End of summer updates…

One of our core focuses at GPD is promoting inclusive and value-based approaches to cybersecurity policymaking—and, last month, we launched a new Toolkit to support this.

The Toolkit’s central component is a comprehensive guide for policymakers on involving relevant stakeholders in the process of developing, implementing and reviewing a National Cybersecurity Strategy (NCSS). It also includes a repository of good practices in developing inclusive NCSSs, and an interactive map, which tracks the adoption of core cybersecurity capacity building instruments in the 54 countries of the Commonwealth. 

To mark the launch of the Toolkit, we’ve also created “NCSS Unpacked”, a podcast series interviewing stakeholders involved in NCSS processes on the ground. Listen here. 

Trust and security

• The UN Third Committee’s ad-hoc committee on cybercrime’s meeting has been postponed. There aren’t many more details available, but we know that it has to take place before 1 March, and word is that it will be early next year. That’s potentially good news for civil society—it means there’s more time to try and shape the agenda, and make the case for non-governmental engagement. We’ll be following this closely.
• Over at the First Committee, the GGE held its third meeting from 17-21 August. The next meeting is the final one, and is scheduled for May. This final meeting will be preceded by informal sessions, which will be open to non-GGE member states. We’ll share further details when they become available; see also the GGE website.
• On 26 August, the UN Security Council held a (virtual, live-streamed) Arria formula meeting on cyber attacks against critical infrastructure—with broad participation from a range of states, as well as the International Committee of the Red Cross, UNIDIR and Office for the Coordination of Humanitarian Affairs. Some key takeaways:
  • Participants agreed that cyberattacks are increasing in number and frequency and that medical facilities should be considered part of critical infrastructure (this was frequently referred to in reference to the implementation of the GGE norms). There was also a general condemnation of attacks on critical infrastructure.
  • There was widespread recognition that capacity building is essential for implementing the GGE norms relevant to critical infrastructure—with participants emphasising the importance of building shared understandings of what critical infrastructure means and how to protect it.
  • Several countries (including Belgium, Estonia, France, Denmark, Finland, Iceland, Sweden, Norway, Netherlands, and Romania) referred to human rights, and in particular the rights to health, privacy and the impact of cyberattacks on human rights. There were only a few references to the importance of engaging civil society and other stakeholders in critical infrastructure protection (Belgium, Ukraine, Malaysia and Mexico.

Finally, the second informal intersessional of the Open-ended Working Group (OEWG) is fast approaching (29 September—1 October), this time on the controversial topic of international law. Unfortunately, it seems that—once again—NGOs won’t be allowed to participate. We’ll try to find out what we can anyway—keep an eye on our First Committee info hub for updates.