On 20 March, the Geneva Dialogue on Responsible Behaviour in Cyberspace organised a masterclass, the first one in a series in 2024, to start analysing the implementation of the existing norms and confidence-building measures (CBMs) related to critical infrastructure protection. In particular, the masterclass focused on the work of regional organisations: their ongoing projects, priorities, and possible opportunities to engage relevant stakeholders to support states in the implementation of the existing norms and CBMs. The format of masterclasses allows active learning and knowledge sharing among the Geneva Dialogue experts and invited keynote speakers from different fields such as cyber diplomacy, technology, and cybersecurity. The online event took place under Chatham House rules. Below, we’re sharing some of the takeaways from the discussion.
The representatives of four regional organisations and unions such as the African Union, Association of Southeast Asian Nations (ASEAN), Organization of American States (OAS), and Organization for Security and Co-operation in Europe (OSCE), shared their experiences and initiatives in promoting the operationalisation of the UN cyber-stability framework. The four keynote presentations have demonstrated the growing maturity of regional approaches to enhance international cooperation, transparency, and trust building in cyberspace governance.
In particular, the OSCE is considered a pioneer in developing cyber CBMs, drawing on its experience in disarmament affairs. Since 2012, an informal working group has been drafting CBMs for cyberspace, leading to the adoption of 16 non-binding voluntary CBMs aimed at transparency, cooperation, and resilience. These 16 CBMs can be categorised into three main groups: posturing (increasing transparency of state posture in cyberspace), communication (facilitating timely communication and cooperation between states), and preparedness/resilience (promoting national preparedness and cyber resilience). One of the CBMs, i.e. CBM #8, involves the nomination of technical or policy points of contact for cybersecurity by participating states. These contacts facilitate communication, coordination, and exchange of information, contributing to cyber-stability.
The CBMs have also been an important pillar in the approach taken by the OAS in the Latin American and Caribbean region. The OAS cybersecurity program operates within the Inter-American Committee Against Terrorism (CICTE). In 2016, the OAS started to look at the non-traditional CBMs related to cyberspace. In 2018, the OAS adopted a resolution stressing the need to prepare and agree upon a set of CBMs for cyberspace in order to enhance interstate cooperation and transparency. One of the further successes for the OAS region was the establishment of the point of contacts directory, which currently includes over 82 cyber policy points of contacts, and 19 ministers of foreign affairs contacts. For those who may be wondering why there are no technical points of contacts, the OAS established the network of government cyber incident response teams (CSIRT) of OAS Member States. The CSIRTAmericas Network is now a cybersecurity community which includes over 47 CERTs from 22 countries along with 379 professionals.
When it comes to Africa, the countries are facing numerous challenges such as the lack of capacities, political will, and sufficient awareness among states. More specifically, the need for public–private partnerships to build capacities and means to gather up-to-date threat intelligence to promote collective responses to cyberthreats has been highlighted. Despite these challenges, the African Union has announced several important initiatives ( e.g. the establishment of the African Union Cyber Security Expert Group, aimed at providing guidance on cyber policies and strategies, as well as recents initiatives to establish cyberthreat information sharing platforms and capacity-building programs.
When discussing the developments in the ASEAN region, it was highlighted that the countries’ leaders first endorsed the voluntary cyber norms in 2015, with subsequent establishment of a working committee to develop a regional action plan. The major focus was on capacity building, i.e. the establishment of dedicated cybersecurity agencies in member states and ongoing efforts to develop regional action plans and metrics for implementing cyber norms. In 2021, the Member States also adopted the ASEAN Cybersecurity Cooperation Strategy, which outlines five focus areas for advancing cyber readiness, strengthening international cyber policy coordination, enhancing trust in cyberspace, and regional capacity building.
The ASEAN countries were also successful in advancing the regional action plan metrics developed to identify capabilities required for norm implementation and to facilitate cooperation and capacity-building activities within ASEAN.
During the session, the role of non-state actors was underscored as essential for the practical implementation of these norms and measures. Furthermore, it has been discussed that the implementation of cyber norms and CBMs is an ongoing and collaborative process requiring multistakeholder engagement. The need for improved communication, education, and institutional memory was highlighted to ensure sustained knowledge and engagement among diplomats and technical experts