Proliferation, cyber stability and state responsibility

Event report

[Read more session reports and live updates from the 13th Internet Governance Forum]

The instability of cyberspace undermines the benefits of technology for our society. While international humanitarian law applies in wartime, in peacetime the rules are not clear. In this context, states have a role to play, as well as self-interests in protecting themselves from cyber-attacks. With this regard, the notion of Non-Interference with the Public Core identifies the fundament for the creation of almost worldwide agreed norms of behaviour; while the concept of due diligence strengthens the responsibility of states to do their best to prevent a trans-boundary attack. This framework represents a starting point that needs to be reinforced with a multi-stakeholder effort of governments, civil society, the private sector and experts with specific capabilities. 

The moderator, Ms Frederick Douzet, Professor of Geopolitics, Paris8 University France, introduced the framework of the discussion by arguing that the stability of cyberspace is at risk. The global Internet is underpinned by many flaws and vulnerabilities of technology. Moreover, other actors with crucial capabilities create additional conditions of instability: States and non-states development of malware is only one example. This puts the benefits of cyberspace and the future of a digital economy in jeopardy, raising issues of accountability and liability. Who is, therefore, ultimately responsible for the security and stability of cyberspace, and what is the responsibility of the state? This introduces the discussion on the cybersecurity dilemma. 

Mr Chris Painter, Commissioner, Global Commission on Stability of Cyberspace; Former Coordinator for Cyber Issues, US State Department, started his speech with two remarks. First, the cyberspace environment is very unstable and featured by a multitude of actors and variables such as states developing cyber capabilities, criminal and malicious actors; and finally, the existence of major vulnerabilities. Second, attacks can originate from states or non-state actors but we increasingly see the emergence of hybrid threats. Thus, the more we become dependent on these technologies to have social interactions, economic growth, and freedom of speech, the more we should focus on the existing vulnerabilities. It is impossible to benefit from technology if it is not based on a good stable environment. States have a role to play and responsibility to respect; however, states also have self-interest in looking for agreement on the subject. As the speaker argued, while in wartime you have international humanitarian law applying, in peacetime you do not know what rules apply and you do not want attacks to happen. He complemented the remark highlighting the new US strategy for cyberspace, based on the principle of ‘better acting together to combat the threats than to deter the threats’. Finally, he concluded his speech stressing the multistakeholder approach as a crucial feature to tackle the issue: governments, the private sector, and civil society, have a role to play in achieving a stable cyberspace environment and all should have an appropriate voice in achieving that goal.

Mr Bill Woodcock,Technical Community, Western European and Others Group (WEOG), addressed the issue of drafting norms and encouraging states adopt such norms. The starting point of this process is the concept of Non-Interference with the Public Core, defined as follow: ‘without prejudice to their rights and obligations, state and non-state actors should not conduct or knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace’. The wording off ‘public core’ identifies a neologism supplied by the Dutch government to substitute the phrase ‘critical infrastructure’ on which there is not a general agreement on the meaning. However, an agreement has been found around the following four categories, clearly dividing the critical infrastructures of the Internet itself, such as core routing and Internet exchange routes, and information and communications technology (ICT) enabled and internet accessible aspects of traditional critical infrastructure, such as the portions of the healthcare system that are computerised and the control systems for nuclear power plants or air traffic control. 

• Packet routing and forwarding. 
• Naming and numbering systems
• Cryptographic mechanisms of security
• Physical transmission media.

These four categories identify a starting point agreed by states. Leaving the door open to the expansion of definition, the WEOG identified the following insular norms providing additional bits of protection or clarity for different purposes.

• Norm to avoid tampering.
• Norms for states to create Vulnerability Equities Process
• Norm to reduce and mitigate significant vulnerabilities
• Norm on basic cyber hygiene as foundational defence.
• Norms against offensive cyber operations by non-state actors

Only six states, US, China, Russia, Israel, North Korea, and Iran are not following these rules. 

Ms Joanna Kulesza, Civil Society, Eastern European Group, covered the issue of state responsibility with regards to international law. International law does not allow states to be claimed responsible for private actors’ actions. There is a need to demonstrate that the private actor was acting on behalf of the state, that authorised the attack under its control. Thus, the international community is working on the prevention of proliferation of cyber attacks through cyber weapons by private actors. She argued that when an attack interferes with critical infrastructures and the core of the Internet, the effect will be significant transboundary harm. Tackling the prevention of significant trans-boundary harm, the principle of due diligence should be introduced. It implies a theoretical model of good government: a government would do its best to prevent a trans boundary attack or the use of malware or cyber weapons. It does not have to effectively prevent that attack. Moreover, the principle of due diligence is linked to the concept of neighbourliness and what would be expected of a good neighbour, especially with regards to the prevention of harm if the attack is directed to vital interests. It must be noticed that the obligation of due diligence stops when, for instance, a government acting according to due diligence is not able to discover clandestine and hidden activities. Thus, a question can be raised of how is it possible to enforce such an obligation? States should introduce national laws that would set a standard of care enforceable against private actors.

Ms Anriette Esterhuysen, Former Executive-Director, Association for Progressive Communications (APC), argued that the ongoing debates are focused on the security of states rather than on the security of users and individuals, content or systems. The feeling is that the failure of states efforts in establishing security through national cybersecurity legislation is due to the fact that the focus is not on the protection of users and tackling cybercrime. Moreover, processes of surveying, intercepting, and monitoring create more and more uncertainty in the Internet business model environments. Another concern is related to the not inclusivity of the cybersecurity process: it does not represent a transparent process. In this context, state responsibility is not being adhered to in the context of international law and international human rights law.

Mr Bruce McConnell, Vice-President, EastWest Institute, argued that cybersecurity and cyber stability is no longer about cyberspace but about everything we do in our lives. Second, the consensus on norms exists and it is possible to talk about the wording and the applicability of them. Talking about the notion of public core, he argued that norms do not say that the public core should not be attacked: they say they should not be attacked so badly to affect the stability of cyberspace. He argued that the current processes are not based on the right conversation: he stated that there is a need to talk to the people with the capabilities such as the military intelligence communities.

By Stefania Grottola