Reflexions on the hostile activities in cyberspace and the international legal landscape promoted by the United Nations


The Cyber Threat Landscape

In July 2024, the United Nations (UN) Open-ended Working Group on the Security and Use of Information and Communications Technologies (OEWG) will start working on its third annual progress report, which will be submitted to the UN General Assembly (UNGA)1.

The OEWG President has already sent the Zero Draft, dated May 29, 2024, to UN Member States for public discussion2. This draft outlines the evolution of the eleven voluntary non-binding norms of responsible state behaviour in the use of Information and Communications Technologies (UN non-binding norms) and includes regulatory proposals. These norms were adopted by consensus by the UN Group of Governmental Experts (GGE) in 2015 and later by the OEWG3. This decalogue concerns: the maintenance of international peace and security in line with the objectives and principles of the UN; the ban on using state territory for internationally prohibited activities; the peaceful use of Information and Communications Technologies (ICT) in compliance with human rights; the respect for state sovereignty; the peaceful resolution of international disputes; and the prohibition of interference and non-intervention in the internal and external affairs of states through ICT.

The Zero Draft prompts important considerations about the application of these norms in today’s digital environment4. This environment is a challenging geopolitical arena where the malicious use of ICT by state and non-state actors significantly impacts national and international peace and security5.

The current cyber threat landscape is highly dynamic, constantly evolving, and complex. It is continuously redefined by the nature of hostile activities in cyberspace and the increasing number and variety of threat actors6. Hostile activities are growing in both scale and intensity, partly due to the offensive use of emerging technologies such as Artificial Intelligence (AI) and, in the near future, Post-Quantum Computing7. AI is used to create new vectors of attack by scanning the ICT systems of public and private critical infrastructures to find vulnerabilities, thereby expanding their surface of attack.

These malicious cyber operations have far-reaching impacts on public safety and national security, and may cause cascading effects at national, regional, and global levels. They can include pre-positioning malware for exploitation in potential conflicts, which increases the risk of escalation and conflict both in cyberspace and beyond.

These operations can even exceed the threshold of the prohibition on the use of force, as stated in Article 2, para. 4, of the UN Charter, which prohibits “the threat or use of force against the political independence or territorial integrity of any state, or in any other manner inconsistent with the purposes of the United Nations”8.

Most hostile activities conducted so far, such as those in 2007 against Estonia, in 2019 against Georgia, and in 2014 and 2022 against Ukraine, do not violate the prohibition on the use of force or the law of armed conflict9. Instead, they violate the principles of non-intervention or of territorial sovereignty of the targeted states because cyber operations are often part of a composite operation. Therefore, they need to be addressed differently.

As cyberspace becomes increasingly crucial for the maintenance of international peace and security, as acknowledged by the UN Security Council in its informal meeting on the “Evolving cyber threat landscape and its implications for the maintenance of international peace and security” 10, the aim of this paper is to explain the landscape of hostile activities and of actors in cyberspace in the light of the OEWG’s contribution to the evolving framework of the UN non-binding norms. Specifically, we will analyse the action-oriented proposals of the Zero Draft and their potential role in reducing risks to international peace and security.

Hostile Activities and Hostile Actors in Cyberspace

Malicious cyber operations are conducted using worms, logic bombs, malware, trojans, and bots to inflict ransomware, distributed denial-of-service (DDoS) attacks, cyber espionage, or to deploy wipers to disrupt and destroy large datasets in critical sectors11. These activities can cause damage in both the digital and physical worlds, across various jurisdictions, often targeting critical and strategic infrastructures within national cybersecurity perimeters. Such operations undermine the functioning of essential services like national healthcare systems, banking and financial services, large automated industrial complexes in the energy and manufacturing sectors, transportation, telecommunications, water plants, and recently undersea cables and orbit communication systems.

From a financial perspective, cybercrime is the world’s third largest economy. Its costs reached $8.44 trillion in 2022 and, according to data from the FBI and IMF, are expected to surge to $23.84 trillion by 202712.

Malicious actors in cyberspace can be divided into two categories: states and non-state actors. States are developing ICT capabilities for military purposes and have used them in international conflicts (e.g., Russia and Ukraine), regional rivalries (e.g., India and Pakistan), and conflicts (e.g., Israel and Hamas)13. States often use their military and intelligence apparatus to organize cyber hostile operations, though they prefer to act through groups of professional criminal hackers, known as proxies (Albania)14.

