Best practice forum on cybersecurity: Putting agreements into action: operationalising cybersecurity norms

27 Nov 2019 15:00h - 16:30h

Event report


The Best Practice Forum (BPF) on cybersecurity investigated challenges for security teams in multistakeholder co-operation. The BPF focussed on norm operationalisation and norm implementation, addressing the question of whether norms should merely be observed or whether they should be implemented into the international system or between stakeholders.

As Ms Madeline Carr (Professor of Global Politics and Cybersecurity, University College London (UCL)) explained, norms are collective expectations of proper behaviour. They are collective, but not universally shared within a group: a norm is respected only by those who agree with it. In other words, norms are aspirations that cannot be imposed – as opposed to rules. In the absence of enforceable rules, norms fill policy gaps and shape an understanding of collective responsible behaviour, as highlighted by Ms Sheetal Kumar (Senior Programme Lead, Global Partners Digital). However, important challenges remain, including disagreement on what ‘critical infrastructure’ covers, on the capacity to trace or attribute incidents in cyberspace, and on clear institutional mechanisms to monitor and report compliance (especially in ensuring the respect of human rights). As explained by Ms Carina Birarda (Computer Security Incident Response Team Buenos Aires (CSIRT)), addressing these challenges requires further research and human capacity building.

The current cybersecurity scenario, however, has seen an additional category of norms developed, what Mr Olaf Kolkman (Chief Internet Technology Officer, Internet Society (ISOC)) calls ‘mutually agreed norms for security’. The distinctive characteristic of these norms is that they rely on a set of commitments to deploy or take certain actions to secure the routing system as a whole, which brings better business advantages. As Mr Alexander Klimburg (Director, GCSC Initiative and Secretariat) further explained, one of these norms is the protection of the public core of the Internet, contained in the final report of the Global Commission on the Stability of Cyberspace (GCSC), ‘Advancing Cyberstability’. The norm addresses the gaps proposed by the UN Group of Governmental Experts’ (UN GGE) report and influences discussions at the level of the UN First Committee. The norm reflects the need for a multistakeholder consensus on what constitutes responsible behaviour in cyberspace, which has achieved results in the rise of multistakeholder supporters of the Paris Call for Trust and Security in Cyberspace, as underlined by Mr John Hering (Programme Manager, Digital Diplomacy and Cybersecurity Business, Microsoft).

Concrete and specific examples of norm implementation efforts are still at an early stage. However, as pointed out by Kolkman, important achievements have been reached in the growing number of participants and supporters of the norms, as well as in the strengthening of monitoring systems with regard to the evolution of routing incidents. While Microsoft’s initiatives in supporting election security, as well as the Oregon Observatory of Network Interference (OONI), should be stressed, new approaches were proposed. Such approaches could be the creation of peer review mechanisms in which best practice and experiences are shared; the creation of an independent CERT; and the adherence to a convention that requires entities to meet specific requirements of cybersecurity.

By Stefania Grottola