UN Cyber Norm G | Protect critical infrastructure


States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions.
What is it about?

Norm (g) underscores the obligation of all states to protect critical infrastructure within their jurisdiction from cybersecurity threats. It can be interpreted as advocating for the establishment of national regulations to safeguard various sectors such as energy, transportation, and finance. It also suggests implementing security measures specifically for critical infrastructure under government control.

Why is it relevant?

Critical infrastructure is fundamental to a society’s vital functions, services, and activities. However, daily reports highlight cyber attacks on critical infrastructure, affecting sectors such as energy, healthcare, transportation, and more. If these were significantly impaired or damaged, the human costs and impact on a state’s economy, development, political and social functioning, and national security could be substantial.

How is it implemented?

In accordance with the clarification provided in the UN GGE 2021 report, to effectively implement the norm, states should consider the following measures:

  • Designating critical infrastructure: Each state identifies and designates specific infrastructures or sectors as critical. This can include sectors such as energy, water, healthcare, finance, transportation, and telecommunications. In addition to this, each state establishes criteria to determine what qualifies as critical infrastructure based on the potential impact on national security, public health, and economic stability.
  • Determining security measures for critical infrastructure protection (CIP): Each state determines the structural, technical, organisational, legislative and regulatory measures necessary to protect their critical infrastructure and restore functionality if an incident occurs.
  • Ensuring the safety and security of ICT products: Encouraging measures to ensure the safety and security of ICT products throughout their lifecycle.
  • Classifying ICT incidents: Encouraging measures also include developing a classification system for ICT incidents based on their scale and seriousness.
  • Encouraging cross-border cooperation: For states that serve as hosts of infrastructures that provide services regionally or internationally, it is especially important to encourage cross-border cooperation with relevant infrastructure owners and operators to enhance the ICT security measures accorded to such infrastructure and strengthen existing or develop complementary processes and procedures to detect and mitigate ICT incidents affecting such infrastructure. Otherwise, ICT threats to such infrastructure could have destabilising effects. 

Who are the main actors?

Although the norm addresses responsible state behaviour and is directed at UN Member States, there are additional actors who could play a role in its implementation:

  • International and regional organisations (e.g., OSCE, ASEAN, the African Union), which could be particularly helpful in providing frameworks, guidelines, and platforms for states to cooperate effectively, share best practices, and coordinate responses to cyber threats on a global scale. These organisations could also serve as platforms for facilitating communication between states in the event of incidents affecting critical infrastructure.
  • International standards organisations (e.g., ISO and IEC), which could help develop and promote global cybersecurity standards for the protection of critical infrastructure.
  • National CERTs/CSIRTs and FIRST as an international community of CSIRTs to help advance detecting, investigating and responding to ICT incidents affecting critical infrastructure.
  • Non-state stakeholders, such as the private sector who act as owners and operators of critical infrastructure, technology and cybersecurity firms, and various industry associations. 
  • Non-state stakeholders, such as civil society and academia which conduct studies to understand vulnerabilities and threats for critical infrastructure, and advocate for policies and monitor government and corporate actions.

Where is it discussed?

The UN Open-ended working group (OEWG) remains the one and only process where all UN Member States discuss the implementation of the agreed norms, including this norm, on a regular basis. 

States implement these norms domestically, including by adopting acts and policies at the national level, and may also engage in regional cooperation to enhance cybersecurity. Inter-agency coordination between governments can also help develop interoperable approaches to critical infrastructure protection, e.g. by developing common technical, organisational, regulatory and other measures.

Public-private partnerships at the national or regional level also serve as an important platform for dialogue between states and relevant non-state stakeholders on the operationalisation of this norm.

Contacts between technical and cybersecurity researchers and incident responders from different countries (e.g., the contact that takes place within FIRST) are another way to operationalise the norm.

Various multistakeholder and international initiatives (e.g., the Geneva Dialogue on Responsible Behaviour in Cyberspace and the GFCE) serve as additional platforms for discussing the practical aspects of implementing the norm.
