Outlook on Internet governance: Is it time for a digital Geneva Convention?


Is cybersecurity an appropriate issue for internet governance? Should cybersecurity governance follow the multi-stakeholder approach? These questions, which focused the debate at the first event of the Cybersecurity@CEPS Initiative on March 29th, are becoming increasingly relevant given the increasing concern over the proliferation of state-led cyber-attacks. The equation of cybersecurity with national security automatically implies a major role of the government as decision-maker. If we look at cybersecurity as a means of defending critical infrastructure, however, multi-stakeholder governance becomes possible and even necessary.

In the debate, Microsoft presented the idea of a Digital Geneva Convention. Just as the fourth Geneva Convention has long protected civilians in times of war, we now need a Digital Convention that commits governments to implement the norms needed to protect civilians on the internet in times of peace. The proposal envisages initiatives such as no targeting of tech companies, the private sector or critical infrastructure and the creation of an independent organisation mandated to investigate the attribution of nation state attacks to specific countries in a manner similar to the role played by the Atomic Energy Agency. The reaction from the different stakeholders was quite interesting: the European Commission stated that there are already rules to protect the civilian use of the internet and there is thus no need for a new convention. Conversely the private sector and the civil society applauded the initiative as a potential vehicle for bringing a new impetus to the debate for a more stable and secure internet.