UN Security Council meeting highlights the cyber peace and security challenges wrought by the COVID-19 pandemic
By Allison Pytlak
28 May 2020
The United Nations Security Council (UNSC) held its second ever Arria-formula meeting to discuss “cyber stability, conflict prevention, and capacity building” on Friday, 22 May. Taking place under the presidency of Estonia, the nearly five-hour long, entirely online session demonstrated that this is a topic of increasing priority and importance for many UN member states and also showed how UN-based discussions on this topic have evolved since the Council’s first meeting on the subject in 2016.
The debate was chaired by the Minister of Foreign Affairs of the Republic of Estonia, H.E. Mr. Urmas Reinsalu and Estonia’s Permanent Representative in New York, H.E. Mr. Sven Jürgenson. It received interventions from more from than 50 UN member states in total, comprising both UNSC members and non-members, as well as from two international organisations. The statements of Estonia, Lithuania, and Latvia were delivered by the foreign ministers of those countries. Belgium, the Dominican Republic, Indonesia, and Kenya co-sponsored the meeting.
While the meeting had not necessarily been intended to focus on cyber security challenges in the time of the COVID-19 pandemic, this nonetheless came through as an urgent and shared concern for virtually all participating states and expert briefers. The digital dimensions of the current pandemic were even less anticipated than the physical ones, leaving many individuals, organisations, and governments vulnerable and unprepared to respond to an ever-growing diversity of malicious operations and activities, ranging from the spread of disinformation, to cybercrime and outright attacks on medical facilities—at a time when global reliance on information and communications technologies (ICTs) has never been so essential.
“The ongoing global health crisis that the world is experiencing due to the Corona virus has suddenly challenged the way we live, learn, connect and work, and has highlighted our increasing reliance on the Internet, and the need for a secure, safe and free digital space,” stated Belgium, a co-sponsor of the meeting. Fellow co-sponsor Indonesia, along with the United Kingdom, Niger, Latvia, Japan, Mexico, Turkey, Germany, and Ireland, among others, also emphasised the increased reliance of individuals on digital networks during the pandemic. Switzerland said it is “concerned that cyberspace is instrumentalised for power projection and becoming more and more fragmented and destabilized.”
Lithuania, Australia, South Africa, Japan, the Netherlands, Switzerland, Ireland, and the International Committee of the Red Cross (ICRC), among others, registered concern about malicious cyber activities seeking to damage or impair health infrastructure or crisis response during COIVD-19. Estonia condemned such actions, and along with the Netherlands and Poland urged accountability for offenders. Slovakia expressed especial concern about disinformation campaigns that take advantage of the pandemic. The United Kingdom spoke in particular about the surge in websites imitating those of official organisations connected to the COVID-19 outbreak, such as the World Health Organisation.
Ms. Izumi Nakamitsu, UN High Representative for Disarmament, underscored that while “digital connectivity will be key to our recovery in the post-COVID era,” the pandemic has brought with it a spike in cybercrime, as evidenced by a 600 per cent increase in malicious emails and “worrying attacks against healthcare organisations and medical research facilitates worldwide.” Mr. David Koh, Chief Executive of Singapore’s Cyber Security Agency, who acted as an expert briefer to the meeting, noted, “Especially during these times of the pandemic, the international community must come together to resist efforts to exploit fears, disrupt computer systems and networks, and to hamper our response.” Kenya underscored the need for “common culture and practices to underpin any collective effort to address threats.”
Indonesia, the United States, the European Union (EU), the Nordic Countries, and Austria, among others, made a link between malicious cyber operations on medical and health facilities with one of the agreed norms of state behaviour in cyber space: to refrain in peacetime from cyber activities that intentionally damage critical infrastructure. While definitions of “critical infrastructure” do not necessarily derive from a single, universal source there is a growing common understanding of what that term should include and recently, calls for a new norm to protect medical services and facilities. On 26 May, just days after this meeting, more than 40 former and current international leaders from across government, industry, international and non-governmental organisations and academia called on the world’s governments “to take immediate and decisive action to prevent and stop cyberattacks that target hospitals, healthcare, research organizations, and international authorities providing critical care and guidance in the midst of the ongoing global pandemic.” This builds on an earlier call for a “digital ceasefire” from UN Under-Secretary-General Fabrizio Hochschild.
