Global Commission on the Stability of Cyberspace

The Global Commission on the Stability of Cyberspace
Abbreviation: GCSC
Established: February 18, 2017
Founders: Dutch MFA, French MFA, Singaporean MFA
Founded at: Munich
Dissolved: November 13, 2019
Type: Multistakeholder Commission
Purpose: "To develop norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace"
Headquarters: The Hague
Origins: 4th Global Conference on CyberSpace
Co-Chair: Marina Kaljurand
Co-Chair: Latha Reddy
Co-Chair: Michael Chertoff
Publication: Advancing Cyberstability
Website: Cyberstability.Org

The Global Commission on the Stability of Cyberspace was a multistakeholder Internet governance organization, dedicated to the creation of diplomatic norms of governmental non-aggression in cyberspace. [1] It operated for three years, from 2017 through 2019, and produced the diplomatic norm for which it was chartered and seven others.

Origins

Together with the Global Forum on Cyber Expertise, the GCSC was a product of the 2015-2017 Dutch chairmanship of the London Process, and particularly the work of Wouter Jurgens who, as head of the cyber security department of the Dutch Ministry of Foreign Affairs, had responsibility for organizing the 4th Global Conference on CyberSpace ministerial, which was held in The Hague April 16–17 of 2015, and formalizing its outcomes. [2] [3] Jurgens had been working for several years on the topic of governmental non-aggression in cyberspace, in collaboration with Uri Rosenthal, Bill Woodcock, Olaf Kolkman, James Lewis, and others who would subsequently become GCSC commissioners. [4]

The GCSC was launched by Dutch Foreign Minister Bert Koenders at the 53rd Munich Security Conference, on February 18, 2017, with a three-year charter, [5] and issued its final report at the Paris Peace Forum, on November 13, 2019. [6]

Published norms

Norm to Protect the Public Core of the Internet

"State and non-state actors should neither conduct nor knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace."

The Norm to Protect the Public Core is the GCSC's principal product, and has been included or referenced in much subsequent legislative and diplomatic work. It was included in the European Union's Cybersecurity Act, which extends the mandate of the European Union Agency for Cybersecurity to include the protection of the public core. [7] The Paris Call for Trust and Security in Cyberspace included a call for compliance with the Public Core norm. [8] The United Nations cites the Public Core norm in the 2019 report of the Secretary General [9] and the report of the Secretary General’s High-level Panel on Digital Cooperation, The Age of Digital Interdependence. [10]

Norm to Protect the Electoral Infrastructure

"State and non-state actors must not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites."

Norm to Avoid Tampering

"State and non-state actors should not tamper with products and services in development and production, nor allow them to be tampered with, if doing so may substantially impair the stability of cyberspace."

Norm Against Commandeering of ICT Devices into Botnets

"State and non-state actors should not commandeer the general public’s ICT resources for use as botnets or for similar purposes."

Norm for States to Create a Vulnerabilities Equities Process

"States should create procedurally transparent frameworks to assess whether and when to disclose not publicly known vulnerabilities or flaws they are aware of in information systems and technologies. The default presumption should be in favor of disclosure."

Norm to Reduce and Mitigate Significant Vulnerabilities

"Developers and producers of products and services on which the stability of cyberspace depends should (1) prioritize security and stability, (2) take reasonable steps to ensure that their products or services are free from significant vulnerabilities, and (3) take measures to timely mitigate vulnerabilities that are later discovered and to be transparent about their process. All actors have a duty to share information on vulnerabilities in order to help prevent or mitigate malicious cyber activity."

Norm on Basic Cyber Hygiene as Foundation Defense

"States should enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene."

Norm Against Offensive Cyber Operations by Non-State Actors

"Non-state actors should not engage in offensive cyber operations and state actors should prevent such activities and respond if they occur."

Other publications

In addition to the Norm to Protect the Public Core and the seven subsequent norms, the GCSC has published several other documents.

Definition of the Public Core, to which the Norm Applies

Early in the process of defining the Norm to Protect the Public Core, the effort was divided into two working groups: one, principally diplomatic, to specify what actions should be precluded; the other, involving subject-matter experts, to specify which infrastructures were deemed most worthy of protection. This latter working group specified a survey of cybersecurity experts, delegated implementation of the survey to Packet Clearing House, and integrated its results to form the Definition of the Public Core, to which the Norm Applies. This definition, under which the "public core of the Internet" includes packet routing and forwarding, naming and numbering systems, the cryptographic mechanisms of security and identity, and physical transmission media, with more-specific details attending to each, has since been used by the OECD and others as a standardized description of the principal elements of Internet critical infrastructure. [11]

Statement on the Interpretation of the Norm on Non-Interference with the Public Core

On September 22, 2021, the GCSC released a three-page statement responding, in large part, to Russia's submission to the ITU Council Working Group on International Internet-related Public Policy Issues, Risk Analysis of the Existing Internet Governance and Operational Model. [12] [13] The statement reiterates the GCSC's findings that state actors are the primary threat to Internet stability, not private actors; that the GCSC believes that the multistakeholder model of Internet governance is key to maintaining Internet stability; and that the Internet's critical infrastructure is principally operated by the private sector. [14]

Derivative work

In addition to the norms the commission published, several other organizations were created and efforts undertaken as byproducts of the commission's work.

