Edward M. Roche

United Nations Security Council, Cyber Peacekeeping and the Internet "Kill Switch"

The United Nations Cyber Force and Peacekeeping in Cyberspace


If there is a global "cyber emergency" or the outbreak of an intense cyber conflict between nations, then what are the current powers of the Security Council under the United Nations Charter? Can it handle this type of situation or would it be powerless? For example, could a "cyber war", "cyber conflict" or "global cyber emergency"(1) be taken up by the Security Council under Article 39? From the analysis infra we can conclude that the Security Council is not limited in what it can declare to be a threat to international peace and security. We know this because over time the Security Council has considered issues as general as economic underdevelopment and the environment as being possible threats to international peace and security. Although many of those issues, such as the environment and economic underdevelopment, have a significant cyber component, here the Security Council was referring to the event itself and not merely to the cyber component.


If one nation attacks another using cyber weapons, then is it possible for the UN Security Council to become seized of the matter? Can the United Nations deploy a "Cyber Force"? Although a "United Nations Cyber Force" does not exist, there is nothing in the Charter to prevent its formation under the current rules. Below is a scenario showing how the United Nations Security Council might respond to a global cyber emergency. The objective of presenting a scenario is to examine the rules in place and see how they might be exercised in handling a cyber emergency.


Bringing a Cyber Emergency Before the Security Council


The first level of consideration is defining a cyber emergency important enough to be taken up by the Security Council. A number of cyber emergency scenarios could be serious enough to be brought to the attention of the Security Council. Usually, as a matter of protocol, an issue is brought to the attention of the Security Council by the use of a letter from a member State addressed to the President of the Security Council. This can occur under two conditions. First, the originator of the letter can be one of the belligerents. Second, the letter can originate from an interested Third Party, such as a neighboring State that might fear being brought into the conflict. This first requirement acts as a screening mechanism to filter out a large number of cyber incidents. The party petitioning the Security Council must have standing. For example, if a multinational enterprise is the victim of a cyber attack, it does not have standing to bring the matter to the attention of the Security Council. Only its government as a representative of its interests might do so.


The decision by a national government to bring a matter to the attention of the Security Council is problematical for several reasons. First, a distinction must be drawn between attacks against private sector interests in a nation and attacks against the government itself. Depending on the severity of the cyber attack, the vast majority of cyber attacks against private enterprise likely would never lead to a nation approaching the Security Council. Attacks against private interests generally are not considered to be attacks on the nation State in which they reside unless the effect of the attack has a broader effect on the society as a whole. On the other hand, when cyber attacks are launched against the government itself, then this is closer in effect to a kinetic military attack and without doubt is seen as aimed at the nation State.


There is an analogy with international law, and the laws of war. It is generally unacceptable to engage in wanton military attacks against unarmed civilian populations. These rules occasionally are observed by belligerents. In the same way, when engaging in cyber conflict, the analogy would be that it is not permissible to engage in cyber destruction of civil society.


The only condition in which a nation would launch full-scale cyber attacks against the general infrastructure or civil society interests of a co-belligerent is when the conflict was serious enough to threaten the survival of one of the States or its vital interests.


It is necessary to distinguish between a sudden "out-of-the-blue" cyber attack and a continuing series of smaller attacks that perhaps are increasing in severity, but at any one point in time do not rise to the level of catastrophic damage. Although there is no barrier to placing this type of matter before the Security Council, it is less feasible. It should be recalled, however, that there are no specific rules binding the decisions of the Security Council. It can declare any event to be a threat to international peace and security.


If there were a period of heightened tensions between two States, then as part of an increase in tensions, one State might launch a cyber attack against the private interests of the other party. If that happened, and the damage was severe enough, then the State would be justified in bringing the matter before the Security Council. Here, it would not be the level of damage that is the deciding factor in making the matter important to receive Security Council attention, but instead the overall context of a wider conflict that makes a broader conflict more probable.


If the cyber attacks were taking place as part of a broader military conflict involving kinetic force, then the cyber dimension would be viewed as merely an extension of the broader military conflict. In that case, the overall breach of the peace would be placed before the Security Council, instead of moving to specifically isolate cyber as part of the conflict. When cyber attacks are in support of kinetic military operations, then the Security Council will default to consideration of the military conflict using its traditional pattern of governance.


In sum, a cyber attack launched by one State against another might rise to such a level of severity as to justify taking the matter before the Security Council if the attack were against the government infrastructure of one party, or if it were an attack against private sector (civil society) targets within a context of heightened hostility and tension between the two parties.

The Attribution Problem


A further complicating factor serving as a barrier to approaching the Security Council is the attribution problem. The State making the request for Security Council intervention must be sure of the origin of the cyber attack. In the Cuban Missile Crisis, the initial discussions started with Russia and Cuba denying the existence of the missiles and soldiers. It was only when the U.S. Representative to the United Nations dramatically revealed photographic evidence of the rocket installations that these propagandistic denials withered.(2) In the lead up to the First Persian Gulf War, the U.S. Representative presented to the Security Council transcripts of intercepted telephone conversations purporting to show discussions regarding placement of Weapons of Mass Destruction.(3) Both of these demonstrations had a dramatic effect on the deliberations of the Security Council.


But in the case of a cyber incident, it might be meaningless to come into the Security Council with photographs. If so, then what type of dramatic proof could be provided? It is almost comical to see the U.S. Representative to the United Nations standing before the international body giving a demonstration on computer code. Nevertheless, we must assume that a member State would have its reasons for attributing the cyber attacks to a specific origin.(4) Although there would almost certainly be denials on the part of the corresponding belligerent, the severity of the situation would be visible for all to see, particularly if the targets of the attack were important public infrastructure such as the equities markets, electronic trading systems, or transportation networks. In order to make the case for intervention, the destruction, disabling or other damage to these systems would be part of the evidence presented to the Security Council.


It is almost certain that the corresponding belligerent would deny responsibility, and place the blame elsewhere. There would be no way immediately for the Security Council to resolve this issue. Here, however, we are concerned only with meeting the threshold to approach the Security Council. Consequently, it would be possible for the Security Council to become seized with any cyber incident even without complete resolution of the attribution problem. It should be recalled that measures taken by the Security Council can be made without prejudice to the rights or claims of either side in a conflict.

