Empowering global cooperation on cybersecurity for sustainable development and peace

Event report

[Read more session reports and live updates from the 12th Internet Governance Forum]

In his role as chair of the session, Ambassador Frank Grütter, Head of the Division for Security Policy, Directorate of Political Affairs at the Federal Department of Foreign Affairs of Switzerland, welcomed the participants and said that the session was an opportunity to introduce the views of various stakeholders. In an introduction to the session, the moderator, Mr Olusegun Hamed Olugbile, Member of the UN-IGF Multistakeholder Advisory Group and CEO of Continental Project Affairs Associates from Nigeria, reminded the participants that the transformation of our world through the sustainable development goals (SDGs) is under threat if there is no global co-operation on cybersecurity.

Mr Maarten Van Horenbeeck, Director of the Forum of Incident Response and Security Teams (FIRST) and a coordinator of the IGF Best Practice Forum (BPF) on cybersecurity, said that the BPF in 2017 came up with 18 areas of high importance for security, ranging from securying the reliability of access, to avoiding abuse by institutions. He particularly stressed the link between cybersecurity and the SDGs in the context of promoting technology to secure small and medium enterprises (SMEs) from attacks. Ms Anita Gurumurthy, Executive Director of the Indian NGO IT for change, reminded the partipants about the definition of human rights, which is linked to every-day security and freedoms, and called for a global approach to cybersecurity and well-being, to ensure sustainable development. Ms Valeria Betancourt, Manager of Communication and Information Policy Program at Association for Progressive Communications (APC), asked who do we need security for, what for, and by what means? She underlined that cybersecurity is intrinsically a human rights issue because it is about people, and spoke about particularly vulnerable groups such as women and girls, and the LGBT population. She called for a change in perception of the challenge from technological to political and societal.

Mr Jimson Olufuye, Chairman of the Africa ICT Alliance (AfICTA), put an emphasis on the need for developing countries to sustain their economic development through being proactive in co-operation, developing national strategies, laws and policies, ratifying the African Union Convention on Cybersecurity and Data Protection, raising awareness among citizens, and encouraging sub-regional and regional co-operation. He listed ‘One Network’ programme in Africa, as a good example of co-operation. Professor Uche M Mbanaso, Executive Director of the Centre for Cyberspace Studies at Nasarawa State University in Keffi, Nigeria, contrasted the small investments in cybersecurity infrastructure and capacities, with the increasing use of digital services in Africa, which causes higher cybercrime. He particularly emphasised the need for greater investments in research and development, especially as a multidisciplinary field.

A question was raised by participants on how the global norms would contribute to developing countries? Amb. Daniel Stauffacher, President of the ICT4Peace Foundation, reminded the attendees that cyber-attacks have a detrimental impact on development and growth, while Olufuye gave an example from Nigeria, where ICT contributes to some 12% of the GDP today, compared to about 2% several years ago.

Colonel Mohammed Tanimu Abdullahi, Presidential Communication Command and Control Centre in Nigeria, provided an update of the cybersecurity environment in Nigeria, including the existence of the cybercrime act, policy and strategy, the establishment of the Nigerian CERT and response teams within various institutions, a cybercrime lab for investigating crimes, and the existence of the Nigerian IGF.

Ms Carmen Gonsalves, Head of International Cyber Policy at the Ministry of Foreign Affairs of the Netherlands, said that the private sector owns the majority of infrastructure, while the technical community, academics and the private sector have stakes and roles, and called for facilitating a multistakeholder environment. She mentioned the Global Commission on Cyber Space (GCSC), that The Netherlands have helped launch, as a good example of a multistakeholder independent forum with experts from all regions of the world, and conveyed that the GCSC launched the call to protect the core of the Internet during the recent Global Conference on Cyberspace (GCCS) in India.

Stauffacher called for the existing norms and confidence building measures (CBMs), developed by the UN Group of Governmental Experts (GGE) in 2013 and 2015, to be  implemented, and suggested that the development of national strategies could also become one of the norms. As for the role of civil society, he said it should act as a sounding board, to research and test the proposals of governments and the private sector, but also provide capacity building and influence governments to implement norms. Ms Audreu Plonk, Senior Director of Global Cybersecurity and Internet Governance Policy at Intel Corporation, said that she the role of the private sector to be ensuring secure technologies and providing capacities and knowledge, as well as in assisting with mitigation of incidents. Mr Marco Obiso, Cybersecurity Coordinator at the International Telecommunications Union (ITU), reminded the attendees that – while multistakeholder dialogue is important – ultimately governments make decisions and it is important to ensure that the they take into account the deliberations of the multistakeholder fora such as the IGF; in this regard, he saw the role of the intergovernmental organisations and in particular the UN institutions play, in ensuring that governments embrace multistakeholder approach, also on national levels.

