UN Cyber Norm K | Do no harm to response teams
States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.
What is it about?
Norm (k) emphasises that states should refrain from conducting or supporting activities that harm the information systems of another state’s authorised emergency response teams, such as CERTs or CSIRTs. It also prohibits states from using these teams to engage in malicious activities internationally.
Why is it relevant?
The CERT/CSIRT community, traditionally founded on trust and cooperation, has come under heightened scrutiny and pressure in recent years as cyber issues have become increasingly politicised and securitised. Thus, CERTs and CSIRTs operate in a complex and interconnected cyber regime. They are not isolated entities but function within a broader environment shared with various institutions and organisations that may have divergent laws, interests, and cultural contexts. This complexity requires clear norms to prevent misunderstandings, conflicts, or misuse of CERTs/CSIRTs for purposes beyond their intended roles, such as intelligence gathering or law enforcement.
How is it implemented?
In accordance with the clarification provided in the UN GGE 2021 report, to effectively implement the norm, reasonable steps include:
- Avoiding politicisation: CERTs/CSIRTs should not be politicised or coerced into activities that could compromise their independence or neutrality. Upholding this norm helps preserve the integrity and trustworthiness of CERTs/CSIRTs as impartial entities focused solely on responding to and mitigating cyber incidents for the broader benefit of international peace and security.
- Recognising the critical role of CERTs/CSIRTs: In recognition of their critical role in protecting national security and the public, and in preventing economic loss deriving from ICT-related incidents, many states categorise CERTs/CSIRTs as part of their critical infrastructure.
- Developing special measures to provide more protection: In considering how their actions regarding emergency response teams can contribute to international peace and security, states could publicly declare or put in place measures affirming that they will not use authorised emergency response teams to engage in malicious international activity and acknowledge and respect the domains of operation and ethical principles that guide the work of authorised emergency response teams.
- Establishing national ICT-security incident management frameworks: States could also consider putting in place such frameworks with designated roles and responsibilities, including for CERTs/CSIRTs, to facilitate cooperation and coordination among CERTs/CSIRTs and other relevant security and technical bodies at the national, regional and international levels. Such a framework can include policies, regulatory measures or procedures that clarify the status, authority and mandates of CERTs/CSIRTs and that distinguish the unique functions of CERTs/CSIRTs from other functions of government.
Who are the main actors?
Although the norm addresses responsible state behaviour and targets UN Member States, there are additional actors who could play a role in the implementation of the norm:
- CERTs/CSIRTs themselves: These teams need to operate within established norms, and ensure their activities are focused on their core functions of cybersecurity incident response and mitigation.
- International and regional organisations (e.g., FIRST, OSCE, ASEAN, OAS, African Union etc.), which could facilitate the cross-border cooperation between such teams and states in the event of incidents. For instance, the OAS established the network of government cyber incident response teams (CSIRT) of OAS Member States. The CSIRTAmericas Network is now a cybersecurity community which includes over 47 CERTs from 22 countries along with 379 professionals.
- Non-state stakeholders, such as the private sector, which can also play a role by supporting and collaborating with CERTs/CSIRTs, as well as adhering to norms that promote trust and cooperation in cybersecurity efforts.
- Non-state stakeholders, such as civil society and academia, who could contribute to the implementation of norms by advocating for transparency, accountability, and the protection of cybersecurity infrastructure, including CERTs/CSIRTs.
Where is it discussed?
The UN Open-ended working group (OEWG) remains the one and only process where all UN Member States discuss the implementation of the agreed norms, including this norm, on a regular basis.
States implement these norms domestically, including through adopting acts and policies at a national level, and may also engage in regional cooperation to enhance cybersecurity. Coordination between states at the level of their competent national authorities can also help operationalise the norm, i.e. by coordinating their approaches to national ICT-security incident management with designated roles for CERTs/CSIRTs. Inter-state cooperation could also stimulate greater information sharing between relevant CERTs/CSIRTs.
Within regional, international and specialised organisations, such as the Forum of Incident Response and Security Teams (FIRST), such teams may collaborate and coordinate their cybersecurity incident response efforts, exchange best practices, and support each other in the event of incidents. FIRST, in particular, also plays an important role in promoting capacity building initiatives by organising training workshops, conferences, and seminars aimed at enhancing the technical skills and knowledge of cybersecurity professionals working in incident response.