Internet of Things,cybersecurity and governing wicked problems: learning from climate change governance

Concepts and data gathering

In this project, we draw directly on research conducted within the PETRAS Cybersecurity of the Internet of Things research hub (now a National Centre of Excellence) between 2016 and 2019. PETRAS (and specifically the Standards, Governance, and Policy stream within which we worked) was established to provide an evidence-based overview of how we might maximise the significant potential of the IoT while mitigating against the also very significant security issues. Much of our work focused on evaluating and informing national and international policies and measures that are emerging to address the cybersecurity of the IoT. ⁴

The observation that there is inadequate integration of technical advice into the global cybersecurity governance discourse emerged through several years of observation of, and direct participation in, multilateral and multi-stakeholder meetings at the global level where cybersecurity was the central topic of discussion. These included international meetings hosted by the United Nations, the Organization for Economic Cooperation and Development (OECD), the World Economic Forum (WEF), the European Union (EU), various state-led bi-lateral meetings including Track 2 and Track 1.5 delegations, numerous government consultations or workshops and participation in the International and Telecommunications Union (ITU) eighteenth Plenipotentiary in 2018. Many of these meetings included representatives of American tech firms like Google, Amazon, Microsoft, Facebook and Apple, private sector cyber security firms, NGOs (particularly those concerned with privacy and human rights) as well as academics. From 2016 to 2019, we carried out unstructured, informal and semi-formal interviews at these events to ask participants from the global cybersecurity policy community (‘cyber-ambassadors’, diplomats and policy officials responsible for national cybersecurity strategy, the digital economy, etc.) how they envisaged the IoT impacting on their efforts to maintain a peaceful international order in the twenty-first century.

In addition to these engagements, we analysed the (unrestricted) documentation circulated in advance of these meetings and at the conclusion of them to understand how issues arising from the IoT were dealt with. We also analysed the position on global IoT security from eight international organisations. ⁵ Here, we looked at what specific issues were raised and how ‘problems’ were perceived and framed. This type of interpretive work draws on methods from the Social Construction of Technology (SCoT) – a field that focuses on human interaction with technology.

The SCoT provides tools for interpreting actor’s or group’s perceptions of problems that will or might emerge from technological change. Understanding how an actor or community perceives a ‘problem’ with technology reveals much about how they expect it to perform or ‘be’ in a perfect state. And that reveals a lot more about how they hope to shape the world than it does about technology. Debates about the trade-offs inherent in interoperability versus privacy highlight this well. Having IoT devices connect seamlessly to other devices or systems without the need for human interaction makes them easy to use (and perhaps, easier to sell) but also limits the user’s oversight of the ways in which their data may be exploited. A ‘good’ device can be one that is easy to use and easy to profit from or it could be one that promotes human rights. This is not to suggest that these attributes are mutually exclusive or incompatible but rather to highlight that a manufacturer may view the ‘problem’ with any particular technology in quite a different way to a regulator or to civil society. Tracing the perception of a ‘problem’ back to its source is also a way of identifying power dynamics in these transactions because it is those problems perceived by powerful actors that tend to be addressed. ⁶

Building on this observational and documentary work, we also designed and hosted five workshops to bring together people from the global cybersecurity community and the technical community – especially those who work in Cyber Security Incident Response Teams (CSIRTs). CSIRTs form international practitioner networks that respond to cybersecurity challenges by supporting one another and those who are at risk to mitigate against threats. In these workshops, we again employed SCoT concepts of ‘reverse salience’ and ‘closure’ to examine the range of ways in which different actors framed a common problem. ‘Reverse salience’ refers to the point at which a particular technology is being held back from developing further – the battery life of phones, for example. It is often a point at which we see increased innovation and investment. ‘Closure’ refers to the perception that a problem is ‘solved’ and is useful for understanding how different actors or groups conceptualise problems and ‘good’ outcomes. Four of these workshops were held at United Nations Internet Governance Forums in 2016, ⁷ 2017, ⁸ 2018 ⁹ and 2019. ¹⁰ The fifth workshop was held as part of the UK’s inaugural ‘Living in the IoT’ conference co-hosted by the Institute of Engineering and Technology and the PETRAS Cybersecurity of the IoT research hub. ¹¹

