Together with the Global Forum on Cyber Expertise, the GCSC was a product of the 2015–2017 Dutch chairmanship of the London Process, and particularly of the work of Wouter Jurgens, who, as head of the cyber security department of the Dutch Ministry of Foreign Affairs, was responsible for organizing the 4th Global Conference on CyberSpace ministerial, held in The Hague on April 16–17, 2015, and for formalizing its outcomes.[2][3] Jurgens had been working for several years on the topic of governmental non-aggression in cyberspace, in collaboration with Uri Rosenthal, Bill Woodcock, Olaf Kolkman, James Lewis, and others who would subsequently become GCSC commissioners.[4]
"State and non-state actors should neither conduct nor knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace."
The Norm to Protect the Public Core is the GCSC's principal product, and has been included or referenced in much subsequent legislative and diplomatic work. It was included in the European Union's Cybersecurity Act, which extends the mandate of the European Union Agency for Cybersecurity to include the protection of the public core.[7] The Paris Call for Trust and Security in Cyberspace included a call for compliance with the Public Core norm.[8] The United Nations cites the Public Core norm in the 2019 report of the Secretary-General[9] and the report of the Secretary-General’s High-level Panel on Digital Cooperation, The Age of Digital Interdependence.[10]
Norm to Protect the Electoral Infrastructure
"State and non-state actors must not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites."
Norm to Avoid Tampering
"State and non-state actors should not tamper with products and services in development and production, nor allow them to be tampered with, if doing so may substantially impair the stability of cyberspace."
Norm Against Commandeering of ICT Devices into Botnets
"State and non-state actors should not commandeer the general public’s ICT resources for use as botnets or for similar purposes."
Norm for States to Create a Vulnerabilities Equities Process
"States should create procedurally transparent frameworks to assess whether and when to disclose not publicly known vulnerabilities or flaws they are aware of in information systems and technologies. The default presumption should be in favor of disclosure."
Norm to Reduce and Mitigate Significant Vulnerabilities
"Developers and producers of products and services on which the stability of cyberspace depends should (1) prioritize security and stability, (2) take reasonable steps to ensure that their products or services are free from significant vulnerabilities, and (3) take measures to timely mitigate vulnerabilities that are later discovered and to be transparent about their process. All actors have a duty to share information on vulnerabilities in order to help prevent or mitigate malicious cyber activity."
Norm on Basic Cyber Hygiene as Foundation Defense
"States should enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene."
Norm Against Offensive Cyber Operations by Non-State Actors
"Non-state actors should not engage in offensive cyber operations and state actors should prevent such activities and respond if they occur."
In addition to the Norm to Protect the Public Core and the seven subsequent norms, the GCSC has published several other documents.
Definition of the Public Core, to which the Norm Applies
Early in the process of defining the Norm to Protect the Public Core, the effort was divided between two working groups: one, principally diplomatic, to specify what actions should be precluded; the other, involving subject-matter experts, to specify which infrastructures were deemed most worthy of protection. This latter working group specified a survey of cybersecurity experts, delegated implementation of the survey to Packet Clearing House, and integrated its results to form the Definition of the Public Core, to which the Norm Applies. This definition, under which the "public core of the Internet" includes packet routing and forwarding, naming and numbering systems, the cryptographic mechanisms of security and identity, and physical transmission media, with more-specific details attending to each, has since been used by the OECD and others as a standardized description of the principal elements of Internet critical infrastructure.[11]
Statement on the Interpretation of the Norm on Non-Interference with the Public Core
On September 22, 2021, the GCSC released a three-page statement responding, in large part, to Russia's submission to the ITU Council Working Group on International Internet-related Public Policy Issues, Risk Analysis of the Existing Internet Governance and Operational Model.[12][13] The statement reiterates the GCSC's findings that state actors are the primary threat to Internet stability, not private actors; that the GCSC believes that the multistakeholder model of Internet governance is key to maintaining Internet stability; and that the Internet's critical infrastructure is principally operated by the private sector.[14]
In addition to the norms the commission published, several other organizations were created and efforts undertaken as byproducts of the commission's work.
