Advancing Cyberstability Final Report November 2019 Promoting Stability in Cyberspace to Build Peace and Prosperity

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE

ADVANCING CYBERSTABILITY FINAL REPORT NOVEMBER 2019 PROMOTING STABILITY IN CYBERSPACE TO BUILD PEACE AND PROSPERITY

The Global Commission on the Stability of Cyberspace (GCSC) will develop proposals for norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace. www.cyberstability.org [email protected] | [email protected] @theGCSC ADVANCING CYBERSTABILITY FINAL REPORT NOVEMBER 2019

The Hague Centre EastWest Institute for Strategic Studies New York | Brussels Lange Voorhout 1 Moscow | San Francisco 2514 EA The Hague

[email protected] [email protected] www.hcss.nl www.eastwest.ngo CHAIRS Samir Saran India Michael Chertoff USA Marietje Schaake Netherlands Latha Reddy India Motohiro Tsuchiya Japan Marina Kaljurand Estonia (former Chair) Bill Woodcock USA Zhang Li China COMMISSIONERS Jonathan Zittrain USA Abdul-Hakeem Ajijola Nigeria Virgilio Almeida Brazil SPECIAL REPRESENTATIVES Isaac Ben-Israel Israel AND ADVISORS Scott Charney USA Carl Bildt Sweden Frédérick Douzet France Vint Cerf USA Anriette Esterhuysen South Africa Sorin Ducaru Romania Jane Holl Lute USA Martha Finnemore USA Nigel Inkster UK Khoo Boon Hui Singapore DIRECTORS Wolfgang Kleinwächter Germany Alexander Klimburg Austria Olaf Kolkman Netherlands Bruce W. McConnell USA Lee Xiaodong China James Lewis USA RESEARCH ADVISORY GROUP CHAIRS Jeff MossUSA Sean Kanuck USA Elina Noor Malaysia Koichiro Komiyama Japan Joseph S. Nye, Jr. USA Marília Maciel Brazil Christopher Painter USA Liis Vihul Estonia Uri Rosenthal Netherlands Hugo Zylberberg France Ilya Sachkov Russia

SECRETARIAT SPONSORS Federal Department of Foreign Affairs of Switzerland GLOBSEC Ministry of Foreign Affairs of Estonia Ministry of Internal Affairs and Communications of Japan PARTNERS SUPPORTERS African Union Commission Black Hat USA DEF CON European Union Delegation to the UN in Geneva Global Forum on Cyber Expertise Google Municipality of The Hague Packet Clearing House Tel Aviv University United Nations Institute for Disarmament Research CONTENTS

Letter from the Chairs 7

Executive Summary 8

1. Introduction 10

2. What is Meant by the Stability of Cyberspace? 13

3. The GCSC Cyberstability Framework 14

4. Multistakeholder Engagement 15

5. Principles 18

A. The Responsibility Principle 18 B. The Restraint Principle 18 C. The Requirement to Act Principle 19 D. The Human Rights Principle 19

6. Norms 20

A.The GCSC Proposed Norms 21 B. Norms Adoption 22 C. Norms Implementation 23 D. Accountability 24 E. Communities of Interest 25

7. Recommendations 26

Appendix A: Norms Adopted by the UN GGE 28

Appendix B: The Norms of the GCSC 29

Appendix C: History, Goals, and Processes of the GCSC 46

Acknowledgements 48

LETTER FROM THE CHAIRS

yberspace represents one of the greatest inventions of mankind, reshaping personal, social, business, and political relationships. Unfortunately, due to attacks on and through cyberspace, Curgent action is needed to ensure its stability. This concept of cyberspace stability—like its close cousin, international stability—requires a shared vision, one in which all parties recognize that geopolitical disagreements and changes which affect cyberspace must be managed in relative peace, and that cyberspace stability must be assured.

The Global Commission on the Stability of Cyberspace began its work convinced that an issue traditionally reserved to states—international peace and security—could no longer be addressed without engaging other stakeholders. Cyberspace is a multistakeholder environment: those who build and manage cyberspace, and those who respond to attacks on and through cyberspace, are as likely to be non-state actors as government officials. Our Commissioners were selected to reflect this characteristic. Besides former senior government officials with experience in international security issues, our ranks included acknowledged leaders from the fields of Internet governance, the human rights and development communities, and technology and industry. Together, our 28 Commissioners from 16 countries provided a wide range of experience and views, and they were aided by public comments in response to Commission outreach.

The Commission’s final report represents three years of hard work. We gratefully recognize those who made this possible: our Commissioners, our advisors and researchers (many of them also volunteers), our financial supporters, and our management board. Finally, our appreciation goes to the Secretariat, which not only ably managed the process but was instrumental in the Commission’s creation as a civil society initiative.

Throughout its work, the Commission remained cognizant of other cyberspace initiatives, both past and present. Our report—Advancing Cyberstability—complements and reinforces the work of others, while providing new ideas for advancing the stability of cyberspace.

Michael Chertoff Latha Reddy Co-Chair Co-Chair Global Commission on the Global Commission on the Stability of Cyberspace Stability of Cyberspace

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 7 EXECUTIVE SUMMARY

We have reached the end of a twenty-five-year period reflect this view, calling on all parties to be responsible, of strategic stability and relative peace among major exercise restraint, take actions, and respect human powers. Conflict between states has taken new forms, rights: and cyber activities are playing a leading role in this newly volatile environment. Over the last decade, the • Responsibility: Everyone is responsible for number and sophistication of cyber attacks by state ensuring the stability of cyberspace. and non-state actors have increased, thus threatening the stability of cyberspace. Simply put, people and organizations may no longer be confident in their • Restraint: No state or non-state actor should take ability to use cyberspace safely and securely, or be actions that impair the stability of cyberspace. assured of the availability and integrity of services and information. • Requirement to Act: State or non-state actors should take reasonable and appropriate steps to Against this backdrop, the Global Commission on ensure the stability of cyberspace. the Stability of Cyberspace (GCSC) was convened to make recommendations for advancing cyberstability. We began by identifying a seven element • Respect for Human Rights: Efforts to ensure the Cyberstability Framework. This framework includes: stability of cyberspace must respect human rights (1) multistakeholder engagement; (2) cyberstability and the rule of law. principles; (3) the development and implementation of voluntary norms; (4) adherence to international Building on these principles, and seeking to law; (5) confidence building measures; (6) capacity supplement and not duplicate the work of others, building; and (7) the open promulgation and the Commission crafted eight norms designed to widespread use of technical standards that ensure better ensure the stability of cyberspace and address cyberspace is resilient. After defining this framework, technical concerns or gaps in previously declared the Commission explored in depth three of its norms: elements: multistakeholder engagement, principles, and norms. 1. State and non-state actors should neither conduct nor knowingly allow activity that intentionally and Multistakeholder engagement is called for in many international agreements, yet it remains contentious. substantially damages the general availability or Some continue to believe that ensuring international integrity of the public core of the Internet, and security and stability is almost exclusively the therefore the stability of cyberspace. responsibility of states. In practice, however, the cyber battlefield (i.e., cyberspace) is designed, deployed, 2. State and non-state actors must not pursue, and operated primarily by non-state actors, and we support or allow cyber operations intended to believe their participation is necessary to ensure the stability of cyberspace. Moreover, their participation disrupt the technical infrastructure essential to is inevitable, as non-state actors often are the first to elections, referenda or plebiscites. respond to—and even to attribute—cyber attacks. 3. State and non-state actors should not tamper The Commission concluded that these non-state with products and services in development and actors were not only critical for ensuring the stability production, nor allow them to be tampered with, of cyberspace, but that they too should be guided by principles and bound by norms. The four principles if doing so may substantially impair the stability of cyberspace.

GLOBAL COMMISSION 8 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE 4. State and non-state actors should not Specifically, the Commission recommends that: commandeer the general public’s ICT resources for use as botnets or for similar purposes. 1. State and non-state actors adopt and implement norms that increase the stability of cyberspace by 5. States should create procedurally transparent promoting restraint and encouraging action. frameworks to assess whether and when to disclose not publicly known vulnerabilities or 2. State and non-state actors, consistent with their flaws they are aware of in information systems responsibilities and limitations, respond appro- and technologies. The default presumption priately to norms violations, ensuring that those should be in favor of disclosure. who violate norms face predictable and meaningful consequences. 6. Developers and producers of products and services on which the stability of cyberspace 3. State and non-state actors, including internation- depends should (1) prioritize security and al institutions, increase efforts to train staff, build stability, (2) take reasonable steps to ensure that capacity and capabilities, promote a shared un- their products or services are free from significant derstanding of the importance of the stability of vulnerabilities, and (3) take measures to timely cyberspace, and take into account the disparate mitigate vulnerabilities that are later discovered needs of different parties. and to be transparent about their process. All actors have a duty to share information on 4. State and non-state actors collect, share, review, vulnerabilities in order to help prevent or mitigate and publish information on norms violations and malicious cyber activity. the impact of such activities.

7. States should enact appropriate measures, 5. State and non-state actors establish and support including laws and regulations, to ensure basic Communities of Interest to help ensure the stabil- cyber hygiene. ity of cyberspace.

8. Non-state actors should not engage in offensive 6. A standing multistakeholder engagement mech- cyber operations and state actors should prevent anism be established to address stability issues, such activities and respond if they occur. one where states, the private sector (including the technical community), and civil society are ad- Recommendations equately involved and consulted.

Finally, recognizing both the importance of The publication of this report represents both an multistakeholder engagement and the fact that end and a beginning. The Commission has fulfilled declaring behavior normative does not make it so, its mandate. For the members and supporters of the the Commission makes six recommendations which GCSC, however, as well as all those who support its focus on strengthening the multistakeholder model, goals, the hard work required to implement these promoting norms adoption and implementation, principles, norms, and recommendations is just and ensuring that those who violate norms are held beginning. Begin it must, as the benefits of cyberspace accountable. will be lost if its stability is not ensured.

