CyberPeace Institute’s Statement at Informal dialogue with stakeholders of the Open-Ended Working Group on security of and in the use of information and communications technologies 2021-2025 (OEWG)
Ahead of the fifth substantive session of the OEWG taking place from 24 to 28 July 2023, the CyberPeace Institute participated in the informal dialogue organized by Chair on 11 July 2023, as part of his systematic, sustained and substantive engagement with stakeholders. The CyberPeace Institute[1] welcomed this opportunity to highlight recent developments in regard to cybersecurity in the context of international security. We provided recommendations that support the implementation of several proposals outlined in the zero draft of the second annual progress report through a multistakeholder approach.
The use of cyber in peacetime and wartime is nowadays a reality. In connection to the international armed conflict in Ukraine, the CyberPeace Institute recorded 2114 cyberattacks and operations perpetrated by 104 different actors. These cyber incidents targeted 23 different critical infrastructure sectors and affected Ukraine, the Russian Federation, and some 49 other countries.[2]
Cyberattacks and operations can have a severe impact on civilians and civilian infrastructure and objects that they depend upon, including the information space. By choosing to deliberately aim at critical infrastructure such as the energy, financial, ICT, public administration, and health sectors, as well as humanitarian organizations, threat actors inflict harm on people and disrupt and destabilise cyberspace. These acts raise serious concerns with regard to violations of the agreed-upon framework of responsible State behaviour, in particular how States respect and abide by the existing legal framework.
At the same time as all essential services largely depend on ICT infrastructure and devices that elaborate and transmit information online, the scope and scale of malicious use of cyber have increased globally. This negative trend has a pronounced operational and security impact on governments, organizations, and communities that are targeted or otherwise affected.
States expressed concern over the increase in malicious cyber activities impacting critical infrastructure that provides essential services across borders and jurisdictions, as well as cyberattacks against humanitarian organizations.[3] The CyberPeace Institute puts forward the following proposals that capture the ways how States can work together with stakeholders toward meaningful progress in addressing the outlined challenges:
- Engaging in focused discussions with stakeholders regarding existing and potential threats that present systemic risks to sectors of critical importance. Recognising the need to share objective information on cyber threats in the context of international security, States should tap into the potential provided by civil society, industry, and academia that have already proven their track record in mapping the threat landscape in a neutral and transparent way.[4]
- Building data-driven understandings of the harm inflicted by cyberattacks. States should encourage thematic exchanges with stakeholders to foster context-aware approaches to tackling the malicious use of cyber. Civil society organizations and academia have acquired relevant expertise both through their work with affected individuals and communities and conducting research into the differentiated harm stemming from cyber incidents that different groups of people may experience, e.g., based on their gender or factors of vulnerability.[5]
- Increasing transparency in designating critical infrastructure to enhance predictability, trust and confidence between and among States. Clarity around what constitutes essential sectors and services would provide incentives and tools for States to advance national frameworks for cyber resilience, exchange best practices and information about targeted capacity building initiatives, and promote concrete and actionable cooperation with stakeholders in joint efforts to protect sectors and services of critical importance.
Addressing threats emanating from cyberspace requires a collective, coordinated, and multistakeholder response. The multistakeholder nature of cyberspace necessitates that the contributions of civil society, industry, and academia are considered across the pillars of the agreed-upon framework and integrated into its implementation. The CyberPeace Institute stands ready to work in close partnership with governments and relevant stakeholders to advance accountability, peace and security in cyberspace.
[1] The CyberPeace Institute is an independent and neutral non-governmental organization that strives to reduce the frequency, impact and scale of cyberattacks, to advocate for responsible behaviour and respect for laws and norms in cyberspace, and to assist vulnerable communities.
[2] Last updated on 21 June 2023. More information: CyberPeace Institute, “Cyber Attacks in Times of Conflict Platform #Ukraine”. Available at: cyberconflicts.cyberpeaceinstitute.org/
[3] UNODA, “Zero draft of second annual progress report,” 13 June 2023, Available at: https://docs-library.unoda.org/Open-Ended_Working_Group_on_Information_and_Communication_Technologies_-_(2021)/Letter_from_OEWG_Chair_13_June_2023_(with_Zero_Draft_Second_APR_enclosed).pdf.
[4] CyberPeace Institute developed two publicly available databases. These repositories of cyber incidents focus on the healthcare sector (Cyber Incident Tracer #HEALTH) and critical infrastructure during conflicts (Cyber Attacks in Times of Conflict #Ukraine). Our Cyber Incident Tracers provide independent, data-driven insights on the cyber threat landscape of the vulnerable communities we serve. They are developed in-house with data sourced through the regular monitoring of open sources by our researchers. The information is made publicly available for use by policymakers, journalists, academic researchers and others and informs our work across the multistakeholder community. More information: cyberpeaceinstitute.org/cyber-incident-tracers
[5] The CyberPeace Institute has been piloting a methodology that aims to measure harm from cyberattacks and operations.