I often find it hard to explain anything in the cyber policy realm without pointing out how weird an idea "copyright" is. The easiest way to read Cat's article in the Washington Post is that the PR minions of most big companies want to make it seem like some sort of similar global controls over cyber vulnerabilities and their use are a natural thing, or at least as natural as copyright. In some sense, it's a coalition of the kinda-willing, but that's all the PR people need since this argument is getting played out largely in newspapers.
But just to take one bullet point from the Paris text:
- Develop ways to prevent the proliferation of malicious ICT tools and practices intended to cause harm;
What ... would that mean? You have to ask yourself.
You can paraphrase what software (and other) companies want, which is to find a way to ameliorate what in the industry is called "technical debt" by changing the global environment. If governments could assume the burden of preventing hacking, this would allow for greater risk-taking in the cyber realm by companies. I liken it to the credit card companies making it law enforcement's problem that they built an entire industry on the idea of everyone having a secret number small enough to memorize that you would give to everyone you wanted to pay money to.
From the WP article:
This could make way for other players on the global stage. France and the United Kingdom, Jordan said, are now emerging as leaders in the push to develop international cybersecurity norms. But the absence of the United States also reflects the Trump administration’s aversion to signing on to global pacts, instead favoring a transactional approach to issues, Singer said.
It's not so much "transactional" as it is "practical and workable" because to have a real agreement in cyber you need more trust than is typical of most arrangements. This is driven by the much-reduced visibility into capabilities that is part and parcel of the domain, which frankly I could probably find a supporting quote for in Singer's new book :).
Aside from really asking yourself what it would MEAN IN REAL PRACTICAL TERMS for humanitarian law to apply to the cyber domain, you also have to ask yourself if all the parties in any particular group would AGREE on those meanings.
And then, as a follow-up, ask yourself what the norms are that the various countries really live by, as a completely non-aspirational practicality, and especially the UK and France.