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 9 1. INTRODUCTION

The digital evolution and cyberspace have dramatically companies, and people around the world are faced transformed human existence.1 The ability to digitize, with conundrums. Governments are interested in store, analyze, and transport data around the globe protecting cyberspace, delivering public services, and has had profound effects in every sector of society, promoting other important activities (e.g., education and has changed the way we conduct personal, and online banking) but are also interested in business, and political affairs. Today, approximately advancing national security interests, including law half the world’s population is online2 and this number enforcement, intelligence, and military capabilities. is rapidly increasing. But even those not personally Companies, concerned about protecting their connected to cyberspace are affected by its reach, customers, reputations, and profits, find themselves since the entities they rely upon to provide goods and under attack, investigating malicious activities, and/ services often use cyberspace for communications, or subject to government data requests. People— logistics, and finance. whether they are themselves connected or not—are increasingly dependent on and embracing digital The benefits of cyberspace—and the need to ensure technology, but are concerned about its continued its stability—have often been discussed, as have its availability and integrity. Over the last decade, the challenges. Most notably, cyberspace may support number and sophistication of cyber attacks have both noble and ignoble purposes. For example, increased, including attacks on government systems global connectivity, anonymity, and lack of traceability and critical infrastructures.3 As such, neither the status permit individuals and machines to connect to data quo nor the observable trends are encouraging. and systems without asserting identity, but criminals can also leverage these attributes to commit Cyber attacks, which are conducted by both state and crimes with impunity. As a result, governments, non-state actors, make clear that the world needs a Cyberstability Framework. Such a framework will 1 “Cyberspace” has been defined in various ways. https:// serve to reduce the potential for significant disruptions en.wikipedia.org/wiki/Cyberspace. The dictionary definition is of cyberspace that will undermine its benefits and “an electronic system that allows computer users around the reduce people’s well-being, including their rights and world to communicate with each other or to access information for any purpose.” https://dictionary.cambridge.org/us/dic- freedoms. Clearly, well-designed and built products tionary/english/cyberspace. According to the United Kingdom, and services, managed well by IT professionals and “Cyberspace is the term used to describe the electronic medium computer users, will increase security and stability, of digital networks used to store, modify and communicate information. It includes the Internet but also other information 3 Center for Strategic and International Studies (CSIS), Signifi- systems that support businesses, infrastructure and services.” cant Cyber Incidents Since 2006, https://csis-prod.s3.amazonaws. https://www.cpni.gov.uk/cyber. As such, it is arguably broad- com/s3fs-public/190904_Significant_Cyber_Events_List.pdf; er than the Internet, which is described in popular terms as a Louis Marinos and Marco Lourenço, ed., ENISA Threat Landscape “global system of interconnected computer networks that use Report 2018, ENISA (January 2019), https://www.enisa.europa. the Internet protocol suite (TCP/IP) to link devices worldwide.” eu/publications/enisa-threat-landscape-report-2018; Abhishek See https://en.wikipedia.org/wiki/Internet. See also Internation- Agrawal et al., Microsoft Security Intelligence Report, Vol. 24 (De- al Telecommunication Union, “Defining the Internet,” discussion cember 2018), https://clouddamcdnprodep.azureedge.net/gdc/ paper (May 2013), https://www.itu.int/dms_pub/itu-s/md/13/ gdc09FrGq/original; United Nations, General Assembly, Devel- wtpf13/inf/S13-WTPF13-INF-0008%21%21MSW-E.docx. opments in the field of information and telecommunications in the 2 “Internet Usage Statistics,” Internet World Stats, last modi- context of international security: report of the Secretary-General, fied 4 October 2019, https://internetworldstats.com/stats.htm. A/74/120 (24 June 2019), https://undocs.org/A/74/120.

GLOBAL COMMISSION 10 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE just as poorly or negligently designed products and guide responsible state and non-state behavior in services, or poor or negligent operational practices, cyberspace. The GCSC will engage the full range of will undermine them. But better development and stakeholders to develop shared understandings, operations will not be enough, especially with state and and its work will advance cyberstability by non-state actors viewing cyberspace as a battlefield supporting information exchange and capacity where one can achieve political, military, or economic building, basic research, and advocacy.6 advantage. A persistent attacker can defeat security measures, giving rise to the adage that “offense beats Notably, the Commission itself is multistakeholder defense on the Internet” and creating instability.4 and global as it is comprised of individuals with diverse Thus, it is important to focus not only on technology backgrounds and expertise. Some Commissioners but on behaviors: how do we encourage all actors to have themselves served in government and were behave in responsible ways that enhance—and do engaged in bilateral and multilateral negotiations on not threaten—the stability of cyberspace? cyber issues, while others have experience in building, maintaining, and protecting the Internet itself. Others To help answer this question, several governmental have represented civil society. and non-governmental entities supported the creation of the Global Commission on the Stability of The Commission’s work does not exist in a vacuum Cyberspace (GCSC),5 noting that: and the GCSC, recognizing that many other institutions and processes (both past and present) share its We have reached the end of a twenty-five-year interest in the stability of cyberspace, has sought not period of strategic stability and relative peace to duplicate the work of others. Rather, the GCSC among major powers. Conflict between states attempts to build upon other multistakeholder and will take new forms, and cyber activities are governmental processes and influence future work. likely to play a leading role in this newly volatile These processes include the foundational and ongoing environment, thereby increasing the risk of work of the United Nations Group of Governmental undermining the peaceful use of cyberspace to Experts (UN GGE),7 the work of the Open-Ended facilitate the economic growth and the expansion of individual freedoms. 6 Global Commission on the Stability of Cyberspace, https:// cyberstability.org/. In order to counter these developments, the 7 In an important resolution, in 2015 the United Nations Gen- Global Commission on the Stability of Cyberspace eral Assembly unanimously affirmed the conclusion of the UN will develop proposals for norms and policies to GGE. See General Assembly resolution 70/237, Resolution ad- enhance international security and stability and opted by the General Assembly on 23 December 2015 [on the report of the First Committee (A/70/455)], https://undocs.org/en/A/ 4 See, for example, P.W. Singer and Allan Friedman, “The Cult RES/70/237. Thus, international law and, in particular, the Char- of the Cyber Offensive,”Foreign Policy (15 January 2014), https:// ter of the United Nations establish an exclusive framework for foreignpolicy.com/2014/01/15/cult-of-the-cyber-offensive/; international response to hostile acts that also applies to cyber World Economic Forum (WEF), The Global Risks Report 2019, operations. Our work builds on the agreement by all states at (2019), http://www3.weforum.org/docs/WEF_Global_Risks_Re- the 2015 UN General Assembly to be guided by norms of re- port_2019.pdf. sponsible behavior to increase stability and security in the use 5 For further information on the GCSC, see Appendix C: Histo- of ICTs and to meet their commitments under international law ry, Goals, and Processes of the GCSC. for due diligence and cooperation.

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 11 Working Group (UN OEWG), as well as the efforts of cyberspace as a crucial dimension of global of the Global Forum on Cyber Expertise (GFCE),8 economic, social, and security interdependence only World Summit on the Information Society (WSIS), dates from the late 1990s, when broad usage of the the Global Commission on Internet Governance (the World Wide Web began. Thus, the evolving processes Bildt Commission), the Internet Governance Forum of governance are at an early stage where areas of (IGF), the Global Conference on CyberSpace (GCCS/ normative coherence and incoherence co-exist.11 the London Process), the NETmundial Initiative, the For example, while norms and institutions related to Organization for Security and Co-operation in Europe the Domain Name System are well developed, there (OSCE), the African Union Commission (AUC), the are major areas of disagreement among states and Charter of Trust, the Cybersecurity Tech Accord, The among companies related to content regulation. Hague Program for Cyber Norms, the United Nations Sometimes, state and non-state actors apply norms Institute for Disarmament Research (UNIDIR), the from other regimes such as intellectual property Paris Call for Trust and Security in Cyberspace (“the and trade and, increasingly, private companies are Paris Call”), and the UN Secretary-General’s High-level themselves setting norms.12 The purpose of our Panel on Digital Cooperation. The Commission’s work Commission is not to sort out these various questions was also informed by commissioned research and of governance, but to put them within a general requests for public comments. framework for ensuring the stability of cyberspace.

Some of the efforts listed focused, in part, on We also note that those concerned with the stability cyberspace stability, and were concerned that of cyberspace have struggled to keep up with those cyberspace stability and governance are inextricably who seek to undermine it, as well as keep pace with linked. That is, absent a robust governance model, technological developments and the evolution of society lacks the interactions and decision-making geopolitical conflicts. Part of the challenge is that processes necessary to ensure stability. For example, cyberspace has transformed the way actors pursue the Bildt Commission proposed a multistakeholder political and military objectives; with low barriers social compact for the digital privacy and security to entry, it is less difficult to become a cyber power “between citizens and their elected representatives, than a traditional military power. Additionally, the judiciary, law enforcement and intelligence with new technology in their toolkits, some are agencies, business, civil society and the internet hesitant to adopt constraints, particularly if those technical community, with the goal of restoring trust constraints are not widely honored. What is needed and enhancing confidence in the internet.”9 is an overarching Cyberstability Framework for the international community, one that promotes the We commend these prior efforts at developing stability of cyberspace yet remains useful as the principles, rules, and norms to apply to behavior in pace of technological change continues to increase. the turbulent new domain of cyberspace and believe We therefore start with defining the core objective: that a comprehensive framework is necessary to protecting the stability of cyberspace. increase the stability of cyberspace. The historical record shows that societies and governments may in some cases take decades to develop broad, formal international governance structures for important new disruptive technologies.10 The emergence

8 The GFCE has been particularly active in capacity building. 11 This early stage has been called a “regime complex.” See Jo- See, for example, “Delhi Communiqué on a GFCE Global Agenda seph Nye, “The Regime Complex for Managing Complex Global for Cyber Capacity Building,” Global Forum on Cyber Expertise Cyber Activities,” Global Commission on Internet Governance, (24 November 2017), https://www.thegfce.com/delhi-communi- No. 1 (May 2014), https://www.cigionline.org/sites/default/files/ que/documents/publications/2017/11/24/delhi-communique. gcig_paper_no1.pdf. 9 Global Commission on Internet Governance, One Internet 12 See, for example, the norms developed by ISOC and Mic- (2016), p. IX, https://www.cigionline.org/sites/default/files/gcig_ rosoft: “Mutually Agreed Norms for Routing Security (MANRS),” final_report_-_with_cover.pdf. “We call on governments, private Internet Society (2014), https://www.manrs.org/; Angela McKay corporations, civil society, the technical community and individ- et al., International Cybersecurity Norms Reducing Conflict in an uals together to create a new social compact for the digital age.” Internet-dependent World, Microsoft (December 2014), https:// 10 Perhaps the most pertinent example of a governance struc- query.prod.cms.rt.microsoft.com/cms/api/am/binary/REVroA; ture of this kind relates to nuclear weapons, which took significant and Scott Charney et al., From Articulation to Implementation: time and effort to establish. Even now, 60 years on from the Trea- Enabling Progress on Cybersecurity Norms, Microsoft (June 2016), ty on the Non-Proliferation of Nuclear Weapons (NPT), the gover- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/ nance of nuclear weapons continues to be a security concern. REVmc8.

GLOBAL COMMISSION 12 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE 2. WHAT IS MEANT BY THE STABILITY OF CYBERSPACE?

DEFINITION: Stability of cyberspace means everyone can be reasonably confident in their ability to use cyberspace safely and securely, where the availability and integrity of services and information provided in and through cyberspace are generally assured, where change is managed in relative peace, and where tensions are resolved in a non-escalatory manner.

While the Commission’s definition builds on the standard definition of “stability,”13 it is more nuanced in two ways. First, there is the reference to user confidence. Confidence is important because human decisions may be based upon perceptions, not just facts, and if someone perceives a lack of stability, they may be reluctant to use cyberspace and obtain its benefits. By way of example, the use of cyberspace may streamline processes and make them more efficient, thus suggesting that certain functions (e.g., access to government services, online banking) could benefit from leveraging cyberspace. But if such systems are unreliable—or there is a perception that such systems are unreliable—their use will be limited, and the benefits of the technology lost.

Second, it must be remembered that cyberspace is a domain of constant change. There are changes in technology, in business models, in functionality, and in societal expectations about the role of technology in daily life. Thus, unlike the dictionary definition of “stability” which includes “returning to an original condition,” what we need are agile mechanisms to ensure the stability of cyberspace as technologies evolve. Simply put, everyone must remain confident in the availability and integrity of cyberspace even as it—and the world around it—changes.

13 “Stability” is defined as “the state of being stable.” https://www.lexico.com/en/definition/stability. Stable means (1) not likely to give way or overturn; firmly fixed; (2) not likely to change or fail; firmly established; and (3) not liable to undergo physical changes. See https://en.oxforddictionaries.com/definition/stable. In international relations, one of the most consistent definitions of the term international stability has been “the probability that the [international] system retains all of its essential characteristics; that no single nation becomes dominant; that most of its members continue to survive; and that large-scale war does not occur.” Karl W. Deutsch and J. David Singer, “Multipolar Power Systems and International Stability,” World Politics, Vol. 16, No. 3 (April 1964): 390-406, http://users.metu.edu.tr/utuba/Deutsch.pdf.

