Multistakeholder initiatives on cyber norms
In recent years, the role of industry in shaping cyber norms has continued to grow. What was once primarily the responsibility of governments has increasingly become a shared space, with companies actively contributing to discussions on responsible behaviour in cyberspace. Among the most prominent initiatives are Microsoft’s call for a Digital Geneva Convention, the Cybersecurity Tech Accord, the Charter of Trust for a Secure Digital World, and the Geneva Dialogue. These efforts illustrate how the private sector is not only implementing norms but also helping to define them.
Microsoft's proposal for a Digital Geneva Convention
Microsoft’s call for a Digital Geneva Convention (February 2017) – which should ‘commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property’ – attracted the attention of the digital policy community. It brought into focus the idea that, in the search for a more secure and stable Internet, Internet companies need to engage with governments and work together on reasonable policy arrangements. The proposal gave rise to many pertinent questions related to the future of digital governance, in particular in the security field. Here, we address some of them.
In April 2017, Microsoft’s Brad Smith announced three new documents that continue to shape the proposal for a Digital Geneva Convention. The first carries key clauses which should form part of the convention; the second outlines a common set of principles and behaviours for the tech sector to help protect civilians in cyberspace; the third proposes the setting up of an independent attribution organisation to identify wrongdoing. In May 2017, Smith renewed the call for a Digital Geneva Convention, in response to the WannaCry ransomware attack.
What is the main aim of a Geneva Digital Convention?
What should a Geneva Digital Convention regulate?
The six principles proposed by Microsoft are typically based in national security, related to both defensive and offensive cyber-operations. They are a mix of policy and legal regimes. Principle 1 could be classified as the ius ad bellum principle, dealing with justification and prevention of conflicts; principles 3, 4, and 5 have a strong cyber-disarmament focus; principles 2 and 6 are applicable both in conflict and peacetime operations.
Moving from the six principles, Microsoft’s arguments shift towards protecting citizens in the case of conflict – which in legal terms is known as ius in bello – or even broadly speaking towards what we might call human cybersecurity. Human security is anchored in the protection of human wellbeing. Since human wellbeing increasingly depends on digital space, the question of human cybersecurity is likely to come more into focus.
If Microsoft’s proposal aims to focus on human cybersecurity, this will bring developmental aspects into discussion – ensuring means for people to achieve cyber wellbeing (access to the Internet, development of local content, etc.), as well as human rights issues, including a potential right to safe access to the Internet.
Cybersecurity Tech Accord
In April 2018, 34 tech companies - including Microsoft, Facebook, LinkedIn, Arm, ABB, Telefonica, Cisco, and Dell, among others - agreed on the Cybersecurity Tech Accord, publicly committing to protect and empower all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states, and to improve the security, stability and resilience of cyberspace.
The four principles to which the companies committed could be summarised as:
- Stronger defence: protecting all of their users and customers everywhere, including through developing products and services that prioritize security, privacy, integrity and reliability;
- No offense: opposing cyberattacks on innocent citizens and enterprises from anywhere, through protecting against tampering with and exploiting possible vulnerabilities in products and services, and not helping governments launch cyberattacks against innocent citizens and enterprises from anywhere;
- Capacity building: helping empower users, customers and developers to strengthen cybersecurity protection, through providing information and tools to address threats, and supporting actors to build cybersecurity capacities;
- Collective action: partnering with each other and with like-minded groups to enhance cybersecurity, to improve technical cooperation, coordinated vulnerability disclosure, and threat and information sharing, to minimize the levels of malicious code being introduced into cyberspace, and to encourage civilian efforts to respond to and recover from cyberattacks.
Signatories of the Accord will define collaborative activities they will undertake to further the Accord and will report publicly on the progress in achieving the goals.
As of June 2018, 45 companies have signed the Accord. Out of the “big five” companies, Microsoft and Facebook have signed it, while Apple, Amazon and Google have not. Signatories of the “Charter of Trust” have not yet signed the Accord. The list of signatories is available at the bottom of the homepage of the Cybersecurity Tech Accord.
Charter of Trust for a Secure Digital World
In February 2018, several leading global technology companies - Siemens, IBM, Deutsche Telekom, Airbus and others - presented their joint Charter of Trust for a Secure Digital World, calling for shared ownership of cyber and IT security by various stakeholders, responsibility throughout the supply chain, security by default, education, certification for critical infrastructure and solutions, transparency and response, a regulatory framework, and joint initiatives.
The 10 principles of the Charter could be summarised as:
- Ownership of cyber and IT security: Responsibility anchored at the highest governmental and business levels - designated specific ministries and CISOs.
- Responsibility throughout the digital supply chain: Risk-based rules, baseline standards (including identity and access management, encryption, and continuous protection) and protection across all IoT layers in place in companies, and governments if necessary.
- Security by default: Highest level of security and data protection in-built into the design of products, functionalities, processes, technologies, operations, architectures, and business models.
- User-centricity: Products, systems, and services as well as guidance provided based on the user’s cybersecurity needs, impacts, and risks.
- Innovation and co-creation: Driving and encouraging contractual public-private partnerships to deepen understanding and adapt security practices to new threats.
- Education: Cybersecurity courses in schools, at universities, within professional education and trainings, introduced to enable transformation of skills and job profiles of the future.
- Certification for critical infrastructure and solutions: Mandatory independent third-party certification for critical infrastructure and critical IoT solutions established within companies, and governments if necessary.
- Transparency and response: Industrial cybersecurity network to allow for sharing information on threats and reporting incidents beyond critical infrastructure.
