Meetings with representatives of the United Nations Office for Disarmament Affairs (UNODA) and UN Member States provided insights into the currents processes on cyber-security initiated by UNGA resolution 23/266/2018. After a split in consensus between America on the one side and Russia and China on the other, the General Assembly established in autumn 2018 two parallel processes addressing the application of international law on Cyber-Security. With a resolution sponsored by the US the Group of Governmental Experts[1] (GGE) will continue its work. This sixth GGE group comprised of 25 Member States will be chaired by Brazil and will run from 2019 -2021. The last GGE from 2016/17 failed to deliver a consensus report of recommendations on existing and potential threats in the cyber-sphere as well as possible cooperative measures to address them.

Russia and China launched an Open Ended Working Group (OEWG), which includes all member states and runs from 2019-2020. The 25 member states of the GGE can, but are not obliged to be part of the OEWG. However, many are, to ensure together with UNODA, that the two groups work complimentary.

One of the big issues in Cyber-Security is the question: How can International Law be implemented in Cyber-Space? And more specifically, how can International Humanitarian Law be applied? The difficulties are, inter alia, rooted in the issue of what constitutes an act of war in the realm of cyber space. Is an attack on vital infrastructure such as water, waste water or the energy and health sector an act of war? Or, as in conventional warfare, does an act of war occur when there is only a mass loss of life? Also, the question of self-defense according to Article 51[2] of the UN Charter raises new questions in Cyber-Space. Especially due to the issue of a ‘blended threat’, when states hire hackers to carry out attack on other states, the question of attribution becomes paramount for reactions of the international community as for the attacked country itself.  

The collection of evidence is as relevant in cyber-spaces it is for other acts of crime or terrorist threats.  The UN has established the United Nations Investigative Team for Accountability of Da’esh (UNITAD), as an independent investigative team to support domestic accountability efforts by collecting, preserving and storing evidence in Iraq of acts that might amount to war crimes, crimes against humanity and genocide committed by ISIL in Iraq. The issue for prosecutors is not only to gather the data, but also the question of jurisdiction, depending not only in which country it might be stored, but also the possibility that it is stored in a cloud. Hence, UNODC has established a Global Initiative on collecting and storing of digital evidence.

When evidence has been collected and an attribution has been achieved, the question of proportionate vs. disproportionate responses of states arises. The issue here for the UN is that international law regulates inter-state relations, and falls short of threats posed by non-state actors.

Narrowing down from the global picture to the level of member states, the delegation also met with representatives of the Permanent Mission of Estonia to the UN. Estonia has embarked on E-Governance projects since its independence from the Soviet Union in 1990 and is now one of the leaders on the UN’s E-Government Development Index[3]. Instigated by the 2007 major Cyber-Attack, Estonia, it developed a Cyber-Security Strategy. By now, Estonia has a Cyber-Security Strategy[4] as well as a yearly Cyber-Security Assessment[5] which is used to update the Strategy if necessary.

The Estonian Cyber-Security Strategy is strongly modelled on the German “Grundschutz”[6] which is based on the concept of data being stored in different places which makes it more difficult to attack. They are only connected through channels which are controlled by the government which, in case of an attack, can be cut, and the threat would not be able to spread from the one data storage it has attacked to another. The Estonian government has taken this a step further and has built a “Digital Embassy” in Luxembourg, where it stores fragments of its encrypted data. Additional locations are planned in other parts of the world too. This ensures that even if the territory of Estonia is attacked and taken over, the population’s most important data is safe. However, the distribution of data is not only important for countries; it is also practiced by private companies and highly recommended for individuals so as to keep their data protected.

“The biggest problem is between the screen and the keyboard”

Charly McGonnigal, Brookfield Properties

Representatives of the FBI, INTERPOL and the private sector however agree that no matter how safe the system is that a country or company has developed, the biggest threat to Cyber-Security is the person in front of the computer. Hence, it is of utmost importance to sensitize people to these threats through continuous training.

Throughout this dialogue program, there was one common refrain from the interlocutors: We all need to work closely with tech companies. Tech companies are ahead, not only of the UN and public sector, but also of law enforcement. INTERPOL does have an innovation lab in Singapore to anticipate future threats and implications for policing. However, on the purely technological side, no one can compete with the private sector. A similar situation arises with the UN. The UN itself has scattered expertise on Cyber-Security and its implications on peace-keeping, conflicts and natural emergencies. A first study on e.g. the implications of AI on conflict prevention[7] was only done this year. Hence, it is tantamount that the public sector, especially law enforcement, and the UN work closely with tech companies, build trust and show them that cooperation is to their long term benefit.

One solution that tech companies can implement, and improve, easily is content denial according to a representative of the United Nation Counter-Terrorism Committee Executive Directorate (CTED). When content is not uploaded to the internet, it cannot be spread.  This applies to disinformation as well as to videos of terrorist acts. With the role out of 5G almost worldwide, this is a major topic as 5G will make downloads up to 95% faster and therefore even more difficult to stop content spread, when it is on the internet. Another fear for law enforcement is the likelihood that social media companies will adapt some functions of traditional banks, whereby it will be possible that Facebook has a cryptocurrency which can be sent via WhatsApp.

“Everything you get for free on the Internet, you pay for with your private data”

Alex Gladstein, Human Rights Foundation

Currently, the tech sector is more or less self-regulatory which causes two issues: First, Tech companies act according to their own standards, which is problematic due to their ‘social and political naivety’ as one UN representative put it. The second issue is, as hindsight has shown, tech companies only act after a tragedy. A second possible regulatory approach would be a pro-active government led one, which the Counter Extremism Project is advocating.  The idea is that companies would like to follow more stringent norms regarding Cyber-Security issues, but cannot propose them as they generally go hand in hand with a loss of data in their possession and with that, a loss in revenue. However, if they are required by law to do so, a loss in revenue is no more voluntarily. A third approach was suggested by INTERPOL, whereby the UN is to set standards for regulating the Cyber-Space worldwide.

The future problems of Cyber-Security range from quantum computing and Artificial Intelligence to already existing ones, such as autonomous weapons and the use of Cyber-Space by terrorist networks. Hence, there is the need for innovative solutions and responses from new alliances.

_______________________________________________________

[1] https://s3.amazonaws.com/unoda-web/wp-content/uploads/2019/01/Information-Security-Fact-Sheet-Jan2019.pdf

[2] “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.”

[3] https://publicadministration.un.org/egovkb/Portals/egovkb/Documents/un/2018-Survey/E-Government%20Survey%202018_FINAL%20for%20web.pdf

[4] https://www.mkm.ee/sites/default/files/cyber_security_strategy_2014-2017_public_version.pdf

[5] https://www.ria.ee/sites/default/files/content-editors/kuberturve/ria-csa-2018.pdf

[6] https://www.bsi.bund.de/EN/Topics/ITGrundschutz/itgrundschutz_node.html

[7] https://i.unu.edu/media/cpr.unu.edu/attachment/3472/PauwelsAIGeopolitics.pdf