
Cybersecurity Framework

A. Infrastructural Perspectives

2. Cybersecurity Framework

Cybersecurity is an objective of major importance in the Internet governance context; in substance, it can be seen as a collective action problem. Its definition, however, is still subject to debate, for example in global bodies such as the International Telecommunication Union, the Internet Society or the International Organisation for Standardisation.425

Manifold threat agents, threat tools and threat types cause risks to cross-border infrastructures. Cybersecurity measures should eliminate or at least minimize the risks caused by inappropriate use of international infrastructures. Generally speaking, risk is a function of the likelihood of an adverse event, conjoined with the magnitude of harm upon the occurrence of the adverse event. Precautionary measures are to be taken by governmental and private actors.426 The technological setting must ensure that data (information) is authentic, accurate, and safeguarded from unauthorized modification.427 As a consequence, from a regulatory perspective, the cybersecurity framework could be established and administered through (i) private institutions with regulatory functions, (ii) hybrid intergovernmental-private arrangements, (iii) distributed regimes of regulators in co-operative schemes, (iv) collective action by transnational networks between officials, or (v) formal international organizations.428 The implemented measures must be adapted to the prevailing circumstances.

421 See Kettemann, 2020, 36 et seq.

422 For a detailed analysis see the GCSC-Report, 2019; a recent definition of cybersecurity as well as a cybercrime taxonomy can be found in Luca Belli, CyberBRICS: A Multidimensional Approach to Cybersecurity for the BRICS, in: Belli, 2021, 1, 7/8 and 19-22.

423 See also Weber, 2021a, no. 3.

424 For further details see Weber, 2014a, 99 et seq.

425 See Weber, 2020b, 280/81.

Experience over the last 15 years in the field of cybersecurity has shown that the traditional international law approach, operating at the State level through multilateral treaties, is hardly able to cope with the challenges of combatting illegal cyber activities. Many expert groups, mainly mandated by the United Nations, published impressive research reports, but the attempts to reach a common understanding on certain principles remained unsuccessful and no implementation of political measures took place.429 Whether the recently launched initiatives with the appointment of two new intergovernmental expert bodies, namely the Open-Ended Working Group (OEWG) and the Group of Governmental Experts (GGE), will be more successful remains to be seen. The respective reports are due towards the end of 2021, but since the underlying UN Resolutions come from different political angles, the outcome risks being (slightly) contradictory.430

The only exception in the form of a stable legal instrument is the (Budapest) Cybercrime Convention of the Council of Europe (2001),431 which has also been ratified by many (important) non-European countries (for example Argentina, Australia, Canada, Israel, Japan, United States); however, its principles are partly outdated since they do not take into consideration the specifics of the Internet.432 On a regional level, the European Union (EU) adopted the Network and Information Systems (NIS) Directive in 2016433 and the Cybersecurity Act in 2019.434 These legal instruments promise to improve the integrity and security of the Internet, but their geographical scope remains regional.

426 Respective measures are particularly addressed in the International Organisation for Standardisation's standard ISO/IEC 27001, "Information technology – Security techniques – Information security management systems – Requirements".

427 Weber, 2021a, no. 7; Kettemann, 2020, 26.

428 Weber, 2020b, 307.

429 For further details, particularly on the five reports of the United Nations Group of Governmental Experts (UNGGE), see Weber, 2020b, 285-288, and Kulesza/Weber, 2021, 3-5, each with additional references.

430 See also Kettemann/Paulus, 2020, 3, sharing this concern.

431 Council of Europe, Convention on Cybercrime, ETS no. 185, Budapest, November 2001.

An assessment of the previous transnational attempts to improve cybersecurity shows that a new regulatory framework must include a larger number of stakeholders. Such an attempt was undertaken by Microsoft in 2017/18, when it suggested adopting an international treaty to guarantee the peaceful use of cyberspace.435 The respective proposal to develop a "Digital Geneva Convention" referred to the existing "Treaty on the Non-Proliferation of Nuclear Weapons" and the "Chemical Weapons Convention" as examples of international regimes limiting vital threats to human existence. However, the Microsoft proposal was met with skepticism on the part of many States and its adoption remains uncertain.436 In the more business-oriented world, some general security objectives, namely (i) confidentiality, (ii) integrity, and (iii) availability, also known as the "CIA" triad of the information security industry, have found a certain degree of standardization. The International Organisation for Standardisation (ISO) defines "information security" as the preservation of confidentiality, integrity and availability of information in its "ISO/IEC (International Electrotechnical Commission) 27000 family of Information Security Management System standards".437

The presently incoherent patchwork of cybersecurity regulations does not adequately reflect the political needs.438 So far, the only exception to this pattern is the European Union with its mentioned (directly or indirectly applicable) legal regime consisting of the NIS Directive and the Cybersecurity Act. On the global level, however, further efforts to achieve a better coordinated regulatory framework are required.439

432 For further details see Weber, 2020b, 291-294 with more references.

433 Directive (EU) 2016/1148, OJ 2016 L 194/1 of 19 July 2016.

434 Regulation (EU) 2019/881, OJ 2019 L 151/15 of 7 June 2019.

435 Microsoft, Cybersecurity Policy Framework, Geneva, 2018, https://www.microsoft.com/en-us/cybersecurity/content-hub/cyberscurity-policy-framework.

436 Weber, 2020b, 307.

437 See https://iso.org/standard/54534.html.

438 For this reason, the Global Commission on the Stability of Cyberspace has developed substantive principles (so-called "cybernorms") to be adopted by international and national legislators (see GCSC-Report, 2019, 6/7).