Protecting critical infrastructure through the implementation of cyber norms

CyberPeace Institute

The cyber threat landscape is rapidly evolving with a rise in the frequency, sophistication, and intensity of cyberattacks. Malicious cyber incidents against critical infrastructure have an important human component. These attacks put the population at risk of harm and expose the vulnerability of services on which our society and economies depend. 

The CyberPeace Institute has been documenting cyberattacks on the healthcare sector, humanitarian organizations, and other critical services that form the backbone of the essential infrastructure on which the public depends.[1] When a cyberattack targets the healthcare sector, the impact on the safety and well-being of people is clear. Disruptions to patient care can endanger lives and erode trust in the healthcare system. Likewise, attacks on humanitarian organizations can disable the provision of critical services to vulnerable populations in contexts of violence, armed conflict, and natural or man-made disasters.

Implementing cyber norms 

Malicious cyber incidents targeting critical infrastructure violate the agreed framework for State conduct in cyberspace, which prohibits attacking sectors that provide vital services to the public by cyber means. The framework further urges States to take appropriate measures to protect their critical infrastructure from cyber threats.

The normative framework developed by the United Nations (UN) Groups of Governmental Experts (GGE)[2] and confirmed by the Open-ended Working Group (OEWG)[3] to promote responsible State behaviour in cyberspace provides the rules of the road in cyberspace.[4] Governments now need to “walk the talk” and take responsibility for operationalising their commitments. Although the 11 non-binding norms have been endorsed by all Member States, they will be ineffective if they are not implemented through national and regional frameworks.

To support practical implementation of cyber norms, countries can inform the international community about how they have implemented the norms in their national contexts, or present proposals on implementation to serve as guidance to others. Building on its work on a norms implementation text at the 2019-21 OEWG, Canada[5] has been working with the CyberPeace Institute and other key stakeholders to update this norms guidance text as part of an inclusive process that reflects multistakeholder views. The CyberPeace Institute put forward the following actionable recommendations, in line with its mission to protect people from the harm of cyberattacks, focusing on the norms that strengthen the protection and resilience of critical infrastructure.

Do not damage critical infrastructure 

Under norm (f), States have agreed to “not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure.”[6] However, it is the responsibility of each State to determine which infrastructure or sectors it considers critical, and approaches in this regard vary significantly.

States should increase transparency around their designations of critical infrastructure. This would strengthen the protection of these sectors under both the negative obligation not to damage them and the positive obligation, discussed below, to protect them. Increased transparency around the categorization of critical infrastructure would allow a common understanding to emerge over time, without precluding States from designating additional infrastructure as critical and without condoning malicious activity against categories that fall outside that common understanding.

Countries can advance this, for example, by putting forward their national views on which categories of infrastructure they assess as critical and on their national efforts to protect them.[7] Governments can also consider selecting sectors whose essentiality enjoys broad recognition across regions. The OEWG already underscored that all countries consider healthcare infrastructure, medical services and facilities to be critical infrastructure.[8] The potentially harmful effects of the malicious use of ICTs against organizations in the humanitarian sector mean that increased protection of humanitarian organizations is equally vital and should be assured under this norm.

Humanitarian organizations, their staff, and humanitarian data should be recognised as off limits for malicious cyber incidents, and their protection under international legal and normative frameworks should be clearly stipulated, adequate, and ensured. This includes States acting in line with their obligations under international law, including their human rights obligations.

Countries should further clarify how international law, including international humanitarian law, applies to the use of ICTs with respect to the protection of critical infrastructure. This can be advanced, among other measures, when governments and State agencies publicly attribute attacks. Specifying which laws or norms have been violated by a malicious cyber incident that they have attributed to another State would both increase the transparency of attributions and help build the capacity of other countries to apply the framework of responsible behaviour.

Protect critical infrastructure

A positive obligation under norm (g) requires countries to “take appropriate measures to protect their critical infrastructure from ICT threats”.[9] Building cyber resilience effectively must be informed by needs-driven approaches based on data and evidence. To this end, States should promote common understandings of the threat landscape relevant to critical infrastructure. Such efforts can include mapping existing and potential ICT threats, collecting evidence of the malicious use of ICTs against critical infrastructure, and building transparent repositories of such incidents.

Coupled with these efforts, governments should also increase transparent reporting on the malicious use of ICTs against critical infrastructure. Reporting is particularly useful for clarifying how existing and potential threats are experienced differently by countries and by the diverse sectors of critical infrastructure. Reporting can make critical sectors safer, increase cyber resilience, prevent further revictimization, and provide decision-makers with a body of knowledge about ICT threats, including the vector, tool, actor, and impact of each incident.

