Dr. Alexander Klimburg is Director of the Cyber Policy and Resilience Program and of the Global Commission on the Stability of Cyberspace Initiative. He is also a nonresident senior fellow with the Atlantic Council, and associate and former fellow of Harvard University. His most recent book “The Darkening Web: The War for Cyberspace” was published by Penguin Press and described in The New York Review of Books as “an important and prescient book.”
In 2004, UN Secretary General Kofi Annan challenged the Internet policy community to develop the right governance structures. “In managing, promoting and protecting [the internet's] presence in our lives, we need to be no less creative than those who invented it. Clearly, there is a need for governance, but that does not necessarily mean that it has to be done in the traditional way, for something that is so very different.”[1] In the 15 years since, the rise of cyberspace, and the Internet as its most visible representation, has continued to challenge governments.
Not only does cyberspace stretch across every single domain of human behavior and touch on every aspect of government – it is even unclear to what extent it can be managed by government at all. Today it is obvious that while the private sector owns nearly all of the Internet, and civil society (using a wider description of the term) is responsible for much of its basic coding and maintenance, the role of government is less clear. Of course, states can seek to regulate various behaviors, manage data, prescribe information security standards, and have some influence on how parts of the underlying hardware are used. Their most important behavior is, however, not constructive but destructive – states remain the most powerful attackers in cyberspace. It is therefore not surprising that when states started to show an increasing concern with the Internet, it was in the context of national security, or, in foreign policy, of international peace and security. Unfortunately for them, they still decided to adhere to the standard formats of disarmament discussions, with only government, and sometimes even only diplomats, responsible for pushing the discussion forward. This made international cybersecurity an outlier among all cyberspace policy fields – an intergovernmental-only discussion in a field dominated by the multistakeholder approach. This is despite the increasing awareness that international cybersecurity required multistakeholder input – the only challenge so far has been exactly how this should be enabled.
The core of the multistakeholder approach to governance has always been an inclusive approach that, however, acknowledges leadership of relevant actors where appropriate. Both the 2005 and 2015 declarations of the World Summit on the Information Society (WSIS) made it clear that the main actor groups should each take the lead “within their respective roles and responsibilities”. This can be interpreted to mean that, while some groups would naturally play a more important role than others depending on the specific fora, no actor group would completely “own” any specific field. This included national security.[2] This realization was already starting to sink in by 2011, when the G8 stated that:
“The security of networks and services on the Internet is a multi-stakeholder issue. It requires coordination between governments, regional and international organizations, the private sector, [and] civil society (…) Governments have a role to play, informed by a full range of stakeholders, in helping to develop norms of behavior and common approaches in the use of cyberspace.”[3]
The reference to the discussion on norms of behavior was important. The principal focus of the international cybersecurity discussions within the United Nations 1st Committee, the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of Information Security (UN GGE for short), has long been on agreeing voluntary norms of behavior for states, so-called “rules of the road” for cyberspace. The most notable developments were the 2013[4] and 2015[5] reports of the GGE, the latter of which also included a number of clear peacetime injunctions to states – for instance to not interfere with another nation’s critical infrastructure, or that CERTs should be protected from attack.
Unfortunately, these laudable norms were drafted and adopted without any discussion or consultation with the non-state actors that they referred to. As became apparent in subsequent years, the vast majority of CERTs had no idea that they had been accorded special protected status, and therefore no idea how they could contribute to the implementation or enforcement of the norm. This one example of many illustrates the practical shortcomings of not including relevant non-state actors in the consultations of the UN GGE – no matter how well-formulated the norms, without buy-in from the crucial “other” actors there was clearly going to be a missing step. Both the 2013 and 2015 GGE reports include references to the importance of including non-state actors in their work[6], but this was never executed – including in the subsequent round[7] (the fifth, which ended in 2017 without a report) and the present iteration[8] (the sixth, which was to start in December 2019).
A competing UN 1st Committee group, the Open-Ended Working Group, started its work in September 2019 with an initial promise to have a non-state consultation.[9] At the first meeting it became apparent, however, that this consultation was to be very limited, and that the same lack of willingness to engage with civil society and the private sector persisted in the governmental arms control community.
