Arria-formula Meeting on “The Responsibility and Responsiveness of States to Cyberattacks on Critical Infrastructure”
This afternoon (25 May), Security Council members will hold an Arria-formula meeting titled “The Responsibility and Responsiveness of States to Cyberattacks on Critical Infrastructure”. The meeting is being co-organised by Albania and the US, with co-sponsorship by Ecuador and non-Council member Estonia. The expected briefers are High Representative for Disarmament Affairs Izumi Nakamitsu, International Policy Director at Stanford University’s Cyber Policy Center Marietje Schaake, and Cybersecurity Researcher at the UN Institute for Disarmament Research (UNIDIR) Moliehi Makumane. The meeting is open to representatives of all UN member states, permanent observers, UN entities, civil society organisations, and members of the press.
The meeting, which will begin at 3 pm EST in the Trusteeship Council chamber, will not be broadcast on UNTV, after Russia raised an objection to webcasting the meeting on the official UN channel. In line with established practice, the webcasting of Arria-formula meetings can be blocked if a single Council member objects. This will mark the fifth time in the past two months that a Council member has opposed the webcasting of an Arria-formula meeting. The co-organisers intend to livestream the meeting on the YouTube channel of the Permanent Mission of the US to the UN.
The concept note prepared by the co-organisers says that the meeting is expected to focus on the importance and relevance of addressing responsible state behaviour in the use of information and communication technologies (ICTs), arguing that this falls under the Council’s responsibility for maintaining international peace and security. It maintains that the Council should take a leading role in promoting norms of responsible state behaviour and underscoring the applicability of international law in cyberspace to member states. Moreover, the concept note argues that by identifying and condemning counter-normative or unlawful state conduct and encouraging positive actions to improve the security and stability of cyberspace, the Security Council can reduce the risk of conflict arising from malicious actions, particularly those affecting critical civilian infrastructure. The concept note also articulates the need for greater public-private partnerships at the national and international levels to combat cyber threats.
In the past three years, the Security Council has become progressively more involved in addressing cyber threats to international peace and security. The Council’s latest formal meeting on the matter, which was organised by the US during its May 2022 presidency, focused on the use of technologies in maintaining international peace and security. Prior to that, then-Council member Estonia and the UK organised an Arria-formula meeting in December 2021 which sought to foster discussion on ways to prevent and mitigate the consequences of malicious cyber activities targeting critical civilian infrastructure.
Although the Council has increased its engagement on cybersecurity, discussions on the matter have primarily taken place in two General Assembly-mandated processes: the Group of Governmental Experts (GGE) on advancing responsible state behaviour in cyberspace in the context of international security, and the Open-ended Working Group (OEWG) on security of and in the use of ICTs. There have been six GGEs since 2004, and two OEWGs, the first of which was established in 2019 through a Russian-sponsored General Assembly resolution. The GGEs have established a set of 11 norms of responsible state behaviour in cyberspace, which include three negative and three positive measures that specifically address threats to critical infrastructure. These include commitments by states to avoid conducting or knowingly supporting ICT activity contrary to their obligations under international law that intentionally damage critical infrastructure; to take appropriate measures to protect their critical infrastructure from ICT threats; and to respond to requests for assistance by another state whose critical infrastructure has been targeted by malicious ICT acts.
The concept note prepared by the co-organisers for today’s meeting poses several questions to help guide the discussion. Among others, these include:
- What actions can the Security Council take to address cyberattacks against critical infrastructure perpetrated by states?
- What role can the Council play to ensure a secure and peaceful cyberspace, build trust between states, and prevent conflicts arising from the malicious use of ICTs by states or non-state actors?
- What are the possible venues and mechanisms for a closer partnership between public and private entities for concerted and coherent defense and responses to cyberattacks?
At today’s meeting, the briefers are likely to emphasise that malicious cyber activities—from denial-of-service attacks to large-scale ransomware operations—pose a significant threat to critical civilian infrastructure given its reliance on ICTs to function. Nakamitsu may note that attributing responsibility for cyberattacks is difficult, which could lead to unintended armed responses and escalation. She might refer to the Secretary-General’s agenda for disarmament titled “Securing Our Common Future”, published in 2018, which stresses the need to comprehend and address a new generation of technology that could threaten existing legal, humanitarian, and ethical norms as well as peace and security. Schaake may stress the need to expand the criteria for what constitutes critical infrastructure, noting that data and knowledge centres must also be protected. She may also highlight the need to focus on assessing the potential risks stemming from the currently under-governed application of artificial intelligence technologies. Makumane may refer to the implications of emerging technologies for security, particularly in developing countries.
Council members agree that implementing existing norms of responsible state behaviour in cyberspace and confidence- and capacity-building measures help minimise mistrust between member states and contribute to stability in the cyber domain. Most members believe that Security Council discussions on cyber issues raise awareness of emerging threats posed by new technologies and highlight the importance of effective deterrence against the malicious use of ICTs by states. However, there are stark divisions between members over the Council’s role in addressing cyber threats as well as the applicability of international law in cyberspace.
Several Council members, including the co-organisers, have expressed the view that the Security Council should respond to incidents in which malicious cyber activity exacerbates conflict or causes humanitarian suffering, just as it would to threats posed by conventional means. Russia, on the other hand, has maintained that the OEWG remains the main platform for considering this issue. At today’s meeting, it may argue that the Council should focus on supporting General Assembly processes and avoid discussing the OEWG’s work and recommendations.
Several Council members are expected to express the view that international law, and in particular the UN Charter, is applicable in cyberspace. These members may propose focusing on the implementation of the agreed-upon norms of responsible state behaviour in cyberspace, as established by the GGE and OEWG processes. On 7 December 2022, the General Assembly adopted a resolution welcoming a proposal to establish a programme of action (PoA) to advance responsible state behaviour in the use of ICTs in the context of international security (A/RES/77/37). The resolution was co-sponsored by numerous countries, including Council members Albania, France, Japan, Malta, Switzerland, the UK, and the US. The PoA is envisioned as an action-oriented mechanism to support states’ capacities and efforts to implement the voluntary, non-binding norms established by the GGE and OEWG.
Some members—including China and Russia—may emphasise that further research is needed to determine when and how international humanitarian law applies in cyberspace. While members agree on the applicability of international law, particularly the UN Charter, in cyberspace, China and Russia have been uncomfortable with determining the applicability of the right to self-defence under article 51 of the Charter. These members have supported the view that recognition of the right to self-defence may lead to the “securitisation” of cyberspace, legitimising military intervention and unilateral sanctions in the context of ICTs.
Russia may also voice a preference for a more legally binding instrument to dictate responsible state behaviour in cyberspace. On 7 March, Russia submitted to the OEWG its vision for a Convention of the UN on Ensuring International Information Security. The concept paper emphasises that a “growing need for states to conclude a legally binding multilateral treaty within the [UN] to ensure the prevention and settlement of inter-State conflicts in the global information space, to promote the entirely peaceful use of information and communications technologies and to provide a framework for cooperation among States for these purposes”.
