Brazil is the world’s eighth largest economy in terms of GDP, and by far South America’s most populous and powerful state. While the country has suffered economic and political crises since 2014, it has made significant advances in domestic digitization and played a pivotal, albeit ambiguous role in international negotiations on cyberspace. Brazil has the world’s fifth largest internet user base, after China, India, the United States and Indonesia, and is a leading country in South America when it comes to ICTs usage. The share of Brazilians using the internet has increased from less than 3% of the population in 2000 to more than 68% in 2019. As such, Brazil remains a critical partner for the EU’s efforts to build a secure, stable and rights-based cyberspace.

An EU candidate country since 2014, Albania has been eagerly embracing its digital revolution with the government ushering in an array of cyber and digital policy initiatives. In recent years, Albania has worked on adapting its legal framework to comply with the EU’s acquis communautaire and further approach the Digital Single Market. The Albanian policy framework ranks 1^st across the Western Balkans region in fostering the inclusivity and competitiveness of digital society [x], while the country currently ranks 80^th in the Global Security Index [x]. An OECD report praised Albania for enhancing intragovernmental cooperation, emphasising the cross-cutting character of ICT in its development strategies, and allocating resources towards the implementation of its digital strategy. Despite the proliferation of such policies, however, the country is currently the 5^th largest source of cybercrime in Europe, suffering at least 1.3 million cyberattacks yearly [x]. As such, modernising cybercrime legislation and upgrading critical infrastructure protection constitute key priorities for Albanian policymakers.

The digital economy is amongst the most powerful loci of Canadian economic growth; over the past decade, the digital economy grew roughly 40 per cent faster than – and generated almost four times as many jobs as – the overall economy. However, this spurt has also led to increased vulnerabilities in relation to cybersecurity; in 2020, successful cyber attacks affected 78% of Canadian companies. Canada has quietly developed a robust cyber diplomacy approach aiming at promoting a rules-based international order in cyberspace, in line with the goals of other ‘like-minded’ states (including European Union countries). Both the EU and Canada share a vision of cyberspace as a domain of human activity that is open, free, and secure, and which is characterized by due regard for fundamental rights and democratic values. As such, Canada is an important strategic partner for Europe.

In accordance with the output produced by the 2013, 2015, and 2021 consensual reports of the United Nations Groups of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE), Brazil believes that international law enjoys general applicability in cyberspace. For Brazil, this also includes international humanitarian law and international human rights law. Nevertheless, Brazilian delegations have expressed concern that unqualified transfers of international humanitarian law and an unlimited right of self-defence could legitimise cyberspace as a military domain, while also challenging the protective value of sovereignty and cementing a Western-biased status quo.

At the first substantive session of the 2021-2025 UN Group of Governmental exports (UNGGE), Albania aligned itself with the EU’s statement that the existing corpus of international law, notably the UN Charter, international humanitarian law, and international human rights law, apply in cyberspace in its entirety. In particular, this includes the principle of state sovereignty, sovereign equality, the settlement of disputes by peaceful means, the provision of the use of force non-intervention in the internal affairs of other states, and the respect for human rights and fundamental freedoms as principles of international law that are applicable to states use of ICTs in cyberspace. [x] Albania has also consistently aligned itself with the EU position in a number of key resolutions at the United Nations, including resolutions A/73/27 and A/74/29. A 2015 policy paper notes that cybersecurity will only be “efficient” if it is “based on the fundamental human rights and freedoms, pursuant to the Charter of Fundamental Rights of the European Union and the universal values of the EU”. In the same vein, the 2020-2025 National Cybersecurity Strategy includes “improving the legal framework providing norms and regulating cybersecurity in the country, and aligning this framework with European Union directives and regulation” as a stated objective.

As per the conclusions of the 2013, 2015, and 2021 UN GGE (Group of Governmental Experts) reports, Canada believes that international law applies in cyberspace and is “essential to maintaining peace and stability” as well as “promoting an open, secure, peaceful, and accessible ICT environment”; according to Canada, the applicability of international law “puts guardrails on states’ behaviour in cyberspace”. Applicable legal instruments include the UN Charter, the law on state responsibility (including countermeasures), International Human Rights Law, and International Human Rights Law (IHL). Canada does not favour the establishment of a treaty or binding legal instrument on cyber issues, arguing that it would undermine existing international law and norms of responsible state behaviour. Instead, Canada believes that existing international law and agreed-upon norms are sufficient to guide State behaviour in cyberspace.

