In the WSIS+10 Outcome Document1, while it was recognised that ‘there is a leading role for governments in cybersecurity matters relating to national security’, due recognition was also given to the ‘important roles and contributions of all stakeholders in their respective roles and responsibilities’. Going forward from that meeting, it was re-iterated that ‘a global culture of cybersecurity needs to be promoted and developed’ for which ‘cybersecurity measures should be implemented in cooperation with all stakeholders.’
Certainly, in many instances, governments remain in a position to lead cybersecurity efforts that involve all stakeholders. For instance, it is the government which is best suited to place substantive measures such as national cybersecurity policies that aim at protecting the critical information infrastructure from cyber attacks and building a secure and resilient cyberspace for all. Security of its citizens is indeed the primary responsibility of a government, and that is one reason why traditionally, security has predominantly been a government’s concern. In addition, in the era of the modern state, it is the government that has traditionally had the monopoly over violence and the use of force.2
But the fabric of cyberspace is rather unconventional. Most of the digital infrastructure is not in the government’s hands. Many important decisions are now taken and or influenced by other stakeholders. Even the government’s own decisions with respect to cybersecurity threats have a much larger impact on stakeholders as compared to decisions regarding conventional security threats, like proliferation of nuclear weapons. The challenges of information-technology-based threats to security can only be effectively met if states enter into arrangements with the main creators, custodians and users of cybersecurity risks, which often come from non-state stakeholders. Multistakeholderism is much needed even in cybersecurity.
There is then the important task of establishing a common awareness and understanding of cybersecurity threats among all stakeholders, as well as a common recognition of each stakeholder’s roles and responsibilities, in order to effectively deal and further counter the cybersecurity threats.
However, while some governments may wants those roles and responsibilities to be clearly defined, different stakeholders should be allowed to play different roles. Roles and responsibilities of stakeholder groups will depend on the type of process, and the specific interests involved and with a stake in the outcome of each process. Only by allowing for flexibility can the question of the roles and responsibilities of different stakeholders be settled in a manner that allows every stakeholder group to play its role efficiently, which is crucial for effectively countering cybersecurity threats.
For civil society this is particularly an issue: not only does civil society essentially represent a wide range of different but pertinent interest groups within and across countries, the same civil society group also often does so in a variety of ways. And so sometimes they intervene as experts, while sometimes they voice the concerns of the users. Sometimes they represent non-users and sometimes they are simply there to hold other stakeholders accountable.3
Civil society’s role in the development of public policy principles can illustrate this well. Civil society has acted as experts in providing input and guidance on how to approach policy issues. At other times civil society has played a ‘watch’ role to monitor the behaviour of business or government in order to protect the public interest. In particular, there are cases in which governments are not inclined to uphold the human rights of Internet users. Civil society often plays a key role in representing the interests of such users, and others whose interests are otherwise poorly represented due to democratic deficits at national and international levels.4 Civil society engagement on international governance and security matters is not new and there are scores of examples of areas in which states have accommodated such engagement. Cyber security should not be an exception. Moreover, it is an area that by its very nature and the broad range of normative concerns involved, calls for much deeper civil society engagement than experienced in other areas.5
As it has been the role of civil society that has been questioned the most in cybersecurity, it deserves to be made explicit that civil society has such a variety of roles in this field too.
Cybersecurity itself has best been managed through evolving best practices that involve communication across the user community since the first computers were networked.6 The complex nature of technology that generates cyber threats often makes it difficult to fight potential attackers in advance, therefore the adoption of technical and procedural protective measures at the user-level becomes a crucial element in ensuring cybersecurity. Users remain in key positions as they alone can install technical safeguards for IT security at the most basic level, and civil society is at the best position to mobilise users for that. They can do that by participating in/supporting capacity building efforts or organizing events in tandem with national authorities for the general populace to help understand cybersecurity risks.
Furthermore, civil society often advocates for an adequate balance of investment between the different, yet overlapping policy areas of security, defence, governance, development, and protection and promotion of human rights in cyberspace, which is much needed since a lot of these areas often come into conflict here. For example, internet shut downs in response to national security threats are not an appropriate security measure as rather than restoring order, they cut off access to vital information and prevent people from accessing emergency services. Security is of course important, but it shouldn’t have to come at the cost of risking further lives. Civil society at those times stands for a voice of reason and balance to ensure that the same rights people have offline are also protected online. This is most important to be realised in national cybersecurity policies, and something multistakeholderism can help towards.
In the end, cooperation with others is key to be able to fully understand the threats and better evaluate the effectiveness of each actor’s actions in cyberspace. Therefore, multistakeholderism is the way to go rather than multilateralism even in cybersecurity. Civil society is in a unique position to play multifaceted roles in order to address all angles of cybersecurity issues in depth. If approached effectively and coherently, civil society engagement can afford greater legitimacy and sustainability to on-going cybersecurity norms and processes. Together, these factors will allow for high-quality and balanced outcomes to be achieved for all.