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 13 3. THE GCSC CYBERSTABILITY FRAMEWORK

To address the challenges described above, the GCSC, as others have done,14 proposes a comprehensive Cyberstability Framework. This framework includes (1) multistakeholder engagement; (2) cyberstability principles; (3) the development and implementation of voluntary norms; (4) adherence to international law; (5) confidence building measures; (6) capacity building; and (7) the open promulgation and widespread use of technical standards that ensure cyberspace is resilient. The GCSC’s efforts have focused primarily on three of these items—the multistakeholder approach, principles, and norms—and are addressed in Sections 4, 5, and 6, respectively. Regarding norms, we focused not just on their development, but on the more difficult issues of adoption, implementation, and accountability for violators.

We would note that there are many current efforts addressing individual elements of this Cyberstability Framework and these efforts are—like cyberspace itself—decentralized. To make progress, the GCSC believes that a concerted, global multistakeholder effort is required. Therefore, in addition to addressing substantive issues, the GCSC makes process recommendations that attempt to leverage and complement existing efforts and, perhaps, give them new energy.

14 See, for example, The Age of Digital Interdependence: Report of the UN Secretary-General’s High-level Panel on Digital Cooperation (June 2019), p.39, https://digitalcooperation.org/wp-content/uploads/2019/06/DigitalCooperation-report-web-FINAL-1.pdf. “We recommend the development of a Global Commitment on Digital Trust and Security to shape a shared vision, identify attributes of digital stability, elucidate and strengthen the implementation of norms for responsible uses of technology, and propose priorities for action.”

GLOBAL COMMISSION 14 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OFThe CYBERSP CyberstabilityACE Framework image uses icons made by Freepik, monkik, smalllikeart, Eucalyp, Itim2101 from www.flaticon.com. 4. MULTISTAKEHOLDER ENGAGEMENT

Notwithstanding a plethora of international the Heads of State in the WSIS Tunis Agenda declared agreements among states citing the importance of a that “A working definition of Internet governance is multistakeholder approach, it remains contentious. the development and application by governments, For some, the debate is philosophical and focuses on the private sector and civil society, in their respective the comparative roles of state and non-state actors in roles, of shared principles, norms, rules, decision- technology policy and international affairs. For others, making procedures, and programmes that shape the multistakeholder processes are practical, holding that evolution and use of the Internet.”16 states acting alone or with only minimal non-state input cannot ensure the stability of cyberspace.15 We This view was reaffirmed ten years later by the High- agree with this latter view. Level Meeting of the UN General Assembly on the overall review of the implementation of the WSIS This debate on the merits of multistakeholder outcomes which also stated in UN resolution 70/125 engagement has gone on for decades. Often, the issue (2015): arose in the context of managing Internet resources, but the question of norms and national security We reaffirm, moreover, the value and principles of were also raised. For example, during the second multi-stakeholder cooperation and engagement phase of the UN World Summit on the Information that have characterized the World Summit Society, the United Nations Working Group on on the Information Society process since its Internet Governance (WGIG) rejected the concept of inception, recognizing that effective participation, single stakeholder leadership. Rather, it concluded partnership and cooperation of Governments, that the Internet is too large to be managed by one the private sector, civil society, international stakeholder group or one organization alone and organizations, the technical and academic proposed a multistakeholder approach. Thus, in 2005, communities and all other relevant stakeholders, within their respective roles and responsibilities, 15 “The WSIS definition (2005) introduced the concept of the ‘re- especially with balanced representation from spective roles’ and the philosophy of ‘sharing’. The NETmundial developing countries, has been and continues to Declaration (2014) defined key elements as bottom up, openness, be vital in developing the information society.17 transparency, inclusiveness and human rights based. In other words, we have some general guidelines for a multistakeholder approach, but we do not have a single multistakeholder model. So far, two different multistakeholder models have emerged: the con- sultative model and the collaborative model.” Wolfgang Kleinwäch- ter, “Towards a Holistic Approach for Internet Related Public Policy 16 “Tunis Agenda for the Information Society,” WSIS (18 Novem- Making,” Global Commission on the Stability of Cyberspace (Janu- ber 2005), Paragraph 34, https://www.itu.int/net/wsis/docs2/tunis/ ary 2018), https://cyberstability.org/wp-content/uploads/2018/02/ off/6rev1.html. GCSC_Kleinwachter-Thought-Piece-2018-1.pdf. For an additional 17 See United Nations General Assembly resolution 70/125, Out- discussion on multistakeholder models, see Virgilio Almeida et al., come document of the high-level meeting of the General Assembly on “The Origin and Evolution of Multistakeholder Models,” IEEE Internet the overall review of the implementation of the outcomes of the World Computing, Vol. 19 (January-Feburary 2015): 74-79, https://doi.ieee- Summit on the Information Society, A/RES/70/125 (16 December computersociety.org/10.1109/MIC.2015.15. 2015), Paragraph 3, https://undocs.org/en/A/RES/70/125.

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 15 Again, the statement went beyond the management Member States should consider how best to of critical Internet resources and directly to the heart cooperate in implementing the above norms and of national security issues: principles of responsible behaviour, including the role that may be played by private sector and civil We recognize the leading role for Governments society organizations.21 in cybersecurity matters relating to national security. We further recognize the important These positions were reaffirmed in the UN GGE’s roles and contributions of all stakeholders, in 2015 report, where it was declared that: their respective roles and responsibilities.18 While States have a primary responsibility Regarding norms specifically, the Group of Eight (G8) for maintaining a secure and peaceful ICT declared in 2011 that: environment, effective international cooperation would benefit from identifying mechanisms for The security of networks and services on the the participation, as appropriate, of the private Internet is a multi-stakeholder issue. It requires sector, academia and civil society organizations.22 coordination between governments, regional and international organizations, the private sector, This statement was repeated in a 2018 General [and] civil society…Governments have a role to Assembly resolution on Advancing responsible State play, informed by a full range of stakeholders, behaviour in cyberspace in the context of international in helping to develop norms of behaviour and security.23 Other international agreements clearly common approaches in the use of cyberspace.19 express the same sentiment; for example, the Paris Call stated, “We recognize the necessity of a Two years later, in 2013, the UN GGE issued its strengthened multi-stakeholder approach and of Report on Developments in the Field of Information additional efforts to reduce risks to the stability of and Telecommunications in the Context of International cyberspace and to build-up confidence, capacity and Security. In a section entitled “Building cooperation for a trust.”24 peaceful, secure, resilient and open ICT environment,” the UN GGE noted that “[w]hile States must lead in addressing these challenges, effective cooperation would benefit from the appropriate participation of the private sector and civil society.”20 The report went 21 Id., p.8, Paragraph 25. on to say, in a section entitled “Recommendations on 22 United Nations General Assembly, Report of the Group of Gov- norms, rules and principles of responsible behaviour ernmental Experts on Developments in the Field of Information and by States,” that: Telecommunications in the Context of International Security, A/70/174 (22 July 2015), p.13, Paragraph 31, https://undocs.org/A/70/174, (hereinafter, UN GGE 2015 Report). 18 Id., Paragraph 50. 23 United Nations General Assembly resolution 73/266, Advanc- 19 Group of Eight, “G8 Declaration: Renewed Commitment for ing responsible State behaviour in cyberspace in the context of interna- Freedom and Democracy,” G8 Deauville Summit (27 May 2011), tional security, A/RES/73/266 (22 December 2018), https://undocs. Paragraph 17, http://www.g8.utoronto.ca/summit/2011deau- org/en/A/RES/73/266. ville/2011-declaration-en.html. 24 Ministry for Europe and Foreign Affairs of France, “Paris Call 20 United Nations General Assembly, Report of the Group of Gov- for Trust and Security in Cyberspace” (11 November 2018), https:// ernmental Experts on Developments in the Field of Information and www.diplomatie.gouv.fr/IMG/pdf/paris_call_text_-_en_cle06f918. Telecommunications in the Context of International Security, A/68/98 pdf. See also, NETmundial, “NETmundial Multistakeholder State- (24 June 2013), p.7, Paragraph 12, https://undocs.org/A/68/98, ment” (24 April 2014), http://netmundial.br/wp-content/up- (hereinafter, UN GGE 2013 Report). loads/2014/04/NETmundial-Multistakeholder-Document.pdf.

GLOBAL COMMISSION 16 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE Most recently, in June 2019, the UN Secretary- cyber weapons. Rather, the technical community, civil General’s High-level Panel on Digital Cooperation, in society, and individuals also play a major role in the its report, The Age of Digital Interdependence, stated: protection of cyberspace, including the promulgation of standards. Therefore, the multistakeholder Effective digital cooperation requires that approach is necessary to improve outcomes and multilateralism, despite current strains, be ensure that the norms and policies supporting the strengthened. It also requires that multilateralism stability of cyberspace are well-formed and avoid be complemented by multi-stakeholderism— unwanted consequences. cooperation that involves not only governments but a far more diverse spectrum of other Equally important, even if states wish to go it alone, stakeholders such as civil society, academics, they cannot. The participation of non-state actors technologists and private sector.25 in matters affecting the stability of cyberspace is unavoidable. For example, many members of the While the idea of a multistakeholder approach has private sector and technical community may be proven to be successful, it is not universally supported. responsible for critical protocols and services, and Some governments continue to believe that ensuring they may protect states that use their commercial international security and stability is almost exclusively and open source products. Additionally, even the the responsibility of states. This more traditional view investigation and attribution of attacks, a traditional of security springs from the notion that states have role for and political prerogative of governments, is no the responsibility to protect their citizens from attack longer their sole area of knowledge and responsibility; through forceful means, an idea reflected in the some notable state attacks have been identified and responsibilities of the United Nations Security Council publicized by non-governmental entities. In short, as codified in Article 24 of the UN Charter.26 This line even though states have a unique role to play during of thinking may also be reinforced by past experience and after an attack (including law enforcement activity because, in the physical domain, governments not and/or taking diplomatic or other state actions), they only enjoyed a monopoly over the legitimate use of have no monopoly on investigation and attribution, force, but were also in control of the military grade nor can they effectively exclude non-state actors. As weapons (e.g., airplanes, tanks) used to attack and a result, developing successful cyberspace norms defend that domain. and policies—and ensuring adherence to them— requires participation by, and is a responsibility of, In practice, the cyber battlefield (i.e., cyberspace) all stakeholders, and governments must focus on is designed, deployed, and operated primarily by creating mechanisms that effectively incorporate the private sector. Governments are, despite their participation of the private sector, the technical unique responsibilities, not the exclusive protectors community, academia, and other representatives of of this domain. Even if governments maintain a de civil society. This is exactly what many governments jure monopoly over the legitimate use of force in have called for. cyberspace, they no longer have a practical monopoly on attacking and protecting this domain, nor can they prevent the proliferation and use of powerful

25 The Age of Digital Interdependence, p. 7, https://digitalcooperation.org/wp-content/uploads/2019/06/DigitalCooperation-report-web-FINAL-1.pdf. 26 Charter of the United Nations, “Chapter V – The Security Coun- cil,” Repertory of Practice of United Nations Organs, http://legal. un.org/repertory/art24.shtml.