Brazilian diplomats portray Brazil’s role in the often polarised debates on norms of responsible state behaviour as that of a broker or strategic bridge-builder between the different camps rather than a mere ‘swing state’ and highlight that balancing between both camps serves to maintain an independent foreign policy. Brazil sought to focus its chairmanship of UN GGE’s third and fourth iterations on three issues: the role of civilians in cyber conflict, the right to respond, and attribution. Since the 2013 Snowden revelations, the country has been a stark champion of data protection, showcasing exceptional norm entrepreneurship
in relation to cyber-surveillance norms. Brazil has also expressed support for the proposal of adopting a legally binding instrument in the medium to long-term to prevent the militarisation of cyberspace.

At the first substantive session of the 2021-2025 UNGGE, Albania aligned itself with the EU’s position that the previous UNGGE and OEWG reports, including corresponding UNGA resolutions adopted by consensus” form the unequivocal basis for “any further discussions on the position, role, and implementation of the voluntary non-binding norms, rules and principles of state behaviour in cyberspace (norms)” [x]. In 2018, Albania voted against the Russian-sponsored resolution A/73/27, which launched the Open-Ended Working Group (OEWG) format.

Canada regards the applicability of norms of responsible state behaviour in cyberspace, together with existing international law, as the “foundation of sustaining international peace and security […] in cyberspace”. This is why it has strongly promoted the adoption and implementation of the UN GGE norms in various fora, including the G7, G20, North American Leaders’ Summit, NATO, ASEAN, and the OSCE. From Canada’s perspective, there is no need to develop new norms; international cooperation efforts should instead focus on fostering States’ capacity-building abilities, as well as the implementation and operationalization of existing norms. Canada has also been the biggest proponent of taking gender considerations into account when discussing the implementation of cyber norms, advocating for greater women’s participation and gender equality in the field of cybersecurity.

Brazil’s 2020 National Cybersecurity Strategy (E-Ciber) outlines ten strategic actions to be undertaken in relation to cyber resilience, which include the extension of international cooperation and the enhancement of protection for critical infrastructure. The Strategy pledges Brazil to encourage international cooperation in cybersecurity, participate in joint cyber resilience events and exercises, and expand cybersecurity cooperation agreements. On the level of discourse, Brazil remains committed to international cyber cooperation in resilience, staying true to its traditional stance in favour of multilateral solutions.

In recent years, Albania has significantly expanded its capacity-building activities, modernising both the relevant institutional apparatus and the diplomatic outreach accompanying it. Since 2017, ALCIRT, Albania’s national CSIRT, has been given an expanded mandate and merged with the National Authority for Electronic Certification and Cyber Security (AKCESK). AKCESK is responsible for preparing strategic documents relating to cybersecurity, drafting legislation, collaborating with relevant stakeholders (international organisations, civil society organisations, the private sector) and providing training. [x] Through AKCESK, Albania has signed Memoranda of Understanding (MOU) with several regional national CERTs (Kosovo, North Macedonia, Romania) and is currently negotiating similar MoUs with Serbia, Montenegro, Cyprus, and Slovenia. [x] AKCESK also frequently collaborates with the Council of Europe in relation to incident response and awareness training. [x] As a member of NATO, Albania signed the MoU with the NATO Cyber Incident Response Centre (NCIRC) on enhancing cyber defence in 2013 [x] and has participated in numerous NATO-led training initiatives, including the flagship Cyber Coalition exercise. Meanwhile, increased emphasis has been placed on the protection of critical infrastructure, with a 2015 government paper stating that future actions will be focused on “the protection and resilience capacity of critical infrastructure” and on “encouraging operators that own them to implement a full security architecture (including risk management and emergencies)”. [x] In 2020, Albania adopted its first-ever cybersecurity regulation for the electricity sector, which establishes incident reporting and assessment criteria for electricity operators. [x] This was reportedly only the first of many planned initiatives intended to reduce the country’s cyber vulnerabilities and increase trust in digital services.

The Canadian National Cyber Security Strategy puts an emphasis on “secure and resilient Canadian systems”, specifically critical infrastructure such as electricity grids, communications networks, and financial institutions. The ambition to help other countries expand their capacity building activities has been a key aspect of Canada’s cyber engagement strategy and its concurrent aim of promoting an “open, secure, and multistakeholder-led Internet”. Under the auspices of the OEWG, Canada has argued that “member States must make cyber security capacity development a priority at the highest level” and that “it is […] important to analyze and assess the capacity building needs collaboratively and agree on a collective approach”. Through the Anti-Crime Capacity Building Program (ACCBP), Canada has committed $27.7M to cyber capacity building, primarily in Latin America. ACCBP also assists countries in developing their own national cyber strategies and cybersecurity standards while also ensuring respect for human rights and privacy for all citizens. Meanwhile, Canada has been cooperating with several international and regional organizations on the development and implementation of Confidence-Building Measures (CBMs); for instance, there have been several Canadian initiatives at the OSCE, including workshops on international law and cyber operations as well as scenario-based discussions on CBM 5 (information sharing about national responses to regional cyber incidents). Canada believes that capacity-building should be multistakeholder and integrate the insights of the technical community as much as possible. The Canadian representative at the OEWG has also highlighted the importance of gender balance and the participation of women in capacity-building efforts.

