Making norms work – Pursuing effective cybersecurity – PL 04 2019

From EuroDIG Wiki
Jump to: navigation, search

20 June 2019 | 9:30-10:30 | KING WILLEM-ALEXANDER AUDITORIUM | Video recording | Transcription
Consolidated programme 2019 overview

Proposals assigned to this session: ID 31, 32, 53 , 59, 74, 95, 106, 174, 202, 206 – list of all proposals as pdf

You are invited to become a member of the session Org Team! By joining an Org Team you agree to that your name and affiliation will be published at the respective wiki page of the session for transparency reasons. Please subscribe to the session mailing list and answer the email that will be send to you requesting your confirmation of subscription.

Session teaser

Cyber norms: Paris call, GCSC Singapore Norm Package, United Nation's GGE and OEWG, and other proposals put forward various suggestions to make cyberspace more stable and secure. How do we unlock their true potential, bridge the gaps between different initiatives and make them work?

Session description

The session will discuss in an interactive manner, with the input from both speakers and the audience, the following issues related to cybersecurity norm-making initiatives:

  • is there a need for new normative approaches, or do we have enough of existing initiatives?
  • should the norms be binding or non-binding? public or private?
  • how do we avoid “pulling the blanket” situations, when initiatives compete instead of complement each other?
  • in light of various processes, such as UN GGE, Paris Call, etc - how much normative alignment is needed and is this achievable?
  • how to bridge the gaps between different norm-making initiatives?
  • ultimately, which normative order will lead to stronger cybersecurity - and how to achieve this?


The goal of this session is to achieve as much interactivity as possible for the plenary session format. No lengthy speeches would be allowed: we will focus on interaction and discussion. The session with start with moderators setting the scene and ensuring that both speakers and audience are on the same page concerning the subject, and then will navigate the conversation between speakers and the audience based on the discussion questions outlined in the session description. Moderators will also use interactive tools to collect input from the audience, such a mobile surveys, word cloud and others. Remote participants are welcome and will be given the same voice as on-site participants.

Further reading

Cyberecurity norms development

International Cybersecurity Norm Development: The Roles of States Post-2017

Four Challenges for International Law and Cyberspace: Sartre, Baby Carriages, Horses, and Simon & Garfunkel Part 1

The United Nations Doubles Its Workload on Cyber Norms, and Not Everyone Is Pleased

Discussing state behaviour in cyberspace: What should we expect?

A New Cybersecurity Diplomacy: Are States Losing Ground in Norm-making?

Norm-making initiatives

A Digital Geneva Convention to protect cyberspace

The Charter of Trust takes a major step forward to advance cybersecurity

Tech Accord

Digital Peace

Dinard Declaration on the Cyber Norm Initiative

Global Commission on the Stability of Cyberspace (GCSC)

Paris Call


Until .

Please provide name and institution for all people you list here.

Focal Point

  • Dimitri Vogelaar, Deputy Head International Cyber Policy, Ministry of Foreign Affairs of the Netherlands

Organising Team (Org Team) List them here as they sign up.

  • Chivintar Amenty, YouthDIG 2019
  • Zoey Barthelemy
  • Joost Bunk
  • Jacqueline Eggenschwiler, University of Oxford
  • Carmen Gonsalves
  • Stefania Grottola
  • Arianne Janse
  • Matthias Kettemann
  • Fotjon Kosta, Coordinator of Albania IGF
  • Kristina Olausson, ETNO - European Telecommunications Network Operators' Association
  • Oksana Prykhodko
  • Ilona Stadnik, Saint-Petersburg State University
  • Michelle van Min
  • Corien van Pinxteren
  • Ben Wallis, Microsoft

Key Participants

  • Marietje Schaake - Member of the European Parliament; Commissioner, Global Commission on the Stability of Cyberspace (GCSC)
  • Uri Rosenthal - former Dutch Minister of Foreign Affairs (2010-2012), Dutch Government’s Special Envoy for International Cyber Policy (2013-2017) Commissioner, Global Commission on the Stability of Cyberspace (GCSC)
  • Thomas Grob - Senior Expert Regulatory Strategy, Deutsche Telekom AG
  • Els de Busser - Assistant Professor, Institute of Security and Global Affairs, Leiden University


  • Jacqueline Eggenschwiler- PhD candidate, University of Oxford's Centre for Doctoral Training in Cyber Security and the Faculty of Law
  • Vladimir Radunović - director of e-diplomacy and cybersecurity programmes, DiploFoundation

Remote Moderator

Trained remote moderators will be assigned on the spot by the EuroDIG secretariat to each session.