CyberPeace Institute

One of the most notable derivative outcomes of the GCSC's work was the formation of the CyberPeace Institute, headed by GCSC commissioner Marietje Schaake and Europol veteran Stéphane Duguin. This independent, non-governmental organization has the mission to highlight the human aspect of cyberattacks. It works in close collaboration with relevant partners to reduce the harms from cyberattacks on people’s lives worldwide. The Institute builds on the GCSC's work by monitoring compliance with its norms and coordinating cyber-attack forensic and analytic efforts that broaden public understanding of norm violations. [15]

Critical infrastructure assessment

As input to the Definition of the Public Core, a global survey of Internet infrastructure security experts was conducted in 2017 by Packet Clearing House, headed by GCSC commissioner Bill Woodcock. [11] [16]

Participants

[Image: GCSC-at-PPF-2019-945px.jpg. Pictured: Jeff Moss, Marina Kaljurand, Bill Woodcock, Michael Chertoff, Marietje Schaake, KHOO Boon Hui]

Commissioners

Former commissioners

Research Advisory Group

Secretariat

References

  1. Sharwood, Simon (2018-03-22). "Diplomats, 'Net greybeards work to disarm USA, China and Russia's cyber-weapons". The Register. Archived from the original on 2021-06-25. Retrieved 25 June 2021. The USA, China and Russia are doing all that they can to avoid development of a treaty that would make it hard for them to conduct cyber-war, but an effort led by the governments of The Netherlands, France and Singapore, is using diplomacy to find another way to stop state-sponsored online warfare. The group making the diplomatic push is called the Global Commission on the Stability of Cyberspace (GCSC). One of the group's motivations is that state-sponsored attacks nearly always have commercial and human consequences well beyond their intended targets. As explained today in a keynote at Black Hat by GCSC commissioner and executive director of Packet Clearing House Bill Woodcock, those behind state-sponsored attacks are usually either hopelessly optimistic, or indifferent, to the notion that their exploits will be re-used. The results of that faulty thinking are history: the likes of Stuxnet, Flame, Petya and NotPetya did huge damage well beyond their intended targets, imposing massive costs on the private sector.
  2. "4th Global Conference on CyberSpace in The Hague". Diplomat Magazine. 2015-04-05. Archived from the original on 2021-06-26. Retrieved 26 June 2021.
  3. "Wouter Jurgens". MUNK School of Global Affairs. The University of Toronto. Archived from the original on 26 June 2021. Retrieved 26 June 2021. Wouter Jurgens is heading the cyber security department at the Ministry of Foreign Affairs of the Netherlands. He is responsible for the preparations of the 4th Cyber Space Conference to be held in The Netherlands in 2015. This ministerial conference is part of the London Process and will bring together ministers, policy makers, private sector and civil society to discuss, cyber security, freedom & privacy, economic growth & innovation as well as cyber issues related to international peace and security and capacity building.
  4. "Side Event on Cybersecurity and the Way Forward". United Nations Office for Disarmament Affairs. United Nations. 23 October 2015. Archived from the original on 26 June 2021. Retrieved 26 June 2021. The side event was moderated by Wouter Jurgens, Head of the Cyber Security Department at the Dutch Ministry of Foreign Affairs. Uri Rosenthal, Dutch Special Envoy for International Cyber Policies discussed the Global Conference on CyberSpace. The GCCS2015 underlined the importance of the applicability of the UN Charter and international law in the cybersphere. Key points of discussion were measures concerning responsible State behavior, and the protection of critical infrastructure and components of the global Internet. To bring all parties together, the Netherlands has developed the Global Commission on the Stability of Cyberspace. This platform will include all stakeholders and academics to develop new ideas on norms and actions for cyberstability. James Lewis laid out two options to protect cybersecurity. One is to choose the path of disarmament, and ban specific cyberweapons. The other is to choose the path of arms control, and regulate the use of cyberweapons, agreeing on principles of how to use them responsibly, controlled by the laws of armed conflict.
  5. "Launch of Global Commission on the Stability of CyberSpace". The Hague Security Delta. 7 March 2017. Archived from the original on 13 July 2021. Retrieved 13 July 2021. The Kingdom of the Netherlands, together with The Hague Centre for Strategic Studies (HCSS) and the EastWest Institute (EWI) recently announced the establishment of the Global Commission on the Stability of Cyberspace (GCSC): a global body formed to convene key global stakeholders to develop proposals for norms and policy initiatives to improve the stability and security of cyberspace. In 2016 during the Munich Security Conference (MSC) The Netherlands Minister of Foreign Affairs Bert Koenders announced the intention of his government to support the establishment of a GCSC. The GCSC, based in The Hague, will be chaired by Marina Kaljurand, former Foreign Minister of Estonia, and will be composed of over two dozen prominent independent commissioners, from over 15 countries, with the expertise and legitimacy to speak on different aspects of cyberspace. The Commission will develop proposals for norms and policies to enhance the stability of cyberspace.
