New cyber norms to protect cyberspace

In the past two years, the industry has been proposing new cyber norms to protect cyberspace. The industry is increasingly stepping into a norm-developing role, which was previously mainly the ambit of governments. In this space, you can follow the developments on main proposals: Microsoft's proposed Digital Geneva Convention, Cybersecurity Tech Accord, Charter of Trust for a Secure Digital World, and Google's proposed legal framework for digital security and due process.

Events

Past events and discussion reports:

20 December 2017: The Open Forum discussion on Geneva's Platform for Global Digital Governance, during the 2017 Internet Governance Forum, saw the launch of the Geneva Initiative on Capacity Development in Digital Policy, which promotes innovative capacity development solutions to embrace digital opportunities and mitigate the risks. Learn more.
9 November 2017: In 'Current Internet governance challenges: What's next', which took place in Geneva, Microsoft President Brad Smith discussed the necessity and importance of Internet technologies to implement the 17 SDGs, and reiterateed his call for a Digital Geneva Convention. The discussion with Brad Smith was preceded by a session on Preventing Cyber Conflicts: Do We Need a Cyber Treaty?, organised at the Geneva Internet Platform in Geneva.
27-28 September 2017: The Consulate General of Switzerland in San Francisco and swissnex San Francisco, together with US, Swiss, and international partners, organised Crisis Code: Humanitarian Protection in the Digital Age conference, at swissnex San Francisco. The aim of the conference was to collectively examine international humanitarian and human rights laws, standards, and norms in light of new cyber-realities.

Microsoft's proposal for a Digital Geneva Convention

Microsoft’s call for a Digital Geneva Convention (February 2017) – which should ‘commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property’ – attracted the attention of the digital policy community. It brought into focus the idea that, in the search for a more secure and stable Internet, Internet companies need to engage with governments and work together on reasonable policy arrangements. The proposal gave rise to many pertinent questions related to the future of digital governance, in particular in the security field. Here, we address some of them.

In April 2017, Microsoft’s Brad Smith announced three new documents that continue to shape the proposal for a Digital Geneva Convention. The first carries key clauses which should form part of the convention; the second outlines a common set of principles and behaviours for the tech sector to help protect civilians in cyberspace; the third proposes the setting up of an independent attribution organisation to identify wrongdoing. In May 2017, Smith renewed the call for a Digital Geneva Convention, in response to the WannaCry ransomware attack.

What is the main aim of a Geneva Digital Convention?

The Geneva Digital Convention, proposed by Brad Smith, Microsoft’s President and Chief Legal Officer, aims at creating binding rules out of the voluntary norms on secure cyberspace developed by the UN GGE and regional organisations. Embedded within a convention, these and few other additional norms could become a legal obligation, with the corresponding enforcement mechanisms. According to Microsoft’s proposal, the convention should motivate states to adhere to the agreed norms.

What should a Geneva Digital Convention regulate?

Image credit: Microsoft

The six principles proposed by Microsoft are typically based in national security, related to both defensive and offensive cyber-operations. They are a mix of policy and legal regimes. Principle 1 could be classified as the ius ad bellum principle, dealing with justification and prevention of conflicts; principles 3, 4, and 5 have a strong cyber-disarmament focus; principles 2 and 6 are applicable both in conflict and peacetime operations.

Moving from the six principles, Microsoft’s arguments shift towards protecting citizens in the case of conflict – which in legal terms is known as ius in bello – or even broadly speaking towards what we might call human cybersecurity. Human security is anchored in the protection of human wellbeing. Since human wellbeing increasingly depends on digital space, the question of human cybersecurity is likely to come more into focus.

If Microsoft’s proposal aims to focus on human cybersecurity, this will bring developmental aspects into discussion – ensuring means for people to achieve cyber wellbeing (access to the Internet, development of local content, etc), as well as human rights issues, including a potential right to safe access to the Internet.

Renewed discussions on state behaviour in cyberspace, in Issue 20 of the Geneva Digital Watch newsletter, April 2017 (pages 1, 6)
Digital Geneva Convention: multilateral treaty, multistakeholder implementation, by Dr Jovan Kurbalija, DiploFoundation & Geneva Internet Platform, February 2017

Cybersecurity Tech Accord

In April 2018, 34 tech companies - including Microsoft, Facebook, LinkedIn, Arm, ABB, Telefonica, Cisco, and Dell among others - have agreed on the Cybersecurity Tech Accord, publicly committing to protect and empower all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states, and to improve the security, stability and resilience of cyberspace.

The four principles to which the companies committed, could be summarised as:

Stronger defence: protecting all of their users and customers everywhere, including through developing products and services that prioritize security, privacy, integrity and reliability;
No offense: opposing cyberattacks on innocent citizens and enterprises from anywhere, through protecting against tampering with and exploiting possible vulnerabilities in products and services, and not helping governments launch cyberattacks against innocent citizens and enterprises from anywhere;
Capacity building: helping empower users, customers and developers to strengthen cybersecurity protection, through providing information and tools to address threats, and supporting actors to build cybersecurity capacities;
Collective action: partnering with each other and with like-minded groups to enhance cybersecurity, to improve technical cooperation, coordinated vulnerability disclosure, and threat and information sharing, minimize the levels of malicious code being introduced into cyberspace, and civilian efforts to respond to and recover from cyberattacks.

