This week, as the United Nations’ (UN) leading forum on cybersecurity convenes in New York, the Cybersecurity Tech Accord is calling for the group to embrace an unambiguous international norm to prohibit state-sponsored cyberattacks targeting the ICT supply chain. Established in 2021, the UN Open Ended Working Group on the security of and in the use of information and communications technologies (OEWG) has a mandate to develop the “rules, norms and principles of responsible behaviour of States” online. As a community of more than 150 technology firms from around the world, we can say with confidence that cyberattacks against the ICT supply chain can never be consistent with responsible state behavior as they are inherently indiscriminate, irresponsibly disrupting individual citizens’ lives and livelihoods.
Our coalition is committed to advancing cybersecurity and fostering trust online. We are deeply concerned by the rising number of state-sponsored cyberattacks targeting the ICT supply chain in recent years. Prominent attacks like those against SolarWinds and Kaseya, providers of software and cloud services, compromised the systems of thousands of organizations worldwide. By compromising the software update mechanisms of these vendors, attackers were able to infiltrate and potentially disrupt the networks and systems of a large number of public and private entities, regardless of whether or not they were an intended target. This includes everything from government agencies to critical infrastructure operators to small and medium-sized businesses.
These incidents are not isolated cases, but rather part of a growing trend of state-sponsored cyberattacks targeting the IT sector to the point that it is now one of the most targeted sectors. And it’s not hard to see why; threat actors hope to compromise an IT vendor in order to have access to its clients’ systems. Recent reporting from the nonprofit CyberPeace Institute further documents how these attacks have significant humanitarian, social, and economic impacts, affecting the delivery of essential services such as healthcare, education, and banking, as well as undermining the trust and confidence – and everyday lives – of users and customers in an increasingly digital world.
These attacks pose a serious threat to the security and stability of cyberspace, as well as to the norms and principles that govern its peaceful and cooperative use. They violate the sovereignty and territorial integrity of states, infringe on the human rights and privacy of individuals, disrupt the lives of individual citizens, and undermine international cooperation. They also create a dangerous precedent for other states and non-state actors to engage in similar or more destructive activities, or simply to take advantage of systems that were unintentionally compromised in the attack.
A Proposal for a New International Norm
To address this challenge, the Cybersecurity Tech Accord signatories are calling for a new voluntary international norm to be established by the United Nations. This would not be a legal requirement but rather a new commitment to complement the existing 11 UN norms for responsible state behavior online. While existing UN norms suggest that “States should take reasonable steps to ensure the integrity of the supply chain…”, this has clearly not been understood as a prohibition on attacks against it. And while states should, together with the private sector, indeed work to improve security in the ICT supply chain due to its significance, that same significance should also oblige states not to target the ICT supply chain with cyberattacks.
To this end, our proposed norm would read as follows:
“States should not engage in, or allow any persons within their territory or jurisdiction to engage in, cyber operations that would compromise the general availability, security, integrity or confidentiality of commercial ICT products and services, in particular as it relates to software and security update mechanisms. This would include, but not be limited to, operations intended for espionage that affect ICT products or services in general use.”
This proposed norm is consistent with the existing framework of international law and norms that apply to cyberspace, as well as with the recommendations of the previous UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, which were endorsed by the UN General Assembly in 2021. It would also complement and reinforce other existing norms that aim to protect critical infrastructure like electricity and water, healthcare facilities, financial institutions, and electoral systems from cyberattacks.
A foundation for accountability
While a new norm will not, on its own, prevent states from targeting the ICT supply chain, it would send a strong signal about responsible behavior, encouraging states to consider collateral damage more carefully and discouraging attacks that put others needlessly at risk. Moreover, setting such an expectation would allow other states to take steps to promote accountability, including by adopting transparency measures regarding targeting decisions and by calling out violations of the norm in public attribution statements. This would help foster a culture of responsibility and restraint among states and other actors in cyberspace, and contribute to the development and observance of a rules-based order that respects the sovereignty, rights, and interests of all parties.
The ICT supply chain is a vital and strategic asset for the global digital ecosystem, and its security and resilience are essential for the well-being and prosperity of all. The norm we propose here aims to protect the availability, security, integrity, and confidentiality of commercial ICT products and services. It would help to prevent the unintended harm and disruption that such attacks cause to the users and customers of these products and services, as well as to the broader digital ecosystem. It is imperative that the United Nations take action in accordance with this guidance.