A "Digital" Geneva Convention to Protect Cyberspace?

Microsoft has proposed a Digital Convention on cyber security, and this commentary seeks to evaluate the inputs made in the proposal and how these inputs could inform future efforts in the field of cyber governance. The first part of the research presents the Microsoft proposal, and the way in which some of the legal gaps that it highlights could be filled by existing international law principles. The second part underlines that the Microsoft proposal is relevant to the behaviour of States, not common criminals, in cyberspace, and it highlights that the private sector’s control of the technical infrastructure on which the internet operates is novel and thus central to the security discussion in cyberspace. The third part provides a description of the existing framework relevant to State behaviour in cyberspace, noting that the effectiveness of this framework is undermined by the voluntary and non-binding nature of States’ commitment to the norms that they propose. The fourth part presents three case studies of cyber events, assessed in the light of the rules in Microsoft’s proposal and the 2015 UN GGE voluntary norms on Responsible State Behaviour in Cyberspace. Lastly, the fifth part follows up on Microsoft’s suggestion of a third-party entity that could serve key functions in cyber governance, as the next necessary step to achieve a more secure cyber environment. The commentary suggests that the starting point for the creation of such an entity could be a multi-stakeholder discussion around the Tech Accord, as cyber security is a concern that touches upon private and public interests together.

Clinic: Graduate Institute, Fall 2017

Beneficiary: Geneva


Executive Summary

The full report can be accessed and downloaded here.


This is a commentary for the State of Geneva that aims to evaluate Microsoft’s proposed “Digital Geneva Convention” on cyber security. It evaluates the inputs that come from this proposal, and it tries to understand how these inputs could inform future efforts in the field of cyber governance.


The Microsoft proposal addresses the issue of State-sponsored cyber operations which affect internet infrastructure and software. The six principles that Microsoft proposes indeed highlight important questions, and they underscore the main novelty of cyberspace: the defence responsibility of the private sector.


This commentary highlights that, in reality, States are already discussing these problems. However, although there is agreement across State-led initiatives that international law applies to cyberspace, States have not been outspoken about how, specifically, they believe international law should apply to governmental cyber activities.


Rather, States’ efforts have been limited to producing norms of responsible State behaviour in cyberspace which are only voluntary. The non-binding nature of these norms is challenging from the point of view of compliance and enforcement. An argument could be made that international law principles already prohibit the conduct outlined in these voluntary norms, but this has not been explicitly recognized by States for the time being.


This commentary is divided into 5 parts. The first part presents the Microsoft proposal, and the way in which some of the gaps that it highlights could be filled by existing international law principles. The second part underlines that the Microsoft proposal is relevant to the behaviour of States, not common criminals, in cyberspace, and it highlights that the private sector’s control of the technical infrastructure on which the internet operates is novel and thus central to the security discussion in cyberspace. The third part provides a description of the existing framework relevant to State behaviour in cyberspace, noting that the effectiveness of this framework is undermined by the voluntary and non-binding nature of States’ commitment to the norms that they propose. The fourth part presents three case studies of cyber events, assessed in the light of the rules in Microsoft’s proposal and the 2015 UN GGE voluntary norms on Responsible State Behaviour in Cyberspace. This exercise highlights that Microsoft identifies existing gaps in the current legal framework, but it also shows that States are already aware of them. This finding makes the prospect of a convention constraining State behaviour in cyberspace unlikely in the short term, and it suggests looking for unconventional, ad hoc tools to achieve more responsible State behaviour in cyberspace. Lastly, the fifth part follows up on the Mi