From the course: Cybersecurity Foundations

Understanding cyber norms

- [Instructor] The principles tabled at the First Cyberspace Conference have evolved into the United Nations Cyber Norms, the rules of normally acceptable behavior for any nation using the internet. These are managed by the group of governmental experts at the UN's Office for Disarmament Affairs, UNODA. The United Nations encourages peaceful use of the internet through adherence to the set of cyber norms and through an active program of cyber diplomacy. UNODA provides a full training course on cyber diplomacy, which includes a module on cyber norms, rules and principles. Implementing cyber norms isn't always easy, however.

The first cyber norm is cooperation between states in order to increase stability and cybersecurity, and to discourage harmful cyber practices, particularly those that might impose threats to international peace and security. There's been a lot of progress on cooperation, with nations maintaining a technical focus and avoiding political issues.

The second cyber norm is a duty of care over incidents. This means not jumping to conclusions and making sure that all aspects of the incident are considered. This includes addressing the challenges of determining accurate attribution and understanding the impact that's occurred. This is important to avoid misunderstandings and wrongful blame escalating into a more serious event.

The third cyber norm is that states should not knowingly allow their territory to be used for malicious cyber activities, including launching cyber attacks and running malicious servers. This is a challenging norm to uphold, especially when private citizens or groups respond to international events by launching private attacks or when a state relays their attacks through another country.

The fourth cyber norm is similar to the first in that it involves cooperation between states. However, the focus in this norm is to counter terrorist and criminal use of cyber. The norm suggests that nations exchange information, assist each other and pursue prosecution as part of bi- and multilateral cooperation.

The fifth cyber norm is to respect human rights on the internet, including freedom of expression and privacy online. There are many cultural challenges in meeting this norm and challenges also with the growing use of misinformation and oversight of social media. As a result, this norm encourages nations to apply the same rights online as exist in their nation offline.

The next norm is similar to the third norm, encouraging nations not to carry out or support malicious cyber activities, but with a focus on those that impact critical infrastructure. This is the first of three norms relating to critical infrastructure. Following this is the second critical infrastructure norm, encouraging nations to proactively protect their critical infrastructure from attack. The third critical infrastructure norm is that nations are encouraged to respond to requests from other nations whose critical infrastructure is under attack, particularly where that attack emanates from or relays through their nation.

The ninth cyber norm is to take steps to protect the supply chain from being compromised, starting with nations where information technology products are designed and developed. This is a challenging norm for technology-producing countries where the temptation to subvert equipment is high. The 10th norm is about sharing vulnerability information between nations to support early global mitigation. The final norm, again, encourages nations not to carry out or support malicious cyber activity, this time with a focus on the systems of the Computer Emergency Response Teams of other nations.

Take a moment to consider the fifth cyber norm, which covers freedom of expression and privacy online. We're seeing a lot of hateful commentary on the internet, some of which is nation-state generated to influence another nation's opinion. Is this okay, because we're encouraging freedom of speech? Consider the privacy of terrorists communicating about an attack they're planning. Should they be allowed to do this in private? And if not, then how do we manage legitimate privacy concerns?

The United Nations cyber norms set out what are generally accepted behaviors on the internet and have evolved significantly from the initial London principles. While laudable, there is a big gap between what nations accept as global norms and what they practice as global participants.
