Findings from the IGF’s Best Practice Forum on Cybersecurity

Last year, I participated in the UN’s Internet Governance Forum’s (IGF) Best Practice Forum (BPF) on Cybersecurity. The BPF working groups form part of the IGF’s intersessional work between annual forums, and are designed to facilitate collaborative, community-led research around a certain topic affecting the internet and internet governance. Participating in the BPF  was a great opportunity to lend the DemTech team’s perspective as global democracy advocates, and to elevate the voices of our partners in increasingly critical conversations on global internet governance and cybersecurity. As one of a team of co-authors working on the research paper presented by the BPF at the 2021 IGF, titled Testing Norms Concepts against Cybersecurity Events, my group focused on analyzing how effective specific norms have (and haven’t) been at mitigating adverse cybersecurity events.

If you’re reading this blog, you might know that 2021 wasn’t the best of years for democracy and human rights on the internet. According to the most recent Freedom on the Net report, officials suspended internet access in at least 20 countries last year, while at least 45 countries were suspected of obtaining sophisticated spyware. This year isn’t shaping up to be much better. The presence of sophisticated spyware and its negative impact on democracy advocates stretches back years, and human rights defenders have long been dealing with spyware’s devastating effects. Last year, however, the Pegasus Project revealed to a broader set of actors, including tech companies and governments, just how widespread, unregulated, and unmitigated the private spyware industry has become.

Given this context, we thought it critical in our BPF’s research to center the NSO Group Pegasus incident(s), elevate the voices of those most affected by the gross human rights violations enabled by spyware and the lack of guardrails for its use, and highlight how recent months have seen potentially groundbreaking responses from the global community to the threat of private spyware, both normatively and from a regulatory and policy perspective.

As just one example, the aftermath of the Pegasus Project’s revelations showed what can go right when the private sector takes action against the misuse of its hardware and software, demonstrating responsibility over its users no matter how targeted or at-risk of attack. Take a look at our paper if you’re interested in more specific findings, as well as recommendations for future steps. If you are interested in joining the community of contributors to future reports like this one, join the IGF Best Practice Forum on Cybersecurity!