UN Cyber Norm C | Prevent misuse of ICTs in your territory
States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs.
What is it about?
Norm (c) underscores the concept of due diligence in international law, particularly concerning the use of ICTs. It suggests that states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs. It emphasises states’ responsibilities to prevent and react to such acts, aligning with broader goals of international peace and security in the digital age.
This norm also requires that a state make reasonable efforts to stop any illegal activities occurring within its territory. These efforts should be proportionate, appropriate, and effective, and must comply with both international and domestic laws. However, the norm acknowledges that states cannot and should not be expected to monitor all activities conducted over information and communication technologies (ICT) within their borders.
Why is it relevant?
This norm is highly relevant because it addresses the growing threat of cyberattacks on critical infrastructure, many of which are transboundary in nature and can severely affect national security, economic stability, and public safety. Due diligence is essential in mitigating these threats because actions in one state’s territory can have significant effects on other states and global networks. Norm (c) underscores the need for states to take proactive measures to prevent such transboundary harm.
How is it implemented?
In accordance with the clarification provided by States in the UN GGE 2021 report, the implementation of this norm involves several key steps:
- Seeking assistance: If a state becomes aware of internationally wrongful acts being conducted using ICTs within its territory but lacks the capability to address them effectively, it should consider seeking assistance. This assistance can be sought from other states or the private sector, ensuring that all actions taken are consistent with international and domestic laws. Establishing structured mechanisms to handle requests for assistance can aid in implementing this norm effectively. It is essential that states providing assistance act in good faith and adhere to international legal standards, avoiding any malicious activities against the requesting state or any third party.
- Notification and cooperation: When an affected state identifies that harmful activities are emanating from the territory of another state, it should notify that state promptly. The notified state should acknowledge receipt of the notification to facilitate cooperation and clarify the situation. The notified state should also make reasonable efforts to assist in determining whether an internationally wrongful act has occurred. Importantly, acknowledging receipt of the notification does not imply agreement with the content of the notification itself.
- Attribution of responsibility: It is crucial to understand that an ICT incident originating from the territory or infrastructure of a third state does not automatically assign responsibility to that state for the incident. Similarly, notifying a state that its territory is being used for wrongful activities does not automatically make it responsible for those activities. These clarifications help in establishing clear responsibilities and avoiding misattributions of blame.
Who are the main actors?
Although the norm addresses responsible state behaviour and targets UN Member States, there are additional actors who could play a role in its implementation:
- International and regional organisations (e.g., OSCE, ASEAN, African Union), which could be particularly helpful in crisis and incident management, and in fostering cooperative and partnership arrangements between governments.
- National CERTs/CSIRTs, and FIRST as an international community of CSIRTs, which help advance detecting, investigating and responding to ICT incidents.
- Non-state stakeholders, specifically the private sector and cybersecurity and threat intelligence companies and researchers who conduct research to identify, analyse, and understand new and emerging cyber threats, vulnerabilities, and attack methods.
- Non-state stakeholders such as academia and civil society, who could play an important role in clarifying legal nuances related to cyber attribution.
Where is it discussed?
The UN Open-ended working group (OEWG) remains the one and only process where all UN Member States discuss the implementation of the agreed norms, including this norm, on a regular basis.
States implement these norms domestically, including through adopting acts and policies at a national level, and may also engage in regional cooperation to enhance cybersecurity. Inter-agency coordination between various governments can also help develop common understanding in addressing cyber attribution and in exchanging useful information for investigation of ICT incidents.
Contact between technical and cybersecurity researchers and incident responders from various countries (e.g., the contact that takes place within FIRST) is another example of how to operationalize the norm.
Various multistakeholder and international initiatives (e.g., the GFCE) serve as additional platforms for discussing the practical aspects of the norm's implementation.
Relevant normative frameworks
- Paris Call principles
- Norms by the Global Commission on the Stability of Cyberspace (GCSC)
- Cyber/ICT Security CBMs by the Organization for Security and Co-operation in Europe (OSCE)
- OAS CBMs related to cyberspace