UN OEWG 2021-2025 – Existing and potential threats in the sphere of international security

Event report

Delegations shared examples of existing and potential threats in cyberspace that states face.

The USA, the UK, the Netherlands, Cuba, Ghana, Singapore, Germany, France and Timor-Leste highlighted cyberthreats to physical and digital critical infrastructure (CI). Malicious actors can also target undersea cables, oil and gas pipelines, communication networks and rail systems, the USA underscored. The Netherlands highlighted cyberattacks against electoral processes and the public core of the internet, which includes the technical infrastructure of the internet, as well as organisations critical to global routing, naming, and numbering.

Cyberattacks on the health sector, particularly on medical devices or vaccine research and trials, ransomware attacks on medical facilities, and cyberattacks on humanitarian organisations were highlighted by the USA, Australia, France, Ireland and the Netherlands. 

The International Committee of the Red Cross (ICRC) called on delegates to reaffirm that humanitarian organisations, their staff, and humanitarian data must never be targeted, whether in the physical or digital world. The ICRC recalled that it had been a victim of several hostile cyber operations aimed at the personal data of people receiving humanitarian assistance. Switzerland reported that the Swiss National Cyber Security Centre quickly aided the ICRC in dealing with malicious cyber activity. Switzerland also emphasised that the protection of humanitarian missions should include the protection of its data assets and infrastructure.

Ghana highlighted the financial sector, France the energy sector, while Turkey added transportation, water management, and other essential public service sectors.

The USA also condemned safe havens for cybercriminals and governments that allow their cyber personnel to moonlight as cybercriminals.

Emerging technologies can be misused, the USA and Iran cautioned, with the USA emphasising artificial intelligence. 

The EU, speaking on behalf of its member states, the candidate countries, North Macedonia, Montenegro, and Albania, the country of the stabilisation and association process and potential candidate Bosnia and Herzegovina, noting that Ukraine, the Republic of Moldova, and Georgia align themselves with the EU’s statement, expressed concern about cyberattacks with global consequences, such as the SolarWinds and Microsoft Exchange cyberattacks. According to the EU, the UK, Brazil, Austria, Switzerland, Indonesia, Australia, Ireland, and Germany, cyberattacks may have spillover effects. Similarly, the Netherlands expressed concern over the use of cyber instruments that ‘do not clearly distinguish between the intended cyber operation and the possible effects’. The UK and the Netherlands emphasised that hacktivism is illegal in both countries and can lead to unintended consequences.

China, Ecuador, France, Indonesia on behalf of the NAM, Iran, and Syria expressed concern that the development of cyber offensive capabilities may lead to militarisation and weaponisation of cyberspace, transforming it into a theatre of military operations. 

The NAM condemned the misuse of media platforms, including social media for ‘inciting and launching campaigns against any state in contrary to the principles of international law’. 

Iran underlined threats arising from ‘contents’, such as the use of digital platforms and social media for propaganda, misinformation, and disinformation against targeted countries. France noted disinformation campaigns over recent months as a risk to security and stability of cyberspace. The Russian Federation stated that disseminating fake information should be perceived as interference in internal affairs, saying that states should potentially be held liable for the dissemination of ‘unreliable data’. Cuba underscored the subversive use of ICT to attack systems in third countries, as well as the use of ICT ‘as a tool for interventionism’, including ‘promoting hate speech, incitement to violence, subversion, and destabilisation, the dissemination of false news and changing reality for political means and as a pretext for the threat or the use of force against states’. Syria also highlighted the spread of hate speech and intolerance. 

The UK noted the importance of the free flow of information. Pakistan stated that the spread and proliferation of disinformation necessitates the dissemination of factual, timely, accessible, and evidence-based information. Nicaragua also expressed concerns in this vein.

Indonesia on behalf of the NAM, Iraq, Kenya, Ghana, Syria, and Nicaragua spoke about the misuse of ICT to incite and commit acts of terrorism, as well as for recruitment.

Iraq noted the use of ICT to collect data for criminal purposes as a serious threat, and South Africa highlighted ‘hack-and-leak operations’.

Canada, Malaysia, South Africa, Germany, Colombia, France, and Switzerland underlined ransomware. 

Iran and Venezuela underlined the coercive use of cyber tools to violate cyber sovereignty, interference and abuse of ICT for illegitimate geopolitical goals, unilateral coercive and other measures in the ICT environment, false flag operation in the ICT environment (hostile image-building and fabricated attribution), the accountability of the private sector with extraterritorial impacts for their behaviour in the ICT environment, manipulation of ICT supply chains. France noted that cooperation with the private sector on increasing awareness of cyber hygiene practices and examining standard tools such as certification and regulations could improve supply chain security and through that, globally, increase the resilience of CII infrastructures. 

Some countries spoke about cyberthreats in the context of the Ukraine crisis.

The USA claimed that the Russian Federation conducted disruptive and destructive cyberattacks to undermine and destabilise Ukraine. These cyberattacks were designed to affect the civilian population and targeted non-military victims, such as banks, government websites, and other private sector entities. 

