IGF 2021 – Day 0 – Event #131 Programme of Action (PoA) for advancing responsible state behaviour in cyberspace – why do we need it?

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> MIROSLAW BROILO:  Good morning and, depends on the time zone, good evening, good afternoon.  First of all, I would like to thank you very much for coming.  I would like to cordially welcome all participants here gathered in the audience and those who are following our event online.  Let me check with our technical team whether our panelists online are with us.  Do we have all panelists on board?  Could you confirm, please?  Mr. Pablo Castro?  Ms. Kathryn Jones?  And Dr. Patryk Pawlak?  Yes, they are here.  So we have an audio and we have video.  Okay, I think we can officially start our panel.

Ladies and gentlemen, since the frequency, I would say complexity, and sophistication of malicious cyberactivities in the cyberspace have been steadily and constantly growing, the international community seeks a proper way to address this issue and to cope with this dangerous phenomenon.  The international debates are ongoing in different fora and at different levels, starting from the United Nations level through Regional organizations and including non‑governmental multistakeholders.  Today we are going to speak on initiative Programme of Action for advancing responsible behavior of states in cyberspace.  This is an initiative led by France and Egypt, which currently is supported by 54 states.  And this is another attempt to find and to set up kind of international Global Platform, international framework, for addressing cybersecurity issues in more practical manner, and practice tall is a very important word in this context.

We invited representative makeup of panelists to address this issue.  We have one panelist with us onsite, Mr. Ambassador Henri Verdier from France, and we have 3 panelists online.  Let me briefly introduce them.  Mr. Ambassador Verdier is Ambassador of Digital Affairs at the Ministry for Europe and Foreign Affairs of France.  He's a very experienced diplomat, and as a matter of fact, he's one of the Masters of Programme of Action.

Online we have Ms. Kathryn Jones representing Foreign, Commonwealth and Development Office of the United Kingdom.  Kathryn is the head of International Cyber Governance unit at the FCDO, and she has long experience in dealing with telecommunication and Digital Affairs.

From the Western hemisphere we decided to invite Mr. Pablo Castro, who is a career diplomat at the Ministry of Foreign Affairs of Chile, and who is supposed to tell us more about the Regional dimension of Programme of Action.

And last but not least, Dr. Patryk Pawlak is today with us, as well.  He is Brussels' Executive Officer of the EU International ‑‑ Institute of the EU International Studies, and we expect that Dr. Pawlak will give us a little bit more of a scientific ‑‑ will look at this issue from the scientific point of view.

Let me start with the first question, the same question which I'm going to address to each of the panelists.  I think that we can all agree that the current year 2021 was quite successful in terms of the results of international debate on cybersecurity issues.  Two important reports have been adopted, first by Group of Governmental Experts, actually 6 additional GGEs, and the second one by Open‑Ended Working Group.  Moreover, Russian Federation and the United States have decided to table within the first Committee of the UN General Assembly common draft of Resolution dealing with cyber issues and it was a successful step because this Resolution was adopted without voting.

And my first question is as follows:  In this I would say geopolitical context, in your view, what makes Programme of Action still attractive and still needed?  And I'm asking first Ambassador Verdier to answer this question.  Please, Ambassador, the floor is yours.

>> HENRI VERDIER:  Thank you very much.  First of all, I would like to warmly thank Poland for convening this panel and PoA initiative.  This is a timely opportunity to discuss this initiative, to clarify its objectives and further elaborate on its possible content, including ‑‑ and that's why it's so important to have this conversation ‑‑ within the IGF with all interested stakeholders such as states, private entities, Civil Society, researchers.  I say also a great hello to my friends and counterparts, U.K., Chile, and Poland, one of the first co‑sponsors to support this initiative, so we are a team now, and we work together.

So I will be brief, but your question was with a small explanation, because of course, during the past few years, we, no, the past 20 years, we have collectively achieved a number of important diplomatic results in cybertalks at the United Nations and, yes, as you say, the last Open‑Ended Working Group and the last Governmental Expert Group have adopted substantive final reports, very important, which reaffirms the applicable framework for responsible state behavior in cyberspace, which deepens the common understanding of this framework offering guidance for implementation, as well as useful recommendations and confidence‑building measures, capacity building and international cooperation, and we do welcome and we do respect those results.

