On 6 and 7 April 2017 a large international conference on cyber and international security was held in Paris. It was organized on the behalf of the Secrétaire général de la Défense et de la Sécurité Nationale by the French government cyber defence agency (Agence nationale de la sécurité des systèmes d'information, ANSSI) and researchers at University Grenoble-Alpes, and hosted by UNESCO. Central to the conference was a report written by Karine Bannelier and Theodore Christakis, titled ‘Cyber-Attacks – Prevention-Reactions: The Role of States and Private Actors’. The report presents a good overview of how states can respond to cyber-attacks in accordance with international law. The old Principle of due-diligence (and the concept of cyber-diligence which is built upon by this study) is particularly well worked out, and implies that states have a responsibility to prevent and react to malicious cyber activities emanating from their territory, conditional to their own capacity.
Presentations were given by high-level public officials, business representatives, academics and members of NGO’s. From the government side, David Martinon, France’s cyber ambassador, eloquently made the case for the application of the principle of due diligence to cyberspace, an item undoubtedly also on the agenda of the United Nations Group of Governmental Experts (UNGGE). Australia’s ambassador for cyber affairs, Toby Feakin, emphasized the importance of clearly delineating what is acceptable in cyberspace and what is not, with norms of state behaviour and capacity building as avenues for more international cooperation. Mrs Qi Xiao Xiao, representing the Cyberspace Administration of China, also mentioned the need for more international cooperation, but at the same time highlighted the importance of cyberspace sovereignty and ‘order’ to her country.
From Microsoft, Scott Charney reflected on his company’s ongoing effort to advance trust in the global ICT ecosystem by developing 'rules of the road' for nation-states engaged in cyber operations. Ken Hu, the deputy chairman of Huawei – an IT-giant with over 180 thousand employees and responsible for producing over 100 million IT-devices in the past three years, explained how his company integrated security in the product as well as the process, and that an independent security verification centre had the power to veto any product. Richard Stallman from the free software foundation reminded the audience of the difference between a hacker and a cracker, and then proceeded to offer a very original take on cyber security. If security is defined as only the user being able to control/instruct a computer, then proprietary software is per definition insecure, as this often collects data or directs the computer to work against its owners.
There were many other great speakers, and the set-up of the conference allowed different stakeholders to present their views and approaches to the pressing problem of international cyber security. There are many bridges to build: between different nation states and their cultures, between the private and public sector and between the technical and non-technical communities, to name but a few. The conference, attended by around 800 people, also offered a welcome change from the generally dominant Anglo-Saxon role in cyber security research and thinking. The practical Anglo-Saxon approach has great value, but cultural and linguistic nuances often mask inherent predispositions and the subtle promotion of their own national interests. From this perspective, the conceptual clarity and autonomous thinking offered in Paris offered a new and refreshing take on cyber operations and international law.