We also drew on the literature from Public Policy on ‘wicked problems’ – specifically Daviter’s work on alternative approaches to governing them. ¹² This gave us a framework for analysing how actors are approaching the challenges of cybersecurity of the IoT. This was particularly useful because we were able to draw parallels between the governance of cybersecurity and the climate which provided some avenues for comparison with regard to ‘coping’ or ‘taming’ the perceived problem – as opposed to attempting to ‘solve’ problems.

Finally, guided by these concepts from SCoT and Public Policy, we carried out extensive desk-based research. We conducted a comprehensive analysis of other research projects that sought to address the type of international security and governance problems that we were concerned with. We looked at the research agendas of 58 projects from 26 countries to see where support for addressing this gap might be developed. The review revealed a focus amongst research institutions, both public and private, in Europe, Asia, Latin America and North America, on the technical, economic and social potential of the IoT. Key areas of research were interoperability, innovative business models and data management to ensure consumer trust. Few research projects focused on the security challenges, especially at scale, that the IoT would bring for states and the international community.

This focus on problem framing is important because identifying how problems are perceived, combined with the analysis of relative power dynamics, can be a strong indicator of which ‘problems’ will be addressed. ¹³ Overwhelmingly, through our work, two factors emerged as important in the international discussions about the IoT. First, there was considerable emphasis on how to extract maximum economic value from the IoT. Second, there was a focus on ensuring that human rights were not undermined by pervasive surveillance.

These priorities are really a continuation of those that dominated the previous digital age (characterised by the expansion of the Internet and the World Wide Web) and while they remain relevant to international security in the Fourth Industrial Revolution, they do not fully capture the challenges of the IoT. For the past three decades, the international politics of cybersecurity has largely dwelt upon intellectual property theft, financial breaches and attacks on critical infrastructure. This application of existing priorities to new security vulnerabilities holds up only in the absence of critical input from the technical community. Once their voices and perspectives are introduced, the fragility of the foundations upon which the international policy community has thus far discussed the IoT quickly become visible. Improving this interaction between policy and technical communities then, has global security implications that need to be considered. A starting point for this argument requires some background of what exactly the IoT is and why it matters for international relations.

The Internet of Things and International Relations

The IoT is not a new technology itself. Rather, the IoT refers to a set of interoperable, emerging technologies such as machine learning, algorithmic decision-making, 5G infrastructure and robotics. In 2012, the International Telecommunications Union defined the IoT as ‘a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.’ It is a term that is currently most often used colloquially to refer to household devices like smart kettles or fridges that are connected to the Internet. This usage of the term tends to trivialise cybersecurity concerns and reduce them to the everyday mundane.

In fact, the IoT is short-hand for much broader, complex ‘cyber-physical systems’ in which we see three important elements. The first is a proliferation of sensors in the natural and built environment (also, increasingly on or within the human body) that collect vast quantities of data (light, motion, temperature, etc.). Second, there are tools that analyse and make sense of those massive data flows. And finally, there are ‘actuators’ that, in response to the data analytics, make something happen in the physical world – often without direct human interaction. ¹⁴ The IoT will facilitate and hasten a transformation in how humanity sees itself, having implications for all relations (gender, racial, biocultural, sexual) leading to an expansion in posthuman knowledge systems. ¹⁵

The main distinct features of the IoT that have implications for international relations are the following.