When I tried to explain to my daughters why this process matters and why I have to leave France for such long periods, I say that probably if we didn't have a real cyberwar during the last 20 years, it's because of this work in the United Nations, because we understand each other.  We agree on norm of good behaviors.  We explain the level of aggressions, the level of escalation, we exchange about attributions, so that's very important.  And, yes, this year during this first Committee these two reports have been adopted by General Assembly in a single consultation so, yes, we understand that after the trauma of a dual track process during the last three years it's not time for no one and even France want a new dual track process but, and I want to take a few tames to explain this, we are not speaking about a dual track process.  We are not speaking about two concurrent tracks.  We are speaking about a second approach complementary to the first one and to mention this, in the final report, both the Open‑Ended Working Group and the GGE have noted this proposal for Programme of Action and recommended to further elaborate these.

Because I will start with a very simple analogy, which is not in my paper.  Let's think about what's happened in our life, in our lives.  The police does protect us, but we close the doors and windows of our houses, so we need a certain level of security to make possible for the police to protect ourselves and to make it simple in cyberspace, we didn't work enough but the strengthness about the resilience about the quality of the cyberspace itself, we didn't engage enough effort to allow the companies to have better IT.  We need companies to agree together on norms on good products or contracts.  We need to work with the States to help those who need this to build serious capacities, I'm speaking about CERT, about cybersecurity entities, but also about good laws, policies, justice.

We need to build data together to help research, to understand forensic security, et cetera.  Maybe we need to build together for example an index of cybersecurity to understand where we are weak and so that's the idea of the PoA.  The idea of the PoA is to have an action oriented concrete body within the United Nations to not ‑‑ so first to implement the good ideas and good Resolutions of the Open‑Ended Working Group and GGE processes, and, yes, there will be a second document and they will continue together to elaborate better norms, better Confidence Building Measures, better understandings of the norms and international law, but we need also and also within the United Nations and also within inclusive body to work, to build concretely better cyberspace, and so the Programme of Action is a status that does exist within the United Nations.  For example, it does exist, Programme of Action for small arms and light weapons.

This has some advantages.  First, I don't know if everyone knows this, when we have an Open‑Ended Working Group or GGE, we decide for 3 or 5 years.  We nominate a Chair, but we have to renegotiate every year and we don't have a permanent Chair or a permanent team, so we need ‑‑ and there is, I did participate in two of these process ‑‑ there is a final week of negotiation effects so everyone prepares the last week so everyone, so the last month we do prepare the last week, the last week we do prepare the last month.  There is a lot of and too much strategy.

So if we have an endless program we have to deliver every year because we don't have these finite line effects and then we can have a permanent body and because we have a permanent body, we can build some tools for example a PoA for small arms and light weapons, publish the index of disarmament every year so that's an official function of this period so I consider that we need this complementary tool and both of them, the new Open‑Ended Working Group and the PoA should be very inclusive and used by everyone.

And just to conclude because maybe I'm a bit too long, I consider maybe we will exchange about this, we could mention two in particular eras which the PoA may be needed as an effort complementary with the Open‑Ended Working Group.  Firstly concretely supporting the capacities of states to implement agreed cybernorms, so the GGEs, the Open‑Ended Working Group did recognize that the international community's ability to prevent or mitigate the impact of malicious ICT activity depends on the capacity of each state to prepare and respond, but to build these concretely we need to open a work stream.

Every state should be encouraged to express their needs and identify capacity gaps that they face and implementing a solution.  For example we could use tools such as the National survey of implementation that was promoted by Mexico and Australia during the Open‑Ended Working Group and then we'll be able to target corporation action and then and I hope the PoA will have money, will be able to give money to finance capacity building.

And the second point is that, yes, this process is PoA or Open‑Ended Working Group, because we speak about international law, we are a bit open.  We consult and listen to Civil Society, but we cannot be as open as we need, because we cannot decide international law with complete community.  We can exchange a lot but we cannot vote altogether, but when we'll speak about concrete security, norms of good practices, actual implementation, we will completely ‑‑ or capacity building, we'll completely need the civil societies, the multistakeholders and in return with all the co‑sponsors to build a really multistakeholder body, and so we'll have to discuss.  That's why we'll take one year, we intend to propose in the next year, but to organize a governance.  So for example maybe we need a permanent Forum of Civil Society.  Maybe we need to create a status of observance for the Civil Society to the part that involves states, et cetera, et cetera.

