Home / Blogs

Taking a Multi-Stakeholder Look at Cyber Norms

Maarten Van Horenbeeck

Recently we've seen several examples of likely state-sponsored security incidents of which the appropriateness was later strongly debated. Incidents such as states impacting commercial enterprises during cyber attacks; purported sabotage of critical infrastructure, and attacks on civilian activists have all, to a greater or lesser degree, led to concerns being raised by both civilian watchdog groups, academics, technologists and governments.

International "hard" law has often been slow to respond to these new challenges, and for various technical reasons, including the difficulty of attribution in cyberspace, has not always been able to successfully drive change. However, alternate mechanisms for addressing some of these challenges has been developing. Recently, several bodies, including the UN Government Group of Experts (UNGGE), the Global Commission on Cyberspace (GCSC) and Microsoft identified and published rules of the road, or acceptable behaviors in cyberspace, so-called "cyber norms".

Social scientist Katzenstein defined norms in 1996 as "collective expectations for the proper behavior of actors with a given identity". In an internet that is managed by a wide variety of stakeholders, and where there is no central authority, these types of rules can help us all work together more cooperatively, and most of all, reduce uncertainty in how we work together.

Much of this development has historically happened in closed, single stakeholder groups, and often the fruits of their labor were invisible to all but a few experts and specialists focused on the area. For instance, when in 2015 the UNGGE published a norm stating "states should not conduct or knowingly support activity to harm the information systems of another state's emergency response teams (CERT/CSIRTS)", the existence of this norm was not widely known to many incident responders from the incident response community, such as in the Forum of Incident Response and Security Teams (FIRST).

Earlier this year, the Internet Governance Forum, a multi-stakeholder policy forum which was conceived in 2005 as an outcome of the World Summit on the Information Society, decided to focus its Best Practices Forum (BPF) on Cybersecurity on the multi-stakeholder investigation of cyber norms. The BPFs have been introduced as an intersessional activity of the IGF since 2014, dealing with a wide range of issues which are perceived as valuable by its multi-stakeholder group of participants such as Internet Exchange Points (IXPs), IPv6, local content or unsolicited communication (spam) and CERT/CSIRT. In 2017, the BPF on Cybersecurity collected policy best practices that can help drive the sustainable development goals.

To start its work, the Best Practices Forum has recently published a background paper, with a variety of contributors from civil society, academia, private sector and the technical community, on cyber norms. It explores the wide variety of norms development bodies, including those which may not be considered when norms are only considered to cover state behaviors, such as the Internet Society's Mutually Agreed Norms for Routing Security and civil society groups such as the Electronic Frontier Foundation and Article 19's Manila Principles. It acknowledges that norms may arise between various stakeholder groups, and apply to actions in cyberspace by others than states.

The paper also explores proposals and suggestions to put norms into practice, and actually ensure they become more widely entrenched in the international community. Finally, it investigates the risks of a "digital security divide", where specific internet users may be less protected overall, by being in a minority group not well covered by a norm, or resident in a country where a particular norm may not be fully implemented.

Following to the background paper, the BPF has now called for wider input from the community on the topic, focusing on the key questions of how international communities have seen a "culture of cybersecurity" develop, and asking for examples of norms that have worked well, and those which have not. This input will be used to help create a final outcome document, which will drive discussion at the IGF's 13th Annual Meeting at the UNESCO headquarters in Paris, from 12th to November 14th 2018. If you have experience or thoughts on the direction cyber norms should take, we invite you to contribute by sending your response to our Call for Contributions to bpf-cybersecurity-contribution@intgovforum.org by September 15th.

By Maarten Van Horenbeeck, Lead Expert to the Best Practices Forum on Cybersecurity Maarten is Board Member and former Chairman of the Forum of Incident Response and Security Teams (FIRST). He also works as Chief Information Security Officer for Zendesk. Visit Page
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

One thing: there seems to be a Todd Knarr  –  Aug 27, 2018 11:13 AM PDT

One thing: there seems to be a conflation in practice between what stakeholder groups want to be the norms vs. what the norms actually are. Per Katzenstein's definition the 1995 UNGGE "norm" wouldn't have been a norm. It was what the UNGGE _wanted_ to be the norm, but it wasn't what collectively was the norm. I like to distinguish between the two cases, using "proposed norm" for a suggestion as to what the norm should be and reserving "norm" for the actual widely-accepted normal behavior.

Follow-up on proposed norms Maarten Van Horenbeeck  –  Aug 29, 2018 2:16 PM PDT

Hi Todd,

Thank you for your comment. This is a very important distinction, and I'm happy you decided to share this comment. There is definitely a distinction between those who consider norms as "having to be proposed" and implemented/integrated, versus the more conventional view of norms as "rules of the road" that are mostly confirmed when behaviors that violate them are actively contested. In the case of the UNGGE, you have a little bit of a middle ground as they actually took into account the views of a number of governments whom all agreed in consensus on the appropriateness of a set of behaviors, and the behaviors mostly reflect actions of governments.

I'd definitely invite you to give the set of questions in our Call for Contributions some thought and send this and any other feedback you may have to bpf-cybersecurity-contribution@intgovforum.org. We're excited to learn of your views.

Cheers,
Maarten

To post comments, please login or create an account.

Related

Topics

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byAfilias

DNS Security

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign

IP Addressing

Sponsored byAvenue4 LLC