The Internet Governance Forum Best Practice Forum (IGF BPF) on Cybersecurity is a multistakeholder group focusing on the development of culture, norms and values in cybersecurity.
Norms have become a very important mechanism for states and non-state actors to agree on responsible behaviour in cyberspace. There are numerous initiatives underway in this regard, but with limited exceptions, such as the Global Conference on Cyberspace (GCCS) and the Global Commission on the Stability of Cyberspace (GCSC), most of these norms discussions happen in inter-state forums, and they do not always provide an open and inclusive mechanism for non-state actors to participate and to contribute. The Best Practice Forum is taking a multistakeholder view on the development of norms, both within and between participants of each IGF stakeholder community.
The 2018 IGF Best Practice Forum on Cybersecurity issued a call for contributions to gain perspectives from all interested stakeholders on existing norms development efforts, how those norms are being implemented, and whether they are successful. The forum is also trying to understand whether differences in design and implementation may result in a “digital security divide”: a group of “haves” and “have-nots” in terms of the protection the norms offer. To provide additional background, the Best Practice Forum has developed and released a background paper on these issues. APC contributed to this background paper.
The call for contributions asked respondents to address the following questions:
1. How do you define a culture of cybersecurity?
2. What are typical values and norms that are important to you or your constituents?
3. Within your field of work, do you see organizations stand up and promote specific cybersecurity norms? This can be either norms at an inter-state level, or norms that only apply within your community or sector.
4. Are there examples of norms that have worked particularly well? Do you have case studies of norms that you have seen be effective at improving security?
5. Do you have examples of norms that have failed (they have not seen widespread adherence), or have had adverse effects (living up to the norm led to other issues)?
6. What effective methods do you know of implementing cybersecurity norms? Are there specific examples you have seen, or have had experience with?
7. Within your community, do you see a Digital Security Divide in which a set of users have better cyber security than others? Is this a divide between people or countries? What is the main driver of the divide?
Read APC's response to the call for contributions here.