  • Andrijana Gavrilovic, Geneva Internet Platform

The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:

  • are summarised on a slide and presented to the audience at the end of each session
  • relate to the particular session and to European Internet governance policy
  • are forward looking and propose goals and activities that can be initiated after EuroDIG (recommendations)
  • are in (rough) consensus with the audience

Current discussion, conference calls, schedules and minutes

See the discussion tab on the upper left side of this page. Please use this page to publish:

  • dates for virtual meetings or coordination calls
  • short summary of calls or email exchange

Please be as open and transparent as possible in order to allow others to get involved and contact you. Use the wiki not only as the place to publish results but also to summarize the discussion process.


  • Norms need to be thought of and implemented in an interdisciplinary way. The engagement between disciplines should be brought into the discussion on norms on a meta level.
  • Current norms have not been effective; more norms on state behaviour in cyberspace may be needed. Norms should not only remain voluntary, but also, non-binding.
  • There is a need for more regulation on corporate behaviour.
  • All stakeholders, the tech community in particular, should be involved in both the drafting and implementation of norms, though on different levels. The tech community should be brought to the table and be involved in the debate on norm building from the ground-up.
  • Multistakeholder and multilateral mechanisms should not be put into an ideological contrast, but should be brought together.

Video record


Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-800-825-5234,

This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.

>> Thank you for wrapping up and answering my question that you will be available for all questions today, in the Amazon in the afternoon.

I would like to go quickly, we're running late, before that, I would really like to ask the people in the back, in the dark, please come forward, over here the discussion is taking place and it is nice for the panel to be informed and to have not so many spare spaces. Please, be polite, come sit in the front. Then I'll ask you to come up and talk about Making norms work- Pursuing effective cybersecurity, I'm looking forward to it.

>> JACQUELINE EGGENSHWILER: A warm welcome to everyone. I would like to ask my panelists to join me on the stage. We'll do this comfortable way, be seated and discuss that way. we're also, if you -- I'll move to the side, intact fact, so you can take a seat here.

We'll have to wait for our remote set up. Have had is joining us from DiploFoundation. Can you give me a short confirmation that this has been set up and he can in fact hear us? Then we'll kick off.

>> VLADIMIR RADUNOVIC: I can hear loud and clear. Good morning.

>> JACQUELINE EGGENSHWILER: Brilliant. We're good to start.

Again, it is great to see your faces in in early morning slot. It is a big room. We'll try to make this as interactive of a session as possible.

It is my pleasure to be introducing you to this first panel, and as you can already see, we have esteemed experts here on stage with me. Before going into this space, I would like to thank our focal point Dimitri and our organizing team and our subject matter expert Tonya who has supported us in making this session come to life.

This Plenary is set against an increasing Number of norms proposal, both issued by states as well as non-state actors.

We have heard in previous sessions that we have saw the emergence of two U.N. processes and concerned with security, ICT, and at the same time, we have seen multiple proposals from non--state actors including Microsoft, telephonic, et cetera, also groups of multistakeholder organizations who have engaged in norm-making processes which we'll hear more about hopefully during the discussion.

Now, this session wants to ask how the norms can be implemented and actually be made to work.

It struck me today when I came here in the morning to the venue, I passed a lot of bikers and road participants, and I thought to myself, well, they're all in a flow, they observe intrinsic norms, I didn't come across any accidents. It is probably the Netherlands, it is a prime example for this, so I asked myself how can we make cybersecurity norms equally entrenched into just standard behavior. That is exactly what I would like to discuss with my panel.

Now let meet introduce you to the experts.

Right next to me, we have Marietje Schaake, a member of the European Parliament and member of the global commission on the stability for cyberspace.

Right next to her, we have Els de Busser, assistant professor at Leiden University and we have Thomas Grob, a strategy expert at Dutch telecom and last but not least, we have Uri Rosenthal which I'm guessing the Dutch audience will be familiar with, former foreign Minister of affairs for the Dutch government.

Thank you very much for being here with me on stage. I would like to welcome you and the panel with a under are of applause, please.

Let me also introduce you to Vladimir Radunovic, I will point like this, you will see a small image of him sadly enough but he'll comoderate this panel with me. In fact, I'll hand over to him for the first question already. If you would like to take the floor, please.

>> VLADIMIR RADUNOVIC: Good morning, everyone. It is a bit weird to be so distant from you.

We're trying to push the limits of remote participation as we go beyond the remote observation and I think that the next step is holograms, and we'll work on that. Before we move on to hologram option, let's try to use the new options and a big thank you to all of you that join us this morning and also the IT tech team that helped me to make this work.

I hope it will stay that way.

