IGF 2018 BPF Cybersecurity

Salle XII

2018 Best Practices on Cybersecurity

Wedneday 14th Nov, 10:10-11:40 CET, Salle XII

Co-moderators: Markus Kummer, Internet governance & policy consultant and Kaja Ciglic, Microsoft



1. Introduction by the co-moderators (5 minutes)

2. Run-through of this year’s BPF output by Wim Degezelle, BPF Cybersecurity consultant (10 mins)

3. Interventions by a selection of the contributors to the 2018 BPF Cybersecurity output (25 mins):

4. Round-table discussion open to all participants (50 mins)





- Session Type (Workshop, Open Forum, etc.): BPF


- Title: 2018 Best Practices Forum on Cybersecurity


- Date & Time: Wednesday 14th Nov, 10:10-11:40


- Organizer(s): Markus Kummer, Internet governance & policy consultant (Technical Community) and Ben Wallis, Microsoft (Private Sector)


- Moderators: Markus Kummer, Internet governance & policy consultant (Technical Community) and Kaja Ciglic, Microsoft (Private Sector)


- Rapporteur/Notetaker: Ben Wallis, Microsoft


- List of speakers and their institutional affiliations (Indicate male/female/ transgender male/ transgender female/gender variant/prefer not to answer):

Mr. Wim Degezelle, BPF Cybersecurity consultant

Mr. Louk Faesen, Global Commission on the Stability of Cyberspace (GCSC) (Technical Community)

Mr. Ephraim Percy Kenyanito, ARTICLE 19 Eastern Africa (Civil Society)

Ms. Saleela Salahuddin, Facebook / Cybersecurity Tech Accord (Private Sector)


- Theme (as listed here): Cybersecurity, Trust and Privacy


- Subtheme (as listed here): Cybersecurity best practices


- Please state no more than three (3) key messages of the discussion. [150 words or less]


  • The importance of norms as a mechanism in cybersecurity for state and non-state actors to agree on a responsible way to behave in cyberspace, given that the speed of legislation often struggles to keep up with the pace of changes in the sphere of cybersecurity.


  • The importance of multi-stakeholderism – threats to cybersecurity impact governments, private companies and people. There are a number of helpful norms, on different aspects and from various parts of the world, but more needs to be done to involve non-state stakeholders in the development and implementation of norms.


  • Cybersecurity norms and laws should be respectful of human rights, and not stray into areas such as freedom of expression and control of content online. It is important to separate the security of the infrastructure, which this BPF is focused on, from questions of content shared online.




- Please elaborate on the discussion held, specifically on areas of agreement and divergence. [150 words] Examples: There was broad support for the view that…; Many [or some] indicated that…; Some supported XX, while others noted YY…; No agreement…


The work of 2018 BPF identified the norms that exist and any best practices that can be learnt; and then looking into the question of a digital security divide in which some sets of users have better cybersecurity protections than others. It recognises that norms have become more important as a mechanism for state and non-state actors to agree on a responsible way to behave in cyberspace, partly because traditional law-making is generally not able to keep pace with the evolution of online security threats. It found that there are a great variety of norms, varying from the culture of cybersecurity within a company to behaviours of end users, including an example of a teacher in the classroom. However, norms are often developed in relatively small and close communities which focus on their areas of expertise and do not involve or communicate with others. And they are often developed by a specific group of stakeholders or countries which can make it difficult to transfer them to a multistakeholder environment. The 2018 BPF output can be seen as valuable in raising visibility of norms developed outside the intergovernmental realm, which governments are sometimes less aware of.


There are some positive recent examples of new norms being developed, including Geneva Dialogues in Switzerland, an ASEAN commitment on norms, the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) and the framework developed by the US standards body, NIST. But many norms are developed between states or within the private sector. When norms are developed, it is important to find ways to bring in technical expertise and allow for the involvement of stakeholders. The November 2018 Paris Call is an encouraging exception, with almost 400 signatories coming from across governments, the private sector, the technical community and civil society, and a focus on working together with different stakeholders to tackle these challenges.


An illustrative example is the Global Commission on the Stability of Cyberspace (GCSC). It has a mandate very much focused on developing and implementing norms, and has recently adopted the Singapore Norm Package, providing six further norms to the two previously agreed, and with the express purpose of having them adopted by public and private sector actors towards an architecture to improve international security and stability in cyberspace. However, the GCSC is a discussion just between governments, and only 25 of them. It could benefit from the expertise and knowledge of stakeholders, conscious that the technical community and civil society manages much of the Internet and the private sector owns most of the critical infrastructure.


A major example of private sector efforts to develop norms is the Cyber Tech Accord which has brought together over 60 large and small companies representing network operators, software developers, social media companies and cybersecurity researchers. Its work is based around some central norms – to protect all customers, to oppose cyber-attacks on innocent citizens and enterprises, and to help empower users, customers, and developers to strengthen cybersecurity protection. Beyond developing high-level norms, it also develops capacity among its members through sharing technical information and providing training. In taking responsibility for its role, a particularly important element for the private sector is the principle of security by design, which should be enshrined in many of these norms.


- Please describe any policy recommendations or suggestions regarding the way forward/potential next steps. [100 words]


It is important to separate the security of the infrastructure, which this BPF is focused on, from questions of content shared online. Issues such as freedom of expression, data protection, intellectual property have their own separate legal frameworks and should not be taken within cybersecurity laws or norms. One panellist spoke of cybersecurity laws being adopted which also bring in non-cybersecurity measures, such as prohibiting the sharing of information over the Internet by public officials or making it illegal to question official statistics.


Capacity building is needed in terms of both financial resources. More partnerships would be an important way to help achieve this, helping to get experts in various regional levels and at the ground level to spread expertise and norms into all parts of the world.


In the discussion, it was suggested to think about the various steps required to have norms in place. Between designing norms and implementing them, there is an intermediate step which one panellist described as “norm authorisation”. This relates to identifying which kinds of bodies, beyond governments, could take on the authority for driving the implementation of norms, and could also extend to providing some kind of accountability for attributing non-compliance with norms and creating pressure which can help the norm become accepted over time. The media can also play a role in shedding light on exploitations and subversion of cybersecurity norms or drawing attention to best practices.



 - What ideas surfaced in the discussion with respect to how the IGF ecosystem might make progress on this issue? [75 words]


The IGF does not have a mandate to develop norms or to be any kind of authorisation body related to norms. However, there could be a role for the IGF to continue its intersessional work on cybersecurity by contributing to developing a narrative, e.g. what do we mean of this norm, and what should be done or not be done to essentially illustrate what could be done going forward. It could also be interesting to look at how the IGF could take forward ideas with the Paris Call for Trust and Security in Cyberspace.


- Please estimate the total number of participants.

About 65


- Please estimate the total number of women and gender-variant individuals present.


About 30


- To what extent did the session discuss gender issues, and if to any extent, what was the discussion? [100 words]

The session did not discuss cybersecurity in the context of gender; only cybersecurity as it relates to society as a whole.



Session Time