Non-state actors include individuals, groups, companies, or private military and security companies that now demonstrate ICT capabilities that previously were only available to states. This shift is partly due to the cheap commercial availability of ransomware tools (ransomware-as-a-service), leading to the privatization of offensive cyber capabilities. Non-state actors can be terrorists, criminal groups, hacktivists, patriotic hackers, Advanced Persistent Threats (APTs), and cyber mercenaries. The latter are private actors engaged by states to conduct offensive or defensive cyber operations to weaken the military capacities of adversary forces or undermine the integrity of other states’ territories15.

Criminal hackers typically pursue economic and political goals. Economically motivated cybercrimes can generate profits from hundreds to millions of dollars, enabling their self-financing. Politically motivated cyber activities often reflect the geopolitical positions of hacktivist groups or states on specific issues, such as the conflict in Ukraine or the conflicts between Israel and Hamas.

From the European Union (EU) perspective, a key trend in cyberspace is the blurring of lines between state-sponsored and criminal or financially motivated actors16. States increasingly act through non-state actors, who have assumed a prominent role in modern conflicts. This strategy allows states to elude international responsibility for malicious activities committed by non-state actors, given the high evidential standards required for attribution in international law17. Additionally, the anonymity provided by cyberspace, especially using The Onion Router (Tor) and virtual private networking (VPN), makes it difficult to identify both the individual responsible for the malicious activities and the sponsoring state18. The use of these tools can lead to misattribution, as in the case of false flag operations, where a target state reacts against an incorrect party19. The cited difficulties in collecting the digital evidence needed for attribution in international law require alternative solutions to prevent states from orchestrating cyber proxy wars.

The UN Contribution to the Evolution of the International Legal Landscape of Cyberspace

To address the multifaceted nature of cyber threats, the UN has consistently worked to build a consensus on the applicability of international law to activities in cyberspace. Significant contributions in this sector come from the GGE, whose reports were agreed upon by consensus in 2013, 2015, and 2021, and the OEWG, whose reports were adopted in 2021, 2022, and 202320. These two working groups, established by the UNGA, have similar mandates, although different geopolitical origins. They promote the UN non-binding norms of responsible state behaviour, based on international law, particularly the UN Charter, “which is applicable and is essential to maintaining peace, security and stability in the ICT environment”21.

The OEWG’s mission is to contribute to the creation of an open, safe, secure, stable, accessible, and peaceful ICT environment to maintain international peace and security by proposing an open, non-exhaustive list of rules, norms, principles of international law, and confidence-building measures and consensus-building22.

The OEWG’s confidence-building measures intend to operationalize the UN non-binding norms, particularly regarding sovereignty, non-intervention in internal and external state affairs, peaceful settlement of disputes, state responsibility, due diligence, and the application of international humanitarian law in armed conflicts23. States recognize the importance of these discussions within the OEWG’s yearly sessions as they lead to common understandings on how international law applies to ICT use, increasing the predictability of state behaviour, reducing the risk of miscalculation in attributing cyber activities, and clarifying the consequences of unlawful state behaviour24.

Recent Proposals for Confidence-Building Measures to Counter Malicious Activities in Cyberspace

The OEWG has put forth several concrete and actionable proposals regarding the interpretation and application of international law principles in cyberspace, as outlined in the Zero Draft. These proposals serve as a practical checklist for implementing the UN non-binding norms.

Beginning with the notion of state sovereignty, which extends to jurisdiction over ICT infrastructure within its territory, these proposals advocate for states to apply existing international law obligations to protect their ICT infrastructure from cyber threats25. Such measures are crucial for ensuring the prompt addressing of ICT vulnerabilities, thereby reducing the risk of exploitation by malicious actors. Timely discovery, disclosure, and addressing of ICT vulnerabilities can prevent harmful practices, foster trust and confidence, and reduce threats to international security and stability.

Furthermore, in accordance with the principle of non-intervention, states must refrain from intervening, directly or indirectly, in the internal and external affairs of other states also through ICT.

Aligned with the principle of state sovereignty, Norm C of the UN non-binding norms emphasizes that states should not knowingly allow their territory to be used for wrongful acts via ICT. Under its corollary, the principle of due diligence, states should “not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public” of other states26. In the event of malicious cyber activities occurring within or transiting through a state’s territory, the state is expected to take reasonable, proportionate, and effective measures to halt such activities, consistent with international law. However, it is not expected that the state should monitor all ICT activities within its territory.