We're all used to EuroDIG and we played with this last year a little bit. I would have moderation, but I'll also have a couple of questions to all of you, to share your views, I know sometimes in the morning and I saw it in the first session, people were not shy, you didn't get coffee, so on. We'll start with the polls online, grab your devices, you're connected, I know you're checking emails, everything, use them now with the session, and you see the slide on the screen, we'll start with a couple of questions around the discussion today. We'll focus on the norms. The first block will actually be sort of where are we with the current norms? What is the if he can activeness? Do we need more norms? So on. So I invite you to share your thoughts on the norms space on this question and just go ahead with that.

Before attending to the panel with some first initial thoughts, a few days ago I was in this meeting on norms settings, so on. We had a good discussion and a colleague from Spain told a story when the first car came to Madrid in I think it was 1988 or something, probably the Spanish people there would know better. It was somewhere around that time. It took five years for any sort of rules of the roads to come to place. It was a new technology, it was not -- how -- it was not said how the car should run in the middle of the carts and horses. Interestingly, a first rule, there was -- that was introduced according to him, it was when you drive the car make sure that you don't scare the horses. When we introduced the new rules of the roads, we should make sure that we don't hurt other ones and to the extent possible, we rely on the existing ones.

In the context of international security with international law, and good news, it is that -- I'm sure we're going to mention that that group of governments, that it is confirmed anyway, agreed that General Assembly of the U.N., that the existing international law applies to cyberspace. How, that's a different thing.

We should also have to look at it a bit broadly beyond the cyberlaws. We have about 1,000 instruments related to digital policies.

You have a good visual list of that on the digital observatory, if you want to look at that, over 1,000 instruments. The question, do we need more of the norms and instruments, particularly related to international peace and security, what we have currently, has it been effective enough? Should they remain voluntary and non-binding at least in the international peace and security in the international law which parts of that is binding, and do we need more norms related to the private sector? Now, turning to the distinguished panelists, and probably I'll use the opportunity to talk to Uri Rosenthal, a question to you and then I'll get back to the others, since you were there when there was the most productive phase, when the norms of the international peace and security rolled out, looking from that perspective, now six years after that standard, that first set of forms are you happy with this? Would you change anything? Just a quick comment and then we can focus more on these questions. Thank you.

>> JACQUELINE EGGENSHWILER: It is difficult to understand you. Could you please direct your question at one particular panelist again, please? It -- a bit slower so that we can all follow it. It is very hard to hear. Sorry for that. Thank you.

>> VLADIMIR RADUNOVIC: Just wave if you don't hear me well and jump in.

So the particular question, it is for Uri Rosenthal, since Uri Rosenthal was the Minister in -- well, covering the main bits of norms in 2013 to 2015, the question is for Uri Rosenthal.

Are you happy, would you say you're happy with how the things that are coming from the times that you were Minister until now when it comes to the development and the implementations of norms? I hope this is clear. Wave if you don't.

>> JACQUELINE EGGENSHWILER: I will repeat the question as far as I understood.

Are you happy with the process made with norms implementation and development since you took office?

>> URI ROSENTHAL: Thank you for the question and introduction.

I'll say the following: When I was Minister of Foreign Affairs, it looks all in the cyber domain as being a very long time ago.

In those days, 2011, 2012,py remember that we were talking about people that walked around with the Internet of us all, states were a remote kind of player in the whole thing. During Minister of office, I initiated together with Hillary Clinton the freedom of line code issue. Those days -- and it was also the days of the Arab Spring, it was speculated on the interconnectedness that the Internet provided, it would help with the Human Rights and others. I vividly remember those days again, 2011/2012 that were -- for instance, on our part, we tried to do our utmost to help out opponents of the regime in Syria with equipment to help them stay in line. Those days, optimism, et cetera, now I jump to 2019 beginning of this year, in Sweden, actually on the heart of the metal of the Internet, a bit later, May/June, a cyberattack by Hamas in Gaza on critical infrastructure which has been encountered by a physical attack on the Hamas cyber headquarter, that's where we are now. Looking to the situation at this very moment, I would say without overstating the vital importance, overstating the vital importance of having norms, et cetera, I would say that it is of great importance that for instance the global commission on the stability of cyberspace where I share membership it for instance promotes, and up until now with reasonable success the norm which aims at protecting the public core of the Internet and when we talk public core of the Internet, we're talking business in the most complete sense of the word, public and private business. It is then about protecting the domain name systems, routes, act architectures, protocols, not to forget undersea cables and satellites, and I can say that to migrate pleasure it was also through the efforts of members of European Parliament that the European Parliament was able to amend the European's cybersecurity act to insert the public core norm into the European cybersecurity act. So that's the way we should go. We should not look for a situation where we are engaging in what you could call a sort of norms factory machinery, you know, accumulating one norm on the other. We should be effective on this, but it is for me a very pertinent thing that we should aim for norms as well as for rules, confidence building measures.

