New cyber norms to protect cyberspace

Events

Past events and discussion reports:

• 20 December 2017: The Open Forum discussion on Geneva's Platform for Global Digital Governance, during the 2017 Internet Governance Forum, saw the launch of the Geneva Initiative on Capacity Development in Digital Policy, which promotes innovative capacity development solutions to embrace digital opportunities and mitigate the risks. Learn more.
• 9 November 2017: In 'Current Internet governance challenges: What's next', which took place in Geneva, Microsoft President Brad Smith discussed the necessity and importance of Internet technologies to implement the 17 SDGs, and reiterateed his call for a Digital Geneva Convention. The discussion with Brad Smith was preceded by a session on Preventing Cyber Conflicts: Do We Need a Cyber Treaty?, organised at the Geneva Internet Platform in Geneva.
• 27-28 September 2017: The Consulate General of Switzerland in San Francisco and swissnex San Francisco, together with US, Swiss, and international partners, organised Crisis Code: Humanitarian Protection in the Digital Age conference, at swissnex San Francisco. The aim of the conference was to collectively examine international humanitarian and human rights laws, standards, and norms in light of new cyber-realities.

What is the main aim of a Geneva Digital Convention?

What should a Geneva Digital Convention regulate?

Image credit: Microsoft

The six principles proposed by Microsoft are typically based in national security, related to both defensive and offensive cyber-operations. They are a mix of policy and legal regimes. Principle 1 could be classified as the ius ad bellum principle, dealing with justification and prevention of conflicts; principles 3, 4, and 5 have a strong cyber-disarmament focus; principles 2 and 6 are applicable both in conflict and peacetime operations.

Read more:

• Renewed discussions on state behaviour in cyberspace, in Issue 20 of the Geneva Digital Watch newsletter, April 2017 (pages 1, 6)
• Digital Geneva Convention: multilateral treaty, multistakeholder implementation, by Dr Jovan Kurbalija, DiploFoundation & Geneva Internet Platform, February 2017

Cybersecurity Tech Accord

In April 2018, 34 tech companies - including Microsoft, Facebook, LinkedIn, Arm, ABB, Telefonica, Cisco, and Dell among others - have agreed on the Cybersecurity Tech Accord, publicly committing to protect and empower all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states, and to improve the security, stability and resilience of cyberspace.

The four principles to which the companies committed, could be summarised as:

• Stronger defence: protecting all of their users and customers everywhere, including through developing products and services that prioritize security, privacy, integrity and reliability;
• No offense: opposing cyberattacks on innocent citizens and enterprises from anywhere, through protecting against tampering with and exploiting possible vulnerabilities in products and services, and not helping governments launch cyberattacks against innocent citizens and enterprises from anywhere;
• Capacity building: helping empower users, customers and developers to strengthen cybersecurity protection, through providing information and tools to address threats, and supporting actors to build cybersecurity capacities;
• Collective action: partnering with each other and with like-minded groups to enhance cybersecurity, to improve technical cooperation, coordinated vulnerability disclosure, and threat and information sharing, minimize the levels of malicious code being introduced into cyberspace, and civilian efforts to respond to and recover from cyberattacks.

Signatories of the Accord will define collaborative activities they will undertake to further the Accord and will report publicly on the progress in achieving the goals.

As of June 2018, 45 companies have signed the Accord. Out of the “big five” companies, Microsoft and Facebook have signed it, while Apple, Amazon and Google have not. Signatories of the “Charter of Trust” have not yet signed the Accord. The list of signatories is available at the bottom of the homepage of the Cybersecurity Tech Accord.

Charter of Trust for a Secure Digital World

In February 2018, several lead global technology companies - Siemens, IBM, Deutsche Telecom, Airbus and others - have presented their joint Charter of Trust for a Secure Digital World calling for shared ownership of cyber and IT security by various stakeholders, responsibility throughout the supply chain, security by default, education, certification for critical infrastructure and solution, transparency and response, regulatory framework, and joint initiatives.

The 10 principles of the Charter could be summarised as:

1. Ownership of cyber and IT security: Responsibility anchored to the highest governmental and business levels - designated specific ministries and CISO.
2. Responsibility throughout the digital supply chain: Risk-based rules, baseline standards (including identity and access management, encryption, and continuous protection) and protection across all IoT layers in place in companies, and governments if necessary.
3. Security by default: Highest level of security and data protection in-built into the design of products, functionalities, processes, technologies, operations, architectures, and business models.
4. User-centricity: Products, systems, and services as well as guidance provided based on the user’s cybersecurity needs, impacts, and risks. 
5. Innovation and co-creation: Driving and encouraging contractual public-private partnerships to deepen understanding and adapt security practices to new threats.
6. Education: Cybersecurity courses in schools, at universities, within professional education and trainings, introduced to enable transformation of skills and job profiles of the future.
7. Certification for critical infrastructure and solutions: Mandatory independent third-party certification for critical infrastructure and critical IoT solutions established within companies, and governments if necessary.
8. Transparency and response: Industrial cybersecurity network to allow for sharing information on threats and reporting incidents beyond critical infrastructure.
9. Regulatory framework: Multilateral collaboration promoted in regulation and standardisation in line with work of the World Trade Organisation, and cybersecurity rules included into Free Trade Agreements.
10. Joint initiatives: Collaboration through joint initiatives, and with other stakeholders.

The nine signatories are listed in the Charter document.