|
It is one of those surreal, ironic moments in time. This coming week, an event called the Internet Governance Forum (IGF) 2017 will be held at Geneva in the old League of Nations headquarters now known as the Palais des Nations. On its agenda is a workshop to discuss “A Digital Geneva Convention to protect cyberspace.”
If the IGF participants, as they enter the Palais grounds, simply look in the opposite direction south across the Place des Nations, they would see 100 meters away, a glass cube building provided by the Republic and Canton of Geneva. Two floors down in the deuxième sous-sol are the archives that hold the existing Digital Geneva Convention to protect cyberspace—signed and ratified by every nation in the world. The archivist would probably make the documents available for view, but thanks to one of the most extensive digital archival initiatives of treaty instruments in the world, the entire series of Digital Geneva Conventions are available together with all the treaty conference materials going back 152 years. (The previous 15 years of convention materials are still in the Austrian State Archives in Vienna.)
The existing Digital Geneva Convention was crafted when the first digital networks were interconnected across national borders in 1850. Many of the basic cybersecurity issues were vetted for weeks among the nations present and provisions placed in the treaty instrument. Protection of users, national security, privacy, identity management, structured reporting, technical protocols—the provisions are all there. As new services, facilities, and technologies emerged over the subsequent decades, the provisions were evolved and expanded. The biggest expansions were those relating to radiocommunication, undersea cables, voice communications, broadcasting, satellite communications, digital networks, and datagram internets.
Further digital cybersecurity protections were undertaken as part of this process in 1988. Prior to then, the deployment of public datagram internets based on any of the multiple internet protocols was prohibited. When the treaty conference was held, the infamous first major internet cybersecurity incident occurred—the Morris Worm—which resulted in additional cybersecurity provisions being included in the treaty. The treaty instrument enabled the offering of public datagram internet services and the considerable array of supported applications when they came into force the following year, and remain in force today—literally providing the basis in public international law for these services.
The existing Digital Geneva Convention is actually a comprehensive set of treaty instruments and technical standards together with a permanent organization with well-established, very effective, open processes, and state-of-the-art facilities provided by the Canton of Geneva. The scope encompasses all digital (and analog) communications, services, and technologies. The focus on effecting legal and policy agreements among nations on matters such as cybersecurity through ancillary technical specifications has proven an effective component in actually implementing meaningful cybersecurity capabilities. The permanent organization for the Digital Geneva Convention regime was given the name International Telecommunication Union in 1932. It owes the name to an intergovernmental treaty devised in 1920 by the U.S. Wilson Administration—the Universal Electrical Communications Union—to effect cybersecurity following events and technology developments during World War I.
Along with that history and stature as the sole global intergovernmental mechanism for digital security, comes additional features. It has a partnership with the U.N. and just about every other intergovernmental and industry body in the world. Its published documents are freely available on-line with persistent identifiers, and exist in five languages. It has one of the best information systems and meeting support capabilities in the world. It curates best-of breed cybersecurity specifications from other bodies and republishes them so as not to reinvent work already accomplished. And, it even has a free headquarters campus of elegant buildings in a country that provides ready access to every nation’s citizens, in the most international city in the world, with one of the world’s best air traffic hubs.
Following the legalization of international internets in 1988, the cybersecurity components were implemented through joint ITU-ISO specifications. Many of these were implemented by companies such as Microsoft—whose secure eMail platform is based on ITU-T X.400. The standards additionally included trusted identity management, PKI, network management, transport and network layer security, and threat sharing—that have been widely adopted and enhanced by other standards bodies, government agencies, and industry implementers. These platforms remain essential components of cybersecurity today in all networks and services.
So, the first obvious question is: why on earth would one try to invent another Digital Geneva Convention? Such a convention would have to have to replicate everything in the existing Convention ensemble that has existed and evolved over the past 167 years, and get the same 193 Nation States to sign and ratify to the provisions. Furthermore, the materials that have been introduced in the IGF2017 workshop on this topic are far less comprehensive, immature, and ignore long-standing public international law that already exists.
The second obvious question is: why don’t the participants simply exit the Palais, and walk across the Place des Nations plaza, over to the ITU campus and begin participating in the considerable array of cybersecurity technical, development, and legislative activities underway—together with all the member countries and participants. That could start by visiting the best communications network reference library in the world on the top floor above the archives. Participation can occur directly, or through a national administration, or through the many cooperating organizations.
On an especially important last point—if anyone is seriously interested in advancing the existing Digital Geneva Convention for cybersecurity to enhance it with any provisions or capabilities felt necessary, they have the opportunity to do that with all the nations of the world at the 2018 Plenipotentiary Conference at the end of October. Most national Administrations and many industry bodies are now beginning preparations.