So those two very important issues, how to organize targeted and precise and efficient capacity building supports, and how to build concrete and solid governance with the multistakeholders as to our two important parts of the period.

>> MIROSLAW BROILO:  Thank you very much for your comprehensive answer and these explanations.  Let me just underline maybe three elements.  You've mentioned that PoA is not a dual track process.  At OEWG this is a very important statement.  Secondly this is a complementary approach and you mentioned also capacity building as a perspective, the most prospective goal of Programme of Action.

With the same question, the same question I address now to Kathryn Jones.  Please, we are interested in what is your perspective concerning the role of PoA in the current geopolitical context.  The floor is yours.

>> KATHRYN JONES:  Thank you, Miroslaw.  It's great to see everybody and I'm very sorry I couldn't be there with you today.  It's always great to hear Henri Ambassador Verdier talk about his vision for this project and we really are excited to be able to play into this work.

I think starting with your question Miroslaw, 2021 was indeed a lot more successful than many of us could have hoped and I think we sincerely welcome the consensus reports and the Resolution that we secured this year but we also mustn't be complacent.  Those processes were really hard fought and at this points this very welcome situation we find ourselves in didn't seem totally attainable so we remain quite clear eyed that although we've overcome the disappointment of not finding agreement in 2017 in the previous processes, there's still a lot of work that we need to do together to cement that progress.

For us in the U.K., we've had disagreements with various countries about how to move forward in this work, but the reason that we look towards that Programme of Action as a viable proposal in this space is that any approach that takes us forward that builds on those areas that we do agree on and continues the progress we've made without reverting back constantly to those fundamental disagreements, that has to be really welcome so it's within this context the U.K. thinks that a Programme of Action could make a really significant contribution to our shared aim of upholding stability in cyberspace.  The core benefit of a Programme of Action nor us lies in its ability to deliver practical change as Henri was saying, by focusing on the implementation of agreed measures, so in our case, the international community has already agreed on effective framework for responsible state behavior in cyberspace and that can guide states in their actions but to support our shared aim all states have to be willing and able to implement that framework.

So assessing our National progress with the framework and identifying shared challenges, capacity gaps, best practice and expertise on these issues is crucial if we're going to move forward.

International community's ability to prevent or mitigate the impact of malicious ICT activity as Henri said depends on the capacity of each state so we have to strengthen international cooperation and we have to support the capacities of all states in an inclusive and coordinated and efficient manner, and that's the change that we think the Programme of Action could deliver here.  The challenge for many states of implementing the framework when they only have limited capacity can't be overlooked here.  It's a real challenge for many.  Cyberskills whether we're talking operational all the way through to policy are a constrained resource.  And of course secure and well maintained infrastructure which supports the latest technologies is very costly so a really strong capacity building focus to a Programme of Action will be a precursor so its success.

The political Declaration and high‑level engagement that usually accompanies a Programme of Action process is therefore an opportunity for states to raise cyber international and national agenda, leveraging greater political awareness and commitment at the very highest levels will help all states secure this topic the priority it deserves and ensure our international cooperation truly does deliver.

And the U.K. also believes the time has come for the UN to commit to regular institutional dialogue on in a way that sets out a roadmap for future engagement.  It's really important that our roadmap we set out can't be static.  It has to be sufficiently flexible to remain in step with the latest developments in technology which we know we have progresses so quick.  It has to work with the exponential advances we see in technology to preempt and to respond to risks in cyberspace.  We believe the Programme of Action can meat that need for flexibility through its combination of review conferences which set the program of work for the strand and the technical meetings.  Importantly those review conferences provide a periodic opportunity to assess whether additional actions might be necessary to review work plans and priorities and implementation, and to ensure that the Programme of Action remains relevant and responsive to states' needs.

But the roadmap also has to provide for action rather than argument.  To date all of the UN Forums on international cybersecurity are deliberative processes to create dialogue and exchange rather than to take action and the time for focusing only on discussion has passed.  We must now implement agreed cooperative measures to address the threats we see in cyberspace.  But of course we continue to also need dialogue and that's where Henri's comments about this not being a dual track process are particularly important.  Dialogue provides foundation of our cooperation and that's why the PoA should provide the states to decide to update the framework by including new principles or recommendations and commitments if consensus agreement is found in another UN process, or by consensus agreement during the review conference.  But there's really no substitute for strengthening global capacity and practical cooperation.  We can't afford to hold up practical efforts to increase our shared security while we nurse those long‑standing differences and approaches I referred to at the beginning.  The U.K. believes the Programme of Action will enable states to make progress and cooperate in practical ways whilst also building platforms that support any future agreements and that's why we support it.  Thank you, Miroslaw.

