Toward Norms in Cyberspace: Recent Progress and Challenges
Recent efforts to set norms of behaviour in cyberspace are promising but will prove challenging. Canada can and should play a leading role in shaping these norms.
The development and spread of the internet have led to vast socio-economic improvements and opportunities that are having an increasingly critical impact on the lives of billions of people across the globe. Indeed, since it became publicly available in 1991, the internet has become an essential part of our daily existence. But misuse and malicious behaviour have led to firm calls by governments, international organisations, law enforcement agencies and the public to better govern this decentralised and widely distributed space. Furthermore, given our increasing reliance on the internet, conflict in cyberspace could potentially cause major economic and social disruption, and possibly lead to human casualties.
Some multilateral action to address gaps in cybersecurity and to improve internet governance was announced late last year in France, during the so-called “Paris Digital Week,” a series of conferences focused on digital issues. Specifically, the French government identified the following three questions as central: how to govern the latest digital technologies; the impact of technological transformation on the relationship between state and citizen; and how to deliver public services in the digital age. Chief among the conferences was the 13th Internet Governance Forum (IGF), an annual UN-backed event that brings together a wide range of stakeholders in global internet governance to discuss public policy issues. The IGF is one of the few forums where state and non-state internet stakeholders are able to interact freely and on the same level. Yet the IGF is not a decision-making body, and problems remain around how to transfer conclusions from the IGF into inter-governmental processes.
Internet governance refers to the management of the world’s internet resources. According to UNESCO, it is the development of “shared principles, norms, rules, decision-making procedures, and activities that shape the evolution and use of the Internet” – by diverse stakeholders and parties. This year’s IGF brought together almost 3000 participants from 143 countries to discuss widespread issues through 171 different workshops and sessions. Discussion themes were as wide-ranging as cybersecurity, gender and youth, accessibility and inclusion, human rights, and technical topics, among others. The conference was marked by an opening speech by French President Emmanuel Macron, who stressed the importance of continuing to develop the opportunities offered by the internet, while also calling for stronger international efforts to prevent its malicious use.
At the IGF, Macron launched the Paris Call for Trust and Security in Cyberspace. The Paris Call is a high-level nonbinding declaration aimed at developing common cyberspace security principles. It has already received the support of over 50 states, including Canada, and hundreds of organisations, civil society groups, and major firms. Macron labeled the Paris Call “the first declaration to call on states, international organisations, NGOs, businesses, local authorities and local actors to work together to uphold international law in cyberspace, protect rights online, fight against destabilising activities and ensure the security of digital products.”
Macron stressed the importance of quality of information for the protection of democracy, arguing that regulation is necessary for assuring trust, security and stability – as well as for preventing the fracturing of the internet. Such regulation would include guidelines to prevent harmful, criminal and deceptive content, as well as the enhancement of data protection and citizen rights. Macron believes that two types of internet have emerged: a ‘Californian’ model dominated by strong, global private firms who self-manage their services; and a ‘Chinese’ model whereby the government firmly monitors and controls information and data.
For Macron, neither of these models is truly democratic. Regulation by governments––acting together with civil society and other internet stakeholders––is his preferred way forward. However, while this “third way” is noble and largely sensible, such regulation could be seen as a classic response to compensate for a lack of domestic innovation and private sector tech success in Europe.
Macron also pushed for global standards, fairer ways of taxing tech giants, and international collaboration on artificial intelligence (AI) development, all while stressing the importance of continuing to create economic value through the internet. The Paris Call further reaffirms the applicability of international law and international human rights law to cyberspace, strengthens calls against aggressive and destabilising behaviour, and calls for the acceptance of norms for responsible behaviour in cyberspace.
Also at the IGF, the Global Commission on the Stability of Cyberspace (GCSC) presented its new norms package, which proposes six new global norms of behaviour for both state and non-state actors. The GCSC is an independent group of experts from around the world that has sought to develop universally accepted norms to help promote international security and stability in cyberspace, and to thus also help set international due diligence principles in cyberspace. In the context of stability in cyberspace, due diligence refers to a general duty for states to mitigate or prevent cyber operations that might have a detrimental impact on the rights of other states.
In 2017, the GCSC announced a norm on “non-interference with the public core” of the internet. The term “public core” was accompanied by a specific definition, to be used instead of the more vague term “critical infrastructure.” Definitions of what constitute “critical infrastructure” differ among states, leading to difficulties in agreeing to meaningful red lines on targeting such infrastructure. The “public core” of the internet refers only to internet communications infrastructure, instead of the widespread public services usually included in the “critical infrastructure” definition. After a year of further deliberation, the six new global norms presented at the IGF included:
- Norm to avoid tampering [during product development and production];
- Norm against commandeering of Information and Communication Technology (ICT) devices into botnets;
- Norm for states to create a vulnerabilities equities process;
- Norm to reduce and mitigate significant vulnerabilities;
- Norm on basic cyber hygiene as foundational defence; and
- Norm against offensive cyber operations by non-state actors.
The norms package is designed to be a living document, open to change, and one that various stakeholders across the world can get behind. In a bid to avoid political disputes, the norms are minimalistic yet carefully thought-out. They aim to create a centre of gravity around which other rules can grow. Discussing the norms, GCSC commissioner Bill Woodcock stressed their universal nature, explaining that in creating them, he felt as if he were “documenting the shared understanding of most of the world.” Recognising the difficulties around norms adoption when pushed from the top down, the GCSC sought to reflect preexisting best practices in private industry, civil society and individual states. It calls this a “bottom-up to top-down” approach.
