Josh Gold is a research assistant at Citizen Lab, at the University of Toronto’s Munk School.
On April 30, the European Union (EU) condemned malicious cyber activity exploiting the coronavirus pandemic, expressing determination to “deter and respond” to these threats. Less than two weeks earlier, U.S. Secretary of State Mike Pompeo issued a statement in which he denounced malicious cyber activity against hospitals and health-care systems, warning that anyone “who engages in such an action should expect consequences.” The condemnations come in response to an overall increase in cyber-enabled disruption related to COVID-19 as well as attacks against hospitals in the Czech Republic, the U.S. Department of Health and Human Services, and the World Health Organization (WHO).
In light of growing concern about such malicious disruption during the global crisis, the United Nations’ Open-Ended Working Group (OEWG) is playing a leading role in further developing a common framework for responsible behavior in cyberspace. The OEWG is the world’s only intergovernmental forum open to all countries for deliberations on how to ensure a peaceful and secure cyberspace.
Having formally convened twice since September 2019, the OEWG secretariat is preparing a final report containing an overview of the year’s discussion. The report will cover norms, international law, capacity building, and other proposed measures to ensure a more stable cyberspace. Surprisingly, of the roughly fifty countries that made submissions to the OEWG by its mid-April deadline, only eight made proposals related to COVID-19. Of these eight, none were nearly as direct in their concern and as detailed in their prescriptions as the submission from the Netherlands.
The strongly-worded Dutch paper [PDF] states that “The Netherlands is appalled by the abuse of the COVID-19 crisis by States to conduct or effectively control non-state actors in launching cyber operations.” The Dutch government labels such operations “deplorable examples of irresponsible state behaviour.”
From these harmful cyber operations, the Netherlands identifies two examples of malicious behavior: disruption of the health-care sector, as well as “cyber-enabled information operations” that interfere with mitigation efforts and crisis response mechanisms. It insists that both of these types of cyber operations constitute violations of international law.
The Netherlands thus recommends that countries include the public health-care sector within the scope of one of the norms that was endorsed by the UN General Assembly in 2015—that states should not conduct nor support cyber activity contrary to international law “that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.”
Submissions by Australia [PDF], the Czech Republic [PDF], Denmark [PDF], Italy [PDF], Switzerland [PDF], New Zealand [PDF], and the UK [PDF] also raise concerns about cyber disruptions of critical infrastructure, including medical facilities and crisis response organizations. Switzerland recommended the OEWG report focus on the human cost of cyberattacks against the health sector, while the Czech Republic emphasized the need for “coordinated global action” to protect this sector from malicious cyber activity.
Despite the shared concerns, only the Netherlands provided concrete examples of what the COVID-related threats are, and how they fit in the existing international framework of norms. Thus, other countries missed this opportunity to apply the OEWG’s work to a global challenge, perhaps because their submissions were prepared before cyber disruption related to the pandemic became so prominent.
In addition to addressing the threat to critical infrastructure, the Netherlands is treading carefully in its condemnation of “cyber-enabled information operations” by warning that the OEWG should not be “deliberating on issues related to the content” of information and communications technology. It further insists that “any measure to counter 'disinformation' must respect fundamental rights,” including freedom of expression. The Dutch position, then, appears to be an attempt to address the real harm caused by information operations without falling into the rabbit hole of content issues—like disinformation.
This delicate framing effort is due to concern about aligning with and sparking strong reactions from authoritarian countries like Russia and China, who have for decades sought to use the UN to give legitimacy to national efforts to censor and control free speech on the internet. If the OEWG’s final report appears sympathetic to efforts to control or block content, Russia and China could ultimately stand to gain. Simultaneously, directly confronting them over coronavirus-related cyber activities could make them unamenable to a final report that they feel heavily targets them as wrongdoers.
The Netherlands thus links information operations to the international legal principles of non-intervention and non-interference, in an attempt to shift the debate back to state behavior and the transgression of law. This framing avoids the slippery debate over what kind of content is—and is not—true.
Given the ongoing threat, the OEWG’s final weeklong meeting—slated to be in New York in early July—should see further pandemic-related discussion, though the meeting is likely to be challenged by COVID-19 restrictions. Diplomats involved in the process have privately expressed doubts that it will proceed as planned, suggesting that it should be postponed. Meanwhile, achieving consensus on various thorny issues is implausible without dedicated, in-person discussion and debate.
Despite the careful politicking and inevitable bickering among countries, international cooperation on these kinds of issues is critical. Even the Trump administration, which has generally dismissed the efficacy of multilateral institutions, has signaled the importance of diplomatic efforts to obtain agreement on norms, principles, and rules for behavior in cyberspace. As Secretary of State Pompeo said in his warning on COVID-19 cyber activity, the United States and its international partners will promote “a framework of responsible state behavior in cyberspace, including nonbinding norms regarding states refraining from cyber activities that intentionally damage critical infrastructure.”
While UN Undersecretary-General Fabrizio Hochschild recently issued a well-meaning but unrealistic call for a global "digital ceasefire," the Netherlands deserves credit for bringing immediate global relevance to the OEWG’s work in calling out concrete examples of norms-violating behavior. Other countries should follow suit.
With crisis comes opportunity. The COVID-19 pandemic presents the OEWG and its proponents with an opportunity to assert its credibility as an effective and meaningful institution. If malicious cyber disruption during a pandemic does not galvanize global action on cybersecurity issues, what will?