Global Commission on the Stability of Cyberspace

Abbreviation: GCSC
Established: February 18, 2017
Founders: Dutch MFA, French MFA, Singaporean MFA
Founded at: Munich
Dissolved: November 13, 2019
Type: Multistakeholder Commission
Purpose: "To develop norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace"
Headquarters: The Hague
Origins: 4th Global Conference on CyberSpace
Co-Chair: Marina Kaljurand
Co-Chair: Latha Reddy
Co-Chair: Michael Chertoff
Publication: Advancing Cyberstability
Website: Cyberstability.Org

The Global Commission on the Stability of Cyberspace was a multistakeholder Internet governance organization, dedicated to the creation of diplomatic norms of governmental non-aggression in cyberspace. [1] It operated for three years, from 2017 through 2019, and produced the diplomatic norm for which it was chartered and seven others.

Origins

Together with the Global Forum on Cyber Expertise, the GCSC was a product of the 2015-2017 Dutch chairmanship of the London Process, and particularly the work of Wouter Jurgens who, as head of the cyber security department of the Dutch Ministry of Foreign Affairs, had responsibility for organizing the 4th Global Conference on CyberSpace ministerial, which was held in The Hague April 16–17 of 2015, and formalizing its outcomes. [2] [3] Jurgens had been working for several years on the topic of governmental non-aggression in cyberspace, in collaboration with Uri Rosenthal, Bill Woodcock, Olaf Kolkman, James Lewis, and others who would subsequently become GCSC commissioners. [4]

The GCSC was launched by Dutch Foreign Minister Bert Koenders at the 53rd Munich Security Conference, on February 18, 2017, with a three-year charter, [5] and issued its final report at the Paris Peace Forum, on November 13, 2019. [6]

Published norms

Norm to Protect the Public Core of the Internet

"State and non-state actors should neither conduct nor knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace."

The Norm to Protect the Public Core is the GCSC's principal product, and has been included or referenced in much subsequent legislative and diplomatic work. It was included in the European Union's Cybersecurity Act, which extends the mandate of the European Union Agency for Cybersecurity to include the protection of the public core. [7] The Paris Call for Trust and Security in Cyberspace included a call for compliance with the Public Core norm. [8] The United Nations cites the Public Core norm in the 2019 report of the Secretary General [9] and the report of the Secretary General’s High-level Panel on Digital Cooperation, The Age of Digital Interdependence. [10]

Norm to Protect the Electoral Infrastructure

"State and non-state actors must not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites."

Norm to Avoid Tampering

"State and non-state actors should not tamper with products and services in development and production, nor allow them to be tampered with, if doing so may substantially impair the stability of cyberspace."

Norm Against Commandeering of ICT Devices into Botnets

"State and non-state actors should not commandeer the general public’s ICT resources for use as botnets or for similar purposes."

Norm for States to Create a Vulnerabilities Equities Process

"States should create procedurally transparent frameworks to assess whether and when to disclose not publicly known vulnerabilities or flaws they are aware of in information systems and technologies. The default presumption should be in favor of disclosure."

Norm to Reduce and Mitigate Significant Vulnerabilities

"Developers and producers of products and services on which the stability of cyberspace depends should (1) prioritize security and stability, (2) take reasonable steps to ensure that their products or services are free from significant vulnerabilities, and (3) take measures to timely mitigate vulnerabilities that are later discovered and to be transparent about their process. All actors have a duty to share information on vulnerabilities in order to help prevent or mitigate malicious cyber activity."

Norm on Basic Cyber Hygiene as Foundation Defense

"States should enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene."

Norm Against Offensive Cyber Operations by Non-State Actors

"Non-state actors should not engage in offensive cyber operations and state actors should prevent such activities and respond if they occur."

Other publications

In addition to the Norm to Protect the Public Core and the seven subsequent norms, the GCSC has published several other documents.

Definition of the Public Core, to which the Norm Applies

Early in the process of defining the Norm to Protect the Public Core, the effort was divided into two working groups: one, principally diplomatic, to specify what actions should be precluded; the other, involving subject-matter experts, to specify which infrastructures were deemed most worthy of protection. This latter working group specified a survey of cybersecurity experts, delegated implementation of the survey to Packet Clearing House, and integrated its results to form the Definition of the Public Core, to which the Norm Applies. The definition, under which the "public core of the Internet" includes packet routing and forwarding, naming and numbering systems, the cryptographic mechanisms of security and identity, and physical transmission media, with more specific details attending to each, has since been used by the OECD and others as a standardized description of the principal elements of Internet critical infrastructure. [11]

Statement on the Interpretation of the Norm on Non-Interference with the Public Core

On September 22, 2021, the GCSC released a three-page statement responding, in large part, to Russia's submission to the ITU Council Working Group on International Internet-related Public Policy Issues, Risk Analysis of the Existing Internet Governance and Operational Model. [12] [13] The statement reiterates the GCSC's findings that state actors, not private actors, are the primary threat to Internet stability; that the GCSC believes the multistakeholder model of Internet governance is key to maintaining Internet stability; and that the Internet's critical infrastructure is principally operated by the private sector. [14]

Derivative work

In addition to the norms the commission published, several other organizations were created and efforts undertaken as byproducts of the commission's work.

