New cyber norms to protect cyberspace

This year, the industry proposed new cyber norms to protect cyberspace. The industry is increasingly stepping into a norm-developing role, which was previously mainly the ambit of governments. In this space, you can follow the developments on two main proposals: Microsoft's proposed Digital Geneva Convention, and Google's proposed legal framework for digital security and due process.

Upcoming

The Consulate General of Switzerland in San Francisco and swissnex San Francisco, together with US, Swiss, and international partners, will hold the Crisis Code: Humanitarian Protection in the Digital Age conference, on 27–28 September, at swissnex San Francisco. The aim of the conference is to collectively examine international humanitarian and human rights laws, standards, and norms in light of new cyber-realities.
Join us also for a session on Preventing Cyber Conflicts: Do We Need a Cyber Treaty?, on 9 November 2017, from 10.00 - 11.45 CET, at the Geneva Internet Platform, WMO building, 2nd floor, 7 bis Avenue de la Paix, Geneva.

Latest updates

3 June 2017: Stateless Attribution: Towards International Accountability in Cyberspace. The study, by Rand Corporation, proposes the establishment of a Global Cyber Attribution Consortium which 'would provide independent investigation of major cyber incidents for the purpose of attribution'. This consortium would be composed of international experts.
14 May 2017: In response to the WannaCry ransomware attack, Microsoft CEO Brad Smith renewed the call for a Digital Geneva Convention.
13 April 2017: Microsoft’s Brad Smith announced three new documents that continue to shape the proposal for a Digital Geneva Convention. The first carries key clauses which should form part of the convention; the second outlines a common set of principles and behaviours for the tech sector to help protect civilians in cyberspace; the third proposes the setting up of an independent attribution organisation to identify wrongdoing.

Microsoft's proposal for a Digital Geneva Convention

Microsoft’s call for a Digital Geneva Convention (February 2017) – which should ‘commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property’ – attracted the attention of the digital policy community. It brought into focus the idea that, in the search for a more secure and stable Internet, Internet companies need to engage with governments and work together on reasonable policy arrangements. The proposal gave rise to many pertinent questions related to the future of digital governance, in particular in the security field. Here, we address some of them.

In April, Microsoft’s Brad Smith announced three new documents that continue to shape the proposal for a Geneva Digital Convention. The first carries key clauses which should form part of the convention; the second outlines a common set of principles and behaviours for the tech sector to help protect civilians in cyberspace; the third proposes the setting up of an independent attribution organisation to identify wrongdoing.

What is the main aim of a Geneva Digital Convention?

The Geneva Digital Convention, proposed by Brad Smith, Microsoft’s President and Chief Legal Officer, aims at creating binding rules out of the voluntary norms on secure cyberspace developed by the UN GGE and regional organisations. Embedded within a convention, these and few other additional norms could become a legal obligation, with the corresponding enforcement mechanisms. According to Microsoft’s proposal, the convention should motivate states to adhere to the agreed norms.

What should a Geneva Digital Convention regulate?

The six principles proposed by Microsoft are typically based in national security, related to both defensive and offensive cyber-operations. They are a mix of policy and legal regimes. Principle 1 could be classified as the ius ad bellum principle, dealing with justification and prevention of conflicts; principles 3, 4, and 5 have a strong cyber-disarmament focus; principles 2 and 6 are applicable both in conflict and peacetime operations.

Moving from the six principles, Microsoft’s arguments shift towards protecting citizens in the case of conflict – which in legal terms is known as ius in bello – or even broadly speaking towards what we might call human cybersecurity. Human security is anchored in the protection of human wellbeing. Since human wellbeing increasingly depends on digital space, the question of human cybersecurity is likely to come more into focus.

If Microsoft’s proposal aims to focus on human cybersecurity, this will bring developmental aspects into discussion – ensuring means for people to achieve cyber wellbeing (access to the Internet, development of local content, etc), as well as human rights issues, including a potential right to safe access to the Internet.

Renewed discussions on state behaviour in cyberspace, in Issue 20 of the Geneva Digital Watch newsletter, April 2017 (pages 1, 6)
Digital Geneva Convention: multilateral treaty, multistakeholder implementation, by Dr Jovan Kurbalija, DiploFoundation & Geneva Internet Platform, February 2017

Google's proposal legal framework for digital security and due process

The Internet industry is under increasing pressure by governments to provide digital information to be used in criminal investigations and anti-terrorist activities. Traditional channels for international cooperation are slow and cumbersome. A regular legal process for obtaining digital evidence via Mutual Legal Assistance Treaties (MLATs) may take at least ten months. To bring the legal system up to speed for the digital era, Google has proposed new norms for providing digital evidence to foreign governments.

Google’s proposal would allow law enforcement to request digital evidence directly from Internet companies, bypassing the need to go through MLAT channels. According to the proposal, this would work only between countries that adhere to privacy, human rights, and due process standards.

The norm-developing role of the Internet industry

Microsoft’s proposal for a Digital Geneva Convention marks a new phase in the Internet industry’s diplomatic efforts. Microsoft is among the few Internet companies that have embraced diplomacy as an approach to shaping global public policies. For example, in 2015, after following closely the diplomatic dialogue shaping norms of state behaviour in cyber-space and confidence-building measures (CBMs), especially within the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) and the Organization for Security and Co-operation in Europe (OSCE), Microsoft proposed a set of cyber-norms for states, which was further updated with the proposal of cyber-norms forthe ICT industry in 2016.

Private sector proposes new cyber norms, in Issue 22 of the Geneva Digital Watch newsletter, June 2017

Explore the issues

Cybersecurity

Cybersecurity is among the main concerns of governments, Internet users, technical and business communities. Cyberthreats and cyberattacks are on the increase, and so is the extent of the financial loss. Read more about Cybersecurity

Cyberconflict

Cyber-attacks can have a background in international relations, or bring about the consequences that can escalate to a political and diplomatic level. An increasing number of states appear to be developing their own cyber-tools for the defense, offence and intelligence related to cyberconflict.
The use of cyber-weapons by states - and, more generally, the behavior of states in cyberspace in relation to maintaining international peace and security - is moving to the top of the international agenda. Read more about Cyberconflict

Global public goods

The concept of global public goods can be linked to many aspects of Internet governance. The most direct connections are found in areas of access to the Internet infrastructure, protection of knowledge developed through Internet interaction, protection of public technical standards, and access to online education. Read more about Global public goods

Other human rights

The human rights basket includes online aspects of freedom of expression, privacy and data protection, rights of people with disabilities and women’s rights online. Yet, other human rights come into place in the realm of digital policy, such as children’s rights, and rights afforded to journalists and the press. The same rights that people have offline must also be protected online is the underlying principle for human rights on the Internet, and has been firmly established by the UN General Assembly and UN Human Rights Council resolutions. Read more about Other human rights

Keep me posted! Sign up for the GIP newsletter for updates, and bookmark this page for the latest analysis and developments.