The Security Council Becomes Seized of the Cyber Emergency Under Article 39


After one of the belligerents or a third party invites consideration by the Security Council, there still is no obligation to act. At this point, a number of considerations would determine if the Security Council would become "seized" of the matter. Often, matters are brought to the attention of the Security Council, but are not considered grave enough to be declared a "threat to international peace and security". It frequently has happened also that one of the Permanent Members of the Security Council vetoes further consideration of the matter. For example, during the Cold War, it was common for one or the other of the superpowers actively to prevent consideration in the Security Council of matters they considered to be taking place within their sphere of influence. In a cyber stability scenario, it is reasonable to predict that should the cyber attacks be originating from one of the Permanent Members, the matter will never be placed before the Security Council.


Under Article 39:

"The Security Council shall determine the existence of any threat to the peace, breach of the peace, or act of aggression and shall make recommendations, or decide what measures shall be taken in accordance with Articles 41 and 42, to maintain or restore international peace and security."

The qualifying term "any" presumably means that if a cyber emergency was severe enough to threaten international peace and security, then it would qualify for consideration. One problem is that the term "peace" is not clearly defined. In classical national security terms, "peace" refers to the lack of military ("kinetic") conflict between belligerents. No one ever has defined "cyber peace" or "cyber stability". There are two variations of how a cyber incident could be a threat to international peace and security. First is a scenario in which the severity of cyber attack is enough to cause the corresponding party to launch a military "kinetic" attack in retaliation, so as to stop the cyber attack.(5) A vast amount of ink has been spilled in discussing whether a cyber attack which causes no physical harm, but only informational harm, can justify military kinetic retaliation. For a while, there appeared to be a type of barrier to such a response, based on customary international law. However, in May of 2019, in response to a cyber attack launched by the Hamas organization in the Gaza administrative zone, Israel launched a military "kinetic" counter-attack to blow up the servers and other technology used in the attack.(6) The result answers the question of whether a cyber informational attack can give rise to a "classical" military response. So under historical precedent, there now is less of a barrier for the Security Council in finding a threat to international peace and security originating solely from a cyber attack. A complication occurs if the corresponding belligerent has no prospects of launching a kinetic counter-strike against the State responsible for the cyber incident, or if the level of attack is below the threshold needed for one belligerent to justify a kinetic response. In that case, the threat to peace must be interpreted as meaning a "threat to cyber stability".
Here, the Security Council would need to find that the level of cyber disruption was so severe as to merit its attention. This might prove to be a major barrier to consideration. We only can conclude that should the demonstrated effects on society be substantial enough, it would make it easier for the Security Council to make a finding. It also is possible to draw a distinction between the effect of the cyber attack upon the society and population of the victim state compared to the effect on its cyber infrastructure. In one case, a cyber attack may harm only a restricted portion of the cyber infrastructure of the victim State, but generate substantial harm to the lives of its citizens. For example, a cyber attack targeting the distribution of drinking water may do little physical damage, but generate extreme disruption to a society. On the other hand, a cyber attack might have a substantial effect on informational resources within the victim State, but fail to have a significant effect on the lives of individual citizens, at least in the short term. For example, the national archives might be erased, or the access to property records might be suspended, or banking information might be disrupted. This type of informational attack would not kill persons, but still could be severe enough to cross the threshold needed under Article 39 by the Security Council.


It should be noted that under the language of Article 39, there is no requirement that international peace and security be breached, only that there is a threat of it being breached. Unless the demonstrated level of damage on the victim member State was convincing, the issue would not pass through this screen towards consideration by the Security Council. In the absence of any tangible evidence of harm, it would be difficult for the Security Council to make an evaluation that certain cyber activities were a "threat". How would it make this determination? This leads to the conclusion that the Security Council would most likely find a threat to international peace and security when it was shown evidence of abusive cyber activities of such a magnitude that they threatened a military "kinetic" response from another party.


Figure 1 - United Nations Security Council Findings Under Article 39

The second type of triggering condition found in Article 39 is a "breach" of the peace. We know that in the original design of the Charter, this refers to the outbreak of hostilities: people start shooting at one another or blowing things up. This has never been defined for cyberspace. There is, however, no need for agreement on a binding definition of cyber "breach" because a breach is what the Security Council determines it to be. This would be determined by the effect. For example, if a cyber attack froze the financial system, causing significant financial disruption, this almost certainly would qualify as a breach of the peace. It is true that as of this time the Security Council has never made such a finding. But there never has been a major catastrophic cyber attack against the private sector of one member State that definitively can be attributed to another member State and was of such severe effect that it might merit consideration by the Security Council. In this part of Article 39, the Security Council has the option to become seized with the matter without making any determination as to attribution. It only is necessary that the level of cyber disturbance be great enough to merit international attention.


In the third level of Article 39, the Security Council finds that there has been an act of aggression. This assumes that it is possible clearly to identify the member State responsible for the aggression. It also presupposes that whatever violence is being promulgated is not in accordance with the Self-Defense provisions of Article 51, but instead is not justified. In a cyber stability scenario, it would be required for the Security Council to become aware of a serious breach to cyber stability, and have clear indications of responsibility and the source of the cyber attack. In this connection, a problem arises if the originating member State is the source of the cyber attack, but the parties conducting the attack are not part of its government. Here, there are two variations. In the first variation, the malicious cyber work is being conducted by parties that are not authorized by the member State government. An example would be if a group of paid hackers and computer criminals were interfering in the stock market of a foreign nation in a way so as to give opportunities for investment or other financial activities to rogue traders or other criminal syndicates. In this variation, the attribution problem is partially solved, because the identity of the originating member State is known. In a second variation, the malicious computer work is being performed by vigilante groups who have either the active or passive support of their government. Active support by the member State government would come in the form of financial incentives or other enabling resources including legal protection(7) being provided by their government. 
Passive support would be found when the member State government is not actively supporting the malicious cyber activities, but at the same time is aware of them yet has a policy of not preventing them.(8) So even if it is not possible definitely to make conclusions regarding the responsibility of the cyber attacks, there still is no barrier to the Security Council becoming seized of the matter. The only gating factor is the level of cyber disturbance and an assessment by member States that the damage is severe enough or might become severe enough to merit its attention.