Finally, in my -- in these remarks, let me say that we should also aim, and then you have from 2011 to 2019, 2011, freedom of line code issue. It is very nice to be with the like-minds, but you need also to other join. That's a task that we're facing.

Thank you.


On that note, I will turn to you, Marietje Schaake, because you both share membership of the commission as well, and Uri raised valid points in terms of effectiveness that we also want to get at. The commission has been underway now for a good two years, two and a half almost, how would you deem its success in terms of effectiveness and what, in fact, do we need to do when that applies to all of news the room as well to make these norms implementable and to actually lift them as to walk the talk.

>> MARIETJE SCHAAKE: Thank you very much for including me in this panel.

Good morning, everybody.

Our work is not finished. I think it is most important also what Uri sketched to actually stop the sense of Lawlessness and unaccountability when it comes to breaches in the online, digital world.

So norms are merely a vehicle to achieve that.

Sometimes I think, it is an imperfect vehicle, a legally binding Human Rights open Internet enhancing cybersecurity approach which we all know which is very difficult to achieve in today's world where the stakes are high and governance body models differ and a lot of countries even of the so-called like-minded are not always aligned unfortunately.

So what we have tried to do, it is to suggest, to offer for suggestion and input, I know that this EuroDIG session has been very important for that, we offer a number of suggested norms.

So the way in which you can help, it is to share with us what you think about them, and also how you think they can be improved, where you see connections forgetting them to be adopted and implemented. We work in a multistakeholder fashion, obviously, but that could risk becoming a bit of a jargon if it doesn't have meaning. We hope that the norms that are now being finalized with a number of recommendations for different actors on how to take on the norms and what's the concrete steps that need to be taken between the thought of the norm that we have put a lot of energy and effort into, taken a lot of input into to actually make them change behavior.

We hope that you, from Civil Society, from the technical community, from different governments, from academia, wherever you may sit, it will also work -- you will work with the norms and hopefully adopt them. We have seen Part of our norms package reflected in the Paris call that was adopted, we have seen some of the norms that we suggest adopted in the tech accord in the E.U. cybersecurity laws as mentioned, and so for us, in the commission, it really feels like we're still before the start. We're still really working out the details and then hoping that our norms will have wings and will change the behavior where I think that is the goal and we need to end the sort of Lawlessness, lack of accountability and sometimes very malicious behavior in the online world.

>> JACQUELINE EGGENSHWILER: Thank you. Coming from an academic perspective, where do you see -- do we need to act and work to really make these norms the basis for interaction?

>> ELS DE BUSSER: Thank you for the question. Thank you for inviting me to had this panel.

As an academic, of course, we like to Zoom out and take an abstract view on things.

In that sense, it was indeed a bit hard to understand Vladimir Radunovic but I caught some meta levels of norms which is something I would like to turn to in a minute.

First I want to say that the whole debate on cyber norms, which has been going on for quite some time now, I was thinking this morning, it is quite extraordinary and I think that cybersecurity, it is one of the only areas or maybe even the only discipline where there is so much attention to the process and the development of norms, usually you see norms developing kind of in the background without them being called out as norms as such. In cybersecurity, we see a lot of attention to this development and to this process as such.

With that being said, I think going to this meta level of norms, what we see, a lot of academia, is that there is a need to had think in an interdisciplinary way.

If you look at the crowd here, I'm sure it is a mix of people with governance background, people with a technical background, people with a policy background, I think this is something that we need on a meta level, we need to think of norms also more in an interdisciplinary way.

We often see confusion about even what the terminology means, what a norm means, whether it is binding or not. Coming from a specific discipline that might give you a specific view on things, so these disciplinary lenses, the engagement between the disciplines I think should be brought into the whole discussion on a meta level, maybe it should even be a norm to implement interdisciplinarity in the whole thinking about this as well as in the implementation. First we need to think about norms in an interdisciplinary way and then start implementing them in an interdisciplinary way. If we understand each other a bit more because we could be using the same terms and understanding something completely different behind these terms, I think that would be a good step ahead.


Turning to Thomas now, with maybe a more technical perspective given your affiliation to digital telecom as well, what do you see emerging here as well. Els mentioned we may need an interdisciplinary understanding, would you share that view in terms of making these norms that we're discussing implementable in terms of the telecom or in the case of -- or as a member of this charter for trust, do you see that there is a lack of engagement from other parties or where do you see the need for action.

