European External Action Service

05/26/2023 | Press release | Distributed by Public on 05/25/2023 23:10

EU Statement – UN Security Council Arria-formula meeting: Responsibility of States to cyberattacks on critical infrastructure


EU Statement - UN Security Council Arria-formula meeting: Responsibility of States to cyberattacks on critical infrastructure

25 May 2023, New York - Statement on behalf of the European Union by H.E. Ambassador Olof Skoog, Head of the Delegation of the European Union to the United Nations, at the Arria formula meeting on the Responsibility and responsiveness of States to cyberattacks on critical infrastructure

Mr./Ms. Chair,

Thank you for the opportunity to participate at this topical meeting. I have the honour to speak on behalf of the European Union.

Mr./Ms. Chair,

Malicious behaviour in cyberspace from both State and non-State actors has intensified in recent years, including a sharp and constant surge in malicious activities targeting the EU and its Member States' critical infrastructure, supply chains and intellectual property, as well as a rise in ransomware attacks against our businesses, organisations and citizens.

Cyberattacks are a threat to peace and security and a game changer in conflict and the conduct of war.

Well-targeted attacks, including on critical infrastructures, have increasingly harmful effects on economies and daily lives, including on EU Member States and our partners. Last year's attacks against Ukraine as well as on Montenegro and Albania, EU candidate countries, or the ransomware attacks affecting Costa Rica, are just mere examples here.

With the attacks, perpetrators affected critical digital government infrastructure and direct impact the delivery of public services to people and businesses.

The EU expressed solidarity with the victims of such attacks and continues to strongly condemn this unacceptable behaviour in cyberspace.

Such destabilizing and irresponsible behaviour seeks to threaten the integrity and security of a sovereign country, its institutions, values and principles. It also attempts to undermine democratic institutions and societies at large, and could potentially have spill-over effects to other countries. We continue to urge states to respect international law and to refrain from such conduct in cyberspace.

As mentioned in the UNSG Our Common Agenda Report, cyberattacks are one of the main strategic risks we are currently facing. To meaningfully address them, we should implement stronger measures to prevent, detect, deter and respond to cyber-attacks, notably those on critical as well as on civilian infrastructure and to ease cyber related tensions.

With the unstable cyber threat landscape, all States need to continue to step up their ability to strengthen situational awareness, prevent infrastructure on their territory from being misused, enhance their ability to handle cyber incidents and ensure solidarity and mutual assistance. We continue to work with partners to address cyber-attacks by strengthening cyber resilience, through effective cyber crisis management, dealing with the causes and the impact, as well as by enhancing accountability in cyberspace. The lessons learned from the Russian aggression against Ukraine in cyberspace is that enhanced resilience and preparedness is essential to face such malicious behaviour in cyberspace.

Adding to the EU's tools to address cyber-attacks, the recently proposed EU Cyber Solidarity Act aims notably at increasing preparedness of critical entities across the EU as well as the solidarity by developing common response capacities against significant or large-scale cybersecurity incidents, with the support on the private sector. Trusted cybersecurity service providers could be an amplifier of public capacities in particular in a context of skills shortages across the world. At EU level, the creation of a Cyber Emergency Mechanism is a step in the right direction to continue to build an efficient cyber crisis management ecosystem.

In particular with regard to the protection of critical infrastructure, while recognising the central role of States, the private sector has a wide range of expertise, knowledge and capabilities to maintain cyberspace global, open, free, stable and secure. The industry has an overview of the most prominent vulnerabilities, threats and activities, to reinforce situational awareness and cooperation to prevent, detect and mitigate the impact of cyber-attacks.

Mr./Ms. Chair,

The EU and its Member States are continuously reinforcing their capacity to prevent, discourage, deter and respond to and immediately recover from malicious cyber activities. The revision of the EU Cyber Diplomacy Toolbox, also part of the EU's full-spectrum approach to address cyber-attacks, allows the EU to use diplomatic, political, legal, strategic communication, technical, operational or economic measures to enhance resilience, effectively respond to cyber-attacks, and by that contribute to conflict prevention, cooperation and stability in cyberspace.

What should be clear to everyone is that cyberspace is not a lawless domain. All United Nations Member States have agreed that international law, including the UN Charter in its entirety, applies in cyberspace. With that, States bear responsibilities to ensure international peace and security in cyberspace and can gain support from international law to protect them against malicious cyber activities.

To strengthen international security, we should advance our common understanding of the application of international law in cyberspace. What is illegal in the physical domain, is also prohibited in the cyber domain, and we should work together to ensure international law is respected. To this end, we should hold states that engage in irresponsible and unlawful behaviour in cyberspace accountable, as is also done in the physical world. Existing international law provides us tools for doing so - the rules of legal attribution under the law of state responsibility, means of peaceful settlement of disputes, including the possibility of turning to international courts and tribunals.

Last but not least, it is to be recalled that through the OEWG on ICT, we continued to strive to find common ground on the whole range of efforts to enhance international security, including the identification of existing and potential threats, capacity building, CBMs and/or regular institutional dialogue. The establishment of a permanent platform to discuss these issues within the First Committee through a Cyber Programme of Action will allow us to continue our work, in addition as to cooperation on cyber capacity building. With that we can make a significant effort to make the digital as well as the real world a more secure place, prepared to face the new challenges.

Thank you