations of how international law applies to the use of ICTs by States, as follows:

(a) The Group notes that, in accordance with their obligations under Article 2(3) and Chapter VI of the Charter of the United Nations, States party to any international dispute, including those involving the use of ICTs, the continuance of which is likely to endanger the maintenance of ADVANCE COPY 14 international peace and security, shall, first of all, seek a solution by such means as described in Article 33 of the Charter, namely negotiation, enquiry, mediation, conciliation, arbitration, judicial settlement, resort to regional agencies or arrangements, or other peaceful means of their own choice. The Group also notes the importance of other Charter provisions relevant to the resolution of disputes by peaceful means.

(b) The Group reaffirms that State sovereignty and international norms and principles that flow from sovereignty apply to the conduct by States of ICT-related activities and to their jurisdiction over ICT infrastructure within their territory. Existing obligations under international law are applicable to States’ ICT-related activity. States exercise jurisdiction over the ICT infrastructure within their territory by, inter alia, setting policy and law and establishing the necessary mechanisms to protect ICT infrastructure on their territory from ICT-related threats.

(c) In accordance with the principle of non-intervention, States must not intervene directly or indirectly in the internal affairs of another State, including by means of ICTs.

(d) In their use of ICTs, and as per the Charter of the United Nations, States shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any State or in any other manner inconsistent with the purposes of the United Nations.

(e) Underscoring the aspirations of the international community to the peaceful use of ICTs for the common good of mankind, and recalling that the Charter applies in its entirety, the Group noted again the inherent right of States to take measures consistent with international law and as recognized in the Charter and the need for continued study on this matter.

(f) The Group noted that international humanitarian law applies only in situations of armed conflict. It recalls the established international legal principles including, where applicable, the principles of humanity, necessity, proportionality and distinction that were noted in the 2015 report. The Group recognised the need for further study on how and when these principles apply to the use of ICTs by States and underscored that recalling these principles by no means legitimizes or encourages conflict.

(g) The Group reaffirms that States must meet their international obligations regarding internationally wrongful acts attributable to them under international law. It also reaffirms that States must not use proxies to commit internationally wrongful acts using ICTs, and should seek to ensure that their territory is not used by non-State actors to commit such acts. At the same time, the Group recalls that the indication that an ICT activity was launched or otherwise originates from the territory or the ICT infrastructure of a State may be insufficient in itself to attribute the activity to that State; and notes that accusations of organizing and implementing wrongful acts brought against States should be substantiated. The invocation of the responsibility of a State for an internationally wrongful act involves complex technical, legal and political considerations.

72. Without prejudice to existing international law and to the further development of international law in the future, the Group acknowledged that continued discussion and exchanges of views by States, collectively at the United Nations on how specific rules and principles of international law apply to the use of ICTs by States is essential for deepening common understandings, avoiding misunderstandings and increasing predictability and stability. Such discussions could be informed and supported by regional and bilateral exchanges of views between States.

73. In accordance with the Group’s mandate, an official compendium [document symbol to be provided] of voluntary national contributions of participating governmental experts on the subject of how international law applies to the use of ICTs by States will be made available on the website of the United Nations Office for Disarmament Affairs. The Group encourages all States to continue sharing their national views and assessments voluntarily through the United Nations Secretary-General and other avenues as appropriate.

Norms, Rules and Principles for Responsible State Behaviour (Chapeau text extracted from 2015 GGE Report)

[9] The ICT environment offers both opportunities and challenges to the international community in determining how norms, rules and principles can apply to State conduct of ICT-related activities. One objective is to identify further voluntary, non-binding norms for responsible State behaviour and to strengthen common understandings to increase stability and security in the global ICT environment.

[10] Voluntary, non-binding norms of responsible State behaviour can reduce risks to international peace, security and stability. Accordingly, norms do not seek to limit or prohibit action that is otherwise consistent with international law. Norms reflect the expectations of the international community, set standards for responsible State behaviour and allow the international community to assess the activities and intentions of States. Norms can help to prevent conflict in the ICTenvironment and contribute to its peaceful use to enable the full realization of ICTs to increase global social and economic development.

[11] Previous reports of the Group reflected an emerging consensus on responsible State behaviour in the security and use of ICTs derived from existing international norms and commitments. The task before the present Group was to continue to study, with a view to promoting common understandings, norms of responsible State behaviour, determine where existing norms may be formulated for application to the ICT environment, encourage greater acceptance of norms and identify where additional norms that take into account the complexity and unique attributes of ICTs may need to be developed.

