On June 20th, 2024, the Republic of Korea (ROK) will organize a High-Level Open Debate on cybersecurity as the signature event of its UN Security Council (UNSC) presidency. This follows on from ROK’s co-hosting of an Arria-formula meeting in April 2024 with Japan and the United States. The Arria-formula meeting focused largely on the ever-evolving cyber threat landscape, while also creating an opportunity for states and briefers to comment on how the UNSC’s role in addressing cyber threats can be enhanced.
The focus of June’s Open Debate will be on the “Maintenance of International Peace and Security: Addressing Evolving Threats in Cyberspace”. It is anticipated that the meeting will build on April’s Arria-formula meeting by continuing to consider cyber threats but in this instance ROK is also encouraging states to look ahead and consider the way forward: what are the specific roles and actions that the Security Council undertake to address the challenges emanating from cyberspace, how are cyber threats interlinked with other agenda items of the Security Council, and how can the Council avoid duplicating work undertaken in other parts of the UN system?
Since 2016, several Arria-formula meetings have considered cyber security in the context of international peace and security, hybrid warfare, its implications for critical infrastructure protection, and preventing civilian impact. Other meetings have considered adjacent issues such as emerging technologies, the role of social media in inciting discrimination, hostility, and violence, and more recently, artificial intelligence. Cyber has also surfaced in relation to discussions about operations against Georgia and as part of regional meetings in the Middle East.
In 2021, Estonia convened the Council’s first High-Level Open Debate on the topic with the objective of contributing to a better understanding of the growing risks stemming from malicious activities in cyberspace and their impact on international peace and security as well as addressing the global efforts to promote peace and stability in cyberspace.
While these meetings and efforts have proven highly beneficial, deeper and more regular exchange on cyber threats and related issues is needed. There are different views among states about if and how the Council should address ICT and cyber issues—while many states are supportive of doing so, some have not expressed views and a few oppose it. An important baseline consideration is the relevance of the topic to the Council’s responsibility for upholding international peace and security; a connection that many have noted explicitly and ample research supports. As the UN High Representative for Disarmament Affairs noted in her remarks to the 2021 Debate, “Given these implications for the maintenance of international peace and security resulting from ICT threats, engagement by the Security Council on this issue is paramount.”
The State of Play: Stimson’s Initial Research Findings
Assuming that there is general and sufficient agreement about the need for the Council to engage more, the next question becomes: what does this look like practically?
That is the focus of a Stimson Center project examining the potential ways in which the UNSC can more robustly and regularly address the impact of information and communications technologies (ICT) and digital on international peace and security. Since January, Stimson’s cyber program has been conducting desk research and consulting with states and stakeholders in order to better understand both the opportunities and sensitivities. We have reviewed statements and contributions to multiple relevant meetings and have engaged with states, the UN Secretariat, as well as nongovernmental stakeholders. Our initial findings will be published in a “food for thought” paper as a catalyst for further dialogue and action.
About the Policy Memo
This policy memo provides early observations in advance of the Open Debate. For research and analytical purposes, the proposals we’ve uncovered can be organized into three broad categories: general views about the approach or role of the Council on cyber in relation to its mandate; the linking of cybersecurity and cybercrime to thematic items already being considered by the Council; and proposals for specific Council actions or activities. In our view, these general (and very informal) categories are mutually reinforcing and interrelated. Bearing in mind the importance of “form following function”, we also believe there is value in first clarifying the substantive links and areas of convergence in order to best determine future action.
Mandate and Role of the UN Security Council
As already described, what comes through strongly in reviewing relevant materials and our consultations are the efforts to demonstrate and reinforce the relationship between cyber and international peace and security. This has been affirmed in statements as well as concept notes for relevant UN Security Council meetings. Presumably, this is because one of the main arguments against Council action on cyber has been to question its relevance as a topic. During the April 2024 Arria-formula meeting, for example, Russia asked what instances of malicious use could be confidently described as a risk to IPS?
