When Vice President Kamala Harris announced last week that the United States was officially endorsing the Paris Call for Trust and Security in Cyberspace, it marked a major milestone in the global fight to develop consensus international cyber norms.
The announcement moves the United States closer to aligning its official policy with longstanding rhetoric from U.S. officials. For years, successive U.S. administrations have pushed at the United Nations and other venues to develop common rules that govern when a country’s cyber-enabled operations may cross a red line.
The United States joining gives the agreement more credibility on the international stage, but in addition to sticky questions of enforcement and finding common ground with countries like China and Russia, the process is also grappling with how to best accommodate the increasing role played by another group in larger discussions around national security and cyberspace: private industry.
The Paris Call for Trust and Security in Cyberspace outlines nine principles that all states and parties agree to adhere to. They include protecting individuals and infrastructure, protecting core aspects of the open internet, guarding election infrastructure from cyber-enabled meddling, protecting intellectual property, preventing the proliferation of dangerous malware and other tools, building better patching and lifecycle infrastructure, improving cyber hygiene, banning private companies from “hacking back” and upholding international norms in cyberspace.
What makes the agreement somewhat unique is the way it is explicitly constructed to incorporate the views and perspectives of private industry to the negotiating table alongside states. It counts more than 1,200 governments, businesses and civil society organizations among its signatories and the document went out of its way to highlight the key role that industry will have to play when it comes creating and upholding any normative framework that countries agree to.
“We recognize the responsibilities of key private sector actors in improving trust, security and stability in cyberspace and encourage initiatives aimed at strengthening the security of digital processes, products and services,” the agreement reads. “We welcome collaboration among governments, the private sector and civil society to create new cybersecurity standards that enable infrastructures and organizations to improve cyber protections.”
Involving private industry in cyber policy
This framing is designed to increase voluntary buy-in from the private companies that design and produce the IT products used worldwide, as well as the entities charged with managing critical infrastructure and outside non-governmental expertise from academia and think tanks.
Incidents like the WannaCry and NotPetya attacks saw dangerous malware spread through the IT infrastructure of multiple countries and sectors, causing widespread damage. They’re the kind of broad, indiscriminate attacks that experts worry could eventually lead to escalation or military conflict, and that should be addressed proactively through international agreements that make clear what should be considered an act of business versus an act of war in cyberspace.
The U.S. supports the concept of bringing private industry into the discussion. One of the reasons that agencies like the National Security Agency and Cybersecurity and Infrastructure Security Agency have set up government centers dedicated to engaging with industry on domestic cybersecurity issues is that there are often limits to what can be accomplished through hard mandates.
Following Harris’ announcement, U.S. State Department spokesperson Ned Price specifically referenced the inclusion of private actors as a positive development for international norm building.
“We … note the commitments of private sector actors who support the Paris Call to contribute to the future of a stable cyberspace by adhering to key principles relevant to their own unique roles,” Price said. “Among other important efforts, the United States urges companies to take seriously their commitment to strengthen the security of digital processes, products and services, throughout their life cycle and supply chain.”
However, the decision to give private industry a seat at the table has led to some internal disagreement about just how much involvement private industry should have when it comes to shaping matters of international policy and security.
This week, a working group for the Paris Call agreement focused on advancing U.N. negotiations on cyber norms released a report raising questions and concerns about the increasing inclusion of private industry and other actors in the larger debate around cyber norms. The document notes that some countries are not keen to cede too much state primacy.
“From the discussions, it has emerged that the view held by several member states is that an appropriate balance needs to be found between multistakeholder inclusion and the central role of states in negotiations dealing with matters pertaining to international security,” the report notes.
Many who follow the global dialogue on international cyber norms say some level of involvement from industry and other non-governmental entities is necessary, but how much remains a tricky topic.
Further, non-state actors are increasingly being pulled into the murky world of state espionage and cybercrime. In October, a report commissioned by a U.N. working group highlighted how the increasing reliance by states on private “mercenaries” in cyberspace, most notably around commercially produced and sold spyware, muddies the jurisdictional waters around malicious cyber activities creates a whole new set of legal and policy complications for international cyber operations.
“The use of private actors poses a particular challenge to accountability for abuses that occur through cyberspace, in particular across different jurisdictions,” the U.N. experts concluded in one section. “Cyber activities complicate determination of responsibility for an attack, but they do not relieve States from their obligations under international law.”
How much is too much influence?
At the end of the day, governments will still have a major, (and in some cases final) say on the legal and regulatory landscape that these companies must operate in.
Taylor Grossman, a senior researcher at the Carnegie Endowment for International Peace, told SC Media that while it’s clear private businesses and other actors will need to have some level of participation to make many agreed-upon norms stick, much of the follow-on policy work will still involve legislation, regulation and other state-enforced mechanisms.
“I think that we can’t get very far without some private-sector engagement,” said Grossman, noting that problems like disinformation and misinformation will necessitate cooperation and buy-in from social media platforms. “I think when it comes to enforcement, that’s where a lot of this stuff really is going to have to come back to the states.”
The burgeoning role of corporations and other businesses in this discussion is perhaps best reflected in the fact that companies like Microsoft and Siemens have developed their own frameworks and agreements around responsible behavior in cyberspace. Microsoft has even set up its own office at the United Nations.
Justin Sherman, a fellow at the Atlantic Council’s Cyber Statecraft Initiative, told SC Media in an interview that the issue “is not black or white.” He’s noticed a marked shift in recent years in how large companies talk publicly about the traditionally state-dominated discussion around cyber norms. Despite the important roles these businesses play in the larger IT security ecosystem, it’s still important “to treat industry like industry” and ensure their inclusion doesn’t drown out other contributions from elements of civil society, like academics and researchers.
“Microsoft is a prime example here because if you look at their [calls for a] digital Geneva Convention and these other things they say about cyber norms, they’re trying to act like they’re a government and they’re not — they’re a company,” said Sherman. “They talk like they’re a government and they say things like, ‘We’re going to develop norms.’ Microsoft is a company.”
In a Q&A conducted and published by Microsoft last year, John Frank, vice president of U.N. affairs said the company’s position is that it is “not a government; we don’t pretend to be … but there are things that we can help with” when it comes to developing international consensus.
“We think multi-stakeholderism is key. Companies ought to be showing up. Not just to talk about policy, but to work on projects together,” Frank said. “We believe this is the best model for tackling big problems. Establishing our representation office with people based in New York and Geneva is the next natural step for a company that values multilateralism and multi-stakeholder solutions to global challenges.”
In many countries, private industry holds significant ownership over the digital ecosystem and marketplace. That means that absent a willingness to take a heavy regulatory hand, government action alone will only move the needle so much when it comes to impacting the larger cybersecurity ecosystem.
“You need industry buy in to improve cybersecurity defenses, you need companies in your countries to increase investment in cybersecurity, you need the platforms and services and businesses that consumers use to better protect those consumers’ data,” said Sherman. “Much of the global internet, whether that’s marine cables or cloud server farms, are also in the hands of private companies, so if you’re talking about anything from stopping ransomware attacks on a hospital to bolstering the security of internet routing protocols, private industry is the one that actually controls and touches the infrastructure, even if a government decided to regulate.”