As the United Nations Open-Ended Working Group on Information and Communication Technologies (OEWG) convenes the 10th substantive session in New York today, cyber operations by state-affiliated groups and cybercriminals increasingly target the infrastructure and services essential to daily life. These large-scale attacks place substantial pressure on national security, particularly when interdependent sectors experience cascading disruptions. While populations at large feel the impacts, not everyone is affected equally. Context matters: a victim’s identity can determine the type of attack, its likelihood, and its consequences. Women, in particular, face heightened risks if breaches expose sensitive data or cause outages in critical public services. Despite the worsening threat landscape, United Nations (U.N.) cyber norms remain gender-blind, undermining States’ ability to protect all citizens.

Women Absorb the Fallout from Large-Scale Disruptions

The U.N. member States have repeatedly raised the alarm about the severe implications of cyberattacks against critical infrastructure. The OEWG highlighted that these persistent small-scale attacks happening below the threshold of armed conflict negatively impact people and threaten international security. The U.N. Security Council mainly addressed the evolving cyber threat landscape in informal Arria-formula meetings. However, the formal meeting of the Security Council in November 2024, called for by France, Japan, Malta, the Republic of Korea, Slovenia, the United Kingdom and the United States, focused on the use of ransomware against the healthcare sector. At this meeting, the World Health Organization Director-General stressed that cyberattacks routinely breach the confidentiality and integrity of medical data and undermine trust in the health systems. These incidents can result in patient harm and death when ransomware demands delay hospital treatments or disrupt broader biomedical supply chains.

Individuals are impacted at scale when the ripple effects of cyberattacks escalate into major disruptions. Still, the individual and community impacts vary. Incidents targeting hospitals and care centers disproportionately affect those who acutely rely on their services, care for vulnerable relatives, or already face barriers to accessing medical facilities, particularly women and children. For instance, a 2019 study into electricity outages in low and middle-income countries suggests that prolonged disruptions may force hospitals to triage and reduce hospital births. Other research based on outages during Hurricane Sandy in New York points to increased risks of pregnancy complications, including threatened or early delivery. At the same time, an analysis of healthcare outcomes during a cyberattack on an Israeli hospital in 2021 showed that the proportion of women and children among hospital admissions was higher compared to standard operations. Such disruptions further exacerbate systemic inequities and harm groups facing discrimination within and beyond healthcare systems.

Additional risks arise from the nature of compromised data. Threat actors can manipulate personal and sensitive information to deepen the exploitation of their targets through phishing attacks, social engineering schemes, identity theft, or blackmail. In both indiscriminate and targeted attacks, victims’ circumstances and identity shape the nature, probability, severity, and duration of inflicted harm. Unauthorized access to medical records violates the right to privacy. Additionally, data breaches may subject individuals to stigma and discourage them from seeking necessary care in the future, especially when involving sensitive personal information about reproductive and sexual health. In the Australian Medibank ransomware attack in late 2022, a cybercriminal gang published records of pregnancy terminations on the dark web; the BORN Ontario hack in Canada in 2023 resulted in the exposure of information related to pregnancy and childbirth, just as a ransomware attack against the Colorado Fertility Center did around the same time in the United States. Clinics providing sexual and reproductive health care are, on the one hand, attacked by cybercriminals demanding ransom and, on the other, by groups trying to disrupt their operations and dissuade women from seeking care. For example, Planned Parenthood has experienced multiple data breaches in which anti-abortion hacktivists directed attacks on their staff and patients.

Women frequently absorb the fallout from large-scale disruptions far beyond healthcare. When daycare centers and schools temporarily closed during the COVID-19 pandemic, the responsibilities of childcare and education shifted back to families — and especially to women. A similar and more severe pattern emerges when ransomware attacks paralyze services. Disruptions in public transportation can similarly overwhelm those relying on public transit for caregiving, employment, and accessing vital services, amplifying the challenges posed by societal gender expectations and economic disparities. Impact analysis of internet shutdowns also shows that interruptions in critical information infrastructure and the resulting lack of connectivity widen the digital divide in areas where women face structural barriers to accessing and using digital tools. Such disruptions limit women’s educational and economic opportunities, weakening national resilience and the economy.

Gender Perspectives Shape Cyber Norms Fit for Purpose 

The Women, Peace, and Security Agenda, established by the Security Council Resolution in 2000, underlines women’s essential roles in conflict prevention, resolution, and peacebuilding and applies to emerging threats, such as the use of offensive cyber capabilities. Since the agenda’s adoption, U.N. member States have repeatedly confirmed their commitments to promote women’s participation and leadership in cyber policy decision-making and address the gender digital divide in international security discussions. The OEWG 2024 annual progress report highlights the need for a gender perspective in addressing cyber threats and encourages gender-responsive approaches to capacity building. Gender and feminist perspectives focus not only on women but also on diverse identities and experiences. Several countries, including Canada, Chile, and Colombia, have adopted feminist foreign policies and promoted gender-sensitive initiatives in international cybersecurity.