Mr Andrey Krutskikh, Ambassador-at-Large and the Special Representative of the President of the Russian Federation for International Co-operation in Information Security, warned that some 130 countries are conducting training on performing cyber-attacks, and commented that it the global community still has not agreed on how, when and by whom the international humanitarian law (IHL) can be implemented in cyberspace. He said that Russia has proposed a Code of Conduct related to what can and what should not be done in cyberspace, which would serve as a basis for further discussions under the auspices of the UN, being the only space where there is a responsibility of states for international conduct.

Ms Sarah Taylor, Director of cyber at the National Security Directorate of the UK Foreign and Commonwealth Office, spoke of the London process, how the Global Conference on Cyber Space (GCCS), which was started in 2011 to get cybersecurity on the political agenda, emphasises the merits of cyberspace that need to be protected, and introduces broader multistakeholder discussion. She stated that cyberspace is not an unregulated environment, since the International humanitarian law (IHL) – including the UN Charter – applies in its entirety. Ms Marina Kaljurand, Chair of the Global Commission on the Stability of Cyberspace (GCSC), said that the GCSC is one among more than 100 contemporary discussions on cybersecurity, yet it is global and multistakeholder. The GCSC proposes voluntary norms and recommendations for anyone to pick up, such as the recently released Call to protect the public core of the Internet.

A question from the floor was posed on_ how can the IGF address the most urgent issues for all stakeholders and combine their views, facilitate the commitment of the stakeholder, and connect the dots between various discussions – such as from the GCSC and the IGF Best Practices Forum for instance? Another question asked was: how to have norms that promote sustainable development?

Obiso reiterated the role of the ITU – as a UN institution having private sectors as members – in engaging other stakeholders, yet invited all to look for options to not only connect the dots but also aggregate discussions from the ITU, the IGF, and the GCCS. Ms Taylor reminded the participants that there already exists an enormous amount of co-operation, such as within the First Committee of the UN, in the ITU, the GCCS, the Global Forum on Cyber Expertise (GFCE), etc. She mentioned the international stability framework in the UK, emphasising that norms are not a different way of writing laws, but ways to describe behaviour, and that the Confidence Building Measures (CBMs) support the norms while capacity building (CB) increases states’ ability to participate in discussions. Gurumurthy dissected the norms into three components – a network and software layer, a data layer, and an information layer – and asked for a different approach and actions for each layer, as they cannot be addressed in the same way. She also reminded the participants that developing countries have more concerns than just cyber-armament, including privacy and data ownership. Gonsalves called for additional work to clarify how the existing solid framework of IHL applies to cyberspace, which could enhance stability and responsible state behaviour.

Ms Anja Kaspersen, Director of the United Nations Office for Disarmament Affairs (UNODA) in Geneva, talked about emerging threats, including undermining public trust in democracy and elections, and the application of artificial intelligence (AI) in military operations, and called on leaders to better understand cybersecurity and build digital literacy and capacities. Mr Jan Neutze, Director of Cybersecurity at Microsoft, warned of the risks from increasing cyber-armament by states, and presented the three elements of their Digital Geneva Convention proposal: a peace-time norms calling on governments to adopt legally binding commitments to avoid attacks on infrastructures below the threshold of armed attacks, a call on the industry to do more, including issuing patches and not picking sides in conflicts, and a proposal for a better attribution system that could hold accountable the actors that violate norms.

Kaljurand called for the greater involvement of counties in Group of Governmental Experts (GGE)-like processes, the discussion on how IHL applies to cyberspace to be continued – especially in a multistakeholder environment, and invited her peers from the GGE to talk openly about what was discussed and what was in the draft report. As for the 2013 and 2015 UN GGE reports on the applicability of IHL, she said that both reports were adopted by the UN General Assembly. Mr Miguel Gutiérrez, General Director of the Security Office for Computer Networks at the Ministry of Communications of Cuba, responded that parties that were not involved in previous rounds of the GGE cannot endorse every bullet – such as those on sovereignty, applicability of IHL and the UN charter – and that the truly global consensus is needed.

Mr Long Zhou, Coordinator for Cyber Affairs at the Ministry of Foreign Affairs of China, called for cyberspace to be a place of peace, not of battlefield, and for increased defence rather than offence. He also called fora rule-based and structured governance of cyberspace, and a multilateral democratic and transparent cyber order. Zhou praised the work of the GGE and called for continuation, which could lead to an open and inclusive process within the UN in the future. Gonsalves mentioned the Tallinn Manual 2.0 as the work of academics on how IHL applies to cyberspace, as well as of the law of states responsibility for internationally wrongful acts, which is applicable to attacks under the threshold of armed attack.

Krutskikh commented on Microsoft’s Digtal Geneva Convention proposal as a positive phenomenon, understanding the vulnerability of big business and that societal revolution driven by new technologies (such as the Internet of Things and artificial intelligence) cannot develop without a secure environment. He expressed his support of the discussions under the G8, and particularly the Declaration of the G8 Summit of Deauville in 2011, including the multistakeholder approach the declaration invited for. Finally, he announced that the new GGE could possibly be convened next year. Gutiérrez suggested possible next steps, including analysing the existing legal framework to define legally binding instruments that complement IHL, further work on attribution processes, as well as building up a shared terminology among states. He also warned that war in cyberspace could be legitimised through linking cyberspace with the right to self-defence of the UN Charter.

