IGF 2022 BPF Cybersecurity

Event report

The Best Practice Forum on Cybersecurity is a recurrent IGF intersessional activity meant to identify cybersecurity activities and initiatives; to raise the voices of those affected by cyberattacks; and to analyse the landscape of norms and cybercrime legislation. In the past year, norms have increased on responsible behaviour, electoral security, restraints regarding what governments agree not to do, and on combating ransomware as a national security threat.

The BPF is articulated around four workstreams: agreements, storybanking, outreach, and mythbusting.

The first workstream, agreements, looks at new international norm agreements. In the past twelve months, two new agreements have been created, namely the Danish Copenhagen Pledge on Tech for Diplomacy and the United States-led Declaration for the Future of the Internet. Norms can be categorised into six groups: rights and freedom, information, security, resilience norms, reliability of product, cooperation and assistance, and technical and operational cyber norms. What we have witnessed in the recent year is an increase in norms on responsible behaviour and a focus on elections and security of democratic processes; we have also seen a rise in restraint norms regarding what governments agree not to do. Finally, a growing trend in norms and agreements sees combating ransomware as a national security threat.

The second workstream, storybanking, complements the agreement picture by looking at whether norms are helpful in the case of a cyberattack. This workstream brings voices of those most affected by cybersecurity events forward to foster decision-making on issues.

Significant policy distinctions between cybersecurity and cybercrime look at how lobbying efforts can better support a human rights-focused approach to internet regulation.

Mythbusting clarifies confusions and myths about the key policy differences between cybersecurity and cybercrime from a human rights centric approach to internet governance. In its Mythbusting: cybercrime versus cybersecurity draft paper, the BPF notes five myths.

1. Myth 1: They are two sides of the same coin: Cybersecurity policy is proactive and cybercrime policy is reactive. They are not two sides of the same coin: Cybersecurity defines a technical approach to securing such systems from attacks or errors; and cybercrime is about punishing unauthorised access to such systems with criminal intent.
2. Myth 2: Considerations for human rights are equally compatible with cybercrime and cybersecurity policy. The punitive, remedial, carceral and securitisation framing of cybercrime means that human rights must be balanced against, for instance, national security interests in investigating crimes. However, with cybersecurity, human rights can be more aligned with and compatible when people are placed at the centre of the security of cyberspace.
3. Myth 3: The security of information is a consideration for both cybercrime and cybersecurity. In some parts of the world, the term information security is used as a term covering many other problems of the information space – for instance cultural and political stability. From a human rights perspective, both cybercrime and cybersecurity discussions should steer clear of addressing information security, as that could very well mean addressing content issues.
4. Myth 4: Countering cybercrime improves cybersecurity. In reality, mature cybercrime laws can hurt cybersecurity defenders.
5. Myth 5: Cybercrime and cybersecurity both improve with enforcement. While cybersecurity does have compliance as the enforcement component. However, more is needed to build healthy cybersecurity, namely culture, education, awareness and norms.

By Stefania Grottola and Andrijana Gavrilovic

The session in keywords