Joint Nordic Statement at the Arria formula meeting of the Security Council on Cyber-Attacks against Critical Infrastructure
Delivered by Ambassador Martin Bille Hermann on the occasion of the Arria formula meeting of the Security Council on "Cyber-Attacks against Critical Infrastructure" 26 August 2020
I have the pleasure to speak on behalf of the Nordic countries: Finland, Iceland, Norway, Sweden and my own country, Denmark. We are grateful to the Indonesian presidency for placing this very pertinent topic on the Council’s agenda. This allows us to build on the discussions on Cyber Stability, Conflict Prevention and Capacity Building we had under the Estonian presidency in May this year.
As we and many other countries stressed during our cyber-discussions in May, the COVID-19 pandemic has underscored just how dependent the world has become on information and communications technology (ICT). Not just in the way we communicate with each other, but in the operation of critical infrastructure vital to manage the health crisis. Consequently, a globally accessible, free, open and secure cyberspace is now, more than ever, fundamental to how the world operates.
Unfortunately, the increase in malicious cyber activity witnessed during the last decade has not slowed with COVID-19. In fact, the year 2020 has revealed that malicious state and non-state actors will take advantage of any opportunity in cyber space, even a global pandemic. Since the beginning of the crisis, we have witnessed significant phishing and malware distribution campaigns, scanning activities and distributed denial-of-service attacks targeting institutions working on defeating the pandemic. Some of these malicious cyber activities have even targeted our hospitals.
Such deplorable activities endanger the lives of our citizens at a time when these critical sectors are needed most, and jeopardizes our ability to overcome the pandemic as quickly as possible. We condemn this malicious behavior in cyberspace and express our solidarity with all countries that have fallen victim to such activities. We call upon all states to exercise due diligence and take appropriate action against malicious cyber activity originating from their territory.
The world has benefited in countless ways from the rapid development in information and telecommunication technology. However, weaknesses in our information and telecommunication systems also make our societies more vulnerable. This is particularly true for our critical infrastructure where the potential consequences of cyber-attacks are enormous. Attacks such as WannaCry and NotPetya not just resulted in vast financial losses; they also affected ICT-systems at hospitals and in certain cases struck industrial control systems crippling electricity supply. Consequently, with these types of attacks being recklessly unleashed we should consider ourselves lucky we have not seen loss of lives yet.
For this reason, upholding a strong cyber resilience throughout our societies is crucial not only to our security, but to the enjoyment of human rights, such as the right to health. This also implies the international community has a responsibility to assist in capacity building efforts in countries requesting assistance. However, such efforts cannot stand alone. We must aim to raise the cost of malicious cyber activity by collectively holding those responsible to account. . We also welcome the efforts by the Secretary-General in the area of cyber, new technologies and digitalization and support his agenda moving forward.
Once again, we draw the attention to the important milestones from the two consensus reports of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security from 2013 and 2015. With resolution 70/237, we agreed in the General Assembly that International law, including the Charter of the United Nations in its entirety, applies to States’ behavior in cyberspace, and that the same is true for international humanitarian law and international human rights law. We reiterate that efforts to promote norms and stability in cyberspace must ensure that cybersecurity underpins the protection and promotion of human rights online
Moreover, as a complement to binding international law, the 2015 report by Group of Governmental Experts formulated 11 voluntary non-binding norms for responsible state behavior in cyber space. Where international law regulates state behavior, norms guide it. We call for stronger adherence to the norms, of which several are intended to strengthen the protection of critical infrastructure. We draw particular attention to the norm emphasizing that: “A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.”
In conclusion, we stress that any cyber-attack attempting to hamper the ability of civilian critical infrastructures vital to manage health crises is in clear violation of international law, and goes against the spirit of the agreed voluntary non-binding norms. It is therefore unacceptable. All states have an important role to play in promoting and upholding a rules-based, predictable, open, free, and secure cyber space.
I thank you Mr. President.