>> MIROSLAW BROILO:  Thank you very much for presenting your perception of PoA.  And you mentioned many important elements to some extent complementary to what Mr. Ambassador said.  Let me just mention your fundamental question how to move forward this process which is very important.  Secondly, how to overcome capacity gaps.  Then how to raise political awareness and how to start regular institutional dialogue.

And now I'm asking the same question, Mr. Pablo Castro.  Thank you very much for joining us, first of all, because I guess that in your time zone it's relatively early.  I don't know, what time is it in Chile?

>> PABLO CASTRO:  Thank you very much, Miroslaw.  No, it's 11:10, so it's not bad.

>> MIROSLAW BROILO:  So not so bad.

>> PABLO CASTRO:  And it's summer.

>> MIROSLAW BROILO:  Thank you.  The floor is yours.

>> PABLO CASTRO:  Thank you very much Miroslaw.  I'll say hello to Kat, Patryk, very good friend, Henri, bonjour, Henri, and I have to say I fully agree about what Kat and Henri already said.  It's very complete, and another perspective of Chile and have the same in some way for the perspective of Latin America.  Of course when ‑‑ what the PoAs offer in terms of actions and implementation it's very, very important and I think it's quite timely in my work for example from the Ministry of Foreign Affairs, when we try to, of course, work with other National agencies trying to engage them in the United Nations processes, sometimes they see those discussions as Kat said as just a very interesting dialogue but not real concrete measures and those agencies sometimes are very technical.  They're very concerned about cooperation and collaboration.  For them cybersecurity is about to face our threats and incidents all day so the question is okay, how this discussion about application of the National law or norms in our work and National processes and of course my job is trying to convince them to say yes, this is a very important discussion that's going to affect also your work and output of National policies but they're always asking about what else?  What are the concrete steps we're taking on this?  Where's the international collaboration?  Where's the implementation?  So I think in that case the PoA makes a difference.

I think it's also I think it's my sense, there's a sense that after maybe 20 or more years of having this discussion at the international level we definitely need to move on and start to do more concrete things, steps and from the perspective of Latin American capacity, it's essential.  I have to say it's probably the most strategic aspect of our discussion on cyberspace and cybersecurity because it allows also you to face better other discussions.

For example, the whole discussion, the application of international law, 5 years or 6 years ago in Chile would not be possible to develop our National policy or to have some kind of positions.  Right now, thanks to the training of the capacity building was offered especially for the organization of American states, we have a special expert of the Government and we're ready maybe to move on to develop our National position, so capacity building is actually a solidifying factor.

And I think the PoA is putting the main focus on this approach.  I'm very optimistic ‑‑ that's probably the reason I'm very optimistic about the future of the PoA because, and maybe this is, what I'm going to say is very ambitious, but I think the PoA in some way is the next step of the evolution in our multilevel discussions.  I think sooner or later the states are going to stand is whether the PoA is offering is what we need right now and we need it in the coming years.  Because I don't think the situation is getting better in terms of what is going on in cyberspace right now.  Geopolitics every day is more complicated.  It affects cyberspace, and the challenges are every day more difficult to face.  So far, the dialogue, the exchange has been great at the level of the United Nations at the Open‑Ended Working Groups.  You're describing in your question about the result of the outcomes are really good.

Maybe the question is:  Are they good enough?  And I think right now and in the next years definitely we need to move on and start to as a state we definitely need to demonstrate that our discussion, our dialogue offers concrete step and solutions of our state, from the perspective of Latin America which is one of the key factors why so far we joined the PoA.  I'm pretty confident that more states in our Region will understand this proposal because it fits quite well about what we have in our regions and with our needs.  That's from my side.

>> MIROSLAW BROILO:  Thank you very much, Pablo.  I think that you underlined one important aspect that we still need to do kind of homework to raise a little bit awareness of capacity building in our states, because as you mentioned, many agencies focus mainly on technical aspects of cyberspace, and in fact, we need to build the resilience of our states and of our societies, and this is ‑‑ there is a lot to do in this context.  And thank you for your optimistic view, your optimistic perspective on PoA.

And as you rightly stated, 2021 was good in terms of international debate about it's not necessarily enough.  So we have to do more.