Governing wicked problems

The nature of twenty-first century global challenges such as climate change, pandemics and cybersecurity, has prompted work in the field of Public Policy on ‘wicked problems’. Wicked problems refer to those that are complex, interdependent, interconnected and resistant to solutions. That means that rather than ‘solve’ them, we work instead to ‘tame’ them by dealing with a discreet aspect of a larger problem, or to ‘cope’ with them by utilising existing institutions and mechanisms. ²⁷ This literature allows us to take a different view, not only of our perception of problems, but critically, of what might be novel or useful approaches to addressing those problems.

Wicked problems introduce unprecedented challenges for several reasons. First, wicked problems are inherently destabilising. ²⁸ Typically, they will consist of several sub-problems that have different consequences for both actors and context making any single policy approach ineffective. We already understand that cybersecurity is perceived differently in different political contexts (notions of privacy, human rights, free speech, etc.) but the IoT’s additional layer of insecurity coupled with a complex global supply chain means that it becomes very difficult to imagine any single policy approach proving implementable.

Second, not only are wicked problems difficult to comprehend, they are also difficult to resolve. Ritter observed that a wicked problem is ‘one for which each attempt to create a solution changes the understanding of the problem’. ²⁹ It is common for wicked problems to transform and morph into often more complex problems, with governance interventions frequently having unanticipated perverse outcomes that can compound the impacts. ³⁰ For example, the transition to a decarbonised global economy can result in new natural resource wars and ecosystem destruction as countries become locked into supply chains for lithium. ³¹ And sustaining a thriving data-based economy can undermine individual rights to privacy. The dynamic nature of wicked problems is compounded by an increasing awareness and sensitivity to the interconnections between humans and non-humans and an appreciation of how response measures can exacerbate existing inequities and injustices for marginalised communities.

Third, wicked problems are increasingly transnational making cooperation amongst affected states (and relevant non-state actors) essential to managing the impact. The multilevel, transnational, cross-sectoral interconnected nature of wicked problems means that there are no simple governance or technical solutions. ³² Ultimately, they are problems without an end, and ones that often only become more complex over time as the world becomes more dependent upon the system itself and/or the emergent mechanisms produced to cope with the original wicked problem (such as antibiotic drugs or the Internet).

In an escalation of terminology that recognises gradients of wicked problems, we now see the use of the term ‘super-wicked problem’. The term has increasingly been applied to climate change but can also apply to the IoT. Super-wicked problems have four key features: time is running out; the central authority needed to address the problem is weak or non-existent; those who cause the problem also seek to create a solution; and hyperbolic discounting occurs that pushes responses irrationally into the future. ³³ Climate change poses an existential crisis to the current global political economic system of a magnitude that far exceeds the IoT. Climate change is resulting in differentiated impacts upon peoples, especially vulnerable and marginalised groups (women, ethnic groups, migrants, indigenous peoples and non-human species) in many countries who did not contribute to the crisis. The IoT is frequently, alongside other parts of the emergent cyber-physical global infrastructure, identified as key to mitigating and adapting to climate change through enabling more sustainable natural resource management. The increased dependency on the IoT to address planetary environmental threats escalates the need to ensure that the challenges the technology presents in and of itself are effectively addressed. By not doing so, multiple interconnections will be open to insecurities previously unknown. To manage ‘super-wicked problems’ it is necessary to adopt a creative hybrid approach to policy design, one that has emerged from ‘thinking outside the box’.

Both climate governance and global cybersecurity governance can be described as ‘polycentric’ systems – those in which we see diverse actors exercise considerable independence to make norms and rules within a specific domain like a state or province, a region, a national government or an international regime’. ³⁴ As such, polycentric systems can have multiple governing authorities at different scales. The authorities can take many forms from technical associations to global corporations, non-governmental organisations to governments. ³⁵ We see most benefit where there is effective coordination and collaboration within multilevel, multi-actor models, where they are more fluid and less restrictive than formal state-centric multilateral approaches based on legally binding rule making. ³⁶