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 17 5. PRINCIPLES

Normative behavior derives from values. Declaring A. The Responsibility Principle those values, whether they relate to individual responsibilities, state responsibilities, or fundamental The first principle speaks to the decentralized and human rights, must therefore be our starting distributed nature of cyberspace. It reaffirms the point. Indeed, differing values can make achieving need for a multistakeholder approach to ensuring consensus difficult, as well as result in differing country the stability of cyberspace and, notably, extends or regional interpretations and implementations of “stakeholders” to include every individual. Every international agreements. This is not to suggest that individual has responsibilities, in a personal and/ an agreement on principles is required for progress or professional capacity, to ensure the stability of to be made; sometimes, parties agree on acceptable cyberspace. While it may be obvious that those behaviors even if their motives for doing so differ. But responsible for government cyber policies and shared principles and interdependence can lead to employees that manage cloud services have a role to deeper commitments and reduce the risk of future play, every individual connected to cyberspace must disagreements or conflicts. It is therefore important take reasonable efforts to ensure their own devices that parties have candid discussions about the high- are not compromised and, perhaps, used in attacks. level principles which guide their thinking and from Even those who are not connected to the Internet which norms flow. may be dependent upon its capabilities to receive goods and services, and they too have a stake in The following four principles are critical to ensuring ensuring that cyberspace policy is being addressed the stability of cyberspace: appropriately in their communities. 1. Responsibility: Everyone is responsible for ensuring the stability of cyberspace. B. The Restraint Principle 2. Restraint: No state or non-state actor should The second principle contains a general requirement take actions that impair the stability of of restraint. For states, this is consistent with the 2018 cyberspace. resolutions of the United Nations General Assembly 3. Requirement to Act: State or non-state actors (UNGA) concerning responsible state behavior in 27 should take reasonable and appropriate steps to cyberspace and the 2015 UN GGE report which ensure the stability of cyberspace. notes that “Consistent with the purposes of the United Nations, including to maintain international peace and 4. Respect for Human Rights: Efforts to ensure security, States should…prevent ICT practices that are the stability of cyberspace must respect human acknowledged to be harmful or that may pose threats rights and the rule of law. to international peace and security...”28 But it is not just about states, as non-state actors can also engage in actions, such as hacking their attackers, that might also undermine the stability of cyberspace.

27 United Nations General Assembly resolution 73/27, Devel- opments in the field of information and telecommunications in the context of international security, A/RES/73/27 (5 December 2018), https://undocs.org/en/A/RES/73/27; and UN General Assembly resolution 73/266, https://undocs.org/en/A/RES/73/266. 28 UN GGE Report 2015, p.7, Paragraph 13(a), https://undocs. org/A/70/174.

GLOBAL COMMISSION 18 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE C. The Requirement to Act Principle Rights.30 Additionally, a large number of international agreements providing for a variety of specific human rights have been adopted and create binding The third principle contains a general requirement legal obligations for state parties. In the context of to take affirmative action to preserve the stability of cyberspace, the applicability of international human cyberspace. When acting, states should take care to rights law has been explicitly confirmed on several avoid inadvertently escalating tensions or increasing occasions by the United Nations General Assembly,31 instability. This is consistent with the obligation the UN Human Rights Council (HRC),32 as well as noted in the 2015 UN GGE report to “cooperate the UN GGE reports of 2013 and 2015.33 Upholding in developing and applying measures to increase rights and ensuring users trust that their rights are stability and security in the use of ICTs.”29 But again, being respected is critical to ensuring the stability of it is not just about states, as private companies and cyberspace. individuals can also take cooperative steps to help ensure the stability of cyberspace. For example, We note that the four principles are not intended to be private companies can work together to mitigate all-inclusive or cover every aspect of cyberspace policy, cyber threats, and individuals can ensure they are and there are many organizations that have produced employing best practices, such as upgrading, patching, broad-based sets of principles covering a wide and using multi-factor authentication, to reduce the variety of issues. There are also other organizations risk that botnets will take over their machines and focused on issues relating to Internet governance then be used to launch broad-based attacks that and human rights online (including privacy, freedom threaten the stability of cyberspace. of expression, and freedom of association). Our goal is to achieve widespread acceptance of principles D. The Human Rights Principle that support the stability of cyberspace, especially in an era of unprecedented and sophisticated hostile The fourth principle recognizes the importance of activity where rules may be unclear or, even if clear, safeguarding human rights as an important element may be neither embraced nor enforced. of cyberspace stability. As the reliance of individuals on information and communications technologies increases, the disruptive effect on human activity resulting from threats to its availability or integrity is amplified. Thus, it is imperative that as states pursue their national strategic interests in cyberspace, they give due consideration to the resulting impact on individuals, in particular their human rights. In a 30 United Nations General Assembly resolution 217 A (III), Uni- similar vein, non-state actors should consider and versal Declaration of Human Rights (10 December 1948), https:// minimize risks that their activities pose to individuals’ www.un.org/en/universal-declaration-human-rights/. enjoyment of their rights online and offline. At 31 See United Nations General Assembly resolution 68/167, a minimum, compliance with the Human Rights The right to privacy in the digital age, A/RES/68/167 (18 December Principle requires that states abide by their human 2013), https://undocs.org/A/RES/68/167; and United Nations rights obligations under international law as they General Assembly resolution 69/166, The right to privacy in the engage in activities in cyberspace. digital age, A/RES/69/166 (18 December 2014), https://undocs. org/A/RES/69/166. Universally accepted human rights have been 32 United Nations Human Rights Council, The promotion, enshrined in the Universal Declaration of Human protection and enjoyment of human rights on the Internet, A/ HRC/20/L.13 (29 June 2012), https://undocs.org/A/HRC/20/L.13. 33 UN GGE 2013 Report, https://undocs.org/A/68/98 and UN 29 Id. GGE 2015 Report, https://undocs.org/A/70/174.

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 19 6. NORMS

While principles are a key starting point for establishing to protect the public core of the Internet38 and a norm policy and guiding tactical actions, their high level of to protect electoral systems.39 Similarly, while the UN abstraction requires that they be supplemented with GGE norm refers to the “integrity of the supply chain,”40 more granular agreements that define acceptable a GCSC norm speaks more specifically to the types of behavior. This means that principles must be supply chain attacks that must be addressed.41 supplemented by norms. Norms represent social behaviors that are expected and appropriate.34 It The other major difference between the UN GGE is impossible to discuss norms without referencing norms and those proposed by the GCSC is that the work of other organizations, especially the UN 35 GGE and its 2015 report. The UN GGE recognized 38 Global Commission on the Stability of Cyberspace (GCSC), that “[g]iven the unique attributes of ICTs, additional Call to Protect the Public Core of the Internet (New Delhi, November 36 norms could be developed over time,” and the 2017), https://cyberstability.org/wp-content/uploads/2018/07/ GCSC’s mandate was, in fact, to “develop proposals call-to-protect-the-public-core-of-the-internet.pdf. An early for norms and policies to enhance international proponent of identifying the public core of the Internet for spe- security and stability.” To build on prior work and cial protection was Dennis Broeders, a Dutch researcher. See identify where additional norms may be warranted, it Dennis Broeders, The Public Core of the Internet: An International is important to start with the norms agreed to in 2015 Agenda for Internet Governance (Amsterdam: Amsterdam Univer- which can be found, in their entirety, in Appendix A. sity Press, 2015), http://www.oapen.org/download?type=document&docid=610631. 39 Global Commission on the Stability of Cyberspace (GCSC), As the UN GGE noted in 2015, it was tasked to, among Call to Protect the Electoral Infrastructure (Bratislava, May other things, “identify where additional norms that 2018), https://cyberstability.org/wp-content/uploads/2018/05/ take into account the complexity and unique attributes GCSC-Call-to-Protect-Electoral-Infrastructure.pdf. 37 of ICTs may need to be developed.” Since that time, 40 UN GGE Report 2015, p.8, Paragraph 13(i). “States should ICT products and services—as well as their misuse— take reasonable steps to ensure the integrity of the supply have continued to change. To address this, the GCSC chain so that end users can have confidence in the security of focused on filling gaps in the current set of norms, ICT products. States should seek to prevent the proliferation of adding technical specificity to the norms discussion, malicious ICT tools and techniques and the use of harmful hid- and addressing issues of implementation. Regarding den functions.” filling gaps, for example, the GCSC endorsed a norm 41 Global Commission on the Stability of Cyberspace (GCSC), Norms Through Singapore (November 2018), https://cyberstability.org/wp-content/uploads/2019/04/singaporenew-digital.pdf. 34 https://en.oxforddictionaries.com/definition/norm. “State and non-state actors should not tamper with products 35 UN GGE 2015 Report, https://undocs.org/A/70/174. and services in development and production, nor allow them 36 Id., p.8, Paragraph 15. to be tampered with, if doing so may substantially impair the 37 Id., p.7, Paragraph 11. stability of cyberspace.”

GLOBAL COMMISSION 20 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE the GCSC believes that responsibilities should be general availability or integrity of the public imposed on non-state actors as well, as they must core of the Internet, and therefore the stability exercise restraint or take affirmative steps to ensure of cyberspace. the stability of cyberspace. We are not referring here to cyber attacks by criminals; criminals who are not deterred by government action will not be deterred 2. State and non-state actors must not pursue, by norms. But since technology changes rapidly and support or allow cyber operations intended to laws do not, it is helpful to be precise about what non- disrupt the technical infrastructure essential state behaviors should be encouraged or discouraged to elections, referenda or plebiscites. even in the absence of laws. For example, some are advocating that victims of hacking should be allowed 3. State and non-state actors should not tam- to “hack back.” Even in the absence of laws permitting or prohibiting such conduct, the GCSC believes it per with products and services in develop- inadvisable for several reasons, including the fact ment and production, nor allow them to be that the initial attacker may be routing its attack tampered with, if doing so may substantially through third-party systems (e.g., a cloud provider or impair the stability of cyberspace. a hospital) and hacking back may therefore impact innocent users (e.g., cloud customers or patients). 4. State and non-state actors should not com- Additionally, due to these attacks on innocent victims, the hack back may be viewed as, or provoke, an mandeer the general public’s ICT resources for escalation. In short, due to the complexities raised, use as botnets or for similar purposes. even in the absence of laws, a norm restraining private sector actors may influence behavior and thus 5. States should create procedurally transparent serve a salutary purpose. frameworks to assess whether and when to disclose not publicly known vulnerabilities or A. The GCSC Proposed Norms flaws they are aware of in information systems and technologies. The default presump- With the above points in mind, the GCSC developed the following proposed norms: tion should be in favor of disclosure.

