Why the UN should promote new IT security standards and certifications for its internal IT needs to fulfill its mission in the digital age.
A recent extensive internal audit of the UN's cybersecurity posture determined that the “potential consequences of a weak cybersecurity posture go beyond the disruption of ICT infrastructure and systems – rather, it affects the ability of the United Nations to deliver its mandate is at stake”. Among its recommendations, it stated that the UN International Computing Center “should establish a cybersecurity trust fund for the specific purpose of designing and developing the shared cybersecurity services that are most needed by the system” by the end of 2022.
As we argue below, the “services that are most needed” are those that protect the confidentiality, integrity and legal accountability of its internal sensitive and most sensitive communications in order to prevent unaccountable state and non-state entities from compromising and distorting its very mission and mandate.
In fact, even the most secure IT security standards and IT systems that are commercially available to the UN leave a very large number of its staff at all levels - from the Secretary General to UNHCR field staff, and their close personal and professional associates - vulnerable to being spied on, continuously and undetectably, by innumerable state and non-state entities that have the capabilities or rent them from leading firms or criminals.
Since much advanced spyware is undetectable by the user and leaves no forensic trace, the scale of the problem cannot be precisely determined. Yet recent revelations that we collected and analyzed in our recent white paper point to the fact that this may be happening at the scale of hundreds or thousands of the most sensitive and critical UN staff.
This problem is not unique to the UN; it also affects elected and appointed officials of UN member states, journalists, and human rights and democracy activists. UN member states' staff, including high-level diplomats, have the same problems. In addition, they are subject to the fragmentation of (in)secure communication apps, devices and social platforms, each most promoted by the nations that have more control or hacking capability over them, which degrades security and prevents a fair, secure and effective dialogue.
In addition, fast-emerging and widespread awareness of the vulnerability of those platforms produces - in both UN and UN member state staff - self-restraint and missed opportunities for open, fair and unbiased communication and dialogue, as officials always have to assume that whatever they communicate in a call, text or group chat could end up in a headline, out of context.
This leaves UN staff and UN member states' staff exposed to undue pressure, extortion and blackmail by such entities, and leads to extensive self-censorship, which in turn introduces deep bias and distortions into the functions of the UN.
Concurrently, and paradoxically, the selective availability of the most advanced spyware systems, their export controls by leading cyber nations, and internal UN rules mean that cyber-investigation and interception by the UN of staff who have been duly identified as suspected of wrongdoing are often not possible, or yield untrustworthy evidence that does not stand up in the highest courts.
Therefore, the UN may want to support or promote the creation of a new UN-like IT security standards-setting and certification body - one that is globally representative, competent and resilient to the pressures of single nations or alliances - and of user-friendly, convenient and economical IT systems compliant with such standards, such as the one we are promoting with our Trustless Computing Certification Body and Seevik Net.