Excellencies, Ladies and Gentlemen,

ICT4Peace calls upon governments, especially those possessing offensive cyber capabilities, to publicly confirm that they will respect the norm prohibiting cyber operations directed at critical infrastructure. This will provide a proactive means of assuring the international community that these states are committed to acting in a responsible manner in cyberspace.

“A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public”.

This norm is one of eleven such principles for the responsible behaviour of states in cyberspace recommended in the consensus report of a UN Group of Governmental Experts (GGE) released in 2015. (i) A year later, the UN General Assembly adopted a resolution which called upon member states “to be guided in their use of information and communications technologies (ICT) by the 2015 report” of the GGE. (ii)

ICT4Peace believes that the norm on the prohibition of cyber operations that deliberately damage critical infrastructure upon which the public depends has special importance. The welfare of global society is heavily dependent on the proper functioning of critical infrastructure across a wide spectrum of services, from water treatment to electricity generation, from transportation systems to financial networks. This infrastructure is increasingly controlled by computer systems vulnerable to disruptive cyber operations. If some or more of this infrastructure failed to perform, the impact on societies and individuals could be enormous.

Unfortunately, and despite the fact that the vast majority of this infrastructure is of civilian nature, damaging cyber operations have already occurred against it, by states and non-state actors alike (iii). The experience to date underlines the potential for massive negative effects on infrastructure essential for the safety and well-being of the public.

It is only by means of a demonstrable commitment by states to abide by this norm that it will be possible to begin to solidify, in policy and practice, the still fragile restraint measure represented by the prohibition against cyber interference with foreign critical infrastructure.

ICT4Peace believes that there is a pressing need to reinforce the nascent normative framework set out in the UN GGE report, by operationalising these norms, and in particular, the norm concerned with the protection of critical infrastructure.

ICT4Peace, therefore, calls upon governments, especially those possessing offensive cyber capabilities, to publicly confirm that they will respect the norm prohibiting cyber operations directed at critical infrastructure. This will provide a proactive means of assuring the international community that these states are committed to acting in a responsible manner in cyberspace.

The full text of the call to Governments can be found here.

Yours sincerely

Daniel Stauffacher

©ICT4Peace Foundation, Geneva, 21 October 2019

###

i Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN General Assembly, A/70/174, 22 July 2015

ii Developments in the field of Information and Telecommunications in the Context of International Security, UN General Assembly Resolution, A/71/28, 5 December 2016

iii For a valuable resource detailing the scope and implications of attacks on critical infrastructure, see The Potential Human Cost of Cyber Operations, The International Committee of the Red Cross, 20 June 2019, https://www.icrc.org/en/publication/potential-human-cost-cyber-operations.