4th Meeting of the first substantive session of the Open-Ended Working Group (OEWG)

Event report

The fourth meeting of the first substantive session of the Open-Ended Working Group (OEWG) discussed existing and potential threats in the sphere of information security.

The representative of Egypt underlined the possible use of information and communications technologies (ICTs) in future state conflicts, attacks targeting critical infrastructure, and the increasingly complex and sophisticated malware and viruses. Egypt stressed that the real threat is the malicious use of ICTs by terrorists and criminals. Threats related to digital identity and data protection were also mentioned. However, Egypt is of the view that the task of the OEWG is not to develop a comprehensive list of existing and emerging technologies that could represent a threat to international peace and security, but rather, to agree on a comprehensive set of binding rules for the users of such technology. The implementation of such rules could be carried out through harmonised legislation and policies on the national level, and through compliance with agreed rules and exchange of information and co-operation on the international level.

The representative of the United States noted that an arms control approach to ICTs would suppress the positive developments that ICTs could provide the world with. Some developments have been weaponised by governments, terrorists, non-state actors, etc. A binding treaty to restrain these activities would not be binding for non-state actors and terrorists. The behaviour of states, however, can be controlled. Hence, the OEWG should focus its work on possible high risk state-on-state conflicts that could pose a threat to international peace and security, and come to an agreement about the types of voluntary measures that could be taken to prevent conflict.  

The representative of Argentina stated that there are many difficulties to be found in cyberspace: problems of attribution, vulnerability of critical infrastructure, the digital divide, and issues linked to the exercise of sovereignty. Military use of cyberspace is causing distrust between states. Elements of cyberspace can, by their very nature, be weaponised and cause great harm to states. Argentina stressed that prevention, detection, analysis, research investigation, recovery capacities, and defensive response capacities are needed at the national level. International co-operation is also necessary.

The representative of New Zealand underlined reports of malicious activities undertaken to destabilise governments, undermine democracies, and damage citizens’ trust in elections; activities designed to steal intellectual property; incidents that slowed global trade and disabled critical infrastructure; and, financial cyber operations conducted by states. New Zealand stressed that the persistence of these activities points to the need to insure that all states are able to implement the already agreed upon norms and that states will hold one another accountable for their actions.

The representative of Russia highlighted the importance of updating the shared general understanding of threats in cyberspace, as well as the importance of norms on responsible state behaviour, which are going to be a reaction to the threats. As directly copying disarmament agreements into cyberspace is not going to have the desired outcome, one of the pathways to follow is the progressive development of international law. The work of the OEWG needs to be aimed at preventing military confrontation. While the GGE reached a common understanding on threats, the new report should contain an updated list of threats. It is important to see where the threats will emanate from, for example, from robots or artificial intelligence (AI).

The representative of Egypt took the floor again and spoke about taking an arms control approach to the cybersecurity issue. He argued that arms control treaties restrict behaviour –  not material – even the most restrictive arms control treaties do not put restrictions on the technologies themselves, but on what states are allowed to do with those technologies. There is room to draft more binding rules for states. An arms control approach would not have to have verification measures. It could be a set of norms for states to abide by, resolve their differences through consultations, and verify and attribute non-compliance cases.

The representative of Iran is of the view that the main threats in the cyber and ICT environments are those that weaken the national sovereignty of states and equality of sovereignty. The OEWG should work on solutions to address monopoly in cyberspace: monopoly on governance, monopoly on possession of technology, and monopoly in the capacity to deny others access to technologies and information. Iran underlined that content is as important as infrastructure in the context of threats, as well as the importance of applying restrictive measures in an ICT environment. ICTs should not be regarded from a security perspective only, but from a developmental perspective as well. Another threat is that states do not have a common understanding of all the concepts and terminology in this sphere, and the OEWG should keep this in mind.

