The CyberPeace Institute[1], an independent and neutral non governmental organization headquartered in Geneva, Switzerland, welcomes the call for civil society organizations to contribute to the “New Agenda for Peace”.
The cyber threat landscape is rapidly evolving with a rise in the frequency, sophistication and intensity of cyberattacks in situations of armed conflict and peace with the consequent potential for real harm of people, and severe humanitarian consequences. The CyberPeace Institute, based on its expertise, operational assistance to vulnerable populations and observations from its in-house data analysis provides the following recommendations for consideration with the aim of reducing strategic risks, reshaping responses to all forms of violence, and putting people’s needs and rights at the center of responses:
Recommendation 1: Ensure a focus on a human-centric approach to achieve peace and security
The maintenance of international peace and security needs to ensure the protection and enablement of individuals to enjoy in cyberspace their fundamental rights and freedoms as well as their rights to economic and social advancement. To comply with the law and those rights in cyberspace and ensure the trust in technology it is essential that Member States focus on the harms and impact of cyberattacks on people and society[2] and that this informs and influences decision making.
Member States should consider the impacts and harms stemming from cyberattacks to individuals and communities, with specific considerations of the disproportionate impact of cyberattacks on vulnerable groups. Peace and security in cyberspace will require the acknowledgment of a human-centric approach to security of and in the use of ICTs to facilitate a more comprehensive understanding of the impact of cyberattacks on people[3].
UN Member States must be ambitious in creating a robust framework that safeguards the peaceful use of ICTs to protect communities and individuals alike, enable enjoyment of their rights and freedoms and guarantee their safety and security.
Peace and security in cyberspace requires a collective effort and cooperation of a range of stakeholders. Member States can benefit from the research and operational expertise of the multistakeholder community. A range of stakeholders, comprising civil society organizations, industry actors, academia, and experts already play a role in exchanging technical information on the cyber threat landscape, providing knowledge of how threats impact people’s human rights and security, and thus contributing to the understanding of the differentiated impacts of cyber threats. Civil society in particular can provide knowledge of how potential threats impact human rights and human security, including gender-based threats and impacts.
Accordingly, the work and engagement of the multistakeholder community should be reflected across the priority areas and detailed recommended steps for future actions.
Recommendation 2: A focus on the importance of cybersecurity for collective security, safety, and the respect of rights and freedoms.
Cyberattacks and cybercrime are exploiting the interconnectedness and digitalization of our societies and blur the boundaries between perceptions of peace and conflict. The security of cyberspace is essential for a stable global system, thus Member States must take action to strengthen this security with approaches that enhance trust, the rights of people and resilience. The unique nature of cyberspace requires a collective responsibility from all sectors of society to ensure the protection of people and society.
Several key areas require urgent attention in this regard:
- Protection of Non Governmental Organizations (NGOs) from cyberattacks
Cyberattacks against NGOs threaten the most vulnerable individuals and communities already devastated by armed conflicts, disasters and other complex emergencies. NGOs provide emergency and essential assistance and protection to people in need and yet they are increasingly victims of cyberattacks. Malicious actors are committing cyberattacks on the sector with devastating outcomes. The Institute observed a wide range of malicious cyber threats – from exfiltrated and leaked data to disruption of systems and services causing financial loss, internal information compromise and supply chain failures.
The harm caused to organizations that experience a cyber incident can be catastrophic. As a consequence, the essential services that NGOs provide are impacted or even halted, limiting the help they can provide to people in need. Ultimately, the most vulnerable suffer.
Member States must make every effort to respect and ensure the respect of NGOs and to put an end to cyberattacks against these organizations, their operations and data, staff and volunteers, as well as beneficiaries of their activities.
- Protection of critical infrastructure
Critical infrastructure is increasingly being targeted for malicious cyber activities. Member States must ensure that state and non-state actors do not cause damage or disrupt the functioning of critical infrastructure. Critical infrastructure facilities including water plants, power stations and pipelines, must be a key focus as they provide essential services to a country’s population and ultimately the safety and wellbeing of people.
It is vital that there is an increase in the capacity and ability to improve resilience to cyber threats by critical sectors. Capacity-building should be aimed at enabling States to identify and protect national critical infrastructure and to cooperatively safeguard its operation. This includes capacity building, implementation of norms of responsible behavior, and confidence building measures.
Cyberattacks and operations against critical infrastructure and civilian objects in situations of armed conflict[4] can lead to potential devastating humanitarian consequences for civilian populations. It is critical that States not only acknowledge that international law applies in cyberspace but also of how and when International Humanitarian Law (IHL) applies to cyber operations, and to ensure that the protection of civilians and civilian infrastructure, ICTs and data remains paramount.
