Submission on increasing transparency around designations of Critical Infrastructure under Confidence Building Measures (CBMs)

CyberPeace Institute

To the Open-ended Working Group on security of and in the use of information and communications technologies 2021-2025

Introduction

In anticipation of the fourth substantive session of the Open-ended Working Group (OEWG) on security of and in the use of information and communications technologies 2021-2025, and in line with our previous statement on the role of confidence building measures (CBMs) in preventing escalation and strengthening cooperation for international peace in cyberspace[1], the CyberPeace Institute[2] provides the following recommendations on operationalization of CBMs through increasing transparency around designations of critical infrastructure (CI). This contribution is evidence-based and forward-looking, responding to the needs identified in the Annual Progress Report, which called for concrete, action-oriented proposals on CBMs. 

The CyberPeace Institute highlights the importance for Member States to provide information, on a voluntary basis, that would build common understandings, reduce tensions, and enhance the implementation of CBMs as an essential component of international peace and security. The non-exhaustive list included sharing information about cyber threats and vulnerabilities, national views on how international law applies in cyberspace, positive practices and existing initiatives, and national strategies and legislative frameworks related to the use of ICTs.[3]

Importantly, the statement underlined that States should provide more clarity on what constitutes critical infrastructure under their national frameworks. Increasing transparency about the designations of critical infrastructure would contribute to greater predictability, and enhance trust and confidence between and among states.

Threat landscape of cyberattacks and operations targeting critical infrastructure

Malicious cyber incidents targeting critical infrastructure violate the agreed-upon framework for state conduct in cyberspace, which prohibits attacking such infrastructure by cyber means.[4] This normative framework further mandates States to take appropriate measures to protect their critical infrastructure from cyber threats.[5]

The CyberPeace Institute has been providing insights into the malicious use of cyber in an ongoing international armed conflict[6] with a focus on 22 different critical infrastructure sectors.

This work provides insights into cyberattacks and operations targeting critical infrastructure, which can directly impact civilians. The Institute’s findings highlight that most sectors have been impacted, including energy, ICT, finance, media, public administration, and transportation. Many of these sectors provide infrastructure or services essential to the survival of the civilian population.

Evidence-based understanding of the threat landscape in wartime and peacetime is essential for the implementation of the framework of responsible State behaviour in cyberspace. Gaps in understanding lead to uncertainties, which undermine accountability and general trust between actors. 

Building trust between and among states necessitates recognition of a shared set of facts. It is difficult to build confidence when actors cannot collectively recognize the same challenges in a selected domain. This is particularly relevant in the cyber domain, where the threats and their connected risks and impacts are more difficult to determine, study, and understand. 

Closing gaps in common baselines for designations of critical infrastructure is important in the implementation of the framework of responsible behaviour in cyberspace. This will also facilitate approaches to capacity building and resilience.[7] Streamlined and focused capacity building initiatives, among other measures, could be particularly beneficial for smaller countries with limited resources, to help them assess which infrastructure is critical and how to protect it.

Remaining gaps in designations of critical infrastructure

The CyberPeace Institute compared the designations of critical infrastructure by a number of States, finding that definitions are generally overbroad and that only some States provide a clearer picture of the sectors they consider critical in their national frameworks. While several countries provide guidance on their national approaches, there is no overarching direction on how to define critical infrastructure in a way that would allow an effective operationalization of the rules, norms and laws.

The 2013 and 2015 UN Group of Governmental Experts on information security established the CBMs agreed upon by all Member States. The 2015 GGE Report, in particular, includes a CBM on the voluntary provision by States of their national views of categories of infrastructure that they consider critical and national efforts to protect them.[8]

The 2021 GGE report further proposes that States should voluntarily share national views on the classification of critical national infrastructure and critical infrastructure providing essential services regionally or internationally, relevant national policies and legislation, and frameworks for risk assessment and for identifying, classifying and managing ICT incidents affecting critical infrastructure.[9]

The OEWG, as a process focused on the implementation of the agreed-upon framework, can serve to encourage more active participation in the implementation of the CBMs. The Group can incentivize States to “walk the talk” by operationalizing their transparency measures and reporting on lessons learned concerning the protection of critical infrastructure.