CyberPeace Institute

One of the most notable derivative outcomes of the GCSC's work was the formation of the CyberPeace Institute, headed by GCSC commissioner Marietje Schaake and Europol veteran Stéphane Duguin. This independent, non-governmental organization has the mission of highlighting the human aspect of cyberattacks. It works in close collaboration with relevant partners to reduce the harms from cyberattacks on people’s lives worldwide. The Institute builds on the GCSC's work by monitoring compliance with its norms and coordinating cyber-attack forensic and analytic efforts that broaden public understanding of norm violations. [15]

Critical infrastructure assessment

As input to the Definition of the Public Core, a global survey of Internet infrastructure security experts was conducted in 2017 by Packet Clearing House, headed by GCSC commissioner Bill Woodcock. [11] [16]

Participants

[Image: Jeff Moss, Marina Kaljurand, Bill Woodcock, Michael Chertoff, Marietje Schaake, KHOO Boon Hui]

Commissioners

Former commissioners

Research Advisory Group

Secretariat

References

  1. Sharwood, Simon (2018-03-22). "Diplomats, 'Net greybeards work to disarm USA, China and Russia's cyber-weapons". The Register. Retrieved 25 June 2021. The USA, China and Russia are doing all that they can to avoid development of a treaty that would make it hard for them to conduct cyber-war, but an effort led by the governments of The Netherlands, France and Singapore, is using diplomacy to find another way to stop state-sponsored online warfare. The group making the diplomatic push is called the Global Commission on the Stability of Cyberspace (GCSC). One of the group's motivations is that state-sponsored attacks nearly always have commercial and human consequences well beyond their intended targets. As explained today in a keynote at Black Hat by GCSC commissioner and executive director of Packet Clearing House Bill Woodcock, those behind state-sponsored attacks are usually either hopelessly optimistic, or indifferent, to the notion that their exploits will be re-used. The results of that faulty thinking are history: the likes of Stuxnet, Flame, Petya and NotPetya did huge damage well beyond their intended targets, imposing massive costs on the private sector.
  2. "4th Global Conference on CyberSpace in The Hague". Diplomat Magazine. 2015-04-05. Retrieved 26 June 2021.
  3. "Wouter Jurgens". MUNK School of Global Affairs. The University of Toronto. Retrieved 26 June 2021. Wouter Jurgens is heading the cyber security department at the Ministry of Foreign Affairs of the Netherlands. He is responsible for the preparations of the 4th Cyber Space Conference to be held in The Netherlands in 2015. This ministerial conference is part of the London Process and will bring together ministers, policy makers, private sector and civil society to discuss, cyber security, freedom & privacy, economic growth & innovation as well as cyber issues related to international peace and security and capacity building.
  4. "Side Event on Cybersecurity and the Way Forward". United Nations Office for Disarmament Affairs. United Nations. 23 October 2015. Retrieved 26 June 2021. The side event was moderated by Wouter Jurgens, Head of the Cyber Security Department at the Dutch Ministry of Foreign Affairs. Uri Rosenthal, Dutch Special Envoy for International Cyber Policies discussed the Global Conference on CyberSpace. The GCCS2015 underlined the importance of the applicability of the UN Charter and international law in the cybersphere. Key points of discussion were measures concerning responsible State behavior, and the protection of critical infrastructure and components of the global Internet. To bring all parties together, the Netherlands has developed the Global Commission on the Stability of Cyberspace. This platform will include all stakeholders and academics to develop new ideas on norms and actions for cyberstability. James Lewis laid out two options to protect cybersecurity. One is to choose the path of disarmament, and ban specific cyberweapons. The other is to choose the path of arms control, and regulate the use of cyberweapons, agreeing on principles of how to use them responsibly, controlled by the laws of armed conflict.
  5. "Launch of Global Commission on the Stability of CyberSpace". The Hague Security Delta. 7 March 2017. Retrieved 13 July 2021. The Kingdom of the Netherlands, together with The Hague Centre for Strategic Studies (HCSS) and the EastWest Institute (EWI) recently announced the establishment of the Global Commission on the Stability of Cyberspace (GCSC): a global body formed to convene key global stakeholders to develop proposals for norms and policy initiatives to improve the stability and security of cyberspace. In 2016 during the Munich Security Conference (MSC) The Netherlands Minister of Foreign Affairs Bert Koenders announced the intention of his government to support the establishment of a GCSC. The GCSC, based in The Hague, will be chaired by Marina Kaljurand, former Foreign Minister of Estonia, and will be composed of over two dozen prominent independent commissioners, from over 15 countries, with the expertise and legitimacy to speak on different aspects of cyberspace. The Commission will develop proposals for norms and policies to enhance the stability of cyberspace.
