IGF 2019 WS #63 Usual Suspects: Questioning the Cybernorm-making Boundaries

Organizer 1: PABLO HINOJOSA, APNIC
Organizer 2: Madeline Carr, University College London
Organizer 3: Duncan Hollis, Temple University Law School

Speaker 1: Sumon Ahmed Sabir, Technical Community, Asia-Pacific Group
Speaker 2: Mariko Kobayashi, Private Sector, Asia-Pacific Group
Speaker 3: Louise Marie Hurel, Civil Society, Latin American and Caribbean Group (GRULAC)

Additional Speakers
  • Merike Kaeo -- Strategic Security Leadership & ICANN Board Member
  • Maarten Van Horenbeeck -- Board Member, First.org / Chief Information Security Officer at Zendesk
  • Cristine Hoepers -- General Manager, CERT .br
  • Koichiro Komiyama -- Deputy Director, JPCERT/CC
  • Sheetal Kumar -- Programe Lead, Global Partners Digital
  • Liam Neville -- Assistant Director, Cyber Policy at Australian Department of Foreign Affairs and Trade
Moderator

Madeline Carr, Civil Society, Western European and Others Group (WEOG)

Online Moderator

PABLO HINOJOSA, Technical Community, Asia-Pacific Group

Rapporteur

PABLO HINOJOSA, Technical Community, Asia-Pacific Group

Format

Round Table - Circle - 60 Min

Policy Question(s)

Cybernorms Development Processes have been different in how they reach agreement; how committed they are in implementing these norms; how open they are in including different stakeholders in their discussion and their adoption; how they account for technical consequences or mediate between political motivations. What can we learn from these processes? Which ones have been more successful? Is there scope for optimism in improving these processes for them to be more effective? More inclusive? More representative? More technically feasible? More impactful in improving cooperation on cybersecurity?

SDGs

GOAL 8: Decent Work and Economic Growth
GOAL 9: Industry, Innovation and Infrastructure
GOAL 11: Sustainable Cities and Communities
GOAL 16: Peace, Justice and Strong Institutions

Description: SETTING THE SCENE. 15 mins. This session will depart from a sequence of thought-provoking questions: (i) What do we understand by "Cybernorms"?; (ii) What sort of "Cybernorms" can be more effective in improving cooperation, whether in the technical arena or between States?. DISCUSSION. 20 mins. A facilitated discussion will deepen on the questions at hand: (i) What are the key characteristics (or best practices) guiding effective Cybernorms development processes; (ii) How do they differ when confronting different cybersecurity solutions? In particular, we will ask (iii). Whether more open and inclusive processes would deliver more meaningful "Cybernorms". PEAK. 10 mins. An open discussion will occur between participants: (i) Why there has been little progress of UNGGE "Cybernorms" to have meaningful impact in improving cybersecurity? (ii) What is the appropriate role of the technical community in contributing to the Cybernorms Development Process. CONCLUSION. 15 mins. How to foster Cybernorms effectiveness? Whether multilateral norms making is better (or more likely to be effective) vs. other areas where norms for industry are more needed? Which areas most need multistakeholder processes (and which don't)?

Expected Outcomes: Analyzing Cybernorms development as an Internet Governance process offers a new approach which has the potential to: 1. Offer practical solutions to solve the political impasse on the production of new Cybernorms. 2. Offer an appropriate and inclusive channel for the technical community to participate in the early stages of Cybernorms development, offering risk assessment and feasibility analysis for Cybernorms agreements, and practical steps for Cybernorms implementation. 3. Offer fresh ideas on what could constitute best practice in Cybernorm Development Processes.

There are three key ingredients that have proved a successful recipe in the previous 3 IGF workshops that we have organized: strong moderation, fast pace interactions and diverse points of view. We have had an initial core team, which includes the organizers and an initial set of speakers (which are included below). As the attendants to the IGF are confirmed, we expand this core group adding other experts as speakers. This is the reason why we keep a round table as a desired format (and not a panel): the idea is that in a short time space, there will be as many points of view being put on the table. The art of the workshop relies in the capacity of the moderators to thread these views carefully, firstly, into an intense debate, secondly, into a fresh set of agreed conclusions, which will effectively take the discussion few steps further. We will juxtapose speakers from Academia, Government, Private Sector, Technical Community, Civil Society and Youth and then build possible tracks for agreement until we conclude with a list of innovative solutions for the questions at hand.

