Disconnects in state cyber behaviour: Accountability for attacks on Critical Infrastructure
Last October, ICT4Peace launched a “Call to Governments on Offensive Cyber Operations and Critical Infrastructure” . This initiative was designed to strengthen a vitally important norm that had been agreed, alongside ten others, in a consensus report of the 2015 UN Group of Governmental Experts on “Developments in the Field of Information and Communications Technology (ICT) in the context of International Security”.
Specifically, this norm stipulated that: “A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public”.
While all the norms recommended by the UN GGE were worthwhile, ICT4Peace believed that this norm was of pre-eminent importance, given the potentially devasting consequences of a cyber attack against critical infrastructure upon which the public depends. The fact that these norms were agreed by consensus and that the UN General Assembly in the fall of 2015 adopted a resolution indicating that all member states should be guided by these norms in their use of ICTs suggested that they would be respected in practice.
Regrettably, indications continued to emerge that offensive cyber operations were continuing to be conducted against elements of critical infrastructure in foreign states. In our view, further action was needed to raise the profile of this norm of non-targeting critical infrastructure and to ensure that states were adhering to it in practice. Hence the call to governments, especially those possessing offensive cyber capabilities to pro-actively and publicly confirm that they would respect this norm in their policies and actual cyber operations at all times. This last element was inserted to ensure that states recognize this as a permanent and comprehensive prohibition as some states were drawing distinctions between peacetime and wartime conduct that were mudding the waters for this restraint norm, especially given on-going legal debates over the nature and limits of offensive cyber operations.
Our call was submitted to the UN’s Open-Ended Working Group (OEWG) on Cyber security that has been underway since September 2019 and is currently developing a report with a view to its finalization this summer. Several states and other stakeholders contributing to the OEWG have also flagged the threat that offensive cyber operations pose for critical infrastructure. In particular the evidence of cyber-attacks directed against hospitals and health care services during the current COVID 19 pandemic has prompted wide condemnation. Some NGOs have pressed for more attention to this malign activity and have offered remedial assistance, such as the Cyber Peace Institute’s Cyber4Healthcare initiative.
ICT4Peace is supportive of such steps, but believes that the emphasis must be maintained on the prohibition against cyber attack on all critical infrastructure at all times. Unfortunately, reports continue to indicate that a variety of critical infrastructure from energy grids to water management to transportation facilities are being targeted by states or their proxies. One can only question whether such actions represent a disconnect within certain governments with their Foreign Ministry endorsing UN-generated norms while at the same time units of their military or intelligence agencies are violating these norms through their cyber operations.
If such contradictory actions are to be discouraged, states need to be subject to some scrutiny by concerned stakeholders. Accountability on the basis of credible attribution of problematic activity is a key missing ingredient of an international regime promoting responsible state behaviour in cyberspace.
ICT4Peace has put forward proposals(1) to address this lacuna in international cyber security cooperation. We hope states and non-governmental stakeholders alike will recognize the necessity of adopting such measures if the track record of norm violation is not to result in the undermining of these norms to the detriment of human security and wellbeing.
Paul Meyer – Senior Advisor, ICT4Peace
1. Such as the ICT4Peace Proposed “States Cyber Peer Review Mechanism” for state-conducted foreign cyber operations and the Proposal for an Independent Network of Organisations Engaging in Attribution Peer-Review.