Neutze elaborated on Microsoft’s proposal related to improved attribution, suggesting bringing the technical data of various actors to develop a common methodology and do an analysis related to attacks. He suggested that the international group of organisations (preferably from the private sector and academia) should be formed to pull sources and make statements about theorigins of cyber-attacks with a sufficient degree of confidence. Mr Van Horenbeeck invited for a multistakeholder discussion to build a culture of cybersecurity and identify core shared values, out of which specific legal or operational tools can be developed. As an example, he mentioned developing ‘duties of care’, bringing the responsibilities of individual stakeholders, and said that the IGF BPF outcome document will be published soon.

Stauffacher called for capacity building of CERTs, diplomats and policy people, as well as parliamentarians who ultimately make decisions, and suggested more work with the Inter-Parliamentary Union. He also spoke of preventing the use of ICT for terrorist purposes, where civil society started dialogue with private sector. Mbanaso underlined that aggressive education is needed, since everyone connected has to have some form of training – from hygiene to advanced; he explained, however, that different sets of education are needed for users, ISPs, software developers, human resource managers, supply chain, etc. Betancourt reiterated that human rights should become the basis of discussions, and mentioned the Freedom Online Coalition and Netmundial as good examples of fora following that approach, and invited the GCSC and other fora to translate human rights to cybersecurity in action.

A question from the floor asked: how can we enforce IHL – norms and even treaties – since we know IHL is being broken every day, attribution is still a big problem, and cyber-armament is growing? A mapping by DiploFoundation of more than 20 countries (and growing) that confirmed own offensive cyber-capabilities has been presented, followed by the question of whether it is realistic to expect cyber-disarmament under these circumstances? A comment from the floor suggested a pilot activity of the IGF to have no device on the market with a default password, as a possible hands-on achievement of the IGF. Another comment reflected that disarmament is not impossible, and that the eventual attribution organisation would need to be in an institutional connection to the UN – such as through the Security Council which requires proof of violation of UN Charter – but also that the governments need to receive evidence of violation, especially if they want to go to the international courts. An online participant asked about the role of young people in contributing to a safer environment, and on ways in which to protect children online. Another question from the floor was about the ways in which to make discussions future-proof by involving younger generations, as well as those not yet connected (many of whom will be women). A final comment invited for the involvement of peace communities in the dialogue, and asked how the norms could be enforced and who is responsible to hold parties accountable?

Taylor responded that there are examples of disarmament in the non-cyber field, including conventions on the export of weapons such asthe  Wassenaar agreement, and that further discussions are needed. Yet, she called counterparties for a greater transparency on their cyber-capabilities, citing the UK as an example of transparency. As an example of possible attribution, she said that the UK National Cyber Security Centre (NCSC) just attributed a Wannacry ransomware to the infamous Lazarus group through technical, legal and political attribution. Finally, she said the UK is looking for a code of practice for the security of new devices, and that the IGF could be a good place for such a multistakeholder conversation. Zhou confirmed that solutions may be found among various political options, yet only if there is an international consensus on disarmament, and invited for serious discussions on that issue. Obiso reminded the participants that, in order for countries – especially developing ones – to participate in discussions and endorse norms and CBMS, they need to develop national capacities, including those on attribution. Stauffacher called for building capacities of the peace-related NGOs, in order to enable them to become part of the dialogue. Gurumurthy mentioned that states have the responsibility to protect public good, while Olufuye emphasised the responsibility of end-users when it comes to basic digital hygiene like anti-virus and passwords.

Gonsalves added that there is a need to build capacities in the legal sphere as well, especially for diplomats, in order to allow more countries to get involved. Mbanaso invited African countries to take strong leadership in cybersecurity. Betancourt suggested that strengthening national and regional IGFs (NRIs) has the potential to bring in new voices, but also called for mechanisms of those voices to be heard globally, beyond the IGF. Kaspersen added the need for capacities of ’translators’ between professional silos, such as courses for ‘technomats’ or ’diplotechs.

Closing the session, the MAG Chair Ms Lynn St. Amour reminded the attendees that the IGF does not make binding decisions, but serves to take messages to local levels and back – through NRIs and BPF, among other. In his closing words, Grütter suggested that all parties agree on a multistakeholder process, the need for voluntary norms, usefullness of CBMs and especially capacity building, applicability of IHL to cyberspace and open interpretations on how it applies. He stressed that for Switzerland, the UN Charter applies in its entirety (including Article 51 that can be applicable under some circumstances), and the international customary law which stipulates that countries have to try everything to stop internationally wrongful acts coming from their territories. He concluded that the IGF continues to have an important role in bringing all stakeholders together.

By Vladimir Radunović