Advancing cyberstability – final report of the Global Commission on the stability of cyberspace

27 Nov 2019 13:15h - 14:15h

Event report

[Read more session reports and updates from the 14th Internet Governance Forum]

The session discussed the final report of the Global Commission on the Stability of Cyberspace (GCSC) ‘Advancing Cyberstability’, the norms developed since the establishment of the Commission in 2017, and the recommendations proposed to achieve cyberstability.

Inspired by the Global Conference on Cyber Space, also called the ‘London process’, the GCSC was established with the goal of influencing responsible behaviour in cyberspace. As Ms Latha Reddy (Co-Chair, GCSC; and former Deputy National Security Advisor, India) explained, the commission was initiated by the Hague Centre for Strategic Studies (HCSS) and the EastWest Institute (EWI), aiming to bring a strong multistakeholder approach into a state-led dialogue on international peace and security.

Among the features of the GCSC framework, three stand out: the multistakeholder engagement, the implementation of cyberstability principles, and the development and implementation of voluntary norms. As explained by Mr Christopher Painter (Former Coordinator for Cyber Issues, US State Department), cyberstability is defined by a status quo in which ‘everyone can be reasonably confident in their ability to use cyberspace safely and securely’. With this approach, the work of the GCSC in ensuring cyberstability has been based on four principles: the shared responsibility of the different stakeholders involved, restraint by state and non-state actors from engaging in harmful actions, the requirement to reduce the escalation of tensions, and the respect for human rights. As Reddy further highlighted, the GCSC aims to represent an addition to the existing ecosystem of multiple initiatives, and its success is clearly shown by the endorsement of the GCSC principles in the TechAccord and the Paris Call for Trust and Security in Cyberspace, as well as their embedment into the European Union’s Cybersecurity Act.

The report identifies eight norms, described by Mr Olaf Kolkman (Chief Internet Technology Officer, Internet Society (ISOC)) and Ms Anriette Esterhuysen (Director of Global Policy and Strategy, Association for Progressive Communications).

1. The first norm relates to the protection of the public core of the Internet and to the prohibition of conducting malicious activities meant to damage ‘the notion of general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace’. While a definitive definition of the public core of the Internet has not been agreed upon, a working understanding of it includes, but is not limited to, packet routing and forwarding, naming and numbering systems, the cryptographic mechanisms of security and identity, and physical transmission media.
2. The second norm refers to the protection of the electoral infrastructure as an important component for keeping states and cyberspace stable. This norm explicitly focuses on the technology aspect in ensuring that cyber activities do not disrupt the infrastructure behind elections, referenda, or plebiscites.
3. The third norm requires avoiding tampering with products and services.
4. The fourth norm requires state and non-state actors not to commandeer the general public’s ICT resources for use as botnets or for similar purposes.
5. The fifth norm calls upon states to create procedurally transparent frameworks to disclose vulnerabilities through the Vulnerability Equity Processes (VEP).
6. Similarly, the sixth norm refers to the reduction of significant vulnerabilities: all actors have a duty to share information to mitigate malicious cyber-actions.
7. The seventh norm refers to the establishment of basic hygiene as a foundational defense by public and private entities.
8. Finally, the eighth norm is strictly meant to prevent non-state actors from engaging in malicious cyber-activities and calls for accountability under international law of those governments sponsoring these non-state actors.

Mr Wolfgang Kleinwächter (Professor Emeritus, University of Aarhus, former member of the ICANN Board of Directors, and former Special Ambassador of the NETMundial Initiative) complemented this framework by highlighting the six recommendations proposed in the report. These recommendations call for both state and non-state actors to promote stability, ensure that violations of the norms have meaningful consequences, foster the sharing of information, stress the importance of stability in cyberspace, and finally, to strengthen multistakeholderism in promoting responsible behaviour in cyberspace. As Kleinwächter further added, the Internet is a decentralised system and it requires decentralised governance.

Questions from the audience raised the issue of ensuring the effectiveness of the implementation mechanisms, especially in implementing principles in a context guided by power and interests, and highlighted how different organisations and initiatives can create a ‘silotisation’ of the efforts. Mr Alexander Klimburg (Director, GCSC Initiative and Secretariat) addressed these concerns, explaining that different organisations have diverse mandates and therefore the goal should be a coherence of silos rather than a convergence of different silos.

By Stefania Grottola