Multistakeholderism: the missing cyber norm?

15 Mar 2019

By Sheetal Kumar and Matthew Shears

Cyber norms are seemingly being discussed everywhere at the moment. From global expert meetings such as the Global Commission on the Stability of Cyberspace (GCSC), to bilateral negotiations, networks of private sector tech companies, regional forums and now the UN’s First Committee two parallel processes on cyber norms, there’s a new energy for discussing what states (and other actors) should and shouldn’t do in cyberspace.

But while these discussions often acknowledge the importance of broad stakeholder engagement in principle, there’s a notable lack of focus on how to make this happen – when it comes to both the development of cyber policies and their implementation. The draft GCSC Singapore Norm Package, for example, doesn’t explicitly refer to stakeholder engagement, despite purported support from many states and other stakeholders.

It is expected that the GSCS Norm Package, which includes some of the most specific recommendations on how to ensure security and stability in cyberspace we have seen so far, could influence the two UN processes. But without the explicit recognition of the need for inclusive dialogue, it would be foolish to think we can make progress on cyber norms – including on implementation of the norms that have already been suggested. There’s two key reasons for this:

1. Geopolitical tensions and national security interests

The focus of the UN cyber norms processes should be on protecting individuals, critical infrastructure and other public services that rely on the internet from attacks. These are the important things. But there’s a real risk that long-standing geopolitical tensions between states (which caused this messy two-track situation in the first place) will distract from this. We stand a much better chance of avoiding a skewed discussion by ensuring that perspectives which are not shaped by geopolitical or national security concerns are present in the room, and listened to.

2. Global cybersecurity measures can only be implemented with the commitment of a range of stakeholders

Cyberspace relies on many stakeholders to provide its services, innovate, develop and grow – and the impact of cyberattacks is broad, crossing borders and sectors. It follows that cybersecurity policies developed in an inclusive way will be easier to implement (and acquire buy in for) than those developed by only one set of stakeholders. Mauritius recently learned the pragmatic value of a more inclusive approach when it developed its national cybersecurity strategy.

This isn’t a new idea. The importance of multistakeholderism has already been widely recognised and committed to – whether that’s in national or regional cybersecurity strategies (e.g. Mexico, Chile, Ghana, and the EU strategy), or the elaboration of norms at the global level (e.g.the Paris agreement, the GCSC’s multistakeholder consultations and the FOC’s former multistakeholder Working Group on Cybersecurity). There has also been proactive engagement of non-government stakeholders in norm-building, notably from the private sector who have set out their own “rules of the road” – just look at Microsoft’s Proposal for a Digital Geneva Convention, Siemens’ Charter of Trust and, most recently, the joint assertion from a coalition of companies to the UN’s new High Level Panel on Digital Cooperation that it would “ignore a multi-stakeholder approach to cybersecurity at its peril”.


So – what’s the way forward?

In our submission to the GCSC’s consultation on its draft Singapore Norm Package we propose a norm on the multistakeholder approach to cybersecurity policy:

“States should ensure that the development and implementation of cyber-related policies are open, inclusive and transparent. The stability and security of cyberspace both affects and relies on a wide range of stakeholders, and as such requires their meaningful engagement to be effective and sustainable”.

If the international community is serious about their commitment to the multistakeholder approach in cyberspace they should adopt such a norm. This could be done through the GCSC itself, which is now reviewing the Singapore Norm Package following its consultation, but also through the discussions at the GGE and the OEWG. As a first step, the GGE should set up regular, intersessional consultations with non-government stakeholders that are open to a broad range of stakeholders. The OEWG should ensure that their sessions are as open and inclusive as possible – for example by not limiting its sessions to ECOSOC accredited NGOs only. (The UN’s OEWG on Ageing is an example of good practice in this respect).

We stand at a critical junction in the global discussion around cyber norms. There are many recommendations on the table, as well as many challenges and divisions. If we are to surmount these challenges, then more inclusive discussions need to become the norm.