This is a commentary for the State of Geneva that aims at evaluating Microsoft’s proposed “Digital Geneva Convention” on cybersecurity. It evaluates the inputs that come from this proposal, and it tries to understand how these inputs could inform future efforts in the field of cyber governance.
The Microsoft proposal addresses the issue of State-sponsored cyber operations which affect internet infrastructure and software. The six principles that Microsoft proposes indeed highlight important questions, and they underscore the main novelty of cyberspace: the defence responsibility of the private sector.
This commentary highlights that, in reality, States are already discussing these problems. However, although State-led initiatives agree that international law applies to cyberspace, States have not been outspoken about how they believe international law should specifically apply to governmental cyber activities.
Rather, States’ efforts have been limited to producing norms of responsible State behaviour in cyberspace which are only voluntary. The non-binding nature of these norms is challenging from the point of view of compliance and enforcement. An argument could be made that international law principles already prohibit the conduct outlined in these voluntary norms, but this has not been explicitly recognised by States for the time being.
This commentary is divided into 5 parts. The first part presents the Microsoft proposal, and the way in which some of the gaps that it highlights could be filled by existing international law principles. The second part underlines that the Microsoft proposal is relevant to the behaviour of States, not common criminals, in cyberspace, and it highlights that the private sector’s control of the technical infrastructure on which the internet operates is novel and thus central to the security discussion in cyberspace. The third part provides a description of the existing framework relevant to State behaviour in cyberspace, noting that the effectiveness of such a framework is undermined by the voluntary and non-binding nature of States’ commitment to the norms that they propose. The fourth part presents three case studies of cyber events, assessed in the light of the rules proposed by Microsoft and of the 2015 UN GGE voluntary norms on Responsible State Behaviour in Cyberspace. This exercise highlights that Microsoft identifies existing gaps in the current legal framework, but it also shows that States are already aware of them. This finding makes the prospect of a convention constraining State behaviour in cyberspace unlikely in the short term, and it suggests looking for unconventional, ad hoc tools to achieve more responsible State behaviour in cyberspace. Lastly, the fifth part follows up on Microsoft’s suggestion of a third-party entity that could serve key functions in cyber governance, as the next necessary step to achieve a more secure cyber environment. The starting point for the creation of such an entity could be a multi-stakeholder discussion around the Tech Accord, as cybersecurity is a concern that touches upon private and public interests together.
The entity could develop to serve as a centre for the evolution of standards in a fast-developing technology landscape; it could allow the strategic inclusion of the private sector in cybersecurity discussions; it could work as an attribution centre and peaceful dispute settlement organ; and it could become a centre for response coordination in defence from harmful cyber events.
In conclusion, a more engaged cooperation between States and the private sector is necessary in order to achieve efficient and universally harmonised solutions. Dialogue to understand both private and public interests is still needed, before finding conventional legal means to reconcile the two.
Finally, Annex I contains a brief analogy between the principles proposed by Microsoft and the 1949 Geneva Conventions on the Laws of Armed Conflict; Annex II contains a discussion of the general legal issues to keep in mind when attempting to regulate cyberspace; Annex III contains a more detailed description of the case studies analysed in the main text.
The full report can be accessed and downloaded here: https://georgetown.box.com/s/ocqdtim7if3xvry5aa9j8v3g1f58gn5f