Home / Blogs

The Operationalization of Norms and Principles on Cybersecurity

With two simultaneous processes getting underway in the UN General Assembly’s First Committee, the UN Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG) on Cybersecurity, and several technology and multi-stakeholder initiatives pushing cybersecurity improvement, the world of cyber norms has become both more interesting and more complicated. Interesting, because a wider set of voices has the ability to share their views on processes that work to improve cybersecurity at a global level—and more complicated, as the concept of a norm has slowly been eroded by the fact that less agreement exists on a wider variety of ideas.

The IGF Best Practices Forum (BPF) on Cybersecurity is a multistakeholder group focusing on identifying best practices in Cybersecurity. From 2016-2018, the group has focused on identifying roles and responsibilities of individual stakeholder groups in cybersecurity, and it investigated the development of culture, norms and values in cybersecurity.

This year, the BPF has continued this work by identifying best practices related to implementation of the different elements (e.g., principles, policy approaches) contained within various international agreements and initiatives on cybersecurity. It has seen widespread support from a group of volunteers, including technical community members and engineers, legal scholars, and experienced human rights and cybersecurity professionals.

Earlier this summer, the group published a research paper identifying a wide set of relevant initiatives and agreements, while looking to identify overlapping elements. For instance, the group reviewed whether support for a technical process (e.g., responsible or coordinated vulnerability disclosure), or at a more abstract level (e.g., support for the applicability of international law), is encoded in many of these documents.

The review took a wide look, focusing both on inter-state agreements such as the Budapest Convention, intra-industry agreements such as the Tech Accord, and multi-stakeholder forums such as the Paris Call for Trust and Security in Cyberspace.

Agreements were included based on the following rough criteria:

  • The agreement describes specific commitments or recommendations that apply to any or all signatory groups (typically governments, non-profit organization or private sector companies);
  • The commitments or recommendations have as a stated goal to improve the overall state of cybersecurity;
  • The agreement must be international in scope - it must have multiple well-known actors that either operate significant parts of internet infrastructure, or are governments (representing a wide constituency).

In total, this initial review looked at 19 documented agreements, both global and regional.

The goal of this work is to identify best practices around the implementation of many of these principles. If a concept is widely supported, and signatories to these agreements have a wide set of experiences around the implementation of that concept, sharing this knowledge and experience will allow for its implementation to cascade. This facilitates the adoption by other parties; and as a result, improving the overall cybersecurity goals intended behind the agreement.

Following publication of our background paper, the BPF has now called for wider input from the community on the topic, focusing on the key questions of what best practices exist related to the implementation, operationalization and support of principles, norms and policy approaches of these international agreements. Organizations and individuals involved in either the development of these agreements, or the implementation of any of their concepts, are invited to share their experiences.

This input will be used to help create a final outcome document, which will drive discussion at the IGF’s 14th Annual Meeting in Berlin from November 25th to 29th of 2019. We invite you to contribute by sending your response to our Call for Contributions to b[email protected] by September 20th.

By Maarten Van Horenbeeck, Lead Expert to the Best Practices Forum on Cybersecurity

Maarten is Board Member and former Chairman of the Forum of Incident Response and Security Teams (FIRST). He also works as Chief Information Security Officer for Zendesk.

Visit Page

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API