According to Black, a normative framework can help to support the emergence of customary practice between all actors contributing to a more predictable and stable, transnational, multilevel order. ³⁷ The rationale here is that stability and predictability can foster more effective cooperation, resulting in a more resilient dynamic governance environment in which innovation can be perpetually nurtured. In such conditions, as the wicked problem morphs over time, it can continue to be managed. Overarching rules or norms then, are important to effectively cope with global wicked problems. ³⁸

Establishing norms is a social process that requires agreement about what constitutes acceptable behaviour amongst relevant parties. ³⁹ However, in climate or cybersecurity governance, the sheer number and heterogeneity of relevant stakeholder configurations can intensify questions of who should be involved in consultation and governance processes. ⁴⁰ It also intensifies the challenges of establishing and maintaining interconnections and communication across all kinds of intellectual and value-based divisions and boundaries. Ostrom argues that in order to avoid the spectre of the Tower of Babel in these settings, a common language framework is needed. ⁴¹ Folke observes that for any common language to be resilient in the long-term, all agents engaged in governance processes must contribute to and share it. ⁴²

Science communication has gained new currency through efforts to deal with the 2020 Covid-19 global pandemic but communicating complex scientific or technical material to a non-specialist audience has long been recognised as key to sound, evidence-based policy making. ⁴³ Although climate governance is far from perfect, one factor that has made a positive contribution to agreed outcomes is the mechanism for reaching some consensus on the science behind climate change and proposed initiatives prior to diplomatic negotiations. Cybersecurity lacks this mechanism in general and that has always been one of the impediments to more coordinated global governance of this issue. But, as discussed above, the IoT exacerbates cybersecurity challenges and makes this all the more urgent to resolve. Looking to other domains like climate governance, where knowledge exchange instruments and processes are more mature, can provide impetus and precedent for implementing similar practices here.

Science advice and communication in climate governance

As noted earlier, the IoT has many similarities to the challenges that have emerged within the climate change context. In both cases, the problems are transboundary in nature, occur at multiple levels across sectors, between institutions, and will impact all actors, both public and private, in complex ways. Issues of accountability, responsibility, liability and rights that the IoT raises for law and policy makers challenge established governance models. As with climate change, state centric, multilateral governance initiatives on cybersecurity are encumbered by political legacy and are unable to address the security complexities. However, we have seen some progress in the context of climate governance that has yet to be matched in the context of the IoT.

Over the last decade a polycentric governance approach to climate change, in which multiple actors are involved in addressing the problem has emerged. ⁴⁴ The most significant milestone in this transition is the Paris Agreement to the UN Framework Convention on Climate Change (UNFCCC). The Paris Agreement emerged in 2015 after two decades of multilateral struggle within the UN system where developed and developing states were pitted against each other over debates about what constituted fair and equitable governance approaches to mitigating against and adapting to climate change. ⁴⁵ A growing frustration with the perceived failure of the UN negotiations to arrive at an agreement fuelled non-state actors’ initiatives and activities, including from those who felt excluded from formal processes especially women, ethnic minorities, indigenous peoples, and children. These actors independent and complementary processes had a lasting legacy on the outcome of the formal UN process. In contrast to the top-down structure of the UNFCCC’s Kyoto Protocol, adopted in 1997, the Paris Agreement has a bottom up structure that formally recognises opportunities for non-state actors to be involved in processes to reach zero net emissions by 2050. ⁴⁶ This is seen as an expression of innovation in governing super-wicked problems with all stakeholders, not just states, encouraged to engage more directly to achieving the overall objective. ⁴⁷ Actors and sectors that are significant greenhouse gas emitters such as aviation, ⁴⁸ cities, ⁴⁹ and forestry, ⁵⁰ set their own targets, standards and ambitions to contribute to the Paris Agreement objective. Critically, through its implementation framework, the Paris Agreement will facilitate monitoring and reporting processes that will help to build reflexive and agile governance models based on data from a wider range of actors.

