New cyber norms to protect cyberspace

In the past two years, the industry has been proposing new cyber norms to protect cyberspace. The industry is increasingly stepping into a norm-developing role, which was previously mainly the ambit of governments. In this space, you can follow the developments on two main proposals: Microsoft's proposed Digital Geneva Convention, and Google's proposed legal framework for digital security and due process.

Quicklinks: Latest updates | Events | Microsoft's proposal | Google's proposal | The industry's role | Explore the issues

Latest updates

  • 17 April 2018: 34 tech companies, including Microsoft, Facebook, LinkedIn, Arm, ABB, Telefonica, Cisco, and Dell among others - have the Cybersecurity Tech Accord, publicly committing to protect and empower civilians online and to improve the security, stability and resilience of cyberspace. The companies committed to four principles: the protection of all of their users and customers everywhere; opposition to cyberattacks on innocent citizens and enterprises from anywhere; helping empower users, customers and developers to strengthen cybersecurity protection; partnering with each other and with like-minded groups to enhance cybersecurity. Signatories of the Accord will define collaborative activities they will undertake to further the Accord and will report publicly on the progress in achieving the goals.
  • 3 June 2017: Stateless Attribution: Towards International Accountability in Cyberspace. The study, by Rand Corporation, proposed the establishment of a Global Cyber Attribution Consortium which 'would provide independent investigation of major cyber incidents for the purpose of attribution'. This consortium would be composed of international experts.
  • 14 May 2017: In response to the WannaCry ransomware attack, Microsoft CEO Brad Smith renewed the call for a Digital Geneva Convention.
  • 13 April 2017: Microsoft’s Brad Smith announced three new documents that continue to shape the proposal for a Digital Geneva Convention. The first carries key clauses which should form part of the convention; the second outlines a common set of principles and behaviours for the tech sector to help protect civilians in cyberspace; the third proposes the setting up of an independent attribution organisation to identify wrongdoing.


Past events and discussion reports:


Microsoft's proposal for a Digital Geneva Convention

Microsoft’s call for a Digital Geneva Convention (February 2017) – which should ‘commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property’ – attracted the attention of the digital policy community. It brought into focus the idea that, in the search for a more secure and stable Internet, Internet companies need to engage with governments and work together on reasonable policy arrangements. The proposal gave rise to many pertinent questions related to the future of digital governance, in particular in the security field. Here, we address some of them.

In April, Microsoft’s Brad Smith announced three new documents that continue to shape the proposal for a Geneva Digital Convention. The first carries key clauses which should form part of the convention; the second outlines a common set of principles and behaviours for the tech sector to help protect civilians in cyberspace; the third proposes the setting up of an independent attribution organisation to identify wrongdoing.

What is the main aim of a Geneva Digital Convention?

The Geneva Digital Convention, proposed by Brad Smith, Microsoft’s President and Chief Legal Officer, aims at creating binding rules out of the voluntary norms on secure cyberspace developed by the UN GGE and regional organisations. Embedded within a convention, these and few other additional norms could become a legal obligation, with the corresponding enforcement mechanisms. According to Microsoft’s proposal, the convention should motivate states to adhere to the agreed norms.

What should a Geneva Digital Convention regulate?

Image credit: Microsoft
The six principles proposed by Microsoft are typically based in national security, related to both defensive and offensive cyber-operations. They are a mix of policy and legal regimes. Principle 1 could be classified as the ius ad bellum principle, dealing with justification and prevention of conflicts; principles 3, 4, and 5 have a strong cyber-disarmament focus; principles 2 and 6 are applicable both in conflict and peacetime operations.
Moving from the six principles, Microsoft’s arguments shift towards protecting citizens in the case of conflict – which in legal terms is known as ius in bello – or even broadly speaking towards what we might call human cybersecurity. Human security is anchored in the protection of human wellbeing. Since human wellbeing increasingly depends on digital space, the question of human cybersecurity is likely to come more into focus.
If Microsoft’s proposal aims to focus on human cybersecurity, this will bring developmental aspects into discussion – ensuring means for people to achieve cyber wellbeing (access to the Internet, development of local content, etc), as well as human rights issues, including a potential right to safe access to the Internet.

Read more:



Google's proposal legal framework for digital security and due process

The Internet industry is under increasing pressure by governments to provide digital information to be used in criminal investigations and anti-terrorist activities. Traditional channels for international cooperation are slow and cumbersome. A regular legal process for obtaining digital evidence via Mutual Legal Assistance Treaties (MLATs) may take at least ten months. To bring the legal system up to speed for the digital era, Google has proposed new norms for providing digital evidence to foreign governments.

Google’s proposal would allow law enforcement to request digital evidence directly from Internet companies, bypassing the need to go through MLAT channels. According to the proposal, this would work only between countries that adhere to privacy, human rights, and due process standards.



The norm-developing role of the Internet industry

Microsoft’s proposal for a Digital Geneva Convention marks a new phase in the Internet industry’s diplomatic efforts. Microsoft is among the few Internet companies that have embraced diplomacy as an approach to shaping global public policies. For example, in 2015, after following closely the diplomatic dialogue shaping norms of state behaviour in cyber-space and confidence-building measures (CBMs), especially within the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) and the Organization for Security and Co-operation in Europe (OSCE), Microsoft proposed a set of cyber-norms for states, which was further updated with the proposal of cyber-norms forthe ICT industry in 2016.

Read more:



Explore the issues


Cybersecurity is among the main concerns of governments, Internet users, technical and business communities. Cyberthreats and cyberattacks are on the increase, and so is the extent of the financial loss. Read more about Cybersecurity


Cyber-attacks can have a background in international relations, or bring about the consequences that can escalate to a political and diplomatic level. An increasing number of states appear to be developing their own cyber-tools for the defense, offence and intelligence related to cyberconflict.
The use of cyber-weapons by states - and, more generally, the behavior of states in cyberspace in relation to maintaining international peace and security - is moving to the top of the international agenda. Read more about Cyberconflict

Global public goods

The concept of global public goods can be linked to many aspects of Internet governance. The most direct connections are found in areas of access to the Internet infrastructure, protection of knowledge developed through Internet interaction, protection of public technical standards, and access to online education. Read more about Global public goods

Other human rights

The human rights basket includes online aspects of freedom of expression, privacy and data protection, rights of people with disabilities and women’s rights online. Yet, other human rights come into place in the realm of digital policy, such as children’s rights, and rights afforded to journalists and the press. The same rights that people have offline must also be protected online is the underlying principle for human rights on the Internet, and has been firmly established by the UN General Assembly and UN Human Rights Council resolutions. Read more about Other human rights


Keep me posted!  Sign up for the GIP newsletter for updates, and bookmark this page for the latest analysis and developments.

Curator: Stephanie Borg Psaila

[Last updated: 24 April 2018]


The GIP Digital Watch observatory is provided by

in partnership with

and members of the GIP Steering Committee


GIP Digital Watch is operated by

Scroll to Top