The Geneva Dialogue on Responsible Behaviour in Cyberspace was launched in 2018 to investigate the roles and responsibilities of different actors – states, civil society, the academic and technical communities, and the private sector – in increasing the security and stability of our online environment. In its first phase the effort resulted in a baseline framework that explored the roles of the various players, specifically calling out the private sector and civil society. The Cybersecurity Tech Accord was called out as one of the normative initiatives contributing to peace and stability online.
Therefore, we are particularly excited to be participating in the second phase of the Dialogue. This second phase focuses on identifying global industry recommendations on best practices to operationalize cybersecurity norms. The Cybersecurity Tech Accord submitted feedback on the initial action plan and a number of our signatories, including ABB, Cisco, FireEye, Microsoft, VU Security and WISEkey, are actively contributing to the ongoing series of online discussions on how the private sector can contribute to increasing international peace and security in cyberspace. Moreover, the Dialogue is a fantastic opportunity to stress and to demonstrate the importance of multistakeholder action in this domain.
The Cybersecurity Tech Accord signatories especially welcomed a window into international cooperation in this space. While the industry wants to participate in the United Nations discussions, its members frequently find it difficult to do so – not solely because the processes are often only open to governmental actors. There is limited awareness of the potential impact of the decisions being made, and more often than not the industry players do not understand the venues or processes – simply because of a lack of resources. Updates on multilateral processes such as the ones offered as part of the Geneva Dialogue represent an important step towards greater inclusion – and as a result, better outcomes – of international negotiations on cybersecurity.
A clear example is the implementation of the norms agreed in the United Nations Group of Governmental Experts’ Consensus Report from 2015. A number of these require action by private sector entities and it was encouraging to hear about how different countries are reaching out to the broader multistakeholder community to understand how best to go about implementation. Coordinated vulnerability disclosure, an issue close to the heart of the Cybersecurity Tech Accord signatories, was discussed at some length in the Geneva Dialogue with companies offering suggestions on how governments can encourage its greater adoption and use. The need for safe harbors for those who find and report vulnerabilities in good faith was particularly underlined.
The norm on ensuring cybersecurity of supply chains through increasing security of technology across the board was also raised. Participants effectively discussed capacity building for the industry – how to share existing good practices around software development and risk management more broadly to ensure that companies with fewer resources, or those whose primary area of expertise is not the online world, are also able to raise their levels of security. The group agreed that a balance needs to be struck between self-regulation, developing and harmonizing cybersecurity standards, and regulation.
The question of how to make sure that balance is appropriate and that the private sector is doing its part to operationalize norms emerged as the million-dollar question. Participants agreed that transparency, trustworthiness, and accountability should represent the guiding principles for the industry, but it quickly became clear that common definitions of these three critical issues will be difficult to achieve. Companies have taken different approaches to demonstrate their commitments to them, for example by interpreting transparency as opening up access to their source code, highlighting the standards used in their business operations, or sharing elements of their security and integrity processes.
The above were only a few of the thorny issues tackled in the Geneva Dialogue webinar series, and nearly all of them need further discussion and debate. Nevertheless, we are hopeful that the discussions alone will spur further thinking and encourage nontraditional players to embark on the path to great cybersecurity. Everything beyond that is a net benefit, and we are therefore grateful to the Swiss government and the DiploFoundation for organizing this set of thought-provoking conversations and are looking forward to their continuation.