Global Commission on the Stability of Cyberspace

The Global Commission on the Stability of Cyberspace was a multistakeholder Internet governance organization, dedicated to the creation of diplomatic norms of governmental non-aggression in cyberspace. It operated for three years, from 2017 through 2019, and produced the diplomatic norm for which it was chartered and seven others.

Origins
Together with the Global Forum on Cyber Expertise, the GCSC was a product of the 2015-2017 Dutch chairmanship of the London Process, and particularly of the work of Wouter Jurgens. As head of the cyber security department of the Dutch Ministry of Foreign Affairs, Jurgens had responsibility for organizing the 4th Global Conference on CyberSpace ministerial, which was held in The Hague on April 16–17, 2015, and for formalizing its outcomes. Jurgens had been working for several years on the topic of governmental non-aggression in cyberspace, in collaboration with Uri Rosenthal, Bill Woodcock, Olaf Kolkman, James Lewis, and others who would subsequently become GCSC commissioners.

The GCSC was launched by Dutch Foreign Minister Bert Koenders at the 53rd Munich Security Conference, on February 18, 2017, with a three-year charter, and issued its final report at the Paris Peace Forum, on November 13, 2019.

Norm to Protect the Public Core of the Internet
"State and non-state actors should neither conduct nor knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace." The Norm to Protect the Public Core is the GCSC's principal product, and has been included or referenced in much subsequent legislative and diplomatic work. It was included in the European Union's Cybersecurity Act, which extends the mandate of the European Union Agency for Cybersecurity to include the protection of the public core. The Paris Call for Trust and Security in Cyberspace included a call for compliance with the Public Core norm. The United Nations cites the Public Core norm in the 2019 report of the Secretary General and the report of the Secretary General’s High-level Panel on Digital Cooperation, The Age of Digital Interdependence.

Norm to Protect the Electoral Infrastructure
"State and non-state actors must not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites."

Norm to Avoid Tampering
"State and non-state actors should not tamper with products and services in development and production, nor allow them to be tampered with, if doing so may substantially impair the stability of cyberspace."

Norm Against Commandeering of ICT Devices into Botnets
"State and non-state actors should not commandeer the general public’s ICT resources for use as botnets or for similar purposes."

Norm for States to Create a Vulnerabilities Equities Process
"States should create procedurally transparent frameworks to assess whether and when to disclose not publicly known vulnerabilities or flaws they are aware of in information systems and technologies. The default presumption should be in favor of disclosure."

Norm to Reduce and Mitigate Significant Vulnerabilities
"Developers and producers of products and services on which the stability of cyberspace depends should (1) prioritize security and stability, (2) take reasonable steps to ensure that their products or services are free from significant vulnerabilities, and (3) take measures to timely mitigate vulnerabilities that are later discovered and to be transparent about their process. All actors have a duty to share information on vulnerabilities in order to help prevent or mitigate malicious cyber activity."

Norm on Basic Cyber Hygiene as Foundation Defense
"States should enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene."

Norm Against Offensive Cyber Operations by Non-State Actors
"Non-state actors should not engage in offensive cyber operations and state actors should prevent such activities and respond if they occur."

Other publications
In addition to the Norm to Protect the Public Core and the seven subsequent norms, the GCSC has published several other documents.

Definition of the Public Core, to which the Norm Applies
Early in the process of defining the Norm to Protect the Public Core, the effort was divided into two working groups: one, principally diplomatic, to specify what actions should be precluded; the other, involving subject-matter experts, to specify which infrastructures were deemed most worthy of protection. This latter working group specified a survey of cybersecurity experts, delegated implementation of the survey to Packet Clearing House, and integrated its results to form the Definition of the Public Core, to which the Norm Applies. This definition, under which the "public core of the Internet" includes packet routing and forwarding, naming and numbering systems, the cryptographic mechanisms of security and identity, and physical transmission media, with more-specific details attending to each, has since been used by the OECD and others as a standardized description of the principal elements of Internet critical infrastructure.

Statement on the Interpretation of the Norm on Non-Interference with the Public Core
On September 22, 2021, the GCSC released a three-page statement responding, in large part, to Russia's submission to the ITU Council Working Group on International Internet-related Public Policy Issues, Risk Analysis of the Existing Internet Governance and Operational Model. The statement reiterates the GCSC's findings that state actors, not private actors, are the primary threat to Internet stability; that the GCSC believes that the multistakeholder model of Internet governance is key to maintaining Internet stability; and that the Internet's critical infrastructure is principally operated by the private sector.

Derivative work
In addition to the norms the commission published, several other organizations were created and efforts undertaken as byproducts of the commission's work.

CyberPeace Institute
One of the most notable derivative outcomes of the GCSC's work was the formation of the CyberPeace Institute, headed by GCSC commissioner Marietje Schaake and Europol veteran Stéphane Duguin. This independent, non-governmental organization has the mission to highlight the human aspect of cyberattacks. It works in close collaboration with relevant partners to reduce the harms from cyberattacks on people’s lives worldwide. The Institute builds on the GCSC's work by monitoring compliance with its norms and coordinating cyber-attack forensic and analytic efforts that broaden public understanding of norm violations.

Critical infrastructure assessment
As input to the Definition of the Public Core, a global survey of Internet infrastructure security experts was conducted in 2017 by Packet Clearing House, headed by GCSC commissioner Bill Woodcock.

Commissioners

 * Marina Kaljurand (Co-chair 2017-2018)
 * Latha Reddy (Co-chair 2017-2019)
 * Michael Chertoff (Co-chair 2019)
 * Motohiro Tsuchiya
 * Joseph Nye
 * Christopher Painter
 * Ilya Sachkov
 * Jeff Moss
 * Khoo Boon Hui
 * Anriette Esterhuysen
 * Xiaodong Lee
 * Abdul-Hakeem Ajijola
 * Virgilio Almeida
 * Marietje Schaake
 * Bill Woodcock
 * Wolfgang Kleinwächter
 * Scott Charney
 * Elina Noor
 * Isaac Ben-Israel
 * Jonathan Zittrain
 * Nigel Inkster
 * Jane Holl Lute
 * Samir Saran
 * Olaf Kolkman

Former commissioners

 * William Saito
 * Wolff Heintschel von Heinegg
 * Sigrid Kaag
 * Hugo Zylberberg

Research Advisory Group

 * Sean Kanuck (Chair)
 * Liis Vihul (Deputy Chair for Law)
 * Marilia Maciel (Deputy Chair for Internet Governance)
 * Hugo Zylberberg (Deputy Chair for International Peace & Security)
 * Koichiro Komiyama (Deputy Chair for Technical and Information Security)

Secretariat

 * Bruce McConnell (EastWest Institute)
 * Alexander Klimburg (Hague Centre for Strategic Studies)