Signatories of the Accord will define collaborative activities they will undertake to further the Accord and will report publicly on the progress in achieving the goals.

As of June 2018, 45 companies have signed the Accord. Out of the “big five” companies, Microsoft and Facebook have signed it, while Apple, Amazon and Google have not. Signatories of the “Charter of Trust” have not yet signed the Accord. The list of signatories is available at the bottom of the homepage of the Cybersecurity Tech Accord.

Charter of Trust for a Secure Digital World

In February 2018, several lead global technology companies - Siemens, IBM, Deutsche Telecom, Airbus and others - have presented their joint Charter of Trust for a Secure Digital World calling for shared ownership of cyber and IT security by various stakeholders, responsibility throughout the supply chain, security by default, education, certification for critical infrastructure and solution, transparency and response, regulatory framework, and joint initiatives.

The 10 principles of the Charter could be summarised as:

Ownership of cyber and IT security: Responsibility anchored to the highest governmental and business levels - designated specific ministries and CISO.
Responsibility throughout the digital supply chain: Risk-based rules, baseline standards (including identity and access management, encryption, and continuous protection) and protection across all IoT layers in place in companies, and governments if necessary.
Security by default: Highest level of security and data protection in-built into the design of products, functionalities, processes, technologies, operations, architectures, and business models.
User-centricity: Products, systems, and services as well as guidance provided based on the user’s cybersecurity needs, impacts, and risks.
Innovation and co-creation: Driving and encouraging contractual public-private partnerships to deepen understanding and adapt security practices to new threats.
Education: Cybersecurity courses in schools, at universities, within professional education and trainings, introduced to enable transformation of skills and job profiles of the future.
Certification for critical infrastructure and solutions: Mandatory independent third-party certification for critical infrastructure and critical IoT solutions established within companies, and governments if necessary.
Transparency and response: Industrial cybersecurity network to allow for sharing information on threats and reporting incidents beyond critical infrastructure.
Regulatory framework: Multilateral collaboration promoted in regulation and standardisation in line with work of the World Trade Organisation, and cybersecurity rules included into Free Trade Agreements.
Joint initiatives: Collaboration through joint initiatives, and with other stakeholders.

The nine signatories are listed in the Charter document.

Google's proposal legal framework for digital security and due process

The Internet industry is under increasing pressure by governments to provide digital information to be used in criminal investigations and anti-terrorist activities. Traditional channels for international cooperation are slow and cumbersome. A regular legal process for obtaining digital evidence via Mutual Legal Assistance Treaties (MLATs) may take at least ten months. To bring the legal system up to speed for the digital era, Google has proposed new norms for providing digital evidence to foreign governments.

Google’s proposal would allow law enforcement to request digital evidence directly from Internet companies, bypassing the need to go through MLAT channels. According to the proposal, this would work only between countries that adhere to privacy, human rights, and due process standards.

Resources

Digital Watch trend page on the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE)
Private sector proposes new cyber norms, in Issue 22 of the Geneva Digital Watch newsletter (June 2017)
Stateless Attribution: Towards International Accountability in Cyberspace. The study, by Rand Corporation, proposed the establishment of a Global Cyber Attribution Consortium which 'would provide independent investigation of major cyber incidents for the purpose of attribution'. This consortium would be composed of international experts. (June 2017)

Explore the issues

Cybersecurity

Cybersecurity is among the main concerns of governments, Internet users, technical and business communities. Cyberthreats and cyberattacks are on the increase, and so is the extent of the financial loss. Read more about Cybersecurity

Cyberconflict

Cyber-attacks can have a background in international relations, or bring about the consequences that can escalate to a political and diplomatic level. An increasing number of states appear to be developing their own cyber-tools for the defense, offence and intelligence related to cyberconflict.
The use of cyber-weapons by states - and, more generally, the behavior of states in cyberspace in relation to maintaining international peace and security - is moving to the top of the international agenda. Read more about Cyberconflict

Global public goods

The concept of global public goods can be linked to many aspects of Internet governance. The most direct connections are found in areas of access to the Internet infrastructure, protection of knowledge developed through Internet interaction, protection of public technical standards, and access to online education. Read more about Global public goods

Other human rights

The human rights basket includes online aspects of freedom of expression, privacy and data protection, rights of people with disabilities and women’s rights online. Yet, other human rights come into place in the realm of digital policy, such as children’s rights, and rights afforded to journalists and the press. The same rights that people have offline must also be protected online is the underlying principle for human rights on the Internet, and has been firmly established by the UN General Assembly and UN Human Rights Council resolutions. Read more about Other human rights

Keep me posted! Sign up for the GIP newsletter for updates, and bookmark this page for the latest analysis and developments.

Curator: Stephanie Borg Psaila

[Last updated: 24 April 2018]