Against this backdrop it is unsurprising that a number of multistakeholder initiatives have been formed to formulate their own norms, and seek to engage directly in international cybersecurity. Siemens and Microsoft have taken the lead with two different initiatives, the Charter of Trust[10] and Digital Peace Initiative[11], respectively. The French government, under President Macron’s direction, has sponsored the multistakeholder Paris Call for Trust and Security in Cyberspace.[12] And a Dutch think-tank, The Hague Centre for Strategic Studies (HCSS), took the lead to establish the Global Commission on the Stability of Cyberspace (GCSC), which presented its report in November 2019.[13]
One of the conclusions of the GCSC is that the multistakeholder approach is not only needed to formulate norms (eight of which, including the protection of the public core of the Internet, were formulated by the GCSC)[14], but also to help implement and monitor them. Drawing on governmental and non-governmental experiences with like-minded groups[15], it is advocating for a select group of state and non-state actors to come together in small community-of-interest groups, each dedicated to one specific norm. These groups can help better define what exactly a specific norm means, what the requirements of implementation really are, and also potentially how monitoring and even enforcement of the norms should be construed.
The key here is that the work on a particular norm that already has widespread endorsement (for instance through the GGE, or Paris Call) is taken forward by a group of actors who are particularly interested in that norm’s success. The exact weighting of the group – more governmental, or private sector, or civil society orientated – would change as appropriate to the norm in question. As with its precedents in international security and Internet governance, the legitimacy of the group derives from the widespread adoption of the general principle of the norm in question, and from the ability of a subgroup of its supporters to support its implementation. For many of the norms in question, including many of those of the UN GGE itself, the input of private sector and civil society will undoubtedly be key to their success.
The multistakeholder approach has clearly established itself as the backbone of all Internet-related policy making. It is increasingly obvious that many of the challenges that international cybersecurity faces – specifically in the adoption and implementation of norms of behavior – would benefit from the application of this approach. How exactly this is accomplished will, however, require some more of the creative thinking that Kofi Annan demanded.
[1] https://www.un.org/press/en/2004/sgsm9220.doc.htm
[2] For instance, the 2015 WSIS report says "We recognize the leading role for Governments in cybersecurity matters relating to national security. We further recognize the important roles and contributions of all stakeholders, in their respective roles and responsibilities." (https://undocs.org/en/A/RES/70/125, Paragraph 3.)
[3] See http://www.g8.utoronto.ca/summit/2011deauville/2011-declaration-en.html, Paragraph 17.
[4] UN General Assembly: Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. U.N. Doc A/68/98, https://undocs.org/A/68/98
[5] UN General Assembly: Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. U.N. Doc A/70/174, https://undocs.org/A/70/174
[6] For example, see the UN GGE Report /69/96 (2013), ¶12, 7; see also the UN GGE Report A/70/174 (2015), ¶31, 13
[7] UN General Assembly: Resolution adopted by the General Assembly on 5 December 2016. A/RES/71/28, https://undocs.org/A/RES/71/28
[8] UN General Assembly: Resolution adopted by the General Assembly on 22 December 2018. A/RES/73/266, https://undocs.org/en/A/RES/73/266
[9] UN General Assembly: Resolution adopted by the General Assembly on 5 December 2018. A/RES/73/27, https://undocs.org/en/A/RES/73/27
[10] Siemens Charter of Trust on Cybersecurity: https://assets.new.siemens.com/siemens/assets/public.charter-of-trust-presentation-en.pdf, 2019
[11] Microsoft Digital Peace Now https://digitalpeace.microsoft.com/. Microsoft will soon also launch a nonprofit calling out cyberattacks https://www.cyberscoop.com/microsoft-cyber-peace-institute-hewlitt-foundation-brad-smith/
[12] Paris Call for Trust and Security in Cyberspace, 2018: https://www.diplomatie.gouv.fr/IMG/pdf/paris_call_text_-_en_cle06f918.pdf
[13] The GCSC assembled 28 senior experts from different parts of the wider cybersecurity ecosystem and different regions of the globe, and is dedicated to developing “norms and policy initiatives”. It is primarily supported by three governmental and three non-governmental organizations. https://cyberstability.org/
[14] Global Commission on the Stability of Cyberspace: Singapore Norm Package. 2018 https://cyberstability.org/wp-content/uploads/2019/04/singaporenew-digital.pdf
[15] In international security, the Proliferation Security Initiative generated its own smaller like-minded group to pursue implementation and enforcement. In the Internet Engineering Task Force, both the Birds of a Feather (BOF) and Special Interest Group (SIG) represent similar like-minded sub-groups that self-organize, bottom-up, to address specific topics.