The Department of Foreign Affairs and Trade (DFAT) has been consulting with industry to determine Australia’s engagement with two United Nations (UN) processes on what is deemed responsible state behaviour in cyberspace.
The United Nations General Assembly (UNGA) established the two processes in December 2018: the Group of Governmental Experts (GGE) and the Open Ended Working Group (OEWG).
Australia is a member of both groups.
“The groups present an important opportunity to promote a peaceful and stable online environment and enhance international security,” DFAT explains.
“A key Australian objective is for the inaugural OEWG and/or the sixth GGE to provide practical guidance on implementation of the agreed norms of responsible state behaviour, backed up by recommendations on better coordinating global cyber capacity building, so that all countries are in a position to observe and implement the Framework.”
In its submission [PDF] to DFAT, Microsoft said that while it was respectful of the unique responsibility governments have in matters of national security, the inherently shared nature of cyberspace requires collaboration between and across stakeholder groups to protect the safety and integrity of the online world.
While Microsoft said it agrees with Australia’s position that the so-called “Framework for Responsible State Behavior in Cyberspace” — which is comprised of the 2010, 2013, and 2015 GGE consensus reports — lays an important foundation for protecting and maintaining a safe, secure, and rights-respecting online world, it said the contents of the framework have been “insufficient thus far to prevent the escalating numbers of sophisticated cyberattacks we see today”.
Microsoft said it would encourage the GGE and OEWG to strengthen existing UN norms and establish necessary additional norms.
“The current GGE and the OEWG should reaffirm the validity and authority of all 11 norms recognised in the 2015 GGE report, in their entirety,” Microsoft said.
“They should also explain what the implementation of these norms is expected to look like to improve state compliance.”
It also said that, to further strengthen the 2015 norms, both UN bodies should strive to turn the politically binding commitments into legally binding rules.
“Such efforts should be based on the premise that a) existing international law applies to cyberspace, and b) any new instrument that is developed would need to be consistent with, and operate in support of, international human rights law [including freedom of expression and the right to privacy],” it wrote.
Additionally, Microsoft suggested the adoption of additional Paris Call norms.
“Given the widespread, global, multistakeholder support for the nine principles included in the Paris Call for Trust and Security in Cyberspace, the UN dialogues should recognise the three principles included in the agreement that were not reflected in earlier GGE reports, and adopt them as additional norms,” it continued.
It also encourages Australia to support the recognition by the GGE and OEWG of the eight norms introduced by the Global Commission for the Stability of Cyberspace (GCSC), which include expectations for both state and non-state actors.
Also making a submission [PDF] to DFAT was Russian cybersecurity firm Kaspersky.
Kaspersky recommended the establishment of an effectively working framework for Responsible State Behaviour. It also recommended that such collaboration be transparent and include the exchange of best practices and initiatives already taken by different stakeholders at global and regional levels.
It also wants to see capacity building efforts with the participation of a wider community, including technical, academic, and private sector entities.
Kaspersky believes that further global cyber capacity building might be improved through the open sharing and exchange of national cybersecurity strategies, such as best practices on designing policies and drafting legislation among states and with the private sector; creating a cybersecurity competence network for greater coordination between research centres, small to medium-sized entities, and cybersecurity companies; the organisation of large-scale national awareness cybersecurity campaigns for “greater cyberhygiene”; and contributing to public-private partnerships in cybersecurity.
The role of business, government, NGOs, and the academic community, Kaspersky said, should be to work together to further develop security requirements and technical standards for cybersecurity products and services; to promote responsible vulnerability disclosure and establish country-specific transparent policies and guidelines; and to create open platforms for public-private cooperation in cybersecurity and for threat information sharing.