In the UN climate change governance model, technical advice is continually provided to the climate change negotiations through the International Panel on Climate Change (IPCC), and the Subsidiary Body on Science and Technological Advice (SBSTA). The IPCC’s knowledge claims have underpinned the slow but steady push for global policy action since the late 1980s. Key claims from IPCC reports inform the UNFCCC negotiations, especially the annual Conference of the Parties (COP). Advisory bodies, such as the SBSTA, also rely on the IPCC for scientific experts when invited by parties to draft text on specific issues related to mitigation and adaptation policies and measures. The IPCC collates peer-reviewed research in a format that is usable for negotiators, policy makers, business and civil society and it has maintained a solid foundation for knowledge sharing and the emergence of a common language, no matter how disputed the findings may be for policy development.

This means that there is a common scientific language for negotiators to draw on at the COPs and these knowledge sharing mechanisms have been fundamental to enabling greater collaboration across a fragmented institutional and organisational landscape. Indeed, the IPCC reports have an influence well beyond the UNFCCC negotiations. IPCC reports, and the scientific data they draw on, also inform the policies and measures of many other international environmental agreements such as those on biodiversity, pollution, as well as human rights and indigenous peoples’ approach to climate change related issues. Also, numerous organisations focused on specific sectors and aspects of climate change, for instance the World Trade Organisation, the International Civil Aviation Authority, and the International Maritime Organisation use IPCC reports to inform their climate related negotiations.

It is important to acknowledge that having a recognised foundation of best available knowledge like the IPCC source does not prevent disputes over policy priorities and regulatory approaches. Jasanoff has argued that the IPCC has ‘projected an impersonal, apolitical and universal imaginary of climate change science that cuts against the grain of common sense’ denying other sites of knowledge production such as indigenous peoples. ⁵¹ The IPCC’s ‘performative’ power that shapes fields of political possibility – to put certain policy options on the table, while potentially obscuring others – is increasingly becoming a significant source of social, economic and political contestation as the world looks to decarbonise. ⁵²

These blurred lines between scientific advice and shaping the policy landscape are not new – they have been evident in the context of digital technologies for decades and are central to current work on science diplomacy. ⁵³ Despite the IPCCs flaws and with a full appreciation of the underlying, and ongoing issues that have surfaced during its history, the IPCC can become a reference point for future decision-making, knowledge exchange and learning. ⁵⁴ It can also become a model for improving the technical support needed by those involved in global security issues that take the form of similarly super-wicked problems.

In the context of the IoT, a foundation for an international framework could yet emerge to facilitate coordinating initiatives, establishing platforms for knowledge exchange and capacity development. Yet the form that any international framework might take will no longer necessarily mirror traditional international governance arrangements such as treaties, conventions and declarations. An emergent polycentric governance model for the IoT and cyber physical technologies for the twenty-first century may well not require the same institutional structures of those adopted by states in the late twentieth century. What emerges from current and future multilevel and multi-stakeholder initiatives may reflect the paradigm shift that Durante argues is taking place in ICT in which the world is ‘moving from a State-based form of regulation towards multi-agent and multi-level forms of regulation’. ⁵⁵

In the next section we demonstrate how a polycentric governance system is emerging to address security issues in relation to the IoT but that the continued lack of coordination of recognised technical advice (in part indicative of embedded differences between states like the US, China and Russia) is holding back progress.

The IoT and global governance of cybersecurity

States first seriously addressed cybersecurity related issues within a multilateral forum after 1998 when the UN General Assembly passed a Russian-sponsored resolution expressing concern that information and communication technologies (ICTs) could be used for purposes that may ‘adversely affect the security of States’ ⁵⁶ and ‘divert an enormous amount of resources that are so necessary for peaceful creativity and development’. ⁵⁷ In response, the UN Committee for Disarmament and International Security (the First Committee) which deals with disarmament and threats to the international community, established a Group of Governmental Experts on Developments (UNGGE) in the Field of Information and Telecommunications in the Context of International Security in 2004. Subsequently, states regularly meet within the UNGGE – always the five permanent members of the Security Council plus a growing list of increasingly interested states. The primary focus during this time has been on avoiding state sponsored cyber warfare and preventing escalation to a kinetic conflict.

