From 5 to 7 November 2018, the The Hague Program for Cyber Norms hosted its first annual academic conference entitled Novel Horizons: Responsible Behaviour in Cyberspace. The conference brought together junior and senior scholars and practitioners from government and industry to discuss what responsible behaviour in cyberspace is and if and how different actors can be persuaded to behave responsibly.
The need to formulate rules of the road for state behaviour in Cyberspace has been felt for a long time and found a place in the UN system ever since Russia tabled the first proposal for a UN resolution on ICTs in the context of international security in 1998. In terms of substance, this put the issue firmly in the context of possible conflict between states. In terms of process, it led to various rounds of so called UN Groups of Governmental Experts (UN GGEs) – as Western states did not want to go down the rabbit hole of negotiating a formal treaty – seeking consensus on acceptable interstate behaviour. After a number of successful rounds, especially the 2013 and 2015 consensus reports, the fifth iteration of the UN GGE process failed to produce a consensus report in 2017. That also landed the international cyber diplomatic community in a period of soul searching: how and where do we continue the ‘norms process’?
In the meantime, scholars have been working on analysing various aspects of interstate behaviour and norms in cyberspace and some of them were our guests in The Hague. Their contributions were roughly organised around five main themes: power, international law, regional perspectives, institutional perspectives and industry and norms. Some excellent papers were presented. For example, a number of scholars dug into the diplomatic norm entrepreneurship of global tech corporations such as Microsoft. Louise Marie Hurel and Luisa Cruz Lobato raised interesting questions about the trade-off and tensions between having a global user base and a home country government. Robert Gorwa and Anton Peez highlighted the performative room that the Cybersecurity Tech Accord offers companies when they sign up to it. Or as they write, in a twist on Alexander Wendt, the ‘Cyber Tech Accord is what companies make of it’. Focusing on a much understudied region in cyberspace, James Shires analysed how the Gulf states have appropriated Europe’s Budapest convention on Cybercrime by adding language to counter political opposition and restrict citizens’ room to manoeuvre in the online public sphere. Adopting the letter of the law is not necessarily the same as the spirit of the law. Studying cyber norms is – or should be - intrinsically bound to the study of cyber practice and the actual behaviour of prominent state and non-state actors.
The various keynotes dug into different corners of the cyber norms field. Myriam Dunn Cavelty of ETH Zürich opened the conference and sketched a broad framework for the analysis of cyber conflict, highlighting a need to study the secret and invisible (her presentation can be found here). Adam Segal of the Council for Foreign Relations talked about the rise of China in the high politics of Cyberspace. One open question here is if the formulated political ambitions will be matched by implementation and by the necessary high level of innovativeness of the Chinese economy. Laura DeNardis of American University allowed the conference a sneak peek into her forthcoming book Control after the Internet: The Global Politics of Cyber Physical Things that will be published by Yale University Press in a year or so. She took us into the technicalities and standards of the ever growing Internet of Things (IoT) environment and outlined the massive challenge that regulators face in this fast moving, low security world of IoT.
On the evening of the 6th of November, most of the conference participants joined an event in the Peace Palace where Brad Smith, Microsoft Global President and Chief Legal Officer, spoke on the need for Digital Peace. This event was a run-up to the Paris Call for Trust and Security in Cyberspace presented in Paris the following week as part of the celebration of the centennial armistice of World War I. The Paris Call is a cyber norms package that, as I indicated in my speech and the debate with Brad Smith, reads like a best-of album of the past decade(s) of cyber norms. This is in itself a good thing – norms need repetition and buy-in in order to stand a chance of being meaningful – but the package is also ‘Western’ in orientation and is more likely to strengthen and sharpen the thinking of the like-minded than to cross the global divides that plague the international debate about responsible behaviour in cyberspace.
That these divides are alive and kicking was clear from the dispatches from New York where the First Committee of the UN was in session in the same week. The question ‘where should the cyber norms process move next?’ was answered in twofold. Two competing resolutions on the actions of states in cyberspace – one sponsored by Russia and one sponsored by the United States, were both adopted by the General Assembly’s First Committee. The American resolution calls for a new round of the UN GGE process, whereas the Russian resolution calls for the creation of an open-ended working group of the General Assembly. As the latter will be open to all member states, Russia is positioning itself as the advocate of participation and inclusivity in contrast to the more selective GGE process that will number 25 member states (see this blog post by Alex Grigsby for a critical review of this process). The UN has spoken and the world will now have both. Diplomats face the task to make the process of cyber norms work – or perhaps in some cases, derail – in this double setting. For scholars, the norms process has just gained new layers and dimensions to study. Good thing we organise an annual conference.