2018 BPF Cybersecurity
Cybersecurity Culture, Norms & Values
Final Output
Executive Summary & Key Learnings
To enrich the potential for Internet Governance Forum (IGF) outputs, the IGF has developed an intersessional programme of Best Practice Forums (BPFs) intended to complement other IGF community activities. The outputs from this programme are intended to become robust resources, to serve as inputs into other pertinent forums, and to evolve and grow over time. BPFs offer substantive ways for the IGF community to produce more concrete outcomes.
Since 2014, the IGF has operated a Best Practice Forum focused on cybersecurity. In 2014-2015, the BPF worked on identifying Best Practices in Regulation and Mitigation of Unsolicited Communications and Establishing Incident Response Teams for Internet Security. Later, the BPF focused on cybersecurity: identifying roles and responsibilities and ongoing challenges in 2016, and identifying policy best practices in 2017.
For 2018, the Best Practices Forum focused its work on the culture, norms and values in cybersecurity. The plan of action we took to approach this topic consisted of:
● The BPF started the process by building on its previous work on the roles and responsibilities of the IGF stakeholder groups in cyberspace and exploring what norms have developed that apply to each of these groups. Some of the questions we explored relate to the behaviour of each stakeholder group, such as “state behaviour” or “industry behaviour”. The discussion of civil society’s role in norms development includes social norms of safe and secure online behaviour by individual users.
● We identified sample norms established by various forums, documenting and comparing them. We did so by engaging experts, BPF contributors and the IGF’s network of National and Regional IGF initiatives (NRIs). Through this network, BPFs can bring in a developing country perspective and connect the NRIs with the norms development communities, to promote a culture of cybersecurity. We collected information on how they are articulated, implemented and whether they are successful.
● The BPF leveraged the work from last year to identify if any of the policy recommendations may see widespread acceptance, and may have developed into a recognized “best practice”.
● We aimed to understand the impact of a “digital security divide”. When or where there’s no real universal implementation of a norm, or if the implementation of the norm has unintended consequences, or has different impacts in a different context (e.g. those with and those without effective rule of law), it may result in a group of “haves” and “have nots” in terms of the protection the norms offer. Security controls will be sufficient or meaningful in some parts of the world, and not in others. While these differences may exist regardless of norms, inappropriate norms implementation also may adversely affect users. This is an interesting area for investigation into the reasons for non-adherence or potential barriers preventing the implementation.
● Finally, we convened a meeting during the Paris IGF, bringing in experts from the norms development community to discuss the key issues in this space.
At the beginning of the year, we published a Background document that was developed with support from participants in the Best Practice Forum, and serves as an introduction to the wider area. It was provided as background reading to anyone responding to our public Call for Input, which was released on August 15th. The document you are reading today brings together the research performed by the BPF, the inputs from 16 contributors to our call for input, and the contributions by experts and participants in our Paris session on November 14th.
Key lessons learned in our work include:
● The importance of norms as a mechanism in cybersecurity for state and non-state actors to agree on a responsible way to behave in cyberspace, given that the speed of legislation often struggles to keep up with the pace of changes in the sphere of cybersecurity. In addition to the development of norms, it is important that stakeholders continue to focus on mechanisms for norms implementation, to ensure their effectiveness.
● The importance of multi-stakeholderism: threats to cybersecurity impact governments, private companies and people. There are a number of helpful norms, on different aspects and from various parts of the world, but more needs to be done to involve non-state stakeholders in the development and implementation of norms. It should also be noted that there are several norms developed and proposed by non-state actors, which do not always get the same level of attention.
● Cybersecurity norms and laws should be respectful of human rights, and not stray into areas such as freedom of expression and control of content online. It is important to separate the security of the infrastructure, which this BPF is focused on, from questions of content shared online.
We hope this information proves useful to develop the community's understanding of the complex but important area of cyber norms development, and how we all partner on building a culture of cybersecurity that protects and enables society online.
2018 BPF Cybersecurity Final Output: https://www.intgovforum.org/filedepot_download/6764/1437
2018 BPF on Cybersecurity session
Wednesday 14th Nov, 10:10-11:40 CET, Salle XII
Co-moderators: Markus Kummer, Internet governance & policy consultant and Kaja Ciglic, Microsoft
Format:
1. Introduction by the co-moderators (5 minutes)
2. Run-through of this year’s BPF output by Wim Degezelle, BPF Cybersecurity consultant (10 mins)
3. Interventions by a selection of the contributors to the 2018 BPF Cybersecurity output (25 mins):
4. Round-table discussion open to all participants (50 mins)
Cybersecurity Culture, Norms and Values
Background paper to the IGF Best Practices Forum on Cybersecurity
The background paper was established with support from participants in the BPF Cybersecurity, and serves as introduction to the wider area of culture, norms and values in cybersecurity. It is highly recommended to anyone interested in the topic and in contributing to the work of the BPF.
