[Read more session reports and live updates from the 12th Internet Governance Forum]
In April 2017, the Dutch Cybersecurity Council (CSR), a high-level public-private-academic advisory body to the Dutch Cabinet, published the document Every Business has Duties of Care in the Field of Cyber Security. The document presents a case for why companies using ICT have duties of care, for themselves, for their customers, and for their environment. This session aimed to involve participants from different stakeholder groups and regional backgrounds, including from governments, industry, the military, regulators, civil society, and the Internet industry, to debate the current state of affairs pertaining to duties of care, based on the CSR study.
Ms Andrea Bakker, Deputy Secretary of the CSR, provided the background to the session, mentioning that ‘the Netherlands has the ambition to be a secure and open cyber domain in which the opportunities offered to our society by digitalisation are exploited, threats are mitigated, and fundamental rights and values are protected.’ Regarding the CSR’s guide for businesses, she stressed that ‘every business has duties of care in the field of cybersecurity. And the goal of this document was to make Dutch legislation in the field of duties of care accessible and manageable.’
The moderator of the session posed the following questions for the panel members and participants:
Mr Paul Mitchell, General Manager Technology Policy at Microsoft Corporation, also representing the International Chamber of Commerce, stated that ‘there are generally a lot of questions around duties of care concepts’. He further mentioned that the good news is that the discussion is progressing and there is a general agreement on the need to understand current practices as they exist in various places. Accordingly, he emphasised the need for a multistakeholder model of cooperation. Regarding the challenges currently faced by the community, he mentioned that ‘laws and regulations surrounding the operation of networks vary widely around the world. So, the issues in scope in a duties of care discussion are not universally understood. The Internet itself is not a uniform thing, but rather a collection of disparate systems and processes that work together loosely based on agreed technical protocols. And in this kind of a system, the responsibility boundary between the various players can be unclear and often is.’
Mr Navad Paulo, working with a human rights and consumer protection organisation, commenting on the Microsoft proposal for the Digital Geneva Convention, stated that this initiative, which started as a civil society movement, has become a governmental enterprise, and accordingly people are getting ‘upset with an absolutely unbearable situation.’ He recommended that the movement should be advanced by civil society, along with some industry involvement. Once this case is developed to the point where it becomes acceptable and looks feasible for governments to get involved, then they should do so.
A representative from the IGF Best Practice Forum on Cybersecurity, underscoring the need for harmonisation within the cybersecurity space, suggested that ‘there needs to be a culture of cybersecurity. And that culture needs to be underpinned with a set of values.’ He said that to make progress beyond a certain point in the cybersecurity realm and in implementation, the ‘community needs to find ways to gain a shared sense of responsibility for every stakeholder. Stakeholders need to have a clear idea of what is expected of them to help make that cybersecurity culture a real outcome.’ Responding to a question from the moderator on a potential forum to discuss such issues, he said ‘for finding the balance, what better place than the IGF? The IGF sets out not to come to conclusions about what needs to be done, but at least to discuss topics and determine what is relevant and how could we go about it.’
By Mohit Saraswat