2021 13th International Conference on Cyber Conflict (CyCon) | 2021

Impact of Good Corporate Practices for Security of Digital Products on Global Cyber Stability

 
 
 

Abstract


The exploitation of vulnerabilities in digital products and services is an essential component of sophisticated cyberattacks. Well-resourced adversaries increasingly exploit vulnerabilities for economic, political, or military gain, causing effects that destabilise cyberspace. Several multilateral and multi-stakeholder fora develop norms and principles to reduce such vulnerabilities. The main challenge lies in implementation. Under the Geneva Dialogue on Responsible Behaviour in Cyberspace [1] (Geneva Dialogue), a dozen leading global companies jointly developed a set of good corporate practices that translate high-level principles into day-to-day operations. This paper argues that these practices make cyberspace less vulnerable, and thus contribute to the implementation of global norms and principles. It further analyses key global norms and principles related to the security of digital products and services and the role of industry. It then presents the most relevant results of the ongoing work of the Geneva Dialogue, particularly good corporate practices related to security by design: threat modelling, supply chain security, development and deployment, and vulnerability processes. It discusses how these measures may reduce vulnerabilities, especially for smaller producers whose importance in the supply chain was elevated by COVID-19. It reflects on the need to turn good practices into baseline requirements to support market newcomers and regulators worldwide.

[1] The Geneva Dialogue (https://genevadialogue.ch) is an initiative of the Swiss government and DiploFoundation. Partners of the Geneva Dialogue include BI.ZONE, Cisco, EnSign, FireEye Mandiant, Kaspersky, Huawei, Microsoft, UBS, PNG ICT Cluster, SICPA, Siemens, SwissRe, Tata Consultancy Services, VU, and Wisekey. Good corporate practices regarding the security of digital products and services, discussed in detail in this paper, have been developed through 15 group online meetings and continuous collaboration in the shared document, conducted over 7 months in 2020.

Pages 25-42
DOI 10.23919/CyCon51939.2021.9467805
Language English
Journal 2021 13th International Conference on Cyber Conflict (CyCon)
