The Cybersecurity Tech Accord response to a call for contributions from Best Practices Forum working group on ‘Cybersecurity Culture, Norms and Values’

Cybersecurity is as pressing an issue for international relations as it is for domestic policymaking. While no comprehensive statistics are available, it seems overwhelmingly clear that recent years have seen a dramatic increase in both domestic and transnational cybercrime, as well an escalation in what can be described as cyber-skirmishes between state or state-sponsored actors. The Cybersecurity Tech Accord signatories are therefore delighted that the Internet Governance Forum’s (IGF) Best Practice forum on Cybersecurity (BPF) has continued to build on its work from previous years by conducting invaluable research into initiatives dealing with the international aspects of cybersecurity.

This year’s BPF is focused on mapping existing international cybersecurity agreements, and the steps being taken by supporters to follow through on them. We believe that the attempt to map the most impactful initiatives is very valuable, and find that the analysis conducted so far provides an interesting overview of both the work on issues related to cybercrime and to international peace and stability. In our response to the Call for Contributions, the Cybersecurity Tech Accord highlights a few more examples that could be considered by the working group. Having said that, there is still much to be done, if – as indicated by the BPF’s website – the focus going forward is to be on the implementation and operationalization of these initiatives.

First and foremost, we recommend that the BPF refrains from analyzing and comparing the different initiatives only through the prism of government agreement and action. Industry and the technical expert community have a critical role to play in securing our online environment, sometimes as individual entities, sometimes in partnerships within the industry, and more often than not together with governments and civil society. The initiatives should be analyzed through the different perspectives brought forward by  all of these entities.

Secondly, and in line with that, the initiatives identified differ substantially in their objectives, as well as ability to compel compliance. Some represent voluntary action by a particular stakeholder group, for example the Cybersecurity Tech Accord, whilst others represent a commitment amongst multiple stakeholders, such as the Paris Call for Trust and Security. Finally, some are solely government driven, for example the Network and Information Security Directive. This latter category is accompanied by national rules, regulations and deadlines for implementation, which makes them inherently a different animal from what we traditionally understand to be non-binding norms of behavior for cyberspace.

Finally, it is not surprising that as a result of these differences, the elements that the BPF seeks to compare and contrast, vary as well. We note that most of the identified elements come from the peace and stability section, and we welcome that. We also hope that this will continue to be the focus for the group going forward. However, even with that in mind, we believe the comparison would benefit from an analytical structure to help differentiate – and not conflate – the different terms that are being discussed. We propose one such approach in the document.

Our full response is available here and we remain available for any further comment or clarification. We look forward to the BPF’s final report this fall, as well as the presentation of its work during the IGF meeting in Berlin this November.

Read more about "The Cybersecurity Tech Accord response to a call for contributions from Best Practices Forum working group on ‘Cybersecurity Culture, Norms and Values’"

Response to GCSC’s request for input on the ‘Norm Package Singapore’

The Cybersecurity Tech Accord signatories welcome the work of the Global Commission on the Stability of Cyberspace on promoting awareness and understanding of issues related to international cybersecurity, peace and stability, and in this context the Singapore norms package. We share the Commission’s concern that an increasing number of nations see cyberspace as an unconstrained area of conflict. Indeed, in recent years, malicious actors with motives that range from criminal to geopolitical have inflicted economic harm, put human lives at risk, and undermined the trust that is essential to an open, free, and secure internet. We have seen attacks on the availability, confidentiality, and integrity of data, products, services, and networks that have demonstrated the need for constant vigilance, collective action, and a renewed commitment to cybersecurity.

Read more about "Response to GCSC’s request for input on the ‘Norm Package Singapore’"

Response to the UN High Level Panel on Digital Cooperation

Digital technology powers every aspect of business, society and our individual lives: from improving education and healthcare to advancing agriculture, from creating jobs to enhancing environmental sustainability. It keeps us informed, connected, entertained and inspired; opening the doors to an ever-bigger world of opportunity. The creation of the UN Secretary-General’s High-Level Panel on Digital Cooperation (“the Panel”) earlier this year marked an important moment, as it recognized the criticality of technology to the realization of the 2030 Agenda for Sustainable Development.

Read more about "Response to the UN High Level Panel on Digital Cooperation"

Policy position on Vulnerability Equities Process (VEP)

Modern warfare has moved online and the “fifth domain” of cyberspace is today a battlefield in its own right. But in many ways that is where the similarities to other domains end, as cyberweapons and the techniques used to develop and employ them are meaningfully distinct from the conventional weapons of modern warfare. To create a cyberweapon, governments and sophisticated threat attackers exploit unintentional weaknesses or “vulnerabilities” found in mass-market hardware and software products or services and apply techniques developed to exploit those weaknesses. The damaging effects of the resulting cyberweapons – especially when mishandled – can extend far beyond an intended target, potentially impacting millions of innocent users around the world.

Read more about "Policy position on Vulnerability Equities Process (VEP)"

Policy position on WHOIS

One of the essential functions of the Internet Corporation for Assigned Names and Numbers(ICANN) is to oversee domain names. In line with this objective, its WHOIS protocol has been used for over two decades to record and display the contact details of domain name registrants. In addition, the registered contacts in WHOIS provide clear point of contacts for Certification Authorities (CAs) to seek authorization when issuing SSL certificates. This WHOIS data provides much needed transparency online and as such protects users, customers and the Internet ecosystem as a whole.

Read more about "Policy position on WHOIS"