Not surprisingly, the use of cyber and information and communications technology (ICT) in conflict situations is often highlighted in relation to the Council’s mandate, as well as the role that cyber tools and tactics can play in the escalation of tension and the related need for de-escalation. In his statement to the April 2024 Arria-formula meeting, the head of the UN Institute for Disarmament Research (UNIDIR) reminded that “The Security Council has a crucial role in de-escalating tensions and promoting accountability when significant ICT incidents occur.”
Or, as noted in the concept note for a 2023 Arria-formula meeting on cyber threats to critical infrastructure, identifying and condemning counter-normative or unlawful state conduct and encouraging positive actions to improve the security and stability of cyberspace is a way for the Council to reduce the risk of conflict arising from malicious actions.
The transboundary nature of cyber threats is sometimes referenced; for example, speaking at the 2021 Debate, the Prime Minister of Niger stated that the Council should give more attention to issues such as cybersecurity and climate change, which “know no borders.”
Thematic Links
Past Council meetings on cyber and ICT have helped to unpack the points of connection between cyber and some of the existing geographic and thematic items on its Agenda. The impact of cyber operations on peacekeeping and peacebuilding missions is an area of growing concern and one of the more immediately obvious points of connection, as are non-proliferation and counterterrorism. ROK’s April Arria-formula meeting helped to shine a light on what it describes as “grey area threats” where criminal behavior in cyberspace has growing implications on international peace and security.
There is a growing body of evidence and research about gender-based digital violence and cyber which is spurring a move to update national Women, Peace and Security (WPS) action plans accordingly.
The role of surveillance software (spyware) against journalists and human right defenders in contexts relevant to the Council is also increasingly well-documented, as is the growing frequency of internet shutdowns in conflict and crisis situations.
Meetings on non-cyber topics have also clarified the points of connection between cyber issues. Estonia’s concept note for the 2021 Open Debate recalled that as part of a Council debate on complex contemporary challenges to international peace and security organized by Japan, the UN Secretary-General identified cybersecurity as one of the escalating dangers to international peace and security. The concept note further recalls that during a 2019 open debate on challenges to peace and security in the Middle East, Poland suggested as an organizer that members consider “[h]ow to counteract cyber threats, including threats to energy infrastructure, in terms of promoting cooperative mechanisms for deterring and responding to significant cyber incidents in the Middle East”. In April 2021, under the presidency of Viet Nam, briefers as well as several participants of the high-level debate on “Protection of civilians in armed conflict: indispensable civilian objects” pointed to the threats that malicious cyber activities pose to critical infrastructure, notably medical facilities.
The process of identifying these linkages also informs the approach—for example, cyber-related concerns could be “mainstreamed” or integrated within work on the existing geographic and thematic files.
Actions
Building on the above, there are diverse ideas about practical and tangible actions that could be pursued.
One pathway forward relates to taking action in the context of thematic items, such as non-proliferation. For example, during the April Arria-formula meeting Japan suggested that the work of the 1540 Committee could be continuously updated to reflect the use of ICTs and noted the growing cyber threat to arms control and nonproliferation regime; France, ROK, and Switzerland have suggested a more proactive role in monitoring the role of cyber/ICT in sanctions evasions. As part of this approach, the Council could update or revise existing mandates to account for cyber implications in order to address cyber threats comprehensively. Council members and other member states could more regularly reference cyber-related concerns, developments, or threats within statements and actions on priority issues or in relation to country and regional work, or receive threat briefings.
A second pathway forward would involve the Council taking action to address incidents where cyber or ICT activity exacerbates conflict or to address severe malicious cyber incidents. Some states, including Slovenia (2024) and the United Kingdom (2021), have likened this response to how the Council would respond to threats posed by conventional means. In this context, cyber sanctions or establishing a dedicated cyber monitoring body under a Council mandate could be relevant.
This is where the Council’s ongoing consideration of cyber threats is significant and should continue to deepen in granularity. For the UNSC to investigate and determine if a cyber operation or incident poses a threat to peace or constitutes an act of aggression, more discussion is needed about how the Council can better define and prioritize cyber threats that pose a risk to international peace and security: what are the key indicators that a threat has escalated to a level warranting Council’s attention? Are there measures to be taken by which the Council can prevent escalation of cyber threats? All UN Member States have agreed that international law including the UN Charter are applicable to state use of ICTs, but what does this mean in practice?
