
Cybersecurity from a governance perspective.

During my lifetime I went from a world without computers to ever-present automation in our professional and private lives, on our desks, in our pockets, around our wrists and eventually in every device in our household.

This development brought unequaled opportunity and growth, at least for the roughly 50% of the world’s population that has access to the internet. But it has also brought a sharp divide between the haves and the have-nots, and a constant and increasing set of threats and challenges. Protecting our identity, our privacy, our data and our assets is becoming increasingly difficult, just as it is difficult to decide who and what to rely on when it comes to protecting ourselves from online harm.

Realistically, cybercrime pays, and state and non-state actors mostly get away with malicious behaviour. From a governance point of view, we face a set of challenges that are not easily tackled. And to complicate things further, with an ever-increasing speed of technology development we are shooting at a moving target. Keeping up with the evolving threats is a challenge in itself. Working in government, we concentrated on agreeing rules of the road in cyberspace, trying to catch the bad guys, and building cyber capacity in less developed countries.

It is important to acknowledge that whilst the Internet is universally recognised as part of our critical infrastructure, the ownership makes it different from, say, the public road, which is owned by the government that can decide on the maximum speed and other traffic rules.

But the internet is not; it is owned by everyone, which means its governance and management are shared between governments, private entities, tech platforms, civil society, and so on.

In other words, the rules of the road, the do’s and don’ts, have to be established in dialogue between all these stakeholders. But where do they meet, do they speak the same language, do they share the same sense of responsibility?

So, the rules of the road of the internet are developing slowly, mostly on a voluntary basis, and definitions of war, peace and crime are still relatively unclear. The discourse on this between all stakeholders is ongoing and reflects fundamental differences in world views, for example about the relationship between state and citizen. In the meantime, law and order is difficult to maintain.

And even if we do, if the state tries to enforce the rules, if social media take responsibility for the content on their platforms, imposing consequences on those who break the rules is not a given. States get away with cyber operations in other countries, online criminals have a low risk of getting caught, and private companies that abuse your personal data largely go unpunished. Discouraging (deterring) unwanted behavior seems far from effective.

We need far better situational awareness, for example through threat intelligence sharing between public and private entities, to facilitate attribution, and to enable decision making on what to do in response to transgressors. Public-Private cooperation in this area is far from perfect, and those in possession of threat intel are mostly focused on protecting the target rather than on identifying the culprit through sustained forensic work.

Apart from establishing the rules of the road in cyberspace, and raising the chance of catching the bad guys, governments have a clear responsibility to assist those nations that are less well equipped. A large number of nations are still not capable of protecting their critical infrastructure against cyber-attacks, giving their entire population access to a free and safe internet, affording them the opportunity to benefit from development, and protecting their human rights online. Cyber capacity building is therefore important and in our own interest; violations in our neighbour’s cyberspace will almost certainly spill over into ours. The United Nations have taken the lead in trying to close the digital divide, develop international norms for online behavior, and include cybersecurity in the so-called Sustainable Development Goals. A project like the Global Commission on Stability of Cyberspace (www.cyberstability.org) has also made an important contribution. This all sounds rather bureaucratic and political but is very much needed as one of the building blocks of a safe and free internet for all.

One thing is clear: the internet is a multi-stakeholder undertaking, and so is cybersecurity. Governments, the private sector, civil society and academia must work much more closely together, and it must be a combination of good governance and technical solutions.

After leaving government, I now work with a number of stakeholders who contribute in their own way to security and privacy online. Quad9 DNS, for example, is a recursive DNS resolver that combines a very high level of security with 100% privacy. This Swiss-based non-profit offers a free DNS service around the world, protecting infrastructure, institutions and end users against all sorts of online harm. With server locations in about 100 countries, Quad9 contributes to multi-layer protection for all, including in places where users are most vulnerable to online attacks from crime, spying and in some cases (their own) governments.

Being involved with this effort is a very rewarding way to pursue the goals that I worked on in government, as it allows me to bring together the technical, diplomatic and human rights communities and contribute to the universal cause of a safe and free internet for all.



Independent strategic advisor & board member. Fmr. Cyber Ambassador @MFA NL, Fmr. Director Defense Policy @NATO
