Could norms be the answer to policing cyberspace?
Where sufficient safeguards are lacking, norms provide a middle ground between rigid treaties and taking no action at all.
First published by ISS Today
Most states across sub-Saharan Africa have resisted ratifying treaties that seek to police cyberspace. A handful of governments have signed the AU Convention on Cybersecurity and Personal Data Protection (2014) and the Council of Europe Convention on Cybercrime, while cherry-picking the bits that seem most applicable to them.
Given the highly uneven levels of digital development globally and regionally, one can perhaps not blame states for resisting being ‘tied in’ to agreements that are linked to a fast-evolving and uncertain digital future.
Despite this, legal frameworks do provide an important reference point for governments trying to come up with their own laws against cyberspace threats. Indeed, as ICT Africa Executive Director Prof Alison Gillwald points out, “creating a safe and secure internet for its citizenry is today as fundamental an obligation on the state as protecting states physically”.
Mistrust of the big powers, questions of sovereignty and global uncertainty about the direction of mass digitisation lie at the heart of why many states appear to be resisting multilateral rules and ‘big ticket’ treaties for solving the world’s problems.
So could internationally negotiated “norms” or standards of conduct be the way forward for all but the most egregious of cyber violations? And furthermore, shouldn’t the tech firms themselves join governments and civil society in helping to shape those norms?
Michael Chertoff, who co-chairs the Global Commission on the Stability of Cyberspace (GCSC) and who was a United States (US) homeland security secretary in the George W Bush administration, believes norms are the way forward. They can exist in parallel with laws. Norms grounded in common values are dynamic, which is useful given the rapid evolution of technology and the polarised position of some states on questions of balancing freedom of speech and state security.
A year after the Paris Call for trust and security in cyberspace, the GCSC used the Paris Peace Forum this week to consolidate support for numerous non-binding norms. They’re calling for more private sector and civil society involvement in both setting those global standards of behaviour online, and acting as whistle-blowers when those norms are violated.
The principles the private sector is being urged to promote include protecting the integrity and public core of the internet, a pledge not to disrupt the infrastructure of elections, and a commitment that state and non-state actors avoid tampering with products for use as weapons in cyberspace.
There are further principles that shape when and how to disclose vulnerabilities in information systems and technologies, and a pledge that non-state actors (including private companies) shouldn’t engage in offensive cyber operations.
But in international politics, how helpful are norms if they are non-binding? The global landscape is shifting from one of war and peace to what the US defence department describes as “persistent engagement” – whereby attacks happen outside the classical definition of “war”.
As this happens, there’s a need to reshape the rule book, or ensure emerging tech reflects international humanitarian, human rights and domestic criminal law. Although states ultimately write law, bodies such as the GCSC seek to influence that process.
Norms also have utility given that they have built into them a social sanctioning mechanism. This may take the form of social boycotts or investor activism when entities, especially commercial firms, are seen to have transgressed.
Chertoff conceives the commission’s work as charting a path through choppy political waters and polarised views of information access and security. “If you talk to Americans about information security, it is about making sure their personal information is safe. When you talk to Russians about security they don’t want to see ideas that they don’t like.”
But protecting the infrastructure and protocols that allow the internet to function, he argues, is a common value. Perhaps more controversially, the private sector is being encouraged by the GCSC to be more transparent about vulnerabilities, resist the commandeering of others’ ICT resources for use as botnets and report transgressions.
“One of the challenges is that nation states use surrogates to carry out attacks,” says Chertoff, and these obscure the source or the ‘client’ behind the attacks. Therefore the idea of devising broad-based norms including input from non-state actors in the technical space, whose technology and hardware may be hijacked by other actors for nefarious ends, is gaining traction.
Borrowing an example from the aviation industry, Chertoff explains that “airlines don’t compete with each other on safety but they emphasise how safety is number one for them”. So there are clear precedents for commercial rivals to work together.
However, what makes cyberspace different is that the internet is widely considered a public good, and the political implications of shutting part of it down, e.g. in the wake of an attack or a perceived threat to state control, are far more complex.
There are African representatives on the GCSC seeking to ensure the continent’s voice is heard. Internet penetration remains low across the continent, at just over 11%, but is rapidly growing. And countries such as Kenya have been behind the revolution in mobile money, which presents both an opportunity for development and a risk in terms of cybersecurity.
Africa’s vulnerability is growing. “We have seen that many poorly secured devices in Africa have become giant botnets,” says Chertoff, in part due to “the wide circulation of pirated software”. Recent ransomware attacks on South Africa’s power distribution network and increased targeting of banks have exposed a lack of safeguards, and norms may well provide a middle ground between rigid treaties and taking no action at all.