Industry cyber norms

Microsoft’s call for a Digital Geneva Convention (February 2017) – which should ‘commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property’ – attracted the attention of the digital policy community. It brought into focus the idea that, in the search for a more secure and stable Internet, Internet companies need to engage with governments and work together on reasonable policy arrangements. The proposal gave rise to many pertinent questions related to the future of digital governance, in particular in the security field. Here, we address some of them.

In April 2017, Microsoft’s Brad Smith announced three new documents that continue to shape the proposal for a Digital Geneva Convention. The first carries key clauses which should form part of the convention; the second outlines a common set of principles and behaviours for the tech sector to help protect civilians in cyberspace; the third proposes the setting up of an independent attribution organisation to identify wrongdoing. In May 2017, Smith renewed the call for a Digital Geneva Convention, in response to the WannaCry ransomware attack.

What is the main aim of a Geneva Digital Convention?

What should a Geneva Digital Convention regulate?

The six principles proposed by Microsoft are typically based in national security, related to both defensive and offensive cyber-operations. They are a mix of policy and legal regimes. Principle 1 could be classified as the ius ad bellum principle, dealing with justification and prevention of conflicts; principles 3, 4, and 5 have a strong cyber-disarmament focus; principles 2 and 6 are applicable both in conflict and peacetime operations.

Moving from the six principles, Microsoft’s arguments shift towards protecting citizens in the case of conflict – which in legal terms is known as ius in bello – or even broadly speaking towards what we might call human cybersecurity. Human security is anchored in the protection of human wellbeing. Since human wellbeing increasingly depends on digital space, the question of human cybersecurity is likely to come more into focus.

If Microsoft’s proposal aims to focus on human cybersecurity, this will bring developmental aspects into discussion – ensuring means for people to achieve cyber wellbeing (access to the Internet, development of local content, etc), as well as human rights issues, including a potential right to safe access to the Internet.

In April 2018, 34 tech companies - including Microsoft, Facebook, LinkedIn, Arm, ABB, Telefonica, Cisco, and Dell among others - have agreed on the Cybersecurity Tech Accord, publicly committing to protect and empower all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states, and to improve the security, stability and resilience of cyberspace.

The four principles to which the companies committed, could be summarised as:

• Stronger defence: protecting all of their users and customers everywhere, including through developing products and services that prioritize security, privacy, integrity and reliability;
• No offense: opposing cyberattacks on innocent citizens and enterprises from anywhere, through protecting against tampering with and exploiting possible vulnerabilities in products and services, and not helping governments launch cyberattacks against innocent citizens and enterprises from anywhere;
• Capacity building: helping empower users, customers and developers to strengthen cybersecurity protection, through providing information and tools to address threats, and supporting actors to build cybersecurity capacities;
• Collective action: partnering with each other and with like-minded groups to enhance cybersecurity, to improve technical cooperation, coordinated vulnerability disclosure, and threat and information sharing, minimize the levels of malicious code being introduced into cyberspace, and civilian efforts to respond to and recover from cyberattacks.

Signatories of the Accord will define collaborative activities they will undertake to further the Accord and will report publicly on the progress in achieving the goals.

As of June 2018, 45 companies have signed the Accord. Out of the “big five” companies, Microsoft and Facebook have signed it, while Apple, Amazon and Google have not. Signatories of the “Charter of Trust” have not yet signed the Accord. The list of signatories is available at the bottom of the homepage of the Cybersecurity Tech Accord.

In February 2018, several lead global technology companies - Siemens, IBM, Deutsche Telecom, Airbus and others - have presented their joint Charter of Trust for a Secure Digital World calling for shared ownership of cyber and IT security by various stakeholders, responsibility throughout the supply chain, security by default, education, certification for critical infrastructure and solution, transparency and response, regulatory framework, and joint initiatives.

The 10 principles of the Charter could be summarised as:

1. Ownership of cyber and IT security: Responsibility anchored to the highest governmental and business levels - designated specific ministries and CISO.
2. Responsibility throughout the digital supply chain: Risk-based rules, baseline standards (including identity and access management, encryption, and continuous protection) and protection across all IoT layers in place in companies, and governments if necessary.
3. Security by default: Highest level of security and data protection in-built into the design of products, functionalities, processes, technologies, operations, architectures, and business models.
4. User-centricity: Products, systems, and services as well as guidance provided based on the user’s cybersecurity needs, impacts, and risks. 
5. Innovation and co-creation: Driving and encouraging contractual public-private partnerships to deepen understanding and adapt security practices to new threats.
6. Education: Cybersecurity courses in schools, at universities, within professional education and trainings, introduced to enable transformation of skills and job profiles of the future.
7. Certification for critical infrastructure and solutions: Mandatory independent third-party certification for critical infrastructure and critical IoT solutions established within companies, and governments if necessary.
8. Transparency and response: Industrial cybersecurity network to allow for sharing information on threats and reporting incidents beyond critical infrastructure.
9. Regulatory framework: Multilateral collaboration promoted in regulation and standardisation in line with work of the World Trade Organisation, and cybersecurity rules included into Free Trade Agreements.
10. Joint initiatives: Collaboration through joint initiatives, and with other stakeholders.

The signatories are listed on the Charter website.

At the opening of the annual UN Internet Governance Forum (IGF), held in 2018 at UNESCO premises in Paris, French President Emmanuel Macron launched the “Paris Call for Trust and Security in Cyberspace”, a high-level declaration on developing common principles for securing cyberspace. The Paris Call builds on the WSIS Tunis Agenda’s definition of the ‘respective roles’ of states and other stakeholders. It also resonates with the UN Group of Governmental Experts reaffirmation that international law applies to cyberspace. The declaration invites for support to victims both during peacetime and armed conflict, reaffirms Budapest Convention as the key tool for combating cybercrime, recognises the responsibility of private sector for products security, and calls for broad digital cooperation and capacity-building. It than invites signatories to, among other, prevent damaging general availability or integrity of the public core of the Internet, foreign intervention in electoral processes, ICT-enabled theft of intellectual property for competitive advantage, and non-state actors from ‘hacking-back’.

Paris Call for Trust and Security in Cyberspace outlines 9 key principles for trust and security in cyberspace that are relevant for both states and the private sector:

1. Assisting individuals and infrastructure to prevent and recover from malicious activities;
2. Protecting the public core of the Internet;
3. Defending electoral processes;
4. Preventing theft of intellectual property;
5. Preventing the proliferation of malicious software and practices;
6. Strengthening the security of digital processes, products, and services;
7. Advancing cyber hygiene;
8. Restraining from ‘hacking back’; and
9. Promoting acceptance and implementation of international norms of responsible behaviour.

Paris Call was signed by over dozens of countries and hundreds of businesses and organisations worldwide. The USA, Russia, and China, as well as some of the lead tech companies, are missing.

The Internet industry is under increasing pressure by governments to provide digital information to be used in criminal investigations and anti-terrorist activities. Traditional channels for international cooperation are slow and cumbersome. A regular legal process for obtaining digital evidence via Mutual Legal Assistance Treaties (MLATs) may take at least ten months. To bring the legal system up to speed for the digital era, Google has proposed new norms for providing digital evidence to foreign governments.

Google’s proposal would allow law enforcement to request digital evidence directly from Internet companies, bypassing the need to go through MLAT channels. According to the proposal, this would work only between countries that adhere to privacy, human rights, and due process standards.