Canada’s submission to UNSC Open Debate on cybersecurity

New York, 29 June 2021

We thank Estonia for organizing this Security Council session on such a timely and relevant topic. Canada is pleased to have the opportunity to contribute to this discussion.

The world is increasingly reliant on digital technologies and the Internet. Threats to international peace and security emanating from cyberspace are numerous. Interference in democratic processes is one area of particular concern. Another is the recent increase in ransomware incidents. We must therefore continue to take steps to maintain a free, open and secure cyberspace.

The agreed framework for responsible State behaviour in cyberspace is the foundation of peace and stability in this space. The framework consists of recognition of the applicability of international law to cyberspace, adherence to the internationally agreed norms, capacity building, and the use of confidence building measures. Together, these elements reduce the risks of escalation and conflict.

This framework was reaffirmed in the recent consensus reports adopted by the UN Open-Ended Working Group (OEWG) and Group of Governmental Experts (GGE).  All UN Member States have now committed to be guided by the framework.

International law is vital to ensuring that the rules-based international order extends to cyberspace.  The recent OEWG and GGE reports reaffirmed the applicability of international law in cyberspace, and made important advances in this regard. The OEWG report recommended greater cooperation on international law capacity building, in order to enable more States to develop their national views and build common understandings. In the GGE report, the applicability of international law was reaffirmed, and international humanitarian law was specifically mentioned.

The May 2021 GGE report provides guidance on the implementation of the eleven voluntary norms of responsible State behaviour adopted by the UN GGE in 2015 and endorsed by all members States through UN General Assembly resolution 70/237. Canada believes that these agreed norms and international law are largely sufficient to guide State behaviour in cyberspace. However, work remains to be done on their dissemination and implementation.

Take the recent high profile ransomware incidents perpetrated by criminal groups. These resulted in widespread disruptions of key industries such as energy and food supply. They also affected financial markets.

Although criminal groups were responsible for these acts, these examples highlight the importance of international law, and of the eleven GGE norms, several of which address ICT threats to critical infrastructure directly or indirectly. One norm stipulates that “States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts.” Another says that “States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs.”

Criminal actors who engage in ransomware and other criminal activities live in and work from States. They use States’ digital infrastructure to undertake their malicious activity. They are subject to those States’ laws.  When informed of potential malicious activity emanating from their territory, States have a responsibility to respond, enforcing their laws and cooperating with other States. By agreeing to be guided by the GGE norms, we have all undertaken to do this. This is also why a growing number of States have adopted strong laws to combat cybercrime. In many cases, States have based their laws on the Budapest Convention on Cybercrime, which now has parties from all regions of the world.

As we have seen in recent situations, all States do not always respect the framework of responsible State behaviour, unfortunately. Some are allowing cybercriminals to operate with impunity from their territory. Others are using proxies or purposely engaging in malicious cyber activity that goes against the framework. On several occasions, Canada has joined international partners in calling out and responding to such behaviour and the threat it poses to international peace and security.

Canada was one of the 27 signatories of the September 2019 Joint Statement on Advancing Responsible State Behavior in Cyberspace. In addition to reaffirming the framework of responsible State behaviour, we committed to “work together on a voluntary basis to hold states accountable when they act contrary to this framework, including by taking measures that are transparent and consistent with international law.”

That is what we have been doing, and we will continue to do so. It is important to highlight counter-normative behaviour, in order to uphold the framework of responsible State behaviour. We encourage others to do the same.

Shifting to the way ahead at the UN, Canada looks forward to engaging constructively at the 2021-25 OEWG. We will also actively contribute to the development of a UN Programme of Action (PoA) on cybersecurity. Canada is a PoA co-sponsor, as we believe that the PoA could serve as a useful, action-oriented forum to promote the implementation of the framework for responsible State behaviour.

The success of these two processes will depend on their ability to integrate diverse voices and perspectives in their working methods and outputs. At the OEWG, Canada has argued for meaningful participation of non-governmental stakeholders. Civil society, academia, the technical community and the private sector have much to contribute to these discussions, as they play an important role in implementing the recommendations of GGEs and OEWGs. We will advocate for strong stakeholder engagement in the PoA as well, as it is being developed.

It will also be important to ensure that the voices of women are meaningfully heard, whether at the OEWG or PoA. Gender should be mainstreamed in both processes from the get-go, to ensure that the work of both groups addresses the gender aspects of cyber security. It has been well documented that conflict mediation processes that included meaningful participation of women led to much stronger outcomes and less chance of hostilities resuming after peace processes concluded. UN cyber processes can be similarly strengthened by including the meaningful participation of women. Inclusion is important for the success of both processes.

In short, Canada remains a steadfast supporter of the framework for responsible State behaviour in cyberspace. We will continue to promote the implementation of the recommendations of past GGEs and of the recent OEWG. We will also persist in calling out and respond lawfully to malicious cyber activity that goes against the framework. We look forward to continuing to work with the international community to promote international peace and security by enhancing stability and security in cyberspace.