Session
Organizer 1: Vladimir Radunovic, DiploFoundation
Organizer 2: Droz Serge, Swiss Federal Department of Foreign Affairs
Organizer 3: Anastasiya Kazakova, DiploFoundation
Organizer 4: Bojana Kovac, DiploFoundation
Speaker 1: Kazuo Noguchi, Private Sector, Western European and Others Group (WEOG)
Speaker 2: Bushra AlBlooshi, Government, Asia-Pacific Group
Speaker 3: Nicolas Grunder, Private Sector, Western European and Others Group (WEOG)
Speaker 4: Kaleem USMANI, Government, African Group
Speaker 5: Klée Aiken, Director, Community & Capacity Building, the Forum of Incident Response and Security Teams (FIRST)
Speaker 6: Melanie Kolbe-Guyot, Head of Digital Policy, C4DT – EPFL
Speaker 7: Maria Pericàs Riera, Project Assistant, Center for Geopolitics, Geoeconomics, and Technology, DGAP
Vladimir Radunovic, Civil Society, Eastern European Group
Anastasiya Kazakova, Civil Society, Eastern European Group
Bojana Kovac, Civil Society, Eastern European Group
Roundtable
Duration (minutes): 90
Format description: The roundtable format and 90-minute duration are tailored to maximise engagement and effectiveness for our session. The circular seating arrangement promotes inclusivity and active participation, ensuring every voice is heard and fostering dynamic discussions. With 90 minutes allocated, we strike a balance between depth of exploration and time efficiency, allowing for exploration of topics without losing momentum. This duration respects participants' time constraints while providing an opportunity for meaningful exchange of ideas and insights. Additionally, the roundtable setting encourages networking and relationship-building, enhancing the overall value of the session.
A. How can international cooperation be strengthened to develop minimum cybersecurity measures for critical infrastructure protection (CIP), recognising the interdependencies of ICT infrastructure and the potential systemic risks posed by cyberthreats?
B. In what manner can emerging technologies, such as Artificial Intelligence (AI), be seamlessly integrated into the existing frameworks for safeguarding critical infrastructure, and how can these frameworks remain adaptive to evolving cyberthreats and vulnerabilities?
C. Which strategies can be identified to enhance information sharing and transparency among stakeholders, both domestically and internationally, concerning the classification of critical infrastructure, cyber risk assessment methodologies, and coordinated incident response mechanisms?
What will participants gain from attending this session? Through a roundtable and scenario-based discussion, participants representing diverse geographical and stakeholder communities will have the opportunity to share their perspectives on the roles and responsibilities of non-state stakeholders in protecting critical infrastructure and implementing the relevant existing cyber norms and confidence-building measures (CBMs). The session will bring together leaders from different stakeholder groups to discuss these issues and, in a highly interactive simulation exercise, to exchange views and learn from one another. Attendees will thus be invited to actively contribute to the next chapter of the Geneva Manual, which examines the implementation of these norms and outlines incentives for stakeholders, challenges in implementation, and relevant best practices, drawing from both successful and unsuccessful experiences.
Description:
At a time when interdependencies increasingly span national borders and hybrid conflicts make the line between cyber and physical blurrier and, probably, less relevant, are states and relevant stakeholders sufficiently equipped to protect the most critical assets? How do the relationships between public and various private actors transform, in both conflict and peacetime, in protecting critical infrastructure? How do existing and emerging technologies affect critical infrastructure protection (CIP)? Is there a need for an international approach to, and minimum cybersecurity measures for, CIP, and what would those include? What role do the agreed UN framework and cyber norms play in CIP? Are the roles and responsibilities clear for non-state stakeholders, and how can they support states in promoting responsible behaviour in cyberspace? The Geneva Dialogue on Responsible Behaviour in Cyberspace (GD) addresses these concerns through a multistakeholder approach, engaging representatives from the private sector, academia, civil society, and the technical community in a regular dialogue. Established by Switzerland in 2018 and implemented by DiploFoundation with the support of others, the GD maps the roles and responsibilities of various actors in the implementation of agreed cyber norms and thus contributes to stability and security in cyberspace. The outcomes of those dialogues are published in the Geneva Manual, which offers comprehensive guidance on non-state actors' implementation of the normative framework agreed by states in the context of the UN GGE/OEWG. The session will bring together actors, including those from the Global South, to discuss the issues identified above, also in the format of a scenario-based discussion, i.e. a simulation exercise with the cards developed by the GD.
The insights gathered during the session will contribute to the forthcoming chapter of the Geneva Manual, focusing on the implementation of CIP-related norms and confidence-building measures (CBMs).
The session will foster a deeper understanding of the roles and responsibilities of non-state stakeholders in safeguarding critical infrastructure and implementing the relevant agreed cyber norms and confidence-building measures (CBMs). By engaging in scenario-based discussions and sharing insights, participants will collaboratively discuss a possible implementation checklist of the existing norms and CBMs outlining key actions for relevant stakeholders. Additionally, the session will highlight relevant good practices drawn from diverse experiences, offering valuable lessons to protect critical infrastructure. Ultimately, the expected outcome is to equip participants with practical knowledge and tools to support their meaningful participation in such processes, as well as encourage their contributions in enhancing cybersecurity and resilience in CIP.
