The roundtable discussion, moderated by Dr Roxana Radu, Manager at the Geneva Internet Platform and Internet Governance Associate at DiploFoundation, was part of the World Café Reception marking the start of the Geneva Peace Week.
Background: The global Internet regulation is in an ambiguous situation. On one hand, international law applies online, including rules on state responsibility, territorial integrity, non-intervention, and self-defence. On the other hand, there is no agreed practice nor rules on how to apply these rules to Internet disputes. The fast-growing cybersecurity challenges require faster action at an international level. Several calls were made by governments (such as those in the UN GGE) and by the private sector to start a discussion around the norms of behaviour in cyberspace. Among the latter was the recent proposal by Microsoft for a Digital Geneva Convention, which should ‘commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property’. According to this proposal, the Geneva humanitarian conventions provide inspiration for considering the tech sector as neutral, similarly to medical personnel in war zones.
Q1. Is a Digital Geneva Convention needed? Will it solve the issues?
There is a need to have rules for applying existing international law to online matters as well as introducing new rules whenever there are gaps. The open question is whether such rules can be introduced by a Digital Geneva Convention. The predominant view was that such an instrument is not realistic to adopt in the current international atmosphere. Some discussants argued that it is not even desirable. Since cybersecurity conflicts are likely to increase, there will be increased pressure to have some solutions at an international level. The session discussed some alternative solutions that could address two challenges: increase the clarity of applying existing international law and introduce new implementation mechanisms. One solution is the so-called Montreux process for the application of international law to private military and security companies present in an armed conflict, which apply existing rules (humanitarian law) via a multistakeholder implementation mechanism.
Courts are likely to fill this lacuna in global digital governance. For example, the Court of Justice of the European Union has created rules on mass-surveillance, the right to be forgotten, and privacy. Courts are applying rules that were formulated 20-25 years back and may not reflect today’s reality. The challenges of digitalisation – exposing all sectors to rapid tech transformations – make it urgent to agree on norms.
The perceived exceptionalism of the tech sector (limited or no regulation) is increasingly challenged and Microsoft’s initiative appears as a pre-emptive move. Many questions arise around the intent of this proposal, the target audience and the substantive provisions. Participants pointed out that many issues are left out of the discussion, in particular questions of bioweapons further powered by digital innovations, excessive collection and control of data for cybersecurity, as well as the responsibility and accountability of the private sector in these discussions. Relatedly, the increasingly asymmetrical nature of cyber warfare and the role of non-state actors were emphasised, raising doubts about the extent to which a Digital Geneva Convention would solve the key issues.
Q2. Geneva is the world’s humanitarian capital. What can the emerging digital policy field learn from the long history of humanitarian protection?
The Geneva Convention established the standards of international law for humanitarian treatment in war, and the International Committee of the Red Cross (a Swiss non-profit association) was founded as the custodian for the strict implementation of the treaties of the Convention. If we are to have a Digital Geneva Convention as proposed by Microsoft, what existing or new international organisation could take on the role of monitoring the implementation of the convention? The tech sector cannot be treated as neutral when it has vested interests and owns the Internet infrastructure. The participants to the roundtable also expressed concern around the uneven rates of Internet penetration around the world and the position of developing countries in the Digital Geneva Convention discussion. The scale and speed of technological developments should be considered in the approach to the convention, which applies in times of cyber-peace rather than cyber-war. Distinguishing between offensive and defensive attacks in cyberspace and adopting a citizen-centred perspective would also be imperative in order to substantiate the debate.