CyberPeace Institute
One of the most notable derivative outcomes of the GCSC's work was the formation of the CyberPeace Institute, headed by GCSC commissioner Marietje Schaake and Europol veteran Stéphane Duguin. This independent, non-governmental organization has the mission to highlight the human aspect of cyberattacks. It works in close collaboration with relevant partners to reduce the harms from cyberattacks on people’s lives worldwide. The Institute builds on the GCSC's work by monitoring compliance with its norms and coordinating cyberattack forensic and analytic efforts that broaden public understanding of norm violations.[15]
Critical infrastructure assessment
As input to the Definition of the Public Core, a global survey of Internet infrastructure security experts was conducted in 2017 by Packet Clearing House, headed by GCSC commissioner Bill Woodcock.[11][16]
Sharwood, Simon (22 March 2018). "Diplomats, 'Net greybeards work to disarm USA, China and Russia's cyber-weapons". The Register. Archived from the original on 25 June 2021. Retrieved 25 June 2021. The USA, China and Russia are doing all that they can to avoid development of a treaty that would make it hard for them to conduct cyber-war, but an effort led by the governments of The Netherlands, France and Singapore, is using diplomacy to find another way to stop state-sponsored online warfare. The group making the diplomatic push is called the Global Commission on the Stability of Cyberspace (GCSC). One of the group's motivations is that state-sponsored attacks nearly always have commercial and human consequences well beyond their intended targets. As explained today in a keynote at Black Hat by GCSC commissioner and executive director of Packet Clearing House Bill Woodcock, those behind state-sponsored attacks are usually either hopelessly optimistic, or indifferent, to the notion that their exploits will be re-used. The results of that faulty thinking are history: the likes of Stuxnet, Flame, Petya and NotPetya did huge damage well beyond their intended targets, imposing massive costs on the private sector.
"Wouter Jurgens". MUNK School of Global Affairs. The University of Toronto. Archived from the original on 26 June 2021. Retrieved 26 June 2021. Wouter Jurgens is heading the cyber security department at the Ministry of Foreign Affairs of the Netherlands. He is responsible for the preparations of the 4th Cyber Space Conference to be held in The Netherlands in 2015. This ministerial conference is part of the London Process and will bring together ministers, policy makers, private sector and civil society to discuss, cyber security, freedom & privacy, economic growth & innovation as well as cyber issues related to international peace and security and capacity building.
"Side Event on Cybersecurity and the Way Forward". United Nations Office for Disarmament Affairs. United Nations. 23 October 2015. Archived from the original on 26 June 2021. Retrieved 26 June 2021. The side event was moderated by Wouter Jurgens, Head of the Cyber Security Department at the Dutch Ministry of Foreign Affairs. Uri Rosenthal, Dutch Special Envoy for International Cyber Policies discussed the Global Conference on CyberSpace. The GCCS2015 underlined the importance of the applicability of the UN Charter and international law in the cybersphere. Key points of discussion were measures concerning responsible State behavior, and the protection of critical infrastructure and components of the global Internet. To bring all parties together, the Netherlands has developed the Global Commission on the Stability of Cyberspace. This platform will include all stakeholders and academics to develop new ideas on norms and actions for cyberstability. James Lewis laid out two options to protect cybersecurity. One is to choose the path of disarmament, and ban specific cyberweapons. The other is to choose the path of arms control, and regulate the use of cyberweapons, agreeing on principles of how to use them responsibly, controlled by the laws of armed conflict.
