GCCS2017: a cyberspace free, open and secure (but mostly secure)

Last week (November 23-24), the Indian government hosted the 2017 Global Conference on CyberSpace (GCCS2017). This was the fifth instalment of the London Process, launched in 2011 by the UK government to advance global norms for responsible behaviour in cyberspace.

GCCS2017 was the first in the series to be hosted by a non-OECD country, and arrived at a highly charged political moment. Around the world, government concerns over online activities are intensifying, while a geopolitical impasse on key issues relating to cyberspace – vividly reflected in the recent collapse of discussions at the United Nations Group of Governmental Experts – continues to harden. Many hoped that holding the GCCS in India would be an opportunity to move past the deadlock and build consensus across geopolitical and stakeholder boundaries.

GPD participated in the event and, along with a number of other civil society organisations, made an effort to promote a rights-respecting vision of cyberspace, underpinned by open, inclusive and transparent policymaking processes. These were anchored by a set of civil society messages, developed collaboratively at a pre-GCCS workshop organised by GPD.

So how did the Conference and its outcomes stack up to these priorities and the original objective of building global cooperation in cyberspace?

The focus of the Conference was inclusion, with ‘cyber4all’ serving as an umbrella for four themes: cyber4growth, cyber4digitalinclusion, cyber4security, cyber4diplomacy. This framing attracted particular interest from global South governments, with many high level representatives in attendance, including 26 ministers. This framing was also promising from a human rights perspective as it foregrounded the clear and pressing need to address the growing digital divide, both between and within countries.

Ultimately, however, the Conference not only offered little in the way of addressing this issue – it actually ended up excluding a number of critical voices from the debate.

While multistakeholder principles were endorsed in Conference speeches, implementation at the Conference fell short of the ideal. According to official figures, only 5% of participants at GCCS2017 came from academia and civil society, with attendance from the technical community and international private sector similarly thin.

But numbers, while revealing, are not the whole story. More important was the lack of meaningful opportunities to engage in and shape the Conference and its outcomes.

Inclusion at the event, civil society were to learn, was limited and conditional. A number of local groups working on cyber-related issues were unable to secure an invitation to the Conference at all. And those of us who were lucky enough to get in? Only a handful were invited to speak (and in only two of the many sessions), while the panel-heavy programme offered few opportunities for audience participation and genuine exchange of views. Introducing more dynamic session formats led by skilled moderators – now commonplace at the Internet Governance Forum, ICANN, and other multistakeholder events – would have been a welcome innovation (and made for more interesting sessions).

Opportunities to shape the Conference outcomes proved equally elusive.

While the Indian government originally intended for there to be a “Delhi Declaration” – consensus text presented on behalf of all Conference participants – this was eventually dropped in favour of a less contentious Chair’s Statement. Neither were open to non-governmental input.

This is not to suggest that organising a multistakeholder event of this scale is without challenges. Previous events in the London Process are a case in point: the Seoul edition, for example, had a tightly controlled speaker and participant selection process and excluded local NGOs, and even The Hague edition — which invited every NGO that expressed interest and went as far as opening the Chair’s Statement to non-governmental input — fell short of involving civil society in the launch of the Global Forum on Cyber Expertise (GFCE).

And for all its practical challenges, GCCS2017 did at least see multistakeholder approaches in the context of cyberspace endorsed in a number of public statements, sending a useful signal to governments both participating and observing.

The message that really failed to get any traction was the one on human rights. Compared to previous editions of the London Process, human rights barely featured in the Conference agenda and outcomes. Among the many sessions on the programme, only one panel explicitly dealt with the ‘free’ element of the GCCS2015 vision (‘free, open and secure’) and, rather than a conversation about how to implement the vision, it was framed as a question about the very possibility of a free and open internet.

The Chair’s Statement – the only official outcome document of the Conference – includes precisely zero references to human rights, although it does, in places, refer to the empowering potential of digital technologies. On balance, this is a regression from commitments made at GCCS2015.

Overall, discussions at the Conference reinforced rather than challenged the broader trend of securitisation within cyber-related debates, projecting a vision of cyberspace in which rights and freedoms are subordinate to security. This is a dangerous vision because it both legitimises the movement of discussions on a range of digital issues to closed, government-only spaces, and distracts from the pressing need to advance global cooperation on cybersecurity issues and challenges, which the London Process was set up to address.

The overriding focus on domestic digital initiatives in the host’s interventions at the Conference were no doubt valuable in terms of knowledge exchange and capacity building. But has GCCS2017 helped move the global debate forward? Some practical measures were proposed – notably a “digital knowledge-sharing platform” in the Chair’s Statement, the GFCE Delhi Communique on a Global Agenda for Cyber Capacity Building, and a call to action “to protect the public core of the internet”, issued by the Global Commission on the Stability of Cyberspace. But the lack of progress on building global consensus around norms for cyberspace at GCCS2017 was a missed opportunity.

How can we ensure that the next GCCS (likely to take place in 2019) moves forward on these questions? This edition made welcome progress in bringing global South governments to the table. The real challenge for the next GCCS host, whoever that is, will be to take this important process forward in a way which upholds and builds on existing commitments to multistakeholderism and human rights.