Belgium recently championed a victim-based approach to the U.N. framework of responsible state behavior in cyberspace that would acknowledge the human impacts of cyberattacks. The proposal includes the creation of a Committee on Victim Assistance within the future permanent mechanism that will succeed the current OEWG, whose mandate expires in July this year. The Committee would help States increase their understanding of the human suffering caused by cyberattacks and guide national efforts to advance victim assistance. Although important, none of these proposals aims to update the framework’s foundations — cyber norms. The 11 voluntary norms, agreed by the U.N. Group of Governmental Experts (GGE) in 2015, prescribe, prohibit, and permit certain activities conducted by States in the cyber domain.

Recommendations for Gender-Sensitive Cyber Norms

Despite multiple updates to the norm guidance text in subsequent reports, the existing consensus still fails to address the gendered impacts of cyberattacks and requires revision. The evolving threat landscape is marked by a surge in attacks on critical infrastructure, with perpetrators increasingly exploiting gendered societal norms to inflict harm. A gender-sensitive approach to cybersecurity is therefore not merely a matter of social justice—it is essential for strengthening national resilience and security. Moreover, adopting inclusive perspectives is not an isolated effort; it reinforces core principles such as transparency, accountability, and equal participation. These considerations must be embedded across the U.N. framework, particularly within the future permanent mechanism, to enhance its real-world impact, relevance, and credibility. To those ends, the framework should be updated along the following lines.

Consider All Relevant Information and Define Impacts 

Cyber norm (b) of the U.N. framework incentivizes States to take into account all relevant information in the event of a cyber incident, such as the nature and extent of its consequences. These are understood as the technical attributes of the incident, including its scope, scale, and impact. However, specific considerations are missing when defining the impacts of cyber incidents. Research institutions attempted to close this gap by providing a taxonomy of cyber harm, mapping harms caused by ransomware, and developing a standardized harms methodology. The last acknowledges the importance of identifying a gender perspective when qualifying and quantifying harm from cyberattacks. The accompanying norm guidance text should encourage States to consider the differentiated harm caused by cyberattacks and gather large-scale disaggregated data that meet the standards for evidence-based policy design.

Data collection is essential for understanding how communities and individuals experience cyberattacks and recover from inflicted damage. Without this information, States can only estimate the impacts of cyber incidents based on partial analysis and testimonies. However, they lack the ability to compare evidence across different contexts, preventing a full understanding of the effects on specific groups of citizens. Collecting data and adopting methodologies that document harms through quantitative and qualitative indicators, including those that are gender specific, would reveal the range and frequency of vulnerabilities present within populations and their subsets. Adopting data-driven approaches to human harm can elucidate impacts beyond the damage to the systems and services currently measured in financial loss and operational downtime and lead to better-informed resilience efforts and resource allocation.

Protect Critical Infrastructure and Account for Diverse Needs 

Norm (f) of the framework requests States not to conduct or knowingly support cyber activity that intentionally damages critical infrastructure or disrupts its operations in another country. Norm (g) further reinforces that States should take appropriate measures to protect these systems and services from cyber threats. Implementing both norms necessitates identifying components of critical infrastructure. While assigning these designations is the State’s prerogative, norm guidance should support methods of categorizing critical infrastructure that account for diverse needs. Classifying incidents in terms of severity under these norms should further consider the increasing impacts on people and various physical, financial, psychological, and societal harms, as well as the ramifications for a person’s dignity and economic security. Other vital factors that should be considered include the incident’s scale, irreversibility, and the number of victims.

Critical infrastructure risks often occur in complex combinations. Data breaches can trigger chain reactions when the initial breach results in service disruptions across multiple organizations due to interdependencies between diverse sectors. Gender-sensitive approaches can help identify what constitutes critical infrastructure and provide an understanding that moves beyond military and economic priorities. Such perspectives allow States to prioritize systems whose disruption creates widespread impact, consider those who are disproportionately affected, and enhance societal resilience. For example, according to recent studies, research and education sectors are the least likely to be designated as critical infrastructure worldwide. Even within this category, science and technology, higher education, and research receive the most attention. At the same time, schools have seen a sharp increase in cyber incidents across regions when ransomware attacks caused prolonged disruptions. These attacks create additional burdens for individuals with caregiving responsibilities and reduce workforce participation.

Finally, norm (e) of the framework requests States to respect human rights and privacy. Implementing this norm should urge States to ensure the general availability and integrity of essential facilities, assistance, and information related to gender-specific needs. Such guidance is crucial given the increasing attacks on sexual and reproductive health clinics. Additionally, norm guidance should encourage States to regulate how national and private providers manage recovery efforts, particularly considering the harm to a person’s privacy and dignity resulting from data breaches of sensitive personal information. Victims are often left navigating the aftermath of cyberattacks on their own to seek information about operational disruptions and the potential misuse of their data for identity theft or privacy violation. Post-recovery measures should require providers to notify affected individuals, offer appropriate compensation, and implement an insurance reimbursement policy for potential fraud incidents.
