In Hindsight: The Security Council and Cyber Threats
The world’s first electronic computer, ENIAC (Electronic Numerical Integrator and Computer), was completed in 1945, the year the United Nations was created. ENIAC’s applications were military: it was financed by the US Army. Nearly 75 years later, technology has vast reach and destabilising potential: a recent United Nations University report says that the combination of artificial intelligence (AI) and other powerful dual-use technologies places the world at “a time of technological rupture with implications for large-scale crisis prevention”. There are innumerable life-improving applications, but there is also a far-reaching dark side.
Technology has been used to misinform and deceive populations in ways that subvert national unity and coherence, whip up polarising and deadly hatreds, and disrupt public infrastructure. Facial recognition technology offers behavioural—and political—microtargeting and with it the potential to intimidate and control populations, potentially infringing on human rights including freedom of expression and peaceful assembly. By weaponising societal disruption, cyber technology has brought a new elasticity to concepts of threats to international peace and security.
Military cyber applications are evolving rapidly. Many technologies are broadly accessible not only to states but also to cyber-mercenaries and terrorists. Their capacity for concealment and anonymity can make attribution of responsibility for violations of international law—and therefore accountability—extremely difficult.
The range of potentially aggressive actions coming under the cyber rubric is vast, yet apart from autonomous weapons systems and robotics, and the threat of a cyberattack on nuclear weapons systems, few of these actions carry the same level of threat perception as does a violent military or terrorist attack.
Cyber threats have been discussed in many international forums, including the First Committee of the UN’s General Assembly and in two General Assembly-mandated processes, the Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security (OEWG) and the Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (GGE). According to its founding resolution, adopted in December 2018, the OEWG strives to “further develop the rules, norms and principles of responsible behaviour of States…and the ways for their implementation” regarding information and telecommunications in the context of international security. Unlike the OEWG, which is open to all member states, the GGE, with a similar mandate, is composed of 25 member states. A series of GGEs began in 2004, intended to help promote cooperation among states in addressing security threats from information and communications technology.
Several other intergovernmental, private sector, and civil society actors and processes contribute to proposed cyber norms, including Microsoft’s Cybersecurity Tech Accord, the Paris Call for Trust and Security in Cyberspace, and the Global Commission on the Stability of Cyberspace.
The Security Council has not yet held a formal, dedicated debate on the impact of information and communication technologies on the maintenance of international peace and security, though it has considered the issue in informal meetings and as part of a broader discussion. In August 2019, a concept note for a ministerial-level debate on challenges to peace and security in the Middle East, organised by Poland, suggested that members consider “[h]ow to counteract cyber threats, including threats to energy infrastructure, in terms of promoting cooperative mechanisms for deterring and responding to significant cyber incidents in the Middle East”, and several participants addressed this in their interventions.
Speaking at the annual “Hitting the Ground Running” workshop organised by Finland, in 2017, Secretary-General António Guterres told current and incoming Council members that cyber warfare had become a first-order threat to international peace and security and that “[m]assive cyberattacks could well become the first step in the next major war”. He highlighted the need for the Council to conceptualise its role in anticipating, preventing and, if necessary, responding to such threats to global security.
To date, the two discussions held by Council members on cyber threats have been open Arria-formula meetings. Spain and Senegal jointly convened an Arria-formula meeting, “Cybersecurity and International Peace and Security”, in November 2016, and Ukraine did so in March 2017 with “Hybrid Wars as a Threat to International Peace and Security”, during which cyber threats were among those discussed.
The November 2016 Arria-formula meeting discussed the challenges resulting from the use of information and communications technologies (ICTs) that can threaten international peace and security. It was pointed out that countering cyberattacks can be particularly challenging because of, among other factors, the speed at which these attacks can be carried out and the difficulty of attributing their source and ultimate responsibility. Council members were encouraged to explore ways to assess vulnerabilities and prevent cyberattacks while developing national strategies and policies, including sharing best practices, committing to international cooperation, and forming partnerships among governments, businesses, regional and sub-regional organisations, and civil society.
The 2017 Arria-formula meeting on hybrid wars covered a broad range of hostile interventions. According to the concept note for the meeting, these included “advanced weapons systems, cyber-attacks, interference with political processes, quasi-military activities, systematic dissemination of propaganda domestically and internationally, secret intelligence operations and abuse and manipulation of available international instruments…used to achiev[e] political objectives”. Hybrid warfare, the note went on to say, “involves actions designed to fall below military response thresholds to deny or de-legitimate a military response from the target”.
There have been some Council discussions of cyber threats at the subsidiary-body level. For example, the Counter-Terrorism Committee held a special meeting in late 2016 on preventing the exploitation of ICTs for terrorist purposes. Sanctions evasion is one Council entry point to this discussion. In February 2019, the Panel of Experts’ report on the Democratic People’s Republic of Korea (DPRK) noted that DPRK actors have engaged in cyberattacks on financial institutions and infrastructure. The country also engaged in the illegal transfer of crypto-currencies and money laundering. The panel has stressed that the DPRK’s use of cyberattacks provides an opportunity for sanctions evasion involving minimal resources while offering low-risk, high-reward opportunities. According to some estimates, the DPRK has managed to generate around $2 billion using cyberattacks, which represents a significant portion of the DPRK’s revenue stream. The panel recommended that the Council consider, when drafting future sanctions measures, the significance of the DPRK’s use of cyber technology to evade sanctions.
Technology has amplified the reach of hate speech, which has been subject to Security Council sanctions since 2004 when the 1572 Côte d’Ivoire Sanctions Committee incorporated hate speech as a designation criterion. Hate speech was added to the South Sudan sanctions regime in 2016 and to that of the Central African Republic (CAR) in 2018. The report of the Myanmar Fact-Finding Mission—whose head, Marzuki Darusman, briefed the Council in October 2018—found that in Myanmar, Facebook had been “a useful instrument for those seeking to spread hate”. Peacekeeping actors have been threatened by disinformation or anti-UN campaigns on social media in the CAR, the Democratic Republic of the Congo and elsewhere. This, along with the military cyber capabilities of a range of armed actors, is likely to remain a challenge to UN peace operations.
With Estonia’s interest in cybersecurity—which it identified as one of its priorities during its campaign for the 2020-2021 term—the topic can be expected to become a focus of more formal discussion among Council members. Members bring different levels of familiarity in this field. In addition to some lack of trust among stakeholders and the sensitivity of the issue among several of the permanent members, this factor may present initial obstacles to discussion and challenges to normative advances. At the same time, the declared priority of a member state may open the door for the Council’s more serious exploration of an issue which, as the Secretary-General has pointed out, presents a threat to international peace and security of the first order.