At the opening of the annual UN Internet Governance Forum (IGF), held on 12–14 November 2018 at UNESCO in Paris, French President Emmanuel Macron launched the Paris Call for Trust and Security in Cyberspace, a high-level declaration laying out common principles for securing cyberspace.
The Paris Call builds on the World Summit on the Information Society (WSIS) Tunis Agenda’s definition of the ‘respective roles’ of states and other stakeholders. It also builds on the UN Group of Governmental Experts’ (GGE) reaffirmation that international law applies to cyberspace. The declaration invites support for victims of cybercrime, both in times of peace and of armed conflict; reaffirms the Budapest Convention as a key tool for combating cybercrime; recognises the responsibilities of the private sector for digital products security; and calls for broad digital cooperation and capacity-building. It then invites signatories to, among other actions, engage in preventative measures to safeguard against damage to the general availability or integrity of the public core of the Internet, foreign intervention in electoral processes, ICT-enabled theft of intellectual property for competitive advantage, and non-state actors ‘hacking-back’.
The Paris Call has strong initial support from hundreds of signatories, including leading tech companies and many governments. Yet, the USA, Russia, and China are missing from the roll. The declaration and its impact will be revisited at the Paris Peace Forum (PPF) in 2019, as well as the 2019 Internet Governance Forum (IGF) in Berlin.
Stepping back to survey the growing cybersecurity table, there is a veritable ‘meze’ platter of initiatives and forums cluttering its surface: the UN-based GGE and now, possibly, a new open-ended group; the Global Commission on the Stability of Cyberspace (GCSC); the Geneva Dialogue on Responsible Behaviour in Cyberspace; the Global Forum on Cyber Expertise (GFCE); and more. While some of these elements individually pair well with others and some do not, presented together and consumed in balanced moderation, they represent a satisfying meal. The Paris Call is yet another ‘dish’ added to this platter. What is Macron’s secret recipe for its success in the meze? And will it be equally appetising – and consumable – to everyone?
According to Macron, the Paris Call’s added value to the meze is its response to two growing risks: the potential for cybersecurity measures leading to fragmentation of the Internet and the potential for democratic countries to block digital content in an effort to protect the network.
The Paris Call draws upon and reinforces definitions and measures outlined in other dishes within the meze. These include the WSIS Tunis Agenda’s use of ‘in their respective roles’ to delineate the responsibility of various actors for improving trust, security, and stability of cyberspace, and the UN High-Level Panel on Digital Cooperation’s support for broad digital cooperation. With regard to the UN GGE, the declaration draws upon the UN GGE Reports’ reaffirmation of the applicability of international law and human rights instruments to cyberspace. Beyond the Reports, the Paris Call also uniquely affirms that international humanitarian law and customary international law apply. The declaration also reinforces the 2015 UN GGE Report’s emphasis on the importance of confidence-building measures and norms in peacetime.
Reaffirming select existing processes, the Paris Call condemns ‘significant, indiscriminate or systemic harm’ of cyber-attacks and calls for prevention of harm to individuals and critical infrastructure in peacetime, placing an emphasis on peacetime rules. Placing additional emphasis on the protection of victims of cybercrime and of civilians – and thus on international humanitarian law – the declaration invites support for victims both in times of peace and of armed conflict. The declaration also points to the Budapest Convention as a key tool for combating cybercrime. Echoing the 2015 UN GGE Report, it also calls for coordinated vulnerability disclosure and prevention of the proliferation of malicious ICT tools. Finally, the declaration outlines its support for capacity-building; underscores the importance of a multistakeholder approach to cybersecurity, which resonates well with the GFCE’s role as a global multistakeholder platform for capacity-building in cybersecurity; and indicates support for the creation (though without mentioning the implementation) of new cybersecurity standards.
