The recent Global Conference on Cyber Space (GCCS) conference in Delhi brought together governments, businesses and civil society groups to address the future of cyberspace. Amongst the plethora of discussions and sessions, a significant paper on Norms for Cybersecurity in ASEAN (Policy Options for Collaborative Security in the ASEAN Region) was published by the Cyber Security Agency of Singapore (CSA), supported by Amazon Web Services (AWS), Dell Technologies, Intel and Microsoft.
Why is this paper significant? For a number of reasons. Having a range of significant tech sector companies align with a leading global cybersecurity regulator is more than window-dressing. Cooperation between public and private sectors underpins the multi-stakeholder approach to cybersecurity and cyberspace that Microsoft has long argued for. Harnessing these different groups’ perspectives, skills and (even) objectives seems to be the only way to reliably make progress towards a cyberspace that is secure for all participants, be they big or small, governmental or commercial or otherwise.
More than this, the report is significant because it makes clear that norms (defined by the report as “principles or standards of behavior expected of a member of a group”) can be used to build a safer and freer global cyberspace than the one we have today. The potential of norms was previously underlined by the UNGGE 2015 Report, which referenced both norms that encouraged positive duties for states and norms that limited negative actions. This was an exceptionally important attempt at the global level, via the United Nations, to shape responsible behavior by states in cyberspace.
The subsequent UNGGE 2017 process encountered some political setbacks that prevented the U.N. from building on the 2015 consensus and the norms it set out. While disappointing in and of itself, this development has not invalidated those norms. Indeed, the political and diplomatic roadblocks encountered within the UNGGE only serve to highlight the flexibility and applicability of norms themselves, which are easier to define and agree amongst governments than detailed obligations or treaties. These characteristics make norms ideal, in fact, for use in regional cybersecurity initiatives. The report’s authors make a strong case for regional activity being a way to make progress even if the global process has stalled. And this is where the role of the CSA and of ASEAN comes into focus.
ASEAN’s member states are rapidly coming online, with expanding numbers of internet users and burgeoning connectivity. This brings positives (more innovation and economic growth) and negatives (greater exposure to cybercrime and translation of long-standing geopolitical disagreements into cyberspace) to the states involved. As a result, ASEAN governments are having to pay attention to a policy area that virtually didn’t exist a decade ago. Being able to turn to norms, ideally norms based on the UNGEE 2015’s work, gives those governments a reliable starting point.
Indeed, the use of established norms will give individual states both the flexibility to address domestic cybersecurity needs and also the consistency to ensure their approaches will mesh with other jurisdictions (which is essential when you consider that cyberattackers rarely respect national borders). As the report makes clear, where the cybersecurity differences between states are pronounced (and there are some big differences in ASEAN), those with more advanced capabilities can help with capacity building (as the CSA has). And where there are concerns about potential cyberconflict between “real world” rivals, then confidence building measures (CBMs) can be used, as indeed ASEAN has been doing in recent years.
Norms in cybersecurity are not, however, simply a matter for governments. As the participation in this report by Microsoft and others shows, norms are also matter to the companies that build and run critical cyber-infrastructure. Norms also matter to those who rely on cyberspace, including communities and individual citizens. Involving all three of these groups in developing norms is essential, and one of the problems of the UNGGE process was that non-governmental groups were simply not as involved as they should be. The report’s concluding recommendation (after establishing a common glossary of cybersecurity terms, coordinating vulnerability disclosure, cooperating in information exchange and promoting data protection and privacy) is that “a multi-stakeholder process for norm development should be of paramount importance.”
If ASEAN and other regions build on the norms-led, multi-stakeholder options set out in the report, they could make a major contribution to rebooting the global cybersecurity process. Microsoft has made no secret of our belief, shared by others, that the world needs a Digital Geneva Convention to ensure cyberspace is a safer, freer place for everyone. Given that the UNGGE is in abeyance, work with norms at the regional level may be the best short-term way to advance the protection of civilians in cyberspace. The alternative scenario, where global progress remains frozen as cyberattacks relentlessly escalate until a catastrophic cyber-event forces governments back to the table, benefits nobody except those behind cyberattacks.