[12] The Group noted the proposal of China, Kazakhstan, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan for an international code of conduct for information security (see A/69/723).

[13] Taking into account existing and emerging threats, risks and vulnerabilities, and building upon the assessments and recommendations contained in the 2010 and 2013 reports of the previous Groups, the present Group offers the following recommendations for consideration by States for voluntary, non-binding norms, rules or principles of responsible behaviour of States aimed at promoting an open, secure, stable, accessible and peaceful ICT environment:

Norms, Rules and Principles for Responsible State Behaviour (text extracted from 2021 OEWG Report)

24. Voluntary, non-binding norms of responsible State behaviour can reduce risks to international peace, security and stability and play an important role in increasing predictability and reducing risks of misperceptions, thus contributing to the prevention of conflict. States stressed that such norms reflect the expectations and standards of the international community regarding the behaviour of States in their use of ICTs and allow the international community to assess the activities of States. In accordance with General Assembly resolution 70/237, and acknowledging General Assembly resolution 73/27 States were called upon to avoid and refrain from use of ICTs not in line with the norms for responsible State behaviour.

25. States reaffirmed that norms do not replace or alter States’ obligations or rights under international law, which are binding, but rather provide additional specific guidance on what constitutes responsible State behaviour in the use of ICTs. Norms do not seek to limit or prohibit action that is otherwise consistent with international law.

26. While agreeing on the need to protect all critical infrastructure (CI) and critical information infrastructure (CII) supporting essential services to the public, along with endeavouring to ensure the general availability and integrity of the Internet, States further concluded that the COVID19 pandemic has accentuated the importance of protecting healthcare infrastructure including medical services and facilities through the implementation of norms addressing critical infrastructure. such as those affirmed by consensus through UN General Assembly resolution 70/237.

27. States affirmed the importance of supporting and furthering efforts to implement norms by which States have committed to be guided at the global, regional and national levels.

28. States, reaffirming General Assembly resolution 70/237 and acknowledging General Assembly resolution 73/27, should: take reasonable steps to ensure the integrity of the supply chain, including through the development of objective cooperative measures, so that end users can have confidencein the security of ICT products; seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions; and encourage the responsible reporting of vulnerabilities.

29. Given the unique attributes of ICTs, States reaffirmed that, taking into account the proposals on norms made at the OEWG, additional norms could continue to be developed over time. States also concluded that the further development of norms, and the implementation of existing norms were not mutually exclusive but could take place in parallel.

The OEWG recommends that

30. States, on a voluntary basis, survey their national efforts to implement norms, develop and share experience and good practice on norms implementation, and continue to inform the Secretary-General of their national views and assessments in this regard.

31. States should not conduct or knowingly support ICT activity contrary to their obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public. Furthermore, States should continue to strengthen measures to protect of all critical infrastructure from ICT threats, and increase exchanges on best practices with regard to critical infrastructure protection.

32. States, in partnership with relevant organizations including the United Nations, further support the implementation and development of norms of responsible State behaviour by all States. States in a position to contribute expertise or resources be encouraged to do so.

33. States, recalling General Assembly resolution 70/237 and acknowledging General Assembly resolution 73/27 take note of proposals made by States on the elaboration of rules, norms and principles of responsible behaviour of States in future discussions on ICTs within the United Nations, noting that resolution 75/240 established an Open-ended Working Group on security of and in the use of information and communications technologies 2021-2025.

15. The Group reaffirms with regard to the use of ICTs by States that voluntary, non-binding norms of responsible State behaviour can reduce risks to international peace, security and stability. Norms and existing international law sit alongside each other. Norms do not seek to limit or prohibit action that is otherwise consistent with international law. They reflect the expectations of the international community and set standards for responsible State behaviour. Norms can help to prevent conflict in the ICT environment and contribute to its peaceful use to enable the full realization of ICTs to increase global social and economic development.

16. The Group also underscores the inter-relationship between norms, confidence-building measures, international cooperation and capacity-building. Given the unique attributes of ICTs, the Group reaffirms the observation of the 2015 report that additional norms could be developed over time, and, separately, notes the possibility of future elaboration of additional binding obligations, if appropriate.

17. In addition to work in the United Nations system, the Group acknowledges the valuable experiences on norms implementation emerging at the regional level, including those shared during the informal consultations held with Member States in New York and in collaboration with regional organizations in accordance with its mandate, noting that future work on ICTs in the context of international security should take these efforts into account. The Group also noted the proposal ofChina, Kazakhstan, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan for an international code of conduct for information security (see A/69/723).