Measures supporting transparency include the recommendation to encourage States to voluntarily share their positions, and some countries have already come forward to close this transparency gap. For example, Canada[10] and the US[11] publish a list of what is considered CI. It would be important for other States to provide such a list.

The Institute underscores the importance for all States to form a common understanding by sharing, providing, and exchanging information that would facilitate establishing a baseline and increased transparency around what constitutes CI. 

Increasing transparency around what constitutes critical infrastructure

Determining what constitutes CI is a matter of national security, but increased transparency in this regard is important to building common understanding and coordination on its protection. Transparency about how countries approach CI would reduce the chances of misunderstandings and contribute to increased trust and confidence between and among States.

Increased transparency around designations of CI would: 

  • Provide both incentives and tools for increasing the understanding of the threats to CI – allowing for capacity building and resilience measures to be adapted based on the evolution of the threat landscape. This increased understanding could help mitigate current or emerging cybersecurity threats to critical infrastructure.  
  • Advance national frameworks for strengthening and maintaining secure, functioning, and resilient critical infrastructure. Knowing which sectors are critical can help to prioritize capacity building, including through investments in cyber resilience, cyber capabilities, and learning, and help States maintain the accessibility of those sectors.
  • Promote concrete and actionable discussions and practical cooperation in protecting CI through a multistakeholder approach at all levels.
  • Facilitate further development of best practices and public-private partnerships.
  • Enable the development of a repository which can play an important role in capacity building. Countries with limited resources can learn from others about practical ways to recognize and establish CI, including shaping positions about international law and implementation of cyber norms. 
  • Highlight due diligence in CI as an important positive obligation under international law to address cyber threats.

Lessons learnt from protecting the healthcare sector

The essential needs of states and societies depend on infrastructure and processes that have become digitized and digitalized. While digital transformation brought multiple benefits it also introduced new vulnerabilities into systems, which need to be addressed through increased cybersecurity efforts. Recognizing the escalating volume and frequency of cyberattacks targeting hospitals and other healthcare services during the COVID-19 pandemic, the protection of the healthcare sector as part of critical infrastructure has been a primary focus of action for many States. As seen in the 2021 OEWG consensus report, and acknowledged by the 2021 GGE Report, the COVID-19 pandemic led a majority of States to take further action in protecting healthcare infrastructures.

Concurrently, the CyberPeace Institute launched a series of operational initiatives tailored for the healthcare sector, including providing assistance, investigating cyberattacks, and informing policy and decision-making relevant to protecting this sector. A key resource for identifying critical gaps that need to be addressed to protect the healthcare sector as well as providing recommendations is compiled in the Compendium of Multistakeholder Perspectives on Protecting the Healthcare Sector from Cyber Harm.[12]

In this year-long project, the CyberPeace Institute, the Government of the Czech Republic, and Microsoft partnered to bring healthcare and cybersecurity professionals together at multistakeholder workshops also attended by a diverse group of experts, practitioners, and stakeholders. Key recommendations, lessons learned, and good practices were collected and presented in the Compendium, launched on the sidelines of the third substantive session of the OEWG.

The workshops identified that the exponential increase in cyberattacks targeting healthcare organizations is one of the most worrying trends of recent years and that the increasing number and sophistication of cyberattacks necessitates strengthening the sector’s resilience. This project also highlighted important gaps in interpreting and clarifying existing rules and identified gaps in the operationalization of the framework of responsible behaviour in cyberspace. A summary of recommendations can be found in the annex.

