Cyberattack Revelations Appear To Undercut Russia's UN Efforts

The recent revelations about the cyberattacks conducted by Russian military intelligence (GRU) in several countries did not come as a surprise. The UK and its allies have been calling for public attribution of cyberattacks coupled with, when appropriate, a series of diplomatic and economic responses, and even retaliation-in-kind

The thinking behind this is that attribution, coupled with sanctions initiated by a united front of like-minded states, could create a deterring effect.

However, these revelations also play into wrangling over cyber regulation at the UN level. Russia is planning to submit two UN resolutions later this month, one on a code of conduct to regulate states behaviour in cyberspace and one on a new UN cybercrime convention.

It is expected that the US and EU countries will reject these proposals, in line with their previous positions. Coordinated revelations about Russia’s behaviour could be part of a negotiation strategy that the UK and its allies are implementing with the aim of challenging Russia’s negotiating position, as it tries to lobby other countries to endorse its resolutions.

This is a critical juncture in the debate over the future of cyberspace. Russia, together with China and other countries, is pushing for more regulations to clarify how international law applies to cyberspace, with the aim of exercising more sovereignty – and state control – over the internet.

The US, the UK and other likeminded states oppose this approach as they claim it would ‘legitimize repressive state practices’ and instead want to largely preserve the idea of an open, free and stable  internet, and instead to focus on the application of existing rules of international law as the basis for maintaining security and for conflict prevention. Common ground between the two sides is diminishing and views are diverging rather than converging.

It was not always this way. In 2015, after the UN established a Group of Governmental Experts (UN GGE) on the security of information and communication technologies, a consensus was reached by participating countries, including Russia. It affirmed that international law applies to cyberspace and recommending norms and principles for responsible state behaviour in cyberspace.

However, in 2017, when the UN GGE tried to take the process a step further and discuss the application of international law to cyber conflicts, it was faced with a deadlock. Some countries, including Russia and China, opposed the mention of international humanitarian law, the law of self-defence and the right of states to take countermeasures. They claimed this would lead to the militarization of cyberspace.

Since then, little has been achieved in public diplomacy terms to bring the two sides together. Instead, Russia has been trying to rally endorsement for its proposals from other countries – notably those in the Collective Security Treaty Organization, the Shanghai Cooperation Organization and the BRICS.

Its first resolution to be proposed in the First Committee of the UN General Assembly will be based on the SCO International Code of Conduct for Information Security (opens in new window), and the second resolution in the Third Committee will propose a draft convention on cybercrime. The draft convention has been circulated on a number of occasions as an alternative to the Council of Europe convention on cybercrime, known as the Budapest Convention.

From the perspective of Western states, no additional regulations are needed. Cyberspace is not lawless, and international law applies to peace and cyber conflicts. However, given the nature of cyberspace, states need to clarify their positions on the application of international law, which is what countries like the UK have started doing.

On the issue of cybercrime, Western states have always opposed a new convention to replace the Budapest Convention and have been supporting numerous efforts to expand its membership, currently at 61 countries. They would rather reinforce what exists already. In the absence of an agreement on the rules of engagement in cyber space, the approaches that are being adopted consist of imposing costs on adversaries for their malicious cyber activities and pursuing bilateral agreements when needed.

Given that Russia has been calling for rules in cyberspace based on UN Charter principles such as respect for national sovereignty and non-interference in internal affairs, exposing its numerous attacks which go against these same principles undermines Moscow’s stance.

By strategically timing the announcement – it has been almost six months since GRU operators were caught in an attempted hack and signals interception of the Organization for the Prohibition of Chemical Weapons – the UK, the US and their allies hope to weaken Russia’s position in the UN deliberations.

As the new wave of UN discussions begin this month, they may lead to several countries leaving the Russian camp.

By Joyce Hakmeh Cyber Research Fellow, International Security Department, Royal Institute of International Affairs.

@joycehakmeh

Chatham House:     

You Might Also Read: 

Britain Plots Cyber Revenge On Russia For Novichok Poisonings:

 

« Pentagon Weapons Systems Vulnerable To Cyber-Attacks
New Google App Fights Censorship »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Security Compass

Security Compass

Security Compass, the Security by Design Company, enables organizations to shift left and build secure applications by design, integrated directly with existing DevSecOps tools and workflows.

Quttera

Quttera

Quttera provides Website Security Solutions for Small & Medium Businesses, Enterprises and Organizations.

Granite Partners

Granite Partners

Granite is a cloud service for the development of business risk management, cyber security and privacy and occupational safety and health.

TUV Sud

TUV Sud

TÜV SÜD is a leading technical service organisation. We specialize in testing, certification, auditing, training, and advisory services for different industries.

Lanner Electronics

Lanner Electronics

Lanner Electronics is a leading hardware provider for advanced network appliances and industrial automation solutions including cyber security.

Repository of Industrial Security Incidents (RISI)

Repository of Industrial Security Incidents (RISI)

RISI is a database of cyber security incidents that have (or could have) affected process control, industrial automation or SCADA systems.

NAVEX Global

NAVEX Global

NAVEX Global’s compliance management system consolidates your entire GRC program onto a scalable cloud-based platform.

Sanderson Recruitment

Sanderson Recruitment

Sanderson is a recruitment company providing expert recruitment services in areas including Cyber & Information Security.

Critical Insight

Critical Insight

Critical Insight provide Managed Detection and Response, Vulnerability Detection, and Consulting Services to help you secure your mission-critical systems.

GLESEC

GLESEC

GLESEC offer a complete range of Cyber Security services from Operations & Intelligence Services to Auditing & Compliance and Simulation and Training.

Tyler Technologies

Tyler Technologies

Tyler Technologies is a leading provider of end-to-end information management solutions and services for local governments.

Hybrid Identity Protection Conference (HIP)

Hybrid Identity Protection Conference (HIP)

Hybrid Identity Protection (HIP) is the premier educational forum for identity-centric cybersecurity practitioners charged with defending hybrid cloud environments.

Softwerx

Softwerx

Softwerx is the UK’s leading Microsoft cloud security practice. We’ve been helping forward-thinking companies better secure their businesses for nearly twenty years.

SpireTec Solutions

SpireTec Solutions

SpireTec Solutions is an IT management training company offering 1500+ courses with state of art training facilities backed by a team of industry experts in various domains including cybersecurity.

DESCERT

DESCERT

DESCERT offers you an extended IT, cyber security, risk advisory & compliance audit team which provides strategic guidance, engineering and audit services.

Sage IT

Sage IT

Sage IT offer a wide range of professional and consulting services to help organizations overcome the challenges of today's ever-changing business environment.