>> THOMAS GROB: Thank you for the excellent question.

To answer the first one, yes, of course, I would fully subscribe to the need for an interdisciplinary approach as well as for actually applying an understanding of cybersecurity that's very wide and an extensive one and it touches a lot of different aspects in society, but also for us, as a business, we feel a strong responsibility towards both our customers, but also as we're operating critical infrastructure towards government and as a whole. It having said that, we engaged in the charter of trust as you mentioned, we see definitely a value in the processes of developing non-binding norms, trying to reach consensus, we have also appreciated that thousand it looks like we're extending the charter of trust to Asia with partners from that continent.

So having said that, I think the most important recognition here, we have just the one Internet and ultimately we need to come to global solutions which is a monumental task I would say and even though we know it is very difficult at Dutch telecom we have come to the conclusion that the non-binding way will ultimately not be sufficient, meaning we will have to arrive at some kind of a cybersecurity convention that's agreed multilaterally that will take time and will be very difficult, but better start in and out to work on it than to just always say it is too difficult to be tackled because we think we have done a lot of awareness rising and there is a very good consensus among the willing, but for the challenge, it is how do you make those norms also minding -- binding for the ones that are not willing or working explicitly -- you have the states, the governments, we need to define clear responsibilities and we also need to harmonize enforcement and penalties.

>> JACQUELINE EGGENSHWILER: Thank you very much for that, Thomas.

You have raised a valid point on enforcing the norms and that's what we're trying to get at here as well.

Having said that, let me turn now to Vladimir and maybe I can comment on the mentor, the results, we see there as well, 4.1, we need more regulation of corporate behavior which might go into the direction of binding regulation or not, that's something that we can discuss. I would also like to ask the audience if there are questions to please queue up in front of the mic so we can take your question indeed.

The floor is yours.

>> VLADIMIR RADUNOVIC: Thank you. We have played with the voice a bit. Wave if you don't or you do.

I'll try to speak slower.

Thank you so much for sharing your views. We have 51 persons that responded to the questionnaire and I have to admit it is something that I expected the results would been, and it reflects the discussions at the global level to some extent.

I think that it was well noted, the geometries also, the global commitment, it is not to become a norms factor, and we definitely may need some more norms, not only talking about new technologies that are coming like Artificial Intelligence, but possibly also reflecting some of the current -- particularly the State of let's say the peacetime rather than just the conflict, war time. It reflects the concern whether the non-binding approach is enough, is sufficient, and my subquestion, maybe I'll go back to you at some point, it could be to what extent possible minder binding measures could interfere with the openness of the Internet, with the innovation, with this economic part and how it impacts the other two bits in this triangle of security, Human Rights, development.

It is food for thought.

Back to you for possible questions in the audience, and then after that I'll turn the blank slide for any sort of comments that anyone can have in the next block, which Jacqueline Eggenschwiler will coordinate.

Back to you.

>> JACQUELINE EGGENSHWILER: Unfortunately, it is still very hard to hear you. If we can get some technical assistance, maybe that would rectify that problem, that would be great.

If not, let me turn to the second question to the panel: We start again with Uri, please. If we were in a world where you would have a wish for how perfect implementations of these norms would look like, who would you call on to help you implement what you have drafted as part of the global commission on cyberspace for example and what is needed? Three wishes.

>> URI ROSENTHAL: Let me -- let me be straightforward on this and explicit.

When you talk about these sorts of things, I'm talking about the importance of being able to appeal to the urgent need of something and who are those whom you address your message to, the powers that be. Simple. Powers that be.

Let me say that for that matter, and it is also part of our discussions in the global commission, when you look at how you could get things on the move, we have for instance the process which is a global conference on cyberspace which actually a few years ago was being organized here in the Hague. There you see one of those fora where the powers that be, political leaders, they're indeed joining the multistakeholder context and I would say that's most important.

Secondly, having had been an active politicians pie self, I hope, for instance, that others will endorse my observation, when you want to be effective, you have to be effective in your communication to people who are not very -- sometimes very digitally literate.

For that matter again, I would for instance nearly say -- I'm -- I'm not shy to say so. A little bit my love baby in this is the norm of protection of the public. That's what they do understand, they do understand that it might be in their own well understood self, institutionally, state interest, to join forces here. You have to be concrete, appeal to the feeling of urgency for them, et cetera.

That's one point..

The second, totally different. Unfortunately, a totally different story. When we talk also about global commission, on norms, it is always a fight in a way to say not only is it about states, but it is about non-state actors. Not the least the big five, big six, big seven. They have been lagging behind for a long, long period of time and only now they begin to understand that something should be done.