Sponsored byCSC
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byRadix
Sponsored byIPv4.Global
Sponsored byWhoisXML API
Tony
We both know the ITU has problems, but there is no other organization that includes most of the world. In particular, 14 out of 18 board members at ICANN come from the U.S. and allies. The majority of world Internet users aren’t represented.
This is unsustainable.
The focus here is on treaty instruments. The telecommunication convention treaty instruments on cybersecurity have been around 167 years and encompasses all nations. The ITU is the current permanent mechanism to support the cybersecurity treaty process.
ICANN is a private company that coordinates the offerings of a few identifier service providers, collects some of their profits and uses it to lobby for the industry and fund some standards related activities. It isn’t clear those services are sustainable, but it is orthogonal to the subject matter.
Well, the ITU is much older than the United Nations, it was created in 1865. And it is not “in partnership” with the UN, it belongs to the UN and is a full-fledged UN Specialised Agency. And its documents are in 6 languages, like all UN documents.
The biggest problem in my view is that ITU is not really open to NGOs and civil society. It has a longstanding relationship with business entities (especially in the standardization field) but all entities other than Government have to enter ITU as “sector members” and pay a fee. There is no free of cost accreditation process for civil society like in the UN. And if you look at the participants at the IGF, lots or participants are from civil society and academy. If they walk across the street to the ITU building, as you suggest, they are not welcome, because there is no mechanism to integrate them into the work of the ITU. And there is also another caveat: ITU is, since its foundation, more of a technical body. The Government representatives are from the different Ministries of Telecommunications, not from Foreign Affairs. ITU has escaped strong politisation of its work (unlike the UN) but when it comes to Cybersecurity the field is at least partly a political field, not really ITU’s business. Therefore I doubt that ITU could play a mayor role in the field of Cybersecurity, which is really a multi-stakeholder field. I know this it is the old ITU-ICANN discussion, who can better do what etc., but ITU has serious handicaps as well.
The topic here is intergovernmental agreements signed and acceded to by Nation States concerning cybersecurity. These agreements represent collective adjustments to their sovereignty. Those agreements are also adjusted further by Declarations made as part of the signatory process, and afterwards during their accession processes. Obviously, only Nation States can engage in this activity – which they do at formal meetings among representatives who have plenipotentiary power. This treaty process is distinguished from the organizational aegis - which is currently the ITU. It came into existence in 1934 as a result of the 1932 Madrid Convention. Prior to that point, there were a variety of separate multilateral treaties among different sets of Nation States that went back to 1850 at Dresden. At first, Vienna was used as a repository for the instruments. After 1868, courtesy of the Swiss government, Louis Curchod’s flat in Berne was volunteered and it was enlarged to become what is known as the Berne Bureau. The CCIF, however, had an independent secretariat in Paris. The various pieces were not completely integrated until well after World War II and under the 1947 Atlantic City Convention. (The CCIF Director preferred Paris for the secretariat.) The ITU also exists pursuant to its own treaty instruments independent from the U.N. That relationship exists pursuant to Article 49 of the ITU Constitution which references a separate agreement between the two organizations. That complex agreement is best described as a partnership. Over the past 167 years, the treaty instruments and processes here have been effective for dealing with cybersecurity because they bring together Nation States, network operators, and service providers to reach agreement on matters of law, public policy, and technology in a substantive fashion. The impediments over the past twenty-five years are due in large measure to a few Nation States pursuing their own primarily bilateral strategies to further perceived interests. Arguably, the value proposition will change with the emergence of global NFV-SDNs. The matters here ones of significant personal familiarity over the past 40 years in a variety of senior positions in the U.S. government, in different ITU organs, at academic institutions, and in industry. A good reference is still the Codding-Rutkowski book, The ITU in a Changing World.
Charles
Secretary-General Toure made it clear that the Internet Society can accredit as many members of civil society as we like. (Delegations are often 100 or more.)
He went further, saying that’s why ITU gives ISOC the sector membership without fee, to widen the base.
This was at a public meeting as he looked at the ISOC CEO sitting in the room.
ISOC has blocked this, which can and should be changed.
There’s also a procedure for other NGO/civil society groups to become sector members without charge. It has to go to the formal council meeting, but the precedent is set.
Any nation can do the same. The U.S. delegation is open - I’ve twice been offered a slot. Many in civil society go as members of the U.S. delegation. As far as I know, no U.S. civil society representative who want to be on the U.S. delegation has been turned down.
In practice, ITU is one of the most open international groups. I can and have participated in meetings without any problem.
Much of the work is done in open fora and expert groups, open to all.
In the very rare case of a vote, that is governments only. I think there’s only been one of significance in the last decade, at the WCIT.