Exploring neutrality: a multistakeholder cyber norms dialogue

Event report

The participants of this session discussed what neutrality means in the context of cyberspace and provided mapping of different viewpoints on the importance and functionality of neutrality from the perspective of the state, private sector, civil society, and computer emergency response teams (CERTs). The session touched upon the existing international law in cyberspace. 

The session started by defining neutrality and its importance for achieving stability in cyberspace. Mr Sean Cordey (Researcher, Center for Security Studies at ETH Zurich) pointed out that neutrality is not only a core legal concept, but extends to rights, duties, behavioural traits, and is linked to expectations of non-participation, impartiality, and due diligence. Cordey pointed out that that the concept of neutrality has moved to digital and foreign security policies, facilitating dialogue, capacity development, fact-finding, and forensic analysis exercise. Cordey concluded that neutrality in cyberspace remains a niche topic, which only several states (Switzerland, USA, Romania, and France) have discussed in their legal opinions.

Cordey then introduced a recent publication with Mr Kevin Kohler (Researcher, Center for Security Studies, ETH Zurich), ‘The Law of Neutrality in Cyberspace’, on the historical and technological background to neutrality, and breakdown of the legal debates regarding the application of the law of neutrality in cyberspace.

The participants shared their views on the concept of neutrality in the context of growing tensions of state-sponsored cyberattacks.

Mr Jan Lemnitzer (Assistant professor, Department of Digitalisation, Copenhagen Business School) pointed out that the most relevant part of neutrality is the due diligence norm. Lemnitzer argued that old rules of neutrality are still applicable, illustrating the examples of Corfu Chanel case that the due diligence norm does not require attribution. He also pointed to the Alabama Tribunal case showing that states expect certain levels of capability from each other and are not afraid to demand compensation. Lemnitzer concluded that due diligence duty definitions and laws on neutrality in cyberspace develop in crisis situations.

Speaking from the position of a neutral state, Mr Maurice Eglin (Head external relations, crisis coordination and training, Federal Department of Defence, Civil Protection and Sport of Switzerland) stressed the importance of conceptualisation of activities within neutrality. Eglin spoke about the implications of being neutral internally within the state (in terms of the type of security, the scope of defence, partners, critical infrastructure) and externally (sharing experience and best practices, strategic view on neutrality and related thresholds). Eglin pointed out the role of cyber diplomacy in this context.

Ms Ottavia Galuzzi (Cyberoperations officer, CyberPeace Institute) spoke about neutrality as a humanitarian value, its role in stability and security in cyberspace. Galuzzi pointed out that cyberspace was conceived as neutral, and that neutrality is an issue of access to knowledge and protection. She explained their work in tracking cyberattacks in the healthcare sector via the Cyber Incident Tracer.

Presenting the view of the private sector, Ms Anastasiya Kazakova (Senior Public Affairs Manager, Kaspersky) stated that although 100% neutrality cannot exist, in the event of a cyber incident, the private sector will help their users first. She emphasised the importance of drawing the lines between peace and wartime in cyberspace and the related rights and obligations of actors.

Mr Koichiro Komiyama (Director of the Global Coordination Division, JPCERT/CC, the Japanese Computer Emergency Response Team) explained the neutrality dilemmas from the point of view of CERTs. While CERTs ensure the neutrality of states, the question of how to deal with tech giants remains. He pointed out that the autonomous and shared nature of the internet is rapidly disappearing and that tech giants are not neutral in cyberspace, citing the example of Microsoft cooperating with the US Department of Defense.

The participants then moved on to discuss the second issue of how can neutrality operate in the context of UN norms of responsible state behaviour in cyberspace. They discussed norm 3 (prevent misuse of ICTs in the state’s territory), norm 6 (do not damage critical infrastructure), norm 7 (protect critical infrastructure), norm 8 (requests for assistance), and norm 11 (do not harm emergency response teams), agreeing on the lack of specificity in the norms. Lemnitzer pointed out the controversial position of the state obligation of due diligence in cyberspace, which is included in the UN GGE report, but was dropped in the final UN OEWG report. He also spoke about the lack of definition of critical infrastructure. Eglin pointed out the need for informational exchange to contribute to the maturity and resilience of critical infrastructure, while Galuzzi emphasised the need for multistakeholder approach in protecting human rights and vulnerable communities in cyberspace. Kazakova stated that many of the norms are already operationalised and there is a need to understand how these norms coexist with international law. In reference to norm 11, Komiyama said that national CERTs are becoming more integrated with the functions of government and are causing changes to neutral protection from cyberattacks.

Within the discussion, Mr Craig Jones (Director of Cybercrime, INTERPOL) as a participant referred to the role of INTERPOL as a neutral interlocutor in the cybercrime setting. Referring to the discussions at the UN on a new cybercrime treaty to take place next year, Jones shared the input of INTERPOL submitted to this process.

The participants concluded by discussing specifics of health as a vital sector in protection against cyberattacks, data integrity issues, the politicisation of cybercrime, and humanitarian aspects of cyberattacks.

By Pavlina Ittelson

Session in numbers and graphs

Automated summary

Diplo’s AI Lab experiments with automated summaries generated from the IGF sessions. They will complement our traditional reporting. Please let us know if you would like to learn more about this experiment at ai@diplomacy.edu. The automated summary of this session can be found at this link.