The Security Council Recommends Provisional Measures Under Article 40 to Prevent Further Cyber Destabilization


If the Security Council becomes seized of the cyber matter, then it has the option to take action under Article 40 which specifies that it can make recommendations that hopefully will prevent the situation from getting worse. At the core of every conflict between nation states, usually there lies a source of the problem, and disagreement regarding the way to get it resolved. In its activity under Article 40, the Security Council is not concerned with the details of the conflict, but instead is concerned primarily with stopping the escalation of violence. In doing this, the Security Council can call on the parties to take "provisional measures" to lower the temperature of the emerging conflict. In kinetic conflicts, this might mean a cease fire. In a cyber conflict, it might mean a temporary cessation of malware attacks, or the restoration of ICT services that may have been disrupted. A related problem arises in addressing the problem of vigilante groups or government "subcontractors" who are involved in cyber attacks. Under the assumption that it has been established with reasonable certainty that the attacks originate within a specific member State, but that State's government has declined responsibility, and yet the attacks are enough to cause the Security Council to become seized with the matter, then it might define a provisional measure that requests member States to take such measures internally to ensure that the situation is not worsened. In other words, if the cyber disturbance was being caused by vigilante groups, then the Security Council would call on the member State to send in its law enforcement to stop their activities. There are a number of options available for preventing further cyber escalation by vigilante groups.
These include: (a) arresting or detaining the individuals responsible for the cyber attacks; (b) barring telecommunications or Internet service providers from extending services to the same; (c) using deep packet inspection or other techniques to filter outgoing cyber attacks; (d) issuing a temporary restraining order against various entities in order to accomplish the same objective. It also would be possible for the Security Council to ask other member States to take actions that might restrain the level of cyber hostility. Examples of this type of action would be a request that Internet Service Providers within their jurisdiction take actions to prevent further cyber disturbances. Generally, however, provisional measures are aimed at the belligerents themselves, as specified in Article 40. Since there is no time schedule associated with compliance to Security Council recommendations for provisional measures, it is not possible to know how long this phase of the conflict would continue. The most important factor to consider would be the level of cyber damage that continues to be inflicted. The Security Council can become seized with a matter for years at a time.


The Security Council Makes Recommendations Under Article 39


Depending on what happens as a result of the provisional measures that may be suggested under Article 40, the Security Council has the option of either doing nothing and simply remaining seized of the matter, or taking further measures. It is possible that the result of the provisional measures is positive, and the level of cyber violence will decrease, and mechanisms including diplomacy will be able to lower the level of tension. In addition, it is possible that a member State under cyber attack might be able to put in place cyber-security measures that are robust enough to curtail the damage that other belligerents are attempting to inflict.


However, if we assume that the provisional measures are ineffective, or that one or more of the member States refuses to comply, and that the level of tension caused by the cyber emergency continues to increase, then the Security Council can make recommendations on what should be done, or can move directly to taking action under Articles 41 and 42. In practice, and by custom, the Security Council first makes recommendations directly to the belligerents. These recommendations are by no means the statements of a "paper tiger", for they are backed by the entire authority of the Security Council and in order to be made will have the support of all Permanent Members of the Council.(9)


There is a great deal of flexibility in the types of recommendations that can be made by the Security Council. It should be noted that whereas in Article 40, the instructions regarding provisional measures are made with respect to the belligerents, under Article 39, recommendations can be made to any party, to any member State. In seeking to contain a cyber emergency, the Security Council could recommend that each belligerent engage in a "cease fire", or cooperate with each other in exchanging information so as to lower the level of tensions. But the Security Council also could recommend that other member States take actions to stop the cyber emergency. This might include measures such as (a) preventing the travel of programmers; (b) stopping the export of information services; (c) ceasing access on their own territories of ICT infrastructure that might be used by the belligerents to conduct cyber attacks; (d) engaging in monitoring of the Internet in order to understand the level of compliance with UN Resolutions. In this scenario, we are assuming that the nature of the instability is a cyber-based conflict, and there are no kinetic forces involved. As in the case of provisional measures, the Security Council would engage in monitoring the cyber emergency to see the level of compliance with its recommendations. Again, the amount of time to wait to see if the measures have any positive effect in mitigating the level of cyber violence is not specified. Whether or not the Security Council moves to take up further action under Articles 41 & 42 will depend on the level of cyber carnage the belligerents inflict on each other. In addition, given the interconnected nature of the Internet world-wide, there will be a severe risk that the malware tools being used in the cyber attacks will become released into the global Internet ecosystem, leading to increased danger for member States not involved in the cyber conflict.
In cyberspace, the danger of a conflict breaking out and causing a chain reaction across the cyber infrastructure of the entire planet is much greater than is the danger of a regional kinetic conflict spilling over and causing a larger military confrontation.


In the historical and traditional world of kinetic conflict, it is a formidable barrier for the Security Council to move to take action under Articles 41 & 42. Traditionally, this involves violence, use of military force, and war-fighting, with all of the dangers of a conflict spiraling out of control. Therefore, historically, there is a strong reluctance on the part of the international community to allow the Security Council to become engaged in this type of action. Given the nature of cyber conflict, the practical result is completely different. Two forces will be at play that will increase the probability that the Security Council will more rapidly move to further action under Articles 41 & 42. First, since cyber conflict for the most part will not be aimed at the destruction of human life, and will not be based on kinetic effects, then fear of untoward consequences of Security Council action will be decreased. Without potential kinetic effects, there is a lower barrier to entry for use of cyber power. Second, the sense of urgency will be much greater because of the interconnected nature of the world's telecommunications infrastructure. Whereas in the case of a kinetic conflict, there is a chance of it gradually spreading, in the case of a cyber emergency, it is possible for devastating consequences to be promulgated overnight. This danger will force a considerable speeding-up of the decision-making processes in the Security Council. To a certain extent, this might indicate an increased risk of poor decisions being taken. However, this risk must be balanced against the fear of global consequences to cyber stability if prompt and effective action is not taken.


