The United Kingdom ranks 10^th in the 2021 Network Readiness Index (NRI), 9^th in the 2021 Digital Skills Gap Index and 14^th in the 2021 IMD World Digital Competitiveness Ranking. The British digital sector contributes roughly £149 billion each year to the economy and employs more than 1.5 million people [x]. The country also remains Europe’s unofficial ‘start-up capital’, with British tech startups attracting more than $15 billion in venture capital investment in the midst of a global pandemic. Nevertheless, new and emerging challenges to peace and security in cyberspace represent pressing concerns for the UK [x]. Over the course of 2021, the UK’s National Cyber Security Centre dealt with 777 significant incidents, with around 20% of supported organisations being linked to the health sector and Covid vaccines [x]. In the face of ever-increasing cyber vulnerabilities, the UK government has recently adopted a strategy of ‘levelling up’ protection for British cyberspace. This has brought international collaboration on cyber issues to the forefront of Britain’s diplomatic agenda. British diplomacy has traditionally championed the rules-based international system both online and offline, placing great emphasis on human rights, democratic values and free trade.

The digital economy is amongst the most powerful loci of Canadian economic growth; over the past decade, the digital economy grew roughly 40 per cent faster than – and generated almost four times as many jobs as – the overall economy. However, this spurt has also led to increased vulnerabilities in relation to cybersecurity; in 2020, successful cyber attacks affected 78% of Canadian companies. Canada has quietly developed a robust cyber diplomacy approach aiming at promoting a rules-based international order in cyberspace, in line with the goals of other ‘like-minded’ states (including European Union countries). Both the EU and Canada share a vision of cyberspace as a domain of human activity that is open, free, and secure, and which is characterized by due regard for fundamental rights and democratic values. As such, Canada is an important strategic partner for Europe.

Thanks to its regulatory powers, robust digital economy, and active foreign and security policy, the European Union is one of the key players in cyberspace. The EU strongly promotes the position that international law, and in particular the United Nations (UN) Charter, applies in cyberspace. As a complement to binding international law, the EU endorses the voluntary non-binding norms, rules and principles of responsible State behaviour that have been articulated by the UN Group of Governmental Experts. It also encourages the development and implementation of regional confidence building measures, both in the Organisation for Security and Co-operation in Europe and other regions. On a bilateral level, the EU has established cyber dialogues with strategic partners to reinforce the exchange of good practices, lessons learnt and further the idea of responsible state behaviour in cyberspace.

The UK views international law as “a critical tool for ensuring stability and security in cyberspace”. In accordance with the 2013, 2015 and 2021 UNGGE reports as well the 2021 OEWG report, the UK has affirmed that international law, including the UN Charter in its entirety, applies in cyberspace; a position paper notably states that “we do not consider it is for States to pick and choose which international law instruments are applicable”. This includes the prohibition of the use of force (Article 2(4)), the peaceful settlement of disputes (Article 33) and the inherent right of states to act in self-defence in response to an armed attack (Article 51). The law of state responsibility applies to cyber operations in peacetime, including the doctrine of countermeasures in response to internationally wrongful acts. Meanwhile, the country has professed a strong commitment to the respect of human rights law in cyberspace, co-sponsoring the 2012, 2014, 2016, 2018 and 2021 UN Human Rights Council resolutions on the protection, promotion and enjoyment of human rights on the Internet. Likewise, the UK believes in the application of international humanitarian law (IHL) to cyber operations in armed conflict. In response to concerns expressed by other states that this might lead to an undue ‘militarisation’ of cyberspace, the UK has responded that the application of IHL does not encourage armed conflict but only serves to limit humanitarian consequences in the event of such conflict. In addition, the country has stated and that there are ways for cyber capabilities to be developed in a manner “consistent with international law” and called on states to be transparent about the existence of their own capabilities. Those statements do not entirely dismiss the idea of cyberspace as a new military domain, with the British position at the OEWG being that “the use of ICTs in military contexts may be preferable to use of kinetic weapons and can be de-escalatory”. The UK is against the establishment of new, binding international instruments to regulate state behaviour in cyberspace, arguing that “pursuing […] the development of new treaties is only likely to entrench existing divides in this area and will progress us no further on the question of how International Law applies”.

As per the conclusions of the 2013, 2015, and 2021 UN GGE (Group of Governmental Experts) reports, Canada believes that international law applies in cyberspace and is “essential to maintaining peace and stability” as well as “promoting an open, secure, peaceful, and accessible ICT environment”; according to Canada, the applicability of international law “puts guardrails on states’ behaviour in cyberspace”. Applicable legal instruments include the UN Charter, the law on state responsibility (including countermeasures), International Human Rights Law, and International Human Rights Law (IHL). Canada does not favour the establishment of a treaty or binding legal instrument on cyber issues, arguing that it would undermine existing international law and norms of responsible state behaviour. Instead, Canada believes that existing international law and agreed-upon norms are sufficient to guide State behaviour in cyberspace.

