The big idea emerging from the Global Conference on Cyberspace 2015—the latest iteration of the London Process—is the Global Forum on Cyber Expertise (GFCE). According to The Hague Declaration, the GFCE will facilitate “inclusive and greater collaboration in the area of capacity building and exchange of expertise in the cyber domain.” These purposes, and the language describing them, suggest the forum will target low-hanging fruit. Although skepticism might eventually prevail, the GFCE reflects policy needs, normative principles, and political interests that make it potentially significant.
Under its Framework Document, the GFCE will be “a flexible, action-oriented and consultative forum” involving “countries, companies and intergovernmental organisations.” In a “voluntary, complementary, inclusive and resource driven” manner, the forum will “build cyber capacity and expertise” through initiatives on cybersecurity, cyber crime, data protection, and e-governance. GFCE activities will be non-binding but consistent with international law, including human rights, and will “contribute to bridging the digital divide.” The GFCE will inventory existing capacity-building activities, facilitate new projects, and host high-level policy discussions. The forum has forty-two founding members—twenty-nine countries, seven private-sector entities, and six intergovernmental organizations.
Cybersecurity policy reflects three overlapping but distinct tracks that, at present, reflect different prospects for international cooperation:
- Most countries classify cyber threats under traditional security categories—crime, terrorism, espionage, and armed conflict. Increasingly, policy and law in each category confront problems that limit the effectiveness of collective action.
- Frustrated by worsening cyber threats, a number of countries—including the United States—are developing “full spectrum” capabilities, including offensive capabilities, to deter state and non-state adversaries. This approach raises different challenges, including how deterrence works in cyberspace, but they are not traditionally addressed through international cooperation.
- Countries have adopted an “all hazards” approach to cyber threats that involves improving cyber due diligence, defensive, and resilience capacities, including information sharing, especially for cyber-enabled critical infrastructure. As The Hague Declaration observed, “the area of capacity building and exchange of expertise within the cyber domain is rapidly becoming one of the most important topics on the international cyber agenda.”
The GFCE enhances the “all hazards” track and its momentum in cyber diplomacy. It seeks to build capacity to defend against the range of cybersecurity threats, including threats from criminals and threats to digital data. The GFCE will not displace existing capacity-building activities, but it aims to link and weave these disparate efforts into a bigger, stronger global regime for strengthening cyber due diligence, defense, and resilience.
Cyber capacity building is becoming prominent because all states need to improve their cybersecurity. However, the GFCE also has a normative edge in embracing a multistakeholder approach to improving cybersecurity as part of achieving “a free, open and secure cyberspace.” This approach and rhetoric connects with the multistakeholder model of Internet governance and Internet freedom issues that have been sources of contention among states. The GFCE’s references to human rights are also important. The Hague Declaration mentions the Universal Declaration of Human Rights and International Covenant on Civil and Political Rights. It also states the GFCE will be consistent with the UN Guiding Principles on Business and Human Rights, which addresses the human rights responsibilities of companies. These principles cover civil and political rights (e.g., not exporting technologies governments use to violate freedom of expression) and economic, social, and cultural rights (e.g., facilitating use of Internet-enabled technologies to advance the rights to education and health). Less developed is the objective of bridging the digital divide. This concept is associated more with expanding access to information and communication technologies (ICTs) than strengthening cybersecurity. These goals are not incompatible, and the GFCE might support initiatives that increase access to more secure ICT services and narrow the digital divide.
Although cyber capacity building is important to many states, the GFCE particularly aligns with U.S. interests. In keeping with its commitment to capacity building, the United States supports the GFCE and announced two initiatives with the African Union to improve cybersecurity in Africa, one with Japan and Australia on Southeast Asia, and one with Canada on worldwide cyber threats. But, the GFCE is important to the United States for reasons beyond capacity building. The GFCE allows the United States to show pragmatic leadership in an area of policy need, and the forum reinforces normative principles the United States has long championed. The GFCE helps U.S. efforts to push past damage Snowden caused to its reputation and diplomatic relations. U.S. prominence in the GFCE contrasts with the absence of China and Russia in the list of founding members. In addition, the U.S. initiatives in Africa and Southeast Asia demonstrate that, despite Snowden, countries will partner with the United States in ways and on a scale no other cyber power can match.