Ambassador Wolfgang Ischinger has been Chairman of the Munich Security Conference (MSC) since 2008. A German career diplomat, he was State Secretary (Deputy Foreign Minister) from 1998 to 2001. From 2001 to 2006, he was the Federal Republic of Germany’s Ambassador to the US, and from 2006 to 2008, to the Court of St James’s. He is a Senior Professor at the Hertie School of Governance, Berlin, and serves on the boards of numerous companies as well as non-profit institutions, including Atlantik-Brücke / Berlin, AICGS / Washington D.C., the American Academy / Berlin, and the Atlantic Council of the United States / Washington D.C.
Our ever-growing digital connectivity has in many ways contributed to the empowerment of the individual, just as optimists imagined it 20 years ago when the Internet was still in its infancy. From the perspective of foreign and security policy, the empowerment of individuals through cyberspace tends to undermine the state’s monopoly on the use of force. And it is doing so in a way that we don’t yet fully comprehend. That is why we must abandon the idea that the state can ever universally guarantee safety in cyberspace. Our digital lines of defense are increasingly drawn at the level of each individual company or each individual user.
As a consequence, the large private companies whose services and hardware make up the infrastructure of cyberspace are acquiring not just economic but also geopolitical relevance. It is no coincidence that the heads of technology companies like Facebook, Twitter and others now regularly meet one-on-one and at eye level with world leaders. And with power comes (or should come) responsibility – including the responsibility to contribute to adequate standards for cybersecurity, not only at the national but also at the international level.
Some of the private sector partners of the Munich Security Conference (MSC) are among the companies who have stepped up: At the Munich Security Conference 2017, Microsoft presented its ambitious proposal for a “Digital Geneva Convention”. Just as the existing Geneva Convention of 1949 commits states to protect civilians from harm in the event of war, a Digital Geneva Convention would oblige them to protect individuals from the dangers of cyber warfare. It would ban states from launching cyberattacks on private sector targets, critical infrastructure, or intellectual property. And it envisions the tech sector as a neutral “Digital Switzerland” that never assists in offensive cyber activities and wins users’ trust by protecting them impartially no matter where they are.
One year later, at the Munich Security Conference 2018, we convened a number of industry giants who, led by Siemens, signed the “Charter of Trust” (CoT). Since then, over a dozen major companies have joined this initiative. The CoT commits members to transparency about cybersecurity incidents and promotes the inclusion of cybersecurity rules in free trade agreements. The CoT demonstrates what meaningful common standard setting can look like. In the case of products, for example, it means standardizing access authorization, data encryption, and continuous security updates. By next year, the number of connected devices in use worldwide is supposed to reach 20 billion. Imagine if none of those connected products had come onto the market without meeting certain standard cybersecurity requirements. Standard setting also has the important confidence-building effect of empowering citizens and users to better protect themselves by knowing what standards the products they use had to meet or did not meet.
Now, it is incumbent upon states to step up. If governments continue to leave it to the private sector to self-regulate, citizens might lose trust in politics to manage the pressing issues of technology. That is precisely why multistakeholderism is the right approach to cyber governance. It is encouraging to see, for instance, Emmanuel Macron personally championing an initiative that brings together governments, businesses and civil society: the Paris Call for Trust and Security in Cyberspace, which draws on principles of the Digital Geneva Convention and the Charter of Trust.
When we established the MSC Cyber Security Summit in 2012 as our first regular thematic format outside the main conference in Munich, there were two messages I wanted to put on the agenda: First, that cyber security needs to be “Chefsache”, as we say in Germany – it has to be dealt with by decision makers at the very highest levels. That means by CEOs and by heads of government. And second, we need to provide adequate “translation” between those top-level decision makers and the cyber security experts in companies and think tanks who deal with the technology every day. The Charter of Trust and the Paris Call show that there is progress on both counts.
It is important that these trust-building initiatives succeed. Trust is the cornerstone for cyber diplomacy, as it is for diplomacy in general. Without mutual trust, binding norms cannot develop, much less succeed. And we still have a long way to go towards states, companies and individual users having full confidence in the cyber sphere and in each other.