Strengthening the protection of critical infrastructure, including the healthcare sector, has been agreed upon by all UN Member States and should therefore enjoy the highest priority. The international community can advance this matter by implementing and building on the current UN normative framework for responsible state behaviour in cyberspace. Participants in the multistakeholder workshops, from which the input was collected and presented in the Compendium of Multistakeholder Perspectives on Protecting the Healthcare Sector from Cyber Harm, highlighted that when it comes to normative protections of the healthcare sector, many of these discussions lack a general understanding of what the specific needs of this sector are. Current protections, therefore, fall short of addressing the challenges that this sector faces, and more needs to be done to increase its resilience against cyberattacks. The workshops also sent a message to states to “walk the talk” and take responsibility for implementing their commitments.
The series of workshops highlighted the need to pursue multistakeholder diplomacy in this space and encouraged stakeholders to combine their resources to support the implementation of agreed cyber norms. In their recommendations, participants proposed that States consider engaging in focused discussions with interested stakeholders, including businesses, non-governmental organizations, and academia. Discussions should inform the implementation of agreed cyber norms, to develop common understandings of the gaps in current norms implementation as well as to exchange knowledge of the potential effects that these proposed rules, norms and principles may have.
This way forward is in line with the program for discussions at the upcoming fourth and fifth substantive sessions of the Open-Ended Working Group (OEWG), as reflected in the recommended next steps in the July 2022 Annual Progress Report, which encourages the following actions: “States continue exchanging views at the OEWG with the aim of developing common understandings on, as well as facilitating the implementation of, rules, norms and principles of responsible State behaviour in the use of ICTs, including on best practices in this regard, and discuss the proposals from the non-exhaustive list in paragraph 14 (e)…” [1] In the proposed next steps, States should put deliberate emphasis on collective action where the participation of relevant non-governmental stakeholders is not only encouraged but enabled and incorporated in a formal and systematic manner.
Future permanent mechanism on advancing responsible state behaviour in cyberspace
The diplomatic community can play a key role in bringing stakeholders together by establishing a permanent UN body to focus on the implementation of agreed norms. This mechanism could also support information-sharing, encourage thematic technical exchanges on best practices, and share information on capacity building initiatives related to critical infrastructure protection. The participants urged states to support a UN Programme of Action for Responsible State Behaviour in Cyberspace (PoA) as an action-oriented and inclusive process to support states’ capacity to implement existing cyber norms, including by providing practical support for cyber capacity building in the area of critical infrastructure.
On November 3, 2022, the UN General Assembly’s First Committee on Disarmament and International Security passed a key resolution on the PoA for advancing responsible State behaviour in the use of ICTs in the context of international security [2]. In the resolution, the PoA is described as “a permanent, inclusive, action-oriented mechanism to discuss existing and potential threats; to support States’ capacities and efforts to implement and advance commitments to be guided by the framework for responsible State behaviour, which includes voluntary, non-binding norms for the application of international law to the use of ICTs by States, confidence-building and capacity building measures.” It further stipulates that the programme seeks to promote engagement and cooperation with relevant stakeholders.
Regarding the next steps, the adopted resolution calls for further discussions on the PoA to take place within the OEWG, and for the UN Secretary-General to seek the views of Member States on the scope, structure, and content for the PoA. It also calls for preparatory work to take place and for modalities for its establishment to be discussed, and requests that the Office for Disarmament Affairs of the Secretariat convene a series of consultations to share views on the subject.
Addressing cyber threats will require a collective, coordinated, and multistakeholder response across diplomatic, policy, and technical communities, as well as among other experts. Stakeholder contributions must be prioritised when setting up a permanent mechanism. The workshops outlined how a cyber PoA could specifically be used, for example, to launch multistakeholder capacity building projects designed to protect the healthcare sector from cyber harm and to strengthen synergies between the security and development pillars of the UN system.
It was recommended that a UN clearing house could be established under the permanent mechanism for matching capacity building needs with existing resources. This should be done in close collaboration with successful capacity building mechanisms, including the Global Forum on Cyber Expertise (GFCE). States could also create a dedicated fund to support cyber capacity building related to critical infrastructure protection, with particular emphasis on meeting the specific needs of developing countries on both the digital development and cybersecurity fronts. To this end, states could design cyber capacity building activities with norms implementation components. They could achieve concrete progress by focusing on cyber norms that already enjoy stronger consensus, such as the commitment to protect their critical infrastructure.
The protection of critical infrastructure, including in the healthcare sector, is a shared responsibility among all stakeholder groups. The Compendium urges states to allow for meaningful stakeholder engagement in the current and future UN processes. This is a goal that we need to keep striving towards, at the UN and elsewhere.
Read more about protecting the healthcare sector from cyber harm through the implementation of UN cyber norms in our article: “Implementation of UN cyber norms through multistakeholder action – Part 1”
[1] United Nations, General Assembly, Report of the Open-ended Working Group on security of and in the use of information and communications technologies 2021–2025 (A/77/275), August 8, 2022, https://documents-dds-ny.un.org/doc/UNDOC/GEN/N22/454/03/PDF/N2245403.pdf?OpenElement
[2] United Nations, General Assembly, Resolution on Programme of action to advance responsible State behaviour in the use of information and communications technologies in the context of international security (L73), October 13, 2022, https://documents-dds-ny.un.org/doc/UNDOC/LTD/N22/632/19/PDF/N2263219.pdf?OpenElement