A peer-reviewed article based on this working paper was subsequently published in the Journal of Cyber Policy.
As use of the Internet has become critical to global economic development and international security, there is near-unanimous agreement on the need for more international cooperation to increase stability and security in cyberspace. Several multilateral initiatives over the last five years have begun to spell out cooperative measures, norms of behavior, and transparency and confidence-building measures (TCBMs) that could help improve mutual cybersecurity.
These efforts have been painstakingly slow, and some have stalled due to competing interests. Nonetheless, a United Nations (UN) Group of Governmental Experts (GGE) and the Organization for Cooperation and Security in Europe (OSCE) have achieved some high-level agreement on principles, norms, and “rules of the road” for national Internet activities and transnational cyber interactions. Their agreements include commitments to share more information, improve national protective capacities, cooperate on incident response, and restrain certain destabilizing state practices.
Voluntary international agreements are worth little, unless states implement their commitments. So far, implementation has been crippled by vague language, national security considerations, complex relations between public and private actors in cyberspace, and privacy concerns. This is particularly true regarding the upfront sharing of information on threats and the willingness of participants to cooperate on incident investigations, including identifying perpetrators.
With multilateral forums struggling to find a way forward with norm-setting and implementation, alternate pathways are needed to protect and build on what has been accomplished so far. Different strategies can help advance implementation of measures in the UN and OSCE agreements. Some commitments, such as establishing and sharing information about national points of contact, are best handled unilaterally or through bilateral or regional inter-governmental cooperation. Other objectives, such as protecting the core architecture and functions of the Internet that support trans-border critical infrastructure and underpin the global financial system, require a multi-stakeholder approach that includes not only governments but also private sector service providers, academic experts, and nongovernmental organizations.
This paper compares what the GGE and OSCE norm-building processes have achieved so far and what disagreements have impeded these efforts. It identifies several priorities for cooperation identified by participants in both forums. It also proposes three practical projects related to these priorities that members of regional or global organizations might be able to work on together despite political tensions and philosophical disputes. The first would help state and non-state actors share information and communicate about various types of cybersecurity threats using a flexible and intuitive effects-based taxonomy to categorize cyber activity. The second would develop a more sophisticated way for state and non-state actors to assess the risks of different types of cyber incidents and the potential benefits of cooperation. The third would identify aspects of the Internet that might be considered the core of a public utility, worthy of special protection in their own right and for their support of trans-border critical infrastructure.