Analysis: Untangling the web of multi-level cyber diplomacy
Another month and another international summit (or two) conclude with a shared commitment by participating countries to work together in order to address global threats to cyber security.
Untangling the web of international, supranational, regional, bilateral, national and increasingly corporate attempts to, invariably, deliver a free and open internet, secure global cyberspace and build cyber capabilities for a more resilient digital world, seems to be almost as complex as the challenge they are seeking to tackle.
Keeping up with the complexity & pace of international, supranational, regional, bilateral, national & corporate cyber security action
Not to mention the joint statements of public attribution of cyber attacks such as WannaCry and NotPetya to North Korea and Russia, or indeed joint warnings against Russian cyber aggression, since the beginning of this year alone.
- The UK and France signed an agreement on Cyber and Digital Security. Among other things, it seeks to create a new annual policy strategic dialogue on cyber threats and create alignment on cyber security practices for consumer Internet of Things (IoT) devices.
- The World Economic Forum, amidst discussion at Davos on how to secure a common future in cyberspace while addressing the risks of cyber wars without rules, launched its Global Centre for Cyber Security. The centre is hailed as “the first platform for governments, businesses, experts and law enforcement agencies to tackle today’s cyber risks in a truly global manner”.
- Siemens used the occasion of the Munich Security Conference to publish its Charter of Trust for a Secure Digital Future. It is described as a “cyber security call to arms” committing companies to set baseline security standards. At the time of the conference, the Prime Minister of the United Kingdom, Theresa May, called for “a truly global response (across) UK, EU, industry, government, likeminded states and North Atlantic Treaty Organisation (NATO) to strengthen our cyber security capabilities (and) defend our interests in cyber space”.
- The members of the Commonwealth signed the Commonwealth Cyber Declaration, setting out their shared vision of cyberspace and mutual assistance on cyber crime and cyber security capacity building, supported by a £15 million UK government investment. At the same time, the UK government signed Memoranda of Understanding with Singapore, including the UK’s active participation in the Association of South East Asian Nations (ASEAN) cyber capacity building programme, and India, setting out a new Cyber Relationship including an agreement on information sharing.
- A Microsoft-led alliance launched the Cyber Tech Accord, representing tech companies’ public commitment to form new partnerships and collaborate on cyber defences while pledging never to partake in cyber attacks against individuals or businesses.
- And the G7 Security Ministers in Toronto agreed to work together on outlining a coordinated approach to tackling threats to cyber security.
These developments follow the publication of the EU’s cyber security package released in September last year. It sought to strengthen the mandate of the EU’s cyber security agency, the European Agency for Network and Information Security (ENISA), and introduce a harmonised framework for cyber security certification, to make the EU “more resilient to cyber attacks and create effective cyber deterrence”.
- The publication of Australia’s International Cyber Engagement Strategy, a cornerstone in the country’s efforts to achieve “a strong and resilient cyber security posture for Australia, the Indo-Pacific and the global community”.
- A range of additional UK bilateral cyber cooperation agreements, including with Poland, committing to supporting cyber capacity building programmes in Eastern Europe and the Western Balkans, and Japan, which covers cooperation on cyber security for the 2020 Tokyo Olympics and Paralympics.
These developments will also be followed later this year by May’s Cyber Security Summit in Tallinn and July’s NATO Summit in Brussels, where the 2016 NATO Cyber Defence Pledge will be reviewed to improve allies’ preparedness to respond to cyber threats.
Identifying shared ambitions & pin-pointing challenges
Amidst the layered complexity of summits and agreements, and the hurtling pace at which developments unfold, we attempt to take stock and outline the challenges across the multi-level maze of securing cyberspace.
It is definitely encouraging to see references that are aimed at tackling cyber threats included in multi-level agreements and commitments across the board. John McFarlane, Chairman of TheCityUK, recently commented that “it has taken little over a decade for cyber security to go from a niche issue to become a tier-one national security problem in every major state in the world”. For cyber security to have evolved in such a way that it is now receiving the global attention of political, civil society, corporate and military leaders across the world is undoubtedly a good thing and there is little to dispute this.
In addition to having achieved a firm place on summit agendas, we see a number of common themes emerge across summit agreements and conclusions, including:
- Support by like-minded states for the application of the rule-based international order in cyberspace.
- Support for states’ legitimate right to develop operational – offensive and defensive – cyber capabilities.
- Commitment to intergovernmental, cross-sector partnership working, improving cooperation and information sharing on cyber threats and responses.
- Recognition of the importance of cyber capacity building programmes, supporting national strategic planning and incident response capabilities.
- And agreement to develop common global standards and approaches for cyber security frameworks and internet-connected products, devices and services, not least in an attempt to strengthen public trust in the opportunities of the digital economy.
However, challenges and risks remain:
- Firstly, while the constant focus on cyber security in multi-level agreements is welcome, there is a risk of, at best, duplicating, or, at worst, contradicting efforts undertaken at different levels, by different actors.
- Moreover, while the repeated reiteration of the same commitments will undoubtedly serve to establish them in public (and indeed leaders’) consciousness, it might also lead to cyber fatigue.
- As a result, any new agreement on cyber cooperation is either barely registered or greeted with growing cynicism as to how meaningful it truly is. If cyber commitments become merely part of the diplomatic fabric, we might have mainstreamed cyber security, but we will not be much closer to having achieved practical solutions to the challenges it presents.
- Secondly, the emerging common themes are clearly not universally shared and agreed, but limited to a (majority) of like-minded state and non-state actors whose interests oppose those of a minority of “malicious actors” or “aggressors”. The risk of balkanisation of cyberspace and its geopolitical and geostrategic implications are well documented. While that conundrum is neither new nor exclusive to cyberspace, it is worth remembering that most new cyber cooperation commitments, at any level, are agreed from a very specific – Western – perspective.
- And thirdly, shared commitment in writing and rhetoric is absolutely a first step, and not least one that is not always guaranteed, as the 2016-17 UN Group of Governmental Experts demonstrates.
- However, for the various fora and agreements at multiple levels to retain their value and credibility, their words will have to be backed up by actions, whose progress towards achieving their shared ambition will also have to be measured and evaluated.
- For the time being, detailed implementation plans beyond high-level commitment remain sparse, and the establishment of agreed evaluation mechanisms remains a challenge even at the national level. Whether established metrics, such as the Global Cybersecurity Index, have a role to play remains to be seen.
A maturing field with huge potential to get it right
So, much like the field of cyber security in general, cyber diplomacy, as a multi-level, multi-stakeholder response to tackling global cyber threats, is maturing. As mind-bogglingly multi-faceted and confusing as the current landscape is, the incorporation of cyber commitments across a variety of agreements is a positive reflection of the importance state and non-state actors attach to cyber security.
Moving forward, there is much scope to build on the progress to date to coordinate action, define responsibilities, implement practical measures to translate commitment into action and set out clear metrics to evaluate if the agreed ambitions have been successfully achieved.
Published date: 02 May 2018
Written by: Katharina Derschewsky