The international cyber security community has not been immune to the global political trend of diminished public trust in globalism and establishment institutions. The ideal of a universally accessible “open internet” is increasingly under stress. China is striving to assert more control of the internet by buying up international data centres, while Russia is more determined than ever to foster instability in the global system. Meanwhile, smaller and developing countries are growing skeptical that the vision of the open internet promoted by liberal democracies is in their interest.

At the same time, billions of consumer devices with questionable security are...

Critical infrastructure sectors and services such as electricity generation, gas and oil production, telecommunications, water supply, transportation and financial services are becoming uniquely vulnerable to malicious attacks because of their increased automation, interconnectedness and reliance on the internet. This infrastructure-internet entanglement has become a strategic vulnerability for most countries around the world, which are realizing that this profound weakness can threaten their national security and, potentially, international peace and stability. This realization came to the forefront a decade ago, when a malicious computer worm known as Stuxnet was used to degrade and ultimately shut down Iran’s nuclear facility in Natanz...

Concern over the risk of cyber attack led Russia in 1998 to propose at the United Nations a treaty to limit the use of cyber attack and cyber weapons. The Russian proposal drew on the experience of arms control and disarmament, but it found little support and was opposed by the United States. During the same period, there were also various proposals from the academic community for some sort of formal international cyber security convention, but many of these proposals were impractical and they too garnered little support.

Agreement on a binding treaty or convention was politically impossible, given the...

At the February 2017 Munich Security Conference, Dutch Minister of Foreign Affairs Bert Koenders announced the formation of a new non-governmental Global Commission on the Stability of Cyberspace (Government of the Netherlands 2017). The commission will supplement the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE), which began in 2010 to develop proposals for norms for responsible state behaviour in cyberspace. The commission will encourage more non-governmental input into the formulation of norms. Normative constraints arise over time from formal agreements among states, the practices of governments...

Since 1998, many small battles to clarify what rules apply in cyberspace have been fought under the umbrella of the UN General Assembly’s First Committee, which deals with disarmament, global challenges and threats to peace that affect the international community.

The First Committee process started with a Russiansponsored resolution (UN General Assembly 1999), which, over the past decade, has come to be supported by more than 100 nations. Under the resolution, 64 countries have used the opportunity to share their national positions on the issue of information and communications technologies (ICTs) as a threat to international peace and security, and...

The challenges that cyberspace presents to the international community have evolved dramatically since the initiation in 2013 of the United Nations’ Group of Governmental Experts (GGE) process¹ and the international cyber norms agenda. This growth is a product of not only the expanded range of threats but also the accompanying recognition in the international community’s discussion that not all threats originate from the actions of state actors.

Further, the community has come to recognize that the security paradigm often applied to the cyber challenge could be usefully complemented by taking an approach closer to that of public health, by broadening...

The single-most crucial cyber security issue facing the international governance community is systemic, society-wide digital insecurity brought on by the digitization of society and global connectivity. This is not merely one issue — it is the issue. Citizens, consumers, businesses — even government agencies — seem powerless to protect themselves as their confidential, proprietary or personal digital communications and data are hacked. The international community must not stand by as a “new normal” develops — an environment in which daily data breaches, digital identity theft, ransomware attacks and weaponization of information are passively accepted. We need a society-wide paradigm shift...