They should also -- and there also, you know, I'm -- I would say I'm not in the eve. If they go to that, for more regulation, they do so it because of their own interest, nobody among those billion uses of the Internet, the billion users of the Internet are starting to understand that they don't get the data for good. There is not an offer of free access but there is driving business case behind it.

Third, last point, very brief, there is often said, you know, it is always a thing, United States implement, China implicates and the E.U., they regulate. And there is a tendency to look a little bit negative, pessimistic on this European contribution. I would say that by now the world is changing, and I think that the European Union by now has done some -- has made some remarkable steps just on the regular -- into the regulatory domain, and the well-known directive, the security act, the cybersecurity act which I was talking about, they're good steps forward.

More so, because when you talk norms, last point, when you talk norms, you don't just simply talk about something that should be done, but that they should be done because they have to be with value, the European brings values into the equation -- the European Union brings values in the equation and the values are based on the applicability of international law, also in the online space. When we talk -- when you talk international law, we talk Human Rights, we talk rule of law, and let's also not be naive, also the law of armed conflict. That is my contribution to your narrative.

>> JACQUELINE EGGENSHWILER: Building on that, it was said that the E.U. regulates and China imitates, do you share that view and also building on what Vladi said and Thomas earlier on, you see the need for binding regulation.

Let me zoom out a bit.

I, of course, echo the wish for many more love babies, I had think that is something that we can all agree to. But also caution a bit, love can blind. I'm only halfway kidding when I say that. In this community when we think about multistakeholder, multidisciplinary, this is all very much desired, and I agree with it.

Let's also be a bit more precise on what we mean and be clear on what's not at the table.

Sometimes multistakeholder processes can be a bit self-electing, self-serving and also legitimatizing decisions that are made by powerful, unaccountable players while they are sort of clad in the notion of everybody was at the table so therefore it must have been a quasi-democratic result.

So I think we have to continuously be clear on the means and the ends. So when I think about the norms process vis-a-vis the law, basically your question, then on a good day, it is a step in the right direction.

It is a way to bridge the gap between unaccountability and sort of legally binding principles.

So it is a way to bring people to the table that may otherwise not be interested in talking about any kind of accountability.

On a bad day, the non-binding nature of norms can also be used as a shield to never have any binding principles. Again, these discussions, they don't happen in isolation as we speak here, laws are being made, countries are making governments, governments are making laws continuously and I also argue that big companies are effectively setting norms by the way they use technology, by the kind of rules they apply on their platforms, for example, about free speech or competition.

Let's not be drawn into an tunnel vision although the open Internet, they need defending, we have to be real that the stakes are very high and that the governments are making laws.

I think in that sense it is high time that a coalition of sort of -- I look at it from a European point of view, more broadly from a democratic world point of view, they come together in a more strategic way, in a more strategic way to articulate what kind of principles should not be disrupted by technology, should also not be overran by more dictatorial ways of either governing or governing technologies, governing outside of the digital world or through the digital world.

So I guess my point is that both are true, laws are being made, and it doesn't help to suggest that these are two worlds apart. I think that the best way to look at it is how to be best strategic in the democratic world and use it in a step in the right direction or towards changed behavior and there has to be accountability and in an ideal world it is through laws that continue to respect Human Rights, fundamental freedoms, international law, et cetera.


The question to you, Els, given this huge space of norms floating around, it draws on what was said as well, do we need more alignment if of the norms or kind of a global understanding? We see a bit of scattered initiatives rising here and there, how can we draw the line and create this global sense or more strategic effort to make these norms work or actually know what to protect.

>> ELS DE BUSSER: The world global scares me a little bit.

Speaking of norms. Also keeping one eye on the score here. I see a very low score for the statement current norms have been effective, I want to pick up also on what we said about the E.U. and why does this work, why is the E.U. seen as a regulator, and you mentioned the word values, which I very much appreciate. Why is this so successful? I dare to say it is successful because this is a relatively small group of states with I say relatively common values, which means that norms were built from the ground up. You have the smaller groups -- group of states, you have them around the table, the easier it will be to find common ground. Look at criminal law cooperation, smaller stakes, or you see some E.U. agreements being almost copy pasted into council the Europe level. You see the effect of the E.U. data protection regulation on a worldwide basis. Why is it so successful? We have smaller groups of states that have a common history, common political views, a common set of values that will trickle down into a certain norm setting. When that is built from the ground up, you're -- you're building a consensus basis that could then be successful.

I think that's where the effectiveness really lies. Picking up on the low score here.

>> JACQUELINE EGGENSHWILER: It is a matter of sharedness as well.


