Global commission on stability of the cyberspace, towards a cyber stability framework

Event report

[Read more session reports and live updates from the EuroDig 2019]

This session, organised by the Global Commission on the Stability of Cyberspace (GCSC), featured discussions on recent actions of the GCSC in developing a definition and underlying principles of cyber stability and addressing gaps in the international cybersecurity architecture.

Ms Latha Reddy (Co-Chair, GCSC) introduced the work of the Commission, launched at the 2017 Munich Security Conference to develop norms and policies to enhance international security and stability and guide responsible state and non-state behaviour in cyberspace. Apart from norms and definitions, the GCSC is also working on a regime complex tool, to be released with its final report, to analyse the approximately 150 draft norms proposed by various organisations in the field, and see how they could fit together.

The session moderator, Mr Alexander Klimburg (Director, GCSC Initiative and Secretariat), then invited members of the commission to present the eight draft norms that will be fully released by the end of the year.

Mr Wolfgang Kleinwächter (Professor Emeritus, University of Aarhus) presented the early work of the Commission, in particular its first norm to protect the public core of the Internet. Kleinwächter indicated that in recent months, there was an increase of attacks against the public core of the Internet, and this should trigger a wake-up call for all actors.

Ms Marietje Schaake (Member of European Parliament) then presented the Commission’s norm to protect electoral infrastructure. This norm takes its roots partly in the UN Charter (with the principle of ‘non-interference’). Electoral manipulations are a very important issue, and there need to be national measures taken by states, as well as an international co-operation to address intrusions, but commitments should also involve all stakeholders, including the private sector.

Mr Bill Woodcock (Executive Director, Packet Clearing House) presented the draft norm to avoid tampering with digital products and services. This norm targets in particular the issue of nation-states tampering with tech companies, an action which often leads to undermining users’ trust in the private sector, including in relation to cryptography.

Mr Xiaodong Li (Research Professor of the Chinese Academy of Sciences and CEO of China National Engineering Laboratory of Internet Naming and Addressing Technologies) then presented the norm against commandeering of ICT devices into botnets. For Li, the more devices are connected to the Internet, the more botnets become a significant issue, especially with the rise of Distributed Denial of Service (DDOS) attacks.

Mr Christopher Painter (Former Coordinator for Cyber Issues, US State Department) detailed the norm for states to create a vulnerability equities process. This norm stems from the recognition that there is a tension between, on the one hand, the fact that vulnerabilities discovered should be made public to manufacturers, and, on the other hand, the wish of states to retain such vulnerabilities for criminal. This norm outlines that there must be reasons why states retain vulnerabilities, and that the default solution should be disclosure. Painter also elaborated on the draft norm to reduce significant vulnerabilities. A lot of norms from the United Nations Group of Governmental Experts (UN GGE) are directed towards state actors, but the private sector also bears responsibility. This norm thus states that developers and producers of core parts of the Internet should prioritise stability and security, and that all actors have the duty to share information.

Mr Abdul-Hakeem Ajijola (Founding & Steering Committee Member, Organisation of Islamic Cooperation – Computer Emergency Response Team (OIC-CERT)) presented the norm on basic cyber hygiene as foundational defence. Ajijola argued that responsibility is distributed among all actors. Fundamental measures can be taken by all to prevent, mitigate, and recover from certain types of cyberattacks.

Ms Anriette Esterhuysen (Director of Global Policy and Strategy, Association for Progressive Communications) concluded by detailing the norm against offensive cyber operations by non-state actors. Several non-state actors believe that they should have the right to hack back, in automating responses to cyber-attacks. This situation generates instability, and there is a need for states to control and respond to such developments.

Then, Painter presented the Commission’s work on definitions of cyber stability in cyberspace, and of stability itself. Both definitions are not static as they refer to dynamic concepts and environments. More importantly, stability is based on adherence to the existing international law, common understandings of acceptable behaviour, transparency, and confidence-building measures facilitated through capacity-building.

Schaake and Kleinwächter pointed out that a number of national and international actors have already partly endorsed these draft rules and principles, which were also referred to in the Paris Call, the new EU Cybersecurity Act, and the Microsoft-led Tech Accord in the past months.

Several members of the Commission signalled their intention to find a new context to bring these draft norms forward, referring for instance to the London Process, as well as the Internet Governance Forum (IGF). Kleinwächter argued that these are only the early days of the international cybersecurity architecture, and that creativity is needed to develop new mechanisms to address these issues.

Concluding the session, two observers were provided with the opportunity to offer their perspective on these developments. Ms Lynn St Amour (Chair of the IGF’s Multistakeholder Advisory Group) argued that norms are useful, but tend to proliferate. There is a need for a more concise approach to norms-setting, especially as most do not offer mechanisms to actually enforce and monitor them (as shown by the Paris Call). The IGF appears as an appropriate vehicle to advance these issues and help validate norms at the global level.

Mr William Drake (International Fellow, University of Zurich) reflected on the current scepticism around norms’ institutionalisation. If some argue that only binding norms have impact on states’ behaviours, norms remain really important, as they reshape discussions and international dialogues. To be influential, they need to be embedded in an international regime, as shown by recent work at the level of the World Trade Organization (WTO). The IGF appears thus as a good avenue in moving further, as it already provides with high-level discussions at ministerial level between states to engage on these issues.

By Clément Perarnaud