- Regulatory framework: Multilateral collaboration promoted in regulation and standardisation in line with the work of the World Trade Organisation, and cybersecurity rules included in Free Trade Agreements.
- Joint initiatives: Collaboration through joint initiatives, and with other stakeholders.
The signatories are listed on the Charter website.
Paris Call for Trust and Security in Cyberspace
At the opening of the annual UN Internet Governance Forum (IGF), held in 2018 at UNESCO premises in Paris, French President Emmanuel Macron launched the “Paris Call for Trust and Security in Cyberspace”, a high-level declaration on developing common principles for securing cyberspace. The Paris Call builds on the WSIS Tunis Agenda’s definition of the ‘respective roles’ of states and other stakeholders. It also resonates with the UN Group of Governmental Experts’ reaffirmation that international law applies to cyberspace. The declaration calls for support to victims both during peacetime and armed conflict, reaffirms the Budapest Convention as the key tool for combating cybercrime, recognises the responsibility of the private sector for product security, and calls for broad digital cooperation and capacity-building. It then invites signatories to, among other things, prevent damage to the general availability or integrity of the public core of the Internet, foreign intervention in electoral processes, ICT-enabled theft of intellectual property for competitive advantage, and ‘hacking back’ by non-state actors.
The Paris Call for Trust and Security in Cyberspace outlines 9 key principles for trust and security in cyberspace that are relevant for both states and the private sector:
- Assisting individuals and infrastructure to prevent and recover from malicious activities;
- Protecting the public core of the Internet;
- Defending electoral processes;
- Preventing theft of intellectual property;
- Preventing the proliferation of malicious software and practices;
- Strengthening the security of digital processes, products, and services;
- Advancing cyber hygiene;
- Refraining from ‘hacking back’; and
- Promoting acceptance and implementation of international norms of responsible behaviour.
The Paris Call was signed by dozens of countries and hundreds of businesses and organisations worldwide. The USA, Russia, and China, as well as some of the leading tech companies, are missing.
Google's proposed legal framework for digital security and due process
The Internet industry is under increasing pressure by governments to provide digital information to be used in criminal investigations and anti-terrorist activities. Traditional channels for international cooperation are slow and cumbersome. A regular legal process for obtaining digital evidence via Mutual Legal Assistance Treaties (MLATs) may take at least ten months. To bring the legal system up to speed for the digital era, Google has proposed new norms for providing digital evidence to foreign governments.
Google’s proposal would allow law enforcement to request digital evidence directly from Internet companies, bypassing the need to go through MLAT channels. According to the proposal, this would work only between countries that adhere to privacy, human rights, and due process standards.
Geneva Dialogue on Responsible Behaviour in Cyberspace
The Geneva Dialogue on Responsible Behaviour in Cyberspace is a global, multistakeholder process that brings together various actors to advance the implementation of agreed cyber norms. Initiated in 2018, led by the Swiss Federal Department of Foreign Affairs, and implemented by DiploFoundation with the support of several partners, the Dialogue provides a platform where diverse actors can exchange perspectives and build shared understanding on how international norms can be translated into practical measures.
A particular focus of the Dialogue is on the roles and responsibilities of the private sector and other non-state stakeholders in supporting international peace and security in cyberspace. Through research, expert consultations, and scenario-based exercises, the process explores how companies and organisations can contribute to reducing risks, protecting critical infrastructure, and fostering trust.
Practically, the Geneva Dialogue organises regular consultations to document stakeholder agreements and disagreements on the interpretation and implementation of the agreed norms, while gathering best practices that can inspire the international community. These findings are published in the Geneva Manual on Responsible Behaviour in Cyberspace, which serves as a reference tool for practitioners. The first chapter of the Manual focused on agreed norms related to ICT supply chain security and the responsible reporting of ICT vulnerabilities, offering concrete insights into how these commitments can be operationalised.
In its next phase (2024–2025), the Geneva Dialogue is analysing the implementation of agreed cyber norms and confidence-building measures (CBMs) related to critical infrastructure protection (CIP). The second chapter, focusing on the CIP-related norms and CBMs, was announced in 2025.
By connecting policy discussions at the United Nations with concrete practices on the ground, the Geneva Dialogue strengthens the global framework for responsible state behaviour in cyberspace. Its inclusive approach seeks to bridge gaps between different communities, promote cooperation, and provide practical guidance on implementing norms in a rapidly evolving digital environment.
Pall Mall Process
The Pall Mall Process is an international, multi-stakeholder initiative, launched by France and the United Kingdom, to address the proliferation and irresponsible use of commercial cyber intrusion capabilities, including by cyber mercenaries. Grounded in the Pall Mall Declaration—a non-binding framework built on four pillars: accountability, precision, oversight and transparency—the process promotes cooperation among governments, industry and civil society to advance responsible practices and norms for the development and use of these tools.
On 3–4 April 2025, France and the United Kingdom convened the second Pall Mall Process Conference in Paris, which brought together 45 States and international organisations, alongside a broad coalition of representatives from the private sector, civil society and academia. At this conference, participating actors adopted a Code of Practice, already endorsed by 25 States, to establish voluntary political commitments and practical recommendations to address the challenge. Unique in its content, form and breadth of support, the Code reflects a shared understanding of the threat, reaffirms the relevance of existing international legal and normative frameworks, and sets out practical measures across different political levers.
By contributing to the implementation of the United Nations framework on responsible State behaviour in cyberspace and the principles of the Paris Call for Trust and Security in Cyberspace, the Pall Mall Process strengthens collective efforts to foster accountability and stability. Taking an inclusive approach, it will continue to disseminate good practices widely and track progress on their implementation.