Statement of Estonia at the Security Council Arria-formula meeting organised by US, Albania, co-sponsored by Estonia, Ecuador
“The Responsibility and Responsiveness of States to Cyberattacks on Critical Infrastructure”
Delivered by H.E. Mr. Rein Tammsaar, Permanent Representative of Estonia to the UN, 25 May 2023
Thank you Chair.
Allow me to start by expressing my appreciation to Albania and the United States for convening this very timely Arria-formula meeting of the Security Council. I also thank the briefers for their insightful perspectives.
We are honoured to co-sponsor this event which continues to draw the Security Council’s attention to the implications of cyber threats to international peace and security. Since Estonia brought the topic of cybersecurity to the Council two years ago, the security and stability of cyberspace remain to be of great concern. Malicious cyber operations are on the rise worldwide, employed against public and private targets as well as part of military conflict.
Critical infrastructure is essential for the functioning of our societies. However, our dependence on digital solutions and the use of ICTs in critical infrastructure systems renders such systems more vulnerable. Cyberspace is not separate from the physical world, and cyber operations against critical infrastructure – such as energy and water – may have devastating results, sometimes with spill-over effects. As such, cyber-attacks against critical infrastructure have also clear implications on international peace and security, calling for the attention of the Security Council.
How to mitigate these risks and how can the Security Council contribute?
First, in order for the Security Council to uphold international peace and security in a comprehensive way it needs to be up to date with cyber threat landscape. The current Russian aggression against Ukraine has clearly demonstrated that cyber operations are employed to support conventional military operations and form an integral part of the modern armed conflict. The increasing number of ransomware attacks is another issue of great concern that can bring along devastating effects. In some countries they have constituted a state of national emergency.
Second, the Security Council must take a clear and firm stance in underlining the application of the framework of responsible state behaviour, and in particular, international law in cyberspace. A broad consensus exists that the long-standing principles set by the existing international law apply in cyberspace. Existing international law, including the UN Charter, provides guidance as to what conduct in cyberspace by States is acceptable and which is forbidden. The principle prohibiting one state from attacking others applies here as it does elsewhere. To ensure the protection of civilians and civilian infrastructure in situations of armed conflict, which the Security Council also regularly discusses, it is vital that any use of cyber capabilities in this context would be subject to obligations deriving from international humanitarian law.
Third, the Security Council has an essential role in managing conflicts. These conflicts may include cyber operations, including attacks against critical infrastructure. Managing conflicts may entail measures for de-escalating violence, offering a platform for communication and information sharing in times of crisis, enabling humanitarian access to those most suffering, or building pressure on those responsible for such illegal behaviour.
To conclude – by raising awareness of the threat landscape, stressing the consensus agreement on the applicability of international law in cyberspace, and upkeeping the role of managing conflicts – the Security Council can contribute to reducing the risk of conflict arising from malicious cyber operations and mitigating their negative effects. This work entails also awareness raising and training professionals – for this reason, Estonia is hosting another Summer School of Cyber Diplomacy in June with a global focus and participants from almost 50 countries.
I thank you.