In July 2021, on the heels of a relentless series of ransomware incidents against U.S. critical infrastructure launched by actors located in Russia, President Biden and senior administration officials informed the American public that the United States regularly communicates with Russia about cybersecurity incidents of national concern, including ransomware attacks. In using channels like the “red phone” hotline, originally intended for nuclear crisis communications, to discuss cybersecurity incidents of national concern, the United States and Russia were employing a well-trodden communications pathway, one that has been used to avert crises, including nuclear escalation, between the two nations for years. But what do countries that don’t have regular high-level security communications pathways do when their critical digital infrastructure is under cyber attack, and the cyber attack appears to be coming from the territory of a country on the other side of the globe? An ongoing negotiation convened under the United Nations First Committee is building a structure to make clear and urgent communication on cybersecurity incidents accessible to every government.
As noted in the IST Ransomware Task Force Report, ransomware is one example of an urgent national security threat posed by insecurity of connected technologies. Ransomware attacks (see note below) can shut down access to medical services, impair use of critical infrastructure, or persistently disable government networks. As ransomware and other cybersecurity incidents continue to wreak havoc across the globe, governments have recognized that they can have geopolitical implications, such as when incidents cross borders and damage another country’s critical infrastructure, or when misperception about an incident could lead to increased tensions between states.
As part of the effort to reduce the risk that serious cybersecurity incidents pose to global peace and security, governments convened in May with members of the private sector, civil society, and the technical community to talk about how to reduce the risk to global security posed by information and communications technologies (ICTs). The United Nations Open-Ended Working Group on Security of and in the Use of Information and Communications Technologies (OEWG) focuses on a framework for how governments should act responsibly in cyberspace, and seeks to prevent the misuse of ICTs and to avoid escalation that leads to conflict. Under these negotiations, states have committed to create a points of contact (POC) directory for governments to reach out to one another in the case of a cybersecurity incident that rises to the level of a national security concern.
At IST, we have been eagerly tracking progress on the points of contact directory. When states have a clear and operable list of senior government counterparts that they can call in case of a serious incident that crosses borders, they can work to de-escalate incidents of concern and seek help with threats that might otherwise be perceived as aggression by other states. These types of political-level points of contact have been implemented for many years within regionally focused fora, such as the Organization for Security and Cooperation in Europe (OSCE). While these points of contact aren’t always perfect at resolving concerns, particularly when the malicious actor is deliberately or tacitly supported by the government of the territory in which they operate, they can provide at minimum a way to raise concerns in an urgent manner.
These points of contact are different from points of contact for the technical incident response community, such as those facilitated by the Forum for Incident Response and Security Teams (FIRST). They are also distinct from collaboration to address cybercrime, such as the 24/7 Network facilitated under the Convention on Cybercrime and the ongoing global efforts to collaborate to negotiate a global cybercrime treaty organized under the U.N. Third Committee. Instead, these UN-organized points of contact — which are intended to include both a technical point of contact and a diplomatic point of contact — are the people or entities within governments that states can call to alert their counterpart government that an incident is of serious national importance.
While these efforts are primarily focused on the behavior of states and its implications for peace and security, addressing ransomware incidents of national security concern could become part of how states utilize the POC directory. Imagine that a ransomware attack occurs—one that shuts down health services or the provision of electricity and could lead to loss of life or serious damage. A state could use the POC directory to express concern about the ransomware attack with partners and allies globally, communicate the serious nature of the incident, and call on their counterparts to take reasonable action to address the threat. In some cases the state may, in the short term, be unable to address the incident due to technical difficulties or insufficient technical or law enforcement capacity, but the very fact of communicating can help reduce tensions and point to areas where long-term progress can be made.
While a point of contact directory won’t immediately change the calculus of states that turn a blind eye to criminals, hopefully when governments are able to reach one another in the face of an urgent threat, we will see more action to reduce the harm caused by these serious threats to peace and security.
(Note: This blog uses the term ransomware attack and cybersecurity attack to refer to a cybersecurity incident in which ransomware is used to threaten the integrity, confidentiality, and/or availability of data stored on computers. This is not intended to refer to armed attacks under international law.)