Existing and potential threats
14 Dec 2021 20:00h - 23:00h
Delegations shared examples of urgent and challenging, existing and potential threats that states are facing. Most states which spoke on the subject emphasised threats to critical infrastructure and ransomware attacks. Other threats the states are concerned with include: cybercrime, violent extremism and cyberterrorism, fake news, deep fakes, misinformation and disinformation, data security, the use of ICTs for military purposes, state-sponsored malicious cyber activities, cyberattacks affecting democratic institutions, attacks on the supply chain, threats against OT and IoT, developments in new technologies (such as AI, Blockchain, etc.), crypto and digital currency, human rights, child safety online, the digital divide, internet fragmentation, and unilateral coercive measures.
The delegates also spoke about possible cooperative measures to prevent and counter threats in the sphere of international security.
In this regard, many states underlined the importance of capacity-building. According to South Africa, raising the general level of states’ ICT capacities would also raise the overall resilience of states to cyber threats. This was echoed by Canada, Chile, and Colombia. Brazil noted that states should cooperate to build capacities for mitigating threats to critical infrastructure.
Some of the countries underlined the significance of the OEWG in such capacity-building efforts. The UK stressed that a crucial element of the OEWG’s work is supporting states in developing the capacities and structures required to prevent, detect and respond to threats at the national level. Iran stressed that the OEWG should focus on capacity-building under the auspices of the UN, as this would ensure security, safety, and integrity of ICT supply chains. The Netherlands suggested that the OEWG can help ensure that capacity-building is sensitive to different impacts the threats have on different states, as well as increase states’ resilience. Chile suggested that the OEWG could recognise the work of various international cyber capacity-building initiatives (such as the GFCE) and work jointly with them. Indonesia also noted that the OEWG could encourage states in strengthening their institutional capacity, legal and policy frameworks, and technical capabilities. Further, the country proposed that the OEWG consider developing comprehensive guidelines covering aspects of prevention, protection, and countermeasures, for both the data users and systems. Such guidelines can then be used as a reference in helping states become better prepared for tackling threats in the sphere of information security. The OEWG could also assist states in incorporating such guidelines into domestic policies.
The necessity for the establishment of the rules, norms, and principles of responsible behavior of states which meet the challenges in the ICT sphere was highlighted by Iraq. Russia stated that, in order to counter the existing and potential new threats, there is a need for a global system of international information security under the aegis of the UN, which should be forged based on the respect of the principles of equitable safety and security of states, and equitable dispute resolution of disputes that arise from the use of ICT.
Nigeria underlined the need for legalising the already agreed-upon norms in order to ensure responsible behavior. The Netherlands also noted that states should, at all times, respect the agreed upon norms in their use of ICTs. The application of those norms could be enhanced by concrete implementation. France noted the importance of exchanges on implementation of norms of responsible behavior in cyberspace. Brazil and France underlined the exchanges of best practices in protecting critical infrastructure.
All of the UN member states should make efforts to counter any and all cyberattacks which could damage their sovereignty and undermine their good relations with other countries, Iraq underlined. Ukraine also noted that states should each increase their own ability to resist internet-based threats and enhance common cyber resilience policies.
The establishment of a multilateral mechanism for the attribution of cyber incidents within the context of the UN to unequivocally and impartially determine the source of incidents was suggested by Cuba. France emphasised the state’s due diligence obligations in the face of malicious activity conducted by non-state actors in their territory. The country also suggested that the OEWG could consider how to better control the malicious cyber tools.
On countering misinformation, Pakistan underlined the need for cooperation with the UN and relevant agencies, international cooperation, multidimensional and multistakeholder responses. Those efforts must be consistent with international law, including the humanitarian rights law. Online platforms and social media companies should ensure that their commercial objectives do not undermine human rights, and that their business models, data collection, data processing practices, and advertisement policies are compliant with the international human rights law.
On protection of personal and other data, Russia stated that defining the principles for the processing of personal data, in a manner uniform for all UN member states, is needed. This would significantly help raise the level of personal data protection, and strengthen legislation for the protection of personal data in those states which may display shortcomings in this matter.
In efforts to address ICT threats, states should not inadvertently inflict other types of harm, or further marginalise vulnerable groups, Costa Rica emphasised. Governments must engage with the local civil society organisations in order to gain understanding of how cyberthreats impact different segments of society.
Nigeria underlined the importance of robust incident management frameworks, including optionalisation of Computer Emergency Response Teams (CERTs) capacity building, different levels of multistakeholder-based engagement, and the whole of society approach to implementation of cybersecurity, cooperation between states, as well as legalising agreed upon norms to ensure responsible behavior.
Israel noted that a certification scheme for supply chain security and compliance officers that would guarantee cross border interoperability could help build trust and greatly contribute to cyber hygiene. Israel also noted that ICT companies should build products which are secure by design, meaning that the end user would, by default, get a safer version of the product with less attack surface.
Argentina underlined the exchange of information on vulnerabilities between the public and private sectors, better international judicial cooperation, and awareness-raising.
Poland would like to see national and European experiences and tools expanded to the global level for the benefit of all UN member states.
The OEWG could hold dedicated meetings on specific norms of responsible state behavior in light of specific threats the international community faces, the EU suggested. Such discussions would contribute to better understanding of the cyber threat landscape, the challenges to be addressed, and would help identify concrete solutions to advance the implementation of responsible state behavior in cyberspace. A similar suggestion, made by Switzerland and Chile, was that the OEWG could organise dedicated meetings, seminars, workshops, or conferences on specific threats. In Chile’s view, the OEWG could recommend conducting a study on threats, in coordination with regional organisations.
UN OEWG 2021-2025 1st substantive session
13 Dec 2021 - 17 Dec 2021
New York, USA