One of the key achievements of the UNGGE has been the development in 2015 of 11 proposed norms of responsible state behaviour in cyberspace. Although the UNGGE failed to reach consensus on how to progress those norms during the 2017 negotiations, both Russia ⁵⁸ and the United States ⁵⁹ have subsequently sponsored UN General Assembly resolutions calling for meetings between sovereign states to resume in order to continue to focus on advancing international cooperation on ICT and cybersecurity issues. ⁶⁰ This has been expanded to include the Russian initiative of the Open Ended Working Group which allows all states to participate.

Within the UNGGE process, several countries have promoted the IoT as a separate discussion point. However, they did so without tabling any concrete views on what it is about the IoT that differs from, or additionally informs, the international cybersecurity discourse. ⁶¹ Other countries pointed out that without a clear understanding about whether and how the emergence and proliferation of the IoT affects international peace and security, there is no reason to address the issue in the UNGGE. The IoT has only featured in three written submissions to the UNGGE. One expert specifically mentioned the IoT as a low priority for the purposes of the UNGGE. Another expert emphasised that whatever new technologies will be addressed, it is essential to keep in mind the determination of threats to international peace and security deriving from Article 39 of the UN Charter. ⁶² The third expert wrote that (developing) countries will need assistance in developing IoT related policies.

Those UNGGE participants that did appear to have more than a superficial understanding of the IoT still regarded it as too complex to discuss. At the fifth UNGGE in 2017 it was suggested that ‘new and serious threats are brought about by new technological systems, notably by the IoT, autonomous robotic systems, ICT abuse in the political interests on the cognitive levels etc.’ and that experts were expected to discuss ‘norms addressing new emerging threats, e.g. IoT’. ⁶³ Importantly, a technologically advanced country pointed out that the development of technologies, such as the IoT, may further blur data jurisdiction in the future. However, the expert of this country concluded that although an interesting academic issue, this was too complex an issue to discuss in the UNGGE at this time. The interim conclusion of the UNGGE was to focus on continued technological development and the growing technological divide rather than singling out or addressing the IoT.

This sense of being overwhelmed by the implications of emerging technologies is understandable – especially for those in domestic or international policy roles who may have a complex portfolio or who may have transitioned into a cybersecurity role from an unrelated previous post (or both). This is exactly where technical advice and support becomes so important but in the UNGGE process, this takes place at a domestic level rather than a joined up, international level. In an effort to inject some much needed technical literacy into the process, UNIDIR hosted a day-long meeting in August 2019 at which technical experts and policy academics were asked to present high level introductions to some emerging technological systems – including the IoT. ⁶⁴ Essentially though, this forum remains devoid of any coordinated, agreed technical or science advice.

Recognising the need to incorporate more actors into discussions of global cybersecurity, the UN Secretary General launched a Strategy on New Technology and established a High-level Panel on Digital Cooperation (HLPDC) that included leading figures from the international technology business community from the global north and the global south. ⁶⁵ The HLPDC report was published in June 2019 and several governance approaches to foster cooperation and collaboration were proposed. ⁶⁶ One concrete proposal was for the UN Secretary-General to appoint a Special Envoy on Technology akin to the UN Secretary-General’s Special Envoy for the 2019 Climate Change Summit (which has subsequently happened) – a clear indication that the existing lack of technical knowledge exchange that we have identified in our own research is becoming increasingly seen as a limiting factor in global governance of emerging technologies. In May 2020, a Roadmap for Digital Cooperation was agreed to by the UN to implement the HLPDC in which it was agreed the Special Envoy on Technology would be appointed by 2021 to facilitate capacity building, especially in developing countries.