Remaining apolitical in the norms process was challenging, especially given the putative global fragmenting of the internet governance debate into the ‘free internet’ versus ‘cyber sovereignty’ blocs, as Macron spoke to. But in the GCSC process, this was addressed through digging deeper to focus instead on common interests, abilities, and infrastructure – rather than on values and beliefs.
The GCSC norms are meant to work hand-in-hand with other norms processes for securing and stabilising cyberspace. One such initiative is the Microsoft-led Cyber Tech Accord, a public commitment between over 60 global firms to improve the security, stability and resilience of cyberspace. Microsoft has generally been at the forefront of cybersecurity norms action, calling in early 2017 for a ‘Digital Geneva Convention’ focused on binding rules for state conduct in cyberspace.
The most prominent norms process aimed at state behaviour and use of ICT is that of the UN Group of Governmental Experts (GGE). Canada has played and continues to play an important role in the GGE, which works to promote peace and stability in state use of Information and Communication Technology (ICT). The group has issued consensus reports in 2010, 2013 and 2015, all jointly agreed upon by representatives of different member states involved in the process. The GGE, which failed to reach a consensus in 2017, may now see a revival – albeit one as politically divided as ever. In early November 2018, two separate resolutions were approved in the UN: one US-led, pushing for a new GGE, and one Russian-led, calling for an open-ended working group (OEWG) on rules, norms and responsible state behaviour. As argued in a Council on Foreign Relations piece, the difference is significant; while GGEs are time-constrained and have a small membership, OEWGs can include all UN members and are open-ended. Russia’s proposal would likely delay meaningful action by hampering efforts to reach consensus.
Unsurprisingly, Canada voted for the US proposal. While Canada remains hopeful that the GGE process will move forward, the government stated in a joint declaration that November’s approval of two parallel processes is “to the potential detriment of respect for international law and the established global norms in cyberspace.” Canada has been represented at the previous UN GGE efforts and sees a lot of value in the GGE-driven work, maintaining that international law, international humanitarian law, and human rights must all apply in cyberspace.
Yet norms and their adoption are generally complicated, and especially so in cyberspace. Just a few months after states agreed––at the 2015 UN GGE––to an international norm of state behaviour specifically condemning attacks against critical infrastructure, the first known successful cyberattacks on a power grid cut off electricity to 225,000 people in several Ukrainian towns and cities at the height of winter, and were widely attributed to Russia.
Problems surrounding norms adoption in cyberspace are not limited to malicious actors. Countries like the United States and Israel, neither of which signed the Paris Call, have legitimate concerns around any agreement that might limit certain types of action––such as espionage or sabotage––especially given that such activity might contribute to their security or help give them an edge in future conflict. It is hard to predict where technology and cyber defence thinking will be even five years from now; committing to avoid the use of certain techniques may be unwise in such a fast-changing and uncertain domain. Democratic countries tend also to be more burdened than their authoritarian counterparts by accountability to their commitments; while North Korea and Iran might flout international norms to which they have agreed, it is much more difficult for the United States or Canada to do so. Given the June 19 passing in the House of Commons of Bill C-59, which would authorise Canada’s Communications Security Establishment to engage in “active cyber operations” (read: offensive cyber operations), Canada must carefully consider what kind of behaviour it will agree to limit in cyberspace.
Effective ‘cyber’ norms are further limited by the expansive nature of cyberspace itself. Norms work may be most realistic when targeting subsets of issues in cyberspace, for example the Budapest Convention on cybercrime, or the Tallinn Manual process of NATO’s Cooperative Cyber Defence Centre of Excellence, which deals with the applicability of international law to cyberwarfare. Other subset areas of norms in cyberspace might include surveillance, data, and perhaps also civilian cybersecurity – the latter referring to much of the already established grassroots cooperation and work between Computer Emergency Response Teams (CERTs) and other technical cybersecurity or internet actors.
Disagreement as seen at the UN may actually reduce the likelihood of norms adoption. Thus effective action may have to come from smaller groups, such as NATO, or be embedded in different types of bilateral or multilateral agreements such as trade deals – as Peter Cowhey and Jonathan Aronson argue in their recent book Digital DNA: Disruption and the Challenges for Global Governance. Ultimately, though, norms are only as good as their enforcement, and how to enforce them remains a major challenge.
Regardless of how norms creation will play out in cyberspace, Canada has a major role to play in this effort. Achieving truly global norms will be difficult if led by the United States, whose credibility is hampered both by the legacy of the Snowden revelations (which revealed the massive reach of US global surveillance through cyberspace), and by shifting political trends to inwardness. China’s authoritarian internet model prevents it from taking the lead. Yet Canada’s normative record provides an important source of legitimacy for driving global consensus building. Canada should work on this together with the EU which, like Canada, is respected both as an exporter of norms and as a force for upholding the rule of law in international relations.
As a major economic power with an advanced technological base coupled with international recognition as a fair global actor, Canada should continue its legacy of strengthening and upgrading the multilateral and rules-based international order. Laying out an international strategy for cyberspace, as the US did already in 2011, would be a good start. For this, the GCSC norms could provide valuable inspiration. Global Affairs Canada, which has opened a small section focused on cyber foreign policy, should publicly outline a Canadian approach to maintaining a stable and peaceful cyberspace in line with our values, including our engagement with partners across the globe. Indeed, Canada should steadfastly keep itself at the forefront of any norms processes for the internet and cyberspace. Failure to do so may result in damaging consequences for liberal democracies and the values we cherish.
Josh Gold is on the executive of the CIC’s Toronto Branch and is a student at the University of Toronto. His bachelor’s thesis examined Estonia’s strategic use of cybersecurity. In summer 2018 he interned at the NATO Cooperative Cyber Defence Centre of Excellence. He is currently working on a policy paper examining how Canada fits within international cyberspace governance.