On Nov. 11 at 11:00 a.m., more than 70 world leaders walked towards the Arc de Triomphe in Paris to commemorate the centenary of the end of the First World War and to honor the 19 million people who lost their lives in it. French President Emmanuel Macron delivered a charged speech denouncing nationalism and urging all leaders to pursue peace through multilateralism. On Nov. 12 at the Internet Governance Forum, Macron unveiled France’s first international initiative to that end, the “Paris Call for Trust and Security in Cyberspace.”

Potential Norms for Cyberspace are Fragmented

The Paris Call is not the first of its kind. In April 2018, Microsoft launched its “Digital Peace” campaign along with a “Cybersecurity Tech Accord” aimed at getting the internet and the technology industry to better protect their customers’ privacy and security against cyberattacks. Similarly, Siemens unveiled in May 2018 a “Charter of Trust” that seeks to develop adherence to security principles and processes, with the aim of developing a “global standard” for cybersecurity.

Until those recent developments, norm-building initiatives were the prerogative of states. In 2015, the U.N.’s Group of Governmental Experts (GGE) recognized that international humanitarian law applied to cyberspace, though it then deadlocked when it closed at the end of 2017. Similarly, two blocs—one group led by the United States and another by China and Russia—reached a stalemate at the U.N. Disarmament Commission.

Approaching the issue from various stakeholders’ perspectives, the Paris Call is an attempt to move away from this international deadlock. Macron, at its unveiling at UNESCO, made the case for rebuffing what he described as a binary choice between “a Californian Internet and a Chinese Internet.” So far, he argued, these two opposite narratives have monopolized the debate and imposed two radically different yet unsatisfactory alternatives: either a model of mere technical governance led by Silicon Valley, or an overwhelming regulation led by authoritarian regimes. While the former does not address issues of privacy and malicious actors, the latter cracks down on human rights and could lead to a “balkanisation” of internet and of wider cyberspace.

Same Institutions, New Methods

The Paris Call is a high-level, non-binding document. It does not set out detailed measures, nor does it seek to create new institutions. Instead, it aims to promote existing institutional mechanisms to “limit hacking and destabilising activities” in cyberspace.

The text, written in a format reminiscent of United Nations resolutions, sets out nine goals that represent a compromise of priorities between states, corporations and civil society. Three main themes appear: an inclusive regulatory process, state sovereignty and the protection of citizens.

An Inclusive Regulatory Process

The Paris Peace Forum, an annual event which took place in parallel to the Internet Governance Forum from Nov. 11–14, aims to introduce a new way of tackling global issues by engaging states, corporations and the wider civil society in a bottom-up approach. The Paris Call represents another side of the same coin. Its primary ambition is to gather existing cyber norm initiatives in a single document and to set out a framework for further negotiations.

According to Le Monde, Microsoft first approached the French government to obtain its support for the Tech Accord. However, the country found the Accord too narrow and industry-oriented. Recognizing a trend of norms fragmentation coupled with diplomatic deadlocks, France saw an opportunity to take the lead on governance. But this was only possible if the call achieved two things: First, it needed to widen the scope of existing sector-specific initiatives (Tech Accord, GGE, For The Web) into meaningful norms all actors could get behind. Second, it needed to gather and federate existing initiatives, otherwise it would just contribute to the further fragmentation of norms. So far the call seems to have mostly succeeded, with a notable caveat among state signatories.

Among the 57 state signatories, European countries are the most heavily present. However, almost every continent is represented: among them we find Qatar, South Korea, Mexico, Japan, Canada, Colombia, Morocco, Senegal and New-Zealand. Critically, on release day, key potential signatories such as India or Brazil are not on the list. The absence of such countries may become problematic. While the U.S. (at least for now), China and Russia are unlikely to join, the call will depend on support from states like India and Brazil in order to gain traction within international institutions, primarily the United Nations. Macron, aware of this challenge, suggested that the Internet Governance Forum—a U.N. event—become responsible for monitoring the effective implementation of the call and be moved under the direct supervision of the U.N. Secretary General.

The document has already drawn support from influential non-governmental groups. The World Leadership Alliance, Chatham House, the Carnegie Endowment for International Peace, the World Wide Web Foundation and the Internet Society have committed to its principles. Technical governance bodies, such as the Number Resource Organization and the Asia Pacific Network Information Centre—the region’s internet registry—expressed interest too. Powerful business lobbies are another prominent group of signatories, including notably, Indian business guilds such as the Federation of Indian Chambers of Commerce & Industry, the Internet and Mobile Association of India and the U.S.-India Strategic Partnership Forum. In total, as many as 300 universities, NGOs and professional associations have committed to the call.

In the industrial landscape, France succeeded in attracting both major initiatives: The Tech Accord and the Charter of Trust represent a significant share of the private-sector signatories, as together they represent 85 powerful corporations such as Airbus, Cisco and Facebook. But the call is not a mere shell for existing groups. Notable newcomers include Google, Samsung Electronics, Intel Corporation, Kaspersky Lab, Thales and many other companies, ranging from the banking and insurance industries, to law, commerce and defence.

International Law and State Sovereignty

The document encourages more extensive and better coordinated regulation of cyberspace in the spirit of founding principles of the U.N. Charter, notably the maintenance of international peace and security. It recognizes not only the applicability of international humanitarian law to cyberspace, but of international human rights and customary international law more broadly as well. It also advocates for the development of new ways to prevent intellectual property theft.

The Paris Call, reflecting the view of most states on the matter, seeks to promote the exclusive role of sovereign states in hostile acts in cyberspace. It condemns corporate hack-back and other offensive operations from non-state actors. It also appeals for measures preventing interference with elections, another contemporary hot topic.

Protection of Humans and Infrastructure

Another key theme of the document is the importance of protecting individuals and critical infrastructure from harm. The document presses to safeguard the “public core of the Internet” from hostile actors. This is a clear demonstration of support for a package of norms unveiled by the Global Commission for the Stability of Cyberspace on Nov. 8 in Singapore. Part of the challenge, the signatories recognize, will be countering the proliferation of harmful technologies.

Finally, as a way to engage industries and civil society, the document promotes everyday good practices (“cyber hygiene”) and the implementation of “security by design” in products and services.

What’s Missing

Clearly absent in the text are issues of espionage and state-lead offensive operations. While espionage is and will remain states’ domaine réservé, the international community will struggle to keep offensive operations states’ prerogative, primarily because of the attractiveness of developing non-state proxies for doing states’ bidding. The need to compromise and willingness to gather support across states with various political mindsets means offensive cyber operations was probably out of scope of the call from its inception.

A Roadmap for Future Negotiations

States can no longer forge new norms on their own. In cyberspace more than in any other domain, corporations and other non-governmental organizations play a key role in governance. But states remain key regulators in their jurisdiction and within international institutions. This is why France’s proposal should be welcomed.

Initiatives to create norms in cyberspace are multiplying. But more than anything else, these initiatives seem to have fragmented political will and have so far failed to gather support across the board. Macron hopes the Paris Call will bring fresh momentum to the issue by mounting support from influential parties, notably Silicon Valley’s top companies and emerging powers. The Call is restrained in scope, avoiding the most sensitive activities such as espionage and offensive operations, but this restraint makes it more likely to receive support across a wider group of stakeholders. It is far from a silver bullet; rather it offers a fresh starting point and a framework for negotiations on values and norms of behavior in cyberspace. The Call’s enduring potential will be determined by what concrete measures it produces and how it is received by states such as Brazil and India.