NetGov, please meet cybernorms: Opening the debate

Event report

[Read more session reports and live updates from the 11th Internet Governance Forum]

The schedule of the IGF 2016 has a very limited focus on cybersecurity, which surprised some participants, yet the panel on cyber-norms appeared to be lively and constructive, and brought about some interesting proposals. The panel looked into ways to bridge the discussions on cybersecurity across policy silos: between the IG community and the security community.

Introducing the panel, Mr Pablo Hinojosa, Strategic Engagement Director, APNIC, elaborated on the differences between the two: while the IG community is traditionally inclusive and discusses a broad set of social and economic issues related to the Internet (commonly addressed by the 2nd committee of the UN) in a rather informal way, the security community is traditionally closed and particularly focused on the aspects related to international peace (commonly addressed by the 1st committee of the UN), often looking for more formal outcomes like treaties.

Ms Marilia Maciel, Digital Policy Senior Researcher, DiploFoundation, reminded the group that core values – like openness, permission-less innovation and end-to-end design – were built into the very architecture of the Internet, and certain rules were already developed by the business and technical communities when governments initiated the WSIS process. The WSIS, therefore, had individuals in the centre of discussions, which is contrary to state-centric discussions about cyberspace that traditional security communities had developed.

Mr Duncan Hollis, Professor of Law, Temple Law School, provided a review of the process of developing norms of appropriate state behaviour within the UN Group of Governmental Experts (GGE). He explained that the GGE is a state-centric environment for shaping the norms, with ‘occasional nods to multistakeholder’ when it comes to possible operationalisation of those norms and related capacity building measures.

Mr Henry Rõigas, Researcher in Law and Policy, NATO Cooperative Cyber Defence Centre of Excellence, distinguished between legal norms such as the application of international law to cyberspace, as analysed within the Tallinn Manual process, and political norms like the those of the GGE, but also the confidence building measures (CBMs) of the OSCE that are additional layers to existing normative framework.

Dr Alejandro Pisanty, Professor,  National University of Mexico and the Chair, Internet Society, Mexico, busted some common myths, explaining that security was introduced to the architecture in the early days, but at the edges rather than within the network; that the Internet was not built on contracts or formal agreements – instead, the ‘Internet runs on handshakes’ – and that the multistakeholder approach requires equal footing while, in reality, only particular stakeholders can step in to solve particular challenges.

Mr Michael Walma, Director and Cyber Foreign Policy Coordinator, Department of Foreign Affairs, Trade, and Development of Canada, and Canadian representative both in the GGE and the WSIS+10 negotiations, reiterated Canada’s position that the GGE should deal only with the issues of peace and security, rather than with broader issues like crime, terrorism, or IG since there are other multistakeholder processes where these topics are already being discussed.

Ms Irene Poetranto, Researcher, Citizen Lab at the University of Toronto, reminded the group that norms and CBMs are also discussed within regional processes, such as the OECD, ASEAN or the Shanghai Cooperation Organisation, and also focus on various specific topics, such as threats against civil society groups (referring to the recent report: ‘Communities @ Risk: Targeted Digital Threats Against Civil Society’).

Ms Izumi Okutani, Policy Liaison, JPNIC, noted that the network operators have norms as well, often in form of current best practices in different fields (such as ‘Mutually Agreed Norms for Routing Security’) which are voluntary, publicly available, and open for comments fromm anyone (unlike those prepared by states, which are often closed to states only).

Mr Paul Wilson, Director General, APNIC and Member, Advisory Board of Global Forum on Cyber Expertise (GFCE), emphasised the importance of public-private efforts for capacity building, and stated that the GFCE is a useful venue in this regards.

Mr Juan Fernandez, Senior Advisor, Ministry of Informatics and Communication of Cuba, stated that Cuba has an expert in the GGE this year who is actually a head of one of the CERTs. In contrast to Canada, Cuba’s view is that there is a strong link between IG and cybersecurity, and the two should be discussed together in multiple fora. He invited the IGF community to work on building a common terminology on cybersecurity, building on existing efforts like the ‘Critical Terminology Foundations’ (Russia-US bilateral) report by the East-West Institute.

Mr Matthew Shears, Head of Global Internet Policy and Human Rights,  Center for Democracy and Technology, asked to what extent the GGE looks to the technical community for responses, and vice versa, and shared his impression that the current GGE work hasn’t moved far from the UN GA Resolution 57/239: ‘Creation of a global culture of cybersecurity”’ of 2003.

Dr Anja Kovacs, Director, Internet Democracy Project, India, agreed that cybersecurity and IG should not be discussed separately, and that one can’t just isolate the cybersecurity discussions in the 1st Committee of the UN while there are discussions in many more venues.

Ms Camino Kavanagh, Rapporteur, GGE, attending online, asked how the IG community can engage with governments to help implementation of the norms from the GGE. In response, Maciel suggested to also look at how the Global Conference on Cyber Space (GCCS) could be utilised to merge the two communities.

A number of concrete takeaways were collected:

• According to Hollis, operationalisation of the GGE norms doesn’t have to be state-centric; in this regards, Fernandez invited the GGE to look at how to involve the technical community in helping the operationalisation of the norms;
• Shears suggested that the IG community should be invited by GGE to critique its work;
• Kovacs suggested that the next IGF should host a special session on the GGE report of 2017 (if any), while Vladimir Radunovic, Director of Cybersecurity,  DiploFoundation, attending online, noted that the IGF should also discuss norms for the Internet industry and its responsibility to address vulnerabilities, using the Microsoft proposal from 2016 as a possible start;
• Maciel suggested the GCCS as a particularly convenient venue to host a joint event of the GGE and IGF communities, and invited the IG community to initiate such an event at the 5th GCCS in 2017, and to utilise the GFCE capacity to connect both sides.

by Vladimir Radunović