Earlier this month, a United Nations (UN) working group open to all member states took the historic and much-needed step of agreeing on expectations for responsible nation-state behavior online. This comes at a critical time, in the wake of two major nation-state campaigns by the actors Microsoft tracks as Nobelium and Hafnium, and of a wave of attacks targeting health care organizations during the Covid-19 pandemic. While more needs to be done, we should all be encouraged by the UN’s progress and the solidarity taking shape against indiscriminate nation-state attacks that cause widespread harm.
This new consensus was reached via the UN’s Open-Ended Working Group (OEWG) on cybersecurity, which issued its final report after nearly two years of deliberations. This is the first time such a document has been negotiated and agreed upon in a working group open to all 193 UN Member States. Previous UN agreements on cyber rules were negotiated in comparatively smaller settings, and it has been over five years since any of those processes last agreed on expectations for responsible behavior online. In the meantime, sophisticated attacks and nation-state conflicts have continued to escalate.
The OEWG also set new precedent for the UN by being more open to input and participation from organizations outside government, including companies like Microsoft. Cyberspace is largely developed and maintained by private organizations, and battlefields online are by no means constrained by physical borders, so private-sector engagement is critical to protecting cyberspace. Building on this legacy of multistakeholder participation will be essential to future progress.
While the entire report is a major step forward, three aspects are particularly noteworthy.
First, it elevates and affirms the authority of international law in cyberspace and the set of norms for responsible behavior that were adopted as voluntary standards in 2015. Among other things, those norms place critical infrastructure and computer emergency response teams (CERTs) off limits: states should not conduct or knowingly support cyber operations that intentionally damage critical infrastructure, and should neither harm the CERTs of other states nor use their own CERTs for malicious activity. To this end, the report also encourages states to be transparent and concrete about how they understand these rules to apply and what they are doing to implement them.
Second, it recognizes a need to protect healthcare from cyberattacks, including medical services and facilities. Amid the ongoing global pandemic, such attacks have targeted hospitals and health care organizations across the United States and organizations around the world, including Brno University Hospital in the Czech Republic, Paris’s hospital system, the computer systems of Spain’s hospitals, hospitals in Thailand and even international bodies such as the World Health Organization.
Third, it calls on states to protect the information and communications technology (ICT) supply chain. The Nobelium attack against SolarWinds was just the latest example of a supply chain attack with far-reaching consequences that should not be tolerated. By corrupting the software update process, Nobelium put thousands of individuals and organizations at undue risk, and attacks of this kind threaten to undermine public trust in the update mechanisms that every vendor relies on to keep the digital ecosystem secure. The UN has made similar statements before, however, so we hope to see further action in the days ahead to uphold this commitment.
Beyond these specific areas, the group also recognized the importance of cybersecurity capacity building as a linchpin for all these commitments. Nations around the world have vastly different capacities and implementing international expectations in cyberspace will require new investments, especially in emerging economies. All this diplomatic work will be for naught if states are unable to follow through on their own commitments and recommendations. Cybersecurity is not zero-sum, and when any one nation is more secure, we all reap the benefits.
While we are encouraged by the OEWG report, there is one place where we urge all UN member states to take more action: human rights. The report regrettably contains only cursory references to human rights and omits any reference to international humanitarian law, both of which should be upheld in cyberspace as they are in the physical domain.
Achieving consensus on this report is indeed an important win for inclusive multilateralism and diplomacy, as well as for cybersecurity, but more work is required in the near-term. We urge states to continue to build on this positive outcome to turn the tide against escalating conflict online by continuing to engage in robust and inclusive dialogues. The French government’s proposed Programme of Action (PoA) is one possible path forward that could consolidate UN cyber deliberations into a single standing process while helping to facilitate and streamline necessary multistakeholder inclusion. We are grateful to the governments that have wrestled with these issues for years, and we at Microsoft will support the next steps required to protect our shared cyberspace.