The declaration also issues a series of specific calls. Among these is a call to strengthen the security of digital products, alongside recognition of key private sector actors’ responsibilities in this regard. While the 2015 UN GGE Report addresses supply chain protection, the Paris Call established a clear trend in explicitly pointing to the role and responsibilities of the private sector. The declaration further calls for strengthening of general cyber-hygiene, which also emphasises the role of average users and, more broadly, civil society. In doing so, it links back somewhat to discussions surrounding the Geneva Dialogue, as well as GCSC-proposed norms.
In a series focused on preventative measures, the declaration calls for prevention of damage to the general availability or integrity of the ‘public core’ of the Internet. This also recalls GCSC-proposed norms, as the GCSC has previously defined the ‘public core’ of the Internet. Interestingly, the declaration does not invite preservation of confidentiality, which is the first of the ‘CIA’ triad of fundamental parameters of information security, followed by availability and integrity. The declaration also calls for prevention of foreign intervention in electoral processes, again recalling GCSC-proposed norms; prevention of ICT-enabled theft of intellectual property for competitive advantage, which, though not in the UN GGE Reports, is already floating on various agendas and was agreed upon within G20, select bilateral agreements, and more; and prevention of non-state actors ‘hacking-back’. Though the term ‘hacking-back’ is undefined in the final text, in previous versions, the term ‘conducting offensive cyber operations’ was used it in its place. The earlier term was likely replaced due to its primary association with state conduct.
Finally, the declaration calls for ‘widespread acceptance and implementation of international norms’. Notably, the term ‘development […] of norms’ was used in earlier drafts of the text. Its removal from the final draft possibly signals diminished support for development of further norms.
With regard to next steps, progress surrounding the Paris Call will be assessed at the PPF in 2019, though the issues to be addressed at the PPF extend beyond cyber. Assessment will also take place at the 2019 IGF in Berlin. The second assessment was scheduled in later drafts to ensure that the Paris Call will not duplicate – but will rather complement – efforts in the IGF process. At the moment, additional details remain unknown.
Thus far, over 50 countries have signed the Paris Call. These include France and the UK (two of the UN Security Council’s five permanent members), as well as Germany. They do not include Russia, the USA, and China. Hundreds of private companies and organisations have also signed, including three of the Big Five in tech: Microsoft, Google, and Facebook. Amazon and Apple have notably abstained. All signatories to the Cybersecurity Tech Accord and the Charter of Trust, as well as Kaspersky, have also signed the Paris Call. No Chinese companies are involved.
One should often not discuss differing tastes and diets. However, in the case of this meal, crafted by chefs who envision it served around the world, it is certainly appropriate to consider the ingredients – and even allergens – that might not suit all diners. In particular, mention of the Budapest Convention and acknowledgement that international customary law – and even international humanitarian law, explicitly – applies to cyberspace will likely be distasteful, if not allergy-inducing, to some of the biggest international actors, primarily Russia and China. It looks as if Macron actually primarily intended to meet the tastes and dietary requirements of his broader allies with the Paris Call, in an effort to get them around the same table first, before appealing to a wider range of diners. Whether the chef – and his guests – will consider altering the recipe in response to incoming dining reviews is still to be seen.
In the immediate wake of the 2018 IGF, several key takeaways have emerged. First, lead European economies are stepping up in the cyber diplomacy field. Second, governments are strengthening rules for cyberspace. Despite this, the private sector is increasingly on board. Third, the Paris Call is serving as a useful buzz for cybersecurity overall, generating further discussion and bringing more diners to the table. Fourth, though this particular dish was primarily devised to attract key French partners and then to draw in other parties, it has ultimately proved its broad appeal. While the forward process remains unclear, it seems there is plenty of space for other interested parties – states, as well as industry and organisations – to suggest improvements and next steps. This will occur mainly through the French Ministry of Foreign Affairs and Microsoft, which was highly supportive of the Paris Call.
For more on the Paris Call, the UN GGE, cyber norms, and other related developments, you may follow https://dig.watch.