Debates on Global Governance and Cybersecurity

IGP led two thought-provoking discussions of the relationship between cybersecurity and Internet governance in Brussels last week. An event at the Center for European Policy Studies (CEPS) opened with Milton Mueller’s thoughts on “Cybersecurity as an Internet governance problem,” followed by Jan Neutze’s talk on Microsoft’s call for a Digital Geneva Convention. At RightsCon, a conference attended by 1,300 human rights advocates and analysts from civil society,

government and business, IGP’s Milton Mueller and Karl Grindal held a debate with Sandro Gaycken of the ESMT Digital Society Institute and European Commission Director Megan Richards. With Australia’s Cyber-Ambassador Tobias Feakin as moderator, the debate considered the proposition: “Cybersecurity governance mechanisms that are transnational, rooted in nonstate actors and relatively open should be favored over solutions based on national states and intergovernmental organizations.” Some highlights of these discussions are set out below.

At the CEPS event, Dr. Mueller opened by laying out the argument that cybersecurity is fundamentally an internet governance problem. “Cybersecurity became a globally prominent issue only because the Internet protocols made all the networks that used them interoperable and accessible.” He also noted that “the production of cybersecurity is closely linked to, if not a byproduct of, the production of Internet access, products and services.”

While the industry participants there tended to accept the argument, it was clear from the ensuing discussion that the European Commission still puts cybersecurity and internet governance in separate categories and does not fully appreciate their interdependence. Heli Tiirmaa-Klaar, who heads Cyber Policy Coordination within the Conflict Prevention and Security Policy unit, reiterated that Internet governance and cybersecurity are in different boxes at the Commission. She noted that some aspects of critical infrastructure are not connected to the Internet. Lisa Fuhr of ETNO, however, seemed to agree that cybersecurity governance is

Internet governance, observing that some cybersecurity efforts can “create fear of using the internet,” and could also “create a platform that helps states to not respect human rights and freedom of expression.”

Jan Neutze of Microsoft made it clear that his company is quite serious about its calls for a “digital Geneva Convention” and for platform companies to become a “neutral digital Switzerland.” The company has followed up Brad Smith’s RSA speech with handouts describing in more detail three elements of the initiative: one on “the substance of a Digital Geneva Convention for peacetime,” a second on “A Tech accord to protect people in cyberspace,” and a third on the possibility of creating an “International Cyberattack Attribution Organization.” Several panelists agreed that Microsoft’s Brad Smith did the Internet community a service by putting these ideas on the table.

In general, the CEPS audience was very receptive to the Tech Accord and International Attribution organization, but was more critical of the Digital Geneva Convention. Mueller raised questions about whether states could or would be bound by such an agreement. Ms. Tiirmaa-Klaar said that the European Commission does not support new laws and treaties, because authoritarian governments want to use them to legalize more control over cyberspace. She thought existing laws, specifically the law of armed conflict based on the interpretations in the two Tallinn manuals, could be applied in ways that addressed Microsoft’s concerns. A new UN treaty, she said, will end up with no agreement after 20 years, but in the meantime the negotiations will prevent African countries from implementing existing laws and norms. We need more analysis about what current law does not cover, she claimed, but if this is done in a global forum the discussion will go in bad directions. A participant from the Belgian Ministry of Foreign Affairs said that the Geneva convention gives us a standard with which to blame bad actors, but doesn’t really work to settle disputes, because sovereign states can just ignore it.

The idea of a “Tech Accord” received strong support. The Tech accord would be a collective industry commitment to “a common set of principles and behaviors in cyberspace,” such as “no assistance for offensive cyber operations,” and a refusal to “traffic in cyber vulnerabilities.” Mueller, CDT’s Jepperson and Lorenzo Pupillo of CEPS agreed that there was a need to develop norms to protect civilian uses of cyberspace and a need to avoid a cyber arms race and collateral damage to civilians. The Attribution agency was also seen as a creative idea and many panelists wanted to see it taken forward. Others expressed some skepticism about its effectiveness. One participant noted that when the Ukrainian airliner was shot down, there was general agreement on attribution amongst independent sources, but since Russia denies involvement no action could be taken. Fuhr of ETNO also noted that ICANN is not the right place to situate the Attribution Council, which should stick to its focus on DNS governance.

The debate at RightsCon generated lively exchanges. Mueller opened the case for the affirmative by arguing that the growing linkage between cybersecurity and national security was pulling Internet governance away from the civil society-based, multistakeholder and transnational governance model that ICANN pioneered, toward a nation-state driven model. This would lead to national partition of the net and a cyber arms race that undermines civilian security.

Speaking for the negative, Sandro Gaycken surprised the attendees by arguing that the security problem has in fact been solved. There is, he claimed, already an unhackable computer operating system that is capable, he implied, of eliminating all cybersecurity problems. It hasn’t been adopted, Gaycken asserted, only because Silicon Valley doesn’t want it to be. To block it the Internet industry funds conferences and think tanks that subvert the entire knowledge ecosystem. Gaycken also accused industry influence with preventing software liability. The multistakeholder model in security is a “complete disaster” because of this subversion, according to Gaycken. Governments with control of weapons and access to intelligence must take the lead in cybersecurity. The private sector is the cause of the problem, he said; don’t ask them to solve it. Civil society is not much better, in his view; it is heavily biased against security actors, uninformed and naïve.  A key premise underlying Gaycken’s approach was the equation of cybersecurity with national security.

DG Connect’s Megan Richards tried to straddle the fence on the debate proposition. There are two kinds of cybersecurity, she said, one associated with the military and the other associated with critical civilian infrastructure. She explained how the European Commission divided responsibility, with Internet governance in DG Connect and responsibility for the military side in the Vice President for European External Action. For the civilian critical infrastructure, Richards said she was 100% behind the transnational, private sector-based governance model; for the other side, states should lead. We need to come up with different names for these two cybersecurities, Richards argued. An audience participant from the French Foreign Ministry agreed, while expressing confusion about the multiple meanings of the term “cybersecurity” and expressing the belief that the debaters were talking past each other.

The problem with Richards’ argument, Grindal and Mueller argued, is that both types of cybersecurity are combined on the public infrastructure. Internet and digital technologies are dual use. Even something as seemingly military-focused as Stuxnet relied heavily on exploits affecting Microsoft operating systems and SCADA that are commonly used in the economy. The affirmative team also dismissed Gaycken’s argument that Silicon Valley subversion is the only obstacle to cyber security. Security is often a behavioral and institutional problem, not just a technical one, with phishing being a good example. Why wouldn’t militaries and governments adopt this entirely unhackable ecosystem if it was really as secure as claimed? Gaycken also avoided the issue of who owns this technology, how it would be commercialized and popularized, and how well it scales.

Ambassador Feakin posed an interesting question to the affirmative side: even assuming we wanted to go the multistakeholder route, why would a senior government official give up control of such a vital area of policy? How do you get from point A to point B? At the beginning and end of the debate, Feakin called for a show of hands to see who supported and who opposed the resolution. At the beginning only three or four opposed the Proposition. At the end, a couple of votes seem to have voted both for and against the proposition, reflecting Richards’ argument that different governance models should be used in different cases.