International Cyber Stability Framework at the United Nations Security Council

On 22 May, Estonia, with Belgium, the Dominican Republic, Kenya and Indonesia, brought (virtually) together fourteen United Nations Security Council (UNSC) Member States and over forty Member States, who took the floor during a historic Arria-formula[1] meeting entitled ‘Cyber stability, conflict prevention and capacity building’. It was the first time the Security Council had specifically addressed the issue of conflict prevention in cyberspace and the existing cyber stability framework already put in place by the consensus reports of the UN Group of Governmental Experts (GGE) in 2010, 2013 and 2015. The significance of the framework – consisting of the applicability of existing international law, voluntary and non-binding norms of responsible state behaviour, confidence-building and capacity building between states – was reaffirmed by most states taking the virtual floor.

The event was opened by the Prime Minister of Estonia, Jüri Ratas, who in his statement emphasised the importance of the safety and security of cyberspace, especially during times of crisis, in the light of the spread of global pandemic: ‘We hold a strong view that existing international law provides comprehensive guidance for state behaviour regardless of the domain’. Several countries, international organisations and academics have expressed their concern about malicious cyber operations targeting hospitals or other medical facilities and pointed out the need to stick to the existing rules of the road.

Support for upholding the agreed cyber stability framework

After the opening speech, the floor was open for three briefers – the UN High Representative for Disarmament Affairs, Izumi Nakamitsu, Senior Vice President of the Center for Strategic and International Studies, James Lewis, and Chief Executive of Cyber Security Agency of Singapore, David Koh. All briefers pointed out how, in light of the increasing threats emanating from the malicious use of cyber means, it is vital to uphold the agreed cyber stability framework. This entails continuous co-operation on a global level while recognising the success of what has been achieved through regional collaboration. Nakamitsu, in her statement, highlighted further inclusion of representatives of the private sector, non-governmental organisations and academia to address the challenges that states face when addressing both international security and digital cooperation. As Lewis accentuated, cybersecurity’s importance continues to increase. He also said that this Arria-formula discussion seemed to suggest that there was a new agenda of work for the whole international community, which, among other areas, could include a new mechanism for regular institutional dialogue and closer links between regional and global efforts on possible responses when states violate agreed norms. Koh turned listeners’ attention towards the priority of the security of critical information infrastructure (CII) and also to supranational CIIs – for example, those which enable international financial or aviation systems to function. In his words, the preservation and security of these systems can only be achieved through international cooperation and rules-based order in cyberspace.

Every Member State of the UNSC took the floor except for Russia. In its press release, Russia said that by not attending the Russian-led meeting a day earlier on issues regarding Crimea, Estonia, with Ukraine, the UK and the US, had broken the in-place practice that all UNSC members take part in Arria-formula meetings, no matter the topic of the meeting. However, Russia did present its views on the matter of cyber security. The statement points out that there are certain ‘elite’ states which push towards the militarisation of cyberspace. This was supplemented with a notion that:

‘it is even more regrettable that certain countries are exploiting the pretext of the full and unconditional application of international humanitarian law in information space, including international humanitarian law, in an attempt to justify unilateral pressure and sanctions on other Member States and even possible use of force against them’.

This has been a long-standing claim by Russia, and one shared by China, that the applicability of international humanitarian law (IHL) somehow pushes towards the military use of cyberspace, without considering that the principles of IHL are restrictive in nature to protect civilians and civilian infrastructure and not to enable armed conflict in cyberspace.

Most representatives who took the floor offered their strong support to the ongoing processes of the GGE and OEWG and the established cyber stability framework and emphasised their importance in the ongoing global crisis which Covid-19 has brought about. They also emphasised the necessity to maintain an open, free, stable and secure cyberspace where human rights are respected and assured while states adhere to their legal obligations. Many also expressed their concern over the increased number of malicious cyber operations targeting hospitals or other medical facilities, which is why it is vital to understand that it is in the interest of all states to implement the existing framework.