And now I'm wondering what is the EU, what is the Brussels perspective?  How do you see the importance of PoA from 2021 onwards?  Please, Dr. Pawlak, the floor is yours.

>> PATRYK PAWLAK:  Good afternoon.  Of course I cannot claim to speak for the EU.  I wouldn't even dare.  I can share my very modest views on the PoA, and as you also said in your introductory remarks, I think I'm going to disappoint on the scientific approach to PoA.  I would love if there was a science to the discussions about PoA that we have these days but unfortunately this is not the case yet.

So maybe let me start with a few observations and then answer to your question, Mr. Chairman.  So I think my first comment would be that when I think about the PoA, I think very often about some sort of a mythical creature.  I do not really know what it is, or it seems to be the combination of several different elements.  Even on this panel today, we have heard references to it as a platform, a framework, a body, and I think if we really want to move the conversation forward and bring new partners onboard we need to be very clear about the language and what this is that we're really talking about.

And I think the different references are not necessarily helping different stakeholders in getting really clarity about what we're talking about.  Now, the good news is that every meeting that we organize on PoA, in my view, brings a little more clarity about what it is that we're talking about, so even today, I think I got a few answers to the questions I've been asking myself, and I will get there in my presentation.

Now, your question was about how does the PoA fit within the strategic competition given the outcomes that we have had in the GGE and Open‑Ended Working Group.  And I think my first comment would be to maybe abstain from presenting the PoA as an element in the geopolitical competition.

I think we should be really very careful about how we present it to the partners in the outside world because I actually think the PoA is the answer to, as Ambassador Verdier said and Kathryn, to something that the international community has been really waiting for, this action oriented permanent mechanism that will actually get ‑‑ give us this kind of get‑out‑of‑jail card if you want, get out of jail card being always being stuck between the big powers negotiating and deciding, what are we going to go for the UN GGE or maybe in the Working Group.  This gives the whole international community this permanent structure that takes this politicization of the debate really away and gives everybody a chance to participate.

So I would not present it as a sort of, another element in the geopolitical competition we have seen in the past but rather as a departure maybe from what we have seen in the past and something that is supposed to complement indeed the discussions that we're having but really set them on the content and the action as Kat said rather than continue with this politicized debate about the format.  Of course, that's partly wishful thinking because the PoA got already politicized.  That ship has sailed.  We have seen at the end of the Open‑Ended Working Group that Russia and other group of countries have been quite juice spoken when it comes to criticizing PoA for being this last minute addition to the conversation.  But frankly I think it's a compliment because it seems that they are afraid and they perceive this potential as something that indeed would take this ammunition away from them in politicizing the discussion.  But this observation comes with a few words of warning I would say.  The concept now even on the panel today some of the speakers were referring to the PoA as facilitating implementation of the consensus framework for responsible state behavior, and I think there is a word of caution there, so yes ‑‑ so, yes, we have the consensus reports, but we have to be very careful not to take those reports as everybody agreeing with the reports.  The Chair of the Open‑Ended Working Group has published a report that clearly identifies where states have taken different views and would like to see a separate path.  In the National submissions by many of the countries, we also hear this repeated statement:  You know, this deal, if you want, these reports, are not ideal, but for the sake of progress, we are not going to block them.

And I think not blocking and being ‑‑ giving approval to something are different concepts, so we have to know that when we talk about PoA as a way to implement something, this idea of implementation is already loaded and takes specific position and I think that is not necessarily so clear‑cut in my view yet and there will be further conversation.

But having said that, I think that indeed, the parallel track that will be taking place in these discussions in the Open‑Ended Working Group could give us more clarity on actually where those agreements are, where do we still have certain disagreements, despite of course everybody having voted for the consensus reports.