>> Values, yes, but interest also.

>> JACQUELINE EGGENSHWILER: On that note, Thomas, common interest from an industry perspective, is there something that we can learn from industry of how to get behind certain principles or norms? The standards, the security guidelines for product it is, et cetera, PP?

>> THOMAS GROB: Tough question.

I'll try to be brief.

Business is pretty simple, pretty much aligned globally, we want to earn money and we have a problem with being attacked constantly, not only from Europe, but actually from all over the world.

I mean, it is nice to have regional solutions, but I repeat myself here, it is one Internet and it is global.

I think it is very important to go ahead, to find regional consensus as these are first steps to then maybe scale them to global. Of course, we also value the work that has been done in Europe, but I'm afraid I'm not as positive as you are about the effectiveness that should be improved.

Having said that, what can you learn from business? Business tends to be very efficient or try to be efficient when going about the developments. I think if we manage to get business actually at the table and be honest about their real interest, this can be speeding up the processes.

I think it is important to actually listen to what we have to country bought from a business side as ultimately we will be the ones implementing and we will be also, of course, telling what we think is not implementable or is not efficiently implementable and that needs to be kept in mind when designing norms.

>> I want to make a small comment. I think it is very good to have a dialogue. At the same time, there has to be enforceable minimum standards. Try to imagine replacing the digital context here with for example climates. Then having all of these businesses saying, well, you have to listen to us, because at the end of the day we have to implement the policies, people would probably say, well, we have tried that for a while, it is not always successful.

I think it is going to -- it is going to almost be inevitable that there will be minimum thresholds, let's stick to Europe for the moment, and I wish there was still an open Internet, but I think it is already being sort of eaten away at.

That there will also be -- it is easy to comply with for well-willing businesses, thresholds that everybody has to meet in order to make sure that the businesses who don't sit like this, who don't step forward to engage are also being bound to behave well.

>> To be fully aligned on this one, yeah.

>> JACQUELINE EGGENSHWILER: Thank you for that.

Al I'm turning to you, mindful of time to the last question and probably also -- oh, I see we have comments from the audience.

I'll take these first.

Nigel, if you want to start.

>> Yes. Thank you very much. I really wanted to pick up a point that was made I think more in the first set of questions: This is this whole notion of how multistakeholder approach is so important in this rule making, in this norm-making. What I was hoping the panel may address is that rather than debating the value of the norms, and personally, I think that the work of the global commission is something important, in this we tried in the London process, I was involved in the beginning of that, we tried in that process and I think that the global commission had a far superior way of taking on that role.

When we have the norm setting, while we have incredible and positive things coming out of the European Commission and the European Parliament, we have two U.N. processes, multilateral taking place, there is a confusion between multilateral and multistakeholder, and we have to pin down that issue in the report as well. The two processes in New York are multilateral. The government group of experts made up of 25 Member States coming up with perhaps rules, guidelines, leading to a cyber treaty perhaps, 25 Member States. We have the open ended Working Group. Ironically with more Member States backed by Russia. With stakeholders in an observer role, with stakeholders able to be go to the table, which I think is at least good because that's got transparency, but in a very observable, unable to make any of the decisions. So contrast that with the multistakeholder, the bottom-up process we have in the global commission and elsewhere, and then I think that's where some of the debate ought to focus.

Thank you.

>> JACQUELINE EGGENSHWILER: Anyone have a reaction to that?

>> URI ROSENTHAL: Well, thank you for this excellent reflection, sir.

I think it is -- it is at the heart of the matter in many ways.

It looks as though you, sir, were participating in the discussions which we have had in the global commission, even a few days ago in here in the Hague. There we were talking about the fact -- not about the fact, but the idea that we should perhaps be less ideological than we have been before on a sort of pure contradiction between the multilateralism on one hand, and Mull at a stakeholderism on the other.

I have been a part of this discussion throughout the years, I should say that I vividly remember that in the -- that I was in one of the big gatherings in India a few years ago and there were people talking about the model of multistakeholderism. I said I don't like the word model. I like the word approach. I like the word mechanism. It gives a sort of action mold to the story. I would say that actually it all boils down for me, also on the basis of what was said here before to the very fact that the cyberspace is still as it is sometimes called more or less an unchartered territory. If you are talking about that, I would say that you have to understand today that when you look at global diplomacy the 1.0 track simply government states around the table with the pinnacle of the United Nations security council, then you are talking perhaps a little bit in some sort of ways, in an outdated session because the 1.5 track, where Civil Society gets in, it is a full- fledged Part of the game today.