1. State and non-state actors should neither 6. Developers and producers of products and conduct nor knowingly allow activity that services on which the stability of cyberspace intentionally and substantially damages the depends should (1) prioritize security and

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 21 stability, (2) take reasonable steps to ensure electoral systems, a concern that became more acute that their products or services are free from after 2015.43 While electoral systems may be covered significant vulnerabilities, and (3) take mea- in some countries by reference (i.e., some states now consider electoral systems to be critical infrastructure, sures to timely mitigate vulnerabilities that are thus bringing them within the ambit of critical later discovered and to be transparent about infrastructure norms),44 certain countries may not their process. All actors have a duty to share follow this approach. Thus, while cyberspace is global, information on vulnerabilities in order to help normative protections may not be. To help address prevent or mitigate malicious cyber activity. interpretation issues regarding the GCSC norms, the Commission decided to provide background text for each norm described above (see Appendix B). 7. States should enact appropriate measures, including laws and regulations, to ensure basic Finally, norms for behavior in cyberspace cannot be cyber hygiene. static. The GCSC norms reflect a moment in time in a continually changing technology landscape. 8. Non-state actors should not engage in offen- State and non-state actors should be prepared to sive cyber operations and state actors should develop new norms as technologies advance, and as our understanding of the implications of existing prevent such activities and respond if they technologies change. occur. Whether focused on UN GGE norms, GCSC norms, It is worth noting that finding the most appropriate or other proposals, it must be recognized that for language to express a norm can be challenging. norms to be effective, it is necessary for them to be If norms are too precise and leave no room for adopted and implemented, and norms violators must interpretation, it may be hard to achieve consensus be held accountable. We now address those issues, and there may be significant gaps in coverage. On before turning to how non-state actors, who are the other hand, if norms are too vague, they do not decentralized and distributed around the world, can provide the type of guidance necessary to guide come together to work with governments on practical behavior and set clear expectations for a specific solutions to cyberstability challenges. group of actors. The goal is to strike the right balance and develop further norms, where necessary, to ensure that unwanted behaviors are addressed. By B. Norms Adoption way of example, the UN GGE norms adopted in 2015 protected critical infrastructures, but it is not clear that For a norm to be effective, it must achieve widespread the public core of the Internet is covered by that term; acceptance. Such acceptance, even by actors that many think of critical infrastructures as utilities and some consider to be potential norm violators, services (e.g., power, communications, and banking).42 bolsters the legitimacy of actions that call out norms Additionally, the UN GGE did not specifically reference violations and of appropriate collective actions taken to respond to such violations. While widespread 42 Critical infrastructure has been defined as including “systems and assets, whether physical or virtual, so vital that the in- 43 Erik Brattberg and Tim Maurer, Russian Election Interference: capacity or destruction of such systems and assets would have Europe’s Counter to Fake News and Cyber Attacks, Carnegie En- a debilitating impact on security, national economic security, na- dowment for International Peace (23 May 2018), https://carn- tional public health or safety, or any combination of those mat- egieendowment.org/2018/05/23/russian-election-interference- ters.” Critical Infrastructures Protection Act of 2001, 42 U.S. Code europe-s-counter-to-fake-news-and-cyber-attacks-pub-76435. § 5195c(e), (2001). It has also been defined as “assets or systems See also Michael McFaul, ed., Securing American Elections, Stan- which are vital for the maintenance of societal functions, health, ford Cyber Policy Center (June 2019), https://cyber.fsi.stanford. safety, security, economic or social well-being of people.” Coun- edu/securing-our-cyber-future. cil of the European Union, Council Directive 2008/114/EC of 8 44 See, for example, U.S. Department of Homeland Securi- December 2008 on the Identification and Designation of European ty, “Statement by Secretary Jeh Johnson on the Designation Critical Infrastructures and the Assessment of the Need to Improve of Election Infrastructure as a Critical Infrastructure Subsec- Their Protection, Official Journal of the European Union, (8 De- tor” (6 January 2017), https://www.dhs.gov/news/2017/01/06/ cember 2008), https://eur-lex.europa.eu/legal-content/EN/TXT/ statement-secretary-johnson-designation-election-infrastruc- PDF/?uri=CELEX:32008L0114. ture-critical.

GLOBAL COMMISSION 22 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE adoption is best, there is a place for smaller groupings norm), but they cannot fulfill those roles if they have of like-minded states or other entities to agree on and no awareness or insight into the proposals being enforce particular norms. To address this, the GCSC is made by state and non-state actors. It is clear that proposing a flexible, extensible approach that allows governments and international organizations need states and other stakeholders to embrace some to do more to reach out to those communities that norms while rejecting or abstaining from others. proposed norms are meant to help. This approach not only creates clarity by highlighting specific areas of agreement and disagreement, but C. Norms Implementation it permits particular norms to be embraced, refined, and implemented, even if more time is needed to Following adoption, state and non-state actors must evaluate others. In any case, widespread norms take concrete steps to implement a norm. There adoption will be a long-term effort. seems to be evolving consensus in the ongoing UN processes (OEWG and GGE) and in regional There are also some unique and practical challenges efforts that implementation is a priority.46 To some, to promoting norms adoption. The unique challenge implementation refers to the adoption of the norm, is that we are attempting to address relatively new, engaging in capacity building efforts and confidence destabilizing behaviors. To the extent a norm is building measures, or reaching more granular “something that is usual, typical, or standard,”45 consensus on the meaning of an agreed-to norm.47 drafting norms regarding future behavior is an While these steps are important prerequisites interesting exercise. If everyone is already behaving to norms implementation, they do not serve to a certain way, then a written norm is simply codifying implement the norms themselves. For example, while existing practice. But if there is no “typical behavior,” capacity building is necessary to ensure that countries then drafting a norm is an attempt to encourage can secure themselves and have the bandwidth to common behavior in the future, even where there engage internationally, one can build capacity without is not common behavior today. Simply declaring adopting or implementing norms. Similarly, while something desirable will not make it normative, so confidence building measures can help maintain the adoption needs to be promoted. stability of cyberspace by facilitating the exchange of national views on cyber doctrine, establishing hotlines Second, there needs to be greater awareness of for rapid communications between national cyber proposed norms by the entities that are capable of experts, and encouraging the sharing of best practices their implementation, as well as those the norms are and security standards, these too can be done meant to protect. Even with significant activity in the UN and a host of other fora, norms adoption is still 46 General Assembly resolution 73/266, p. 3, Paragraph in its relative infancy and much needs to be done to 1(b), https://undocs.org/en/A/RES/73/266; General Assembly promote proposed norms and secure acceptance, resolution 73/27, p. 5, Paragraph 5, https://undocs.org/en/A/ particularly in certain parts of the world. This is why RES/73/27. See also Organization for Security and Co-operation capacity building efforts in this area are so vital; in Europe (OSCE), Opening remarks by Secretary General Thom- as Greminger organizations with greater capacity are more likely , 2019 Chairmanship OSCE-wide cyber/ICT security conference (Bratislava, 2019). “Regional organizations…can to effectively support norms adoption and getting be incubators for new ideas and practical efforts that relate to additional adherents is foundational to any global CBMs as well as an implementer of globally accepted agree- normative structure. Additionally, outreach must be ments, like the GGE reports. So, regional organizations are both done to those protected by norms, as they may be incubators and implementers.” unaware of their potential impact. For example, there 47 The UN General Assembly invites all Member States, tak- does not appear to be widespread awareness among ing into account the assessments and recommendations con- Computer Emergency Response Teams (CSIRTs/ tained in the reports of the GGE and the OEWG, to continue to CERTs) of the UN GGE norm concerning states not inform the Secretary-General of their views and assessments attacking national CSIRTs and using them for only on inter alia “Efforts taken at the national level to strengthen defensive purposes. As discussed below, protected information security and promote international cooperation in entities often will have a role in implementation and this field” and “possible measures that could be taken by the international community to strengthen information security accountability (as well as the design of the proposed at the global level.” See UN Secretary-General’s report 74/120, https://undocs.org/A/74/120. For more national views of Mem- 45 See https://www.lexico.com/en/definition/norm. ber States, see, https://www.un.org/disarmament/ict-security/.

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 23 without implementing norms. Rather, implementing a strong incentive to not make spurious allegations, a norm involves taking concrete steps to give it lest they lose credibility. In short, what is needed is for force. Domestically, this might include incorporating attribution to be convincing to other countries and to proposed norms into national policy, legislation, and the public. military doctrine. Internationally, this might include citing a norm’s provisions when attributing attacks or Even if an aggrieved party is satisfied that a particular actor is responsible (and attribution has in fact taking diplomatic action. Operationalizing a norm in occurred in international cases), holding actors this way also serves to give it more precise definition. truly accountable has also proven challenging, thus undermining the value of norms. After all, if there D. Accountability are no adverse consequences for those who violate accepted norms, those norms become little more Once norms are adopted and implemented there than words on paper and they will be unlikely to must be accountability for those who violate them. discourage destabilizing activities. This raises the complicated issues of attribution and response, both of which have proven challenging in Accountability for cyber attacks conducted by non- addressing cyber attacks. state actors is relatively straightforward and is predominately achieved through the imposition of To support a claim that a state or non-state actor civil or criminal responsibility under the domestic has acted wrongfully requires credible attribution. laws of the states concerned. There are certainly This starts with collecting and analyzing evidence, challenges in doing so, as the international nature and there is both technical and procedural work of many cyber attacks and the technical challenges that can be done now to improve the quality and in collecting evidence may present obstacles to state timeliness of attribution. More specifically, as with action. But the way forward is conceptually clear: other technical disciplines, having well-accepted streamline international law enforcement processes protocols for collecting and analyzing evidence is and work to ensure that cyber criminals are identified important to improving the quality of investigations. and prosecuted. Thus, the standardization of investigative methods is important because it may reduce concerns over Holding states accountable for norms violations is the integrity of evidence, even if attribution must more challenging.48 This is because responding to an be decided on a case-by-case basis. In addition to attack in cyberspace is heavily context dependent. As improving attribution as a technical matter, there is to whether accountability is demanded, state and non- much that can be done to shorten the bureaucratic state actors will weigh different factors; for example, processes associated with making attribution a state responding to a norms violation may consider decisions and then, when appropriate, making them the political implications while a private sector public. The often long delay between an event and a company may consider the business and reputational declaration of responsibility is due, in no small part, repercussions. As to how a norms violation should be to unclear or unwieldy processes for reaching such addressed, state actions available in response to a decisions at a national level and is exacerbated when norms violation can be viewed along a continuum, as several countries are involved in making collective a response may be minor (e.g., a private complaint), attribution statements. Designing and exercising significant (e.g., economic sanctions), or dramatic processes for reaching attribution at a national level (e.g., a highly visible kinetic response). While there and international level, and improving information is not and will not be a one size fits all response, sharing between countries, can significantly improve clearly there must be meaningful consequences for the timeliness and effectiveness of attribution violations of norms and international law. As past statements and facilitate any further appropriate efforts to enforce norms have had limited success, action. 48 States may be held responsible for the cyber operations Even after the evidence points to a given actor, the they conduct, direct, or permit. The principle of due diligence next step (attribution) may remain challenging. In the may also prove helpful in defining the level of care required past, some state and non-state actors have asserted from states in cyberspace. Joanna Kulesza, Due Diligence in that attribution is impossible or required absolute International Law, (Leiden: Brill Nijhoff, 2016), https://doi. proof. But absolute proof is not required and while org/10.1163/9789004325197. See also, Articles on Responsibility attribution may be difficult, it is not as insurmountable of States for Internationally Wrongful Acts, adopted by the Inter- as some have suggested. In the nation state context, national Law Commission at its fifty-third session in 2001, an- attribution, whether in the cyber or physical realm, is nexed to General Assembly resolution 56/83 of 12 December often a political act, and while there is no particular 2001, and corrected by document A/56/49(Vol I)/Corr4, Articles agreed upon standard of proof, countries still have 4 and 11, http://legal.un.org/ilc/texts/instruments/draft_arti- cles/9_6_2001.pdf.