The EU and Canada stated that the current actions of the Russian Federation in Ukraine violate the already agreed-upon norms of responsible state behaviour in cyberspace.

The Russian Federation underlined ‘ongoing cyberattacks from the collective West’ on state agencies, mass media, and critical infrastructure and facilities, as well as fake news aimed at discrediting Russian armed forces. The country also noted that new threats have cropped up, including disconnecting a country from the internet and cutting it from the international payment system. It was referring to the fact that it was cut off from SWIFT, noting that it is ‘technically possible because the management of such a system is in the hands of just one or a very narrow group of countries’. Russia also underlined ‘cutting off media of undesirable states’, referring to bans on Russia Today and Sputnik. 

Germany underlined threats targeting state interests, such as the protection of democratic processes, government and citizen data, and economic espionage with a focus on high tech companies. Timor-Leste also highlighted that misinformation undermines public trust and confidence in political and electoral processes.  

France ​​noted that vulnerabilities in ICT products increase the surface area of cyberattacks. France brought up the threat relating to internet fragmentation and risks it brings: ‘If we have several different internets, states might decide to engage in malevolent activities if they feel they could do this by protecting a precarious internet and have another one in addition to that. OEWG should take this into account and redouble our efforts to preserve the architecture of a single, open, stable, and safe internet’.

The threat that the widening digital divide between countries poses to the global ICT environment  was brought up by Brazil, Pakistan, Argentina and Venezuela. Brazil stressed that weak states should be supported while they are maturing their capacities. Venezuela stated that the ‘oligarchical nature of the ICT industry […] endangers the pluralistic and democratic nature of the communication process and interferes in our ability to guarantee a broad spectrum of social rights.’

Pakistan highlighted threats associated with manipulation and theft of digital identity,  targeted propaganda campaigns that could undermine national economies and security, as well as personal security.

Possible cooperative measures to prevent and counter cyberthreats

The need for collaboration was also underlined by the Russian Federation, the UK, and Egypt. Similarly, the Russian Federation noted that for threats to be eradicated, relevant authorities need to be in contact. The key to ensuring that the latest threats are understood and mitigated effectively is to strengthen the relationship between government departments, regulators, and private sector operators, the UK noted. Egypt also underlined the cooperation between the government and the private sector, while South Africa added that civil society should also be included.

The EU suggested that dedicated meetings on specific norms of responsible state behaviour in cyberspace in light of specific threats should be held. Iraq suggested ‘charting a roadmap for international support as per prioritisation of threats’. Egypt suggested that a preliminary agreement on a regularly updated list of existing and potential cyberthreats is necessary. 

Encouraging UN member states to address cybersecurity in the national legislations, identify their CI facilities, and encourage them to establish national computer emergency response teams (CERTs) to respond to cyberthreats was highlighted by Egypt. The UK stated that states should make their approaches to cybersecurity, resilience, and CI protection publicly available. Costa Rica emphasised the multistakeholder approach because the private sector, civil society, and researchers’ analysis, information, and capacity on threats, their potential impact, and approaches to mitigating them are invaluable.

On combating fake news, the Russian Federation stated that confirming the principles of personal data protection at the global level would help decrease the use of false information. Cuba advocated for the ‘right of states to counter this [false information] within their own constitution the dissemination of fake news or distorted news that could be interpreted as interference in internal matters or could be harmful for peace and cooperation and friendly relations’.

Cuba suggested the establishment of a multilateral mechanism within the UN for impartial attribution of cyberattacks.

Timor-Leste noted the high importance of regional international cooperation for developing states, mentioning ASEAN initiatives.

Mexico would like to see a follow-up on the survey on the implementation of recommendations to assess the degree of adoption. The OEWG needs to identify the areas of cooperation, and particularly the contacts between national contact points that will help promote cyber diplomacy. This multilateral coordination could lead to an international repository of cyberattacks occuring nationally and internationally.

Venezuela added that a regular compendium of existing threats accompanied by best practices to address the said threats could be created under the UN auspices.

Answers to Chair’s guiding questions

• What preventative and response measures can states consider implementing in response to potential threats identified at the first substantive session?

Malaysia underlined cybersecurity baselining understandable to all stakeholders. The Republic of Korea stated that the OEWG is not ready to design and adopt specific measures against cyberthreats. The country posited that the OEWG should focus on building an architecture flexible enough to respond to potential threats, such as cooperation networks for a hub of cooperation for confidence building measures (CBMs), capacity building, and implementation. Costa Rica stated that security by design is critical to ensuring that state systems and infrastructure are less vulnerable. National policies should be based on industry best practices, international standards, and other efforts from academia, the technical community, and civil society to create more secure digital products. The country also emphasised a human-centred approach to cybersecurity. Ecuador agreed with Costa Rica, but added that all of those could benefit from a multilateral ongoing platform for implementation, meaning the French-Egyptian proposal for the Programme of Action. 

El Salvador suggested cybersecurity capacity building for officials at all levels to ensure the safe use of ICT, reduce threats of ransomware, and promote data security.

