As part of the Stimson Report: “Cyber Accountability – Improving cyber accountability and deterring malicious cyber activity” (see the full report here), Anne-Marie Buzatu, Executive Director of ICT4Peace and James Siebens of Stimson wrote this comprehensive end very informative case study:

“Private Actors, State Responsibility – What lessons does the private security industry hold for regulating private sector actors in cyberspace?” See the Case Study here.

“This case study delves into the crucial role of the Montreux Document and the International Code of Conduct for Private Security Service Providers (ICoC) in clarifying states’ responsibilities and legal obligations under international law, and setting standards for Private Military and Security Companies (PMSCs). These mechanisms for accountability challenge the assumption that private operators and proxies in cyberspace are ungovernable. Instead, the authors argue that a mosaic approach can reaffirm the responsibilities of both states and private companies under international law. This case study illustrates how the combination of international legal interpretations, contractual agreements, voluntary codes of conduct, industry standards, and national legislation can create strong market incentives and shape behavior.”

 

Key Takeaways and Recommendations

“The successful implementation of the UN Framework for Responsible Behavior in Cyberspace can be significantly enhanced by adopting a model akin to the Montreux Document and ICoCA.

This approach would necessitate a multi-stakeholder forum, fostering a collaborative environment for states, private sector entities, civil society, and international organizations. Clients, academics, and other subject-matter experts could also provide useful contributions.

Such a platform would not only encourage dialogue but also facilitate the sharing of best practices and experiences. Drawing inspiration from the International Code of Conduct for Private Security Service Providers, a specialized code of conduct tailored for cyberspace actors could be developed.

This code would outline responsible behavior and practices in line with international norms, emphasizing the need for a human rights-centric approach in the digital age. Regular review and adaptation of these norms would ensure their relevance in the face of evolving cyber threats and technological advancements.

Accountability and transparency are pivotal in the realm of cyberspace governance, much as they are in the regulation of private military and security companies. Robust mechanisms to monitor adherence to these norms, similar to the third-party audits and assessments used for private security companies under the ICoCA, would be instrumental.

For instance, in cases of information communication technology (ICT) incidents, two of the voluntary and non-binding norms for responsible state behavior in the use of ICTs that have been adopted by the UN would benefit from these suggested accountability practices.

Norms 13 (b) and 13 (h) encourage states to actively participate in information exchange and mutual assistance, in a process organized by a centralized platform with a multistakeholder oversight framework.

Moreover, the implementation of the norm that calls to ensure the integrity of the ICT supply chain (which also relates to Norm 13 (i)) and the non-harming of other states’ emergency response teams (Norm 13 (k)) would greatly benefit from enhanced international cooperation and accountability measures that could be provided under such a platform.

Operationalization of the 11 norms for Responsible State Behavior in Cyberspace would be bolstered through a collaborative and multi-faceted, multistakeholder approach, underpinned by the principles of accountability, international cooperation, and human rights.

The Montreux Document and ICoCA can serve as inspiration, demonstrating the effectiveness of meaningful multistakeholder engagement and the adoption of a code of conduct in addressing complex security issues. By drawing on these models, the implementation of the norms can be strengthened, ensuring a more secure, stable, and responsible cyberspace for all actors involved.

***********

Kindly see also Anne-Marie Buzatu’s groundbreaking ICT4Peace paper of 2022 “From Boots on the Ground to Bytes in Cyberspace: A Mapping Study on the use of ICTs in Security Services by Commercial Actors”    https://ict4peace.org/wp-content/uploads/2022/09/ICT4Peace_Mapping_Study_ICTs_PSCs.pdf

 

Private Actors, State Responsibility