GLOBAL COMMISSION 24 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE more effective and timely responses are needed, different constituencies, and different organizations recognizing that such responses should seek to and members of society may be interested in minimize further instability. advocating for certain norms more than others. Since governments, the private sector, the technical Non-state actors are also working to ensure that community, academia, and civil society are not norms violators are held accountable for their actions. monolithic entities, it is important to think about how For example, the GFCE49 combines government, to create a concerted as opposed to concentrated civil society, and private sector members to help effort, one that engages diverse communities in coordinate efforts to build capacity, a necessary norms-related issues.53 Creating Communities of prerequisite to norms adoption, implementation, and Interest permits those having expertise in specific accountability. Additionally, the private sector has norms to work on their further development and taken on an expanded role in attributing attacks, using implementation. For example, Computer Emergency both proprietary and public information to expose Response Teams (CERTs/ CSIRTs) may be particularly actors and describe the damage they have caused. interested in implementing and monitoring the UN Finally, some private sector entities have proposed or GGE norm aimed at protecting that community, just launched efforts, such as the “CyberPeace Institute,”50 as those responsible for electoral systems may be that are designed to monitor and expose large cyber particularly interested in the GCSC norm on electoral events in a more systematic way and potentially at systems. Similarly, the Internet community could help greater scale. advance, implement, and monitor the Commission’s proposed norm on protecting the public core of the Non-state actors should take a greater role in holding Internet, and developers may be most interested in norms violators accountable for transgressions. The the norm involving product tampering. idea of private sector norms enforcement is not a new one: for instance, in 1977, during the anti-apartheid The formation of a Community of Interest may be struggle in South Africa, General Motors promoted a directed or an ad hoc, bottom-up process. The fact set of widely-adopted principles for doing business that members themselves may form a Community (and not doing business) in that country, resulting does not suggest that their development and success in disinvestment by over 125 foreign businesses.51 should be left to chance. Instead, it is important to More recently, and in a more symbolic vein, many focus on what makes a Community successful: (1) companies (and governments) responded to the shared principles; (2) issue focus; (3) subject matter Saudi murder of opposition reporter Jamal Khashoggi expertise; (4) financial and administrative support; by boycotting the Future Investment Initiative as a and (5) a transparent process. In fact, it may be message of disapproval.52 These kinds of efforts bear possible to identify a best-practice template of how further examination. Communities should be created and implemented, thus allowing various norm-setting processes to E. Communities of Interest leverage a similar Community model. This would help reconcile different workstreams to ensure efficiency While a multistakeholder approach to norms and focus, as well as leverage best practices for norms adoption, implementation, and accountability is adoption, implementation, and accountability. critical, harnessing the energies and capabilities of these groups is challenging. Governments often use the term “like-minded nations” to reflect a group of states with similar views, but there is no equivalent term that encompasses a collection of states, private companies, not-for-profit organizations (including standards organizations), civil society, and individuals that share views on a particular issue. This is important because the norms that have been proposed by the UN GGE and GCSC may affect

49 Global Forum on Cyber Expertise, https://www.thegfce. com/. 50 CyberPeace Institute, https://cyberpeaceinstitute.org/. 51 See, generally, “Sullivan Principles,” Wikipedia, 12 August 2018, https://en.wikipedia.org/wiki/Sullivan_principles. 52 See “Western boycott of Future Investment Initiative 53 See, generally, The Age of Digital Interdependence, https:// 2018,” Royal News, 16 October 2018, https://en.royanews.tv/ digitalcooperation.org/wp-content/uploads/2019/06/DigitalCo- news/15500/2018-10-16. operation-report-for-web.pdf.

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 25 7. RECOMMENDATIONS

Our six recommendations for ensuring the stability of that there is no price for doing so. Therefore, cyberspace flow from our principles on responsibility, state and non-state actors should develop the restraint, requirement to act, and respect for internal capability to evaluate transgressions and human rights. As everyone is responsible for, and a quickly decide on and take appropriate individual multistakeholder approach is critical to, ensuring the and collective responses, consistent with the stability of cyberspace, our recommendations also Requirement to Act Principle. seek to leverage the capabilities of state and non- state actors, in part through Communities of Interest. 3. State and non-state actors, including In short, we focus on what should be done and how it international institutions, should increase might be done. efforts to train staff, build capacity and capabilities, promote a shared understanding 1. State and non-state actors must adopt and of the importance of the stability of implement norms that increase the stability cyberspace, and take into account the of cyberspace by promoting restraint and disparate needs of different parties. Increasing encouraging action. State actors who have capacity, capability, and understanding will previously agreed to norms must more clearly broaden the world’s ability to implement define the terms used, an outcome that could international laws, norms, and other confidence be achieved through further negotiations and building measures designed to enhance the through practical experience implementing stability of cyberspace while respecting human existing norms. Both state and non-state actors rights. All parties should leverage existing should offer clear evidence of norms adoption organizations, including the multistakeholder and implementation through public statements, Global Forum on Cyber Expertise, that are focused and through changes in both policy and action. on capacity building as this is a prerequisite to adopting and implementing norms, ensuring 2. State and non-state actors, consistent with accountability, taking other stability measures, their responsibilities and limitations, must and respecting human rights. respond appropriately to norms violations, ensuring that those who violate norms face 4. State and non-state actors should collect, predictable and meaningful consequences. share, review, and publish information on Norms development and implementation will norms violations and the impact of such not be effective if those who violate norms learn activities. While the world has seen actions that

GLOBAL COMMISSION 26 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE would constitute a violation of the norms set community), and civil society are adequately forth in the United Nations and proposed by the involved and consulted. The Responsibility GCSC, reporting tends to be anecdotal rather than Principle recognizes that everyone has a role comprehensive. Organizations, particularly those to play in ensuring the stability of cyberspace that are independent of any state or commercial and reinforces the need for multistakeholder interest, should systematically collect and publish approaches. From 2011-17, the Global Conference information on norms violations and their impact. on CyberSpace (GCCS) provided one platform for Doing so will serve to catalyze responses by state such engagement that brought in minister-level and non-state actors to norms violations and participants from foreign and security ministries serve to improve norms compliance. who were charged with achieving global stability in other contexts, and it was also the launching 5. State and non-state actors should establish point of the Global Forum on Cyber Expertise, an and support Communities of Interest to important capacity building effort. The Internet help ensure the stability of cyberspace. Governance Forum (IGF) has also offered Establishing and supporting Communities an important platform for multistakeholder will serve to ensure that all interested parties discussion. More recently, the Paris Call brought including states, the private sector, the technical together the largest-ever multistakeholder community, academia, and civil society all fulfill community of supporters of cybersecurity their responsibility to ensure the stability of norms. These efforts suggest that the time is ripe cyberspace. These Communities can focus on, for the development of a global, inclusive, and among other things, the interpretation, adoption, action-oriented multistakeholder community and implementation of the cybersecurity norms focused on the practical implementation of the put forward in this report and elsewhere, whether cybersecurity norms put forward in this report evidentiary standards for attribution are robust, and elsewhere. The mechanism should be and whether norms violators are being held supported by a standing structure to ensure a accountable in a timely and effective manner. sustained and continuous effort.

6. The GCSC recommends establishing a standing multistakeholder engagement mechanism to address stability issues, one where states, the private sector (including the technical

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 27 APPENDIX A: NORMS ADOPTED BY THE UN GGE 54

a. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;54

b. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;

c. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;

d. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;

e. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;

f. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;

g. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;

h. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;

i. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;

j. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT- dependent infrastructure;

k. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

54 See United Nations General Assembly, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, A/70/174 (22 July 2015), https://undocs.org/A/70/174.

GLOBAL COMMISSION 28 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE APPENDIX B: 54 THE NORMS OF THE GCSC

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 29 NORM: 1. NON- State and non- state actors should INTERFERENCE neither conduct nor knowingly WITH THE allow activity PUBLIC CORE that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace.

BACKGROUND

Defining the public core of the Internet is challenging as many different types of attacks may ultimately impair the general availability or integrity of the Internet writ-large (the outcome to be avoided). That said, there are clearly certain components that one would target if looking to have such a broad impact and it is at least possible to provide a non-exhaustive list of such critical elements. At the highest level, the Commission defines the phrase “general availability” to mean that the actor’s conduct has a substantial impact on the general population. Therefore, this norm recognizes that those states who support this norm may still engage in activities that are more limited in purpose and scope and have no substantial impact on the general population.

GLOBAL COMMISSION 30 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE The Commission defines the generic top-level domains; (3) Transmission media includes, but phrase “the public core of the frequently used public recursive are not limited to (1) infrastructure, Internet” to include such critical DNS resolvers; (4) the systems of systems and installations for elements of the infrastructure the Internet Assigned Numbers communications serving the of the Internet as packet Authority and the Regional Internet public, whether fiber, copper, routing and forwarding, naming Registries which make available or wireless; (2) terrestrial and and numbering systems, the and maintain the unique allocation undersea cables and the landing cryptographic mechanisms of of Internet Protocol addresses, stations, datacenters, and other security and identity, transmission Autonomous System Numbers, physical facilities which support media, software, and data centers. and Internet Protocol Identifiers; them; (3) cellular and other wireless and (5) the naming and numbering voice and data communications; Packet routing and forwarding protocols themselves and the (4) regulated and unregulated elements include, but are not integrity of the standardization broadcast communications; (5) the limited to, (1) the equipment, processes and outcomes for support systems for transmission, facilities, information, protocols, protocol development and signal regeneration, branching, and systems that facilitate the maintenance. multiplexing, and signal-to-noise transmission of packetized discrimination; and (6) cable communications from their The cryptographic mechanisms systems that serve regions or sources to their destinations; (2) of security and identity include, populations, but not those that Internet Exchange Points (the but are not limited to, (1) the serve the customers of individual physical sites where Internet cryptographic keys which are companies. bandwidth is produced); (3) the used to authenticate users and peering and core routers of devices and secure Internet Software includes but is not limited major networks which transport transactions; (2) the equipment, to the availability and integrity that bandwidth to users; (4) facilities, information, protocols, of the development processes, systems needed to assure routing and systems that enable the source code and patch-distribution authenticity and defend the production, communication, use, infrastructure of software used network from abusive behavior; and deprecation of those keys; in the core of the Internet and (5) the design, production, and (3) PGP keyservers, Certificate by large portions of the Internet- supply-chain of equipment used Authorities and their Public Key using public. for the above purposes; and Infrastructure; (4) DANE and (6) the integrity of the routing its supporting protocols and Datacenters include but are not protocols themselves and their infrastructure; (5) certificate limited to (1) the physical facilities development, standardization, revocation mechanisms and which house servers, content, and maintenance processes. transparency logs; (6) password and Internet infrastructure; (2) the managers; (7) roaming access system used to ensure datacenter Naming and numbering systems authenticators; (8) mechanisms of safety, security, physical access include, but are not limited to, (1) accurate time and establishment control, operations, management, systems and information used of temporal precedence, such as maintenance, and redundancy in the operation of the Internet’s the Network Time Protocol and systems; and (3) communications Domain Name System (including its infrastructure; (9) the integrity systems used to send registries, name servers, zone of the standardization processes communications to, from and content, infrastructure and and outcomes for cryptographic within data centers. processes such as DNSSEC used algorithm and protocol to cryptographically sign records); development and maintenance; Experts believe that far more (2) the WHOIS information and (10) the design, production, categories of Internet and ICT- services for the root zone, inverse- and supply-chain of equipment enabled infrastructure are address hierarchy, country-code, used to implement cryptographic deserving of protection, so this geographic, and internationalized processes. definition may be broadened in top-level domains and for the future. new generic and non-military

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 31 2. PROTECTING ELECTORAL INFRASTRUCTURE

GLOBAL COMMISSION 32 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE NORM: State and non-state actors must not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites.

