Remarks at a UN Security Council Arria-Formula Meeting on Cyber Attacks Against Critical Infrastructure (via VTC)

Rodney Hunter
Political Coordinator
U.S. Mission to the United Nations
New York, New York
August 26, 2020


Thank you, Mr. President. I will try to keep this as short as possible. Thank you, as well, to Indonesia, Belgium, Estonia, and Viet Nam for calling this very important meeting today. Thank you, as well, to Ramesh, Peter, and Renata for your really informative briefings. It was great to hear what you had to say today.

The United States believes strongly that all UN member states must work together to safeguard the extraordinary benefits of cyberspace. UN member states have been considering the security of cyberspace for more than two decades, and remain focused on two areas of work: domestic cybersecurity policy best practices and how to achieve and maintain international cyber stability. Throughout all these discussions, the security of critical infrastructure has been of paramount importance.

The COVID-19 pandemic has only served to underlined the importance of these issues to all of us. Not only do we all rely increasingly on information and communication technologies for our daily life and business, as you, Mr. President, are showing very clearly through this virtual discussion today, but they have also become vital tools in the fight to contain the spread of the virus and to ensure the implementation of health care strategies.

The United States is increasingly concerned about cyber risks to hospitals, pharmaceutical companies, and the broader healthcare systems that rely on ICT infrastructure to function. We are further concerned that malicious cyber activity, which impairs the ability of hospitals and healthcare systems to deliver critical services, could have deadly results.

To protect against these risks and threats, we are working with partners across the globe to issue technical alerts and to raise the level of awareness and provide mitigation recommendations. These alerts include warning organizations researching COVID-19 responses of likely targeting and network compromise by malicious actors, as well as partnering with other countries to raise awareness on Advanced Persistent Threat activity targeting healthcare and essential services.

Malicious activity against critical infrastructure is deeply irresponsible and it’s dangerous, as has been mentioned by many today. Anyone who engages in such actions should expect consequences. The United States has zero tolerance for malicious cyber activity designed to undermine U.S. and international partners’ efforts to protect, assist, and inform the public at any time, but especially during this global pandemic.

Through several consensus General Assembly resolutions in the late 1990s and early 2000s, the UN has outlined a set of best practices for national approaches to cybersecurity. States must have effective domestic policies and strategies to manage cyber risks and protect networked critical infrastructure. Establishing threat information sharing processes with private sector infrastructure owners and operators is one example of these best practices. When states do not have the resources to do so themselves, cyber capacity building can assist in these efforts.

The UN First Committee has confronted existing and potential threats posed by the use of ICTs since 1998 in a coordinated international effort to enhance international stability in cyberspace and prevent conflict between states arising from such ICT use. In particular, the UN Group of Governmental Experts, or the “GGE”, reports of 2010, 2013, and 2015 outline a framework of responsible state behavior in the area of international stability in cyberspace.

The United States has been, and will continue to be, a leader in these efforts and continues to advocate for states to implement and adhere to the GGE framework, which consists of the application of relevant international law to state activities in cyberspace, voluntary non-binding norms of state behavior applicable in peacetime, and the implementation of practical Confidence Building Measures. The United States joined the unanimous commitment in GA Resolution 70/237 to have this framework guide states’ use of ICTs.

This robust program of work at the UN has provided important guidance for UN member states in the area of critical infrastructure. First, states are responsible for ensuring that their own domestic infrastructures are protected from cyber risks. Second, all responsible states should adhere to the framework of responsible state behavior, which includes refraining from malicious cyber activity that intentionally damages critical infrastructure in peacetime as well as respecting the robust protections for such infrastructure in international law. And third, in the event of a cyber incident affecting critical infrastructure, states should cooperate with each other to mitigate damage, assist victims, and hold those responsible accountable.

Unfortunately, despite the commitments that all member states have made to be guided by the framework, some have conducted irresponsible state behavior. The international community must be prepared to hold these bad actors accountable for their irresponsible actions.

The ongoing GGE and the OEWG have been tasked to build upon the UN’s robust work in this area, including the framework for responsible State behavior in cyberspace. It is only through member states’ full implementation of these recommendations, and our willingness to hold these states accountable when they act contrary to the framework, that we will be able to fully achieve international cyber stability.

The United States will always work to uphold the stability of cyberspace and the related framework on responsible state behavior, including through the two UN mechanisms. Despite the challenges posed by the COVID-19 pandemic, the international community must continue to work together to safeguard the extraordinary benefits of cyberspace for everyone. The United States will continue to lead the way on that.

Thank you, Djani.