The UN Joint Inspection Unit reviews the state of cybersecurity in the United Nations
In today’s digitalized world, cybersecurity has emerged as a matter of importance for international organizations, and the United Nations is no exception. The potential consequences of a weak cybersecurity posture go beyond the disruption of ICT infrastructure and systems – rather, it affects the ability of the United Nations to deliver its mandate is at stake.
The United Nations Joint Inspection Unit (JIU), an independent external oversight body that conducts evaluations, inspections and investigations in the UN, has reviewed the use of cybersecurity practices across the UN, with distinct recommendations for UN Agencies to leverage cybersecurity services from the United Nations International Computing Centre (UNICC) and for the Centre to establish a fund for donor contributions.
The JIU report, Cybersecurity in the United Nations system organizations (JIU/REP/2021/3), identifies common cybersecurity challenges and risks faced by the UN system, provides an analysis of responses to these threats and examines current inter-Agency dynamics as well as the potential for shared solutions.
The increased interconnectedness and interdependence of systems and data calls for an approach that recognizes cybersecurity risks as a cross-cutting and collective issue that cannot be addressed in isolation.Catherine Pollard, United Nations Under-Secretary-General for Management Strategy, Policy and Compliance
The JIU recommends in the report that the Director of UNICC establishes a fund for donor contributions in 2022 to complement the capacity of the Centre to design, develop and offer shared services and solutions to enhance the cybersecurity posture of the UN system.
In addition to this, the JIU recommends that the UN General Assembly takes note of the recommendation addressed to UNICC’s Director to establish a fund and invites Member States wishing to reinforce the cybersecurity posture of the system to contribute to it.
Advantages of engaging UNICC and the need for a fund
The JIU report on cybersecurity in the UN system highlights some of the benefits of engaging UNICC, primarily its strict cost-recovery model that ensures a high degree of transparency in the costing of services, ensures a continuous coordination with Partner Organizations and requires the closest possible alignment between service needs and service offer.
However, the same cost-recovery model and absence of profit-orientation can represent an obstacle, as UNICC’s service offerings are dependent on its Partner Organizations providing seed funding to cover the costs of developing new services to meet their demands.
In this regard, the main aim of the fund the JIU report is recommending would be to finance shared, cybersecurity solutions to launch cybersecurity services that would enhance the cybersecurity posture of UNICC Partner Organizations. The fund would also allow to lower the cost of some of UNICC’s current services to enable more organizations to benefit from the shared cybersecurity solutions.
The recommendations made by the Joint Inspections Unit will enable the UN system to strengthen its cybersecurity posture collectively and uniformly.Tima Soni, Chief, Cyber Security Section, UNICC
Other advantages that distinguish UNICC from commercial providers cited in the report include the progressive decrease in the cost of the services as UNICC’s Partner Organizations benefiting from these services grows, the Centre’s intimate knowledge of the system and needs of individual organizations. The objective is to render the system more secure for all, including UNICC as a member of the UN family, keeping in mind that UNICC is subject to the same administrative rules and structures as its Partner Organizations and its engagement with relevant inter-Agency forums.
UNICC shared services, the most promising to protect the UN family
UNICC’s cybersecurity solutions enable its Partner Organizations to enhance cyber resilience by strengthening governance, architecture and operational components of cybersecurity. One of UNICC’s flagship cybersecurity services is the Common Secure Threat Intelligence Network, which functions to share timely, relevant and actionable security threats and incident information to enhance the ability of its members to prepare for, respond to, and mitigate risks associated with these threats. UNICC’s Management Committee has already approved that the mechanisms set up through this service be leveraged to share timely threat intelligence information with all UNICC Partner Organizations.
The JIU auditors note that this service, which addresses a long-standing collective need, has been assessed in particularly positive terms by a majority of the Centre’s Clients. According to the report, UNICC’s Common Secure Threat Intelligence Network can be considered the most promising cybersecurity service in terms of its potential to naturally attain full system-wide subscription and realize actual protection gains for the system.
UNICC is ISO 20000, 27001 and 22301 certified. UNICC received the CSO50 award in 2017 and 2020 for the common cybersecurity services the Centre has built. UNICC also undergoes the ISAE 3402 audits to provide assurance on the services it provides.
Member States welcome the JIU report
The JIU and the United Nations Secretariat presented these findings during a special event on 4 November 2021 at the General Assembly in New York, USA, where the inspectors reiterated their request to UNICC to establish a fund to allow Member States to support the provision of shared solutions and system-wide cybersecurity services.
The event was attended by Member States delegates, UN Secretariat officials including Bernardo Mariano Joaquim Junior, Chief Information Technology Officer, UN Assistant Secretary-General, Office of Information and Communications Technology, representatives and heads of IT and cybersecurity in the UN and the Director of UNICC, Sameer Chauhan. Participants agreed on the importance of cooperation and collaboration among UN family organizations on this matter.
Tima Soni, Chief, Cybersecurity Section at UNICC, was invited to participate in the presentation to share her views on the state of cybersecurity in the UN and answer questions together with UN CITO, Bernardo Mariano Joaquim Junior.
The presentation at the General Assembly underscored the value of the JIU’s recommendations with the goal to actively share the findings across the UN family.