Rules, laws, and norms: Stakeholders’ commitments to rules, norms, and principles

3 Dec 2019 16:00h - 19:00h

Event report

Through resolution 73/27, the UN General Assembly established the Open-Ended Working Group (OEWG) on developments in the field of information and telecommunications in the context of international security which – in addition to the intergovernmental nature of its work – also provides the possibility of holding intersessional multistakeholder consultations. The first intersessional consultative meeting took place on 2-4 December 2019 with sessions that included the tech industry, civil society, academia, and member states.

The third meeting focused on the stakeholders’ commitment to rules, norms, and principles.

There is more agreement than there are differences on the key norms for responsible behaviour in cyberspace, the Microsoft Corporation noted in its scene setting presentation. Governments, tech companies, and civil society agree that human rights protected in the physical world must also be protected online; that critical infrastructure and democratic processes must be safeguarded; and that ICT-enabled theft of intellectual property must be prevented. Microsoft recommended that five steps be taken in the coming years. First, existing norms, particularly the 11 norms outlined in the 2015 UN GGE report, should be implemented swiftly by member states, industry, and civil society. This should be achieved through concrete actions such as: awareness raising efforts, hands-on training for less developed countries, and improved tracking of the impact of cyber-attacks. Second, states should endorse the Paris Call for Trust and Security in Cyberspace and join multistakeholder communities of action, which are meant to advance the Call’s 9 principles through concrete projects. Third, the international community should support the vision outlined in the report of the UN High-Level Panel on Digital Cooperation, to advance a global commitment on digital trust and security. Fourth, multistakeholder cybersecurity initiatives should find a better way to engage with the UN, and regular dialogue among governments, industry, and civil society on cybersecurity issues should be established. Finally, member states should explore the viability of a legally binding instrument on the protection of people in cyberspace, as well as accountability mechanisms for violations of international law or established norms of responsible behaviour.

The second scene setting presentation was given by France. France noted that the Paris Call enables different stakeholders from different communities to work together to develop concrete recommendations to strengthen security in cyberspace. Its nine protocols aim at developing a healthy online environment for all actors, taking measures to prevent non-state actors from engaging in cyber offensive operations, promoting the implementation of international standards for responsible behaviour online, as well as promoting confidence building measures (CBMs) to reduce the risks to the stability of cyberspace. The Call is a declaration of intent and it is political in nature; however, it is not legally binding. It is intended to recall the principles which should govern the actions of those using cyberspace and possibly serve as a springboard for binding rules, norms, and principles. It is a starting point for negotiations and work on cyber issues that is currently underway within the setting of the UN.

The intersessional meeting then featured a multistakeholder discussion with two guiding questions: what are the commonalities between the different multistakeholder initiatives on cybersecurity, such as the Tech Accord, the Charter of Trust, the Global Transparency Initiative, and the Paris Call; and, what synergies should be encouraged between intergovernmental and multistakeholder initiatives?

On commonalities between the different multistakeholder initiatives, the Igarapé Institute highlighted the importance of a multistakeholder approach and said that they are committed to increasing the capacity of these stakeholders to address cyber threats and build resilience. They also recognised that stakeholders have a shared responsibility for a stable and secure cyberspace, and outlined the actions they should take, as well as the type of behaviour they should refrain from. The multiplication of multistakeholder initiatives shows that there is interest in addressing cybersecurity challenges, the Cyber Peace Institute stated, further noting that the core outputs of these different initiatives align.

On synergies between intergovernmental and multistakeholder initiatives, Global Partners Digital noted that commonalities between the different proposals and implementation processes should be identified, to prevent the doubling of stakeholders’ efforts. On the other hand, the University of Hong Kong suggested that separate paths do not have to lead to negative outcomes, but could be opportunities to engage stakeholders that were previously on the sidelines of policy discussions, or participants in multilateral frameworks not of their own design. This could prompt the discussions to mature in their local, national, and regional contexts; and extend leadership for norm development outside of the traditional players. These parallel initiatives can be supported by informal dialogue tracks, which would then tie disparate conversations and stakeholders together.

Almost all state delegations spoke about the applicability of international law in cyberspace. The USA, Pakistan, and Canada reaffirmed the applicability of international law; while Japan and Australia underlined the applicability of the UN Charter; and Egypt, Argentina, and Colombia further stated that international humanitarian law is also applicable. However, how international law applies still needs to be discussed, stressed delegates from Australia and Colombia.

The legal nature of norms governing cyberspace was raised by many speakers. Pakistan and the Huawei Corporation stressed the need to move towards legal commitments. Egypt suggested that legally binding norms and voluntary norms do not have to be mutually exclusive, and that both can be developed in parallel. For states not to develop malicious capabilities or not to weaponise certain technologies, legally binding norms are needed. Microsoft reiterated Egypt’s point on the parallel development of legally binding norms and voluntary norms, suggesting that more binding rules are needed for accountability and enforcement of already agreed upon norms. Argentina noted that a consensus on legally binding and non-binding norms is necessary. On the other hand, many of the speakers noted that the existing international law, as well as voluntary, non-binding norms are sufficient. The USA does not believe a new international legal instrument is necessary. It considers existing international law to be a sufficient legal framework; and with the addition of non-binding norms and confidence building measures, it can achieve practical results. The Global Forum on Cyber Expertise (GFCE) stated that non-binding and voluntary norms are not paper tigers – they can be enforced through collective action. Canada and the Igarapé Institute underlined the implementation and operationalisation of voluntary norms. Japan and Colombia stated their support for the development of voluntary norms of responsible behaviour. The USA and Australia noted that the international community does not have the time to negotiate the new legally binding rules – by the time the new instrument is drafted and ratified, its provisions will be obsolete. Brazil also noted that cyberspace is shifting quickly and that stakeholders are not equipped to negotiate a legally binding instrument as they do not know what the provisions need to address. However, it might be necessary to negotiate one in the future. 
The Shanghai Institute recommended more theoretical studies on the dilemma.

Furthermore, implementation of the agreed norms in the 2015 final report of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) was underlined by the Global Commission on the Stability of Cyberspace (GCSC), GFCE, the Igarapé Institute, the R Street Institute, and the delegates from the USA, Colombia, Australia, and Canada. The GFCE further noted that many states need to be made aware of the norms enshrined in the report.

Attribution and accountability are tied together, as Huawei noted and Australia reiterated. The myth that attribution is impossible has been dispelled, and it has now been acknowledged that it is possible, yet difficult. Attribution mechanisms should be neutral, ICT4Peace noted, and aware of national security concerns, Australia underlined. ICT4Peace also proposed that attribution mechanisms could take the form of public-private partnerships, while Australia warned that such public-private alternatives to formal attribution mechanisms should be geared towards the capacity building of states by the private sector. Microsoft, ICT4Peace, the IGF Best Practice Forum on Cybersecurity, the Global Cyber Alliance (GCA), Huawei, Australia, and Canada noted that moving towards accountability mechanisms is necessary to ensure responsible behaviour in cyberspace.

The Central European University (CEU) brought attention to the concept of norm contestation, which the IGF Best Practice Forum on Cybersecurity echoed. This concept suggests that only a contested norm is a robust, legitimate, and sustainable norm, which reflects the realities of different stakeholders. Contestation does not end when a norm is adopted, but continues throughout the ordinary life of a norm. Actors may agree on the general purpose of the norm, but at the same time, they can contest when and how the norm should be applied. Norm breaches are also important for understanding how norms work, as they may define the scope of the application of the norm.