- During the first Wilton Park dialogue, there was broad agreement among participants that the principles of accountability, legitimacy, transparency and inclusivity are the cornerstones of responsible cyber behaviour. Participants at the second dialogue affirmed the centrality of these principles in defining responsible cyber behaviour.
- Participants discussed the United Nations’ (UN) voluntary, non-binding cyber norms. Some participants noted that the implementation of these norms is a journey and that States have different speeds and require different types of support and assistance. Other participants observed that, while at one point in time simplicity may have been a virtue of these norms, the threat landscape has evolved and they may require further elaboration. One participant explained that Norm 13(e) (on the protection of digital rights) is in particular need of elaboration because there is currently too much ambiguity as to how human rights apply online and under what circumstances their enjoyment can be lawfully restricted. Some participants went further and expressed concern that gaps in the UN’s cyber norms framework may have emerged – for instance, the theft of intellectual property in cyberspace was seen as a significant threat that may not be covered by the existing norms. However, other participants questioned the prudency of exploring whether new norms are needed, suggesting it may open up a “Pandora’s Box”.
- Participants stressed the importance of ensuring accountability for breaches of the UN’s norms on responsible cyber behaviour. One participant suggested that States should consider moving from a retributive to a restorative model of accountability. This participant explained that, in certain circumstances, the retributive model may not always be the appropriate approach and can come across as “heavy handed”. Rather, we should think about why States have fallen short in meeting the UN’s cyber norms and work with them constructively to help raise compliance.
- Accountability was also discussed in the context of cyber capacity building, which was identified as an important tool in raising cyber security standards and ensuring responsible cyber behaviour. While participants explained that providers should be transparent about what support they offer, to whom, and on what basis, others went further and suggested that there must be accountability for the way providers engage in cyber capacity building. One participant explained that there must also be accountability for recipients in order to ensure that cyber capacity building projects are worth the time and resources. This type of accountability process requires a consideration of how the effectiveness of cyber capacity building is measured, assessed and reported.
- Participants observed that non-State actors continue to play an important role in cyber security and cyber governance and that the concept of “responsible cyber behaviour” encompasses such actors. In light of this, some participants considered whether bespoke rules and standards should be developed for the private sector, especially given the power they possess when compared with developing States – one participant even noted the potential for “big tech tyranny”. Self-regulation is important but will not always be sufficient. National and regional regulation may therefore be necessary, but even this may not be enough in a global domain such as cyberspace and thus global standards may need to be set. One participant suggested that the “Ruggie Principles” on business and human rights may be a useful model when developing standards for the private tech sector. Some participants pointed out that the private sector is not homogenous and regulatory frameworks cannot treat all private actors the same, which poses a significant challenge when developing standards of responsible cyber behaviour for these actors. Moreover, developing such standards raises the difficult question of accountability – how can private actors be held accountable to these standards and, in particular, what accountability mechanisms are available, are they effective, or will new mechanisms need to be developed?
- The shape, constitution and mandate of future cyber governance processes were also discussed. Given the challenging geopolitical landscape, participants noted that national, regional and multilateral cyber governance processes have become increasingly important. However, some participants noted that the proliferation of such processes imposes significant resource costs on States and, for this reason, cyber security discussions should be centralised as far as possible in the UN or, if cyber security discussions are needed in other forums, it should be explained whether and how they relate to UN discussions. Moreover, these participants explained that to drive forward norm-development, ensure accountability, develop cyber capacity building and build confidence among cyber stakeholders, a global approach to cyber security is needed and the UN has the legitimacy to do this. One participant noted that inclusivity is critical because States are unlikely to comply with norms that they have not had the opportunity to shape.
- Some participants expressed concern as to what UN cyber governance process will take over from the UN Open-Ended Working Group (OEWG) when its mandate comes to an end in 2025. Several participants explained that whatever this future process looks like, States need to think critically about the strengths and weaknesses of the current OEWG and, in particular, how its strengths can be maintained and its weaknesses jettisoned. Noting the lack of effective participation of non-State actors in the current OEWG, these participants underscored that, if a “whole of society” approach to cyber security is to be achieved, all relevant stakeholders must have the opportunity to participate meaningfully in future cyber governance processes and initiatives.
- To enhance legitimacy and transparency, participants emphasised that States should develop legal and ethical frameworks to govern their behaviour and operations in cyberspace. In particular, this requires States to adopt national laws, policies and strategies on cyber security, as well as national positions on the application of international law to cyberspace, and to make them publicly available. Further, they explained that these initiatives should be seen as iterative processes that must evolve in step with technological developments.