In the nearly thirty years that I have been involved in cyber and Internet issues, much has changed for both better and worse. The technical and policy threats to cyberspace have grown in number and sophistication and have had far greater impact because we are all increasingly dependent on computer networks for our everyday lives. A wide range of state and nonstate actors are penetrating and attacking computer systems leading to greater instability and some states wish to fundamentally change the way the Internet is run risking fragmentation of a technology that aspires to be unified and global. On the positive side, we are paying more attention to combating threats in cyberspace and seizing the many opportunities it offers. Not so many years ago, if you raised a cyber issue with a Cabinet Secretary, Minister or other very senior government official, they would treat it as a niche technical issue and relegate it to a lower level. This lack of understanding and priority was also the norm in the C-Suite of many businesses. Today, largely because of the threats we are seeing, that has slowly but surely changed. Though much more needs to be done to mainstream cyber and Internet policy, increasingly governments are seeing it as not just a technical issue but a core issue of national security, economic prosperity, human rights and, ultimately foreign policy. The private sector at the C-Suite level is also beginning to treat the issue as more than a technical cost issue but one on which the future of their businesses may depend.

While slow but steady progress in prioritizing cyber issues is foundational, one enduring challenge is bringing the right stakeholders into important conversations and decisions regarding cyberspace and bridging the gaps between various stakeholder communities. Even traditional stakeholder groups are not monolithic. Within government, for example, there are vast differences in perspective and expertise between the security, economic and human rights communities. While I was at the White House and we were beginning to write the first International Strategy for Cyberspace, I convened many different agencies in a room for an entire day and the result can best be described as “creative cacophony.” Even the language each community used was different – the security community used “cyber policy” and the economic community used “Internet policy.” Of course, there is vast differentiation in other traditional groups such as “the private sector”, “civil society”, “the academic community” or the “technical community” as well, so the challenge is not only to promote meaningful interaction both between and within these groups.

When my then office was created at the US State Department in 2011 – the Office of the Coordinator for Cyber Issues – it was the first high-level diplomatic office in the world devoted to the full scope of cyber and Internet issues. Now there are over thirty cyber offices in foreign ministries around the world – a testament to the priority of these issues as a matter of foreign policy. In establishing the office at State, we recognized that cyber and Internet issues could not be adequately addressed in stovepipes, that many cyber issues were cross cutting and it was important to make sure that our policies reflected all of our national priorities across security, economic and human rights dimensions. That meant working with seemingly diverse stakeholders across our own and other governments and with many and diverse nongovernmental stakeholders in recognition that no one group has all the answers and that our policies are stronger and more complete when they are informed by a number of different perspectives.

For example, the US Government consulted private sector and civil society groups in formulating its International Strategy for Cyberspace and conducted many bilats with other countries that included a private sector and civil society component. In addition, many countries are working with nongovernmental stakeholders in writing their national cyber strategies and incident response plans.

The idea of a “multi-stakeholder” approach is a flexible one, with different stakeholders having different roles depending on the issue at hand. In some areas, like the governance of the technical aspects of the Internet, governments are only one stakeholder among many. In others, like law enforcement and international peace and security, governments have a more dominant role. But even with respect to these later issues, there is an important role for nongovernmental stakeholders and governments do not have an absolute monopoly. I once had representatives of another government who was, at the time, skeptical of the multi-stakeholder approach, ask if it meant that they had to consult all the other stakeholders before defending themselves from an ongoing severe cyberattack. Clearly not – but building a response plan and policies with other stakeholders in advance could make any defense or response stronger. Similarly, only states can prosecute and arrest the perpetrators of cybercrime – but the private sector and others can help trace the perpetrators and provide critical evidence of the wrongdoing.

In the area of international stability, only states can agree to restrain certain destructive state actions, decide whether to obey particular agreed upon norms of state behavior or employ a range of state tools such as diplomacy, economic sanctions or force to respond to a norm violation. But here too other stakeholders have an important role. Among other things, they can help inform the discussion of what the rules of the road should be or how best to implement them given their technical or other experience. For example, the Forum of Incident Response and Security Teams (“FIRST”) – a group composed of Computer Incident Response Teams – can play a vital role in raising awareness of the UNGGE agreed norm protecting CSIRTS from state cyberattack. The Global Commission on the Stability of Cyberspace, comprised of former government representatives and members of the private sector, academia and civil society with expertise on issues ranging from hard security to human rights, has been working to help inform and supplement that government debate on these issues as have a number of other initiatives including the Paris Call and a number of industry led efforts. Other stakeholders can also agree on norms involving their own conduct and help call out violations of agreed norms by both states and nonstate actors leading to greater accountability. In addition, other stakeholders, working with governments, play a critical role in capacity building – including capacity building aimed at more widespread adoption of international law and norms. For example, the Global Forum for Cyber Expertise -- a collection of governments, private sector, academic and other organizations – has made capacity building on international security issues a priority.

Although, ultimately, governments will negotiate the conclusions of these processes, the newly formed UN Open Ended Working Group and Group of Governmental Experts on cyber stability both offer a unique opportunity for engagement with nongovernmental stakeholders. Although the focus should be firmly on international cyber stability issues, such engagement would benefit from a wide range of private sector and civil society members and any final report will be better informed by such engagement. Of course, the conversation on these issues should happen in other global and regional venues as well to both help inform the UN processes and make sustained progress more generally.

The IGF offers one important, though non-exclusive, forum for discussions around growing peace and security issues. There has been discussion on international security issues before in the IGF and it offers a forum comprised of many stakeholders who do not regularly deal with peace and stability issues. Its strength is that it can expose these stakeholders, many from the technical and Internet Governance communities, to the debates that are being held by those in governments and others who are steeped in hard security issues, helping raise awareness and helping both groups appreciate the potential effects those negotiations will have on the larger cyber ecosystem. The IGF’s weakness, however, is that members of the international peace and security community often don’t attend the IGF, particularly at a high level. For example, though many ICT Ministers and senior officials attend at least part of the meeting, they are seldom attended by foreign, defense or interior ministers who are focused on security and stability issues. For the IGF to be a more effective venue for these kinds of discussions, more attendance from the traditional security community should be sought and prioritized.