In the wake of the SolarWinds and Microsoft attacks, the UN has released a landmark cybersecurity report that's been two years in the making. Here's what you need to know.

Background

Back in December, SolarWinds revealed that they had been the victim of a highly sophisticated security breach, causing them to unintentionally install malware on their customers' networks via corrupted software updates. Since SolarWinds provides services to the US government and military as well as some of the largest corporations in the world, these revelations were nothing short of explosive. Days later, forensics analyses confirmed that the attacks had been ordered by the Russian government and had been executed by S.V.R., one of Russia's leading intelligence agencies, often referred to as Cozy Bear or A.P.T. 29.

Fast forward a month and this time it's Microsoft announcing that they too had been breached, and their Exchange Servers had been compromised. The attacker? A Chinese-backed group named HAFNIUM.

These twin attacks were momentous not only in terms of their scale and sophistication, but perhaps more importantly they risk normalizing digital warfare between sovereign nation-states.

It's welcome news, then, that after two years of deliberation, the United Nations Open-Ended Working Group (OEWG) on cybersecurity released their most comprehensive report to date. This is the first time that a UN working group of this size – open to all 193 member states – has negotiated and agreed upon a cyber-framework. Furthermore, the working group was open to non-state entities such as private companies (like Silent Breach), helping to foster public-private understanding and cooperation.

What's Included

While the report as a whole represents a major step forward (you can read the full report here), there are three areas in particular that deserve highlighting.

1. In 2015, the UN released a list of voluntary norms to help guide international cyber-conduct. These norms have now been re-affirmed and elevated to international law. Included is an understanding that critical infrastructure and computer emergency response teams (CERTs) may not be targeted in a cyberattack.

2. Special attention was paid to a growing need to insulate healthcare from malicious online activities. Over the last year, a concerning uptick in healthcare-targeted attacks has been documented. In particular, the extreme circumstances surrounding the global response to Covid-19 was leveraged by hackers to lodge large-scale assaults against healthcare providers, the WHO, and health-tech applications like Iran's official Covid-detection app.

3. Similarly, the report calls on governments to protect the ICT supply chain as well. The SolarWinds attack, for example, was especially damaging because it corrupted the software update process, thereby putting thousands of individuals and organizations at risk. Such attacks threaten to undermine public trust and confidence in the update process all vendors use to maintain the security of the digital ecosystem, and creates an environment of suspicion that is universally damaging.

What's Left Out

The report makes only brief references to human rights, almost entirely ignoring the need to protect basic freedoms in the digital as well as physical sphere. International humanitarian law can serve as a rubric for digital human rights, especially as several nations have moved in recent years to further restrict freedoms of speech, privacy, and religion, while simultaneously allowing online hate groups and disinformation platforms to operate virtually unchecked.

Nevertheless, this broad consensus across all 193 member states, as well as numerous advocacy groups and tech companies, represents a major step forward toward digital safety and provides a model for ongoing global collaboration.

Additional Resources:
How To Tell If The Microsoft Hack Affects You
Cybersecurity Survival Guide for Remote Working
US Companies Struggle To Notice When They've Been Hacked