I think one thing maybe that I think would be quite useful as well, as I said in addition to this reference about the mythical future for me at least would be to get an understanding whether PoA is a goal or a tool and I really hope that it's a tool, that it's a tool towards strengthening states' commitment towards responsible state behavior in cyberspace.  But if it's a tool then I would also think maybe if we have already certain mechanisms or examples from the outside of the UN as well, that could help us design and make this tool very effective and I've been thinking about it, and one that came to my mind is really this similarity of approach or thinking between the Budapest Convention and the GLACY+ program which was very much capacity building focus so if you think about the framework of responsible state behavior as a political commitment similar to the one we have in Budapest Convention when it comes to the fight against Cybercrime, then the PoA becomes the mechanism towards the implementation, and I think where the important lessons lie that when the Budapest Convention was negotiated and signed, mostly European countries have signed up to those from the Council of Europe, nowadays there are many more countries that have either acceded or made legislation aligned or compliant with the Budapest Convention and that's thanks to GLACY+ capacity building projects that have been implemented globally.  I'm wondering whether there are lessons to be drawn for the PoA.  Can PoA become the GLACY+ if you want for the first Committee conversation where by we through this hard work for capacity building we actually convince people there is value in adhering to the framework of responsible state behavior like many countries have understood the values of the Budapest Convention in their own fight against Cybercrime and that could be an interesting exercise.  I must say I have not gone throughout fully so I'm sharing some of the ideas that were born from my head today but I think there might really be something and the easier task here is I think that the Budapest Convention and the criticism we hear is it was negotiated by Europeans only so there's a much smaller, but in the framework of responsible state behavior as we have heard has been discussed in the UN for over 20 years, the Open‑Ended Working Group report and the UN GGE report got the universal approval of the General Assembly so this political buy‑in is much higher in terms of the first Committee discussions and I think that could be maybe one interesting avenue to try to gain more political support for the idea and I'll stop here and look forward to the discussion afterwards.  Thank you.

>> MIROSLAW BROILO:  Thank you very much, Dr. Pawlak, for your political analysis which I very much counted on so thank you.  I'd like to mention one caveat you've made very, very interesting, two reports have been adopted but the question still remains whether everybody agrees on this report.  This is a very interesting point of view.  Around you are right we have to be much more clear about the language whether it's platform framework but you proposed something which I like very much, action oriented permanent mechanism.  It sounds very good.  We are running a little bit out of time in this panel and we have ahead of us a second round of individual questions to each of the panelists so my kind request is to limit your intervention to two up to three minutes, not more, and let me again start with Ambassador Henri Verdier.  The first question I would like to pose is following ‑‑

France is the co‑founder of a Programme of Action and had a great influence on its current shape.  I wonder what is your long‑term vision of the PoA in terms of membership, in terms of structure and the main tasks which PoA supposed to realize in the future?  Can you make certain projection how would you imagine PoA let's say in 10 years from now?

>> HENRI VERDIER:  In 3 minutes.  Just one simple idea, probably the PoA was born in my mind during ‑‑ so you may know that France did launch the Paris call for cybersecurity and so here we have a huge multistakeholder organization with more than 1,200 supporters and one is the CTO of Air France KLM, and one day Jean‑Christophe Lalanne told me, what did you do for me?  Okay, you work hard in the United Nations, I am more security than 20 years ago, what did you do concretely for me?  And in fact it was the beginning of can we end this culture of "catch me if you can."  In French we say ‑‑

[ Speaking French ]

"If you don't see me, you don't catch me."  Can we improve the security of cyberspace which we want to improve just with norms and international law?  That's why Patryk was right, it's not a geopolitical approach.  It's not a bloc against another bloc.  Maybe some big cyber corporations would be made more difficult to enter into the system, but it's not bloc against bloc and then I say also to Patryk that yes we started with a very open and simple proposition, because we want to build this together, because we want to integrate new supporters and to listen to them and to take more and more good ideas and yes, and if some countries say it was a last minute addition, here they did lie because in fact, we did propose with Egypt this idea the first trimester of the beginning of the Open‑Ended Working Group so we are speaking about this idea since 2019.

And in fact, it's not our fault if someone did propose to make a second Open‑Ended Working Group without waiting for the conclusion of the first one so that's important.  So what I dream in 10 years, that's a very good question, we should always ask what do we want in 10 years?  First, I hope an inclusive PoA with every Member State of the United Nations.  I need a PoA that did help in 10 years all of the states to have a good CERT, a good law, and a good police and a good justice to protect itself and to better cooperate with other states.

I hope ‑‑ I have a lot of ideas but I have 2 minutes so I conclude ‑‑ that we'll ‑‑ we did in 10 years organize a better cooperation with the Private Sector on especially to disseminate the best practice and to promote a culture or maybe norms of good practices about security by design, because as a former tech guy, I consider that security starts in the product, and I hope that we will be able to publish this index of cybersecurity, because again, as myself a former CTO, you know what?  We know that some solutions are weak, and that some solutions ‑‑ a lot of attacks pass through every time the same solution, and we consider that it's time to publish this, engage a race to the top and a good competition between companies, and to conclude, I hope that my friend Jean‑Christophe Lalanne will help me saying now I feel more secure.

