How Can the UN Solve Cyber Conflict?

Figure 1. Overview of the UN GGE convened sessions.

For years, the GGE was the only format for discussions with a limited number of states. But, in 2018 the Open-ended Working Group (OEWG) was established and declared open to all states that wished to participate in the discussions. The OEWG arranged consultations with NGOs, academia, civil society and the private sector – a format that has not been observed in GGE work.

Overview of Discussions and Recommendations of the GGE/OEWG

1. Existing and Emerging Threats, Risks and Vulnerabilities

The GGE’s consensus reports identified as sources of threat – the states, non-state actors and proxies. The group pointed out that these actors can have different motivations: demonstrating technical capacity, financial or information theft, embedding harmful hidden functions or extending state conflict (developing ICT capabilities for military purposes). New possible attack surfaces were highlighted during recent OEWG sessions, among them information operations, disinformation campaigns, Internet of Things (IoT) and digitized personal data.

2. International Law

The GGE agreed in their discussions that international law applies to the use of ICTs. To date, the understanding of this applicability has been limited to academic/scholarly interpretations. The current OEWG discussions focus more on clarifying how international law can be applied. During the OEWG discussions, there were proposals for developing legally binding mechanisms surrounding the use of ICTs to better enforce the responsible behavior of states.

3. Recommendations for Rules, Norms and Principles for the Responsible Behavior of States

The 2015 GGE recommended 11 voluntary, non-binding norms (more precisely, standards of behavior) that would help reduce the risk to international peace, security and stability. The experts call on states to cooperate with other states in a broader context, as well as on criminal matters and terrorism, consider all relevant information when attributing cyber-attacks, not knowingly allow use of their territory for “internationally wrongful acts using ICTs”, not target other state’s critical infrastructure and CERTs (Computer Emergency Response Teams), respect human rights on the Internet and report ICT vulnerabilities and mitigation measures. During the OEWG discussions, some states offered to create roadmaps and conduct surveys to identify good practices of recommended norm implementation.

4. Recommendations for Confidence-Building Measures

Confidence-building measures (CBMs) have historically been used to reduce misunderstanding and prevent unintentional escalation, tensions between states. Experts have concluded that the exchange of views and information on national strategies and policies and best practices would help build confidence and trust among states. The group also recommends exchanging information between CERTs, exchanging national views of what states categorize as critical infrastructure, assigning national points of contact both at the policy and technical level, and some other measures. Some of these CMB recommendations were echoed into regional initiatives by the OSCE, OAS and ASEAN Regional Forum. The OEWG discussions introduced the idea for a global directory of points of contact.

5. Recommendations for Capacity Building

The technical capacity divide between developing states, as well as on the national level between the technical community and legislators, strategists and policymakers, is an obstacle to global cooperation on securing the use of ICTs. To support least-developed states, the GGE has proposed transferring technical and forensic knowledge. To strengthen incident response capabilities, the group suggested establishing closer cooperation between CERTs to address vulnerabilities extending beyond national borders, creating procedures for mutual assistance. The OEWG discussions complemented the proposition of developing diplomatic capacities and consideration for a cross-sectoral and multi-disciplinary approach to capacity building.

Examples of Non-Responsible Behavior

To have a positive impact on international cybersecurity, it is essential that the recommended measures are implemented widely and uniformly. A brief look at cyber incidents illustrates how states act vis-à-vis the recommendations.

Between the United States and Iran

Within the scope of foreign policy and ahead of negotiations for the Iran Nuclear Deal (JCPOA), the U.S. implemented a cyber operation that targeted an Iranian nuclear facility – the Natanz. The Stuxnet was a worm that infected computers across the world but only damaged a specific industrial control system (ICS) being used by Iran to enrich uranium. Internally, the U.S. administration referred to the project as Operation Olympic Games but, as a covert operation, it is still publicly denied by the U.S. government. In retaliation, Iran launched cyberattacks against U.S. banks.

Between Russia and Ukraine

In 2015, three regional electricity distribution companies in Ukraine experienced blackouts, impacting more than 200,000 customers countrywide, for which Russia was accused. Based on a technical analysis of the incident, the U.S. CERT issued an Industrial Control System alert. A year later, a substation outside Kiev went down. Several cybersecurity companies published their findings, and the U.S. CERT released another alert. The Ukrainian Security Services accused Russia.

