Non-state actors in Europe and beyond: The true shapers of cybersecurity norms?!

8 Jun 2018 02:00h

Event report

At the beginning of the session, the moderator of the workshop, Ms Jacqueline Eggenschwiler (Member, EURALO Individuals’ Association), asked the audience to use the Mentimeter online tool to express their views on the most engaged stakeholders in the norm-building process. 

The word cloud showed the prominence of the tech community, the private sector and civil society. The co-moderator, Ms Tatiana Tropina (Senior Researcher, Max Planck Institute for Foreign and International Criminal Law), observed that this word cloud reflected people’s aspirations, rather than the real situation.

Dr Wolfgang Kleinwächter (Member, Global Commission for the Stability of Cyberspace) continued by providing background information on the history of the emergence of cyber-norms. He noted that strong regulation would stifle innovation and development, but that it is necessary to stick to certain rules in cyberspace. In addition, governments cannot control cyberspace because they lack, or have only limited, technological knowledge, especially on attribution issues. Governments have now ‘opened the door a little bit to the private sector’. However, the negotiation of legally binding norms is the states’ prerogative.

Mr Maarten Botterman (Member, Board of Directors, Internet Corporation for Assigned Names and Numbers (ICANN)) reflected on the role of industry and soft norms. Industry has its own interest in participating in norm-making, as this allows its markets to flourish. In doing so, industry players sometimes develop soft norms to keep one another under self-regulation. As for civil society, ‘they may stimulate industry to come to norms, they may stimulate states to come to agreements, but they don’t set the norms themselves’.

Mr Christoph Steck (Director Public Policy & Internet, Telefonica) provided several understandings of a norm: 1) Legal norms as regulation; 2) Self-regulation, when a particular stakeholder sets the norms of behaviour and adheres to them; 3) Co-regulation, when a third party (governments, for instance) acts as supervisor for self-regulating norms; and 4) Security standards for manufacturers and producers.

Ms Nata Goderdzishvili (Head of Legal Department, Georgian Data Exchange Agency) spoke from the government perspective and expressed skepticism regarding Microsoft’s proposal of a Digital Geneva Convention. ‘Big multinational companies can dictate international conventions… of course private companies have a big role in setting and applying specific standards, but it is the states who should agree on [standards]’. She noted that states have made good progress in cyber norm-building despite some failures, such as the UN Group of Governmental Experts (UN GGE) in 2017.

Ms Dominique Lazanski (Public Policy Director, GSMA) highlighted the discrepancy in the adoption of cyber norms by certain countries, which leads to a division into ‘western norms’ and ‘non-western norms’, so that ‘two different states are likely to be operating under their separate definitions of norms’. She mentioned, inter alia, the importance of information sharing during cyber-attacks, and the need for multistakeholder participation in the response to and mitigation of the attacks.