18. In consensus resolution 70/237, the General Assembly called upon Member States to be guided in their use of ICTs by the 2015 report of the GGE, which included eleven voluntary, non-binding norms of responsible State behaviour. In accordance with its mandate to advance responsible behaviour, the Group has developed an additional layer of understanding to these norms, underscoring their value with regard to the expected behaviour of States in their use of ICTs in the context of international peace and security and providing examples of the kinds of institutional arrangements that States can put in place at the national and regional levels to support their implementation. The Group reminds States that such efforts should be conducted in accordance with their obligations under the Charter of the United Nations and other international law, with a view to preserving an open, secure, stable, accessible and peaceful ICT environment. States are called upon to avoid and refrain from the use of ICTs not in line with the norms of responsible State behaviour.

A/70/174 13(a) – Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are agreed to be harmful or that may pose threats to international peace and security;

A/70/174 13(b) – In case of ICT incidents, States should consider all relevant information, including, inter alia, the larger context of the event, the challenges of attribution in the ICT environment, and the nature and extent of the consequences;

[13(c)] – States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;

A/70/174 13(d) – States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs, and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;

A/70/174 13(e) – States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on theInternet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;

A/70/174 13(f) – A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;

A/70/174 13(g) – States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account, inter alia, General Assembly resolution 58/199 (2003) “Creation of a global culture of cybersecurity and the protection of critical information infrastructure”, and other relevant resolutions;

A/70/174 13(h)] – States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at another State’s critical infrastructure emanating from their territory, taking into account due regard for sovereignty;

A/70/174 13(i)] – States should take reasonable steps to ensure the integrity of the supply chain, so end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;

A/70/174 13(j) – States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities, in order to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure;

A/70/174 13(k) – States should not conduct or knowingly support activity to harm the information systems of another State’s authorized emergency response teams (sometimes known as CERTS or CSIRTS). A State should not use authorized emergency response teams to engage in malicious international activity;

Confidence-building Measures (extracted from 2015 GGE Report)

16. Confidence-building measures strengthen international peace and security. They can increase interstate cooperation, transparency, predictability and stability. In their work to build confidence to ensure a peaceful ICT environment, States should take into consideration the Guidelines for Confidence-building Measures adopted by the Disarmament Commission in 1988 and endorsed by consensus by the General Assembly in resolution 43/78 (H). To enhance trust and cooperation and reduce the risk of conflict, the Group recommends that States consider the following voluntary confidence-building measures:

(a) The identification of appropriate points of contact at the policy and technical levels to address serious ICT incidents and the creation of a directory of such contacts;

(b) The development of and support for mechanisms and processes for bilateral, regional, subregional and multilateral consultations, as appropriate, to enhance inter-State confidence-building and to reduce the risk of misperception, escalation and conflict that may stem from ICT incidents;

(c) Encouraging, on a voluntary basis, transparency at the bilateral, subregional, regional and multilateral levels, as appropriate, to increase confidence and inform future work. This could include the voluntary sharing of national views and information on various aspects of national and transnational threats to and in the use of ICTs; vulnerabilities and identified harmful hidden functions in ICT products; best practices for ICT security; confidence-building measures developed in regional and multilateral forums; and national organizations, strategies, policies and programmes relevant to ICT security;

(d) The voluntary provision by States of their national views of categories of infrastructure that they consider critical and national efforts to protect them, including information on national laws and policies for the protection of data and ICT-enabled infrastructure. States should seek to facilitate cross-border cooperation to address critical infrastructure vulnerabilities that transcend national borders. These measures could include:

(i) A repository of national laws and policies for the protection of data and ICT-enabled infrastructure and the publication of materials deemed appropriate for distribution on these national laws and policies;

(ii) The development of mechanisms and processes for bilateral, subregional, regional and multilateral consultations on the protection of ICT-enabled critical infrastructure;

(iii) The development on a bilateral, subregional, regional and multilateral basis of technical, legal and diplomatic mechanisms to address ICT-related requests;

(iv) The adoption of voluntary national arrangements to classify ICT incidents in terms of the scale and seriousness of the incident, for the purpose of facilitating the exchange of information on incidents.