Let me say that throughout the years, also something to remember, there were some of the swing states who were actually on the purely multilateral side who started to understand that Civil Society, technical community, academia, NGOs, they're part and parcel of what we're doing. We can't do without them.

For instance, Brazil came in on this and even today with a totally different regime as five years ago, they're still hanging on it.

India has more or less also come in to join the club in this way.

So we should not give up on this importance of the multistakeholder mechanism. At the same time, when I look at the way within the U.N. context that is also -- and it was also well said by -- it is also very implied in the question when I look at the U.N. today it is also opening up in some ways and I should say that the Secretary-General is really going for that too.

You know, so don't get into an ideological contradiction between the multilateralism and the multistakeholderism and we have to say full stop, that it doesn't work.

We have to bring them together. Thank you.


You had a reaction?

>> MARIETJE SCHAAKE: I really encourage everybody to take this notion that actually states are powerful, non-democratic states together are more forceful than the democratic states of this world. That's why the U.N. is in such a bad place on for example protection of civilians, intervening in the worst kind of conflict.

Let it be a wake-up call, a sense of urgency for the multistakeholder community to actually lead to results because process and results, they're not the same.

I think if you want to sort of prove that the multilateral approach is not going to replace or should not replace or is not as effective at the multistakeholder approach, then make it work.

Let it lead to results. I think that's the best way to get ahead of this game.

>> JACQUELINE EGGENSHWILER: I'll take one last question. Sorry to train all your standing muscles, I'll go to Luis for this one, if I could ask you to make the question brief and also the responses fairly brief before we wrap up.

>> Perfect, thank you all for the excellent discussion.

I have with two very quick questions, the first one, it is we talked about like-mindedness. We talked about how do we build consensus, how do we make sure that these norms kind of have a trickle-down effect that they're implementable in certain way, but I wanted to ask about the role of the so the called swing states. I think we talked about Brazil, India, but I do think that is one of the concerns at least that I see coming from academia that there is a concern specifically at the open ended Working Group and the U.N. GG of making sure that you know states understand where these swing states are at, and so my question would be with regards to how do you see the role of swing states, and the other question I think sometimes we overlook the role of the technical community -- the echo is horrible over here, I'm sorry -- but sometimes we overlook the role of the technical community and specifically in cybersecurity we don't talk as much as we could. Even though these norms actually address them in certain ways. That would be my second question thank you.

>> JACQUELINE EGGENSHWILER: Thomas, you want to respond to the last question regarding the technical community and then maybe Els for the first one?

>> THOMAS GROB: I would gladly take the second part.

I think that the there is a huge responsibility and it is actually taken quite offensively and also quite effectively, both by technical standardization, fora, but also by the community of network operators, Internet service providers, in the domain of cybersecurity and fighting cybercrime also, the problem is that you cannot always be transparent about what you're doing. My observation is that the actual experience and networking that is existing in that community is not usually integrated in multistakeholder discussions, it is difficult, but it is happening and it is with regard to the U.N. process, I think that they should be mindful of what is actually going on in the tech level and I believe that they are.

That is happening.

We have to be mindful that not everything that is knowledge in those very specialized circles can be transparently shared and made public.


What's the role of swing states in in game?

>> ELS DE BUSSER: A difficult question. Thank you for that.

I was thinking of swing states -- let me rephrase that.

If a debate, any debate is crowded by let's say the usual suspects, the bigger state players, it can also work refreshing, to have new players come in, that may not have been bias already by an ongoing debate, who can make the usual suspects see things from a different perspective.

So I would say as an academic thinking, what is a he will are of swing states, that I think would be a very positive role that they can bring into the debates.

If I could also say something about the other question, that's exactly what I mean with interdisciplinary, bring the technical community to the table and also make them involved in the debate from the ground-up.

>> JACQUELINE EGGENSHWILER: Thank you very much.

Mindful of time, Valadi, I'm going to turn to Andrijana Gavrilovic who will kindly read out the messages I hope.

>> ANDRIJANA GAVRILOVIC: This is very difficult to sum up.

>> JACQUELINE EGGENSHWILER: We didn't want to make it easy for you.

>> ANDRIJANA GAVRILOVIC: If it will be all right for you, I would like to have some more time to reflect on this and then I would send the messages to the Secretariat who will share it all with you.

I don't want to not do justice to this session if that is all right.


We have careful deliberation going on in the background, but looking at the watch now, I would like to thank this esteemed panel for their contributions and discussions. Highly appreciated. Give them a round of applause. Please.

Valadi, sorry we couldn't be more interactive with this setup. It is very difficult to hear you. Also thank you very much for Vlad for his moderation skills here.

Thank you, in difficult circumstances.

Thank you very much.

This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.