Cybersecurity: Open Debate
Tomorrow (20 June), the Republic of Korea (ROK) will convene a high-level Security Council open debate on cybersecurity as a signature event of its June presidency. The ROK’s Minister of Foreign Affairs, Cho Tae-yul, is expected to chair the meeting. The anticipated briefers are Secretary-General António Guterres; Stéphane Duguin, the CEO of the CyberPeace Institute, a non-governmental organisation (NGO) that provides cybersecurity assistance to NGOs and other critical sectors; and Nnenna Ifeanyi-Ajufo, Professor of Law and Technology at Leeds Beckett University and Vice Chair of the African Union Cyber Security Experts Group.
Over the past several years, the Council has taken a more active role in addressing cyber threats to international peace and security. To date, Council members have mostly discussed cybersecurity in informal settings, such as Arria-formula meetings. These discussions have encompassed a broad range of topics, from cyberattacks on critical infrastructure to efforts aimed at countering hate speech on social media. Most recently, on 4 April, the ROK convened, together with Japan and the US, an Arria-formula meeting titled “Evolving Cyber Threat Landscape and its Implications for the Maintenance of International Peace and Security”. (For more information, see our 3 April What’s in Blue story.)
A Council meeting on cybersecurity took place via videoconference on 29 June 2021, during the presidency of then-Council member Estonia. (For more background, see the brief on cybersecurity in our June 2024 Monthly Forecast.)
According to the concept note prepared by the ROK, the objective of tomorrow’s open debate is to foster a common understanding among member states of how to enhance the Security Council’s role in addressing cyber threats. The concept note says that proactive engagement in cybersecurity enables the Council to effectively respond to malicious cyber activities, thereby contributing to the establishment of a globally secure, open, and peaceful cyberspace. In this regard, it outlines potential actions for the Council, which were raised at the 4 April Arria-formula meeting, including regular briefings by the UN Secretariat to inform the Council about the evolving cyber threat landscape as it pertains to the Council’s mandate. Another suggestion is for the Council to consider integrating cyber, or concerns related to the use of information and communications technologies (ICTs), when addressing country-specific situations and thematic issues on the Council’s agenda.
The concept note poses several questions to help guide tomorrow’s discussion, including:
- How does the malicious use of ICTs serve as a “threat multiplier” on existing conflicts in ways that necessitate the engagement of the Security Council?
- What specific role can the Security Council play in addressing the challenges to international peace and security stemming from cyberspace, and how can this role develop within its mandate in a mutually reinforcing and complementary manner alongside the existing work of other UN bodies?
- How can the Security Council effectively mainstream cyber or ICT-related concerns into its existing body of work?
At tomorrow’s meeting, Council members are expected to highlight their respective national cybersecurity priorities. Members are likely to note the significant national security implications of cyberattacks on critical infrastructure, emphasising how such attacks can exacerbate tensions and potentially trigger armed conflicts.
Additionally, some Council members may discuss the repercussions of digital technology misuse on human rights and fundamental freedoms, its interference in democratic processes, and its role in exacerbating conflicts. These members may underscore the need to tackle online hate speech, disinformation, and the misuse of commercial spyware, while recognising that emerging technologies such as artificial intelligence (AI) and quantum computing may amplify these threats. In this regard, some members may advocate for a human rights-based approach to digital technologies governance. Currently, a multistakeholder process is underway to develop a Global Digital Compact ahead of the September 2024 Summit of the Future. Negotiations are also ongoing for a Pact for the Future, which aims to address challenges arising from emerging domains such as cyberspace.
Based on themes contained in the concept note, some Council members may reference the use of tactics such as cryptocurrency theft to support terrorist activities and to fund weapons of mass destruction programmes. Several members are expected to mention the activities of the Democratic People’s Republic of Korea (DPRK) in cyberspace, a priority issue for the ROK, Japan, and other like-minded members. They might refer to reports by the Panel of Experts (PoE) assisting the 1718 DPRK Sanctions Committee, which have documented DPRK actors’ involvement in cyberattacks targeting financial institutions and critical infrastructure. On 28 March, the Council failed to adopt a draft resolution extending the PoE’s mandate owing to a veto cast by Russia; the Panel’s mandate expired on 30 April. (For more information, see our 22 March What’s in Blue story.)
The PoE’s final report, published on 7 March, reported that the DPRK had continued to flout the 1718 sanctions regime and noted that the Panel was investigating 58 cyberattacks on cryptocurrency-related companies between 2017 and 2023, totaling approximately $3 billion, with proceeds reportedly helping to fund the DPRK’s weapons programmes. It also noted that the Panel was investigating reports of arms transfers from the DPRK to other member states, including Russia.
Tomorrow, some Council members may criticise Russia’s veto, arguing that it served to undermine the global non-proliferation regime and embolden the DPRK’s sanctions evasion. Several members—including France, Japan, the ROK, the UK, and the US—have linked the veto to allegations of Russia purchasing arms from the DPRK for use in Ukraine. Today (19 June), Russian President Vladimir Putin met with DPRK leader Kim Jong-un in Pyongyang, where the two leaders signed a comprehensive strategic partnership agreement. At the time of writing, the details of the agreement have not been disclosed. At a press conference following the talks, Putin said that the agreement stipulates “mutual assistance in the event of aggression against one of the parties”.
Council members generally agree on the importance of implementing existing norms of responsible state behaviour in cyberspace and undertaking confidence- and capacity-building measures to reduce mistrust among member states and promote stability in cyberspace. While most member states acknowledge the Security Council’s role in addressing cybersecurity issues, opinions vary on the extent of its desired involvement. Some have expressed support for the Council’s role as a platform for raising awareness and discussing emerging threats posed by new technologies. Others have advocated for more active engagement, potentially involving investigations under Article 34 of the UN Charter into specific cyberattacks and dispute resolution under Chapter VI. (Article 34 provides that the Security Council may investigate any situation which might lead to international friction or give rise to a dispute, while Chapter VI concerns the pacific settlement of disputes.)
The threshold for determining when a cyberattack warrants the Security Council’s attention remains a subject of debate among member states. Additionally, member states recognise the difficulty of attributing responsibility for malicious cyber actions. In this regard, some states have proposed establishing a global accountability mechanism for cyberspace, in line with the recommendations of the Secretary-General’s policy brief, A New Agenda for Peace.
Russia and other member states have maintained that the Security Council is not the appropriate forum for discussing cybersecurity, arguing that it should defer to the specialised expertise of such entities as the General Assembly-mandated Open-ended Working Group (OEWG) on the security of and in the use of ICTs.
Council members are also likely to display diverging views on the applicability of international law in cyberspace and the need for developing additional legally binding obligations. (For more information on Council dynamics on this issue, see the brief on cybersecurity in our June 2024 Monthly Forecast.)