Between Armenia and Azerbaijan

Cyber interactions between Armenia and Azerbaijan have been ongoing for more than a decade in tit-for-tat attacks as an extension of adversarial behavior in different fora and occasions. During the 2016 Four Day April War, both parties were actively engaged in cyber operations, including information operations. Just recently, on July 12, 2020, fighting broke out across the Armenia-Azerbaijan border, in the Tavush region, and both Armenia and Azerbaijan used cyber operations to retaliate against each other. In Armenia, efforts are made to warn against phishing attacks and provide guidance on how to protect social media accounts against hijacking that aims to spread disinformation.

Between the United States and Russia

In 2016, Russia was blamed for targeting the Democratic National Committee (DNC) and interfering in the U.S. presidential election. In 2018, a technical alert issued by the U.S. CERT warned against Russian state-sponsored cyber actors compromising network infrastructure, affecting switches, network-based intrusion detection system (NIDS) devices and routers that targeted well-known CISCO devices. Earlier that same year, the U.S. Cyber Command conducted a cyber operation against the Internet Research Agency (IRA), which the U.S. claims is a Russia-led troll farm that spreads disinformation.

Between North Korea and the United States

In 2014, as retaliation against Sony Pictures for releasing the political satire movie called The Interview, about a CIA plan to assassinate Kim Jong-un, the company experienced a cyber-attack, causing substantial damage to proprietary information and employees’ personal data. In a media briefing, President Obama stated that the U.S. would respond. In 2017, the North Korean test launch of an intercontinental ballistic missile (ICBM) failed. In a tweet, President Trump suggested that the launch “won’t happen”. It was later revealed that the Pentagon had a program known as “Left of Launch”, initiated during the Obama administration, with the aim of disrupting missile launches before they take off.

Between China and the United States

China has notoriously been blamed for cyber espionage against U.S. government agencies and private companies. In 2010 there were a series of cyber-attacks targeting several tech companies. There was speculation that some of the technology incorporated into the J-20 stealth fighter jet, tested by China in 2011, had been stolen from the U.S. Air Force’s F-35 Joint Strike Fighter Project. In 2014, a Chinese national was accused of hacking a U.S. defense contractor to steal sensitive military information. In 2015, Barack Obama and Xi Jinping, in a joint press conference, agreed to not engage in (economic) cyber espionage.

Between India and Pakistan

The relations between India and Pakistan are rooted in unresolved conflict. Both countries have been using ICTs to target each other. In 2012, a considerable amount of websites in Pakistan were targeted. Similarly, several Indian government websites were hacked. The research paper published by cybersecurity company Trend Micro highlights how geopolitical events can trigger web-based attacks.

Between Georgia and Russia

In 2008, tensions between Russia and Georgia over the South Ossetia region escalated into a military confrontation. Georgian government, media and financial sector websites became the target of cyber-attacks, for which Georgia accused Russia. In 2019, Georgia experienced another cyber-attack targeting a web-hosting company, affecting nearly 15,000  websites.

The 2019 cyber-attacks against Georgia struck a nerve within the international community. The Five Eye intelligence alliance (U.S., U.K., Canada, New Zealand and Australia) and several European countries condemned Russia for targeting Georgia, violating its sovereignty and territorial integrity and disrespecting responsible state behavior. In a letter to the UN Secretary-General and the President of the Security Council (UNSC), Georgia called on the international community to give an “appropriate reaction”. A joint statement from Estonia, the U.K. and U.S. followed. Estonia used the occasion to organize an Arria-Formula meeting (UNSC informal meeting) to invite a broader community to brief the Security Council and UN member states on cybersecurity issues.

Future Outlook

For two decades, experts have met to discuss and offer recommendations for mechanisms to help reduce misunderstanding and build trust between states, but they have not achieved a concrete solution. Meanwhile, states have discovered that they can use ICT as a tool for (any) policy implementation. And states that have fallen victim to cyber operations are asking for “justice” from the UN Security Council. However, as the Handbook of International Cybersecurity points out, the “effectiveness in decision-making is highly dependent on the climate between the Permanent Members.” How do we imagine Russia taking up a case against its own interest in the Security Council? The same question applies to the United States.