The IFSH research focus International Cybersecurity recently held its second interdisciplinary workshop, focusing on which actors and procedures could advance the implementation of the UN norms of responsible state behaviour in cyberspace. The short presentations by Jacqueline Eggenschwiler (University of Oxford), Alexander Klimburg (Global Commission on the Stability of Cyberspace), Sheetal Kumar (Global Partners Digital) and Mischa Hansel (IFSH) shed particular light on the role and competencies of non-state actors. The subsequent discussion was chaired by Marina Favaro (IFSH). More than 50 representatives from academia, business, diplomacy, politics, and media took part in the workshop.
Cyberspace is no longer a rule-less, anarchical space. However, while international agreements exist, implementation is still limited, as recent international cyber incidents have shown. This is especially true of the UN norms of responsible state behaviour, which were reaffirmed and further clarified yet again this year. Several countries have already proposed a Programme of Action (PoA) to accelerate implementation, but other actors also have to be considered. Contributions during the workshop made it clear that civil society actors have a key role to play, as does the private sector. Transnational companies or research institutes have often set their own priorities and thus influenced the international agenda even in the early phase of norm development. The development and enforcement of technical standards, for example in the area of secure digital supply chains, not only supports but often provides the basis for norm implementation.
Although a multistakeholder approach has a better prospect of succeeding, constructive cooperation between state and non-state actors is not always a given. At the international level, sporadic consultations, as in the course of the last Open-Ended Working Group (OEWG), are not enough, as several participants emphasised. Instead, non-state actors need to be fully informed and given the opportunity to provide substantive input on a regular basis. It is equally important to ensure that civil society actors in particular are involved in shaping cyber strategies that conform to norms at the national level. The expertise of non-state actors is also indispensable with regard to the development of indicators and monitoring, both of which are possible focal points within the framework of a PoA. Numerous instruments and best practices have already been tested in recent years and should now be referred to in the implementation phase of the UN cyber norms.
Elsewhere, the challenge is rather to maintain autonomous spaces for non-governmental cooperation and not to politicise their activities. In this context, the practical and cross-border cooperation of Computer Emergency Response Teams (CERTs) was mentioned, as were the various responsible vulnerability disclosure processes used by security researchers. Both these areas are also addressed in the UN norms catalogue. However, recent regulatory approaches, such as restricting participation in international competitions or in bug bounty programmes, fuel concerns about nationalisation tendencies. At the very least, these endeavours contradict the spirit of the UN norms. Another risk is that non-governmental norm-building and implementation approaches are instrumentalised and reinterpreted by state actors, a topic discussed using the example of protecting the public core of the internet.
Yet counteracting the tendency towards political appropriation is not enough. The panellists also emphasised that awareness of the UN cyber norms as a legitimate global orientation framework has to be raised. This is especially true within industry and the technical community, where in some cases these norms are completely unheard of. Here, too, the multistakeholder approach provides a useful guideline for raising awareness and offering opportunities for participation on a voluntary basis.