>> MIROSLAW BROILO:  Thank you, Ambassador.  Just one sentence, inclusive PoA with full membership.  Our aim.  Another question I'm going to address to Ms. Kathryn Jones.  Dear Kat, the United Kingdom has a long and rich experience and history in delivering development assistance, so let us come back to capacity building and I'm wondering, how do you see the importance of the capacity building within the PoA?  And how it should be and how it could be realized in practical terms taking also into account diversified membership of the PoA now and even more in the future?  Please.

>> KATHRYN JONES:  Thank you, Miroslaw, so I thought Pablo's comments on this angle were particularly important, so obviously the U.K. is committed to cyber capacity building internationally and since 2012 we've committed more than 36 million pounds partnering with over 100 countries in this air gentleman to try to deliver this practical real world change we're now talking about as part of the PoA.

But we know states are increasingly concerned about the implications of malicious use of digital technologies and concerns around the international peace and security angle but also around human rights and of course development.  That concern isn't surprising because all states now really understand the transformational benefits to economic Growth and Sustainable Development that such technologies can support and deliver so it's increasingly vital we find ways to harness the benefits of those technologies whilst preventing responding to any misuse and to make good on these benefits we can't simply ban those technologies so we need to help states develop capacities to use them in a responsible and a secure manner and that's why capacity building has to lie at the heart of the Programme of Action.

Also being working on this sometime together we know our efforts thus far while significant haven't really moved the dial in terms of sufficiently strengthening international cooperation to develop states' capacities so the Programme of Action provides an opportunity to do more to understand the diverse challenges faced by different states in terms of implementing a framework for responsible state behavior.  To deliver on that aim it will be really important to clearly map the specific needs and challenges faced by different states, and I think states could assist by reporting on their National implementation efforts as Ambassador Verdier mentioned so we can identify best practice and actionable recommendations for responding to the challenges that we share here.

We believe that helping states to secure concrete support for capacity building efforts that respond to those challenges will also be a key element of this work so we need to mobilize funds.  We need to match needs to solutions and we need to coordinate efficient and effective delivery in line with the principles of capacity building agreed in the OEWG last year.  That's no easy task but there's still more we can do.  The Programme of Action could have an advantage here, both through the increased political commitment it could generate and through its approach to inclusive participation drawing together those who are already working in this sphere.

So fostering meaningful engagement within the Programme of Action will bring expertise and resource that makes a practical contribution to our shared security.

So to summarize the U.K. previous the Programme of Action has a lot to deliver on capacity building in this area but we're only one part of the capacity building cycle.  The Programme of Action will only succeed if we learn from states involved in the process, how best to manage the needs and the expectations of the community so as to deliver those practical outcomes, and that's why we're committed to inclusive consultation on this issue, both through the upcoming Open‑Ended Working Group but beyond so we look forward to hearing from others on how we can deliver this much‑needed promise from the Programme of Action.  Thank you.

>> MIROSLAW BROILO:  Thank you, Kat, for your perspective and thank you for mentioning sustainable development which linked this discussion to the importance of SDGs, as well, and definitely political commitment is needed to advance our job concerning PoA.

Let me now address question to Mr. Pablo Castro.  Pablo, Chile belongs to the Region which is quite prominently represented in the Programme of Action in comparison to other regions.  I wonder what added value do you see in this initiative from the Regional point of view?  What immediate benefits it could bring to foster cybersecurity in your but also in other regions?  The floor is yours.

>> PABLO CASTRO:  Thank you, Miroslaw.  I still remember when the CBM proposed the French embassy here in Santiago about the PoA and I started some consultations in combination with my colleagues from Colombia and Argentina and we all agree that the PoA was things we were waiting for for maybe a long time.  I will mention capacity building of course but the idea having a permanent platform for conversation, discussions, to be inclusive, the promise of the idea that from this PoA we can get something that could be important for our National policies and our own development I think was very seductive from the state of Latin America.  I'm very positive we can engage more states in our Region.  I think Patryk is right when he says, what is the PoA?  We need more outreach in this case, more PR.  Maybe a website or something, and other states with know better about this especially Ministry of Foreign Affairs.