BACKGROUND Those protective measures have and concerns associated with now come to be challenged again their digital manipulation. Voting in the digital age. software suppliers and computer Of all the rules, precepts and systems at the local or “booth” principles that guide the conduct Experts have debated whether levels remain susceptible to such of states in the comity of nations, the type of cyber-related election intrusions as well. the norm of non-interference is interference recently seen perhaps held most sacred. Article amounts to an unlawful violation of Seized of the growing number and 2(4) of the United Nations Charter sovereignty (because it interferes intensity of threats to participative articulates this norm and elevates with the exercise of an inherently processes, and recognizing that it as a principle of legal, and thus, governmental function) or an such attacks are unacceptable, binding character: unlawful intervention.55 Whether the GCSC recommends stronger or not a violation of international national measures and effective All Members shall refrain in law has occurred, however, international cooperation to their international relations there is the clear possibility that prevent, mitigate and respond from the threat or use of force malicious actors—acting alone, to cyber intrusions against the against the territorial integrity collectively, or on behalf of technical electoral infrastructure. or political independence states—will manipulate elections The Commission acknowledges of any state, or in any other through digital means. With that the actual conduct of elections manner inconsistent with national participatory processes or participatory processes at the the Purposes of the United becoming more complex in scale regional, local or federal level is Nations. and sophistication, there has been firmly the remit of states, to be a burgeoning of data, institutions carried out in accordance with Through this provision, the framers and infrastructure to manage their respective national laws. of the Charter acknowledged them. Many countries today Nevertheless, the cyber attacks that the gravest threats to the publish their electoral rolls—a on their electoral infrastructure principle of non-intervention came basic, traditional guarantee may originate from outside the from coercive measures directed against voting manipulation or borders, necessitating multilateral at a state’s physical or political fraud—online, exposing such cooperation resolution. As more autonomy, as, indeed, both are databases to cyber attacks and countries opt to digitize their essential to state sovereignty. The exploitation. Similarly, electoral election machinery, the risks and territory controlled by a state may voting instruments are used in vulnerabilities associated with such be a manifestation of its sovereign far flung and remote areas of infrastructure increase manifold, capacity, but it is worthless without a country, where its operators as does the prospect of a major, the enjoyment of political agency are not fully abreast of the risks offensive cyber operation. Thus, and independence. Moreover, governments must commit to nothing reflects genuine political 55 See Michael N. Schmitt, “’Virtual’ Dis- refraining from engaging in cyber independence more than national enfranchisement: Cyber Election Med- operations against the technical participatory processes, such as dling in the Grey Zones of International electoral infrastructure of another elections, conducted freely and Law,” Chicago Journal of International state. In recommending this norm, fairly. The UN Charter sought to Law, Vol. 19, No. 1, and Nicholas Tsa- the Commission merely affirms grant strong protections against gourias, “Electoral Cyber Interference, Self-Determination and the Principle of that election interference is undue external interference. Non-Intervention in Cyberspace,” https:// intolerable whether it is considered www.ejiltalk.org/electoral-cyber-interfer- to be a violation of international ence-self-determination-and-the-principle-of-non-intervention-in-cyberspace/. law or not.

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 33 3. NORM TO AVOID TAMPERING

GLOBAL COMMISSION 34 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE NORM: State and non-state actors should not tamper with products and services in development and production, nor allow them to be tampered with, if doing so may substantially impair the stability of cyberspace.

BACKGROUND a security feature—during the a product or service line, which design and manufacturing phase puts the stability of cyberspace at or during one of its updates. Put risk. This norm would not prohibit In a norm focused on “Non- another way, a product can be targeted state action that poses Interference with the public tampered with prior to its release little risk to the overall stability core of the Internet,” the GCSC or production, with consequences of cyberspace; for example, called upon state and non-state for the public at large. The time the targeted interception and actors not to intentionally and between inserting a vulnerability, tampering of a limited number substantially damage the general and activating the vulnerability for of end-user devices in order to availability or integrity of the public malicious use, can vary. facilitate military espionage or core of the Internet. In support of criminal investigations. This type of this norm, the Commission noted States have conflicting interests activity, unless it occurs within the the increasing dependence of and responsibilities when dealing basic infrastructure of the public other infrastructures on a stable with information technology core itself, or critically weakens and secure Internet and the products. On the one hand, they user trust in the Internet globally, is potential dramatic consequences have an obligation to promote unlikely to weaken the overall trust of its disruption. While the public the resilience and integrity of the in cyberspace that is a condition core norm focused on the “core cyber infrastructure to help thwart of cyberstability. Although a non- of the Internet,” individuals and future cyber attacks by malicious state actor may also target systems organizations rely heavily upon actors and make the entire digital in a limited way, such activity might certain commercial products ecosystem safer. On the other violate existing criminal and civil to reach that public core and hand, states have an obligation to laws. leverage the connectivity it their citizens to protect national provides. As a result, tampering security and combat criminals While state and non-state actors with key components in software and other malicious actors in should not affirmatively tamper and hardware IT products cyberspace. The exploitation of with products in development or (including, but not limited to, vulnerabilities in digital products production, those in industry also operating systems, Industrial and services used by adversaries have a responsibility to prevent Control Systems, switches, routers has been leveraged by states to such activities. Therefore, those and other critical networking achieve their national security creating products and services equipment, critical cryptographic and public safety mission. Thus, must commit to a reasonable products and standards, to the extent that states consider level of diligence in the designing, microchip design and widely used exploiting vulnerabilities to be an developing and delivering of end-user consumer applications) effective approach to fulfilling their products and services that may similarly deprive society of responsibilities, they may also find prioritizes security and in turn the ability to use and leverage it helpful to intentionally introduce reduces the likelihood, frequency, the Internet safely and securely, weaknesses or back doors into exploitability and severity of and weaken overall the trust in its products and services used by vulnerabilities. Those concerned proper function. While such attacks adversaries. Non-state actors may must also reject any apparent state are often in the news, what receives in turn tamper with products and or non-state efforts to compromise less attention is the fact that an services as well, as their objectives products and services, as well attack can occur even before a may be aided by their ability to as adopt practices that reduce product or its update reaches the disrupt the stability of cyberspace. the risk of tampering and permit market. For example, a product It is important to note that the them to respond if tampering is can be attacked by inserting a norm prohibits tampering with discovered. vulnerability—or secretly removing

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 35 4. NORM AGAINST COMMANDEERING OF ICT DEVICES INTO BOTNETS

GLOBAL COMMISSION 36 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE NORM: State and non-state actors should not commandeer the general public’s ICT resources for use as botnets or for similar purposes.

BACKGROUND network resources. Those botnets As we become increasingly reliant can then be used to exercise on technology in our personal direct effects on a different environment, and more and Internet-connected devices are targeted system that can include more connected devices enter becoming integral to people’s impacting the end-targets’ data the market, the exploitation of lives globally. We are surrounded confidentiality, availability and consumer devices and their use as by devices with a multiplicity integrity. Therefore, a potentially botnets increasingly undermines of computational, networking, uninvolved “third party” device, trust and destabilizes society. The sensing and actuating capabilities. and its owner/operator, are made Commission recognizes that there Thermostats, televisions, medical party to a malicious cyber activity are cases—for instance for law devices, alarm clocks and without their knowledge. The enforcement purposes—in which automobiles have computing, compromise of devices to install authorized state actors may find storage and network capacity malicious software agents not only it necessary to install software that can be appropriated and weakens the defense of the device agents on devices of a specifically abused. Exploits of vulnerabilities from other attacks—for instance targeted individual adversary, or in their underlying code can lead from criminals—or infringes on the a group of adversaries. However, to physical safety issues for the devices’ normal functioning, but state and non-state actors should individuals using the device: a also casts the owner/operator as not commandeer civilian devices device working outside of its potentially culpable for damages of the general public (en masse) design parameters could catch fire inflicted on the end target. This is to facilitate or directly execute or create other unsafe conditions, particularly acute for cases where offensive cyber operations, such as unexpectedly unlocked the compromise of the device irrespective of motivation.56 doors, video broadcast from might inadvertently cast the device the interior of a house or cause and its owner/operator as an (medical) equipment to fail. unwitting belligerent in interstate 56 This norm is complementary to the hostilities, and therefore invite previous proposed norm for state and We refer to botnets when software non-state actors to avoid tampering with reprisals or liability. agents are installed, en masse products prior to their release, which and without consent, to use the focuses on supply chain aspects, while this norm addresses already deployed devices’ computational, storage or devices.

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 37 5. NORM FOR STATES TO CREATE A VULNERABILITY EQUITIES PROCESS

GLOBAL COMMISSION 38 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE NORM: States should create procedurally transparent frameworks to assess whether and when to disclose not publicly known vulnerabilities or flaws they are aware of in information systems and technologies. The default presumption should be in favor of disclosure.

BACKGROUND they rely. States therefore often disclosure is broader than any one argue that they must preserve state, in order to promote network at least some select capabilities, resilience while at the same time As the complexity of operating including the use of undisclosed safeguarding national security, it systems, critical software and vulnerabilities, or else extremely would be in the interest of the long- computer hardware grows, they capable malicious actors would go term stability of cyberspace for increasingly contain vulnerabilities. undiscovered and unchecked. every state to have such a process Those vulnerabilities can be in place. Additionally, states exploited by state and non- While states are unlikely to should work towards compatible state actors. States sometimes voluntarily disclose every and predictable processes. The have conflicting interests and vulnerability they discover, there existence of such processes can responsibilities when dealing with has been a recent move by several act as a confidence-building newly discovered vulnerabilities. states away from a presumption measure between states in that On the one hand, they have an that all undisclosed vulnerabilities it provides some assurance that obligation to promote the resilience will be retained, to a presumption in relevant equities and competing and integrity of infrastructure favor of disclosure in the interests interests are fully considered. essential to the stability of of greater systemic cybersecurity. Of course, every state has cyberspace and by helping thwart A key part of this is the creation, differing capabilities and unique malicious cyber activity make the by states, of a publicly described interagency structures, however, entire digital ecosystem safer process for assessing the pros and any effective VEP process should for all users. This would argue cons of disclosure that takes into be designed to take a broad range for a state to quickly disclose account the full range of policy, of perspectives and equities into newly discovered vulnerabilities economic, social and technical account. In addition, though to vendors and manufacturers equities. More specifically, that the actual decisions reached for patching, as well as making process should be procedurally in individual cases may, out of broader public disclosures, where transparent and take into account necessity, remain confidential, appropriate, to protect the public. a full range of views including there should be transparency On the other hand, states have an factors such as: network security on the general procedures and obligation to protect their citizens and resiliency, the security of users framework for reaching such from criminals, to investigate and and their data, law enforcement decisions. Finally, this norm deals prosecute cyber crime offenses, and national security utility, only with the establishment of a and reserve the right to impose and diplomatic and commercial process where disclosure decisions sanctions that act as both a specific implications. The United States are made. If a government or any and a general deterrent to future has recently promulgated a new other entity decides to make a malicious activity. An essential version of such a process and other disclosure, such disclosure should tool to pursue malicious actors, countries are considering creating be made in a responsible manner and particularly sophisticated their own Vulnerability Equities that promotes public safety and actors such as rogue states, is the Process (VEP) policies. Given does not lead to exploitation of exploitation of vulnerabilities in that vulnerability discovery and that vulnerability. the digital infrastructure on which

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 39 6. NORM TO REDUCE AND MITIGATE SIGNIFICANT VULNERABILITIES

GLOBAL COMMISSION 40 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE NORM: Developers and producers of products and services on which the stability of cyberspace depends should (1) prioritize security and stability, (2) take reasonable steps to ensure that their products or services are free from significant vulnerabilities, and (3) take measures to timely mitigate vulnerabilities that are later discovered and to be transparent about their process. All actors have a duty to share information on vulnerabilities in order to help prevent or mitigate malicious cyber activity.