For many, the attraction of the IoT is in capturing the economic value and exploiting the potential of new business models. In 2017, the McKinsey Institute estimated that by using the IoT to link the physical and digital worlds ‘up to $11.1 trillion a year in economic value’ could be generated by 2025. ⁶⁷ In an early effort to engage with this issue, the Organisation for Economic Cooperation and Development (OECD) emphasised the necessity of technical security if the economic value was to be fully harnessed in a 2016 report. ⁶⁸ The OECD’s report however placed more focus on individual products rather than the potential economic instability that could result from the IoT being embedded within critical infrastructure such as health, energy, and transport systems. Other forums, such as the G7 and G20 have taken a similar approach to the OECD, focusing on consumer products more so than critical infrastructure and the industrial IoT. However, the coordination and joined up thinking necessary to approach a complex technological shift like the IoT remains missing in these forums.

Some forums do explicitly bring together the policy and technical communities. The UN Internet Governance Forum (IGF) is an annual event at which issues of global internet governance and cybersecurity are discussed in a multi-stakeholder setting. While the IGF does attract a good mix of technical, policy and industry participants, somewhat frustratingly (although also predictably) they tend to cluster in likeminded groups rather than using the opportunity to explore alternate perspectives. While some policy participants will use the opportunity to learn more about technical elements they are engaged with, it is less common to have technical participants join in policy sessions. In effect, the policy and technical communities can quite easily spend a week at the same venue and rarely interact – an indication that proximity alone is not an adequate catalyst for real interconnections.

In recent years, there have been plenty of technical sessions on the IoT and related developments at the IGF. Perhaps one of the most significant policy relevant initiatives emerged at the 2014 IGF, when a Dynamic Coalition on IoT ⁶⁹ began to develop a ‘good practice’ paper to promote the ethical development of IoT. Through a multi-stakeholder process including intersessional regional workshops and online forums the Dynamic Coalition on IoT developed a draft ‘IoT Good Practice’ paper placing emphasis on procedural norms such as transparency, usability and accountability. ⁷⁰

As a forum with no decision-making authority, the IGF sometimes struggles for relevance. To some extent, we see a power shift away from this and other multi-stakeholder Internet forums established in the 1990s by the US under a neo-liberal order. Yet European preference for the IGF as an advocate of a rights-based model for cyber systems governance, including the IoT, remains high. This was evident when the President of France, Emmanuel Macron, proposed that the IGF report directly to the UN General Secretary, receive a budget (currently the IGF relies on donations) and help promote multilateralism. ⁷¹ The future of the IGF will depend on developments out of its control. For now, Europe appears to be taking it on to bolster its rights-based approach to cyber stability including the IoT. Meanwhile the HLPDC’s Road Map for Digital Cooperation has the IGF as the lead forum to build cooperation globally.

The International Telecommunications Union (ITU), a technical standard setting body, was an early advocate of the need to consider the security of the IoT. The ITU does provide space for the engagement of technical and policy groups, but the processes are deeply politicised for a number of complex reasons – not least being the ‘one flag, one vote’ principle that promotes lobbying of disinterested countries by major powers or alliances. In addition, the ITU is a hybrid UN organisation which is member based and not as transparent in its processes as other agencies. Access to materials is restricted so important deliberations that will affect the governance landscape of the IoT globally, based on different jurisdictional approaches, receives limited analysis by researchers.

One organisation that has adopted an assertive approach to addressing this governance gap in cybersecurity of the IoT is the World Economic Forum. The WEF has integrated agendas on the environment, economy and technology to invest in research to advance ideas that support a sustainable IoT. ⁷² As the founding organisation for the concept of a Fourth Industrial Revolution, the WEF is keen, like many state and non-state actors, to promote the potential transformative benefits of the IoT, not just economically, but also socially and environmentally. ⁷³ With a vision of the interconnections between these domains, the WEF also recognises the failure by states to address pressing issues regarding digital technologies, security, and governance which hold back the secure widespread adoption of these technologies.