Security Council Use of Internet "Kill Switch" Under Article 41


Under Article 41, the Security Council does not take direct action against the belligerents, but instead can "call upon Members of the United Nations" to take measures that will "give effect to its decisions".


The exact wording of Article 41 is "The Security Council may decide what measures not involving the use of armed force are to be employed to give effect to its decisions, and it may call upon the Members of the United Nations to apply such measures. These may include complete or partial interruption of economic relations and of rail, sea, air, postal, telegraphic, radio, and other means of communication, and the severance of diplomatic relations." (emphasis added)


In this Article, the Security Council does not take action itself, but instead calls for Member States to take action.


Of particular concern for management of cyber stability is the power to call for "complete or partial interruption" of communications. This means that the Security Council has the power to call for a State to be completely cut off from the Internet. All social media, email, e-commerce, cloud services, banking transactions, even telephone communications and encrypted apps such as WhatsApp or Line would be closed down. In an advanced nation, such a shutdown would be equivalent to a cyber "atomic bomb", only for the entire society at once. This is an extremely severe measure, and it is doubtful that any nation today could survive such a shut off.


The flexibility to call for "partial" interruption has important implications for management of cyber stability. In practice it means that for any social media, cloud service, email, or other application that has any lever of control outside of the member State, it would be possible to selectively apply the restrictions. For example, it would be possible to block the communications of everyone except IP addresses originating from medical facilities. It would be possible to block the Internet communications of persons from one city but not another. It would be possible to block all Internet communications from IP addresses originating with the government or military establishment, but leave open the communications of Civil Society. If there were civil disturbances, it is reasonable to expect the capability of turning off all Internet communications of government personnel, but leaving open all Internet communications of dissidents, or of those attempting to overthrow the government. Or the other way around: the communications power of the government could be left intact but the citizenry could be turned off. If there were specific companies, organizations, or economic sectors to be targeted, then it should be possible to selectively target them, leaving untouched and uninterrupted other sectors.


The practical effect of the Internet and the revolution in cyberspace has been a vast increase in the power of the Security Council. This is because in the original framing of the UN Charter, Article 41 envisages simply cutting off or interrupting telecommunications traffic into and out of an offending nation State. With the penetration of social media, cloud services, digital certificates and other aspects of the Internet throughout more or less every nation, the level of inter-connectedness has vastly increased. Some nations, most notably China and Russia, have done much to build their own infrastructure. In the case of China, there was a dual purpose: First, to copy the technologies of the West without paying excessive royalties for intellectual property; Second, to increase the power of the national government, since it has ultimate sovereignty over all information within its jurisdiction. But even in the case of China, it would suffer greatly if its corporations were cut off from the outside world. The same is true of Russia or of any other nation that has attempted to build informational autonomy into its national security strategy. The United States is equally vulnerable, but is at an advantage over other nations because so much of Internet technology and communications is owned by its companies. In some nations, in-country data processing requirements have been enacted into law. This requires providers of Internet based cloud services to ensure that name-linked data connected to any of its citizens be stored and processed within the country. This presumably means that should there be a cut-off from the outside, the personal data of its citizens would not be compromised. Even so, it is not clear that given a cut-off of services, these home-based information systems would continue to operate. Apart from some experimentation in Russia, there has been little reported regarding actual field testing of this type of emergency situation.
Therefore, the global effects of such a cyber event are unknown, and unpredictable.


In the same way that the possession of nuclear weapons has made obsolete the notion of war between the superpowers, it is unlikely that there will be a major cyber war between the world's cyber superpowers. As a result, the Security Council will most likely become seized of matters involving cyber conflicts between states that are not cyber superpowers.


Another complicating factor in the use of Article 41 action is the relationship between government and the private sector. Almost all social media, cloud services and other Internet application platforms are owned and operated by the private sector. Consequently, a gap may emerge between government policy and what private enterprise is willing to do. For example, it is not clear that multinational enterprises would wish to be seen going forward as mere tools of government policy. There would be immediate concern regarding the long-term effect on their business in those nations against whom they were forced to take action. The reputational effect of close cooperation with a national government can be severe and have an effect on the goodwill and thus stock price of a company. An example would be Apple Computer's resistance to demands from the Federal Bureau of Investigation in the U.S. to provide tools to break the security of the encryption system used by its customers. Since providing privacy is an important feature making Apple products attractive to the consumer, giving up that privacy for all of its customers might have serious untoward consequences for Apple's business.


In a nation such as China, a multinational's long-term business interests might be greater than their future in the United States, and this would be another reason to avoid following orders from the U.S. government. In addition, if selective measures were used, such as cutting access and services to some persons or organizations and not to others, then it would reveal the level of confidential and personal knowledge the service provider has accumulated regarding its customers. It is without doubt that such enforcement action would dramatically reduce the trust in these cyber entities. A similar breach of trust occurred when it was reported that the U.S. National Security Agency (NSA) had compromised the systems of the major email providers such as Google's Gmail, Yahoo Mail, and Microsoft's Hotmail. This had been done with full cooperation from the corporations providing the service. As a result, the European Union started to take measures to ensure that those services were provided to European citizens from computer centers based in Europe, out of the jurisdiction of the United States. There was a substantial drop in the confidence held for the security of U.S.-based cloud services.