The representative of China stated that cyber-attacks, cybercrime, and cyberterrorism pose threats to the security and stability of states. Additionally, states are regarding cyberspace as a new battlefield, pursuing a strategy of retaliatory attacks, forging military alliances, introducing rules of engagement, increasing the risk of conflict in cyberspace, and undermining international peace and security. Cyber-attacks on critical national ICTs infrastructure, fake news proliferation, and leaks and abuse of personal data worsen the trust deficit. The Internet of Things (IoT), AI, big data, cloud computing, and blockchain among other emerging ICTs, bring security risks. The current distribution and management of critical Internet resources pose security threats to the functioning of critical infrastructure.
 
The representative of India underlined that cyber-attacks are moving toward the disruption and destruction of cyber physical systems, that malware has evolved into destructive malware, and that global supply chains are being tampered with. Increased Distributed Denial of Service (DDoS) attacks on government services have impacted the trust of users in ICTs. Traffic hijacking has exploited trust related gaps. Financially motivated crime or fraud has shaken the global banking sector. States are carrying out covert influence campaigns using false social media accounts, pushing fake news and malware. Malicious actors are hijacking most sensitive digital accounts, including social media, e-mails, and financial accounts to steal and launder money, and ransom the data. With the advancement of new technologies such as IoT, AI, machine learning, 5G networks, blockchain, and cloud computing, new threats will emerge. India also stated that social media companies could be held accountable for the spread of fake news, false accounts, and compromising the privacy of citizens.

The representative of Singapore is of the view that cyber-threats will become more targeted, sophisticated, and deceptive as countries transition into higher levels of connectivity. Singapore anticipates six cyber-threats in the future. First, data breaches will become more frequent, as cybercriminals will try to breach computer databases, especially those that store large amounts of private and personal information. Second, there will be an increased threat to global supply chains. Third, more disruptive attacks against the cloud are to be expected, as cybercriminals will aim to steal data, or amplify DDoS attacks. Fourth, greater risks for smart buildings and connected systems will appear as malicious actors will attack them to hold their owners ransom, to spread malware, or conduct DDoS attacks. Fifth, AI could be leveraged by malicious actors to search for vulnerabilities in computer systems and create smarter malware. Lastly, malicious actors target and manipulate biometric data to build virtual identities and gain access to personal information. Singapore believes that countries should share information and best practices in dealing with such threats.

The Cuban delegate stated that new technologies themselves do not represent a threat to international peace and security, but rather, the harmful and prejudicial use of these ICTs does. The OEWG should focus its work on the responsible use of technologies, particularly new technologies, by states. Particular focus must be put on tackling the threats faced by developing countries. A common understanding from a technical and political perspective regarding attribution needs to be achieved. Cuba also underlined the attempts to undermine and destabilise other states in cyberspace, including by strangling the flow of information and attacking the critical infrastructure of other states, by states and non-state actors, including terrorist and extremist groups. The digital divide has an adverse impact on the capacity of some states and therefore, the capacity of the international community for prevention, identification, and mitigation against the misuse and abuse of ICTs. The use of unilateral coercive measures and discriminatory practices which restrict universal access by developing countries to ICTs must end.

The representative of Mexico considers the OEWG as a good opportunity for UN member states to address issues such as cybercrime and cyberterrorism, as well as the use of the Internet and Internet platforms for the dissemination of hate speech, racist speech, and xenophobic speech. Mexico is of the view that acts that could potentially cause damage to the legitimate ICT activities of public administration and public authorities need to be addressed. The physical infrastructure of ICT networks must be protected. Mexico is also of the view that threats in cyberspace may have direct links to traditional or conventional threats in the physical world. The role of regional organisations was underscored, as they can raise region-specific questions and ensure region-wide commitment to the implementation of international instruments and agreements. Confidence building measures (CBMs) can also play a central role as they could be a useful vehicle for finding ways to mitigate threats.

