The Geneva Internet Platform (GIP) organised a webinar entitled ‘What is the role of civil society and communities towards a peaceful cyberspace?’ within the framework of the Geneva Dialogue on Responsible Behaviour in Cyberspace, led by the Swiss Federal Department of Foreign Affairs (FDFA), in co-operation with the GIP, the United Nations Institute for Disarmament Research (UNIDIR), ETH Zurich, and the University of Lausanne. This webinar was the second in the series, building upon the first webinar, ‘What is responsible behaviour in cyberspace?’. In the discussion moderated by Mr Vladimir Radunović (DiploFoundation), Mr Serge Droz (FIRST/ICT4Peace) and Ms Lea Kaspar (Global Partners Digital) discussed the roles of civil society and the technical community in ensuring international peace and security through responsible behaviour in cyberspace. They linked these roles to norms development processes, confidence building measures, and to the work of the United Nations Group of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security in particular. The participants also discussed the functions of civil society and the technical community in ensuring the peaceful use of cyberspace.
The diversity of civil society and the technical community
Kaspar pointed out that civil society is sometimes understood as everything that other stakeholder groups – states and the private sector – are not. However, organisations within civil society differ, their engagement differs, and modalities for their engagement should be quite different. Kaspar pointed out that the diversity of civil society comes from different interests, ideologies, and opinions of civil society organisations, but also from the different geographic locations of those organisations. She suggested that civil society should be thought of as actors that act in the public interest.
Explaining why the technical community is discussed separately from civil society, Radunović pointed out that communities around ISOC, IETF, ICANN or CERTs do not necessarily see themselves as a part of civil society.
Droz agreed with this point. He pointed out that the technical community is a very closed one, and one of the oldest communities on the Internet. According to Droz, the neutral part played by the technical community – merely trying to keep the Internet running smoothly – is no longer an option, and the community must find a new role. At the same time, policy-makers have to understand that there is a technical community that makes the Internet run. Droz also agreed with Kaspar’s point that the existence of cultural difference on the Internet is often forgotten about.
Is there a place for civil society and the technical community in international peace and security in cyberspace?
In the sphere of traditional international peace and security, civil society already has a role in norms development as well as in the implementation, enforcement and operationalisation of norms, Kaspar noted. She stated that it may be argued that having non-governmental stakeholders involved in cyberspace and Internet related policy is needed due to the nature of cyberspace. It is impossible to secure the network systems without the involvement of the technical community and without the private sector which owns most of the infrastructure, meaning that there is a clear role for these two stakeholders groups in the implementation and operationalisation of norms. Civil society should also have a role in cyberspace, Kaspar stressed, which has already been reinforced in a number of international commitments, including the UN GGE 2015 report. However, norms development seems to be under the purview of governments, Kaspar noted. She highlighted that according to the ‘Tunis agenda for the information society’, civil society has an important role in Internet matters, especially at the community level; which she considered a limited and narrow understanding of the role of civil society. Kaspar stated that there is an inherent tension between principles that underpin discussions about international peace and security. These principles are – on the one hand, the sovereignty of nation-states, and on the other, the multistakeholder approach, openness and interoperability – principles that are considered a given in Internet governance. In bringing civil society into the discussions, Kaspar noted that there is an important distinction between having an independent seat at the table for non-governmental stakeholders, a horizontal integration of non-governmental stakeholders and discussions either through consultations or advisory bodies, and a vertical integration of stakeholders within delegations of nation states where civil society organisations cannot have an independent position outside of the position of that government.
Droz pointed out that the technical community has common standards (i.e. norms), common protocols, and tries to have the same understanding of security issues. What is new to the community are non-technical norms i.e. behavioural norms. One particularly important norm from the UN GGE 2015 report stipulates that states should disclose vulnerabilities to the technical community. He stated that the challenge for the technical community is to take a stand in regards to this norm and other non-technical norms. The Internet has made us more equal, and that is why civil society needs to be at the table; at the moment, the UN GGE norms do not reflect this; they are very high level and Droz cautioned it will be challenging to break them down so in order for them to have an implication for civil society, and even harder to break them down so in order for them to have an implication for the technical community.
The role of civil society and the technical community in norms development
Kaspar stressed that it is important not to forget the role of civil society in the development of policies and norms. However, she also underlined the importance of the operationalisation of the multistakeholder model – once the norms are developed, there is a number of functions that non-governmental stakeholders will have to play. These functions can be categorised in different ways: e.g. awareness-raising, capacity-building, research and education, holding the government to account to their commitments; or effective engagement in developing the policies, transparency and accountability, and deepening knowledge.
Droz stated that the technical community is not involved in norm building often. The community should offer to policymakers a better understanding of the technological background of the systems policymakers are trying manage. Droz also stated that the technical community can apply technical solutions to some problems which have political implications, such as human rights.
Relevance of UN GGE norms
According to Kaspar, in the UN GGE 2015 report, the norm which leaves the most space for the engagement of independent civil society organisations is norm 13(e), which stipulates that states must guarantee full respect for human rights.The importance of independent organisations who play a role in making sure that governments are accountable and have obligations under the International Human Rights framework is clear. Civil society also has an important role in education, awareness raising and research. Kaspar stated that if the security of a system is as weak as its weakest link, and the weakest link is the user, then the role of civil society for capacity building, digital security training, and building cyber hygiene is obvious. Civil society also has an important role in developing norms and the operatisationalition of norms related to critical infrastructure.
According to Droz, in the UN GGE 2015 report, the norm that is most relevant for the technical community is norm 13(k), which says that states should not conduct or knowingly support any activity which would harm the information systems of the authorised emergency response teams (i.e. CERTs). Droz stated that private emergency response teams should not be attacked either. In his opinion, norms need to take into account emergency response teams so that these teams can do their work. Most importantly, these teams maintain the Internet as a critical infrastructure.
Roles of civil society and the technical community in terms of critical infrastructure
Droz stated that critical infrastructure has to be redefined because a lot of critical infrastructure is in the hands of very few actors. In his opinion, people are going to depend more and more on devices inside cyberspace which are operated by people in civil society. Therefore, these people have to be brought to the table, they have to be involved in the discussions, and they have to be protected. Non-critical infrastructure can become critical infrastructure if a significant part of it is affected, as the Mirai botnet showed.
Kaspar stated that the role for civil society is to participate in developing the framework that will be used in case of an incident response by other stakeholders.
Radunović pointed out that in case of a critical infrastructure attack, civil society can help governments with informing and warning people, as it has a huge outreach and reacts quickly in disasters. Civil society can also play an important role in ‘track 2’ dialogues among states, which can reduce tensions and prevent misunderstandings and possible cyber-incidents.
There is a need for more multistakeholder dialogues on these topics, and for governments to be present in the discussions of other stakeholders. The Geneva Dialogue on Responsible Behaviour in Cyberspace was recognised as one such venue with potential, and its continuing work is welcome by the participants.