Estonia emphasised building up resilience, transforming cyber hygiene into a daily routine, sharing experiences, holding exercises both at the technical and political levels, partnership with the private sector, capacity building, and advocating the agreed normative framework. Australia also highlighted the implementation of previous agreements.

Pakistan noted that it is necessary to collaborate with the UN system, including communications departments in relevant agencies, to combat the spread of disinformation.

Colombia proposed strengthening initiatives that will allow for centralised resources to facilitate threat analysis, detection, containment, and eradication. Projects such as No More Ransom should be promoted.

• How can states enhance the protection of critical infrastructure, including critical information infrastructure, from existing and potential threats? 

Malaysia noted the importance of clear strategies, capacity development, national legislation, and proper control measures by the CI owner. On the matter of ransomware, an appropriate recovery plan of services, data, and systems needs to be in place. Countries have a responsibility to work together in order to reach agreements to secure and stabilise the ICT environment, Costa Rica noted. 

Botswana suggested the establishment of a permanent forum for exchanging knowledge at the policy and technical levels, for sharing best practices regarding CI protection, national cybersecurity risk assessments, and cybersecurity drills.

El Salvador highlighted the development of norms that will enable the classification of national assets, and then create strategies to defend them.

Switzerland underlined proactive sharing of technical information and continuous threat assessments and advisories at the national and sectoral levels.

Ghana noted that discussions at the OEWG should encourage states to consider designating CII and ensuring their adequate protection.

Turkey stated that informed decisions must be made regarding capacity-building efforts that cover a wide range of areas at the technical and policy levels. Turkey suggested that criteria used by the International Telecommunication Union – the Global Cybersecurity Index (GCI) can be utilised, as well as proposed national survey of implementation.

Japan emphasised the importance of safeguarding the entire supply chain. The first steps in its protection are simple preventive measures such as keeping all software up to date, changing passwords on a regular basis, and educating employees not to open unknown links.

The Philippines noted that protection of CI should be done primarily through compliance and assessment activities at three levels – inventory, readiness of CI, and compliance via assessments by a third-party institution. Another major activity is participating in international drill exercises.  

Colombia stressed the implementation of a precise methodology to identify, prioritise, catalogue, and protect all essential services at the national level, increase technological capacity in order to identify threats quickly, increase the capacity of competent authorities to carry out immediate investigations, and establish coordination with service providers, web hosts, and public-private alliances for the protection of CI. 

Indonesia suggested that the OEWG develops comprehensive compendiums or guidelines pertaining to efforts and experiences of states regarding the protection of CI, including implementation of the norms 6 and 7 of responsible state behaviour in cyberspace.  

• How can states work together to share best practices with regard to critical infrastructure protection, at the bilateral, regional, and global levels?

States can use existing bilateral, regional, and global platforms to discuss cybersecurity, as well as recognise cross-sectoral and sector-specific best practices, Malaysia emphasised. Existing channels for exchanging best practices and information sharing were also noted by Costa Rica. States can draw from industry best practices and international standards for protecting critical infrastructure, Costa Rica noted. States can exchange experiences on conducting cybercrime time management exercises, Singapore stated. Regionaly, the OAS has provided technical assistance for the establishment of CSIRTs and El Salvador and Argentina have benefited from that technical assistance. 

Switzerland underlined various initiatives, such as the Geneva Dialogue, the OSCE, the OEWG, and UNIDIR.

• How can states work together to share new information on existing and potential threats in real time? 

Merging and extending existing regional mechanisms into cross-regional and global mechanisms was presented as an option by the Republic of Korea. Exchanges between national CERTs and regional associations of CERTs were underlined by Singapore and Pakistan. The Republic of Korea highlighted the need for stronger collaboration between policymakers, experts, law enforcement, and strategy levels. Formal communication channels were highlighted by Costa Rica. The country stressed fostering points of contact (PoC) networks at the regional level or creating a PoC network at the international level. Similarly, India underlined identifying PoCs of national CERTs and cybersecurity incident response teams (CSIRTs) and regular interaction between competent authorities. The Philippines also highlighted the importance of PoC not only for sharing best practices, but also  for helping to address threats during uncertain situations. Turkey expressed support for establishing points of contact networks, and a global directory of points of contacts.  Ecuador noted there is some controversy over who would manage these lists.

Switzerland stated that in order to establish a sustained and robust real-time information exchange and cooperation between states, trusted processes and formats must be used at the technical level, such as the former CSIRTs network and FIRST, as well as the GFCE and the Geneva Dialogue.

The last speaker on the sub-topic of threats was the International Chamber of Commerce (ICC), talking about the dramatically rising costs of cyberattacks and non-monetary losses as disruptions of the normal activities of business and everyday life. The ICC suggested looking at the model of sustainable development goals to formulate cyber development goals (CDGs) that would define the necessary technical, legal, and policy frameworks and capacities needed for implementation and inspire collective action. The CDGs would be primarily a capacity-building instrument at the national level and would depend on states commitment to systematically track and report implementation.