In Hindsight: The Security Council and Cyber Threats, an Update
When Security Council Report (SCR) published an In Hindsight on The Security Council and Cyber Threats in January 2020, the Council had never held a formal session on the effects of information and communication technologies (ICTs) on the maintenance of international peace and security. But the issue seemed likely to gain greater prominence in the Council, as incoming member Estonia had identified cybersecurity as one of its priorities, and the Council held its first formal meeting on cyber threats in June 2021.
Council members agree that implementing existing norms of responsible state behaviour in cyberspace and confidence- and capacity-building measures help minimise mistrust between member states and contribute to stability in the cyber domain. Most members believe that Security Council discussions on cyber issues raise awareness of emerging threats posed by new technologies and highlight the importance of effective deterrence against the malicious use of ICTs by states. However, there are stark divisions between members over the Council’s role in addressing cyber threats as well as the applicability of international law in cyberspace.
The Security Council and Cyber Threats since 2020
In the past two years, the Council has become progressively more involved in addressing cyber threats to international peace and security, culminating in a high-level open debate on cybersecurity on 29 June 2021. This signature event of Estonia’s presidency marked the first time the Council addressed this issue in a formal setting. By then, differences among Council members—particularly regarding the right of self-defence and the applicability of international humanitarian law in cyberspace—had become evident through several informal Council meetings on cyber during the previous fifteen months.
Consensus reports from the General Assembly-mandated Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (GGE) have acknowledged the applicability of the UN Charter in its entirety, including the principles of state sovereignty, the settlement of disputes by peaceful means and non-intervention. However, the applicability of the right to self-defence under article 51 of the UN Charter has been more contentious. Member states, including China and Russia, have supported the view that recognition of the right to self-defence may lead to the “securitisation” of cyberspace, legitimising military intervention and unilateral sanctions in the context of ICTs. In its national contribution on the subject of how international law applies to the use of ICTs by states, submitted during the 2019-2021 GGE, Russia also noted the difficulty of attributing responsibility for particular actions to states.
At the 29 June meeting, Estonia expressed its view that “existing international law, including the [UN Charter] in its entirety, international humanitarian law and international human rights law, applies in cyberspace”. Non-Council member Germany took the floor to suggest that the “common acquis is not enough” and that various instruments, including sanctions, can be considered to deter states from committing malicious cyber activities. Russia criticised certain states for “incorrectly interpreting” as “automatic” the applicability of international law in cyberspace which, they argued, “would justify unilateral pressure and sanctions…and the possible use of force” against other member states. They also objected to the Council’s engagement on this issue, saying that they oppose any attempts by the Council to “revise…the balanced agreements reached within the designated General Assembly forums”.
Following the open debate, Estonia circulated a draft presidential statement on cybersecurity to Council members. The draft text acknowledged that malicious cyber activities posed a threat to international peace and security and that, as a cross-border issue, addressing cyber threats requires multilateral cooperation. It also recognised the work of the GGE and the Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security (OEWG) (see below) while seeking to differentiate their roles from that of the Council in addressing cyber threats. In addition to some Council members’ concern that a Council product would interfere with the dual-track discussions at the General Assembly, the ultimate sticking point was the inability of Council members to agree on an operative paragraph on the applicability of international law in cyberspace.
Informal Council Meetings on Cyber
When the COVID-19 pandemic immobilised life in New York City in March 2020, the Security Council relied on video teleconferencing to conduct its meetings. In many parts of the world, ICTs contributed to the resumption of business activities and essential public services, underlining the need to ensure cybersecurity.
The Council discussed states’ malicious use of cyber in three informal settings during 2020. On 5 March, Council members discussed Georgia in the context of cyber threats and hybrid warfare under “any other business”. The meeting was initiated by Estonia, the UK and the US, after Georgia informed the Council that its government and media websites had been targeted by a large-scale cyber-attack in October 2019. In a joint statement to the media after the meeting, the three members attributed the cyberattacks to Russian military intelligence agencies and said that these actions represented a wider pattern of Russia’s activities. Estonia’s Foreign Minister Urmas Reinsalu issued a press statement following the meeting, suggesting that such conduct was an “example of irresponsible behaviour” by Russia. Russia denied these accusations and said there was no evidence to support the claims.