In the United States, there is no established mechanism in place that would allow the U.S. government to agree to cyberspace enforcement activities for the Security Council and then automatically have those activities carried out by the private sector. One solution to this problem would be to put in place enabling legislation that would compel social media, cloud, and other Internet service providers to follow governmental instructions if the authority came from the Security Council and was agreed upon by the U.S. government. Generally, it is U.S. policy to conduct its affairs in a way that does not contravene the recommendations of the Security Council. This type of automaticity would be the route in many countries in which the government has a more commanding power over the business sector, or is a co-owner, e.g., in parastatal organizations. The United States presents a contrast. In the United States, it would be extremely difficult to get such legislation passed. Business organizations most probably would oppose the measure and predictably launch a public relations campaign along the lines that it is not a good idea to let international organizations controlled by others "dictate" to U.S. business specific things to do in their internal operations. The debate would fracture along typically conservative-liberal fault lines in the body politic and the lobbyists would do their part to influence the debate. One can only imagine the furor that would be generated if the U.S. Congress took up consideration of a law that would require Facebook, Google, Apple, Microsoft, IBM, AT&T, Verizon and others to be mandatorily bound to carry out any cyberspace policy agreed to by the U.S. in the Security Council. In the absence of this possibility, the enforcement of Security Council resolutions and recommendations by the private cyber sector in the U.S. might be carried out based on a type of voluntary industry Code of Conduct. What this means in a practical sense is that the voluntary nature of such a Code of Conduct would ensure that private enterprise has a type of veto power over the enforcement power of the Security Council. This leads to a type of absurdity that would disable an important power of the United Nations. In effect, it would leave governance of cyberspace to a group of semi-organized un-elected persons who are bound by their fiduciary responsibility to protect the economic interests of their enterprises, and are not legally required to sacrifice those interests for the purpose of international comity.


The solution to this problem is to increase the level of public-private partnership between the Security Council and the multinational cyber enterprise sector. In the same way that private sector advisory groups give guidance and crucial information to law-makers in the Congress of the United States, the United Nations can put in place an advisory system that will enable private enterprise to inform the Security Council regarding the practical steps that might be taken to mitigate a cyber emergency. (So-called "lobby" activity is protected by the U.S. Constitution, which has a clause guaranteeing the "right of the people to petition the government". It is found in the First Amendment: Congress may not abridge "the right of the people . . . to petition the Government for a redress of grievances".) If there was agreement between the private sector advisory group and the Security Council, then there would be less of a problem at the national level compelling the subsidiaries of the multinationals to carry out the recommendations of the Security Council. At this time there is no such collaborative and advisory system in place to inform the Security Council of the concerns and possibilities of action involving the private sector in cyberspace. This is an institutional weakness in the international system. It should be noted that in the majority of nation States, the private sector is not so independent of government policy. In most nations, it would be impossible or at best detrimental for the private sector to resist the directives of their home governments. In addition, it would be problematical for subsidiaries of foreign multinational enterprises operating in the provisioning of cyberspace services to resist the directives of the host country government. This problem would not be so difficult, except for the fact that the headquarters for the vast bulk of cyberspace is located in the United States, where business has considerable political power in comparison to the government.


The effect of a "cyber embargo" or "cyber blockade" on a nation State would be impressive. For example, assume that there was no agreement that the government of one belligerent was responsible for launching the cyber attacks that have led to the cyber emergency, and that during public debates in the Security Council it refuses to acknowledge responsibility and instead blames the event on vigilantes or criminal elements. Then the mere threat of a cyber-blockade should serve as a strong motivator for that government to take strong action within its own jurisdiction so as to quash the parties responsible for the cyber emergency. If it is the case that the government actually is responsible for the cyber attacks, but has relied upon private sector vigilantes to carry out its aggressive policy, then the threat of a cyber-blockade will likely compel the offending government to serve up the malicious actors under the pretense that they are the "independent" parties responsible for the cyber attacks.(10) But regardless of the subterfuge, if the level of cyber disturbance is decreased, then the Security Council will have accomplished its objectives.


There is an anomaly in Article 41 because it specifies that the measures taken must be of a nature "not involving the use of armed force". However, in leading cyber powers, both offensive and defensive cyber weapons are being developed primarily by the military establishment. For example, in the United States, the national defense work in cyber is being pursued by U.S. Cyber Command, formed initially from the NSA. It follows that an important part of U.S. response in cyberspace in conjunction with Article 41 measures would be taken by the defense establishment. Since this is a part of the "armed forces", some might interpret this to be prohibited by the limiting language of Article 41. But a literal reading of Article 41 says that the actions taken must not involve use of "armed force". It does not say that no action may be taken by the armed forces of a nation. After all, it often is the case that the armed forces are used for performing peaceful missions without kinetic fighting. In the case of offensive cyberspace activities conducted by the armed forces of a member State, in accordance with an adopted resolution under Article 41 of the Charter, these should be considered to be military actions "not involving the use of armed force".


A single letter makes the difference: "not involving the use of armed force" cf. "not involving the use of armed forces". If the language of Article 41 read "forces" (plural form), then it would prohibit cyber defense activities of the US Cyber Command and its equivalent in other member States.


Article 41 does not specify the order or sequence of member State support for the measures to be taken. It also does not require that all member States take the same type of action. The coordinated response of multiple member States to a request for a cyber embargo has never been tested. This type of event is terra incognita. The international community is completely unprepared to conduct this type of operation, even if there were support from the Security Council. At best what we could expect is a semi-coordinated response similar to how CERT organizations correspond with one another when there is a major malware incident. In the case of a global cyber emergency, the CERT operations around the world already would be in a state of high alert. Each of these organizations has close connections with the Internet service providers within their jurisdiction. There already is in place a sophisticated system of blocking spam, and containment of cyber malware. Presumably it would be possible to block the IP addresses for entire countries or parts of targeted countries. Such blockage likely would ride upon the pre-existing blocking infrastructure already in place, providing there was cooperation between the groups controlling the crucial transit points for the Internet.(11) The Internet Corporation for Assigned Names and Numbers (ICANN) and Internet Engineering Task Force (IETF) would play a crucial role in coordination of activities to build the methodology for a cyber-blockade that can be put into effect in case of a cyber emergency. This is an extremely diverse group of persons. We can expect it would be challenging to work out these procedures. The Internet Governance Forum (IGF), an activity supported by the Secretariat of the United Nations, might serve as one of the initial institutions hosting discussions on how to build these capabilities for the international cyber stability community.


In the event that the threat to international peace and security in cyber space originates in non-State organizations, under almost all circumstances, responsibility for taking action would vest in member States and not arise within the peacekeeping machinery of Chapter VII of the Charter. If, however, the disturbance of global cyberspace was of great enough magnitude, then the Security Council might be seized of the matter. There is nothing in Article 41 that limits the actions of the Security Council merely against nation States. It follows that Security Council action can take place against any source of instability in global cyberspace, particularly if the source can be identified with reasonable certainty. This would be done through a Security Council resolution calling on member States to take specific actions. For example, it might call upon member States to increase cooperation between national security and law enforcement organizations so as to combat the menace of a transnational threat. It might call on member States to ensure that at the technical level of management of the Internet, member States work to ensure that there is a coherence in strategy and perhaps an accounting back to the Security Council of what steps are underway in order to address the threat. In sum, the Security Council has the power to take action not only against an aggressor nation, but against transnational non-governmental actors that threaten the international peace and security of cyberspace.