Additional sectors of critical infrastructure can be recognised to affirm, increase, and incentivise their protection. Increased transparency about approaches to designating critical infrastructure can help inform targeted capacity building efforts and build sector-specific understanding by connecting operational realities with the diplomacy and policy levels.

Build capacities to support norm implementation 

Increasing cyber resilience across sectors requires access to adequate resources and capacity building that enhances national capabilities to implement cyber norms. Best practices include conducting cybersecurity incident exercises with all relevant stakeholders, supporting the creation of national or regional point-of-contact networks of critical infrastructure operators, and, because cyberspace is interconnected, helping other States develop effective policies and structures for critical infrastructure.

Promoting cooperation with the private sector, civil society, academia and the technical community in capacity building is a necessary step towards the holistic cyber resilience of designated sectors and infrastructure. States are encouraged to bolster cooperation between public and private actors in the cyber domain, for instance through public-private partnerships and the timely sharing of threat information. Governments also need to engage in broad multistakeholder consultations to increase the resilience of critical infrastructure, including by identifying gaps in norms implementation that need to be addressed to further protect critical infrastructure from the malicious use of ICTs.

Civil society organizations play a key role in providing input on the cyberspace landscape, such as the impact of cyberattacks on human rights and human security, and on the challenges of implementing the agreed norms in practice. This approach is particularly important because a global culture of cybersecurity must be built inclusively and must address the gender dimensions and the needs of vulnerable communities. Including multistakeholder views in the capacity building process is therefore necessary when working towards an effective and sustainable operationalization of the framework.

Collective and coordinated response

Implementing the normative framework of responsible State behaviour in cyberspace is a State-led process. However, the specificities of cyberspace and the challenges in implementation call for an inclusive, evidence-driven, and action-oriented practice based on public-private partnerships and cooperation across groups of stakeholders to leverage their respective strengths and capabilities. Addressing cyber threats and the impact and harm they inflict on people will require a collective and coordinated response across diplomatic, policy, and technical communities, as well as other experts. The UN system can and should be leveraged to carry out multistakeholder consultations and initiatives designed to defend critical infrastructure in cyberspace. 

References

1 See more about the CyberPeace Institute’s incident tracers here: https://cyberpeaceinstitute.org/cyber-incident-tracers/
2 The UN Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security (GGE) agreed norms of responsible State behaviour in cyberspace by consensus in 2010, 2013, 2015, and 2021. See the 2021 consensus report here: https://www.un.org/disarmament/group-of-governmental-experts/
3 The UN Open-ended Working Group on developments in the field of information and telecommunications in the context of international security (OEWG) 2019-2021 confirmed the framework for responsible State behaviour in cyberspace by consensus in 2021. See the 2021 consensus report here: https://www.un.org/disarmament/open-ended-working-group/
4 The normative framework is based on four pillars: international law; 11 voluntary norms setting out what States should and should not do in cyberspace; confidence building measures; and capacity building.
5 Canada, “Threats and Norms,” Open-ended Working Group on security of and in the use of information and communications technologies, December 6, 2022, available from: https://docs-library.unoda.org/Open-Ended_Working_Group_on_Information_and_Communication_Technologies_-_(2021)/Canada_6_Dec_Threats_and_norms_speech.pdf
6 United Nations, General Assembly, Report of the Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security, July 22, 2015, available from: https://documents-dds-ny.un.org/doc/UNDOC/GEN/N15/228/35/PDF/N1522835.pdf?OpenElement. The 2015 GGE Report states: 13(f) States should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.
7 For example, Canada, the UK and the US each publish a list of what they consider critical infrastructure. Public Safety Canada, “Canada’s Critical Infrastructure,” available from: https://www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/cci-iec-en.aspx; National Cyber Security Centre, “CNI Hub,” available from: https://www.ncsc.gov.uk/section/private-sector-cni/cni; US Cybersecurity and Infrastructure Security Agency (CISA), “Critical Infrastructure Sectors,” available from: https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors
8 For the purposes of norms (f) and (g). The need to affirm the protection of health infrastructure was felt particularly strongly given that the OEWG developed its report in the context of the ongoing COVID-19 pandemic.
9 United Nations, General Assembly, Report of the Group of Governmental Experts on Advancing responsible State behaviour in cyberspace in the context of international security, July 22, 2015, available from: https://documents-dds-ny.un.org/doc/UNDOC/GEN/N15/228/35/PDF/N1522835.pdf?OpenElement. The 2015 GGE Report includes: 13(g) States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions.

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.
