Cyberattack Revelations Appear To Undercut Russia's UN Efforts

The recent revelations about the cyberattacks conducted by Russian military intelligence (GRU) in several countries did not come as a surprise. The UK and its allies have been calling for public attribution of cyberattacks coupled with, when appropriate, a series of diplomatic and economic responses, and even retaliation-in-kind

The thinking behind this is that attribution, coupled with sanctions initiated by a united front of like-minded states, could create a deterring effect.

However, these revelations also play into wrangling over cyber regulation at the UN level. Russia is planning to submit two UN resolutions later this month, one on a code of conduct to regulate states behaviour in cyberspace and one on a new UN cybercrime convention.

It is expected that the US and EU countries will reject these proposals, in line with their previous positions. Coordinated revelations about Russia’s behaviour could be part of a negotiation strategy that the UK and its allies are implementing with the aim of challenging Russia’s negotiating position, as it tries to lobby other countries to endorse its resolutions.

This is a critical juncture in the debate over the future of cyberspace. Russia, together with China and other countries, is pushing for more regulations to clarify how international law applies to cyberspace, with the aim of exercising more sovereignty – and state control – over the internet.

The US, the UK and other likeminded states oppose this approach as they claim it would ‘legitimize repressive state practices’ and instead want to largely preserve the idea of an open, free and stable  internet, and instead to focus on the application of existing rules of international law as the basis for maintaining security and for conflict prevention. Common ground between the two sides is diminishing and views are diverging rather than converging.

It was not always this way. In 2015, after the UN established a Group of Governmental Experts (UN GGE) on the security of information and communication technologies, a consensus was reached by participating countries, including Russia. It affirmed that international law applies to cyberspace and recommending norms and principles for responsible state behaviour in cyberspace.

However, in 2017, when the UN GGE tried to take the process a step further and discuss the application of international law to cyber conflicts, it was faced with a deadlock. Some countries, including Russia and China, opposed the mention of international humanitarian law, the law of self-defence and the right of states to take countermeasures. They claimed this would lead to the militarization of cyberspace.

Since then, little has been achieved in public diplomacy terms to bring the two sides together. Instead, Russia has been trying to rally endorsement for its proposals from other countries – notably those in the Collective Security Treaty Organization, the Shanghai Cooperation Organization and the BRICS.

Its first resolution to be proposed in the First Committee of the UN General Assembly will be based on the SCO International Code of Conduct for Information Security (opens in new window), and the second resolution in the Third Committee will propose a draft convention on cybercrime. The draft convention has been circulated on a number of occasions as an alternative to the Council of Europe convention on cybercrime, known as the Budapest Convention.

From the perspective of Western states, no additional regulations are needed. Cyberspace is not lawless, and international law applies to peace and cyber conflicts. However, given the nature of cyberspace, states need to clarify their positions on the application of international law, which is what countries like the UK have started doing.

On the issue of cybercrime, Western states have always opposed a new convention to replace the Budapest Convention and have been supporting numerous efforts to expand its membership, currently at 61 countries. They would rather reinforce what exists already. In the absence of an agreement on the rules of engagement in cyber space, the approaches that are being adopted consist of imposing costs on adversaries for their malicious cyber activities and pursuing bilateral agreements when needed.

Given that Russia has been calling for rules in cyberspace based on UN Charter principles such as respect for national sovereignty and non-interference in internal affairs, exposing its numerous attacks which go against these same principles undermines Moscow’s stance.

By strategically timing the announcement – it has been almost six months since GRU operators were caught in an attempted hack and signals interception of the Organization for the Prohibition of Chemical Weapons – the UK, the US and their allies hope to weaken Russia’s position in the UN deliberations.

As the new wave of UN discussions begin this month, they may lead to several countries leaving the Russian camp.

By Joyce Hakmeh Cyber Research Fellow, International Security Department, Royal Institute of International Affairs.

@joycehakmeh

Chatham House:     

You Might Also Read: 

Britain Plots Cyber Revenge On Russia For Novichok Poisonings:

 

« Pentagon Weapons Systems Vulnerable To Cyber-Attacks
New Google App Fights Censorship »

Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

eBook: Practical Guide to Security in the AWS Cloud

eBook: Practical Guide to Security in the AWS Cloud

AWS Marketplace would like to present you with a digital copy of the new book, Practical Guide to Security in the AWS Cloud, by the SANS Institute.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

2Secure

2Secure

2Secure is one of Sweden's largest private security companies. Service inlcude personal security, corporate security, information and cyber security.

Canadian Security Intelligence Service (CSIS)

Canadian Security Intelligence Service (CSIS)

CSIS collects and analyzes threat-related information concerning the security of Canada in areas including terrorism, espionage, WMD, cybersecurity and critical infrastructure protection.

SAI Global

SAI Global

SAI Global provide products and services for enterprise risk management including Governance, Risk & Compliance and Digital Risk solutions.

Vector InfoTech

Vector InfoTech

Vector InfoTech is a leader in Industrial Security, Networks, IT and Telecommunications.

Department of Energy - Cybersecurity, Energy Security, and Emergency Response (CESER)

Department of Energy - Cybersecurity, Energy Security, and Emergency Response (CESER)

The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) addresses the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today.

Jeffer Mangels Butler & Mitchell LLP (JMBM)

Jeffer Mangels Butler & Mitchell LLP (JMBM)

JMBM is a full service law firm providing counseling and litigation services in a wide range of areas including cyber security.

Information and Communication Technology Authority (ICT Authority)

Information and Communication Technology Authority (ICT Authority)

The ICT Authority is responsible for enforcing ICT standards in Government and ensuring information security.

Zen360Consult

Zen360Consult

Zen360Consult provides Advisory and Training services in the field of Cyber Resilience, which includes Cyber Security /ISMS and Business Continuity.