The Global Commission on the Stability of Cyberspace (GCSC), a group that works to develop policy the world can follow to keep the internet stable and secure, late last week delivered a final report that outlines its vision for how the nations of the world should behave online.
The GCSC exists because its founders and stakeholders believe the internet has become essential to life but is not safeguarded by the kind of conventions or norms that, in a conventional kinetic conflict, make it plain that schools or hospitals is barbaric.
The organisation is pragmatic enough to believe that some nations will never sign up to such norms because they don’t want restraints on their ability to conduct offensive online operations. But GCSC leaders also feel that if the organisation can create norms and have them adopted by nations and multilateral bodies, it will become possible to paint those who use the Net as a weapon as acting outside acceptable standards of behaviour.
Diplomats, ‘Net greybeards work to disarm USA, China and Russia’s cyber-weapons
That mission took an important step forward last week with the release of the Commission’s final report that outlines those norms.
The proposed norms are:
- State and non-state actors should neither conduct nor knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace.
- State and non-state actors must not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites.
- State and non-state actors should not tamper with products and services in development and production, nor allow them to be tampered with, if doing so may substantially impair the stability of cyberspace
- State and non-state actors should not commandeer the general public’s ICT resources for use as botnets or for similar purposes.
- States should create procedurally transparent frameworks to assess whether and when to disclose not publicly known vulnerabilities or flaws they are aware of in information systems and technologies. The default presumption should be in favor of disclosure.
- Developers and producers of products and services on which the stability of cyberspace depends should (1) prioritize security and stability, (2) take reasonable steps to ensure that their products or services are free from significant vulnerabilities, and (3) take measures to timely mitigate vulnerabilities that are later discovered and to be transparent about their process. All actors have a duty to share information on vulnerabilities in order to help prevent or mitigate malicious cyber activity.
- States should enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene.
- Non-state actors should not engage in offensive cyber operations and state actors should prevent such activities and respond if they occur.
The report describes its emergence as “both an end and a beginning.”
“The Commission has fulfilled its mandate,” the document says. “For the members and supporters of the GCSC, however, as well as all those who support its goals, the hard work required to implement these principles, norms, and recommendations is just beginning.”
The work will be hard because the United Nations has already floated its own norms, and because the GCSC’s effort goes further by seeking to involve and influence the behaviour of non-state actors.
“Multistakeholder engagement is called for in many international agreements, yet it remains contentious,” the report says. “Some continue to believe that ensuring international security and stability is almost exclusively the responsibility of states. In practice, however, the cyber battlefield (i.e., cyberspace) is designed, deployed, and operated primarily by non-state actors, and we believe their participation is necessary to ensure the stability of cyberspace. Moreover, their participation is inevitable, as non-state actors often are the first to respond to—and even to attribute—cyber attacks.”
Attempts to define international infosec rules of the road bogged down by endless talkshops, warn diplomats
With its norms now completed, the GCSC will work to have them widely adopted, and recommended “A standing multistakeholder engagement mechanism be established to address stability issues, one where states, the private sector (including the technical community), and civil society are adequately involved and consulted.” ®