As part of our efforts in support of the Paris Call for Trust and Security in Cyberspace, the Cybersecurity Tech Accord hosted a workshop, “Playing by the Rules: working together to reign in nation-state cyberattacks,” at the RightsCon conference in June. Over the last decade, RightsCon has brought business leaders, human rights advocates, governments, technologists and journalists together to address critical issues existing at the intersection of human rights and technology. To add to this discussion, the Cybersecurity Tech Accord’s workshop included a panel of experts who examined the evolving threat posed by state-sponsored cyberattacks, their impact on businesses and society and the government’s role in addressing this pressing issue in cyberspace. The session provided an opportunity to bring together the multistakeholder community forming around the Paris Call Working Group 3, co-chaired by the Tech Accord, which is tasked with exploring ways to make future UN discussions on cybersecurity more inclusive.
The RightsCon panel brought together speakers with a wealth of cybersecurity experience from government, industry and civil society, including:
- Kaja Ciglic – Senior Director, Digital Diplomacy, Microsoft
- Stéphane Duguin – CEO, The CyberPeace Institute
- Isaac Morales – Coordinator for Multidimensional Security, Multilateral Affairs, Ministry of Foreign Affairs of Mexico
- Sheetal Kumar – Senior Programme Lead, Global Partners Digital
- Jon Ford – Managing Director, FireEye
As the panel explained, state-sponsored cyberattacks aren’t a new phenomenon, but they have increased in frequency, sophistication and impact in recent years. A report from HP Inc. found a 100 percent increase in significant state-sponsored cyber incidents between 2017 and 2020, and that enterprises are the most common targets. The Cybersecurity Tech Accord also examined the evolving nature of the threat from nation states and its implications. Earlier this year, our study in partnership with the Economist Intelligence Unit (EIU) found that businesses from all sectors see these attacks as a major threat. During the panel, Jon Ford examined these trends and stressed the importance of collaboration. He focused on the 2020 SolarWinds cyberattack that impacted thousands of organizations across the globe and multiple sections of the U.S. Government. He emphasized that information sharing between partners, countries and organizations in response to the attack was a perfect example of how multistakeholder involvement can mitigate these threats moving forward.
Kaja Ciglic followed by elaborating on one of the key findings from the Cybersecurity Tech Accord’s study: while there is widespread concern, a clear majority of companies surveyed in the study nevertheless believe that they are themselves prepared to handle threats posed by nation-state cyberattacks. In this regard, Kaja noted that although cybersecurity practices have improved in the last few years, there is still much to be done, and some are likely experiencing a false sense of security in the face of these challenges.
And it’s not just private organizations that are impacted by these increasingly sophisticated and dangerous cyberattacks; it’s also society more broadly. Stéphane Duguin spoke about how the frequency of cyberattacks targeting the healthcare sector increased sixfold during 2020 and how the CyberPeace Institute called on governments to limit the space for malicious actors to operate and to protect healthcare industries from being victimized.
Sheetal Kumar spoke about how attacks on healthcare, critical infrastructure and other areas undermine human rights and noted that nation-states have an obligation to promote and protect those rights.
During the second half of the session, it was made clear that greater international political cooperation in this space is essential to mitigating the threat posed by state-sponsored cyberattacks. Isaac Morales joined in the discussion to communicate how important it is for as many voices as possible to engage in this conversation. He added that this would lead to the international community – including governments and the private sector – becoming more conscious of the number and impact of the threats and attacks referred to by the rest of the speakers.
The panelists expanded on this topic by discussing the accomplishments and shortcomings of the United Nations’ first Open-Ended Working Group (OEWG) on information security. The OEWG recently concluded its deliberations and provided a critical first step in catalysing international discussions of ICT security, though it lacked more regular industry and civil society inclusion throughout. Panelists also touched on the proposal introduced by France, in collaboration with more than 40 other UN member states, to establish a permanent UN forum for discussions on international cybersecurity. This proposed standing body, the “Programme of Action,” could conceivably replace the series of ad-hoc working groups of member states that have traditionally engaged on these issues, and do so in a way that is more inclusive of regional organizations and other stakeholders.
The Cybersecurity Tech Accord is looking forward to continuing to facilitate the dialogue about multi-stakeholder approaches to discussions on international ICT security. To learn more about our efforts in this area, see our work chairing the Paris Call Working Group 3 on Supporting the Continuation of UN Negotiations with a Strong Multi-Stakeholder Approach.