Apart from references related to the pandemic, it was interesting that most statements from the Arria-formula meeting were organised around the same points of discussion—and contention—that are on-going within the two UN General Assembly (UNGA)-mandated bodies that cover this subject in the context of international peace and security. The work of those bodies was described in detail by Mr. Jim Lewis, Director for Technology Policy at the Center for Strategic and International Studies, one of the briefers to the meeting.
There is usually a demarcation between UNSC and UNGA issues, or their respective approaches to common issues, that sometimes owes more to political than practical divisions of labour and has contributed to broader siloing within the UN system. Given the challenges of holding physical, and even virtual Open-Ended Working Group (OEWG) and Group of Governmental Experts (GGE) meetings at the moment, this Arria-formula meeting was a welcome way to maintain momentum within those two bodies by hearing from member states on the same key topics of discussion within them and introducing new ones. These topics included the threat landscape; international law; norms, rules, and principles; capacity building; confidence building measures; and the future of regular institutional dialogue.
A non-exhaustive overview of how these, and other, topics were taken up is described below in the ‘Highlights’ section.
Conspicuously absent from the meeting was Russia, a UNSC permanent member that has also tabled several ICT-related initiatives in the UN General Assembly, including the resolution that established the OEWG. Russia has been a consistent member of every GGE on information and communication technologies (ICTs). Its absence was in response to Estonia, the United Kingdom, the United States and others having not attended an informal meeting that it sponsored on the Crimea earlier in the week, in violation of established practice.
Highlights from the meeting
Law and norms
- Many delegations, including Estonia, the United States, the United Kingdom, the Nordic Countries, France, Switzerland, and Canada, among others, noted that a global cyber security framework already exists, through existing law as well as the norms and confidence building measures agreed to by UN member states.
- Many delegations including Estonia, South Africa, Belgium, Japan, the United States, Slovakia, Switzerland, and Germany reiterated the applicability of international law to cyberspace. Many of these countries also specifically stressed adherence to the UN Charter and international humanitarian law (IHL).
- China stated that the applicability of the law of armed conflict to cyber space should be treated with prudence.
- Egypt expressed that while efforts toward a framework have been made, the implementation of the “modest norms” remains minimal due to their voluntary nature and a lack of any follow-up mechanism. It suggested that the existing norms can form the basis “for politically or legally binding rules, especially that they are derived from the principles of international law and the UN Charter.” Egypt said that such rules “will not limit or prohibit any action that is otherwise consistent with international law.”
- France encouraged clarifying national doctrines. Turkey urged conducting a survey of national regulatory approaches and codes of conducts while also stressing the need to develop a common understanding and definitions of threats; as well as the “boundaries of the right of self-defence in cyber space.” Canada explained that it has submitted to the OEWG its national interpretation of the existing norms.
- The Nordic Countries stressed that “norms play a key part in strengthening our ability to react to fast-changing technological developments, in ways that lengthy negotiations on international treaties would not allow for.” This was echoed by the EU. Australia noted that rather than establishing new rules, existing ones need to be implemented and “greater accountability for when they are broken” is necessary. Ireland noted that it has called for guidance to all states on how existing norms can be implemented and operationalised.
- The Netherlands urged “consolidating the rules of the road in cyberspace.”
- Belgium and Liechtenstein urged an alignment with international criminal justice. Liechtenstein, with support from Belgium, has started an initiative to create a Council of Advisers on the Application of the Rome Statute to Cyberwarfare in order to explore the role the International Criminal Court could play in this new regulatory framework.
- The ICRC observed that the UNSC has adopted many resolutions that call upon belligerents to respect the fundamental rules of IHL, stating that these must also be observed in cyberspace.
- Estonia, Ecuador, Japan, Switzerland, the Nordic countries, the Netherlands, and several EU states expressed support for open, free, and stable cyber space in which human rights and fundamental freedoms are respected. Austria stressed that “states cannot justify restrictions on human rights and fundamental freedoms through cyber means by referring to their state sovereignty.”