Under the auspices of the UN, the EU and its Member States have consistently reaffirmed that a universal cyber security framework can only be grounded in existing international law, including the Charter of the United Nations in its entirety, international humanitarian law, and international human rights law. 
Addressing issues as to how existing international law and international humanitarian law, including the principles of humanity, necessity, proportionality and distinction, apply to the use ICTs by States is necessary to increase accountability and transparency. International humanitarian law is fully applicable in cyberspace and this should not be misunderstood as legitimising the use of force between states in the cyber domain. The EU has typically opposed calls for the need to adapt existing international law as a means to develop a new legal instrument for cyber issues.

The UK regards voluntary, non-binding norms of responsible state behaviour as one of the three key pillars upon which the framework for international stability in cyberspace is currently built, the other two being international law and confidence-building measures (CBMs). The British have argued that “stronger awareness and understanding by all countries of the framework in general” is necessary and stated that they “remain concerned that the elaboration of new norms could undermine the existing norms by weakening the overarching protection they provide, or their technology neutral and ‘future-proofed’ nature”. The focus should instead be on the universalisation, operationalisation and implementation of existing norms, with regional organisations and capacity-building efforts playing a central role in this endeavour.

Canada regards the applicability of norms of responsible state behaviour in cyberspace, together with existing international law, as the “foundation of sustaining international peace and security […] in cyberspace”. This is why it has strongly promoted the adoption and implementation of the UN GGE norms in various fora, including the G7, G20, North American Leaders’ Summit, NATO, ASEAN, and the OSCE. From Canada’s perspective, there is no need to develop new norms; international cooperation efforts should instead focus on fostering States’ capacity-building abilities, as well as the implementation and operationalization of existing norms. Canada has also been the biggest proponent of taking gender considerations into account when discussing the implementation of cyber norms, advocating for greater women’s participation and gender equality in the field of cybersecurity.

Since 2014, the EU’s ambition has been to act as an ‘honest broker’ on multilateral discussions surrounding issues of cyber governance and norms of responsible state behaviour, aiming to ensure the support and partnership of proactive players in the context of the global debate. The EU has long promoted the need for voluntary, non-binding norms. It believes that norms crystallised under the UN GGE process should generally not be revisited and that progress should be made on matters relating to their implementation. 
Within the OEWG, the EU advanced a suggestion to develop a global repository of existing practice within the United Nations, which would enable UN member states to showcase how they are implementing the voluntary norms of responsible state behaviour, confidence building and other measures.

The July 2021 policy paper on Global Britain in a Competitive Age makes extensive reference to resilience in the post-Covid ICT environment, pledging that the UK will “strengthen global resilience” and “ensur[e] that more resilient countries worldwide can come together through stronger international institutions to act on the most pressing shared challenges”. In the cyber domain, this pledge has been further operationalised by the 2022 National Cyber Strategy, which frames cyber resilience in terms of risk awareness, system security and preparedness. The Strategy prioritises capacity building, adopting a whole-of-government approach and focusing on three elements: protecting critical international supply chains and infrastructure, advancing the secure use of digital technologies and working with industry partners and academia. Since 2016, the UK has worked through the National Cyber Security Centre (NCSC) to adopt an integrated approach to cyber incident management, streamlining across the public and private sectors. Meanwhile, Britain has championed
capacity-building assistance efforts abroad by providing advice, training and exercises and enabling the creation and maintenance of national Computer Security Incident Response Teams (CSIRTs). It has also provided funding to international capacity-building platforms, such as the Forum of Incident Response & Security Teams (FIRST) and the Americas CSIRT network. The UK has been working with partners within the OSCE to encourage the implementation of confidence-building measures (CBMs).

The Canadian National Cyber Security Strategy puts an emphasis on “secure and resilient Canadian systems”, specifically critical infrastructure such as electricity grids, communications networks, and financial institutions. The ambition to help other countries expand their capacity building activities has been a key aspect of Canada’s cyber engagement strategy and its concurrent aim of promoting an “open, secure, and multistakeholder-led Internet”. Under the auspices of the OEWG, Canada has argued that “member States must make cyber security capacity development a priority at the highest level” and that “it is […] important to analyze and assess the capacity building needs collaboratively and agree on a collective approach”. Through the Anti-Crime Capacity Building Program (ACCBP), Canada has committed $27.7M to cyber capacity building, primarily in Latin America. ACCBP also assists countries in developing their own national cyber strategies and cybersecurity standards while also ensuring respect for human rights and privacy for all citizens. Meanwhile, Canada has been cooperating with several international and regional organizations on the development and implementation of Confidence-Building Measures (CBMs); for instance, there have been several Canadian initiatives at the OSCE, including workshops on international law and cyber operations as well as scenario-based discussions on CBM 5 (information sharing about national responses to regional cyber incidents). Canada believes that capacity-building should be multistakeholder and integrate the insights of the technical community as much as possible. The Canadian representative at the OEWG has also highlighted the importance of gender balance and the participation of women in capacity-building efforts.