Proposals have also been made about meetings and products, all of which would contribute to awareness and understanding. Some include the suggestion to convene an annual discussion focused on the cyber threat landscape; requesting the UN Secretary-General to release an annual report on cyber trends; regular cyber threat briefings for Council members; or the convening of emergency meetings, if and as needed.
Multiple countries have also stressed a need for the Council to affirm and uphold the UN Framework of Responsible Behavior in Cyberspace, which is premised on the consensus agreement about the applicability of international law to cyberspace and a set of 11 voluntary, peace-time behavioral norms developed by the 2015 Group of Governmental Experts (GGE) on ICTs and endorsed by the UN General Assembly on multiple occasions. In the context of upholding law and norms, a few states and stakeholders consulted with have indicated that there might be a role for the Security Council in enforcing accountability measures in relation to the malicious use of ICT. This could take the form of more proactively encouraging the development of capabilities to track and attribute cyber activities more accurately, as a way for the UNSC can enhance its ability to hold actors accountable.
A third pathway forward would involve cyber or ICT becoming its own thematic item. At present, there has not been any suggestion of doing so; rather there is more support for improving how the Council can address the cyber dimension of existing thematic and geographic items. That said, should the Council begin to address other technological issues in a more regular and focused way, one suggested approach has been to ‘bundle’ cyber with other adjacent concerns such as artificial intelligence.
Developing A Value Proposition
In a commentary that Stimson published in April, we noted that “Future engagement from the Council will need to identify what its unique role and value-add will be, and how any future work or uptake can complement other UN processes.”
This last point may be the stickiest to sort out, for reasons both political and practical. One of the main arguments against Council action on cyber-related issues is that there are other bodies within the UN system to deal with cyber. The Open-ended Working Group (OEWG) established by the UNGA’s First Committee is cited most often in the context given that the First Committee also deals with matters of international security and disarmament. Russia established the OEWG. It is also a P5 and has so far been vocal about not seeing a role for cyber within the Council. Yet, other topics that are within the purview of the First Committee such as small arms and light weapons, and WMD non-proliferation, have found a place within the UNSC either as their own thematic issue or in the context of existing thematic or geographic items.
Most states and stakeholders agree that complementarity is vital, even those that envision a more robust or vocal role for the Council on cyber-related topics. At a minimum, discussion within the Council should invoke and be premised on the consensus decisions that make up the UN Framework and reflect outputs developed by the OEWG. The Council pursues areas where it has clear authority and capability, such as sanctioning known malicious actors or facilitating international cooperation and information sharing.
Speaking at the 2021 High-level Open Debate, the Estonian Prime Minister observed that “Even as we face a number of new challenges, the values and principles agreed upon in the Charter of the United Nations 76 years ago remain just as valid today. Upholding them in our increasingly digital future has become one of the most pressing global tasks.”
The value of addressing cyber threats and impacts in fora like the UNSC is that it offers states an opportunity to play a role in developing responses to and mitigating the cyber threats they face individually—and collectively. There are important questions about diplomatic relations and geopolitical realities that need to be considered, but downplaying or continuing to overlook the impacts of cyber or other so-called emerging technologies brings into question the relevance and future viability of the Council, at a time when disillusionment over its ability to take meaningful action is especially high.
ROK’s efforts to elevate the topic throughout its time on the UN Security Council have been crucial for raising awareness and building momentum. “The open debate is an opportunity to gather the collective wisdom of all UN member states on how the Council as the primary organ responsible for the maintenance of international peace and security will address this important issue,” noted Joonkook Hwang, ROK’s permanent representative in an interview with PassBlue. The Council should leverage the current momentum among states to engage more constructively on this question. Cybersecurity and cybercrime do not exist in a vacuum but have widespread impacts that affect the international community as a whole.
This post was originally published on the 3rd party site mentioned in the title of this this site