This initiative can serve as a concrete example addressing the protection of critical infrastructure, and of how states can cooperate with stakeholders to facilitate and participate in focused discussions including with non-state actors. This initiative could be scaled up as a model under the common framework of protecting CI, using the multistakeholder model to meaningfully strengthen cyber resilience. Through such initiatives, States and non-state actors can foster a sense of shared responsibility for the protection of critical infrastructure.

Conclusion

Achieving a secure, stable, and peaceful cyberspace requires building trust, reducing tensions, and strengthening confidence between States. Voluntary communication, information sharing and transparency mechanisms related to what constitutes critical infrastructure for States are a necessary step. The 2015 UN GGE norms and the 16 ICT confidence building measures of the Organization for Security and Cooperation in Europe (OSCE) should be fully leveraged in this regard. Among other measures, it is also important that all efforts are undertaken to refrain from targeting critical infrastructure.


Annex

The Multistakeholder Compendium for protecting the healthcare sector offers a set of recommendations, including:   

Threat landscape

– Communicate information regarding cybersecurity incidents in a thoughtful way to maintain the public’s confidence in the healthcare system.

– Provide policymakers with data regarding the effects of cybersecurity incidents in a way that resonates with them.

– Increase the accessibility of healthcare-specific threats and incident data to decision makers so they have a better understanding of the cybersecurity capacity needs of the healthcare sector.

– Combine assessment of how malicious cyber activities fit within the rules of international law with what can be done about them. 

Operational measures

– Reframe cybersecurity as an integral part of the delivery of patients’ healthcare. Investments into both medical care and cybersecurity need to be seen as mutually reinforcing, rather than trade-offs.

– Educate practitioners and management in cybersecurity good practices, including the fundamentals of cybersecurity hygiene, such as two-factor authentication, simulations and exercises.

– Test the cybersecurity readiness of healthcare staff and infrastructure by conducting exercises that incorporate phishing and ethical hacking.

Capacity building

– Tailor capacity building to the specific context and environment that the effort targets.

– Adapt capacity building and resilience measures based on the evolution of the threat landscape.

– Discuss practices and challenges to capacity building in regional and global forums to facilitate information sharing across the globe.

– Build the capacity of states to better understand, interpret, comply with, and implement international law in cyberspace, including via multistakeholder initiatives.

– Create a dedicated fund to support.

Policy measures 

– Adopt a human-centric approach to cybersecurity that takes into consideration all the ways in which cyberspace impacts human life and conditions.

– Form multistakeholder partnerships to drive the implementation of critical infrastructure commitments. Stakeholders need to combine their resources to support the implementation of the UN framework of responsible state behaviour in cyberspace. A multistakeholder, whole-of-society approach is needed to protect this critical sector.


[1] See the full statement here: CyberPeace Institute, “The role of confidence building measures (CBMs) in preventing escalation and strengthening cooperation for international peace in cyberspace,” December 5, 2022, available from: https://cyberpeaceinstitute.org/news/the-role-of-confidence-building-measures-cbms/

[2] The CyberPeace Institute is an independent and neutral non-governmental organization that strives to reduce the frequency, impact and scale of cyberattacks, to advocate for responsible behaviour and respect for laws and norms in cyberspace, and to assist vulnerable communities.

[3] United Nations, General Assembly, Report of the Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security (A/76/135), July 14, 2021, available from: https://documents-dds-ny.un.org/doc/UNDOC/GEN/N21/075/86/PDF/N2107586.pdf?OpenElement; Article 84 of 2021 GGE Report on transparency measures states: “States can also avail of these existing fora to clarify positions and voluntarily exchange information on: national approaches to ICT security; data protection; the protection of ICT-enabled critical infrastructure; and ICT-security agency mission and functions, and ICT strategy at the national or organizational level, and the legal and oversight regimes under which they operate.”

[4] United Nations, General Assembly, Report of the Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security, July 22, 2015, available from: https://documents-dds-ny.un.org/doc/UNDOC/GEN/N15/228/35/PDF/N1522835.pdf?OpenElement; The 2015 GGE Report states: 13(f) States should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public. 

