GENEVA MANUAL

Six United Nations Groups of Governmental Experts (GGE) on information and communications technology (ICTs) have been convened since 2004, resulting in a UN normative framework to promote responsible state behaviour in cyberspace (further referred to as ‘cyber-stability framework’) which includes four pillars: international law, 11 voluntary non-binding norms, confidence-building measures (CBMs), particularly to improve transparency, predictability and stability in the digital space, and capacity building. In 2021, this framework was endorsed and reaffirmed by all the UN member states through adopting the final report of the UN Open-ended working group (OEWG).

However, the ICT infrastructure that makes the digital space such a unique and valuable place is neither owned or operated by states, nor do states have the sole ability to govern it, due to its transnational nature. In fact, most of the ICT infrastructure is owned and operated by thousands of private companies, which also produce the devices, from traditional computers to medical devices, connecting to, and utilising the internet. In addition, technical community sets the standards and has the hands-on knowledge and expertise on running and securing the ICT environment, while civil society, with its broad understanding of social and economic context, wide networks, and ability to reach out to end-users, plays and can play an important role to enhance citizens’ awareness and advocate for their safety and rights.

These stakeholders are often only spectators to the normative processes by states, yet, in the end, they play an important role for the implementation of this normative framework.

Meanwhile, the use of information and communication technologies (ICT) and digital products can be abused by other actors for malicious purposes. This raises security concerns at various levels – from the security of particular users, to matters of international peace and security. States carry primary responsibility for security of its citizens and infrastructure; however, this responsibility is not absolute, as it is clear that they cannot meet these expectations about cyberspace without engaging with other actors: a cooperation between states, private sector, academia, civil society, and technical community is required to ensure an open, secure, accessible, and peaceful cyberspace.

How can non-state stakeholders support states in the implementation of the agreed UN cyber norms and CBMs? Which responsibility do they have and which contribution can they make to address cyber risks and promote responsible behaviour in cyberspace?

The Geneva Dialogue on Responsible Behaviour in Cyberspace (Geneva Dialogue) was established by the Swiss Federal Department of Foreign Affairs and led by DiploFoundation with the support of the Republic and State of Geneva, Center for Digital Trust (C4DT) at EPFL, Swisscom, and UBS to map the roles and responsibilities of various actors in ensuring the security and stability of cyberspace. The Geneva Dialogue stems from the principle of ‘shared responsibility’ and focuses on the implementation of the agreed UN cyber norms by relevant non-state stakeholders as a means to contribute to international security and peace.

Concretely, the Geneva Dialogue organises regular consultations to discuss stakeholders’ agreements and disagreements on the interpretation and implementation of the agreed norms and CBMs, while gathering good practices that can inspire the broader international community. Representatives from four stakeholder groups – private sector, academia, civil society, and the technical community (including the open-source community) from all over the world – actively participate in these regular discussions as Geneva Dialogue experts.

These findings are published in the Geneva Manual on Responsible Behaviour in Cyberspace and offer possible guidance for the international community in advancing the implementation of the agreed norms and establishing good practices. The Geneva Manual offers a multistakeholder perspective on these issues and highlights several open questions to which the Dialogue and international community have yet to provide answers, but which are important for states to better understand the challenges they face.

The inaugural chapter of the Geneva Manual focuses on two UN GGE norms: supply chain security and the responsible reporting of ICT vulnerabilities. The second chapter provides an outlook on three additional UN GGE norms and several confidence-building measures (CBMs) aimed at protecting critical infrastructure.

The Geneva Manual offers an action-oriented approach to cyber stability: it explores the roles (Who), responsibilities and actions (What), and challenges. We also connect actions to norms: in sharing stakeholders’ interpretations of the norms and drawing a direct line between practical actions and diplomatic agreements, the Geneva Manual thus facilitates the understanding of the UN cyber-stability framework and its effective implementation by relevant non-state stakeholders.