17. States should consider additional confidence-building measures that would strengthen cooperation on a bilateral, subregional, regional and multilateral basis. These could include voluntary agreements by States to:

(a) Strengthen cooperative mechanisms between relevant agencies to address ICT security incidents and develop additional technical, legal and diplomatic mechanisms to address ICT infrastructure-related requests, including the consideration of exchanges of personnel in areas such as incident response and law enforcement, as appropriate, and encouraging exchanges between research and academic institutions;

(b) Enhance cooperation, including the development of focal points for the exchange of information on malicious ICT use and the provision of assistance in investigations;

(c) Establish a national computer emergency response team and/or cybersecurity incident response team or officially designate an organization to fulfil this role. States may wish to consider such bodies within their definition of critical infrastructure. States should support and facilitate the functioning of and cooperation among such national response teams and other authorized bodies;

(d) Expand and support practices in computer emergency response team and cybersecurity incident response team cooperation, as appropriate, such as information exchange about vulnerabilities, attack patterns and best practices for mitigating attacks, including coordinating responses, organizing exercises, supporting the handling of ICT-related incidents and enhancing regional and sector-based cooperation;

(e) Cooperate, in a manner consistent with national and international law, with requests from other States in investigating ICT-related crime or the use of ICTs for terrorist purposes or to mitigate malicious ICT activity emanating from their territory.

18. The Group reiterates that, given the pace of ICT development and the scope of the threat, there is a need to enhance common understandings and intensify cooperation. In this regard, the Group recommends regular institutional dialogue with broad participation under the auspices of the UnitedNations, as well as regular dialogue through bilateral, regional and multilateral forums and other international organizations.

Confidence Building Measures (extracted from 2021 OEWG Report)

41. Confidence-building measures (CBMs), which comprise transparency, cooperative and stability measures can contribute to preventing conflicts, avoiding misperception and misunderstandings, and the reduction of tensions. They are a concrete expression of international cooperation. With the necessary resources, capacities and engagement, CBMs can strengthen the overall security, resilience and peaceful use of ICTs. CBMs can also support implementation of norms of responsible State behaviour, in that they foster trust and ensure greater clarity, predictability and stability in the use of ICTs by States. Together with the other pillars of the framework for responsible State behaviour, CBMs can also help build common understandings among States, thereby contributing to a more peaceful international environment.

42. As CBMs are voluntary engagements taken progressively, they can be a first step to addressing mistrust arising from misunderstandings between States by establishing communication, building bridges and initiating cooperation on a shared objective of mutual interest. As such, CBMs may lay the foundations for expanded, additional arrangements and agreements in the future.

43. States concluded that the dialogue within the Open-ended Working Group was in itself a CBM, as it stimulates an open and transparent exchange of views on perceptions of threats and vulnerabilities, responsible behaviour of States and other actors and good practices, thereby ultimately supporting the collective development and implementation of the framework for responsible State behaviour in their use of ICTs.

44. In addition, States concluded that the UN has a crucial role in the development and supporting implementation of global CBMs. Practical CBMs have been recommended in each of the consensus GGE reports. In addition to these ICT-specific recommendations, in consensus resolution 43/78(H) the General Assembly endorsed the Guidelines for Confidence-building Measures developed in the United Nations Disarmament Commission, which outlined valuable principles, objectives and characteristics for CBMs which may be considered when developing new ICT-specific measures.

45. Building on their essential assets of trust and established relationships, States concluded that regional and sub-regional organizations have made significant efforts in developing CBMs, adapting them to their specific contexts and priorities, raising awareness and sharing information among their members. In addition, regional, cross-regional and inter-organizational exchanges can establish new avenues for collaboration, cooperation, and mutual learning. As not all States are members of a regional organization and not all regional organizations have CBMs in place, it was noted that such measures are complementary to the work of the UN and other organizations to promote CBMs.

46. Drawing from the lessons and practices shared at the OEWG, States concluded that the prior existence of national and regional mechanisms and structures, as well as the building of adequate resources and capacities, such as national Computer Emergency Response Teams (CERTs), are essential to ensuring that CBMs serve their intended purpose.

47. As a specific measure, States concluded that establishing national Points of Contact (PoCs) is a CBM in itself, but is also a helpful measure for the implementation of many other CBMs, and is invaluable in times of crisis. States may find it useful to have PoCs for, inter alia, diplomatic, policy, legal and technical exchanges, as well as incident reporting and response.

The OEWG recommends that

48. States, on a voluntary basis, continue to inform the Secretary-General of their views and assessments and to include additional information on lessons learned and good practice related to relevant CBMs at the bilateral, regional or multilateral level.

49. States voluntarily identify and consider CBMs appropriate to their specific contexts, and cooperate with other States on their implementation.

50. States voluntarily engage in transparency measures by sharing relevant information and lessons in their chosen format and fora, as appropriate, including through the Cyber Policy Portal of the United Nations Institute for Disarmament Research.