The Security Council Mobilization of "UN Cyber Force" under Article 42


If the calling upon the resources of member States to address cyber instability is not effective, then the United Nations Security Council has the power to take powerful action of its own accord. Article 42 provides that:

Should the Security Council consider that measures provided for in Article 41 would be inadequate or have proved to be inadequate, it may take such action by air, sea, or land forces as may be necessary to maintain or restore international peace and security. Such action may include demonstrations, blockade, and other operations by air, sea, or land forces of Members of the United Nations.

It is clear from the language of Article 42 that the Security Council can jump directly to direct action even without previous actions having failed. It needs to merely "consider" that lesser action would be ineffective. When the United Nations was set up, it was not designed to have its own military forces. The United Nations is not a "world government". Article 42 envisages that the United Nations utilize the "air, sea, or land forces of Members of the United Nations". Consequently, a question arises as to whether the use of "cyber force" would be included. First of all, the wording "demonstration" and "blockade" does not limit the action to kinetic military force. In terms of "blockade" the traditional meaning of the term is the use of land or ocean forces to cut off the flow of critical supplies to the offending State. This is a 20th Century version of a medieval siege in which a city was surrounded and its supplies of food cut off until its people surrendered. What would be the equivalent in the world of cyberspace? Here a blockade would mean the interruption of social media, email, cloud, and other Internet-based services. Generally, a blockade does not involve the taking of military action within the State that is being placed under pressure. In cyberspace terms, this would mean that the terminating points of data communications traffic connecting into the offending State would be filtered out. This blockage could be complete or partial; general or specific according to application. Nevertheless, the language "other operations" and its linkage with "air, sea or land forces" clearly envisages military conflict. As such, military conflict does not automatically stop at the border of the offending State. What this means in practical terms for cyberspace operations is that the armed forces, and their cyber-fighting components, are empowered through Article 42 to take actions within the national sovereignty space of the offending State. Consequently, the forces operating on behalf of the Security Council would be empowered to penetrate the firewalls and other information security barriers of the offender State and carry out offensive cyber operations for the purpose of stopping its activities that are a source of instability to global cyberspace. The wording of Article 42 also makes it clear that the Security Council is empowered to launch kinetic attacks against computer centers, Internet switching centers, and the internal telecommunications network within the offending State.(12) Although this type of scenario is interesting and even fanciful to discuss, its likelihood is very low because of all the preliminary layers of action available to the Security Council before reaching the level of urgency required to trigger Article 42. Hopefully a global cyber emergency would never reach the level of urgency that would compel coordinated action under Article 42.


An additional element of consideration is the concept of "demonstration". In the kinetic world, this refers to showing force. What would this mean in cyber terms? One possible demonstration would be the temporary disruption of cyber services for a short period of time, such as 4, 8, 12 or 24 hours. This might serve as a warning to the offending State regarding the determination of the international community to persist in imposing even stricter controls if cyber stability is not reestablished. (This type of scenario is difficult to discuss without approaching the border between scholarship and science fiction.)

UN Cyberforce for Peacekeeping and Maintenance of International Peace and Security in Cyberspace


Is there an analogy between the "blue helmet" peacekeeping forces of the United Nations and its equivalent in cyberspace? In the traditional peacekeeping role for the United Nations, these forces are interposed between the belligerents in order to prevent the outbreak of hostilities. The object of this is to keep the situation stable until the Good Offices of the Secretary General or other negotiations are able to work out an agreement to resolve the situation that is the source of the violence. Some have argued that United Nations peacekeeping has never actually solved military conflicts but instead has merely acted to make the conflict continue indefinitely and never reach a resolution.(13) In this line of thinking, instead of allowing the natural process of war to play out and reach its goal, which is to burn out the desire for war between the parties, instead the interposition of peacekeeping forces tends to congeal war so that it never ends. Peacekeeping comes into play when first there is an outbreak of violence, and then by one means or another, the United Nations manages to get agreement from both sides to interject forces that will act as a "tripwire" to prevent further escalation and violence.



Figure 2 - Layers of cyber peacekeeping and intervention by the United Nations Security Council

What would be the equivalent in cyberspace? Can there be a United Nations Cyber Peacekeeping force? If so, then how would it work? Such an action presupposes that it is possible to identify the belligerents, and then it is possible to get agreement for a role of the United Nations in keeping the peace. But the physical implementation of these measures would be completely different. In the case of a kinetic "ground" conflict, there is a definable physical border that can be specified in order to locate the United Nations peacekeeping forces. There is no such border in cyberspace. Even though it is not possible to define a physical border, it would be possible to define a logical border within cyberspace. It would be here that the United Nations would place its peacekeeping forces. In practical terms, this would imply that telecommunications operators, social media providers, cloud services and other Internet-based applications providers would act to monitor the flow of cyberspace communications so as to ensure that no aggressive cyber attack traverses the logical boundary separating the belligerents. This would imply that in order for the Security Council to put in place a cyber peacekeeping force, it would be necessary to get an agreement from the belligerents that any Internet traffic flowing from one to another would be monitored so as to ensure that it did not contain malware.


This would be equivalent to placing a nation on an enhanced "watch list" in which the Internet communications originating on its territory would be subject to enhanced scrutiny and even temporary waylaying or quarantine until such time as it was determined that the content was harmless. This would be an initial step that could be taken before there was an effort to actually sever telecommunications services or access to applications. This imposition of a "cyber quarantine" would serve as a type of warning to the offending nation that more stringent steps could be taken later unless its behavior is improved.