Hybrid Format: The session will be structured into two engaging parts: a roundtable multistakeholder discussion led by organisers, and scenario-based discussions in smaller groups (i.e. simulation exercise). The session will start with a presentation of findings from the Geneva Manual zero draft, highlighting potential roles and responsibilities of non-state stakeholders in implementing cyber norms and CBMs related to CIP. During the roundtable, participants will discuss policy questions, with designated discussants offering their perspectives to start the conversation. Special attention will be given to participants representing youth and attendees from open-source communities, civil society, SMEs, academia, and the Global South, recognising their vital role in implementing norms despite resource constraints. Interaction with online participants will be encouraged through polls and chat discussions, facilitated by moderators. With Diplo's expertise in organising hybrid meetings, seamless engagement will be ensured for both in-person and remote attendees.
Report
A common issue identified across all groups was the need for clarity and consistency in defining critical infrastructure (CI) across different jurisdictions, with a proposed solution of starting with regional cooperation before expanding to a global level.
Another key challenge highlighted was the necessity of understanding the interdependencies within the private sector, particularly concerning software, cloud infrastructure, and internet service providers.
The importance of including civil society in these discussions was also emphasized, as it is believed that they play a crucial role in encouraging stakeholders to implement the norms for responsible behavior in cyberspace.
Protecting critical infrastructure (CI) requires addressing complex interdependencies and supply chain vulnerabilities, which often span national, regional, and international boundaries. To achieve this, international efforts are essential to better understand cross-jurisdictional interdependencies across CI. Baseline security requirements and standards for CI operators and service providers are crucial to strengthening resilience.
However, while cyber norms and international cooperation play a vital role in CI protection, challenges in implementation persist. Effective protection demands the active engagement of multiple stakeholders, including governments, industry, and researchers, to ensure a comprehensive and coordinated approach.
The Geneva Dialogue on Responsible Behaviour in Cyberspace is an initiative launched by the Swiss government and implemented by DiploFoundation with the support of the Republic and State of Geneva, C4DT, Swisscom and UBS. It focuses on connecting high-level cyber norms with practical implementation. The current phase emphasizes protecting critical infrastructure (CI) from cyber threats and operationalizing agreed cyber norms.
The recent session brought together stakeholders from various sectors and regions to explore practical measures and international frameworks for CI protection. A scenario-based exercise, simulating a cyberattack on a fictional cloud service provider, served as a foundation for discussions on implementing norms, securing CI, and addressing cross-jurisdictional challenges.
Key Themes and Insights
1. Defining and Identifying Critical Infrastructure
A major challenge is the lack of consistent definitions of CI across countries. Maria Pericàs Riera (DGAP) noted that over 40% of countries do not publicly define their critical infrastructure, complicating the establishment of common norms. Dr. Bushra AlBlooshi (Dubai Electronic Security Centre) and Kaleem Usmani (CERT-MU) emphasized the need for regional or international agreements and thorough national asset inventories to understand interdependencies.
Anastasiya Kazakova (DiploFoundation) highlighted the difficulty of identifying cross-jurisdictional interdependencies, which often span national, regional, and international levels. Nicolas Grunder (ABB) stressed the importance of precise CI definitions to support effective protection.
2. Protecting Critical Infrastructure
Baseline security requirements for CI operators and service providers emerged as a critical need. Kazuo Noguchi (Hitachi America) emphasized practical measures like backup systems and geographic distribution, while Paola Nkandu Haamaundu stressed the importance of staff training and awareness programs.
Discussions also underscored the complexity of interdependencies. Dr. Bushra AlBlooshi noted that we need to define critical sectors, map their interdependencies, and anticipate the cascading effects of sector failures. Vladimir Radunovic (DiploFoundation) added that securing supply chains is equally critical, given the interconnected nature of hardware, software, IoT, and people.
3. Role of Cyber Norms and International Cooperation
Cyber norms were seen as essential to reducing risks to CI. Kaleem Usmani highlighted their role in guiding responsible state behavior, while Klée Aiken (FIRST) emphasized the importance of threat intelligence sharing. However, Melanie Kolbe-Guyot (C4DT-EPFL) questioned whether cyber operations can entirely avoid targeting CI during conflicts, raising ethical and operational concerns.
4. Challenges in CI Protection
Several challenges persist in CI protection. Dr. Bushra and Vladimir highlighted the complexity of interdependencies and the risks of cross-border impacts. Imad Aad (C4DT-EPFL) pointed out the difficulty of securing supply chains, while Anastasiya stressed the need for greater transparency from states to facilitate stakeholder support.
Vladimir Radunovic also noted the unintended consequences of cyberattacks on service providers, like the fictional OmniCloud, which could disrupt multiple sectors and countries.
5. The Geneva Manual and Operationalizing Norms
The Geneva Manual provides practical guidance on implementing cyber norms and protecting CI, and the document aims to bridge the gap between high-level agreements and on-the-ground actions.
Takeaways and Next Steps
- Greater international efforts are needed to understand cross-jurisdictional interdependencies in CI.
- Addressing supply chain vulnerabilities and establishing baseline security requirements are essential.
- Cyber norms and international cooperation are key, though implementation challenges remain.
- CI protection requires the active engagement of governments, industry, and researchers.
Action items include finalizing the next chapter of the Geneva Manual by early next year, developing scenario-based exercises to foster discussion, and increasing participation from developing countries in the Geneva Dialogue.
The session concluded with a call for inclusive dialogue and practical action to address the complexities of CI protection in an interconnected world.