IGF 2020 BPF Cybersecurity

Information

Session

Time:

Tuesday, 17 November, 2020 - 12:50 to 14:20 UTC

Room:

Room 1

About this Session:

'Exploring best practices in relation to international cybersecurity initiatives.' Join the BPF in discussing what cybersecurity can learn from normative principles in global governance and in exploring best practices in relation to international cybersecurity initiatives.

Session agenda

1. Introduction to the work of the BPF in 2020

2. Norms development in cyber vs. the real world

3. Analysis of new cybersecurity agreements

4. Discussion

5. Wrap up

Confirmed panelists

Moliehi Makumane, Government of South Africa
Pablo Hinojosa, APNIC
Sherif Hashem, SUNY Polytechnic Institute
Louise Marie Hurel, Igarapé Institute
Isaac Morales, Government of Mexico
Stéphane Duguin, CyberPeace Institute
Aude Gery, GEODE

Discussion leads

John Hering, Microsoft
Sheetal Kumar, Global Partners Digital
Maarten Van Horenbeeck, First

Presentation of the BPF background paper

Anastasiya Kazakova, Kaspersky
Apratim Vidyarthi, University of Pennsylvania Law School

BPF Cybersecurity webpage

https://www.intgovforum.org/multilingual/content/bpf-cybersecurity

BPF papers

Background paper What Cybersecurity Policymaking Can Learn from Normative Principles in Global Governance (.pdf)
Research paper - Exploring Best Practices in Relation to International Cybersecurity Agreements (.pdf)

Theme:

TRUST

Report

1. Key Policy Questions and related issues:

What trends and commonalities can be identified between different international agreements and initiatives on cybersecurity?

To what extent do international agreements and initiatives on cybersecurity include one or more of the 11 norms contained in the 2015 Report of the UN Global Group of Experts (adopted under UN GA Resolution A/RES/70/237)?

What can cybersecurity policymaking learn from normative principles in global governance?

2. Summary of Issues Discussed:

Looking at norms developed in other fields can provide useful lessons for better development, implementation and respecting of norms in the area of cybersecurity.

The development and implementation of norms should include both policy / diplomatic professionals as well as technical experts.

Norms development should be open and inclusive in order to include developing countries and stakeholders.

3. Key Takeaways:

Even if not binding themselves, norms can play an important role in helping to interpret and implement binding aspects of international law. Norms matter for cybersecurity because the internet is a decentralized, multinational entity that is hard to govern. Internet governance therefore relies on multistakeholderism, which forms the basis for norms. There are useful lessons to learn from norms developments in other areas:

Successful norms are concrete, specific, and often create processes to foster implementation and accountability
Powerful norm promoters can be critical for success, as can be incentives and persuasion
Failures happen and are inevitable but can become the basis for success
Norms development, even without results, creates socialization, which can be critical for further success

While norms are often developed via multilateral diplomacy and state-driven efforts, there is an important role for non-state actors from private sector and civil society, providing expert input into both the substance of the norms as well as how they can be implemented. It is also important to involve technical experts, both in the development of norms (to avoid creating unintended negative consequences on the technical operation of the Internet), and to bring technical and policy professionals together to work on implementation of norms.

There are challenges in both developing norms that have wide support and then subsequently in having them implemented. Guidelines can be helpful in supporting implementation of norms.

There are also concerns that cybersecurity norms development processes are not always open and inclusive to all countries and stakeholders.

The work of the BPF has been valuable in tracing norms and finding commonalities, even where there are differences in language and terminology.

4. Policy Recommendations or Suggestions for the Way Forward:

Issue and Recommendation:

Governments, international bodies and stakeholders interested in cybersecurity norms should look to norms developed in other fields can provide useful lessons for better development, implementation and respecting of norms in the area of cybersecurity. When developing and implementing norms to improve cybersecurity, governments should take a joined-up approach by ensuring the involvement of technical experts alongside the policy experts which often tend to lead the processes. Governments and bodies working on norms should be open and inclusive in order to benefit from technical expertise and diverse viewpoints, and to ensure that developing countries and stakeholders are able to participate.

6. Final Speakers:

1. Introduction to the work of the BPF in 2020

Maarten Van Horenbeeck, FIRST

Sheetal Kumar, Global Partners Digital

2. Norms development in cyber vs. the real world

Apratim Vidyarthi, University of Pennsylvania Law School

Anastasiya Kazakova, Kaspersky

3. Analysis of new cybersecurity agreements

John Hering, Microsoft

4. Discussion

Moliehi Makumane, Government of South Africa

Pablo Hinojosa, APNIC

Sherif Hashem, SUNY Polytechnic Institute

Louise-Marie Hurel, Igarapé Institute

Isaac Morales, Government of Mexico

Stéphane Duguin, CyberPeace Institute

8. Session Outputs:

Full details of the BPF’s work this year can be found at the BPF’s webpage - https://www.intgovforum.org/multilingual/content/bpf-cybersecurity. These include:

What Cybersecurity Policymaking Can Learn from Normative Principles in Global Governance - Background document (download .pdf)

The Internet Governance Forum’s thematic intersessional work on cybersecurity intends to guide submissions to the 2020 Best Practice Forum on Cybersecurity’s final, annual report. By taking the time to identify successful norms initiatives and their role in policy change, the BPF Cybersecurity grounds its analysis of a wide variety of Cyber Norms initiatives in the lessons learned throughout the stages from early development to implementation. The examples studied in this review were chosen for their effectiveness and are not necessarily related to or even tangential to technology or the internet. By looking to successful norms frameworks the BPF Cybersecurity, and the initiatives it has invested in, might better understand the strengths, flaws, and why some norms initiatives have ultimately succeeded.

Exploring Best Practices in Relation to International Cybersecurity Agreements - draft Research paper (download .pdf)

The IGF 2020 Best Practice Forum (BPF) on Cybersecurity’s workstream on exploring best practices in relation to international cybersecurity agreements is focused on updating and further advancing the analysis of the 2019 BPF report on the state of international cybersecurity agreements, with a more narrow focus on cyber norms agreements. Its work includes:

Identifying new agreements and developments since last year to include in the analysis.
Reviewing and refining the scope of agreements to be included in the report.
Identifying a core group of agreements to include in the 2020 analysis.
Identifying trends and commonalities between contents of cyber norms agreements.
Releasing a call for contributions to gain further input on these selected agreements and their implementation.
Updating last year’s research paper with new learnings about implementation regarding these core agreements.

Identifying additional international agreements and initiatives on cybersecurity, and performing a deeper analysis of a set of agreements - Call for contributions

In 2020, the BPF Cybersecurity is building on its 2019 report by focusing on identifying additional international agreements and initiatives on cybersecurity, and performing a deeper analysis of a narrower set of agreements. In this deeper analysis, we’re looking specifically at whether the agreement includes any of the UN-GGE consensus norms; and whether any additional norms are specifically called out.

The narrower set of agreements is focused on those that are specifically normative, rather than having directly enforceable commitments. The Best Practice Forum on Cybersecurity is calling for input for its 2020 effort. Input will feed into the BPF discussions, the BPF workshop during the virtual IGF2020 and this year’s BPF output report.

Main menu

You are here

IGF 2020 BPF Cybersecurity

Information