Adherence to rules and accountability essential to halt malicious ICT activity

Nakamitsu gave an example of how a global crisis has affected the growth of some types of malicious conduct; during the pandemic, the number of phishing emails has increased by 600%. To counter this increased malicious activity, most states agreed that further cooperation is necessary and vital as no state can ensure the security of its systems alone in a borderless domain. In this regard, Norway, which took the floor on behalf of the Nordic countries, called for states to exercise due diligence which would entail taking appropriate measures to halt malicious ICT activity originating from their territory. Australia argued that we do not need more or new rules, but states need to adhere to the ones already in place and there should be greater accountability if those rules are not followed. This was echoed by the Netherlands. Japan said that states should be ready to act under Chapters 6 (peaceful settlement of disputes) and 7 (action concerning threats to and breaches of the peace, and acts of aggression) of the UN Charter and should reaffirm their commitment to vital principles of the UN Charter to ensure peace and stability in cyberspace.

Egypt observed that there had been several attempts to create a conflict prevention framework, where the UN General Assembly had invited States to adhere to norms of responsible behaviour, but that these had not been implemented due to their voluntary character and therefore a tool of a more binding nature was necessary. This notion that there is a need for a new legally binding instrument was supported by Qatar, according to whom we should consider a new instrument to safeguard information security.

The meeting was summed up by statements by the ICRC and Interpol. The ICRC understandably turned its attention towards the applicability of IHL and noted several key concerns raised during the meeting – for example, unlawful cyber operations targeting health-care facilities and unjustified interference in impartial humanitarian aid efforts. The representative from Interpol drew viewers’ attention to its Global Cybercrime Programme, which aims to mitigate, prevent, detect and investigate cybercrime on a national, regional and global scale.

Growing reliance on safe and secure cyberspace underscores the need for continued efforts

Although a noteworthy event, it is not the first time cyber security issues have been brought to the attention of the Security Council. In March, Estonia, the UK and the US raised the issue of Russian malicious conduct towards Georgia. The Foreign Minister of Estonia, Urmas Reinsalu, in his press release mentioned that such conduct by the Russian Military Intelligence Service is ‘another example of irresponsible behaviour and violation of stability in cyberspace by Russia’. The three countries expressed the need for the international community as a whole to continue their efforts to uphold the international framework of responsible state behaviour in the use of ICTs, which has been endorsed by all UN Member States. During the Arria-formula meeting, the representative of Ukraine raised his increasing concern over his country being a target of Russia’s hybrid aggression and argued that we need to ‘bring to justice those who intentionally organise and carry out cyber-attacks’; he offered solidarity to Georgia. This issue was brought forward by Georgia, stating that use of malicious cyber capabilities has become a pattern in Russia’s behaviour while reaffirming its commitment to continuous efforts to strengthen national and international cybersecurity.

In conclusion, now that the issues surrounding the prevention of cyber conflict and maintaining stability in cyberspace have been brought to the attention of the Security Council, it has opened up a new forum for these discussions. Although a new format, wide support was offered to the ongoing processes taking place under the First Committee and that the work of the Security Council must be based on agreements endorsed by the General Assembly. Many states agreed that, in this time of crisis, we are more reliant on a safe and secure cyberspace, so it was a timely and necessary discussion to have at the Security Council. In the middle of June, virtual meetings of the Open-ended Working Group took place, which continued to discuss the recently published second pre-draft of the consensus report of the group. So international law applicable to state use of ICT, norms of responsible state behaviour, increasing trust between states and building further capacities to gap the digital divide are more relevant than ever at the various layers of the United Nations.

Statements given by the Estonian Prime Minister, Foreign Minister, briefers and other State representatives can be found here. In addition, the Arria-formula meeting on cyber stability, conflict prevention and capacity building can be re-watched here.

Author: Maria Tolppa, NATO CCDCOE Law Branch

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.

[1] Arria-formula meetings are an informal type of meeting which allow Security Council members open discussion within a flexible procedural framework