Cybersecurity
Expected Council Action
In June, the Republic of Korea (ROK) is organising a high-level open debate on cybersecurity as a signature event of its presidency.
No outcome is expected.
Background and Key Recent Developments
Over the past several years, the Council has become increasingly involved in addressing cyber threats to international peace and security. The COVID-19 pandemic, along with a surge in the use of digital technologies, has heightened Council members’ awareness of this issue. To date, most of the discussions among Council members on cybersecurity-related issues have occurred in informal settings, such as Arria-formula meetings. These discussions have covered a wide range of issues, from cyber-attacks on critical infrastructure to efforts aimed at countering hate speech and preventing the incitement of discrimination, hostility, and violence on social media.
The Security Council held its only formal meeting on cybersecurity on 29 June 2021, during Estonia’s presidency of the Council. Other meetings on related aspects include a formal meeting on the use of technologies in maintaining international peace and security that the US convened during its May 2022 presidency and a July 2023 high-level briefing on artificial intelligence organised by the UK.
The Council has also discussed states’ malicious use of cyberspace in country-specific situations. For example, on 5 March 2020, Council members discussed Georgia in the context of cyber threats and hybrid warfare under the “any other business” agenda item. The closed meeting was initiated by Estonia, the UK, and the US, after Georgia informed the Council that its government and media websites had been targeted by a large-scale cyber-attack in October 2019. In a joint statement to the media after the meeting, the three members attributed the cyberattacks to Russian military intelligence agencies and said that these actions represented a wider pattern of Russia’s activities. Estonia’s Foreign Minister Urmas Reinsalu issued a press statement following the meeting, suggesting that such conduct was an “example of irresponsible behaviour” by Russia. Russia denied these accusations and said there was no evidence to support the claims.
Most recently, on 4 April, Security Council members held an Arria-formula meeting titled “Evolving Cyber Threat Landscape and its Implications for the Maintenance of International Peace and Security”. The meeting was organised by the ROK and co-hosted by Japan and the US. At that meeting, the briefers highlighted key trends in the field of cybersecurity, including the increasing sophistication of ransomware attacks, the emergence of cybercrime as a global service, the proliferation of commercially available cyber-intrusion capabilities such as surveillance technologies, and the effects of emerging technologies such of artificial intelligence and quantum computing on the cybersecurity landscape.
Several Council members emphasised how illicit cyber activities enable both state and non-state actors to circumvent Security Council-mandated sanctions, thereby undermining the efficacy of some tools available to the Council. In particular, members highlighted the challenges these illicit activities pose to the non-proliferation regime. Many members referred to reports by the Panel of Experts of the Democratic People’s Republic of Korea (DPRK) sanctions regime, which have documented the involvement of DPRK actors in cyberattacks targeting financial institutions and critical infrastructure. Additionally, the DPRK has been implicated in the illegal transfer of cryptocurrencies and money laundering. The Panel has stressed that the DPRK’s use of cyberattacks provides an opportunity for sanctions evasion involving minimal resources while offering low-risk, high-reward opportunities.
Several members expressed regret that the Council failed on 28 March to adopt the draft resolution extending the mandate of the Panel of Experts assisting the 1718 DPRK Sanctions Committee. The draft resolution was vetoed by Russia. All other members—except China, which abstained—voted in favour of the text. In its statement prior to the vote, Russia claimed that the Panel of Experts had ceased to carry out its obligations and said that the sanctions regime no longer reflected realities on the ground and had failed to achieve the international community’s stated aims. Other Council members strongly criticised Russia’s veto, arguing that it undermines the global non-proliferation regime and emboldens the DPRK in its attempts to evade sanctions. Several members—including France, Japan, the ROK, the UK, and the US—linked the veto to Russia’s alleged purchase of arms from the DPRK.
The final report of the Panel, issued on 7 March, noted that the Panel was investigating reports of arms transfers from the DPRK to other member states, including Russia, and said that the DPRK had continued to flout the 1718 sanctions regime, including by further developing nuclear weapons, producing nuclear fissile materials, importing refined petroleum products, and receiving income from DPRK nationals working overseas. In relation to the DPRK’s cyber activities, the report observed that the Panel was investigating 58 cyberattacks on cryptocurrency-related companies executed between 2017 and 2023, valued at approximately $3 billion, adding that these attacks have reportedly funded the DPRK’s weapons programmes. The Panel’s mandate expired on 30 April.
