A digital Geneva Convention to protect cyberspace (WS34)

19 Dec 2017 10:45h - 12:15h

Event report

[Read more session reports and live updates from the 12th Internet Governance Forum]

The moderator, Mr Duncan Hollis, Professor of Law at Temple Law School, explained the workshop would concentrate on the context of the proposal of the Digital Geneva Convention (DGC). He asked participants to raise their hands if they feel cybersecurity is doing great – nobody did. Clearly, he said, everyone in the room agrees that the current state is not secure and ways to change this need to be thought of.

Mr Paul Nicholas, Senior Director for Microsoft’s Trustworthy Computing, said that multistakeholders have contributed in advancing ideas, opportunity and innovation. There is a need for a strategic cybersecurity framework to protect people in times of peace. Attacks in the last years have been different and we have to recognise that governments do not actually do cyber defence sufficiently. More than 30 governments have offensive capabilities, and while they need twentieth century capabilities, cyberspace is not a physical territory. Nations do not control it. There is a lack of public private dialogue in this and this is a risk. Microsoft came up with the proposal for the DGC, with the objective to start the dialogue.

Mr Ben Hiller, Cybersecurity Officer at OSCE, alerted that at times when international law and norms are being broken, we are almost using customary law. Investments in cyber capabilities will continue. It validates what Microsoft is trying to do, and looking at whether we need a more legally binding rule in the future.

Dr Konstantinos Komaitis, Director of Public Policy at the Internet Society, stressed that for the past two years, cybersecurity conversations have come more to the forefront. Governments often speak behind closed doors and other stakeholders are asked to follow what they decide. It would be a step backwards according to him not to include other stakeholders in this discussion. Currently governmental processes do not seem to work, as we have seen on the example of the UN GGE.

In the discussion among panellists, Ms Marília Maciel, Digital Policy Senior Researcher, DiploFoundation, called for more evidence-based research to map the capabilities. She highlighted the work of her organisation, DiploFoundation which developed a map of countries that have cyber capabilities of offensive nature. Nicholas was wondering whether we should sometimes try things. It is better to learn about these things now, he claimed, rather than in the times of a crisis. Komaitis stressed that application of international law clearly has challenges, but reminded there are valid questions that remain such as what constitutes a cyber attack. Cyber operations in crises have to obey the international humanitarian law so it is not true that there would be a total vacuum. Ms Elina Noor, Director of Foreign Policy and Security Studies at the Institute of Strategic and International Studies in Malaysia, stressed there is a need for rules, power and values. It is, however, not clear, whose rules we are talking about. She provided perspective from South East Asia and stressed that while we often hear how democratic ideals should be preserved, in her region, various government systems or ideals are present and this question is complicated, whether we like it or not.

Ms Yvette Issar, researcher at the University of Geneva, where she studies norms by non-state actors in particular, called on more research, not only on the capabilities and gaps but also on who should be involved and how. There are important ownership questions and ownership of norms which brings the issue of their adherence. There are different levels and different actors. While this is a big challenge there are examples in two fields we should look into, arms control and disarmament treaties, and business and human rights multistakeholder initiatives. Beyond multilateral agreements, bilateral and regional agreements, as well as soft law, have a crucial role.

Remote moderator Mr Vladimir Radunovic, Director of Cybersecurity at DiploFoundation, brought questions from remote participants. One wondered whether DGC is not rather like a disarmament treaty of the 1920s which are hard to monitor and easy to evade, using a hashtag #DidntStopHitler. Dr Tobias Feakin, Australian Ambassador for cyber affairs, stressed that we should not forget some successes of the UN GGE. Nations are not trying to shy away from the agreements on norms reached. Mr Richard Hill reminded of the international telecommunication regulations at the ITU, which would be a good space for the dialogue if states agree. The IFRC could provide another interesting example. An unintroduced participant posed a question on what is Microsoft doing in weaknesses of its own products. Nicholas responded that if you build a product that goes under systematic targeting, you would never have a perfect product.

Maciel further stressed that we should avoid falling to the notion of good and evil. Different actors need to take responsibility. Private companies need to take responsibilities too.

By Tereza Horejsova