Public-Private Cooperation, Political Will Must Drive Cyber Governance

We live in a polarized world in which political and ideological divisions directly affect the digital ecosystem, cybersecurity, and behavior of different actors in cyberspace. Some countries benefit from the advantages made possible by the digital revolution and take seriously the challenges that come with the use of information and communication technologies (ICT). Other countries, however, see the digital revolution as an enabler of domestic interference that could potentially inculcate its citizens with Western or democratic values.

It is difficult to agree on any globally binding rules, treaties or agreements as long as such differences persist and without the political will to cooperate.

Cybercrime is a particularly stark example in which contradictory political views have negatively affected global cooperation, resulting in two competing processes. First, there is the Budapest Convention on Cybercrime, enacted in 2004 as an initial attempt to mount a fight against cybercrime at the international law level. It is not perfect. It has been amended, and will be amended in the future, but it lays a solid legal ground for global cooperation. The convention is well received and recognized globally with 65 parties (67 signatories), including such non-Council of Europe states as the United States, Australia, Japan, Israel and Canada. Unfortunately, cyber superpowers, such as Russia and China, have not acceded to the Budapest Convention. Even more concerning, Russia recently submitted its own draft Convention on Countering Cybercrime to the United Nations. The Russian government insists its convention is a necessary replacement to the Budapest Convention, which it argues is outdated, too regional in scope and in violation of state sovereignty.

That may sound like a reasonable explanation on the surface, but it could also be interpreted as a tactic to postpone global cooperation in the fight against cybercrime and as an expression of distrust toward like-minded countries that are parties to the convention. By introducing a new convention rather than updating an existing agreement already accepted and in force, Russia tramples on the work already done and may impede progress on the updates the Budapest Convention legitimately needs.

Ideological division also leads to different interpretation and application, both legal and political, of internationally agreed norms and principles. Reports of the UN Group of Governmental Experts (GGE) on Advancing Responsible State Behavior in Cyberspace, in which I participated as an Estonia expert from 2014 to 2017, reflect it clearly. All UN GGE reports have underlined the importance of promoting “an open, secure, stable, accessible and peaceful ICT environment” and the applicability of international law to cyber. All GGE reports have been adopted by the UN General Assembly, which means they are recognized globally and should be followed by all states.

But reality is very different. Application of agreed norms and rules varies from country to country. In practice, we see the attempts of balkanization of the internet and a growing number of cyberattacks either sponsored or supported by states. Cyber operations and cyberattacks are the new normal and the so-called “inadvertent escalation” — accidental war — through state behavior in cyberspace is a real and increasing threat, and one that must be urgently addressed.

At the same time, we also see that some countries lack genuine commitment toward cooperation and common application of international law to cyberspace and cybersecurity. The fact is the UN Security Council has not even held a serious discussion about cybersecurity, with the exception of an informal Security Council Arria-Formula Meeting organized by Estonia in 2021 when it chaired the council.

Cyber operations and cyberattacks are the new normal and the so-called “inadvertent escalation” — accidental war — through state behavior in cyberspace is a real and increasing threat, and one that must be urgently addressed.

Every shared space needs clear and recognized norms and rules that define what is allowed, what is not, and what the consequences will be when those norms and principles are violated. Cyberspace is not an exception. Even more troubling, this new domain, created after majority of international law was already adopted, has become a testing ground for countries to push at the limits of international norms and principles with ever more sophisticated cyber actions. 

It is also time to finally recognize, not only in words but in deeds, the inevitability of multistakeholderism — governmental cooperation with private sector, academia, IT experts and civil society. The truth is that states alone cannot be effective in the cyber domain. Indeed, if they wish to promote and support liberal democratic values, the multistakeholder model is the only way to ensure human rights and personal freedoms.

Until countries can put aside their ideological differences, unite their forces and summon the political will, there is no hope for truly effective global cooperation either in cybersecurity or in the fight against cybercrime. For now, our digital security will depend on key actions at the regional level — in the European Union and NATO in particular — in close cooperation with other like-minded states. These responsible states must work quickly and cooperatively to avert the cyber catastrophes sure to come if the domain remains ungoverned.