Stéphane Duguin's speech at the United Nations Security Council Meeting.

The CyberPeace Institute calls on the United Nations Security Council to enforce accountability in cyberspace

CyberPeace Institute

The United Nations Security Council held, for the second time in its history, a formal debate on the impact of cyberthreats on international peace and security. The meeting was called by the government of South Korea.

Our CEO Stéphane Duguin joined Secretary General António Guterres and Professor Nnenna Ifeanyi-Ajufo in reminding the member states about the proliferation of threat actors, the multiplicity of threats: cyber mercenaries, cyberattacks to circumvent international sanctions, cyberattacks against critical infrastructure and the risk of autonomous cyberattacks.

We welcome South Korea’s ambition to make cybersecurity a critical part of the maintenance of international peace and security, and to have it added to the agenda of the Security Council.
The CyberPeace Institute proposes that the Security Council focus on:

      • Enforcement of existing laws and regulation, notably through transparent and public documentation of violations, and the measurement of harms from cyberattacks

      • Calling out perpetrators through systematic attribution, as a critical step towards accountability in cyberspace

      • Being ready for evolving and future threats, such as the convergence of disinformation and cyberattacks, and the unacceptable risk of autonomous cyberattacks.

    You can rewatch the session including Stéphane’s speech here.

    CyberPeace Institute intervention for the Security Council High-Level Open Debate on “Maintenance of International Peace and Security: Addressing Evolving Threats in Cyberspace” – Full Speech

    Dear Secretary-General, Excellencies, Ambassadors, Ladies and Gentlemen, 

    It is an honor to address you today on a matter of critical importance: how to address the evolving threats in cyberspace. As CEO of the CyberPeace Institute, an independent and neutral non-governmental organization, I speak from experience as the Institute offers free cybersecurity assistance, monitors threat actors, provides threat detection and analysis, and advocates for respect of laws and norms in cyberspace.  

    As we analyze the evolution of the threat, I would like to address the cumulative effect of serious disruptions to the threat landscape, which, together, directly impacts the maintenance of international peace and security.  

    I will touch upon the proliferation of the threat actors, and how it increases the targeting of critical infrastructure – the mutation of the threat, today, notably with the convergence of cyberattacks and disinformation, or the usage of cyberattacks to circumvent international sanctions – and the evolution of the threat, tomorrow, with the unique risk that AI creates to cybersecurity.  

    These evolutions create unique challenges to international peace and security, by notably complexifying attribution – meaning identifying the perpetrator or source of a cyberattack or operation.

    Proliferation

    I will start with the proliferation of threat actors. Since the 2022 invasion of Ukraine by the Russian Federation, the CyberPeace Institute is documenting a proliferation of threats and threat actors siding with both belligerents. Warfare is no longer the sole preserve of states. There are a range of non-state actors from criminal groups, hacktivist collectives with geopolitical motives, and other civilians taking part in cyberattacks and operations. They pursue 4 objectives: to destroy infrastructure, to disrupt the normal functioning of essential services, to synchronize disinformation and cyberattacks, and to steal and weaponize data through infiltration and espionage.

    In that context, we traced more than 3000 campaigns of cyberattacks (3,225) by 127 different threat actors, affecting some 56 countries, targeting 24 different critical infrastructure sectors. The harm caused by these cyberattacks is felt far beyond the borders of the belligerent countries, with close to 70% of all cyberattacks impacting organizations in non-belligerent countries. These metrics are freely available in our Cyberattacks in Time of Conflicts Platform.

    Such a proliferation of attacks and threat actors poses the question of de-escalation in the context of a potential cessation of hostilities: how can such threat actors be made to stop their malicious activities or be brought under control in such a circumstance?

    Preventing Attacks Against Critical Infrastructure, Industrial Control Systems and the Public Core of the Internet

    This proliferation has a direct impact on the security of critical infrastructure. Two examples to illustrate: 

    In February 2022, a cyberattack using a wiper malware called “AcidRain” targeted Ukraine’s broadband satellite internet access. The impact was felt beyond the borders of Ukraine: it impacted the functioning of wind turbines across Europe, with a major German energy company losing remote monitoring access to over 5,800 wind turbines, and thousands of subscribers of satellite internet service in Germany, France, Hungary, Greece, Italy and Poland were affected.

    Such impacts are not solely happening in a time of armed conflict. During the COVID-19 pandemic, the CyberPeace Institute monitored 500 cyberattacks against healthcare facilities during 2 years of the COVID-19 pandemic. 500 cyberattacks are not even the tip of the iceberg, but these 500 attacks affected healthcare across 43 countries, led to the theft of over 20 million patient data, and amounted to a cumulative disruption of healthcare of over 5 years – ambulances redirected, appointments canceled, patients with degraded access to care.

    Curbing the Use of Cyber to Circumvent International Sanctions

    Another aspect of the evolving threat is the use of cyberattacks to evade international sanctions, and finance illegal activities. As an example, several civil society actors, cybersecurity organizations and States have analyzed the activities of the Kimsuky and Lazarus Group, whose tactics, tools, processes and intent have been attributed to the DPRK. These criminal groups coordinate global cyberattacks of all types: attacks on the supply chain, ransomware, cyberattacks on cryptocurrency exchanges and financial institutions. Beyond the important direct or primary harms and impacts they create, these cyberattacks are a vector to circumvent international sanctions. Recent estimates are that more than 3 billion US dollars have been gained by Lazarus Group and Kimsuky from such attacks.

    Such an escalation of state-sponsored cyberattacks can create massive harms: the WannaCry attack in May 2017, which impacted more than a quarter of a million computers in less than 24 hours in over 150 countries, caused significant disruptions and widespread impact across healthcare, financial and transportation sectors.

    The Unacceptable Risk of Autonomous Cyberattacks

    To conclude on the evolution of the threats, it is important to foresee new risks, such as the threat of Quantum computing on cryptography, or generative AI on criminal models. Since the advent of generative AI and large language models, AI is used by malicious actors to augment their capability. AI is used to scale existing processes in the Cyber Kill Chain: saving time in target recognition, automating vulnerability searches, increasing the production capacity of Phishing activities (quality, language), etc. This is the first step, as groups are already experimenting with the use of generative AI to automate part of a cyberattack. This bears an unacceptable risk. Successful tests carry the risk of reaching such a level of automatization, that a malicious actor could willingly or accidentally trigger an autonomous cyberattack.

    Recommendations

    Because of the convergence of several cumulative disruptions, and as the cyber threat landscape evolves very fast, it is complex to respond through a coherent strategy. Still, several actions can happen:

    • Operationalization of laws, norms, and sanctions, notably through the transparent documentation of violations, and a future looking approach, to prevent the malicious use of cyberspace, including the misuse of AI or Quantum Computing.
    • Calling out perpetrators, to enforce sanctions and to take appropriate and adequate measures. There cannot be de-escalation without attribution, as it is critical to inform decision-making about the measures to be taken, and the defenses to take. It can have a deterrence effect, as holding perpetrators accountable can enable legal and diplomatic responses, and strengthen policy development.
    • Measuring what constitutes harm from cyberattacks in a comprehensive and measurable manner. The CyberPeace Institute is developing such a methodology to measure harm from cyberattacks.

    These aspects are critical to maintaining international peace and security, cooperating in solving the escalation of cyber threats, and harmonizing the actions of nations.

    Thank you for allowing me to address this esteemed session.

    © Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.
