There is hope that a United Nations working group’s final report will reduce nations’ cyberattacks on other countries’ critical infrastructure, but experts say it won’t completely stop attackers.
After nearly two years of deliberations, the Open-Ended Working Group (OEWG) on security in information and telecommunications technologies (ICTs) last month issued a report, adopted by consensus of all 193 UN member states, in which they agreed to follow voluntary, non-binding norms for responsible behaviour in cyberspace. Countries that agreed included Russia and China.
However, according to one Canadian commentator, Iran went so far as to “disassociate” itself from the report over what it called its “unacceptable content.” Josh Gold, a visiting fellow at the Canadian International Council, also noted in his blog that Iran didn’t block consensus on the report.
However, he said in the blog, “disassociation is an uncommon UN practice which provides Iran with some basis to claim it is not bound by the report’s conclusions.”
It wasn’t the only country unhappy with compromises in the final wording.
Considering the “general sense of dissension,” the U.S. successfully demanded that the phrase “states agreed” be struck from the final report, which is why the report’s wording includes awkward phrases like “states take into account.”
“But, in the spirit of compromise, the United States and other liberal democracies permitted changes which, to them, were unpalatable yet bearable,” Gold added. “For example, the U.S. criticized—but ultimately accepted—the inclusion of a reference to the possibility of ‘international legally binding obligations,’ the elimination of references to international humanitarian law, and a diluted emphasis on human rights.”
Despite some vagueness in the wording, Christian Leuprecht, a professor at Royal Military College in Kingston, Ont., and an expert on security and defence at the Macdonald-Laurier Institute, called the agreement “a significant achievement.”
“It’s the first time states have agreed to some sort of ground rules,” he said in an interview. “Once you have rules in place then hopefully people will say it’s probably in everybody’s interest to stick to them.”
On the other hand, he acknowledged it may take decades for nations to agree to norms of behaviour.
“So I don’t think this will have an immediate effect but it will hopefully stop some of the reckless behaviour. And eventually, as people play by the rules it will be agreed certain behaviour is not acceptable.”
But this won’t completely stop attackers.
“The risk is hostile actors will take greater efforts to hide their tracks,” Leuprecht admitted. “Attribution is already difficult in this space, and everybody knows it. To apply these rules you need to be able to attribute” a cyberattack.
Ways countries can respond
An accused country can deny involvement and demand evidence. Producing that evidence, however, means the accuser disclosing secret methods and capabilities, which no government wants to do.
“So part of the reason why I think it’s safe for everyone to sign on to this is because they can say, ‘Look we’re responsible members of the international community,’ knowing full well it will be extremely difficult for someone to provide the threshold of evidence that will be necessary to attribute something to a hostile actor beyond a reasonable doubt,” Leuprecht said. “There will always be the ability to say, ‘We had nothing to do with it (a cyberattack). Where’s your proof?’”
The hope is this document will at least rein in some of the worst conduct that news cycles frequently pick up.
“Even getting people to start to adhere to some of these rules would be a significant win for humanity,” he said.
In a blog post earlier this week, Kate O’Sullivan, Microsoft’s general manager of digital diplomacy, called the final report a “historic and much-needed step of agreeing on expectations for responsible nation-state behaviour online,” while saying more needs to be done.
To observers, the key part of the report is that it says states will “avoid and refrain” from the use of ICTs not in line with the voluntary, non-binding norms for responsible state behaviour adopted in the consensus reports of the UN Group of Governmental Experts (GGE) in 2010, 2013 and 2015. Those earlier reports now form an initial framework for responsible behaviour by nations in the use of ICTs, the report says.
The GGE meetings involved only several dozen participating countries; this report involved 193, lending the GGE reports greater legitimacy. In particular, the 2015 GGE report, which was adopted by the UN General Assembly, said one voluntary norm is that “states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs” and that “a state should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.”
In a statement, the federal government’s Global Affairs department said Canada is pleased that the OEWG on information and communications technologies and international security was able to achieve a consensus outcome.
“In particular, we are pleased to see all UN member states reaffirm the framework for responsible State behaviour in cyberspace, anchored in the applicability of international law and norms of responsible state behaviour recommended by the 2013 and 2015 Group of Governmental Experts (GGE) reports.”
The final OEWG report also says states:
- Will take into account earlier UN General Assembly resolutions agreeing that international law, including the Charter of the United Nations, is applicable “to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful ICT environment.”
- “Should not conduct or knowingly support ICT activity contrary to their obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public. Furthermore, states should continue to strengthen measures to protect all critical infrastructure from ICT threats, and increase exchanges on best practices with regard to critical infrastructure protection.”
- Concluded that the COVID-19 pandemic has accentuated the importance of protecting healthcare infrastructure through the implementation of norms of behaviour affirmed by a previous UN resolution.
- Agreed to take reasonable steps to ensure the integrity of supply chains and to seek to prevent the proliferation of malicious ICT tools and the use of harmful hidden functions. States also agreed to encourage “the responsible reporting of vulnerabilities.”
- Concluded that ICT activity contrary to obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public could pose a threat not only to security but also to state sovereignty, as well as to economic development and livelihoods, and ultimately to the safety and well-being of individuals.
- May find it useful to have national “Points of Contact” for diplomatic, policy, legal and technical exchanges, as well as incident reporting and response, as one of a number of confidence-building measures to prevent conflicts, avoid misperceptions and misunderstandings, and reduce tensions.
“It was an achievement,” Christopher Painter, a former U.S. cyber diplomat who is now president of the Global Forum on Cyber Expertise, said in an interview. “Not because the report itself was that momentous or ground-breaking. There were a few new things in there. Most were not new. But it affirms the GGE that had already been agreed to about the 11 norms of responsible state behaviour, the application of international law and the UN charter, the importance of things like capacity building. These had been previously agreed to. The difference is all 193 countries came together … and there was no backsliding. There was a lot of fear people would say ‘We don’t agree with international law and this and that,’ and that didn’t happen.”
And while earlier GGEs had reached consensus agreement (though not in 2017), those sessions had far fewer participants. This time, he said, there were many more countries, including developing nations.
“It gives even more legitimacy to the norms,” he said.
“Nothing in this document means that people will abide by it. The fact that countries agree on voluntary norms of state conduct doesn’t mean there won’t be violations … Yes, really clever sophisticated countries can try to avoid attribution [of an attack] by going through proxies, but the fact is sophisticated nation-states are good at picking up on these things. And if it’s a long-term serious course of misconduct even if they don’t figure it out right away, they can often figure it out – Russia with the NotPetya worm, North Korea with the WannaCry worm.”
However, he did acknowledge the OEWG report doesn’t deal with what will happen to countries that violate the norms of behaviour in cyberspace.