Arria-formula Meeting on Cybersecurity
Tomorrow afternoon (4 April), Security Council members will hold an Arria-formula meeting titled “Evolving Cyber Threat Landscape and its Implications for the Maintenance of International Peace and Security”. The meeting is being organised by the Republic of Korea (ROK) and co-hosted by Japan and the US. Briefings are expected from Deputy to the High Representative for Disarmament Affairs Adedeji Ebo; Director of the UN Institute for Disarmament Research (UNIDIR) Robin Geiss; and Valerie Kennedy, Director of Intelligence Solutions for Investigations and Special Programmes at Chainalysis, a blockchain analysis firm.
The meeting, which will begin at 3 pm EST and take place in the ECOSOC Chamber, will be broadcast on UNTV. It is open to all UN member states, permanent observers, non-governmental organisations, and the press.
The concept note prepared by the meeting’s co-organisers emphasises the importance of previous Council discussions on cybersecurity-related issues, while recognising that the threat landscape continues to evolve and change. It suggests that the Council could benefit from further discussions on current and evolving threats in cyberspace and their implications for international peace and security.
According to the concept note, the objectives for tomorrow’s meeting include raising member states’ awareness of the latest developments in cyberspace; promoting a better understanding of cybercrime activities in relation to international peace and security; and providing recommendations on improving the Council’s role in addressing these threats, in a manner that complements the ongoing work in the UN General Assembly (UNGA).
The concept note lists some of the main evolving threats in cyberspace, such as ransomware attacks, cryptocurrency-related crimes, and the proliferation of malicious actors. It indicates that there has been a major spike in ransomware attacks worldwide targeting both private and public sector actors. In this regard, it cites some recent instances of ransomware attacks on governments and critical infrastructure, such as the 2014 attack against the Korea Hydro and Nuclear Power, which operates large nuclear and hydroelectric plants in the ROK; the worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm; and the 2021 ransomware-as-a-service (RaaS) attack on Colonial Pipeline, the largest pipeline system for refined oil products in the US.
The concept note argues that cryptocurrency theft by state and non-state actors requires greater attention from the Council. It further says that some profit from these malicious activities is used to fund the development of nuclear weapons programmes and to finance terrorist activities. The concept note also emphasises that certain entities leverage the use of cybercrimes to evade Security Council sanctions.
The concept note poses several questions to help guide the discussion at tomorrow’s meeting. Among others, these include:
- What actions can the Security Council take to effectively address the evolving nature of cyber threats?
- What emerging trends in cyberspace pose additional challenges to international peace and security?
- How do criminal activities in cyberspace exacerbate existing threats and challenges to international peace and security?
- What existing and innovative collective measures can the international community leverage to counter the existing threats, and what are necessary capacity-building efforts in this regard?
While the concept note describes issues related to cyber threats in general, some members might use this opportunity to discuss these threats in the context of country-specific situations. All three co-hosts have a strong interest in the situation on the Korean Peninsula and might reference the activities of the Democratic People’s Republic of Korea (DPRK) in cyberspace. The final report of the Panel of Experts assisting the 1718 DPRK Sanctions Committee (S/2024/215), which was published on 7 March, noted that the DPRK continued to engage in cyberattacks on cryptocurrency companies, stealing assets valued at around $3 billion between 2017 and 2023. Some member states have reported to the Panel that the DPRK is using some of these profits to fund its weapons of mass destruction programme. In addition, the Panel of Experts report also cites multiple other instances of the DPRK’s alleged use of malicious cyber tools targeting public and private entities globally.
Although the DPRK sanctions regime—which is open-ended—remains in place, its Panel of Experts may soon cease to operate. On 28 March, the Council failed to extend the panel’s mandate due to a veto cast by Russia. China abstained, while the remaining 13 members voted in favour. (For more information, see our 22 March What’s in Blue story.) At the time of writing, it was unclear whether Council members supportive of retaining the Panel of Experts will pursue another product to extend its mandate, which expires on 30 April. At tomorrow’s meeting, some members might address issues that may arise from a lack of reporting on the DPRK’s use of cyber threats in the absence of a Panel of Experts.
Some members might also address the use of malicious cyber activity in the context of the conflict in Ukraine. Since Russia’s full-scale invasion of the country in February 2022, there have been numerous reported cases of cyberattacks on Ukraine. Both Russia and Ukraine have accused each other of perpetrating such attacks.
Over the past several years, the Council has become increasingly involved in addressing cyber threats to international peace and security. The COVID-19 pandemic and a surge in the use of digital technologies have greatly accelerated Council members’ awareness of this issue. To date, most of the discussions among Council members on cybersecurity-related issues have taken place in informal meetings such as Arria-formula meetings. The Security Council held its only formal meeting on cybersecurity on 29 July 2021 during Estonia’s presidency of the Council. Other meetings on related aspects include a formal meeting on the use of technologies in maintaining international peace and security that the US convened during its May 2022 presidency and a July 2023 high-level briefing on artificial intelligence organised by the UK.
Council members generally agree that implementing existing norms of responsible state behaviour in cyberspace and confidence- and capacity-building measures help reduce mistrust among member states and contribute to stability in the cyber domain. Most members believe that Security Council discussions on cyber issues raise awareness of emerging threats posed by new technologies and highlight the importance of effective deterrence against the malicious use of information and communication technologies (ICTs) by states and other actors. There are stark divisions between members over the Council’s role in addressing cyber threats as well as the applicability of international law in cyberspace, however.
Several Council members have expressed the view that the Security Council should address incidents in which malicious cyber activity poses a threat to international peace and security, just as it would to threats posed by conventional means. Russia, on the other hand, has maintained that the Security Council is not the appropriate body to address these issues. It believes that the Council should defer to the two specialised expert platforms operating under UNGA auspices: the Group of Governmental Experts (GGE) on Advancing responsible State behaviour in cyberspace in the context of international security and the Open-Ended Working Group (OEWG) on security of and in the use of ICTs. Tomorrow, Russia might stress that the Council should focus on supporting these two processes at the UNGA. (For background and more information on the Council’s engagement on cyber treats, see the In Hindsight titled “The Security Council and Cyber Threats, an Update” in our February 2022 Monthly Forecast.)