[5] United Nations, General Assembly, Report of the Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security, July 22, 2015, available from: https://documents-dds-ny.un.org/doc/UNDOC/GEN/N15/228/35/PDF/N1522835.pdf?OpenElement; The 2015 GGE Report states: 13(g) States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions.

[6] Findings are available on the Cyber Attacks in Times of Conflict Platform #Ukraine: https://cyberconflicts.cyberpeaceinstitute.org

[7] United Nations, General Assembly, Open-ended Working Group on developments in the field of information and telecommunications in the context of international security, Final Substantive Report, A/AC.290/2021/CRP.2,  March 10, 2021, https://front.un-arm.org/wp-content/uploads/2021/03/Final-report-A-AC.290-2021-CRP.2.pdf; The 2021 OEWG consensus report states: “Capacity-building aimed at enabling States to identify and protect national critical infrastructure and to cooperatively safeguard critical information infrastructure was deemed to be of particular importance. Capacity-building may also help States to deepen their understanding of how international law applies. Information sharing and coordination at the national, regional and international levels can make capacity-building activities more effective, strategic and aligned to national priorities.”

[8] United Nations, General Assembly, Report of the Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security, July 22, 2015, available from: https://documents-dds-ny.un.org/doc/UNDOC/GEN/N15/228/35/PDF/N1522835.pdf?OpenElement; The 2015 GGE Report states: (d) The voluntary provision by States of their national views of categories of infrastructure that they consider critical and national efforts to protect them, including information on national laws and policies for the protection of data and ICT-enabled infrastructure. States should seek to facilitate cross-border cooperation to address critical infrastructure vulnerabilities that transcend national borders. These measures could include: 

(i) A repository of national laws and policies for the protection of data and ICT-enabled infrastructure and the publication of materials deemed appropriate for distribution on these national laws and policies; 

(ii) The development of mechanisms and processes for bilateral, subregional, regional and multilateral consultations on the protection of ICT-enabled critical infrastructure; 

(iii) The development on a bilateral, subregional, regional and multilateral basis of technical, legal and diplomatic mechanisms to address ICT-related requests; 

(iv) The adoption of voluntary national arrangements to classify ICT incidents in terms of the scale and seriousness of the incident, for the purpose of facilitating the exchange of information on incidents. 

[9] United Nations, General Assembly, Report of the Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security (A/76/135), July 14, 2021, available from: https://documents-dds-ny.un.org/doc/UNDOC/GEN/N21/075/86/PDF/N2107586.pdf?OpenElement; Article 85 of 2021 GGE Report on transparency measures states: “The recommendations on CBMs in previous GGE reports provide a cooperative basis for addressing growing threats to critical infrastructure-related challenges and for implementing the relevant norms. States are encouraged to continue raising awareness on the importance of critical infrastructure protection, promoting information sharing among critical infrastructure stakeholders and sharing of good practices and guidance. Where appropriate, they can use existing platforms and reporting modalities (see paragraph 86) to voluntarily share national views on the classification of critical national infrastructure and critical infrastructure providing essential services regionally or internationally, relevant national policies and legislation, and frameworks for risk assessment and for identifying, classifying and managing ICT incidents affecting critical infrastructure.”

[10] Public Safety Canada, “Canada’s Critical Infrastructure,” available from: https://www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/cci-iec-en.aspx

[11] Cybersecurity and Infrastructure Security Agency of the United States (CISA), “Critical Infrastructure Sectors,” available from: https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors

[12] The Compendium of Multistakeholder Perspectives on Protecting the Healthcare Sector from Cyber Harm offers healthcare institutions, governments, international organizations, and other stakeholders a useful resource to support their efforts to safeguard the healthcare sector from cyber threats. The Compendium is available here: https://cyberpeaceinstitute.org/wp-content/uploads/Compendium-of-Multistakeholder-Perspectives.pdf

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.