In May 2019, working alongside major tech companies, multinationals, government representatives, academics and civil society, the WEF established six Global Fourth Industrial Revolution Councils, including one on the IoT, to guide multistakeholder collaboration, research and thought leadership. The initiative is indicative not only of the WEF’s belief in cyber physical systems as fundamental to achieving sustainable future economic growth but also that the international governance and legal system is not fit to deliver the coordinating framework any time soon. Signalling its intent to prioritise this, the WEF will intends to host a tier one summit in late 2020 – on the same level as the annual WEF Davos meeting.

Such a circumvention of traditional international institutions at points of deadlock in negotiations is not unusual. Forest certification emerged when international negotiations over an international treaty became gridlocked. ⁷⁴ What could be different with this particular private sector governance initiative over emerging technologies globally is the unprecedented scale and potential political, economic, social and environmental implications that such interventions could have. The absence of effective international leadership in assuming responsibility for setting and steering the strategic governance design to cope with the super-wicked problem of IoT security issues is becoming all too evident. Particularly lacking is the necessary engagement with the technical sector which will be essential if any significant progress is to be made to create a more cyber secure environment in the near-future.

Conclusion

Geopolitics remains as integrally linked to technological innovation as it ever did but future collaboration on global ‘super-wicked problems’ may well be more problematic now as interests are not so clearly aligned. In the first two decades of the twenty-first century, the diverse interconnections between humans and non-humans at multiple scales across time and space are coming to shape international relations responses to global problems. It is clear that governing the IoT will not, indeed arguably cannot, take the same trajectory as the one adopted to address climate change. Climate change governance had its foundational roots firmly set within the state centric exclusive international relations systems. However, those seeking to tame the ‘wicked problem’ of IoT cybersecurity can draw on the hybrid manoeuvre which the Paris Agreement demonstrated to circumvent gridlock within state-based negotiations to draw upon the potential of other vested interests, business especially, to become part of a more diffused governance approach. Having a shared language such as that provided by the IPCC would contribute to easing collaboration between the technical community, businesses and government policy-makers. ⁷⁵ The appropriate organisation to fill this role is not immediately apparent though perhaps a UN digital technology advisor as proposed by the UNHLP on Digital Cooperation would be one option as a first step.

What has become increasingly clear is that the mechanisms, forums and instruments developed to address the global security problems of emerging technologies are not able to cope with the demands of the last decade of technological innovation and are in no way equipped to move forward into the next decade. The Paris Agreement broke the mould in which it was cast: that being a state-centric hierarchical rules based top-down treaty. In doing so, Falkner argues, it lay the foundations for a ‘the new logic of international climate politics’. ⁷⁶ The Paris Agreement created spaces for the multiple interconnections that existed globally to be made visible. It modelled a path for those impacted, not only by climate change but also by the response measures, to have their voices heard, to begin to claim power, and to shape policy that addressed their own priorities – especially women in developing countries, indigenous peoples and displaced peoples. Arguably, the same needs to happen in the global governance of technology and it is the capacity for IoT systems to result in physical harm that are most likely to be the catalyst for this transformation.

Governing the global security challenges that emerge from the IoT will call for state level regulation, international coordination and the involvement of a broad array of other public and private actors. Central to and essential to sound decision-making in this sphere, will be much improved mechanisms for providing technical support to the policy community. We are not without precedent for significant progress in the mitigation of global security problems. But it is clearly past time to stop looking over the same ground within cybersecurity, strategic studies and international relations for inspiration to move forward in the governance of emerging technologies. Multidisciplinary approaches are essential at the academic level, bringing together computer science, engineering, economics, diplomacy and legal scholars is an integral element to strengthening both technical and policy discussions in practice settings. How to do that effectively will be the challenge of our time and achieving it will transform global cyber (in)security more profoundly than any technical innovation alone.