- Eritrea and Saint Vincent and the Grenadines raised concerns about the spread of disinformation online and the need to reform the prevailing surveillance-based business models of companies in order to safeguard elections.
- Australia, Canada, Ecuador, Ireland, and Italy recognised the gender dimensions of cyber security. Italy made the link to the upcoming anniversary of UNSC Resolution 1325 on Women, Peace and Security as well as Sustainable Development Goal 5, on gender equality. Australia and Canada spoke of the Women in Cyber fellowship programme that helped to achieve gender parity in interventions during second substantive session of the OEWG.
Risks and threats
- Germany highlighted the risks of easy conflict escalation in cyber space, stating that “conflicts today do not start with guns and armies but rather with IP theft and electoral disruption.”
- The ICRC reminded that new technologies “must not lead to an escalation of conflict between States” but rather should contribute to prevention efforts rather than impede them.
- Niger, Egypt, and Kazakhstan, among others expressed concern about malicious cyber operations conducted by non-state actors, such as terrorists and criminals.
- Guatemala said it is concerned with the development of ICTs for military purposes.
- Lithuania condemned a recent attack on the state institutions of Georgia, which it said Russia is believed to be responsible for. In this context, Lithuania urged greater accountability, “including by applying relevant sanctions regimes” to send a message of deterrence. Georgia also described the recent attack as well as those from 2008 and those in 2007 against Lithuania and Estonia. It called for the international community to increase attention “towards malicious ICT activities of the Russian Federation in Georgia and other parts of the world.”
- Ukraine spoke in detail about cyber operations from Russia on Ukrainian critical infrastructure as part of an on-going “hybrid war”.
- Qatar spoke of a 2017 operation against its National New Agency in 2017 and the “attribution of fabricated statements to the leadership of the country”.
Processes and institutions
- The majority of delegations welcomed the establishment of the GGE and OEWG and many expressed the hope that they would reach mutually complementary and positive outcomes. Germany noted that the third substantive session of the OEWG is being moved to spring 2021, which was the first time that many listeners had heard this information.
- The Netherlands reflected on the significance of having this debate at the level of the UNSC. Brazil spoke about the role of the UN Security Council in UN and multilateral discussions about cyber security, urging its it work in this area to be guided by promoting adherence to decisions taken in the UN General Assembly. Japan said that the UNSC should be “ready to act” under Chapter 6 or Chapter 7 of the Charter to prevent or to respond to a “grave situation involving cyber activities.” Mexico noted that in order to prevent cyber affairs from escalating to the level of UNSC involvement, states should preventively seek to ensure that “that cyberspace does not become a hostile domain and that we take a proactive collaborative approach instead of competitive zero-sum national calculations”.
Cooperation and other stakeholders
- Most statements stressed the involvement of other actors, although some referenced the private sector exclusively, while others noted the role of civil society and academia too.
- Virtually every statement emphasised the importance of cooperation, and many spoke to regional cooperation in particular, whether with respect to capacity or confidence building, and sometimes both. Regional organisations and groups named by states include the Association of Southeast Asian Nations (ASEAN); the African Union (AU); the League of Arab States; the Organisation for Security and Cooperation in Europe (OSCE); the Organisation of American States (OAS); and the Shanghai Cooperation Organisation.
- Australia referenced its joint OEWG proposal on how the Group’s final report might “best address unacceptable COVID-19 related cyber activity”. The Czech Republic said it is supportive of this.
- Around half of all statements referenced specific national cyber security strategies and initiatives.
A video recording of the session and many of the statements can be found on the website of the Permanent Mission of Estonia to the United Nations. A longer summary of human rights references has been prepared by Human Rights Watch.
 The sixth UN Group of Governmental Experts on ICTs has been meeting since December 2019 and will continue to do so throughout most of 2021. The UN Open-ended working group (OEWG) on “developments in the field of information and telecommunications in the context of international security” began work in September 2019 and was scheduled to have its final session in July 2020, but this is likely to be delayed until 2021 because of the pandemic. Virtual informal consultations have just been scheduled for mid-June.