Preventing Cyber Conflicts: Do We Need a Cyber Treaty?

13 Nov 2017


Geneva, Switzerland

Event report

The third session of the Geneva Digital Talks (GDT) ‘Preventing Cyber Conflicts: Do We Need a Cyber Treaty?’ was also part of the Geneva Peace Week  – a collective action initiative facilitated by the United Nations Office at Geneva (UNOG), the Graduate Institute of International and Development Studies (IHEID), and the Geneva Peacebuilding Platform, in collaboration with the Swiss Confederation.

Dr Jovan Kurbalija, Director of DiploFoundation and Head of the Geneva Internet Platform, welcomed the audience by contextualising the discussion: this event built upon Microsoft president Brad Smith’s call for a Digital Geneva Convention ‘to implement international rules to protect the civilian use of the Internet’.

Dr Eneken Tikk, Senior Advisor at ICT4Peace, launched the panel discussion by stressing that facing existing cybersecurity challenges requires most importantly a mentality shift: technological, legal, and political solutions are ineffective if we fail to keep in mind that such solutions also affect society: ‘peace cannot be indoctrinated but it needs to be discussed as a mentality, as a climate’ – she stated. She further considered that the nature of a possible agreement on cyberconflict needs to be specified. According to her, the discussion should first consider that ‘convention’ as a concept does not simply designate a treaty among states parties, but rather it encompasses a social dimension because after all, it is a social contract. In other words, ‘Do we need a convention? Yes. ‘Do we need a treaty? Not sure’, she affirmed. She further considered that the need for a binding legal agreement depends mostly on whether the existing legal framework is lacking in addressing the issue at stake. The answer to this question requires a cyberconvention feasibility study considering, firstly, the kind of methodology to be chosen (either qualitative or quantitative approach – or both – when current norms are inapplicable) and, secondly, a multidisciplinary approach looking at the different aspects at stake from different points of view (e.g. legal, technical, political) in order to avoid ‘silos-thinking’.

Ms Anne-Marie Buzatu, Deputy Head of the Public-Private Partnerships Division at the Geneva Centre for the Democratic Control of Armed Forces (DCAF) stressed the importance of a multistakeholder approach to the drafting of the convention. As an example, she referred to the Montreaux Document on Private Military and Security Companies signed in 2008 by over 70 countries, upholding the respect of international humanitarian law and human rights law whenever private military and security companies (PMSCs) are present in armed conflicts. Although non-binding, the document is the result of a multistakeholder effort that produced an accountability mechanism through a certification and monitoring process for PMSCs vis-à-vis their relation with governments. She concluded that applied to cyber governance, the ‘Montreaux approach’ would result in ensuring an effective control of all actors involved, i.e. giving governments, information and communications technology (ICT) companies, and users, an equal seat at the discussion table in order to develop codes of conduct and mutual legal assistance agreements.

Dr Richard Hill, independent consultant, concluded the session by considering the vulnerability of the existing computer software used by governments in order to fight terrorism. He warned against the stockpiling of the so-called ‘zero-day exploit’ vulnerabilities by governments, i.e. the time between the discovery of a breach and when it is fixed. For example, the WannaCry ransomware attack originated from leaked NSA stockpile. Hill welcomed Microsoft’s proposal on the grounds that it calls for governments to take action in order to address vulnerabilities and externalities. Joining the previous speakers, Hill praised the need for an agreement but highlighted that this does not necessary entail the need of a new text, because such a convention could be seen as a complement to the existing International Code of Communication of the International Telecommunication Union.