"Launch of Global Commission on the Stability of CyberSpace". The Hague Security Delta. 7 March 2017. Archived from the original on 13 July 2021. Retrieved 13 July 2021. The Kingdom of the Netherlands, together with The Hague Centre for Strategic Studies (HCSS) and the EastWest Institute (EWI) recently announced the establishment of the Global Commission on the Stability of Cyberspace (GCSC): a global body formed to convene key global stakeholders to develop proposals for norms and policy initiatives to improve the stability and security of cyberspace. In 2016 during the Munich Security Conference (MSC) The Netherlands Minister of Foreign Affairs Bert Koenders announced the intention of his government to support the establishment of a GCSC. The GCSC, based in The Hague, will be chaired by Marina Kaljurand, former Foreign Minister of Estonia, and will be composed of over two dozen prominent independent commissioners, from over 15 countries, with the expertise and legitimacy to speak on different aspects of cyberspace. The Commission will develop proposals for norms and policies to enhance the stability of cyberspace.
Blok, Stef (12 November 2019). "Speech by the Minister of Foreign Affairs, Stef Blok, at the launch of the report by the Global Commission on the Security of Cyberspace (GCSC) at the Peace Forum in Paris, 12 November 2019". Dutch Ministry of Foreign Affairs. Archived from the original on 13 July 2021. Retrieved 13 July 2021. This report, compiled by a group of Commissioners from all over the globe, does a number of important things. It consolidates a set of norms and principles for the behaviour of state and non-state actors in cyberspace. It confers a legitimacy that goes beyond the regular dialogues we have in the United Nations. This is because it was a truly multi-stakeholder effort, with the involvement of governments, the tech community and civil society. And finally, it serves as a reminder of the value of consensus. This may not sound spectacular, but it is. There are a lot of divergent opinions out there: About what the rules of the road should be, about who should bear responsibility for what happens, and about how to deal with transgressions. There should be no tampering with the public core of the internet. Internet infrastructure should be regarded as the backbone of modern society. Undersea cables and other vital elements should be off limits. The Global Commission rightly identifies these areas as sacrosanct.
"Regulation (EU) 2019/881 of the European Parliament and of the Council". European Union. 17 April 2019. Archived from the original on 20 January 2022. Retrieved 22 September 2021. The public core of the open internet, namely its main protocols and infrastructure, which are a global public good, provides the essential functionality of the internet as a whole and underpins its normal operation. ENISA should support the security of the public core of the open internet and the stability of its functioning, including, but not limited to, key protocols (in particular DNS, BGP, and IPv6), the operation of the domain name system (such as the operation of all top-level domains), and the operation of the root zone.
"Paris Call for Trust and Security in Cyberspace" (PDF). French Ministry of Foreign Affairs. 12 November 2018. Archived (PDF) from the original on 5 September 2021. Retrieved 22 September 2021. We affirm our willingness to work together to prevent activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet.
Guterres, António (4 March 2019). "Report of the Secretary-General" (PDF). United Nations. Archived (PDF) from the original on 27 September 2021. Retrieved 22 September 2021.
"Definition of the Public Core, to which the Norm Applies" (PDF). Global Commission on the Stability of Cyberspace. 21 May 2018. Archived from the original (PDF) on 8 March 2021. Retrieved 25 June 2021. As input to its process, a working group of the GCSC conducted a broad survey of experts on communications infrastructure and cyber defense to assess which infrastructures were deemed most worthy of protection. On a scale of zero to ten, with zero being 'unworthy of special protection' and ten being 'essential to include in the protected class,' all surveyed categories ranked between 6.02 and 9.01. Accordingly, the Commission defines the phrase 'the public core of the Internet' to include packet routing and forwarding, naming and numbering systems, the cryptographic mechanisms of security and identity, and physical transmission media.
Sharwood, Simon (24 September 2021). "Stop worrying that crims could break the 'net, say cyber-diplomats – only nations have tried". The Register. Archived from the original on 27 September 2021. Retrieved 27 September 2021. Despite recent attempts to cast the main threat to the public core as resulting from cybercriminals, it is in fact states and their affiliates whose activities pose the greatest risks. The document cites an International Telecommunication Union document, submitted by the Russian Federation, suggesting that nation states need to safeguard the Internet core. The GCSC statement points out that Internet governance organisations are not run by governments.