And from the perspective of Chile and I want to thank the Budapest Convention and the GLACY+ project and one of the reasons why we decided to join because National agencies especially the prosecutor's office was telling to us look, if we're part of the Budapest Convention we also the chance to get training and capacity building from the GLACY+ project and from judges and Prosecutors' Office in the Cybercrime domain which is very important key factors from our first ‑‑ from our Cybersecurity Policy and was very important elements of joining the Budapest Conventions.  We have other elements but this was a key factor, and I'm sure that was the same for other states in Latin America, who also decide to join the Treaty, and even I remember that we were having conversation with other states and how to use the Budapest Convention is, it was also the promises about getting that sort of collaboration which is a key factor in our Region and of course in other ones, so I think what Patryk said is very, very important, and we have expertise to find members.  It was the first time we heard about this proposal in 2015 was look, it was very capacity building oriented.  Well, this is something which we need.  At that moment, Chile was working with the first National cybersecurity policy and making these policies we're quite clear that we definitely need a lot of assistance, exchange points of view, experiences of other states and it's something that has not been changed during the last years, and I think it's common things for other states in our regions that our same conclusion is probably the most important animus why we value joining the PoA.

>> MIROSLAW BROILO:  Thank you very much Pablo and thank you for mentioning once again the Budapest Convention.  This is a very good example of I would say a very wise approach of states to join international legal instrument also from the point of view of building National capacity.  Very important aspect.

We have 5 minutes, 3 minutes for Patryk and 2 minutes for summing up our discussion.

Poland as a state of the European Union highly values the debate on cybersecurity issues.  Could you share your role what role for the EU and its Member States do you envisage as far as further development of Programme of Action?

>> PATRYK PAWLAK:  I'll try be very brief.  Let me add one more thing about Budapest and GLACY+.  I don't want to leave everybody with the position we're merging two tracks from the committees here and I just want to be clear that I meant it more as sort of a mechanism that was very successful in the Budapest Convention, and that might serve as an inspiration for developing the PoA and promoting it internationally.

But to your specific question, I think for me the most important thing already that has happened with PoA and I think kudos to Henri for doing that is really we managed to reappropriate again the language of capacity building.  I remember when the Russian Resolution about establishment of Open‑Ended Working Group was put on the table, it's basically capacity building after capacity building after capacity building.  And I think it was a very set thing to work towards, something that is such a successful mechanism, let's say, of the Western democracies got completely appropriated by a country like Russia that frankly doesn't even invest in capacity building so that was really quite interesting to watch and we have sort of abdicated that conversation slightly so I'm very happy we're reappropriating it again and putting our own spin on it.

Now, when it comes to the EU Member States, I think the important thing for us to do is first of all to be, to continue to be drivers of the process.  The EU Member States to really take the lead in explaining to all states how this process benefits all stakeholders and how this is really this viable alternative to geopolitical competition that other big players are engaging in.

Now, I think in order to be successful at the end, we also have to be credible and the EU needs to demonstrate how the approach can work in practice and I think we have good examples for that already so we have to start delivering and start using the examples of what's already happening.  Henri is very familiar with the French engagement in Senegal with the Regional capacity building center that has been there for years now.  There are many more projects that the EU and individual Member States have been funding.  We have to really start showing that this action oriented capacity building focused approach can really bring results and then makes ultimately everybody happy.  We do not have to wait for the vote in the UN General Assembly, in my view that sort of rubberstamps the Programme of Action to show everybody that this approach can work.  I think we should follow the different logic.  We should actually ‑‑ while negotiating should already be showing everybody that this is what we mean.  These are the examples how we think this action oriented impactful model could work and we want everybody to be part of it and I think only then we can really get this political support at the end of the day.

And I think final for the EU, I think it would be a big miss if we didn't try to become a much clearer or define more clearly the role we see for the Regional organizations in the PoA.  EU being Regional organizations itself, I think we have this mandate and I think maybe even responsibility to show everybody how Regional organizations can play a role and I think we should really take it more seriously.  Thank you.

>> MIROSLAW BROILO:  Thank you very much.  We managed to reappropriate language of capacity building EU as a driver of the process.  Very important statements.

We need to finish.  Let me first of all thank our distinguished panelists for your participation, for your engagement and for sharing your very rich perspective on the PoA and let me thank our audience here in this room and everybody who followed our event online.  Thank you very much.

[ End of event ]