The Operationalization of Norms and Principles on Cybersecurity

By Maarten Van Horenbeeck

With two simultaneous processes getting underway in the UN General Assembly's First Committee, the UN Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG) on Cybersecurity, and several technology and multi-stakeholder initiatives pushing cybersecurity improvement, the world of cyber norms has become both more interesting and more complicated. Interesting, because a wider set of voices has the ability to share their views on processes that work to improve cybersecurity at a global level — and more complicated, as the concept of a norm has slowly been eroded by the fact that less agreement exists on a wider variety of ideas.

The IGF Best Practices Forum (BPF) on Cybersecurity is a multistakeholder group focusing on identifying best practices in cybersecurity. From 2016 to 2018, the group focused on identifying the roles and responsibilities of individual stakeholder groups in cybersecurity, and it investigated the development of culture, norms and values in cybersecurity.

This year, the BPF has continued this work by identifying best practices related to implementation of the different elements (e.g., principles, policy approaches) contained within various international agreements and initiatives on cybersecurity. It has seen widespread support from a group of volunteers, including technical community members and engineers, legal scholars, and experienced human rights and cybersecurity professionals.

Earlier this summer, the group published a research paper identifying a wide set of relevant initiatives and agreements, while looking to identify overlapping elements. For instance, the group reviewed whether support for a technical process (e.g., responsible or coordinated vulnerability disclosure), or for a more abstract principle (e.g., the applicability of international law), is encoded in many of these documents.

The review took a wide look, covering inter-state agreements such as the Budapest Convention, intra-industry agreements such as the Tech Accord, and multi-stakeholder forums such as the Paris Call for Trust and Security in Cyberspace.

Agreements were included based on the following rough criteria:

In total, this initial review looked at 19 documented agreements, both global and regional.

The goal of this work is to identify best practices around the implementation of many of these principles. If a concept is widely supported, and signatories to these agreements have a wide set of experiences around the implementation of that concept, sharing this knowledge and experience will allow its implementation to cascade. This facilitates adoption by other parties and, as a result, advances the overall cybersecurity goals behind the agreement.

Following publication of our background paper, the BPF has now called for wider input from the community on the topic, focusing on the key questions of what best practices exist related to the implementation, operationalization and support of principles, norms and policy approaches of these international agreements. Organizations and individuals involved in either the development of these agreements, or the implementation of any of their concepts, are invited to share their experiences.

This input will be used to help create a final outcome document, which will drive discussion at the IGF's 14th Annual Meeting in Berlin from November 25th to 29th of 2019. We invite you to contribute by sending your response to our Call for Contributions to by September 20th.

By Maarten Van Horenbeeck, Lead Expert to the Best Practices Forum on Cybersecurity. Maarten is Board Member and former Chairman of the Forum of Incident Response and Security Teams (FIRST). He also works as Chief Information Security Officer for Zendesk.