Relevance to Theme: Several groups, bodies, and organizations have been involved in developing "Cybernorms" as an answer to cybersecurity needs and promoting responsible State behavior in cyberspace. Most formally, there is the UN Group of Governmental Experts (UNGGE). But there are other initiatives that are fostering cooperation on cybersecurity: most recently G7 Dindard Declaration, the "Paris Call for Trust and Cybersecurity in Cyberspace" and the ongoing work of the "Global Commission on the Stability of Cyberspace". At the regional level, different organizations have been discussing "Cybernorms" as well: ASEAN, OSCE, OAS, AU, SCO, NATO, EU, etc. Despite the best efforts of all these groups, bodies and organisations, there has been little progress for these "Cybernorms" to have meaningful impact in improving cybersecurity. This is most true in the political domain. Be it the failure of the GGE or the emergence of two-track processes (GGE and OEWG), such developments have played a key role in resurfacing fundamental questions related to the implementation and objective of these Cybernorms. Meanwhile, in the technical domain, we observe a range of widely accepted norms, but not well known or understood in the political arena. These are widely acknowledged, agreed principles, practices and behaviours (or restraint from behaviors), such as MANRS, RIR policies, the IETF Best Current Practices, etc., efforts that have guided cybersecurity efforts and have had positive impact throughout the years. It is important, then, to discuss what is the appropriate role of the technical community in contributing to the Cybernorms Development Process. How to foster Cybernorms effectiveness, by eliciting an expectation of justification by States if meddling with technical norms. Whether multilateral norms making is better (or more likely to be effective) vs. other areas where norms for industry are more needed, and, of course, which areas most need multistakeholder processes (and which don't).

Relevance to Internet Governance: This roundtable will be the fourth in a series of efforts at the IGF to bring the global policy and technical communities into closer and more effective dialogue. By focusing on technical perspectives on "Cybernorms", we may be able to move the dial on stalled debates and, at the same time, we may develop useful insights into the inherent problems with the processes and mechanisms that have been leaned on to develop "Cybernorms" thus far. In our first workshop in 2016, "NetGov, please meet Cybernorms. Opening the debate", participants agreed that there are many elements in the Internet Governance history and processes worth considering when developing "Cybernorms". In our second workshop in 2017, "International Cooperation Between CERTS: Technical Diplomacy for Cybersecurity", we explored the importance and the value of the technical community's involvement in international discussions on cybersecurity. In our third workshop in 2018, "Whois Collected, Disclosed and Protected: CERTs Viewpoint" we deepened the discussion into an example of how State led regulatory efforts can have unintended consequences affecting cybersecurity cooperative efforts. We have strong foundations to argue that the Cybernorms Development Processes are and should be intrinsically related to Internet Governance debates and the former could greatly benefit by exploring best practices on more open and inclusive processes -- that is, including the views of the technical community. Moreover, the 2019 edition of the Best Practice Forum on Cybersecurity is currently working on exploring best practices in different Cybersecurity Initiatives and the implementation of suggested measures. Our workshop is relevant and complements the work of the BPF on Cybersecurity.

Online Participation

We will be promoting the workshop widely, not only to IGF registered participants, but also for people to follow it live through online channels. We will be using social media as additional channels for participation. In spite of technical challenges, we have successfully added voices from remote participants to our sessions. Via live video, just audio and also channeling questions and views through interventions via the chat boxes. We encourage remote participation.

Proposed Additional Tools: Maybe. We are open to use survey apps or other tools to facilitate the discussion.

Agenda

PART I

[3 mins] Background to the four year process and purpose of this session. Pablo

[3 mins]  Why we have been focused on improving the knowledge exchange between the tech and policy communities. Madeline

[3 mins] “Official requests for assistance” UNGGE Norm used as an artefact for the conversation. Luise Marie.

[5 mins] The Estonian case as it relates to Norm 7. Merike.