Discussions among states also revolve around how to address the transborder nature and anonymity of ICT operations under international law, particularly concerning when malicious activities reach the threshold of the use of force and, eventually, constitute an armed attack. States are encouraged to respond to requests for assistance and mitigation from other states whose critical infrastructure has been targeted by malicious activities, especially if they pose threats to international peace and security.

States are also asked to facilitate the tracing of hostile activities on critical information infrastructures and, when appropriate, disclose this information to other states. In case of an ICT incident, the affected state should notify the state from which the hostile activity is emanating, although receipt of the notification does not imply acknowledgment of responsibility by the receiving state.

In this context, the paper entitled “Draft Elements for the Open-Ended Action-Oriented Permanent Mechanism on ICT Security in the Context of International Security” proposed by the OEWG’s Chair deals with the establishment of a Permanent Mechanism on ICT Security27. This mechanism, to be submitted for states’ approval in July 2024, will foster regular institutional dialogue to develop the application of international law in ICT use, particularly in responding to malicious cyber activities attributable to states. It is expected to serve as a scenario-case discussion to address such activities in accordance with states’ obligations under international law.

Regarding the application of the obligation of peaceful solutions of disputes between states (Article 2, para. 3, UN Charter), the OEWG proposes the establishment of a global, inter-governmental Points of Contact (POC) directory. This directory aims to facilitate secure and direct communications between states during urgent and significant ICT incidents, helping to build confidence, de-escalate tension, and prevent misunderstandings and misperceptions that could lead to international crisis.

The manager of the POC directory will be the UN Office for Disarmament Affairs (UNODA) and the Zero Draft suggests that all interested states should nominate their national POCs. Standardized templates could further optimize direct communications between states during significant ICT incidents through the POC directory; it could ensure clarity and timeliness while maintaining flexibility and voluntariness especially in cases of urgent request.

Another notable initiative is the creation of a Global Cyber Security Cooperation Portal (GCSCP), which could complement the proposal for a repository of best practices in ICT security capacity-building. This measure aims to address the lack of awareness of existing and potential threats and the lack of technical capacities among states to detect and defend against malicious ICT activities, especially in the case of developing countries.

Concluding remarks

The evolving cyber threat landscape presents significant challenges to international peace and security. The increasing sophistication and frequency of cyber-attacks by state and non-state actors highlight the urgent need for a robust and adaptive international legal framework. As cyber operations continue to blur the lines between conventional and unconventional warfare, the international community must work together to address these emerging threats.

Moreover, the challenges of attribution, accountability, and evidentiary issues require innovative and cooperative solutions28. The complexity of cyberspace demands that states not only strengthen their defensive capabilities but also engage in proactive measures to prevent cyber incidents. By adopting and operationalizing the proposed confidence-building measures, states can enhance the predictability of their behaviour in cyberspace, thereby reducing the risk of miscalculations and conflicts.

In this scenario, the OEWG plays a crucial role in shaping this framework by promoting the implementation of voluntary non-binding norms of responsible state behaviour in cyberspace and crafting the essence of cyber diplomacy.

Key proposals from the Zero Draft, such as enhancing state sovereignty over ICT infrastructure, ensuring non-intervention, and promoting due diligence, provide a solid foundation for building trust and cooperation among states. These measures, coupled with the establishment of a global Points of Contact directory and the reaffirmation of international humanitarian law in cyberspace, offer practical steps toward reducing the risks of cyber conflicts and their humanitarian impact.

The Zero Draft of the OEWG’s third annual progress report underscores the necessity of the application of these norms and proposes actionable measures to mitigate cyber threats. By fostering dialogue and consensus among UN Member States, the OEWG aims to enhance cyber international peace and security.

In conclusion, the OEWG’s initiatives represent significant progress towards establishing a secure, stable, and peaceful ICT environment especially because the proposed solutions are sustainable, effective, and affordable. By embracing these proposals and fostering greater collaboration, UN Member States can ensure that the digital realm contributes to international peace and security rather than becoming a source of conflict and instability. However, the development of international cyber law faces significant challenges, and several critical factors hinder progress. For instance, states are reluctant to formalize the UN’s non-binding rules into an international treaty due to geopolitical rivalries, to concerns about protecting fundamental rights and freedoms, and to unclear national positions on how international law applies to ICT activities29. The path forward requires sustained commitment, cooperation, and innovation to navigate the complexities of the cyber threat landscape and to protect the integrity and stability of our interconnected world. The international community stands at a critical juncture in the governance of cyberspace next July and for the next decades.