Two Arria-formula meetings related to cyber threats were held in 2020. On 22 May, Estonia organised a meeting on “Cyber Stability, Conflict Prevention and Capacity Building”, focusing on the application of international law, existing frameworks for responsible state behaviour, and capacity- and confidence-building measures in cyberspace. At that meeting, Ukraine accused Russia of committing “hybrid aggression” and advocated for the enforcement of accountability mechanisms to “bring to justice those who intentionally organise and carry out cyber-attacks”. Every Council member took the floor, except Russia, which boycotted the meeting after Estonia, the UK and the US did not participate in Russia’s Arria-formula meeting on the situation in Crimea the previous day. Russia published a statement online claiming that an “elite minority” of states were “actively pursuing the militarisation of cyberspace” and exploiting the pretext of the application of international law to “justify unilateral pressure and sanctions…and even possible use of force”.
On 26 August 2020, Indonesia organised an Arria-formula meeting on “Cyber-Attacks Against Critical Infrastructure” to raise awareness of the vulnerability and need for protection of critical infrastructure to such attacks. The meeting explored how norms of responsible state behaviour in cyberspace protect critical infrastructure and contribute to the maintenance of international peace and security. While most Council members recognised the applicability of international law in cyberspace during times of peace, divisions over its application during armed conflict came to light. Although China has recognised the importance of raising the Council’s awareness of cyber threats to international peace and security, including from emerging technologies, it indicated that the Council should approach the issue with prudence, arguing that several questions pertaining to “definition and scope” remain unanswered.
In 2021, Council members organised three Arria-formula meetings on issues related to cyberspace and peace and security. On 17 May, China convened a meeting on “The Impact of Emerging Technologies on International Peace and Security”, which also examined efforts to prevent and mitigate potential risks caused by the use of these technologies. On 28 October, Kenya organised a closed Arria-formula meeting on “Addressing and Countering Hate Speech and Preventing Incitement to Discrimination, Hostility, and Violence on Social Media”, and on 20 December, Estonia and the UK co-organised a closed Arria-formula meeting on “Preventing Civilian Impact of Malicious Cyber Activities”. At the meeting, High Representative for Disarmament Affairs Izumi Nakamitsu applauded the Council for its increasing engagement on the peace and security aspects of cyberspace.
The positions expressed in Council meetings by China and Russia echo those of several member states at First Committee meetings of the UN General Assembly and in two General Assembly-mandated processes, the GGE and the OEWG. The OEWG is open to all member states, while the GGE is composed of 25 member states, chosen on the basis of equitable geographical distribution, and with one seat reserved for each of the permanent members of the Security Council.
There have been six GGEs since 2004, and two OEWGs, the first of which was established in 2019 through a Russian-sponsored General Assembly resolution. While the GGEs can be credited with having established a set of 11 norms of responsible state behaviour in cyberspace in 2015, including recognition of the applicability of international law and the UN Charter therein, some member states such as China and Russia have repeatedly indicated that further research is needed to identify precisely when and how international law applies in the cyber domain. They maintain that international humanitarian law applies only in the context of armed conflict and on issues related to the protection of civilians and critical infrastructure.
Looking Ahead
Cyber threats to the international security environment are becoming increasingly more frequent, sophisticated and destructive. According to Secretary-General António Guterres’ 2018 Agenda for Disarmament, “global interconnectivity means that the frequency and impact of cyberattacks could be increasingly widespread, affecting an exponential number of systems or networks at the same time.” In his report “Our Common Agenda”, published in September 2021, Guterres says that the gaps in the cyber governance architecture are cause for concern and calls for a New Agenda for Peace that provides stronger measures to deter cyberattacks on civilian infrastructure and to de-escalate cyber-related tensions.
The spate of Council meetings on cyber threats has helped raise awareness in the Council and among the wider membership. Current differences suggest that member states seeking to advance discussions on cyber threats to peace and security will find greater consensus around confidence-building and cooperative measures, including prevention and risk reduction in the use of ICTs by states, and the protection of civilians and critical infrastructure in conflict situations. Discussions could also focus on identifying measures to support capacity-building in less developed countries to ensure a stable cyber environment.
A normative or legal framework addressing the applicability of international humanitarian law and self-defence in cyberspace may be distant, with divisions between members over the Council’s role in tackling cyber threats and the applicability of international law in cyberspace likely to persist. But the extent of malicious cyber activities by states gives the Council no choice but to remain engaged on the topic.
