The ongoing UN dialogues about responsible behaviour in cyberspace have brought hope that a global solution can be reached to ensure peace in the cyber domain. However, there are already obstacles visible on the road ahead. This is particularly true for the protection of ICT infrastructure. With growing cyber insecurity amid the ongoing pandemic, it is more important than ever for the private sector to support a global cyber dialogue.
With the pandemic amplifying cyber insecurities, it is critical to safeguard the integrity of the global digital world. In this new environment, it is even more critical to acknowledge that the private sector entities that own and operate a significant proportion of ICT infrastructure have a responsibility to protect national and global key assets. The OEWG was created, through Resolution 73/27, to “continue, as a priority, to further develop the rules, norms and principles of responsible behavior of States, and the ways for their implementation”. In early March 2020, the Chair of the UN OEWG shared the Initial Pre-draft of the OEWG report and asked delegations and interested non-state actors to share their feedback. Out of 193 UN member states, 44 submitted comments.
From the private sector perspective, there are two preliminary takeaways from the ongoing global cyber diplomacy negotiations. First, the global response remains largely fragmented: states have different views on and approaches to critical infrastructure protection (CIP), and may even disagree about what critical infrastructure (CI) actually means. For private sector entities, this institutional fragmentation has a negative effect: it limits their ability to protect against cyber incidents and to respond to them in a timely manner. Threat actors are becoming faster and more efficient, taking less time to compromise networks and systems. And the current institutional fragmentation in the management and protection of ICT infrastructure makes that infrastructure less reliable and less cyber resilient.
Second, the global policy response is lagging significantly behind growing threats to ICT infrastructure: the pandemic has made the situation worse and slowed down inter-state discussions. The final OEWG report was expected in summer 2020, but has now been postponed to March 2021. In the meantime, we continue “living in cyberspace” with no plan or view on a united global response to the risks associated with malicious behaviour in cyberspace, even though our cyber vulnerability has increased during the pandemic. As an example, just before COVID-19 hit, Kaspersky researchers detected more than 300,000 new malicious samples every day; that number is now 400,000 per day.
Looking at the documents produced as part of the UN OEWG process – the two pre-drafts and the comments from states – the private sector is currently faced with three main questions. First, what, from a state perspective, is the private sector’s role in CIP? Second, is this vision compatible with the actual views of private sector actors? And third, why is it important for the private sector to learn about and participate in global cyber diplomacy, including the development of cybernorms? Answering these questions, however, is hampered by the lack of a common vocabulary or common vision on the role of non-state actors, as well as by the absence of a universal approach to critical infrastructure protection.
Lack of Common Vocabulary
National submissions revealed a lack of both common terminology and common concepts. This variation was apparent not just between submissions from different countries and regions, but also between submissions from countries within the EU, a single political bloc united by common values. What, for instance, is the difference between “transnational”, “trans-border” and “supranational” critical infrastructure? Can these terms be used interchangeably? What is the difference between “critical infrastructure” and “critical information infrastructure”? How should the private sector – often the owner of ICT infrastructure – determine whether “supranational critical information infrastructure” is a “special category” of critical infrastructure? Or whether its protection is the “shared responsibility of all States”, as mentioned in Singapore’s submission?
While many UN member states do not speak about CIP in their comments, Australia, for instance, mentions three types of ICT infrastructure – national, transnational and supranational – when commenting on capacity-building efforts. Brazil, the Republic of Korea, Turkey and Venezuela use the term “critical infrastructure”. China and Cuba speak about “critical” and “ICT” infrastructure in the same way, but highlight that states should exercise jurisdiction over the ICT infrastructure, resources and ICT-related activities within their territories, thus pointing to a “national” element in the definition. Ecuador applies the term “cyberinfrastructure”, the UK adheres to “critical national infrastructure”, Indonesia mentions both “critical national” and “international” infrastructure, while Switzerland adds a prefix “trans” and comments on “transborder or transnational” critical infrastructure. Interestingly, Egypt and Pakistan mention differences in definitions and call on UN member states to “reach an agreed common definition of what constitutes ‘critical infrastructure'”.
This mix of concepts and, as a result, the risk of misunderstanding, was also highlighted by the U.S., Japan and Estonia. Interestingly, Estonia’s points about the use of unclear concepts differ from the EU’s position and those of other European states in the EU and EEA (such as Austria, the Czech Republic, Denmark, France, Germany, Ireland, Italy, Liechtenstein, the Netherlands, Norway and Sweden), which do not mention it at all. What is more, there is a paradox: while the EU and its member states (except Estonia) are silent on the lack of definitions, they discuss the protection of ICT infrastructure using different terms, leaving private sector entities unable to tell whether those different terms carry different meanings too.