[5 mins] Case study 2: (WannaCry?) as it relates to Norm 7. Maarten.

(circa 20 mins)

 

PART II

[5 mins] Summary and open the floor for comments.

[5 mins] Open the floor for policy questions (Liam and Madeline can pose some to get started).

(circa 30-35 mins)

 

PART III

[3 mins] Respond to questions. Cristine Hoepers

[3 mins] Respond to the policy questions. Sumon Ahmed Sabir

[2 mins] Points out the tech community methodology. How are we now thinking about the value of using scenarios to develop norms rather than to validate them?

 

PART IV

[8 mins] Open for comments

(circa 45-55 mins) (If time, we can bring in other voices but I think we’ll actually be pushing against the hour by now.)

Reflections from Louise-Marie, Madeline, Pablo

Close.

 

1. Key Policy Questions and Expectations

The UNGGE cyber norms have been designed with international peace and security in mind - specifically, with providing the kind of predictability that helps states avoid an unintended escalation of tension into dangerous kinetic conflict. As such, they have been written in rather abstract terms using open, flexible language. 

However, with the growing emphasis on implementation of the proposed norms, this diplomatic process now comes into conversation (or collision) with the pragmatic reality of how security practitioners work on the ‘front line’ when they collaborate to respond to cyber incidents. Here, we find a preference for much more specificity and clarity. 

This workshop brought out the (sometimes conflicting) views on the operationalisation of cyber norms. We asked how the proposed norms could be mapped onto the incidents. Did the norms have a positive impact on incident response in these scenarios? Did they have negative (unintended) consequences? Were they relevant?

2. Summary of Issues Discussed

There was broad agreement that the UNGGE Norm 8/H is important - [...states should respond to requests for assistance…]. However, there were several interventions that raised questions about who exactly would issue and respond to such a request. In many instances, the technical community pointed out, these requests would not naturally loop in the national CERT or other governmental actors. Indeed, doing so could potentially introduce a level of latency that would undermine rather than support cyber security practitioners to resolve an incident.

There was also broad agreement that the UNGGE norms are somewhat abstract. They lack the specificity that the technical community feels would be required to guide their actions, but the governmental policy representative pointed out that they were not written with this operational level in mind. 

3. Policy Recommendations or Suggestions for the Way Forward

We identified at least three key questions to advancing the dialogue between the technical and policy communities in the implementation of cyber norms:

  • "What kind of implementation are we referring to?" The dialogue between the incident response community and policy community needs to advance in considering what kind of implementation is achievable and desirable for both ends. Second, both communities operate in different  

  • "What are the mechanisms necessary to respond in time?" Both communities have different understandings of temporality. On the one hand, the technical experts highlighted the inherently immediacy of response required to handle and manage incidents. On the other hand,  

  • "How can we advance the conversation (knowledge exchange, trust-building) between both communities?"  

5. Making Progress for Tackled Issues

The technical community (CSIRTs and network operators) had a productive dialogue with the policy community on Cybernorms by expanding on a UNGGE Norm as an example (that about answering to appropriate requests for assistance), in light of cybersecurity incidents, as lived by the technical players that first responded to them.

Speakers from the technical community presented stories about the Estonian cyberattacks in 2007, Bank Heist in Bangladesh in 2016, and the NotPetya and Wannacry incidents in 2017. Looking at these incidents from the perspective of how the Norm supported these response activities, the group proposed a new framework of analysis to measure the value of the norms and their applicability in real world situations.

6. Estimated Participation

Approx. 50 people in the room. Fair gender and geographic representation among speakers. Slightly less women than men in the room.

8. Session Outputs
  • A proposed approach to scrutinize norms implementation through a case-study analysis of incident and response to incidents that have occurred in the past. Through the lense of practical experience, the effectiveness of these norms can be evaluated.
  • That this approach can help to bridge a dialogue between policy and technical communities, raising understanding of different mindsets and communities with different objectives. Also, this dialogue through practical examples can inform future norm-developing processes by considering lessons learned and preventing un-intended consequences.
  • On the normative matter of "Appropriatee requests for assistance" participants agreed that introducing latency can undermine incident response, also can damage established informal networks of trust.