At the beginning of a week of three separate forums in Paris talking about peace, government technology and Internet governance, French President Emmanuel Macron launched the “Paris Call”, a literal call to support an “open, secure, stable, accessible and peaceful cyberspace”.
This call is another example of President Macron establishing world leadership in striving for economic and social stability in the light of the rise of rampant nationalism. The Paris Call is a call for collaboration of public and private organisations and the public to create new cybersecurity standards to improve cyber protection. In particular, the Paris Call cites the need to capitalise on an existing agreement between countries to fight cybercrime, the Budapest Convention on Cybercrime. This agreement was established to harmonise criminalisation of conduct against and by means of computer systems, networks and data, to facilitate international cooperation of law enforcement agencies in sharing evidence and assisting in arrests and prosecution of criminals in this space.
The message of the Paris Call is absolutely clear. It is a call for cooperation at the international level, shunning the nationalistic and isolationist rhetoric coming, most recently, from leaders like US President Donald Trump.
The Paris Call makes specific mention of the rule of international human rights and the United Nations Charter and its application to information communication technologies. The role of the United Nations in bringing together countries around international agreements is key. The Paris Call was the opening statement on the Paris Peace Forum and the Internet Governance Forum 2018, both being held in Paris with the IGF taking place at UNESCO, an organisation that Trump pulled the US out of.
The Paris Call has received support from 51 states, including all EU members, 90 non-profit groups and 130 private corporations and universities. The notable absentees from signing the pledge were China, Russia, Iran, Israel and the United States, ironically the countries most likely to be in cybersecurity conflict with each other.
A particular addition to the Paris Call is contentious, if for no other reason than it will be difficult to interpret. This is a provision to prevent:
“non-State actors, including the private sector, from hacking-back, for their own purposes or those of other non-State actors.”
“Hacking-back” is an ambiguous term that is used to describe an offensive response to a cyber-attack by private organisations or individuals. It is widely seen as a bad idea for private organisations especially to engage in this practice because it is akin to vigilantism and suffers from all the same problems. The first is “attribution”: actually finding the real perpetrators behind an attack. This is notoriously hard to do and can end up with innocent parties being incorrectly retaliated against. The other problem with “hack-backs” is that retaliatory attacks can themselves cause problems and instability for Internet users as a whole, with these users suffering “collateral damage” from these counter-measures. Finally, it is also highly doubtful whether private organisations acting on their own would actually succeed in achieving very much by taking this course of action rather than handing over the problem to law enforcement agencies.
It is perhaps not surprising that despite the almost universal condemnation of hacking-back, US Republican congressman Tom Graves has introduced a bill to the US Congress that would legalise private organisations wanting to take “active defence measures” while suggesting that they should also avoid “violating the law of any other nation where an attacker’s computer may reside”.
The bill has received little support and so it is interesting that the Paris Call would mention something that is universally considered a bad practice, other than to highlight again that potential policy and laws coming out of the United States should not be supported internationally.
The Paris Call is largely symbolic and does not hold signatories to any formal agreement or actions. It is also not considered perfect, even by those who have signed up to the call. Digital rights group Access Now in particular has noted commitments that should be re-evaluated. The first is that the cooperation and information sharing between countries when tackling cyber-criminals should be based on judicial orders and not an informal and overly broad basis for handing over of personal data from one country to another. The other weakness is seen in the commitment outlined in the Paris Call for the prevention of theft of intellectual property which, if implemented overzealously, could again infringe legitimate sharing of ideas and online information and also interfere with the right to privacy.
Despite its limitations, the fact that the Paris Call has received such wide support suggests wide-scale support for the proposal among countries holding onto a notion that international cooperation is the answer to peace and stability. Only time will tell how this proposal works out in practice.