  6. Blok, Stef (12 November 2019). "Speech by the Minister of Foreign Affairs, Stef Blok, at the launch of the report by the Global Commission on the Security of Cyberspace (GCSC) at the Peace Forum in Paris, 12 November 2019". Dutch Ministry of Foreign Affairs. Retrieved 13 July 2021. This report, compiled by a group of Commissioners from all over the globe, does a number of important things. It consolidates a set of norms and principles for the behaviour of state and non-state actors in cyberspace. It confers a legitimacy that goes beyond the regular dialogues we have in the United Nations. This is because it was a truly multi-stakeholder effort, with the involvement of governments, the tech community and civil society. And finally, it serves as a reminder of the value of consensus. This may not sound spectacular, but it is. There are a lot of divergent opinions out there: About what the rules of the road should be, about who should bear responsibility for what happens, and about how to deal with transgressions. There should be no tampering with the public core of the internet. Internet infrastructure should be regarded as the backbone of modern society. Undersea cables and other vital elements should be off limits. The Global Commission rightly identifies these areas as sacrosanct.
  7. "Regulation (EU) 2019/881 of the European Parliament and of the Council". European Union. 17 April 2019. The public core of the open internet, namely its main protocols and infrastructure, which are a global public good, provides the essential functionality of the internet as a whole and underpins its normal operation. ENISA should support the security of the public core of the open internet and the stability of its functioning, including, but not limited to, key protocols (in particular DNS, BGP, and IPv6), the operation of the domain name system (such as the operation of all top-level domains), and the operation of the root zone.
  8. "Paris Call for Trust and Security in Cyberspace" (PDF). French Ministry of Foreign Affairs. 12 November 2018. We affirm our willingness to work together to prevent activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet.
  9. Guterres, António (4 March 2019). "Report of the Secretary-General" (PDF). United Nations.
  10. "The Age of Digital Interdependence" (PDF). United Nations. Archived from the original (PDF) on 2019-09-04. Retrieved 1 June 2019.
  11. "Definition of the Public Core, to which the Norm Applies" (PDF). Global Commission on the Stability of Cyberspace. 21 May 2018. Retrieved 25 June 2021. As input to its process, a working group of the GCSC conducted a broad survey of experts on communications infrastructure and cyber defense to assess which infrastructures were deemed most worthy of protection. On a scale of zero to ten, with zero being 'unworthy of special protection' and ten being 'essential to include in the protected class,' all surveyed categories ranked between 6.02 and 9.01. Accordingly, the Commission defines the phrase 'the public core of the Internet' to include packet routing and forwarding, naming and numbering systems, the cryptographic mechanisms of security and identity, and physical transmission media.
  12. Russian Federation (9 September 2021). "Risk Analysis of the Existing Internet Governance and Operational Model" (PDF). International Telecommunication Union.
  13. Sharwood, Simon (24 September 2021). "Stop worrying that crims could break the 'net, say cyber-diplomats – only nations have tried". The Register. Retrieved 27 September 2021. Despite recent attempts to cast the main threat to the public core as resulting from cybercriminals, it is in fact states and their affiliates whose activities pose the greatest risks. The document cites an International Telecommunication Union document, submitted by the Russian Federation, suggesting that nation states need to safeguard the Internet core. The GCSC statement points out that Internet governance organisations are not run by governments.
  14. "Statement on the Interpretation of the Norm on Non-Interference with the Public Core" (PDF). Global Commission on the Stability of Cyberspace. Retrieved 22 September 2021.
  15. Untersinger, Martin (26 September 2019). "Le Cyberpeace Institute: une ONG pour défendre la "cyberpaix"". Le Monde. Retrieved 22 September 2021.
  16. Report of the GCSC Critical Infrastructure Assessment Working Group (PDF). Global Commission on the Stability of Cyberspace. November 20, 2017. p. 61. Archived from the original (PDF) on 2021-06-26. Retrieved 26 June 2021.