Brazil originally refrained from signing the Budapest Convention on Cybercrime and had expressed scepticism in response to invitations to accede. The argument advanced was that the treaty is Western-biased and lacking in inclusivity, given that Brazil was not part of the original drafting process. During voting for UNGA Resolution A/74/401, the Russian-sponsored proposal for a new binding Cybercrime Convention, Brazil abstained; during meetings with the BRICS leaders, however, Brazil had endorsed Russian pleas for a new cybercrime instrument to replace the Budapest regime. Upon invitation by the Council of Europe, Brazil finally initiated the process of accession to the Convention in December 2019 and is now an observer country.

Albania is a party to the Budapest Convention on Cybercrime, with the Albanian Parliament ratifying the Convention in 2002 [x]. Since then, however, national strategic documents have been acknowledging the incomplete harmonisation of national legislation with Budapest provisions. The most recent five-year National Cybersecurity Strategy states that “legislation in the cybersecurity field should be harmonised with EU legislation, thus creating a complete and codified mechanism to adequately address and resolve issues. Besides, where possible, international internet security mechanisms should be accessed, signed, ratified, and implemented”. The Strategy also places special emphasis on children’s online protection, elevating it into a key priority [x]. Aiming to implement the policy goals listed within the National Cybersecurity Strategy, the Strategy for Investigation of Cybercrime (2021-2025) lays out a number of objectives for law enforcement [x]: (1) extending the cybercrime investigation structure throughout the country and building technological and legal capacity; (2) presenting a prompt and efficient response to cybercrime, raising public awareness, taking legislative initiatives, and building professional capacity; (3) presenting a rapid and professional response to the prevention, prosecution, and investigation of cybercrime against children; and (4) increasing national and international cooperation in the field of cybercrime investigation with strategic partners. Albanian police forces have also collaborated with Europol in coordinated action against cyber fraud and through the launch of the Sell Safe awareness campaign. [x]

Canada’s National Cyber Security Strategy identifies the activities of malicious cyber actors as a “growing challenge”. Following the adoption of the ‘Protecting Canadians from Online Crime’ Act, Canada acceded to the Council of Europe’s Budapest Convention in 2015 and has since consistently promoted the instrument as the “best tool to fight cybercrime at the international level”. Canada has specifically “encourage[d] countries to bolster their anti-cybercrime efforts by becoming Parties to the Convention, or using it as a model to implement their own cybercrime laws”. Moreover, upon Canada’s initiative, the Quintet of Attorneys General (which brings together Attorneys General from Canada, the US, Australia, New Zealand and the UK) issued a public statement at their July 2019 meeting, expressing their support for the Budapest Convention as a “necessary basic framework for fighting cybercrime” and for the work of the United Nations Open-Ended Intergovernmental Expert Group on Cybercrime (UNIEG). Being part of the ‘like-minded’ group of states, Canada voted against the Russian-sponsored UNGA Resolution 74/247 aiming at establishing an alternative cybercrime instrument; upon the passage of 74/247 and its follow-up UNGA Resolution 75/282, however, Canada has been a vocal member of the Ad Hoc Committee on Cybercrime. Prior to the Committee’s May 2021 organizational session, the Canadian position paper on the Implementation of 74/247 noted that the Committee must “ensure consistency with existing UN treaties in the field of crime prevention and criminal justice, in particular the United Nations Convention against Transnational Organized Crime, the United Nations Convention against Corruption and take into account multilateral instruments that have already proven their usefulness in the fight against cybercrime, in particular the Council of Europe Convention on Cybercrime”. In the same document, Canada emphasized the need for an “inclusive, transparent, constructive, and consensus-based process that will lead to a fair outcome to the benefit of all”. The first session of the Ad Hoc Committee will be held in New York from 17 to 28 January 2022. Canada’s perspective on the scope, objectives, and structure of the convention was submitted to the Ad Hoc Committee in advance of the start of the first negotiation session (E).