The EU places great importance on cyber resilience and capacity building. Internally, the Union has built a robust legal acquis in relation to the resilience of critical infrastructures, the cornerstone of which rests upon the 2016 Network and Information Security (NIS) Directive and the 2013 and 2019 Cybersecurity Acts. This legal meshwork seeks to integrate cybersecurity into all elements of the supply chain and introduce soft law mechanisms like the EU cybersecurity certification scheme. In doing so, it harmonises national cybersecurity capabilities, cross-border collaboration and the supervision of critical sectors across the EU. 
In the coming months, the Commission intends to add upon the existing cyber-acquis by introducing an array of new initiatives, such as the updated NIS Directive (the so-called NIS2), a proposal on a Critical Entities Resilience (CER) Directive, and a plan to launch a network of Security Operations Centres across the Union. The aim is to create a Union-wide ‘cybersecurity shield’ that will facilitate the detection of cyberattacks and provide an impetus for proactive action. 
This internal buildup of capabilities is supplemented by the development of a specialised ‘cyber diplomacy toolbox’ that allows the Union and its Member States to address cyber incidents through various joint policies, from cooperation and stabilisation measures to restrictive measures and attribution.

According to the 2022 National Cyber Strategy, the UK is committed to promoting the Council of Europe’s Budapest Convention on cybercrime as the primary international instrument for inter-state cooperation, while simultaneously engaging constructively with the UN process to develop a new international cybercrime treaty that will sit comfortably alongside the Budapest regime. In terms of law enforcement, the UK has developed well established mechanisms through the National Cyber Crime Unit (NCCU), operating under the umbrella of the National Crime Agency (NCA). The NCCU is tasked with leading the operational response, coordinating activity across different stakeholders and providing specialist cyber support across the law enforcement domain. The NCA has also developed a network of international liaison officers, which regularly cooperate with Interpol and Europol. Bilateral cooperation with international partners occurs on the basis of the Budapest Convention and associated Mutual Legal Assistance Treaties (MLATs), which facilitate information sharing amongst signatory states. The UK has been an active participant – and has provided voluntary contributions – in the context of discussions for developing a Second Additional Protocol to the Convention to enhance the speed and efficiency of international evidence sharing; the Protocol will be opened for signature in May 2022. The UK has also provided capacity-building assistance to over 100 partner countries, especially in Eastern Europe, Southeast Asia and Africa.

Canada’s National Cyber Security Strategy identifies the activities of malicious cyber actors as a “growing challenge”. Following the adoption of the ‘Protecting Canadians from Online Crime’ Act, Canada acceded to the Council of Europe’s Budapest Convention in 2015 and has since consistently promoted the instrument as the “best tool to fight cybercrime at the international level”. Canada has specifically “encourage[d] countries to bolster their anti-cybercrime efforts by becoming Parties to the Convention, or using it as a model to implement their own cybercrime laws”. Moreover, upon Canada’s initiative, the Quintet of Attorneys General (which brings together Attorneys General from Canada, the US, Australia, New Zealand and the UK) issued a public statement at their July 2019 meeting, expressing their support for the Budapest Convention as a “necessary basic framework for fighting cybercrime” and for the work of the United Nations Open-Ended Intergovernmental Expert Group on Cybercrime (UNIEG). Being part of the ‘like-minded’ group of states, Canada voted against the Russian-sponsored UNGA Resolution 74/247 aiming at establishing an alternative cybercrime instrument; upon the passage of 74/247 and its follow-up UNGA Resolution 75/282, however, Canada has been a vocal member of the Ad Hoc Committee on Cybercrime. Prior to the Committee’s May 2021 organizational session, the Canadian position paper on the Implementation of 74/247 noted that the Committee must “ensure consistency with existing UN treaties in the field of crime prevention and criminal justice, in particular the United Nations Convention against Transnational Organized Crime, the United Nations Convention against Corruption and take into account multilateral instruments that have already proven their usefulness in the fight against cybercrime, in particular the Council of Europe Convention on Cybercrime”. In the same document, Canada emphasized the need for an “inclusive, transparent, constructive, and consensus-based process that will lead to a fair outcome to the benefit of all”. The first session of the Ad Hoc Committee will be held in New York from 17 to 28 January 2022. Canada’s perspective on the scope, objectives, and structure of the convention was submitted to the Ad Hoc Committee in advance of the start of the first negotiation session (E).

The EU has been an early champion of the Budapest Convention signed under the auspices of the Council of Europe, given the overlapping membership of the two organisations. Much of the EU’s cyber diplomatic efforts have focused on promoting the Convention as the main instrument of choice for fighting cybercrime on a global level. EU member states have consistently opposed Russian bids for replacing this regime with another legal framework. 
The Union is represented in the recently constituted Ad Hoc Committee established by UNGA resolution 74/247 by its Member States and is currently focused on ensuring that the process is inclusive, transparent, consistent with the progress of the UNGGE and OEWG processes, and committed to legal consistency.