IGF 2019 WS #63 Usual Suspects: Questioning the Cybernorm-making Boundaries

Relevance to Theme: Several groups, bodies, and organizations have been involved in developing "Cybernorms" as an answer to cybersecurity needs and promoting responsible State behavior in cyberspace. Most formally, there is the UN Group of Governmental Experts (UNGGE). But there are other initiatives that are fostering cooperation on cybersecurity: most recently G7 Dindard Declaration, the "Paris Call for Trust and Cybersecurity in Cyberspace" and the ongoing work of the "Global Commission on the Stability of Cyberspace". At the regional level, different organizations have been discussing "Cybernorms" as well: ASEAN, OSCE, OAS, AU, SCO, NATO, EU, etc. Despite the best efforts of all these groups, bodies and organisations, there has been little progress for these "Cybernorms" to have meaningful impact in improving cybersecurity. This is most true in the political domain. Be it the failure of the GGE or the emergence of two-track processes (GGE and OEWG), such developments have played a key role in resurfacing fundamental questions related to the implementation and objective of these Cybernorms. Meanwhile, in the technical domain, we observe a range of widely accepted norms, but not well known or understood in the political arena. These are widely acknowledged, agreed principles, practices and behaviours (or restraint from behaviors), such as MANRS, RIR policies, the IETF Best Current Practices, etc., efforts that have guided cybersecurity efforts and have had positive impact throughout the years. It is important, then, to discuss what is the appropriate role of the technical community in contributing to the Cybernorms Development Process. How to foster Cybernorms effectiveness, by eliciting an expectation of justification by States if meddling with technical norms. Whether multilateral norms making is better (or more likely to be effective) vs. other areas where norms for industry are more needed, and, of course, which areas most need multistakeholder processes (and which don't).

Relevance to Internet Governance: This roundtable will be the fourth in a series of efforts at the IGF to bring the global policy and technical communities into closer and more effective dialogue. By focusing on technical perspectives on "Cybernorms", we may be able to move the dial on stalled debates and, at the same time, we may develop useful insights into the inherent problems with the processes and mechanisms that have been leaned on to develop "Cybernorms" thus far. In our first workshop in 2016, "NetGov, please meet Cybernorms. Opening the debate", participants agreed that there are many elements in the Internet Governance history and processes worth considering when developing "Cybernorms". In our second workshop in 2017, "International Cooperation Between CERTS: Technical Diplomacy for Cybersecurity", we explored the importance and the value of the technical community's involvement in international discussions on cybersecurity. In our third workshop in 2018, "Whois Collected, Disclosed and Protected: CERTs Viewpoint" we deepened the discussion into an example of how State led regulatory efforts can have unintended consequences affecting cybersecurity cooperative efforts. We have strong foundations to argue that the Cybernorms Development Processes are and should be intrinsically related to Internet Governance debates and the former could greatly benefit by exploring best practices on more open and inclusive processes -- that is, including the views of the technical community. Moreover, the 2019 edition of the Best Practice Forum on Cybersecurity is currently working on exploring best practices in different Cybersecurity Initiatives and the implementation of suggested measures. Our workshop is relevant and complements the work of the BPF on Cybersecurity.