UN Cyber Norm F | Do not damage critical infrastructure
A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;
What is it about?
Norm (f) recognizes the importance of safeguarding critical infrastructure from cyber threats in order to prevent significant disruptions and ensure the continued provision of essential services to the public. It calls on states to refrain from ICT activities that could damage critical infrastructure, thereby supporting international peace and security.
Why is it relevant?
Critical infrastructure is fundamental to a society’s vital functions, services, and activities. However, daily reports highlight cyber attacks on critical infrastructure, affecting sectors such as energy, healthcare, transportation, and more. If these were significantly impaired or damaged, the human costs and impact on a state’s economy, development, political and social functioning, and national security could be substantial.
How is it implemented?
In accordance with the clarification provided in the UN GGE 2021 report, to effectively implement the norm, states should consider the following measures:
- Defining critical infrastructure and appropriate measures to protect it: Each state determines which infrastructures or sectors it deems critical within its jurisdiction, in accordance with national priorities and methods of categorization of critical infrastructure.
- Developing national policies and legislation: Establish policies and legislative measures that define and protect critical infrastructure. These should ensure that ICT activities, whether conducted or supported by the state, do not negatively impact critical infrastructure or essential public services in other states.
- Ensuring compliance with international obligations: Align national measures with international legal obligations. This includes adhering to relevant international treaties, agreements, and standards that govern the protection of critical infrastructure and the use of ICTs.
Who are the main actors?
Although the norm addresses responsible state behaviour and is directed at UN Member States, additional actors can play a role in its implementation:
- International and regional organisations (e.g., OSCE, ASEAN, the African Union), which can be particularly helpful in providing frameworks, guidelines, and platforms for states to cooperate effectively, share best practices, and coordinate responses to cyber threats on a global scale. These organisations can also serve as platforms for facilitating communication between states in the event of incidents affecting critical infrastructure.
- National CERTs/CSIRTs, and FIRST as an international community of CSIRTs, which help advance the detection, investigation and response to ICT incidents affecting critical infrastructure.
- Non-state stakeholders such as private-sector owners and operators of critical infrastructure, technology and cybersecurity firms, and industry associations.
- Non-state stakeholders such as civil society and academia, which study vulnerabilities and threats to critical infrastructure, advocate for policies, and monitor government and corporate actions.
Where is it discussed?
The UN Open-ended working group (OEWG) remains the one and only process where all UN Member States discuss the implementation of the agreed norms, including this norm, on a regular basis.
States implement these norms domestically, including by adopting acts and policies at the national level, and may also engage in regional cooperation to enhance cybersecurity. Coordination between the agencies of different governments can also help develop a common understanding of cyber attribution and support the exchange of information useful for investigating ICT incidents.
Contacts between technical and cybersecurity researchers and incident responders from different countries (e.g., the contact that takes place within FIRST) are another way of operationalising the norm.
Various multistakeholder and international initiatives (e.g., the Geneva Dialogue on Responsible Behaviour in Cyberspace and the GFCE) serve as additional platforms for discussing the practical aspects of implementing the norm.