[Read more session reports and live updates from the 13th Internet Governance Forum]
The Global Commission on the Stability of Cyberspace (GCSC) presented its eight proposed norms for state and non-state behaviour. The initial two, on protecting the public core of the Internet and on protecting electoral infrastructure, were followed by the six norms of the 'Singapore package', which address tampering with products, vulnerability disclosure and responsibility, botnets, cyber-hygiene, and the conduct of offensive cyber operations by non-state actors. The discussion focused in particular on ways to enforce norms in general, and on the differing positions of the main global actors.
Welcome remarks to the session were provided by Ms Marina Kaljurand, Chair of the GCSC and former Foreign Minister of Estonia. Mr Michael Chertoff, GCSC Co-Chair, Co-founder and Executive Chairman of the Chertoff Group, and former Secretary of the US Department of Homeland Security, recalled that the GCSC was launched in 2017 at the Munich Security Conference to promote norms for state and non-state behaviour that could contribute to the stability and security of cyberspace. The GCSC brings not only governments but also civil society and other actors into this dialogue, as its commissioners are former government officials, technical community experts, and academics. The GCSC has also launched a research programme to support the discussion of norms.
The eight norms developed and proposed by the GCSC so far were presented briefly. According to Mr Wolfgang Kleinwächter, Professor Emeritus at the University of Aarhus, former ICANN Board Member, and former Special Ambassador of the NETmundial Initiative, the call to protect the public core of the Internet was introduced to protect the naming and numbering system. Even though ICANN, which manages critical Internet resources, has its own Security and Stability Advisory Committee, the increasing risk of attacks on the root server system requires joint efforts to prevent such operations. The GCSC further defined the public core of the Internet as including 'packet routing and forwarding, naming and numbering systems, the cryptographic mechanisms of security and identity, and physical transmission media'. The call to protect electoral infrastructure was issued in response to increasing threats to election infrastructure and democratic processes. Ms Marietje Schaake, Member of the European Parliament, introduced the norm, emphasising that its purpose is to protect voting as a universal human right.
Opening the box of the 'Singapore package', Mr Bill Woodcock, Executive Director of Packet Clearing House, presented the norm against tampering as one concerned with the indirect effects of actions against products (or 'pre-positioning' an attack, in military jargon) rather than with direct attacks: the question is how to avoid products being compromised before they are shipped to end users. The two main problems with tampering are that the embedded vulnerabilities get exploited by others as well, not just by their authors, and that this destroys trust in digital products and services. Mr Olaf Kolkman, Chief Internet Technology Officer of the Internet Society (ISOC), presented the norm against commandeering information and communications technology (ICT) devices into botnets. He explained that commandeering means using a device without the knowledge of its user and for malicious purposes, and that the norm focuses on botnets because of their increasing use in cyber-attacks.
The two norms presented by Mr Christopher Painter, former Coordinator for Cyber Issues at the US State Department and Principal Visiting Fellow at The Hague Centre for Strategic Studies, focus on vulnerabilities. The first calls on states to create a vulnerability equities process, responding to the reality that states increasingly stockpile and use vulnerabilities to support their intelligence and cyber-operations. While disclosing them to vendors would improve the security of products, it is more realistic to ask states to build a transparent process for deciding whether and when to disclose vulnerabilities that are not publicly known, how this is done, and by whom. The second norm, to reduce and mitigate significant vulnerabilities, underlines the responsibility of other actors, particularly developers of products and services, to do their utmost to increase the stability of cyberspace.
Defence is vital, and cyber-hygiene is an important component of it, said Ms Anriette Esterhuysen, Director of Global Policy and Strategy at the Association for Progressive Communications, presenting the norm on basic cyber-hygiene as foundational defence. While responsibility is distributed across all actors, including users, institutions bear a greater responsibility to help with the widespread adoption of cyber-hygiene and with capacity building, to enable safer and more secure use. The final norm of the 'Singapore package', the norm against offensive cyber operations by non-state actors, reflects the reality that cyber-attacks by non-state actors are increasing. Ms Frédérick Douzet, Professor at the French Institute of Geopolitics at Paris 8 University and Chair of the Castex Chair of Cyber Strategy, underlined that states have an international obligation of due diligence, i.e., to prevent or react to attacks originating from their territory. She warned that some states cannot control non-state actors on their territory; some states prohibit such practices by law, while others do not. In essence, offensive measures should be reserved for states only, not for non-state actors.
The discussion that followed revolved mainly around the interests states have in accepting these norms, the enforcement of the norms, and the benefits and limitations of the 'name and shame' approach towards states. A particular thread concerned the philosophical differences between the main geopolitical actors, the importance of the concept of sovereignty for international relations and for the duties of states, and whether defining the increasingly popular concept of cyber-sovereignty might help bridge the gaps. As next steps, it was noted that the GCSC might develop one or two more norms (possibly on artificial intelligence (AI)), but that it will focus more on exploring ways to steer other processes with its proposed norms.
By Vladimir Radunović