51. States, which have not yet done so, consider nominating a national Point of Contact, inter alia, at the technical, policy and diplomatic levels, taking into account differentiated capacities. States are also encouraged to continue to consider the modalities of establishing a directory of such Points of Contact at the global level.

52. States explore mechanisms for regular cross-regional exchanges of lessons and good practices on CBMs, taking into account differences in regional contexts and the structures of relevant organizations.

53. States continue to consider CBMs at the bilateral, regional and multilateral levels and encouraged opportunities for the cooperative exercise of CBMs.

Confidence Building Measures (extracted from 2021 GGE Report)

74. The Group notes that by fostering trust, cooperation, transparency and predictability, confidence-building measures (CBMs) can promote stability and help to reduce the risk of misunderstanding, escalation and conflict. Building confidence is a long-term and progressive commitment requiring the sustained engagement of States. The support of the United Nations, regional and sub-regional bodies and other stakeholders can contribute to the effective operationalization and reinforcement of CBMs.

75. To underpin their efforts to build confidence and ensure a peaceful ICT environment, States are encouraged to publicly reiterate their commitment to, and act in accordance with, the framework for responsible State behaviour referred to in paragraph 2. States are also encouraged to take into consideration the Guidelines for Confidence-building Measures adopted by the United Nations Disarmament Commission in 1988 and endorsed by consensus by the General Assembly in resolution 43/78 (H), as well as emerging practices at the regional and sub-regional levels relevant to CBMs and their operationalization.

Points of Contact (extract from 2015 GGE Report)

16. Confidence-building measures strengthen international peace and security. They can increase interstate cooperation, transparency, predictability and stability. In their work to build confidence to ensure a peaceful ICT environment, States should take into consideration the Guidelines for Confidence-building Measures adopted by the Disarmament Commission in 1988 and endorsed by consensus by the General Assembly in resolution 43/78 (H). To enhance trust and cooperation and reduce the risk of conflict, the Group recommends that States consider the following voluntary confidence-building measures:

(a) The identification of appropriate points of contact at the policy and technical levels to address serious ICT incidents and the creation of a directory of such contacts;

Points of Contact (extract from 2021 OEWG report)
The OEWG recommends that

51. States, which have not yet done so, consider nominating a national Point of Contact, inter alia, at the technical, policy and diplomatic levels, taking into account differentiated capacities. States are also encouraged to continue to consider the modalities of establishing a directory of such Points of Contact at the global level

Points of Contact (extract from 2021 GGE report)

76. The identification of appropriate Points of Contact (PoCs) at the policy and technical levels can facilitate secure and direct communications between States to help prevent and address serious ICT incidents and de-escalate tensions in situations of crisis. Communication between PoCs can help reduce tensions and prevent misunderstandings and misperceptions that may stem from ICT incidents, including those affecting critical infrastructure and that have national, regional or global impact. They can also increase information sharing and enable States to more effectively manage and resolve ICT incidents.

77. When establishing PoCs or engaging in PoC networks, States could consider:

(a) Appointing dedicated PoCs at the policy, diplomatic and technical levels and providing guidance on the specific attributes of the PoCs, including expected roles and responsibilities, coordination functions and readiness requirements.

(b) Creating inter- and intra-governmental procedures to ensure effective communication between PoCs during crises. Standardized templates can indicate the types of information required, including technical data and the nature of the request, but be flexible enough to allow for communication, even if some information is unavailable.

(c) Drawing lessons and good practices from regional PoC networks, including with regard to discussing, developing and implementing practical approaches to using PoC networks in national, regional and international contexts, including for early awareness of serious ICT incidents, with the aim of strengthening coordination and information sharing amongst designated PoCs.

78. Addressing global ICT security threats also requires global approaches that are both inclusive and universal. States could invite the United Nations Secretary-General to facilitate voluntary exchanges between all Member States on lessons, good practices and guidance relevant to PoC networks that are already in place at the regional and sub-regional levels. Such work could contribute to discussions relevant to the establishment of a directory of such PoCs at the global level.

Completion of this Survey provides an opportunity for countries to nominate (if they have not done so already) and share Points of Contact (POCs). UNIDIR will consolidate the information received and circulate an updated list to all nominated POCs twice a year. POC details will not be automatically included in survey responses, but will be available for download in a separate PDF that Member States can choose to submit to UNIDIR or not. POC details will not otherwise be shared or disseminated.

Once initiated, any communication initiated utilising the points of contact information, and any subsequent action, will proceed by mutual agreement.