The launch of the Geneva Digital Talks series – organised by the Canton of Geneva – gathered around 80 representatives from the technical, governmental, business, not-for-profit and academic communities. The speakers included representatives from the Canton of Geneva, the International Committee of the Red Cross (ICRC), the EPFL’s School of Computer and Communication Sciences, Deutor Cyber Security Solutions, the Federal Department of Foreign Affairs (FDFA), the University of Geneva, FONGIT (Geneva's high-tech start-up incubator), and the Geneva Internet Platform (GIP). The key messages of the launch event revolved around the need to understand cybersecurity in a multidisciplinary way.
At the start of the discussions, we were reminded that Geneva is, above all, a platform of dialogue and a place for finding sustainable solutions. Moreover, Geneva has a reputation as an ecosystem for stakeholder engagement, where the digital discussions can be people-focused.
Security is key to modern societies, but it was not originally built into the Internet. Addressing it now is comparable to repairing a plane while flying it. To understand the issue, the discussions followed the journey of an Internet data packet that crosses national borders, is vital to the digital economy and innovation, and is ultimately crucial in high-level negotiations impacting a number of sectors.
The interplay between Silicon Valley as a place of technological development and social disruption, and Geneva as a constructive, human rights-oriented policy space, set the tone of the discussion. Recent calls from the private sector to advance discussions on a cyber treaty brought forward the need to have a shared understanding of the vulnerabilities, issues and prospects of cyberspace. If a cyber incident amounts to a kinetic attack, international law applies, but for everything in between, there is a ‘grey zone’, just as there is for the distinction between ‘civilian’ and ‘military’ in digital terms. Previously, key conventions have been negotiated with the involvement of non-state actors in equally sensitive fields, such as the Biological and Toxin Weapons Convention or the Chemical Weapons Convention.
On its journey, the Internet data packet is first tested physically: the integrity and correctness of the code are essential, as there is no bug-free software or liability for software in place. While we are getting better at writing and verifying software in safety-critical applications, trust in the ability of others, who are unknown to us, to fix it is gradually eroding if we can no longer distinguish between good and bad intentions.
To diminish the risks of interference and misuse, the Internet data packet should be protected by a community that understands infrastructure and relevant technology and invests in security. Suggestions were made to eliminate the prevalent ignorance and complacency about security, also distinguishing between IT security and cybersecurity. The latter concerns a criminal network with a goal. Effective co-operation needs to include users (to notify about breaches) and providers (to react to vulnerabilities or breaches) working together. Regulation can also be used as a carrot to incentivise and a stick to sanction those who do not comply, thus increasing the overall level of security.
When it comes to the framework for state action, different instruments are currently deployed. In addition to the guidelines provided by the UN Group of Governmental Experts in their 2015 report (11 voluntary norms), international law, and in particular the UN Charter, includes provisions on the use of force, interference in the domestic affairs of states, peaceful means of solving conflicts, and also self-defense. International customary law covers state responsibility, even when using proxies, and due diligence for internationally wrongful acts that apply to digital space. In international humanitarian law, if the kinetic dimension is reached in cyberattacks, cyber means amount to armed conflict. Moreover, the human rights obligations of states apply online, as they do offline (e.g. freedom of expression). Confidence building measures, such as the ones put forward by the Organisation for Security and Cooperation in Europe (OSCE), represent additional means to strengthen collaboration at the global level. With this multi-layered framework in place, it is important to build awareness and strengthen the capacity of states to understand and apply it before new binding rules are discussed.
When discussing the attribution of risk and responsibility, there is a danger of substantive fragmentation: we have global technologies but local laws, and there is an overlap of regulations and sets of conflicting norms that may be detrimental or counterproductive. The question here is whether we can move from the Geneva Digital Talks to policies, or even to the Geneva Digital Courts to address the needs of regulators. As the birthplace of international arbitration, Geneva has a unique role to play in the attempt to solve Internet-related disputes.
From a digital economy perspective, the Internet data packet has recently been carrying more and more sensitive records, including health and personal data, or social security information. With the advent of the Internet of Things (IoT), we will move from cyber to digital security in a much broader sense. Every second, 95 passwords are stolen around the world, showing that security by itself is no longer enough. There is a need to move from security by reaction to security by interaction. The Internet giants that operate most online services need to be brought into the conversation about norms, key responsibilities and regulation.
The Geneva Digital Talks will continue with a series of events in the build-up to the Internet Governance Forum. The focus of the GDT will be set on the following aspects, identifying key competencies available in Geneva: technological, legal, social and political.
More information on the GDT and online exchanges can be found here: https://www.giplatform.org/geneva-digital-talks.