Imagine you awake one morning to find that your internet is down in your apartment. “No problem,” you think. You switch to your cellular service on your phone. Your phone isn’t working either. You try to turn on your TV. Also not working. Switch on the lights. Nope. Not working either. There’s also no electricity, so you go to the corner store to grab a buttered bagel, and the store is abuzz with concern. You slowly realize that it wasn’t just you who was having problems this morning; it was everyone. No one understands or knows what happened, how widespread it is, or how long it will last. Elsewhere, banks have no control over their systems, gas pumps are all down, refrigeration has failed, and food has started to rot. A mass cyber-attack has occurred and the damage done is astronomical.

The above reads like the opening to a science-fiction movie, but it’s a potential reality for our future. The world’s ever-growing reliance on computers and technology to control everything from banking to nuclear reactors has created cracks in security, leaving space for exploitation by those who have the ability and will to do so. Cyber-terrorism and cyber-attacks are an effective and inexpensive tactic with a seemingly unlimited number of targets. One person, albeit a skilled person, with a computer and internet connection could create widespread hysteria. Due to the borderless design of the internet, this one person can be located anywhere in the world, making their identification and capture difficult.

Now let’s imagine that the United Nations, in a parallel universe, created binding multilateral agreements to deter and dissuade cyber-terrorism and cyber-attacks. In this parallel universe, your day would go on as usual because each nation would work in cooperation to protect their citizens against these types of attacks. The United Nations, as a norm entrepreneur, should be more concerned about and focused on threats to peace and security that originate from the realm of the internet. The perpetrators of those cyber-attacks should be penalized by the international community in the UN’s system of justice. Moreover, the political standing of a country within the UN should not determine their likelihood of being held responsible for launching cyber-attacks.

Increasingly, cyber-terrorism and cyber-attacks can and will be state-sponsored. States use cyber-attacks to fulfill a specific political agenda, and the attacks originate from within the territories of the aggressor. These conditions of state-sponsored cyber-attacks make identification of the perpetrator easier than it is for individuals or terrorist organizations. However, state-sponsored cyber-attacks have their own set of challenges. States have political and legal rights that individuals lack. Individuals can be extradited for crimes they commit and can be sent to the International Criminal Court (ICC). While states can be taken to the International Court of Justice (ICJ), it is a more difficult process because states have to accept the jurisdiction of the ICJ. Due to political positions and alliances, it can be more challenging to determine what can be done to punish a state when it violates another state’s cyber-security. States’ political positions can protect them from scrutiny or from being punished. In the case of the P5 members (US, Russia, China, France, UK), their veto power could allow any cyber-attack-related actions they choose to take to be overlooked. Also, even if it were possible to hold states responsible, it’s not known whether the punishment would fit the crime. We see that the UN often favors states with power, such as the P5, and allows them to operate outside of international norms. The UN favors powerful and wealthier states due to their high financial contributions to the UN. For example, in 2017 the US provided 22% of the UN’s regular budget. Additionally, powerful states can control smaller and weaker countries with economic pressure and military strength.

The UN is responsible for creating the standards of behavior for states in the international realm. With that being said, the reach of the UN’s ability to develop norms should extend to cyber-security. Understanding how to appropriately react to cyber-terrorism and cyber-attacks is in its formative stage and needs to be discussed more often in the entire UN system. However, the General Assembly is the most appropriate place to start this discussion as it is seen as the most democratic body within the UN, with all member states having a voice. The UN should be utilizing their advantage as a norm entrepreneur to establish a policy that states would implement to prevent and discourage cyber-terrorists and cyber-attacks.

There is no cohesive definition of cyber-terrorism or cyber-warfare that exists in the international community or international law. The UN needs to construct these definitions to create continuity in the responses within the international community. A precise definition would make it possible to identify when an attack has occurred and would define what set of actions member states should perform. Additionally, the UN needs to have a fair system in place to punish those who have violated cyber-security. The system cannot favor those that hold power within the UN, especially the P5 members.

Attacks against South Korea by Russia and China have been carried out ahead of the nuclear peace talks between the US and North Korea. The state-backed cyber-attacks targeting South Korean foreign ministries and financial institutions were the most recent in a long list of cyber-attacks that South Korea has had to endure in recent years. North Korea has been the source of most of the cyber-warfare against South Korea. Moreover, North Korea has been slapped with sanction after sanction for their actions. However, what punishments have Russia and China suffered because of their use of cyber-attacks on South Korea? The answer is none. The reason for that can be attributed to both countries’ privileged political position as P5 states. Russia and China have veto power within the Security Council, and any accusation brought against them in the Security Council can be rejected by either country. To bypass the veto power of the P5, the General Assembly needs to be given more power to determine how to proceed with situations of cyber-security. Another possible solution would be the adoption of resolutions that all member states are bound to that would detail what actions should be taken in the event of a cyber-attack.

The UN has much work to do in establishing a set of norms and laws to ensure that states like China and Russia are punished for their intrusive and potentially dangerous behaviors. Severe punishments and penalties, agreed upon and implemented by the UN, can deter countries from carrying out cyber-attacks. The work needs to be done before mass turmoil occurs.

 

Image Credit © Crown Copyright 2013