8 November 2012
Cyber Security Conference UNIDIR 2012
Opening Remarks by Mr. Kassym-Jomart Tokayev
United Nations Under-Secretary-General
Director-General of the United Nations Office at Geneva
Room XXIV, Palais des Nations
Thursday, 8 November 2012 at 09:15
Ladies and Gentlemen
It is a pleasure to welcome you all to the Palais des Nations.
The topic of our meeting is extremely important and acute. Cyber Security has become a matter of grave concern for the whole international community.
This morning I'd like to share with you a few thoughts on an issue that I think is at the core of the challenges facing international society today: The establishment of confidence building measures to address the threats facing all of us in cyberspace and how to implement them effectively.
In the 20th century, our world has witnessed several strategic technological leaps. From the Spirit of St. Louis to the Sputnik, our ability as the human race to turn quantum leaps of technology to project power and strength across all domains - land, sea, air, space - with the objective to harm each other seemed to know no limits.
Securing these domains helped ensure that these breakthroughs in human knowledge were used to advance peace and prosperity and were not used to promote war and aggression.
It is with that same goal in mind, that we now have to address a new domain that we must secure to work towards achieving peace and prosperity in the world of the 21st Century. This is the unenviable task ahead of us.
Cyberspace has fundamentally transformed the global economy and our way of life, providing more than two billion people across the world with instant access to information, to communication, to economic opportunities.
Cyberspace is the new frontier, full of possibilities to advance security and prosperity in our time. And yet, with these possibilities, also come new perils and new dangers.
The Internet is open. It's highly accessible, as it should be. But that also presents a new terrain for warfare. It is a battlefield of the future where adversaries can seek to do harm to their militaries, to the economy, and to each other's citizens.
When people think of cyber-security today, they worry about hackers and criminals who prowl the Internet, steal people's identities, steal sensitive business information, steal even national security secrets. Those threats are real and they exist today.
But there is even a greater danger. A cyber attack perpetrated by nation states and violent extremist groups could be as destructive as any conventional war or terrorist attack. Such a destructive cyber-terrorist attack could virtually paralyze any nation or region, even the whole worldwide communication and financial networks.
Nor is this kind of war a game or a figment of our imaginations. Let me give you a couple of recent examples of the kind of attacks that have already taken place in the private sector.
Last month some large financial institutions in New York City were hit by so-called Distributed Denial of Service attacks. These attacks delayed or disrupted services on customer websites. It affected almost 200,000 customers. While this kind of tactic isn't new, the scale and speed with which it happened was unprecedented.
Last summer, in August, an even more alarming attack took place when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian State Oil Company Aramco. Shamoon included a routine called a 'wiper', coded to self-execute. This routine replaced crucial systems files with an image of a burning U.S. flag. But it also put additional data that overwrote all the real data on the terminal. More than 30,000 computers that it infected were rendered useless and had to be replaced. It virtually destroyed 30,000 computers.
Imagine the impact an attack like that would have on a city like Geneva.
Furthermore, far from being an alternative to conventional war, cyber war may actually increase the likelihood of the more traditional combat with explosives, bullets, and missiles.
Let’s take a couple of minutes to look at some potential scenarios: An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical communication or information nodes. They could, for example, contaminate the water supply in major cities or shut down the power grid across large parts of a country or region. An escalation scenario could contemplate to derail passenger trains and re-route planes/ships, or even more dangerous, to derail trains loaded with lethal substances or guide toxic cargo vessels to specific population centers.
The most destructive scenarios contemplated involve cyber actors launching several attacks on critical infrastructure at one time, in combination with a physical attack.
The collective result of these kinds of attacks could be a cyber blitzkrieg; an attack that would cause severe physical destruction and extensive loss of life. In fact, it would paralyze and shock any nation and create a new, profound sense of vulnerability among its inhabitants.
And moreover these cyber threats have the potential to grow exponentially. With dramatic scientific advances, this is an area of dramatic developments in cyber technology. With that happening, potential aggressors are exploiting vulnerabilities.
Cyber attacks are every bit as real as the more well-known threats like terrorism, nuclear weapons proliferation and the turmoil that we see in the Sahel, Middle East, South Asia and Northeast Asia and should be addressed as such.
If we could put this genie back in the bottle, we should, but we can’t.
Therefore, we need to embark on a complex series of tasks: to understand what cyber war is, to learn how and why it works, to analyze the risks, to prepare for it, and to think about how to control and deter it. Like in the past, the establishment of Confidence Building Measures is pivotal to our success.
Let me briefly update on the United Nations role to date:
The issue of information security has been on the United Nations agenda since the Russian Federation first introduced a draft resolution in 1998 on the subject in the First Committee of the UN General Assembly.
In 2004 and 2010, there were two UN Groups of Governmental Experts (GGE) that have examined the existing and potential threats from the cyber-sphere and possible cooperative measures to address them.
As the Secretary-General pointed out in his foreword to the report of the 2010 UN Group of Governmental Experts, “the task is arduous and we have only begun to develop the norms, laws and modes of cooperation needed for this new information environment.”
The 2010 Group in particular recommended developing norms aimed to protect critical infrastructures and confidence-building and risk reduction measures, exchange of information on national legislation, strategy, policies and technologies, and building capacity in less developed countries.
A third group was convened in 2012 and resumed the work in that direction. It will continue its deliberations at the sessions in January and June 2013.
In this regard, I do believe that this Conference will provide a good opportunity for exchange of views and interesting ideas which eventually would be submitted and contribute to the work of the UN Groups of Governmental Experts.
And here in Geneva the technical contribution of the ITU especially in the realm of capacity building is laying down a strong foundation for future progress particularly in the developing countries.
This city of ours is also the ideal venue to discuss such cross-cutting matters that can contribute to a debate on Cybersecurity that is both inclusive and holistic. With the wealth of experience and know-how in the humanitarian, technical and human rights fields - embodied in pivotal institutions such as the Human Rights Council, the ITU, Internet Governance Forum and, goes without saying, UNIDIR – to ensure that all aspects of this very important work can be brought together and provide concrete results that leave no angle untouched.
In closing, let me emphasize something: the warning signs are already here. Systems will never be impenetrable, just like physical defenses are not perfect; that is why the setting up of Confidence Building Measures will contribute to the stability and trust needed in this new frontier to ensure that cyberspace continues to bring prosperity to people across the world.
I wish you a productive and enlightening Conference.
Thank you very much.