Cyber threats to the healthcare sector have increased dramatically in recent years. Access to healthcare is a fundamental right of every human being that should be protected as such, and cyber threats can impede upon the enjoyment of this right. In 2021, the Open-ended Working Group on Developments in the Field of ICTs in the Context of International Security (OEWG)[5] and the UN the Group of Governmental Experts on Advancing responsible State behavior in cyberspace in the context of international security (GGE)[6] unanimously agreed that healthcare and medical facilities should be explicitly included under critical infrastructure under applicable cyber norms. UN Member States now need to identify critical gaps in the implementation of the normative framework to be addressed to protect the healthcare sector from harm. States should study the continuously evolving threats that the healthcare sector faces, with a particular focus on their impact on individuals. Studying these threats will provide the data and context necessary to effectively respond and increase the overall capacity and resilience of the sector to cyber threats. Civil society, academia, and the private sector can help these efforts with providing research and technical expertise from in-depth monitoring of the threat landscape. Healthcare facilities as part of critical infrastructure must enjoy the highest level of protection.
Recommendation 3: Confidence Building Measures among states
The malicious use of ICTs contributes to the destabilization of cyberspace and threatens the safe, secure, and trusted use of ICTs. Moreover, the risks of conflicts resulting from misperceptions between countries have become more acute. Member States must focus on cyber confidence building measures built with the idea of increasing trust and understanding between and among states. Such measures are essential for deepening common understandings, avoiding misunderstandings, reducing the risks of misperception and escalation, and increasing predictability and stability in cyberspace. Their effective operationalization and reinforcement are therefore important contributions to an open, secure, stable, and peaceful ICT environment.
Confidence building measures have previously been developed as peacetime diplomatic instruments, and would be key to supporting the protection of designated critical infrastructure sectors and the protection of people and to de-escalate cyber tensions between and among states.
Building confidence is a long-term and gradual process, which requires sustained engagement at multilateral fora. The shared commitment of all actors to building trust and understanding toward the aim of de-escalating potential tensions is particularly important.
Recommendation 4: Preserve the universal character of the Internet
The fragmentation of the Internet creates boundaries in cyberspace, increases the risks of an information vacuum and the spread of misinformation and disinformation, and undermines the Internet as a motor of global trade. The Internet’s strength is its distributed nature but this also makes it fragile. The Internet’s openness depends on trust and this trust is undermined when access to the Internet is blocked in times of war or other crisis. Member States must make appropriate efforts to preserve the universal character of the internet, and to prevent activity that intentionally damages the availability and/or integrity of the public core of the internet.
[1] The CyberPeace Institute’s mission is to reduce the harms from cyberattacks on people’s lives, provide assistance to vulnerable communities, and call for responsible cyber behavior and accountability. The Institute analyzes cyberattacks, exposes their societal impact, and how international laws and norms are being violated, and advance responsible behavior to enforce cyber peace.
[2] For example, the Cyber Incident Tracer (CIT) #Health documents cyberattacks against the Healthcare sector. This repository of data on cyberattacks over a two year period is being used to inform the development of a harm methodology to measure the impact of cyberattacks on individuals, and society as a whole. This is vital to inform technology, regulatory, and standards initiatives that will reach their ultimate goals – the protection of individuals and safe enjoyment of technology and connectivity.
[3] For example, cyberattacks on the healthcare sector impact the delivery of healthcare and medical services, cyberattacks against non governmental organizations in the humanitarian and development sectors disrupt and limit their ability to provide critical services to populations in need and other vulnerable communities.
[4] Cyberattacks during the ongoing armed conflict in Ukraine, since the 2022 military invasion by Russia, have heavily disrupted critical infrastructure and services. The CyberPeace Institute has monitored more than 850 cyberattacks and operations in relation to this armed conflict affecting 22 different sectors and in 36 countries. Attacks on critical infrastructure affect people as they imperil the services vital for the survival of the civilian population.
[5] United Nations, General Assembly, Open-ended Working Group on developments in the field of information and telecommunications in the context of international security, Final Substantive Report, A/AC.290/2021/CRP.2, March 10, 2021, https://front.un-arm.org/wp-content/uploads/2021/03/Final-report-A-AC.290-2021-CRP.2.pdf.
[6] United Nations, General Assembly, Report of the Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security (A/76/135), July 14, 2021, https://documents-dds-ny.un.org/doc/UNDOC/GEN/N21/075/86/PDF/N2107586.pdf?OpenElement.