Last minute geek

last minute tech news from around the net

Tuesday, Apr 23rd

Last update04:31:00 AM

You are here: English CircleID Taking a Multi-Stakeholder Look at Cyber Norms

Taking a Multi-Stakeholder Look at Cyber Norms

User Rating: / 0

Recently we've seen several examples of likely state-sponsored security incidents of which the appropriateness was later strongly debated. Incidents such as states impacting commercial enterprises during cyber attacks; purported sabotage of critical infrastructure, and attacks on civilian activists have all, to a greater or lesser degree, led to concerns being raised by both civilian watchdog groups, academics, technologists and governments.

International "hard" law has often been slow to respond to these new challenges, and for various technical reasons, including the difficulty of attribution in cyberspace, has not always been able to successfully drive change. However, alternate mechanisms for addressing some of these challenges has been developing. Recently, several bodies, including the UN Government Group of Experts (UNGGE), the Global Commission on Cyberspace (GCSC) and Microsoft identified and published rules of the road, or acceptable behaviors in cyberspace, so-called "cyber norms".

Social scientist Katzenstein defined norms in 1996 as "collective expectations for the proper behavior of actors with a given identity". In an internet that is managed by a wide variety of stakeholders, and where there is no central authority, these types of rules can help us all work together more cooperatively, and most of all, reduce uncertainty in how we work together.

Much of this development has historically happened in closed, single stakeholder groups, and often the fruits of their labor were invisible to all but a few experts and specialists focused on the area. For instance, when in 1995 the UNGGE published a norm stating "states should not conduct or knowingly support activity to harm the information systems of another state's emergency response teams (CERT/CSIRTS)", the existence of this norm was not widely known to many incident responders from the incident response community, such as in the Forum of Incident Response and Security Teams (FIRST).

Earlier this year, the Internet Governance Forum, a multi-stakeholder policy forum which was conceived in 2005 as an outcome of the World Summit on the Information Society, decided to focus its Best Practices Forum (BPF) on Cybersecurity on the multi-stakeholder investigation of cyber norms. The BPFs have been introduced as an intersessional activity of the IGF since 2014, dealing with a wide range of issues which are perceived as valuable by its multi-stakeholder group of participants such as Internet Exchange Points (IXPs), IPv6, local content or unsolicited communication (spam) and CERT/CSIRT. In 2017, the BPF on Cybersecurity collected policy best practices that can help drive the sustainable development goals.

To start its work, the Best Practices Forum has recently published a background paper, with a variety of contributors from civil society, academia, private sector and the technical community, on cyber norms. It explores the wide variety of norms development bodies, including those which may not be considered when norms are only considered to cover state behaviors, such as the Internet Society's Mutually Agreed Norms for Routing Security and civil society groups such as the Electronic Frontier Foundation and Article 19's Manila Principles. It acknowledges that norms may arise between various stakeholder groups, and apply to actions in cyberspace by others than states.

The paper also explores proposals and suggestions to put norms into practice, and actually ensure they become more widely entrenched in the international community. Finally, it investigates the risks of a "digital security divide", where specific internet users may be less protected overall, by being in a minority group not well covered by a norm, or resident in a country where a particular norm may not be fully implemented.

Following to the background paper, the BPF has now called for wider input from the community on the topic, focusing on the key questions of how international communities have seen a "culture of cybersecurity" develop, and asking for examples of norms that have worked well, and those which have not. This input will be used to help create a final outcome document, which will drive discussion at the IGF's 13th Annual Meeting at the UNESCO headquarters in Paris, from 12th to November 14th 2018. If you have experience or thoughts on the direction cyber norms should take, we invite you to contribute by sending your response to our Call for Contributions to This e-mail address is being protected from spambots. You need JavaScript enabled to view it by September 15th.

Written by Maarten Van Horenbeeck, Lead Expert to the Best Practices Forum on Cybersecurity

Follow CircleID on Twitter

More under: Cybersecurity, Internet Governance, Policy & Regulation

Read all
Comment Policy:
We pre-moderate any comments and welcome all kinds of thoughts, supportive, dissenting, critical or otherwise. We delete or censor comments that are:

* abusive
* off-topic
* contain personal attacks, or against any company or organization
* promote hate of any kind
* use excessively foul language
* is blatantly spam or advertising

We do not discriminate based on the person who is posting, and we never censor comments for political or ideological reasons. We never delete an appropriate comment because we disagree with its viewpoint or ideology, and we never publish an inappropriate comment because we agree with or support its viewpoint or ideology.

Attention spammers: we manually approve all comments. Spamming and blatant advertising will NOT be published on this site and is deleted immediately, you've been warned, do not waste your time here.

Add comment

Security code