  6. Blok, Stef (12 November 2019). "Speech by the Minister of Foreign Affairs, Stef Blok, at the launch of the report by the Global Commission on the Security of Cyberspace (GCSC) at the Peace Forum in Paris, 12 November 2019". Dutch Ministry of Foreign Affairs. Archived from the original on 13 July 2021. Retrieved 13 July 2021. This report, compiled by a group of Commissioners from all over the globe, does a number of important things. It consolidates a set of norms and principles for the behaviour of state and non-state actors in cyberspace. It confers a legitimacy that goes beyond the regular dialogues we have in the United Nations. This is because it was a truly multi-stakeholder effort, with the involvement of governments, the tech community and civil society. And finally, it serves as a reminder of the value of consensus. This may not sound spectacular, but it is. There are a lot of divergent opinions out there: About what the rules of the road should be, about who should bear responsibility for what happens, and about how to deal with transgressions. There should be no tampering with the public core of the internet. Internet infrastructure should be regarded as the backbone of modern society. Undersea cables and other vital elements should be off limits. The Global Commission rightly identifies these areas as sacrosanct.
  7. "Regulation (EU) 2019/881 of the European Parliament and of the Council". European Union. 17 April 2019. Archived from the original on 20 January 2022. Retrieved 22 September 2021. The public core of the open internet, namely its main protocols and infrastructure, which are a global public good, provides the essential functionality of the internet as a whole and underpins its normal operation. ENISA should support the security of the public core of the open internet and the stability of its functioning, including, but not limited to, key protocols (in particular DNS, BGP, and IPv6), the operation of the domain name system (such as the operation of all top-level domains), and the operation of the root zone.
  8. "Paris Call for Trust and Security in Cyberspace" (PDF). French Ministry of Foreign Affairs. 12 November 2018. Archived (PDF) from the original on 5 September 2021. Retrieved 22 September 2021. We affirm our willingness to work together to prevent activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet.
  9. Guterres, António (4 March 2019). "Report of the Secretary-General" (PDF). United Nations. Archived (PDF) from the original on 27 September 2021. Retrieved 22 September 2021.
  10. "The Age of Digital Interdependence" (PDF). United Nations. Archived from the original (PDF) on 2019-09-04. Retrieved 1 June 2019.
  11. "Definition of the Public Core, to which the Norm Applies" (PDF). Global Commission on the Stability of Cyberspace. 21 May 2018. Archived from the original (PDF) on 8 March 2021. Retrieved 25 June 2021. As input to its process, a working group of the GCSC conducted a broad survey of experts on communications infrastructure and cyber defense to assess which infrastructures were deemed most worthy of protection. On a scale of zero to ten, with zero being 'unworthy of special protection' and ten being 'essential to include in the protected class,' all surveyed categories ranked between 6.02 and 9.01. Accordingly, the Commission defines the phrase 'the public core of the Internet' to include packet routing and forwarding, naming and numbering systems, the cryptographic mechanisms of security and identity, and physical transmission media.
  12. Russian Federation (9 September 2021). "Risk Analysis of the Existing Internet Governance and Operational Model" (PDF). International Telecommunication Union.
  13. Sharwood, Simon (24 September 2021). "Stop worrying that crims could break the 'net, say cyber-diplomats – only nations have tried". The Register. Archived from the original on 27 September 2021. Retrieved 27 September 2021. Despite recent attempts to cast the main threat to the public core as resulting from cybercriminals, it is in fact states and their affiliates whose activities pose the greatest risks. The document cites an International Telecommunication Union document, submitted by the Russian Federation, suggesting that nation states need to safeguard the Internet core. The GCSC statement points out that Internet governance organisations are not run by governments.
  14. "Statement on the Interpretation of the Norm on Non-Interference with the Public Core" (PDF). Global Commission on the Stability of Cyberspace. Archived (PDF) from the original on 22 September 2021. Retrieved 22 September 2021.
  15. Untersinger, Martin (26 September 2019). "Le Cyberpeace Institute: une ONG pour défendre la "cyberpaix"". Le Monde. Archived from the original on 29 July 2021. Retrieved 22 September 2021.
  16. Report of the GCSC Critical Infrastructure Assessment Working Group (PDF). Global Commission on the Stability of Cyberspace. November 20, 2017. p. 61. Archived from the original (PDF) on 2021-06-26. Retrieved 26 June 2021.