The representative of Canada stated that issues such as interference, using cyber means in elections, the risk of miscalculation and conflict, and the unintended consequences of malicious state behaviour can affect international peace and security. The OEWG could be a forum for discussing potential future threats stemming from IoT, AI, 5G networks, and quantum computing, as these developments can affect the threat landscape as well as relations between states. She also stated that women and human rights defenders or advocates can be differentially affected by threats, and that there would be value in looking into that.

The Netherlands stated that it would be beneficial if the OEWG were to acknowledge that developing offensive and defensive military ICT capabilities is an indisputable fact. In order to limit the risks and threats related to these capabilities, it is necessary for states to be transparent about the nature and purpose of their capabilities, the circumstances under which they will be used, the political control over them, as well as to have international co-operation to prevent inadvertent escalation, miscommunication, and miscalculation. Two specific threats highlighted by the Netherlands were state sponsored unlawful network disruptions, and state sponsored cross border cyber-attacks on freedom of expression online (such as blocking access to legitimate online content, intimidating ICT users, or harming intermediary technology and companies). The Netherlands also stated that it would be beneficial if the OEWF were to acknowledge that the lack of resilience presents the international community with risks for international stability. This would make addressing these resilience gaps one of OEWG’s priorities. One of the tools to do so is capacity building.

The United Kingdom stated that it is important to model responsible state behaviour, as well as call out irresponsible state behaviour. Deterrence continues to be an important component in international relations in cyberspace. Developing ICT capabilities for military purposes is legitimate, as it could be de-escalatory, compared to other options. However, it must be in line with the country’s rights and obligations under international law, and meet the tests of legality, necessity, and proportionality. The UK has stated that consensus could be built around emerging threats, states holding each other accountable, thinking about the implications of emerging technologies, the issue of tech transfers, the development aspect of technology, and cybercrime.

The representative of Australia expressed concern about the scale, scope, and sophistication of malicious cyber activity. Australia identified three groups of malicious activities in cyberspace: cybercrime, cyberterrorism, and activities by state actors. The OEWG should discuss foreign state actors acting in ways that are inconsistent with international law, and the already agreed upon norms. Australia emphasised that the OEWG should be looking at the activity both above and below the threshold of use of force. Australia reminded everyone that there are already bodies of work within the UN that deal with cybercrime and cyberterrorism, and urged the OEWG to focus on state behaviour online and threats associated with state behaviour. Australia also encouraged the OEWG to retain a technology neutral approach to the recommendations in the future report.

The representative of the Syrian Arab Republic stated that an agreement to a convention, which would be legally binding is necessary. However, this agreement should not take an arms control approach, as that would constrain the development that technology enables.

The representative of Japan highlighted the increased concerns of future attempts to target weakness in IoT and supply chains by malicious cyber actors. On the necessity of legally binding frameworks, he stated that cyber technology develops very fast, while forming consensus on legally binding norms will take a long time. Therefore, Japan considers that it is important to begin by developing non-binding norms and steadily implementing them.

The representative of Spain underscored that the OEWG should not just identify what the cyber threats are, but focus on the relevance of those threats, and reflect that in its final report. To achieve this, consensus is necessary, and it can only be achieved if the responsibilities of the states and the CBMs between states are highlighted. Spain stressed that the work of the OEWG must bring added value, and that the group should think about how to build on the 2015 GGE report and how it can be turned into tangible action.

The representative of Finland reiterated that the mitigation of threats cannot limit the spread of ICTs and technology transfer. The OEWG needs to make sure that members share the same common concepts and ideas, which is problematic in the case of new technologies. In this regard, the OEWG could benefit from consulting with experts from industry and civil society. Finland also underlined threats against human rights and fundamental freedoms, and privacy, as issues that need to be considered in the OEWG.

The representative of Austria stated that a starting point of discussion within the OEWG could be one of the recommendations of the 2015 GGE report: that a state should not conduct or support any ICT activity contrary to its obligations under international law, and that intentionally damages critical infrastructure or impairs the use and operation of critical infrastructure – and that the OEWG could add CBMs and capacity building to this. Austria also reiterated the issue of common terminology and the threats to human rights online.

