Internet today has become a pivot on which the modern life hinges. It has completely altered the way people live, share and work. Internet has opened the door to myriad opportunities and advances, but at the same time made people vulnerable to several threats. Events such as Petya/Not Petya and Wannacry ransomware attacks have not only debilitated institutions and caused considerable financial losses, but also have serious and adverse consequences for the international and national security, global economy, democratic processes, and the security, safety and privacy of individuals. The transnational characteristic of these threats is a source of grave conundrum among the nation states. This has brought to forefront the need to have some sort of common rules and regulations to govern the cyberspace.
In this context, on November 12, 2018, at the UNESCO Internet Governance Forum (IGF) meeting held in Paris, the French President Emmanuel Macron commenced “The Paris Call for Trust and Security in Cyberspace.”1 This high-level declaration on “developing common principles for securing cyberspace” has the support of various major private companies and civil society groups. Even many of the states participating in the forum have fully supported the Paris Call.
Major principles articulated in the Paris Call document talks about protecting the integrity and accessibility of the internet while preventing nefarious activities online and building resilience. The report that was released during the IGF also talks about preventing proliferation of malicious online programmes and promoting multilateral cooperation in order to prevent interference in electoral processes.
Interestingly, the Paris Call also highlights the importance of “cyber hygiene”, a term rarely used in the cyber parlance. Cyber hygiene is often equated with personal hygiene, where, just as the latter is concerned with the well-being and good health of a person, the former connotes data protection and safety. This can be ensured by following basic best practices like regularly changing the passwords, updating the software as well as the hardware, using licensed software, backing up the data regularly, etc. Thus, having a routine cyber hygiene in place for computers and software is beneficial for both “maintenance” and “security” of the system.2
IGF’s call for trust and security in the cyberspace is not the sole initiative on the subject. In 2013, a Group of Governmental Experts (GGE) at the UN came to a consensus that international laws that govern state behaviour in the international setting should also be extended to the cyberspace. In 2015, the same group charted four peace time norms in the cyberspace, which stated that “states should not interfere with each other’s critical infrastructure; they should assist other nations investigating cyberattacks; they should not target each other’s computer emergency response teams; and they are responsible for actions that originate from their territory.” 3
However, the application of international law in the cyberspace has itself become a major debating point. The United States (US) strongly promotes the stated peacetime norms especially when it comes to exercising the inherent right of self-defense and the law of state responsibility, including countermeasures in the cyberspace. It also stresses on creating a new and closed group of Governmental Experts (something akin to the UN Committee on the Peaceful Uses of Outer Space which has guided the adoption of a series of treaties and principles). However, both Russia and China oppose the US idea of forming a new group as they believe that it could be an exclusive club driven only by the US interest. China does not concur with the application of international law in general, rather it stresses on the importance of sovereignty in the cyberspace. Russia on the other hand talks about an open ended working group which would be more inclusive. Thus, increasing the legitimacy but also likely exacerbating the existing obstacles to forging consensus on the issue. Russia’s major concern has been the discussion about countermeasures. As Russia has been named in the hacking of computer network of the Democratic National Committee (DNC) and many other such nefarious cyber activities, Moscow feels that countermeasures may justify the US means of actions for hacking and information operations. 4
Interestingly, many states are of the opinion that the emerging binary model – a “complete self-management, without governance” (the US model) and “compartmented internet, entirely monitored by strong authoritarian states” (the Beijing model) – only caters to the needs of the US and China, respectively.5 The differences in the two models have made consensus building among member states a major challenge. Thus, Paris Call presents itself as a new “collegial method”, or rather a middle ground that would encapsulate not only the member states but also private entities and the civil society. It could also be seen as an effort to end the international deadlock. The fundamental idea behind Paris Call has been to further the already existing institutions to “limit hacking and destabilising activities” in the cyberspace by formulating an all-encompassing multi-stakeholder model that gives due importance to the private entities rather than trying to establish new institutions.
More than 190 signatures were obtained on the Paris Call, out of which 130 were of the private sector, 90 of the charitable groups and more than 50 of the member nations.6 Although majority of signatories are European countries, one cannot overlook the inclusion of other major countries including Qatar, Mexico, New-Zealand, South Korea, Colombia, Japan, Morocco, Canada and Senegal.7 Ironically, while several major American technologies like Facebook, Microsoft, Google, International Business Machines (IBM) Corporation and Hewlett-Packard (HP) have endorsed the agreement, the US itself took a pass at the deal.8 Even the Kaspersky Lab that was accused of assisting Russia’s hacking effort has signed. Other major players who did not sign the document were China, North Korea, Russia, Iran, Israel, Saudi Arabia and Australia despite the fact that the former four countries have an active cyberwarfare programme.9
Norms building especially in the arena of global commons has been a complex issue. Paris Call, in this context, could be seen as a positive step towards finding a middle path between Western democracies and authoritarian regimes so as to build some form of consensus on issues pertaining to cyberspace. Active participation of private players indicate how tech corporations are playing a crucial role in governing the internet.
However, one cannot deny that the Paris Call failed to put in place the “compliance” mechanism. It does not require governments or corporations legally to adhere to any specific principle. Moreover, this agreement failed to bring major players on board especially the US, China and Russia. This can be attributed to the fact that major players want their own interests and agendas to be forwarded. Many such initiatives have earlier failed to garner popular support across the international community due to divided political objectives. Nevertheless, Paris Call should be seen as a new means to achieve the long-term objectives of securing the cyberspace. By gaining support from top American tech-firms and emerging powers, it seems that Paris Call is here to stay though its impact will depend on the effectiveness of the measures it takes in the foreseeable future.
Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.