IGF 2021 BPF Cybersecurity

Event report

Since 2018, the IGF Best Practice Forum on Cybersecurity (BPF) has focused its efforts on the evolution, implementation, and impact of international cybersecurity norms. In 2021, the BPF continued this work via multiple workstreams.

The BPF Cybersecurity 2021 on the use of norms to foster trust and security has been divided into three workstreams.

Mr Maarten van Horenbeeck (BPF Lead expert) introduced the work that the IGF’s BPF team has done over the past year. He introduced the three workstreams groups. Workstream 1 (WS 1) – updating the BPF’s mapping of agreements, took a deeper look at the drivers of cyber norms, including concerns raised by internet users, security incidents, and other events. Workstream 2  (WS 2) – testing norms concepts against internet events, discussed which core ideas behind the normative agreements had the most continuity through various incidents. Workstream 3 (WS 3) – BPF outreach and cooperation with other IGF initiatives, in accordance with the United Nations Secretary-General’s Roadmap for Digital Cooperation and strengthened IGF, worked with stakeholders to drive engagement and participation in the BPF. van Horenbeeck summarised the work the BPF’s team has focused on by saying ‘It is really about identifying how the rules of the road actually meet the rubber of the road.  So where is it that these rules are truly taking effect, and where are they having value?  Where are the challenges?’

Mr Pablo Hinojosa (Strategic Engagement Director, APNIC, the regional internet address registry for the Asia-Pacific region) presented some of the key findings of WS1 and explained how the group conducted its research.  WS1 continued to unpack the collection of norms and mapped and analysed these norms and agreements. He made a point that there were special criteria – these agreements had to be international in scope, have a mission to improve the overall state of cybersecurity, and apply to all groups signing these agreements. Compared to the previous report in 2020 when there were 22 agreements, today the BPF has identified 36 agreements to work on. For every agreement included, the BPF determined which norms elements (rights and freedoms, information security and resilience, reliability of products, cooperation and assistance, restraint on developments and use of cyber capabilities, and technical and operational) it reflected to identify trends and shared priorities across agreements. As Honjosa pointed out, ‘The findings are not intended to be authoritative, but they are trying to aid the conversation, and try to improve our understanding of this.’

Ms Mallory Knodel (Lead BPF Workstream 2, Center for Democracy and Technology) talked about WS2’s methods and how the team approached their research. The main research question was how effective specific norms would have been in mitigating adverse cybersecurity events. She explained that the first step was to determine which incidents to study out of the vast choice of cybersecurity incidents that had had a significant impact. Second, they had an ambitious plan to look at most cybersecurity events in the last couple of decades, not only to do general research to understand them better, but they also tasked themselves with doing more qualitative analysis.

Knodel pointed out that the team sought to interview and better understand the impacts of the people who were most affected by these cybersecurity events, and then those who mitigated them as well.  So it was ‘time-intensive but incredibly rewarding and it allows us to really lift up the voices of those most affected into a platform like the IGF and hopefully we have their ongoing involvement as these reports and findings make their way into treaty-level discussions where we can start building a story bank of how cybersecurity will really impact people.’ The people-centred approach to cybersecurity proves to be really important.

Mr Chris Painter (President, Global Forum on Cyber Expertise) stressed that when it comes to the norms, there is also an issue of accountability, and whether there is accountability for violations of norms. If not, he added, one of the questions is if there is no calling out of norms violations, do those norms continue to have any force?

Mr Sherif Hashem (Board Member, FIRST), highlighted the importance of bridging different silos – government officials, industry, civil society, the general public, and infrastructure. They don’t usually meet or work together unless there is a special effort targeted; we should bring them together when it comes to applying cyber norms.

Cyber norms were developed by states and are part of the UN mandate.  According to Hashem, ‘It’s always the case that we talk about state responsibilities, but when it comes to reality, it has to be in partnership, and there are some norms that target or highlight the importance of multi-stakeholder approach when it comes to implementing norms, and that’s the part of the roles and responsibilities of various stakeholders. It’s really important to bring them all together.’ Likewise, the trust relationship is an important ingredient that should be built ahead of time. It’s important for different stakeholders in partnership to recognise best practices and how to make them work in reality. 

By Kristina Hojstricova

Session in numbers and graphs

Automated summary

Diplo’s AI Lab experiments with automated summaries generated from the IGF sessions. They will complement our traditional reporting. Please let us know if you would like to learn more about this experiment at ai@diplomacy.edu.

The automated summary of this session can be found at this link.