The Cybersecurity Tech Accord response to a call for contributions from Best Practices Forum working group on ‘Cybersecurity Culture, Norms and Values’

Cybersecurity is as pressing an issue for international relations as it is for domestic policymaking. While no comprehensive statistics are available, it seems overwhelmingly clear that recent years have seen a dramatic increase in both domestic and transnational cybercrime, as well as an escalation in what can be described as cyber-skirmishes between state or state-sponsored actors. The Cybersecurity Tech Accord signatories are therefore delighted that the Internet Governance Forum’s (IGF) Best Practice Forum on Cybersecurity (BPF) has continued to build on its work from previous years by conducting invaluable research into initiatives dealing with the international aspects of cybersecurity.

This year’s BPF is focused on mapping existing international cybersecurity agreements, and the steps being taken by supporters to follow through on them. We believe that the attempt to map the most impactful initiatives is very valuable, and find that the analysis conducted so far provides an interesting overview of both the work on issues related to cybercrime and to international peace and stability. In our response to the Call for Contributions, the Cybersecurity Tech Accord highlights a few more examples that could be considered by the working group. Having said that, there is still much to be done, if – as indicated by the BPF’s website – the focus going forward is to be on the implementation and operationalization of these initiatives.

First and foremost, we recommend that the BPF refrains from analyzing and comparing the different initiatives only through the prism of government agreement and action. Industry and the technical expert community have a critical role to play in securing our online environment, sometimes as individual entities, sometimes in partnerships within the industry, and more often than not together with governments and civil society. The initiatives should be analyzed through the different perspectives brought forward by all of these entities.

Secondly, and in line with that, the initiatives identified differ substantially in their objectives, as well as in their ability to compel compliance. Some represent voluntary action by a particular stakeholder group, for example the Cybersecurity Tech Accord, whilst others represent a commitment amongst multiple stakeholders, such as the Paris Call for Trust and Security. Finally, some are solely government driven, for example the Network and Information Security Directive. This latter category is accompanied by national rules, regulations and deadlines for implementation, which makes it inherently a different animal from what we traditionally understand to be non-binding norms of behavior for cyberspace.

Finally, it is not surprising that, as a result of these differences, the elements that the BPF seeks to compare and contrast vary as well. We note that most of the identified elements come from the peace and stability section, and we welcome that. We also hope that this will continue to be the focus for the group going forward. However, even with that in mind, we believe the comparison would benefit from an analytical structure to help differentiate – and not conflate – the different terms that are being discussed. We propose one such approach in the document.

Our full response is available here and we remain available for any further comment or clarification. We look forward to the BPF’s final report this fall, as well as the presentation of its work during the IGF meeting in Berlin this November.