Arria-formula Meeting on “Preventing Civilian Impact of Malicious Cyber Activities”
Tomorrow (20 December), Security Council members will hold a closed Arria-formula meeting on “Preventing Civilian Impact of Malicious Cyber Activities”. The meeting is being organised by Estonia and the UK. The expected briefers are High Representative for Disarmament Affairs Izumi Nakamitsu and ICRC Director for International Law and Policy Helen Durham.
The meeting will take place at 3 pm EST and participation is limited to current and incoming Council members.
According to a concept note prepared by the co-organisers, the objective of tomorrow’s meeting is to foster discussion on ways to prevent and mitigate the consequences of malicious cyber activities targeting critical civilian infrastructure. The meeting will also serve as a platform for Council members to discuss the diplomatic tools available to states to respond to such activities. The concept note says that cyberattacks targeting critical civilian infrastructure pose a significant threat to the well-being and livelihood of civilian populations, and that preventing and limiting the effects of malicious activities “can be of crucial importance for conflict prevention”.
The concept note also describes the normative framework for responsible state behaviour in cyberspace, mentioning the consensus reports adopted by the Group of Governmental Experts (GGE) in 2010, 2013, 2015 and 2021 and the Open-Ended Working Group (OEWG)’s consensus report in 2021. The GGE and OEWG are General Assembly-mandated processes. According to its founding resolution, adopted in December 2018, the OEWG strives to “further develop the rules, norms and principles of responsible behaviour of states…and the ways for their implementation regarding information and telecommunications in the context of international security”. While the OEWG is open to all member states, the GGE, with a similar mandate, is composed of experts who represent 25 member states.
The co-organisers propose several questions to help guide the discussion at tomorrow’s meeting, including:
What are the most pertinent threats and risks to civilian infrastructure stemming from the malicious use of cyberspace?
How can states mitigate the humanitarian effects of the malicious use of information and communications technologies (ICTs) in conflict situations?
What peaceful options and diplomatic tools are available to states in responding to cyber-attacks?
What kind of capacity-building measures can states take to further reduce the potential civilian impact from malicious cyber incidents?
In organising tomorrow’s meeting, Estonia apparently seeks to build on its efforts to raise awareness of the challenges posed by cyber activities to international peace and security. Estonia has identified cybersecurity as one of its main priorities during its two-year Council term, which will conclude at the end of December, and has sought to facilitate discussions on the Council’s role in addressing this issue. On 5 March 2020, Estonia and the US initiated a discussion under “any other business” on cyber threats and hybrid warfare, after Georgia informed the Council that its government and media websites had been targeted by a large-scale cyber-attack in October 2019. In a joint statement to the media after the meeting, Estonia, the UK, and the US accused Russian military intelligence of these attacks, saying that they represent a wider pattern of behaviour by Moscow. Russia denied the accusations and said that there is no evidence to support those claims.
In May 2020, Estonia organised an Arria-formula meeting on “Cyber Stability, Conflict Prevention and Capacity Building”, focusing on issues related to the application of international law in cyberspace, existing frameworks for responsible state behaviour, and capacity and confidence-building measures in cyberspace. In August 2020, Indonesia, together with Belgium, Estonia and Viet Nam, organised an Arria-formula meeting on “Cyber-Attacks Against Critical Infrastructure”. Estonia convened a high-level open debate on cybersecurity during its June Council presidency, which was the first formal Council meeting on this topic.
The need to protect critical civilian infrastructure—a focus of tomorrow’s meeting—has been emphasised by Council members on several occasions. On 27 April, Viet Nam convened a virtual high-level open debate, which focused on safeguarding objects indispensable to the survival of the civilian population, such as medical facilities, energy systems and water installations. On the same day, the Council unanimously adopted resolution 2573, condemning attacks against civilians and civilian objects in situations of armed conflict and urging all parties to conflict to protect civilian infrastructure that is critical to the provision of essential public services.
At tomorrow’s meeting, the briefers are likely to emphasise that cyber-attacks pose a significant threat to critical civilian infrastructure given its reliance on ICTs to function. Nakamitsu may note that attributing responsibility for cyber-attacks is difficult, which could lead to unintended armed responses and escalation. She may refer to the Secretary-General’s “Securing Our Common Future: Agenda for Disarmament”, published in 2018, which stresses the need to comprehend and address a new generation of technology that could threaten existing legal, humanitarian and ethical norms as well as peace and security. Durham is likely to call on member states to reaffirm and clarify the legal framework that protects critical civilian infrastructure against malicious cyber activities, particularly in the context of armed conflict. She may also urge member states to carry out confidence-building measures to complement the legal framework.
A persistently divisive issue among Council members is whether existing international humanitarian law applies to cyberspace. The 2021 GGE consensus report noted that “international humanitarian law applies only in situations of armed conflict”. Several Council members, including the co-organisers of tomorrow’s meeting, are likely to express the view that existing international humanitarian law applies to cyberspace. These members may contend that the international humanitarian law principles of humanity; military necessity; proportionality; and distinction between civilians and combatants, and between civilian and military objects—which aim to limit the effects of armed conflict—apply to the use of ICTs by states in conflict situations. Some Council members, including Russia, may emphasise that the question of international law’s applicability to cyberspace should be discussed by the OEWG. At the June open debate on cybersecurity, Russia criticised the practice of “incorrectly interpreting the applicability of international law in the digital sphere as being ‘automatic’ in order to justify the use of force and present national views as a product of global consensus”.
Some members, including Russia, are likely to warn against the justification of unilateral sanctions and the use of force against other member states on the basis of GGE and OEWG recommendations. Russia has previously cautioned against the concept of “preventive military cyberstrikes”, including against critical infrastructure, maintaining that this doctrine is counterproductive in preventing conflict arising from the use of ICTs.
Another contentious issue is whether the Security Council should play a role in addressing the threats to peace and security posed by cyber-attacks. Several Council members, including the co-organisers, have expressed the view that the Security Council should respond to incidents in which malicious cyber activity exacerbates conflict or causes humanitarian suffering, just as it would to threats posed by more conventional means. Russia, on the other hand, is likely to maintain that the General Assembly remains the main platform for considering this issue. It may argue that the Council should focus on supporting General Assembly processes and avoid discussing GGE and OEWG recommendations.