The representative of France underscored two risks to cyberspace. First, states need to promote a cyberspace which is free and full of political and socio-economic promise. Second, the threats that technologies could pose is not dependent on the level of their sophistication. The OEWG should discuss, in depth, how responsible behaviour could be promoted in a transparent manner, and how each country could protect its own security, therefore contributing to the protection of global security. This is why capacity building and co-operation need to be considered.

The representative of Iran raised the question of the OEWG’s mandate being limited to state actors. He also spoke about the threats emanating from the activities of the social media platforms. The OEWG should discuss how to hold social media platforms accountable and responsible, and made to observe rules and norms in order to help ensure a more secure ICT environment.

The Syrian Arab Republic took the floor again to state that the OEWG’s mandate should include looking at state actors, but also cyberterrorists and cybercriminals who are non-state actors that may have connections with states or act independently. The Syrian delegate also brought forth the question of whether the freedom of expression enables the proliferation of terrorist material online.

The representative of Poland stated that rules that exist in the real world should also apply online, and that a culture of accountability and adherence to norms, rules, and principles for responsible behaviour must be fostered. It is important to have clarity and unity regarding responses to malicious cyber activities because it could discourage further attacks and prevent the escalation of potential conflicts. A required level of transparency regarding national strategies and doctrines could serve as a CBM. Attacks on democratic or electoral infrastructure could be very damaging for the trust and confidence in the functioning of state institutions.

The representative of Spain stated that some aspects and elements relating to the threats posed by non-state actors should be duly considered in the OEWG. CBMs must be identified, and cyber capacity building should be addressed. If the OEWG discusses cyber capacity building in full, a broad approach will need to be taken to ensure that capacity to address all cyber threats is built.

The representative of Denmark underlined that the OEWG should focus on responsible state behaviour. The OEWG should also discuss cybercrime and cyberterrorism as threats a state must address. Denmark also stated that they agree with France and Australia that the development of offensive cyber capabilities is legitimate and necessary for countries’ defence. The responsible approach to developing these capabilities is one of restraint and transparency, within the bounds of international law.   

The representative of France stressed that freedom of expression does not encompass freedom to sow terrorism, organise a terrorist act online, or influence an election. France, together with many partners, has taken strong actions following the Christchurch Call in order to ensure better control over terrorist activity on the Internet. At the most recent G7 Summit, major social network platforms and Internet platforms were called upon to exercise their social responsibility.

The delegate of Pakistan expressed concerns about the malicious use of ICTs by state actors as well as non-state actors for criminal and terrorist purposes. Deployment of cyber capabilities by states for political and military purposes, as well as non-state actors for malicious purposes, the absence of a common understandings on acceptable state behaviour, and wide disparities in the capabilities of states in addressing risks were also cited. State sponsored actions to suppress legitimate freedom of expression and the use of ICTs for spreading hate speech, racist, xenophobic, and inflammatory content are also among the country’s concerns.

The representative of Costa Rica expressed the country’s view that international law, international human rights law, and international humanitarian law must be taken into consideration in the OEWG’s discussions on threats in cyberspace.

The representative of Columbia reiterated that any measures that the OEWG adopts should not hamper the enjoyment of the socio-economic benefits provided by ICTs. The OEWG should also discuss new trends generated by emerging technologies.

Syria took the floor again to stress the need to acknowledge that states are capable of engaging in destructive use of technology. It is necessary to discuss instigation, incitement, maluse, and abuse of ICTs by states for destructive purposes, such as the destabilisation of countries.

The representative of Brazil spoke about the offensive and defensive use of cyber capabilities, expressing concerns about the weaponisation of ICT tools, as it increases the unpredictability in international relations. Regarding the role of non-state actors in cyberspace, he stated that states may often wish to use non-state actors as a proxy for offensive actions in cyberspace.