The use of data mining and profiling through social media allows the Security Council to engage in the equivalent of "precision cyber bombing". If the same type of algorithms were used for targeting of offending groups as are used in the provisioning of online advertising, then it would be possible for the Security Council to target via cyber tools very specific sub-groups of persons. It would be possible, for example, to temporarily suspend the Internet activities of all men in a country if it were engaged in the harassment or persecution of women. It would be possible to turn off Internet services for only certain cities, or neighborhoods associated with where government workers live. It would be possible to target universities or scientific research establishments, or the government or military without harming or interrupting the Internet activities of others within the society. This is an extremely powerful weapon that could be put into play during a social disturbance. For example, in the midst of a social revolution within a country, it would be possible to disable the government but allow the social media services of the dissidents and revolutionary forces to continue their operations without interruption. This type of intervention into the social dynamics of a country would be extremely significant. An example of the dynamics in such a situation would be the role of social media during the Arab Spring when the Internet was used as a powerful organizing tool for the dissidents seeking to overthrow the government. The practical implication of this flexibility in the targeting of cyber sanctions is that the effective power of the Security Council has been significantly increased in comparison to what is possible using conventional military forces.


It also implies that the peacekeeping operation within the Security Council would be given access to real-time reporting of any cyber events that were flowing between the belligerents. In the same way that the United Nations does not possess a military force, it does not possess a cyber force. Consequently, in order to make peacekeeping work, it would be necessary for those private sector and government-based cyber monitors involved in peacekeeping to provide a stream of regular reporting of their information to a United Nations based cyber operation. There is no such operation within the United Nations and in order to carry out cyber peacekeeping, it would need to be configured. One complimentary aspect of cyber peacekeeping is that since it involves the use of virtual force, the operational costs of such action likely would be far less than that associated with the deployment of "boots on the ground" under the older form of peacekeeping. There would be cost in providing a unified systems application interface that could be monitored by a staff that then could report its results to the authorities within the United Nations.


Does this mean that the Security Council would be able to "fight" a cyber conflict? It depends on the definition of "fighting". This depends on the level of effective coordination between the underlying groups controlling the Internet and the Security Council.



Figure 3 - Coordination levels needed in order to carry out cyber peacekeeping operations by the United Nations Security Council


Public-Private Partnerships Between the United Nations and Enterprises Providing Global Cyberspace Security


The trend towards the creation of partnerships between the United Nations and private enterprise arose as part of the trend towards a multi-stakeholder approach. Any effort to establish cooperation between the United Nations and the private sector in the realm of cyberspace must be seen within the context of the historical emergence of the multi-stakeholder model of governance. The multi-stakeholder approach for tackling international public policy issues is not something that was forced upon the United Nations. Instead, it was the United Nations itself that invented it. The United Nations recognized the promise of this new model, and acted. Consequently, we can say that multi-stakeholder-ism at its core is "true blue". See Figure 3.


By the time of the 55th session of the General Assembly (2001), the idea of "global partnerships" had emerged.

"[E]fforts to meet the challenges of globalization could benefit from enhanced cooperation between the United Nations and all relevant partners}, in particular the private sector, in order to ensure that globalization becomes a positive force for all." (emphasis added)(14)

The following year (2002) the General Assembly emphasized "developing partnerships through the provision of great opportunities to the private sector, non-governmental organizations and civil society in general".(15)


There was a learning curve for the United Nations. In 2003 it was "still learning how best to utilize the potential benefits of partnerships [and there were] [e]fforts . . . to scale up promising approaches and to learn from experience".(16) Yet, by the 56th session, the United Nations Millennium Declaration(17) was referenced and the definition of external partners continued to expand.(18) This phase of partnerships was an exploratory one, and by the 58th session (2004), some mention was made of "adher[ing] to a common and systematic approach to partnership . . . without imposing undue rigidity in partnership agreements".(19) There also was a reminder that "voluntary partnerships . . . are . . . not intended to substitute for the commitments made by Governments" and much emphasis was placed on the "exchange of . . . information [between the partnerships and] Governments [and] other stakeholders". These resolutions would indicate that there had perhaps been complaints about rigidity, lack of sufficient exchange of information and reporting, and ambiguity regarding the role of governments when one of these new forms of partnership was put in place.


It is clear that the United Nations was going through an adjustment phase. The multi-stakeholder approach was new, and there were inevitable bugs that had to be worked out. Nevertheless, it was recognized that "partnerships are an integral part of the work of much of the United Nations system".(20) By 2005, it was recognized that the United Nations needed to change its own operations to accommodate this new approach including "increasing institutional capacity in country offices, . . . training of staff, [and] streamlining . . . [of] guidelines". By 2007, it was able to say that "since the 1990s, the private sector and other stakeholders have increasingly become active partners in helping the Organization achieve its goals, as a complement to Government action."(21) The multi-stakeholder approach was being used in a variety of ways including training and sharing of best practices. Nevertheless, there was a recognition that the United Nations was compelled to assess its own institutional capacity for effective partnering. In addition, much thought had to be put into the legal relationship between the United Nations and external partners, particularly as regards contracts and liability.


"Nothing in such a partnership shall be deemed to establish either party as the agent of the other party or create a 'legal' partnership or joint venture between the parties. Neither party has power to bind the other party or to contract in the name of the other party or create a liability against the other in any manner whatsoever". (United Nations, Guidelines on Cooperation between the United Nations and the Business Sector, 20 November 2009, para. II.6)

In its relationship with the business sector, the United Nations set up a number of "internal and external information sharing platforms" to exchange information. For the management or even monitoring of cyberspace necessary for peacekeeping operations, these information sharing arrangements have not been as well developed as they would need to be.


It is important to keep in mind, however, that the concept of multi-stakeholder-ism has nothing to do with actual control over setting of international public policy. There is nothing in any United Nations document that suggests even in the most remote sense that anyone other than governments will set policy. The sharing of information, and the joint conducting of activities between the United Nations and businesses, or NGOs or others, is designed to carry out the policies that have been set by the General Assembly or in some cases the Security Council. In other words, multi-stakeholder-ism was designed to assist the United Nations in carrying out its objectives, but it was not designed to change in any way the multilateral nature of the institution, and the same model has been propagated to subsidiary parts of the United Nations system such as the World Health Organization (WHO), the International Civil Aviation Organization (ICAO), and essentially to all subsidiary UN bodies.