BPF Cybersecurity CALL FOR CONTRIBUTIONS (closed)
Background
In 2016, the first Best Practice Forum on Cybersecurity started off with discussions enabling participants to understand the wider context of the word "cybersecurity" for each stakeholder group. The BPF made it clear right from the beginning that this work needed to be conceived as a multi-year project. It then worked to:
● Identify the communications mechanisms between stakeholder groups to discuss cybersecurity issues;
● Understand the typical roles and responsibilities of each group in making sure the Internet is a secure and safe place;
● Identify common problem areas in cooperation, and best practices for doing so.
The 2017 BPF explored how cybersecurity influences the ability of ICTs and Internet technologies to support the achievement of the SDGs. Among other things, it
- examined the roles and responsibilities of the different stakeholder groups; and
- aimed to identify options for policy mitigations that could help ensure that the next billion(s) users can be connected in a safe and reliable manner and fully benefit from existing and future technologies.
About the 2018 Cybersecurity BPF
For 2018, a number of directions were considered for further examination. Two main themes found broad support: the digital divide which develops when some Internet users can afford security, and others cannot; and culture, norms and values of cybersecurity, and how they are important. While it was found that the two themes are interconnected, the proposal for 2018 is to focus on culture, norms and values in cybersecurity.
● Norms have become a very important mechanism for states and non-state actors to agree on responsible behaviour in cyberspace. There are numerous initiatives under way in this regard, but with limited exceptions, such as the Global Conference on Cyberspace (GCCS) and the Global Commission on the Stability of Cyberspace (GCSC), most of these norms discussions happen in inter-state forums, and they do not always provide an open and inclusive mechanism for non-state actors to participate and to contribute. In this way, a continuing BPF on Cybersecurity would build on the specificity of the IGF and add value in providing a complementary forum for multistakeholder feedback on this topic.
● The BPF could start the process by building on its previous work on the roles and responsibilities of the IGF stakeholder groups in cyberspace and explore what norms have developed that apply to each of these groups. Some of the questions to be looked into relate to the behaviour of each stakeholder group, such as “state behaviour” or “industry behaviour”. The discussion of civil society’s role in norms development would include social norms of safe and secure online behaviour by individual users.
● Further work will identify norms established by various forums, documenting and comparing them. Of particular value would be the IGF’s network of National and Regional IGF initiatives (NRIs). Through this network, the BPF can bring in a developing country perspective and connect the NRIs with the norms development communities, to promote a culture of cybersecurity. Part of this process would be to make sure that their norms are well known and understood, and to provide a space for discussion.
● This process will result in the development of a document, while the norms development bodies can participate in the BPF for more real-time feedback.
● The BPF can also leverage the work from last year to identify if any of the policy recommendations may see widespread acceptance, and may have developed into a recognized “best practice”. This could then lead to other norms development bodies considering them as new norms - consistent with one of the IGF’s purposes to bring emerging issues to the attention of the relevant bodies.
● Focusing on culture, norms and values will lead us down the path of understanding the impact of a “digital security divide” as well. When or where there’s no real universal implementation of a norm, it may result in a group of “haves” and “have nots” in terms of the protection the norms offer. Security controls will be sufficient or meaningful in some parts of the world, and not in others. This will be an interesting area for investigation into the reasons for non-adherence or potential barriers preventing the implementation.
Multistakeholder Engagement and Horizontal Areas of Focus for 2018
The BPF intends to reach out to all stakeholders and make full use of its existing network of contacts and the mailing list. In addition, this year the BPF plans extra effort to:
● Work proactively to get more governments involved, by collecting best practices which everyone should apply, but which may not be universally known.
● Further engage with the NRIs and get them proactively involved. Perhaps try to find a volunteer in each region to present at their regional events on the topic of norms in cybersecurity, and drive conversation.
Mailing List Sign-up
The BPF Cybersecurity mailing list is open to all stakeholders interested in or with expertise on related issues.
Sign-up at http://intgovforum.org/mailman/listinfo/bpf-cybersecurity_intgovforum.org
Documents
Background paper: Cybersecurity Culture, Norms and Values
Meeting Summaries
2018
Virtual Meeting I - 5 June 2018
Virtual Meeting II - 5 July 2018
Meeting between the NRIs and the BPF Cybersecurity - 17 July 2018
2017
Informal Virtual Meeting I - 17 January 2017
Informal Virtual Meeting II - 24 March 2017
Virtual Meeting I - 20 May 2017
Virtual Meeting II - 21 June 2017
Virtual Meeting III - 7 August 2017