posted on Tue 25 Aug 2020 9:16 PM
Arria-formula Meeting on Cyber-Attacks Against Critical Infrastructure

Tomorrow afternoon (26 August), there will be an Arria-formula meeting via videoconference on: “Cyber-Attacks Against Critical Infrastructure”. The meeting has been organised by Indonesia, in cooperation with Belgium, Estonia and Viet Nam, and the International Committee of the Red Cross (ICRC). Ambassador Dian Triansyah Djani (Indonesia) will chair the meeting. Briefings are expected from: Peter Maurer, the President of ICRC; Ramesh Rajasingham, Acting Assistant Secretary-General for Humanitarian Affairs and Deputy Emergency Relief Coordinator at OCHA; and Renata Dwan, Director of the UN Institute for Disarmament Research (UNIDIR).

Following statements by Council members, other member states will have the opportunity to make brief statements, if time allows. The meeting will be live-streamed on the website of the Permanent Mission of Indonesia to the UN.

In preparation for the meeting, Indonesia has circulated a concept note that describes unprecedented levels of digitalisation and increasing dependence on information and communication technology (ICT) in public, private, and government sectors. The note emphasises that in addition to bringing many benefits, increased reliance on ICT poses many potential risks.  In this regard, malign actors have used cyber-attacks to target critical infrastructure for years, exposing the vulnerability of various ICT systems. Cyber-attacks have the potential to cause serious harm to human life and the non-virtual sphere when targeted, for example, against infrastructure in the health care and civil aviation sectors.

According to the concept note, the main objective of the meeting is to raise awareness of the vulnerability of critical infrastructure against cyber-attacks and to advance discussions on the need to protect critical infrastructure against this threat. The meeting will also explore how norms of responsible state behaviour in cyberspace protect critical infrastructure and contribute to the maintenance of international peace and security.

The concept note invites member to explore the following questions:

  • Which present and future cyber threats against critical infrastructure do member states observe or anticipate? When do such threats pose a risk to international peace and security? To what extent are cyber threats different from traditional, non-cyber threats?
  • Which measures and policy options can member states take to protect critical infrastructure against cyber-attacks?
  • Which measures should member states take to better implement the existing international law framework as well as voluntary, non-binding norms, rules, or principles of responsible behaviour of states which protect critical infrastructure?
  • How could the Security Council play a more important role in addressing this issue with regard to the maintenance of international peace and security?
  • How could existing capacity-building efforts be leveraged to support critical infrastructure protection?

Formal meetings on cyber-related issues have been held in the General Assembly but not in the Security Council. However, Council members have begun to pay more attention to the implications of cyber threats for international peace and security in recent years and have held a number of informal meetings related to this issue.  In this respect, Arria-formula meetings have become a vehicle for addressing cyber-security. This will be the fifth Arria-formula meeting on cyber-related issues. Previously, Council members held an Arria-formula meeting on cybersecurity and international peace and security, organised by Spain and Senegal on 28 November 2016. Cyber threats were also addressed in the context of Arria-formula meetings organised by Ukraine on the protection of critical infrastructure against terrorist attacks on 21 November 2016 and on hybrid wars as a threat to international peace and security on 31 March 2017. Most recently, Estonia organised the Arria-formula meeting on: “Cyber Stability, Conflict Prevention and Capacity Building” on 22 May.

On 5 March, Estonia and the US initiated a discussion under “any other business” on cyberthreats and hybrid warfare, after Georgia informed the Council that its government and media websites had been targeted by a large-scale cyber-attack in October 2019. In a joint statement to the media after the meeting, Estonia, the UK, and the US accused Russian military intelligence of these attacks, saying that they represent a wider pattern of behaviour by Russia. Russia has denied these accusations and said that there is no evidence to support these claims.

For more on the Council and cybersecurity, please see our January 2020 In Hindsight: The Security Council and Cyber Threats.