Microsoft has proposed a Digital Convention on cyber security and this commentary seeks to evaluate the inputs made in the proposal and how these inputs could inform future efforts in the field of cyber governance. The first part of the research presents the Microsoft proposal, and the way in which some of the legal gaps that it highlights could be filled by existing international law principles. The second part underlines that the Microsoft proposal is relevant to the behaviour of States, not common criminals, in cyberspace, and it highlights that the private sector’s control of the technical infrastructure on which the internet operates is novel and thus central to the security discussion in cyberspace. The third part provides a description of the existing framework relevant to State behaviour in cyberspace, noting that the effectiveness of such framework is undermined by the voluntary and non-binding nature of States’ commitment to the norms that they propose The fourth part presents three case studies of cyber events, assessed in the light of the Microsoft’s proposal rules, and the 2015 UN GGE voluntary norms on Responsible State Behaviour in the Cyberspace. Lastly, the fifth part follows up on the Microsoft’s suggestion of a third-party entity that could serve key functions in cyber governance, as the next necessary step to achieve a more secure cyber environment. The commentary suggests that the starting point for the creation of such an entity could be a multi-stakeholder discussion around the Tech Accord, as cyber security is a concern that touches upon private and public interests together.
<br>
<br>
<b> Authors: Francesca Casalini; Stefania Di Stefano; Fabiola Rosi (Graduate Institute of International and Development Studies, Geneva)</b>