The EU itself goes further and adds that “critical infrastructures are no longer confined to the borders of States but are increasingly becoming transnational and interdependent”. However, EU law (the ECI Directive and the NIS Directive) does not offer any definition of “transnational” or “supranational” critical infrastructure. That could change after the review of the NIS Directive and the update of the ECI Directive later this year.
Lack of Common State Approach to the Role of Non-State Actors
The states’ submissions also reveal a lack of common understanding about non-state actors’ role in CIP. Russia notes that the importance of a “‘multi-stakeholder approach’ […] is artificially exaggerated”. In commenting on CIP, China does not mention other stakeholders and adds that since the “OEWG is an intergovernmental process, discussion should focus on the role played by states and governments, not the opposite”. Cuba underlines the “current and insufficient regulation of private sector activities in the field of ICTs”, but remains silent on what “regulation” specifically implies. Many other states either did not comment on non-state actors’ role in CIP, or simply expressed general positive views about a multi-stakeholder approach (such as Argentina, Australia, Canada, Colombia, Ecuador, Egypt, Indonesia, Japan, Mexico, Pakistan, the Republic of Korea, Serbia, Singapore, Switzerland and the UK).
But there are some exceptions. The EU, expressing its own position and that of its member states, highlights a shared-responsibility approach that “entails involvement and partnership”, including with the private sector. Croatia, Finland, France and Slovenia, in their earlier joint Non-Paper, stressed that “a broad range of actions can legitimately be undertaken by private entities” with regard to “mitigating malicious ICT activity aimed at critical infrastructure”. Germany and the Netherlands stressed the role of non-state actors in securing the technical infrastructure essential to elections. Finally, Italy broadly supports seeing the role of other stakeholders become “more evenly reflected” in the report.
Lack of Universal Approach to Implementation of Critical Infrastructure Protection
Finally, states seem to lack a common approach to CIP implementation. Several non-binding 2015 UN GGE norms focus on CIP and instruct states not to conduct or knowingly support ICT activity that intentionally damages critical infrastructure (norm “f”); to take appropriate measures to protect their CI (norm “g”); and to respond to appropriate requests for assistance by other states whose CI is under cyberattack (norm “h”). However, it is not clear whether new sectors (e.g. healthcare, retail, electoral infrastructure) are to be included in the list of CI, or what the overall criteria for identifying CI are. What actions should be taken to make these norms work? And, speaking of “supranational” or “trans-border” CI, how should cyber incidents affecting it be handled, and how would states cooperate in such a case? If the private sector – the owner of CI – has to report cyber incidents, to whom should these incidents be reported? And what are the thresholds that trigger incident notification?
In the national submissions, only Croatia, Finland, France, Germany and Slovenia stressed that countries should work with the private sector to “develop concrete tools such as certification processes, best-practice guides, incident response mechanisms and, as appropriate, national regulations”. But this seems insufficient: nobody should be left to deal with a cyberattack on CI – whether national or “supranational” – alone. Norm “h”, in particular, should be implemented in a way that provides for cross-border cooperation and clarifies what qualifies as an “appropriate” request for assistance, how such requests should be processed, and so on.
Practical Implications for the Private Sector
Reaching a consensus between member states in inter-state negotiations requires time and effort. But the private sector should be part of this process from the beginning. There are several practical implications for the private sector that flow from the current international debates.
First, most states agree that the private sector – as the owner of ICT infrastructure in most cases – has certain responsibilities to protect it. However, it remains unclear what the private sector should actually do, particularly when it comes to operationalising the non-binding CIP-related norms. Ideally, the UN cyber dialogue should help define these responsibilities and provide guidance on what should be considered critical infrastructure in the new reality brought on by the pandemic (and by other global crises in the future).
Second, it seems that the private sector is more or less aligned on the need for greater cooperation, as well as on what best-practice implementation could look like. This implies a clear institutional framework, including security baseline requirements and clear incident notification and reporting policies. Risk-based certifications, standards, and vulnerability management and disclosure policies should also be developed to enhance product security in CIP. In the case of cyberattacks on CI – whether national or “supranational” – the modalities for cooperation between the private sector, national authorities and computer emergency response teams (CERTs), as well as among states, should be clarified. In that sense, Kaspersky’s position, for instance, is aligned with the positions expressed by states calling for more work with the private sector on critical infrastructure protection.
Finally, the fact that the private sector’s ideas, as described above, have not yet been implemented shows why companies should learn more about cybernorms and the UN OEWG. It is in the private sector’s interest to prevent fragmentation in the regulation and protection of ICT infrastructure. And while there are more discussions about “supranational” CI to be had, the global UN cyber dialogue remains – for the moment – the only place for the private sector to participate in and support states in delivering CIP. A similarly structured dialogue through regional organisations would be welcome in the future.