There is, nevertheless, a widely-held notion that these partners of the United Nations can do very much to influence public policy setting. Throughout the United Nations system, these partners provide advice, identify key issues, give options for possible policies, make suggestions for improvements, and in general support policy-making, and this incoming information is widely considered to be vital.


Nevertheless, when it comes to actually setting the policy, it is the nation states that do it. Member states of the United Nations listen to everyone, but they make their own decisions.


So the role of the private sector in helping carry out the resolutions of the Security Council would sit solidly within the evolving multi-stakeholder efforts of the United Nations, but we can also see that these efforts themselves are not static or sufficiently defined and consequently would represent a learning curve for everyone involved. One lingering question, however, is whether the private sector community managing cyberspace can increase its activities in providing insights or advice for global cyber stability.


 

NOTES


(1) There is no legal definition of "global cyber emergency". Here, we refer to an event that has at a minimum the following characteristics: (a) is global in character, having a simultaneous effect on multiple jurisdictions (nations); (b) interferes with critical infrastructure in a way that is substantially harmful to the economy or to the continued operation of important social and cultural activities; (c) the source of the cyber disturbance can reasonably be identified as originating an intentional interference with cyberspace, and thus is not a freak accident or unintended consequence of the world's cyber complexity; (d) is broad and substantial enough to be declared a national emergency by the governments of one or more nation states.


(2) The speech was given by Adlai Stevenson in the Security Council October 25, 1962. "I want to say to you, Mr. Zorin, that I do not have your talent for obfuscation, for distortion, for confusing language, and for double talk. And I must confess to you that I am glad that I do not!"


(3) See United Nations Press Release, Briefing Security Council, US Secretary of State Powell Presents Evidence of Iraq’s Failure to Disarm, SC/7658, 5 Feb. 2003, 4701st Meeting (AM) (It turned out later that the conclusions drawn from this evidence were not accurate.)


(4) See Lindsay, "Tipping the scales: the attribution problem and the feasibility of deterrence against cyberattack", 1 J. of Cybersecurity 53–67, 2015 "Cyber attackers rely on deception to exploit vulnerabilities and obfuscate their identity, which makes many pessimistic about cyber deterrence. The attribution problem appears to make retaliatory punishment, contrasted with defensive denial, particularly ineffective."; see also Tsagourias, "Cyber attacks, self-defence and the problem of attribution", 17 J. of Conflict and Sec. L., 229–44, 2012 "[T]he victim State can use force by way of self-defence against another State if the attack has been committed by the latter's organs or agents or has been committed by non-State actors tolerated by that State."; Rid & Buchanan, "Attributing Cyber Attacks", 38 J. of Strat. Stud. 1–37, 2015; Wheeler & Larsen, Techniques for Cyber Attack Attribution, Alexandria, Va.: Institute for Defense Analysis, Paper P-3792, 2003


(5) If the responding nation State launched a kinetic counter-attack, such as by dropping bombs on the computer facilities responsible for origination of the cyber attack threatening its sovereignty, then it would quickly ease the barrier to Security Council consideration of the matter.


(6) See Catalin Cimpanu, "In a first, Israel responds to Hamas hackers with an air strike", ZDNet (online) May 5, 2019


(7) Example: Exemption from prosecution for computer crimes.


(8) This is sometimes referred to as "plausible deniability", but increasingly has grown thin as a believable defense.


(9) In many cases, one or more of the Permanent Members will abstain from voting on an action by the Security Council. When this happens, it still is possible for the recommendation to pass. By not disagreeing directly with the recommendation through use of its veto, the abstaining Permanent Member is signalling that although it is very much concerned with the matter, it will not necessarily support stronger action of the Security Council that might be suggested under Articles 41 and 42.


(10) In the veiled and deceitful world of international diplomacy, it would be possible for a member State to go so far as to take convicted murderers away from death row and serve them up as members of a vigilante cyber band. This would accomplish several goals: (a) it would "save face" in the international community so as to keep a patina of innocence for the belligerent government; (b) it would satisfy external observers that the recommendations of the Security Council were being carried out in "good faith"; (c) it might provide the death row inmates with a chance of avoiding their sentence should they continue to cooperate in the charade. The substitution of one person for another in manipulation of perception in international affairs is commonplace during times of national emergency.


(11) At the top level, "Tier 1" networks operated by large telecommunications providers link together very high speed networks. "Tier 2" and lower level networks provide their services by purchasing service from the Tier 1 companies. Internet Exchange Points (IEPs) link these larger networks to multiple Internet service providers. In addition, there are a number of sub-networks that perform specialized functions, such as supporting specialized research institutions.


(12) There has been a significant amount of debate regarding the bleed-through of the barrier between "kinetic" and "cybernetic" conflict. Much of this work has turned upon the legal definition of warfare, at least in the conventional sense. However, as can be seen from a careful reading of the United Nations Charter, this bleed-through already is written in because of the insertion of "definition-expansion" words such as "other operation". The word "other" has no clear bounded definition.


(13) See Edward Luttwak, Presentation, "How war can bring peace", Creative Innovation conference, Melbourne, 2012 at https://youtu.be/XTTruD9WTvc


(14) Resolution adopted by the General Assembly, Towards global partnerships, 6 March 2001, A/RES/55/215, para. 4.


(15) See General Assembly A/RES/56/76 of 24 January 2002


(16) Report of the Secretary-General, Enhanced cooperation between the United Nations and all relevant partners, in particular the private sector, 18 August 2003, A/58/227.


(17) See A/RES/55/2


(18) See "[D]eveloping partnerships through the provision of greater opportunities to the private sector, non-governmental organizations and civil society in general so as to enable them to contribute to the realization of the goals and programmes of the Organization" (emphasis added), A/RES/56/76, para. 5


(19) Towards global partnerships, A/RES/58/129, numbered paragraph 2 (emphasis added)


(20) See Report of the Secretary-General, Enhanced cooperation between the United Nations and all relevant partners, in particular the private sector, 10 August 2005, A/60/214.


(21) See Report of the Secretary-General, Enhanced cooperation between the United Nations and all relevant partners, in particular the private sector, 14 September 2007, A/62/341.


