My name is Allison Pytlak and I am participating in today’s informal consultation with stakeholders as the Program Lead for Cyber with the Stimson Center, a research institute promoting international security and shared prosperity through applied research and independent analysis, global engagement, and policy innovation.
Before getting into my planned remarks, I wish to acknowledge the comments of some other stakeholders that have spoken before me and particularly the comments made in relation to the uptick in critical infrastructure attacks, including by states; on the risks of artificial intelligence; about the role of mercenary actors; and the need for attribution capacity building.
In the context of today’s focus on the topic of “existing and potential threats in the field of ICT security” we want to draw attention to an aspect of this topic that has not been extensively considered within the OEWG, but that does fit well within a discussion about threat vectors and evolving threat landscapes: the risks which ICT vulnerabilities, and offensive or malicious cyber operations, pose to international peace and security when they target or intersect with the safety and security of other domains.
For instance, Stimson’s work in nuclear cybersecurity has explored the increased vulnerabilities facing the nuclear sector. Next generation nuclear technologies, including small modular reactors, are highly digitized while existing legacy systems are being replaced by digital ones. Increased digitization can mean more users, more service providers and a need for more trust in and amongst critical networks and the assets contained within them, including relevant supply chains. Stimson’s nuclear cybersecurity research has also shown that one of the threat activities generating some of the strongest consequences are when malicious actors use deep fakes to perpetrate disinformation around an attack of any type (cyber, blended, direct) with the goal being to disrupt incident response, in order to increase the consequences of the original attack or operation.
Cyber threats also extend to the outer space domain, a nexus that Stimson anticipates exploring further this year. The February 2022 cyber operation targeting Viasat illustrates well what can happen when cyber operations are directed against segments of space systems, in particular their digital components. The growing number of active satellites in space corresponds with growing human reliance on the systems they provide, for communication and navigation, financial transactions, transportation, and weather forecasting. This constitutes yet another expansion of the cyber threat landscape.
Chair, I have highlighted the digital and cyber threats to nuclear and outer space security because they are relevant to the OEWG’s discussion of threats and risk. For example, some of these risks could be mitigated or reduced by better implementation of the cyber norms or existing law, and they underscore the importance of incident disclosure and information sharing, including through confidence-building measures. The nuclear and outer space examples demonstrate that there is a need for robust implementation of the normative framework in order to help counter the cyber risks and threats facing other important areas of international peace and security. We encourage the OEWG to consider these wider implications and the applicability of its work on other aspects of international peace and security, many of which are directly relevant to the UNGA First Committee, in its continued discussion of threats.
In response to your guiding question about how stakeholders can work with the international community to develop a deeper understanding about risks, I want to re-state a point Stimson has made in past meetings, and build on the comments I’ve just outlined, which is that much can be learned from researching the approaches of the international community to reduce risks in other aspects of global security. The Stimson Center is building on its extensive experience in other areas of international and regional security as well as global governance to find lessons that can be applied to the cyber domain. I’m pleased to share that work is now well underway on our research project into other areas of international risk and threat, in which we will consider other domains, other dual-use items, and relevant other behavior types to identify and recommend processes and mechanisms to support strengthened implementation of the UN cyber norms, and thereby reduce cyber threats including by promoting accountability. In this work we are collaborating with a diversity of other stakeholders, many of whom are on this call, as well as supportive and interested Member States.
Finally Chair, I wish to say a few words about the importance of bringing gender analysis into threat analysis. Gender analysis can reveal the differentiated cyber threats and vulnerabilities that people experience in relation to their gender identity, but it can also open new ways to understand or approach other of the threats this Group has been discussing. For example, in January 2022 I participated in a closed-door roundtable convened by the Centre for Feminist Foreign Policy, the German government, Microsoft, and the Women’s International League for Peace and Freedom (WILPF) in which we examined how a feminist and gender analysis can be a useful tool for widening our approach to what we designate as “critical infrastructure”. Here, a gender analysis can be a basis for reframing and expanding what is understood as “critical” and be a way to document, understand, and better respond to the human and humanitarian impacts of such operations.