Although the Council has increased its engagement on cybersecurity, discussions on the matter have primarily taken place in two General Assembly-mandated processes: the Group of Governmental Experts (GGE) on advancing responsible state behaviour in cyberspace in the context of international security, and the Open-ended Working Group (OEWG) on security of and in the use of information and communication technologies (ICTs). Since 2004, there have been six GGEs and two OEWGs. The GGEs have established a set of 11 norms of responsible state behaviour in cyberspace. These include commitments by states to avoid conducting or knowingly supporting ICT activity contrary to their obligations under international law that intentionally damage critical infrastructure; to take appropriate measures to protect their critical infrastructure from ICT threats; and to respond to requests for assistance by another state whose critical infrastructure has been targeted by malicious ICT acts.
Council and Wider Dynamics
Council members generally agree that implementing existing norms of responsible state behaviour in cyberspace and confidence- and capacity-building measures help reduce mistrust among member states and contribute to stability in the cyber domain. Most members believe that Security Council discussions on cyber issues raise awareness of emerging threats posed by new technologies and highlight the importance of effective deterrence against the malicious use of ICTs by states and other actors.
There are stark divisions between members over the Council’s role in addressing cyber threats, the applicability of international law in cyberspace, and the need for the development of additional legally binding obligations. Several Council members have expressed the view that the Security Council should address incidents in which malicious cyber activity poses a threat to international peace and security, just as it would in respect of threats posed by conventional means. These members often highlight how cyber-attacks targeting critical infrastructure can have devastating effects on civilians, exacerbate tensions, and even trigger armed conflicts. Conversely, Russia has maintained that the Security Council is not the appropriate forum for discussing cybersecurity. Instead, it argues that the Council should defer to the specialised expertise of the OEWG on the security of and in the use of ICTs.
Consensus reports from previous GGE meetings have acknowledged the applicability of the UN Charter in its entirety, including the principles of state sovereignty, the settlement of disputes by peaceful means and non-intervention. However, the applicability of the right to self-defence under Article 51 of the UN Charter has been more contentious. Member states, including China and Russia, have expressed concerns that recognition of the right to self-defence may lead to the “securitisation” of cyberspace, legitimising military intervention and unilateral sanctions in the context of ICTs. In its national contribution on the subject of how international law applies to the use of ICTs by states, submitted during the 2019-2021 GGE, Russia also noted the difficulty of attributing responsibility for particular actions to states.
Russia has also voiced a preference for a legally binding instrument to regulate states’ relations concerning the security and use of ICTs. In March 2023, Russia, along with Belarus, the DPRK, Nicaragua, Syria, and Venezuela, submitted an updated concept note to the OEWG for a UN Convention on Ensuring International Information Security. The concept note emphasised a “growing need for states to conclude a legally binding multilateral treaty within the [UN] to ensure the prevention and settlement of inter-State conflicts in the global information space, to promote the entirely peaceful use of [ICTs] and to provide a framework for cooperation among States for these purposes”.
Many member states have raised concerns about the proposal, arguing that the existing cybersecurity framework—which includes international law, the UN Charter, confidence-building measures, and agreed norms of responsible state behaviour in the cyber domain—is sufficient for maintaining a safe and secure cyberspace. In December 2022, the General Assembly adopted a resolution welcoming a proposal to establish a programme of action (PoA) to advance responsible state behaviour in the use of ICTs in the context of international security (A/RES/77/37). The PoA is envisioned as an action-oriented mechanism to support states’ capacities and efforts to implement the voluntary, non-binding norms established by the GGE and OEWG. The resolution was co-sponsored by numerous countries, including Council members France, Japan, Malta, ROK, Slovenia, Switzerland, the UK, and the US.
| Security Council Meeting Records | |
| 18 July 2023S/PV.9381 | This is the meeting record on a high-level briefing on “Artificial Intelligence: Opportunities and Risks for International Peace and Security”. |
| 23 May 2022S/PV.9039 | This was a briefing on technology and security. |
| 29 June 2021S/2021/621 | This letter transmitted the briefings from the high-level virtual debate on cybersecurity. |
