Cyber-threat landscape: Existing and emerging cyber-threats

Event report

Through resolution 73/27, the UN General Assembly established the Open-Ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security which – in addition to the intergovernmental nature of its work – also provides the possibility of holding intersessional multistakeholder consultations. The first intersessional consultative meeting took place on 2-4 December 2019 with sessions that included the tech industry, civil society, academia, and member states, and addressed the following points in the agenda:

1. Cyber-threat landscape: Existing and emerging cyber-threats

2. Rules, laws, and norms: Creating a cyberspace based on rules, laws, and norms: How can stakeholders support governments?

3. Rules, laws, and norms: Stakeholders’ commitments to rules, norms, and principles

4. Confidence-building measures and capacity-building: Confidence-building between states and between states and the private sector

5. Confidence-building measures and capacity-building: Engaging all stakeholders to enhance capacity-building efforts

6. Conclusion: Ways forward on a multistakeholder approach

Introducing the work of the intersessional meetings, Ms Izumi Nakamitsu (UN Under-Secretary-General and High Representative for Disarmament Affairs) recalled the importance of creating a legitimate space in which all stakeholders can express their views and perspectives. Indeed, given that no one is secure unless everybody is secure, it is necessary to foster multistakeholder synergies as has been started by initiatives such as the Cybersecurity Tech Accord, the Siemens’ Charter of Trust, Kaspersky Lab’s Global Transparency Initiative, and the Paris Call for Trust and Security in Cyberspace.

As the Chair of the OEWG Mr Jürg Lauber (Ambassador Permanent Representative of Switzerland to the UN) stressed, the intergovernmental nature of the OEWG process should be separated by the intersessional consultations: for this reason, the intersessional meeting is moderated by another Chair, Mr David Koh (Chief Executive, Cyber Security Agency, Singapore). Nevertheless, as further underlined by Lauber, this does not undermine the value of multistakeholder consultations and inclusivity processes: it is important to include all the voices and perspectives of other stakeholders. In the words of Koh, cybersecurity should be seen as a prerequisite and enabler for people in their use of technologies. He used the analogy of the breaks on a car to explain cybersecurity, saying that without them, nobody would dare to drive fast and take advantage of the benefits and opportunities created by new technologies.

The first meeting ‘Cyber- threat landscape: Existing and emerging cyber- threats’ featured an interactive discussion with questions on the current and most significant cyber-threats and how they are expected to change; on the main threats to critical infrastructures; on the implications for the digital economy; and, on how new developments such as artificial intelligence (AI) and blockchain will alter the threats landscape.

The Forum for Incident Response and Security Team (FIRST) and the Cybersecurity Expert Association of Nigeria set the scene by highlighting the status of digital interdependence and the vulnerability of the technologies currently in use. As FIRST pointed out, three major challenges should be understood and appropriately tackled. First, only a few tech giants can truly own their technology and modify it without relying on standards. Second, while more innovative technologies are developed and put on the market, the half-way life of technology is long, and new technologies still face and have to interact with old ones. As a result, the Internet is inevitably resilient to disruption. Third, the tendency to increase interaction leads developers to build on existing technologies and vulnerabilities. With this in mind, two main takeaways need to be considered: when the second half of the population is brought online, there will be an even stronger need to understand how these technologies are built to foster awareness about cyber-threats; and second, while current discussions focus on state-sponsored behaviour, the majority of incidents that take place are on the level of cybercrime and should be appropriately tackled.

The Cybersecurity Expert Association of Nigeria recalled the presence of three elements (people, process, and technologies) and underlined how holistic solutions for cybersecurity need to take the threats to these three elements into account. Cybercrime is growing, especially with regards to phishing activities which are becoming more sophisticated and targeted. As Trend Micro (multinational cybersecurity and defense company) further explained, there is a high amount of professionalisation and filtering of phishing activities: if before high-level attacks were filtered down to cybercrime, now is the opposite, and it goes from cybercrime to highly sophisticated attacks. Therefore, there is a need to think of how new technologies such as AI will increase the scale and sophistication of such attacks. If so far phishing is limited to e-mail, AI could represent a means to compromise videos and teleconferencing.

On the question of current and most significant cyber-threats, in addition to the increase of cybercrime through – but not limited – to phishing activities, delegates highlighted the threats posed by data breaches, as pointed out by Mozambique; malware; terroristic propaganda as mentioned by Healthtech and Society and Jordan; commercial surveillance technologies and technologies that hamper human rights, as stressed by CitizensLab, AccessNow and the Women’s International League; as well as vulnerabilities in the weapons and weapons systems such as Lethal Autonomous Weapons Systems (LAWS) as also mentioned by the Women’s International League. Additional threats were mentioned, such as: upcoming cyber weapons, attacks to the public core of the Internet, as stressed by the Association for Progressive Communications (APC); and the undermining of trust, as mentioned by the World Economic Forum.

Introducing solutions and approaches to solutions, Global Partners Digital underlined how the way threats are defined forges the relative actions to solve them. Indeed, the organisation, supported by R3D, proposes to have a human-centric approach. Additionally, addressing the hybrid nature of cyber-attacks, the Cyberpeace Institute proposed two approaches for accountability that would strengthen actionable and evidence-based frameworks. First, a top-down approach led by the international community that would enact norms, and second, a bottom-up approach that would increase the role of grass-roots experts in designing accountability mechanisms. As the institute further continued, there is a need for a collective response in the analysis of major attacks: collective responsibility should be complemented by a co-ordinated analysis capacity.

On the main threats to critical infrastructures, members stressed the threats posed by attacks that undermine the public core of the Internet, and recalled the role and outcomes of the Global Commission on the Stability of Cyberspace in establishing norms that defend the public core.

On the implications for the digital economy, Chatham House highlighted how the use of ICTs affects economic development. Damages can result in the loss of intellectual property, add to the cost of information security and reducing public trust in the organisations or entity involved.

Finally, additional remarks on current challenges were proposed by the Commonwealth Telecommunication Organization (CTO) which underlined how the lack of adequate financial infrastructure and technical complexity in developing frameworks for adequate cybersecurity, requires rethinking how we pursue awareness development and knowledge sharing.