On August 26, 2020 at the initiative of Indonesia that month’s President of the UN Security Council, an informal “Arria formula” meeting was held. The theme was broadly the protection of civilian critical infrastructure (such as health and water and sanitation systems, electricity supply, installations containing dangerous forces). from cyber attacks. The vulnerability of such infrastructure, particularly in the healthcare sector to malicious cyber activity has been highlighted during the current COVID 19 pandemic.
The Council heard from several non-governmental experts, with the most prominent being Peter Maurer, President of the International Committee of the Red Cross (ICRC). Peter Maurer in his statement stressed the rising incidents of malicious cyber activity directed against a spectrum of critical infrastructure, from hospitals to nuclear facilities, noting the “significant risk they pose to human life”. He called for the protection of such infrastructure at all times and reminded states of their responsibilities under international humanitarian law to ensure that “all means and methods of warfare” were compatible with these legal provisions. His statement not only enumerated the threats and dangers associated with cyber attacks, but also made it clear that now was the time for “preventive action”.
As the body under the UN Charter responsible for the maintenance of international peace and security, it is only fitting that the Council is giving consideration to the use of Information and Communication Technology (ICT) as a means of warfare and the sabotage of infrastructure essential for society’s well-being. Given that most of the UN’s involvement in issues of malevolent cyber activity has been concentrated in General Assembly-mandated processes, it is appropriate (and some would say overdue) for the UN Security Council to take a greater interest in this subject. ICT4Peace participated in a similar “Arria-formula” session of the Security Council in November 2016, at which its President, Daniel Stauffacher made a plea for a “conflict prevention” strategy to be employed before cyberspace became a “weaponized” domain and suggested that dealing with state “offensive cyber operations against critical infrastructure” would be a good starting point.
Sadly however, the intervening four years has shown little purposeful action by states to preserve cyberspace for peaceful purposes and to foreswear the targeting of critical infrastructure.
For its part, ICT4Peace in October 2019 proposed at the UN that states demonstrate their commitment to the norm of non-targeting of critical infrastructure at all times by publicly confirming this norm in their policy and practice. This “Call to Governments” is a tangible way by which states can proactively manifest their adherence to the crucial norm that civilian infrastructure is not a legitimate target for offensive cyber operations. It represents the sort of preventive action that President Maurer advocates and ICT4Peace stands ready to partner with the ICRC in advancing, through deeds and not just words, the goal of protecting critical infrastructure from offensive cyber operations.
Ambassador (ret) Paul Meyer, Senior Advisor, ICT4Peace Foundation