BACKGROUND Moreover, in a hyper-connected products, rather, this proposed and hyper-dependent world, a norm suggests that those involved discovered vulnerability may affect in the development or production Certain IT products and services multiple products and services of such products take “reasonable are essential to the stability of by different producers and in steps” that would reduce the cyberspace due to their use within different environments. Patching frequency and severity of those the core technical infrastructure, one product without disclosing that do occur. such as in core name resolution the underlying vulnerability to or routing, because of their others may protect that product Just as the “no tampering” norm widespread facilitation of the but not protect the stability of addresses intentional insertion of user Internet experience, or cyberspace writ large. Those in vulnerabilities into critical products because of their use within critical the best position to assess the and services, and the hygiene norm infrastructures. Those creating impact of a given vulnerability are ultimately addresses the duties products and services must commit often those who develop, produce, of end users, this proposed norm to a reasonable level of diligence install or operate the products seeks to have those who develop in the designing, developing, and that the vulnerabilities affect. It is or produce critical products delivering of products and services important to share information take reasonable measures to that prioritizes security and in turn that would assist in fixing security ensure that the number and reduces the likelihood, frequency, vulnerabilities or help prevent, scope of critical vulnerabilities exploitability and severity of limit or mitigate an attack.57 are minimized and that they are vulnerabilities. effectively and timely mitigated While it is currently very difficult and, when appropriate, disclosed Due to the increasing complexity to ensure that no vulnerabilities when discovered. The process of software and hardware, exist in newly released or updated used should be transparent to vulnerabilities in those products create a predictable and stable are a fact of life. While those 57 One of the norms for responsible be- environment. vulnerabilities are usually havior of states in the 2015 Report of the unintentional, malicious state and UN GGE (A/70/174) affirms that “States should encourage responsible reporting non-state actors often exploit these of ICT vulnerabilities and share associat- vulnerabilities when discovered in ed information on available remedies to ways that undermine the stability such vulnerabilities to limit and possibly of cyberspace. eliminate potential threats to ICTs and ICT-dependent infrastructure.”

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 41 7. NORM ON BASIC CYBER HYGIENE AS FOUNDATIONAL DEFENSE

GLOBAL COMMISSION 42 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE NORM: States should enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene.

BACKGROUND Indeed, given the extensiveness possible to alert other users to of interconnectivity online, these trouble. Such basic cyber defenses measures constitute a basic duty as outlined in these approaches As Internet connectivity spreads of care that should be required of account for the reality that no around the world pervading all all users. Hygiene regimes should government, organization or aspects of modern life, users incorporate reliable measures collection of users can single- of every kind—individuals, of implementation, provide for handedly alleviate all cyber-related organizations, enterprises, and widespread sharing of technical risks. They also recognize that governments—are growing more information and best practices, users at every level have important and more reliant on technology and be subject to appropriate roles to play in strengthening and access to information oversight. Increasingly smart cybersecurity. available on the Internet. Politics, devices and processes demand economics, public information, smart laws and regulations. In The GCSC believes that education, development and every creating more accountability for fundamental cybersecurity other manner of social interaction this basic duty of cyber care, defense through the widespread depend critically on the Internet governments should not curtail adoption of cyber hygiene and associated technologies. Yet, innovation or alter the basic has become essential to the this modern wonder remains properties of the Internet. responsible use and beneficial broadly unsafe, and no one is growth of the Internet. Security immune to its dangers. Cyber hygiene standards already must be seen as a continuous exist in various forms.58 They have process with responsibilities Consensus has yet to emerge been gaining wider international distributed among all actors on the most effective ways acceptance, as governments with mechanisms in place, such to optimize the promising and enterprises increasingly as automated reporting and technologies of cyberspace while understand the importance of information sharing, to ensure safeguarding the public. Yet, most taking steps demonstrated to appropriate accountability. agree that the benefits of our help prevent and rapidly mitigate digitally connected lives cannot be the dangers of known malware. The Commission also recognizes sustained going forward without Moreover, these standards that many societies around the agreed standards of essential represent best practice, highlight world face considerable challenges security in cyberspace. To this end, the importance of sensible, in the use of information and the Commission strongly endorses regular oversight and underscore communications technologies and the widespread adoption and the importance of automated calls on states to share knowledge verified implementation of information sharing where and offer capacity building to basic cyber hygiene—a regime instantiate processes for the of foundational measures that effective implementation of basic represent prioritized, essential 58 This includes, for example, by the European Telecommunications Stan- cyber hygiene regimes to widen tasks to perform to defend against, dards Institute (ETSI), the not-for-profit the effect of this norm. prevent and rapidly mitigate Center for Internet Security (CIS) and avoidable dangers in cyberspace. the Australian Signals Directorate (ASD), among others.

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 43 8. NORM AGAINST OFFENSIVE CYBER OPERATIONS BY NON-STATE ACTORS

GLOBAL COMMISSION 44 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE NORM: Non-state actors should not engage in offensive cyber operations and state actors should prevent such activities and respond if they occur.

BACKGROUND “active cyber defense,”59 including including for third parties, and but not limited to so-called “hack are thus likely to trigger complex back,” as they are conducted for legal disputes and escalate While information and defensive purposes. conflicts. States explicitly granting communication technologies have or knowingly allowing non-state positively transformed societies, Some states do not control or may actors the authorization to conduct they also pose new security actively ignore these practices, offensive operations, for their own challenges. The speed and ubiquity despite the risk they impose purposes or those of third parties, of cyber operations often poses upon the stability and security of would set a dangerous precedent considerable difficulties to states’ cyberspace. However, in many and risk violating international judicial systems and international states such practices would be law. The Commission believes law enforcement cooperation. unlawful, if not criminalized, that offensive measures should Despite these difficulties, it should while in other states they appear be reserved solely to states and be recalled that state sovereignty is to be neither prohibited nor recalls that international law the cornerstone of the rules-based explicitly authorized. A few states establishes a strict and exclusive international system of peace and are, nevertheless, considering framework for states’ responses security. States have a monopoly legitimizing non-state actors’ to hostile acts that also applies to on the legitimate use of force, offensive cyber operations. cyber operations. Similarly, under strictly bound by international law. Indeed, some have decided or international law, non-state actors Some non-state actors, mainly proposed domestic legislation to acting on behalf of states must be private companies, advocate for allow offensive operations by non- considered their agents and are the right to conduct offensive state actors. therefore considered extensions cyber operations across national of the state.60 borders, potentially claiming that it The GCSC believes that these constitutes a necessary defensive practices undermine the stability If states permit such action, action as states do not have the of cyberspace. They can result in they may therefore be held capacity to adequately protect serious disruption and damages, responsible under international them against cyber threats. law.61 States must act, domestically These non-state actors’ offensive and internationally, to prevent cyber operations are sometimes 59 Active cyber defense should be un- derstood as a set of measures ranging offensive cyber operations by non- euphemistically referred to as from self-defense on the victim’s network state actors. to destructive activity on the attacker’s network. Offensive cyber operations 60 See “additional note” for a wider within this continuum imply for the de- treatment of the case within internation- fender to act outside of its own network al law, available here: https://cybersta- independently of their intention (offense bility.org/wp-content/uploads/2018/11/ or defense) and the legal qualification of Additional-Note-to-the-Norm-Against-Of- their acts. Further work should be con- fensive-Cyber-Operations-by-Non-state- ducted on the definition of offensive -cy Actors-Norm-Package-Singapore.pdf. ber operations and active cyber defense. 61 Id.

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 45 APPENDIX C: HISTORY, GOALS, AND PROCESSES OF THE GCSC

Since its launch at the February 2017 Munich dedicated to international peace and security. Security Conference under the patronage of Dutch Much of the subsequent GCCS declaration drew Minister of Foreign Affairs Bert Koenders, the Global directly on the work of the preparatory meeting, Commission on the Stability of Cyberspace has clearly outlining the need for a multistakeholder been considered one of the first multistakeholder format to discuss international cybersecurity initiatives of its kind to specifically concentrate on issues. Accordingly, HCSS convened a core group the stability of cyberspace. Chaired by Michael of supporters and funders (originally Microsoft, the Chertoff, former United States Secretary of Internet Society, and the Ministry of Foreign Affairs Homeland Security; Latha Reddy, former Deputy of the Netherlands) and developed a strategic National Security Advisor of India; and previously plan. In August 2016, having gained the EastWest by Marina Kaljurand, Member of the European Institute (EWI) as a partner in the Secretariat, HCSS Parliament and former Foreign Minister of convened a meeting of the GCSC Inception Group Estonia, the Commission comprises 28 prominent at Harvard Kennedy School, which drafted the individuals from different geographies as well as main requirements for both the operation of the different backgrounds related to international GCSC, its membership, structure, and goals, as well cybersecurity.62 It is supported by Special Advisors, as its mission statement. a Secretariat, comprised of The Hague Centre for Strategic Studies and the EastWest Institute, a The mission statement reads: Research Advisory Group, as well as a number of partners and sponsors, including the Ministry of The Global Commission on the Stability of Foreign Affairs of the Netherlands and France, the Cyberspace (GCSC) will develop proposals for Cyber Security Agency of Singapore, Microsoft, the norms and policies to enhance international Internet Society, and Afilias. security and stability and guide responsible state and non-state behavior in cyberspace. The The Commission was born from the desire GCSC will engage the full range of stakeholders to continue the work of previous civil society to develop shared understandings, and its commissions, including the Global Commission on work will advance cyberstability by supporting Internet Governance, and to connect to the work research, information exchange, and capacity of the Global Conference on CyberSpace (GCCS). building. In 2015, The Hague Centre for Strategic Studies (HCSS) was asked to organize a preparatory From its start, the GCSC was intended to influence session for The Hague meeting of the GCCS, the international peace and security agenda related to cyberspace, generally referred to as 62 See full list of Commissioners on page 4.

GLOBAL COMMISSION 46 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE “international cybersecurity.” The Inception Group through research and from the wider community. identified a need to solicit diverse views, especially To connect the work of the GCSC to the wider from the Internet governance and technical academic community, the Research Advisory Group communities, into the ongoing international was instigated with a chair and four deputy chairs64 cybersecurity discussions. The goal was to better responsible for managing an email list of over 200 inform the deliberations in the arms control and experts. It was also the basis for a wide-ranging peace and security communities, where much research program, which eventually commissioned of the good work, particularly on norms, was over 20 studies from research institutions and considered hampered by the lack of input and individuals worldwide.65 The bulk of this work was acceptance from these civil society and private presented directly to the Commissioners at the sector actors. The multistakeholder approach was dedicated “CyberStability Hearings.” therefore considered to be a practical rather than an ideological issue. Prior to the publication of this report and the previously issued norms, the Commission The GCSC approached its deliberations in a consistently sought input from a broad range “bottom-up to top-down” manner. Firstly, it of government, civil society, and industry identified operational norms that meet the stakeholders. By staggering the delivery over most obvious urgent international cybersecurity the entire tenure of the Commission it was needs as expressed by its members and which possible to constantly invite outside input and have not been addressed elsewhere. Secondly, comment. Online Requests for Consultations were it extrapolated from these and already existing issued on the GCSC norms and the definition of norms a working definition of cyberstability and its cyberstability. Over 23 submissions were received underlying principles. Thirdly, a stability framework from actors worldwide which went towards was developed for a clearer understanding of what informing the deliberations of the Commissioners. the international peace and security architecture Furthermore, the Commission actively participated needs to do to meet that definition. Lastly, it in more than 70 conferences and events, and developed recommendations addressed to state convened roundtables, side-events, and dedicated and non-state stakeholders on how this could be CyberStability Hearings with a wide range of state accomplished. and non-state stakeholders.

The deliberations of the Commissioners towards Finally, the Commissioners themselves maintained these goals were conducted across geographical active links with their own respective communities. boundaries and across stakeholder groups. From Input and feedback from these groups represented the start, the Commission put the emphasis on the bedrock of interactions with the wider holding its meetings in the margins of relevant community of state and non-state experts and will conferences to facilitate input from a wide range form the basis of the advocacy of the report going of stakeholders.63 It also actively solicited input forward.

63 Official meetings of the Commission were convened at the following events: 2017 Munich Security Conference (Munich, Germany); CyCon (Tallinn, Estonia); BlackHat USA (Las Vegas, USA); Global Conference on CyberSpace (New Delhi, India); 2018 FIC International Cybersecurity Forum (Lille, France); 2018 Munich Security Conference (Munich, Germany – Conferral); GLOBSEC (Bratislava, Slovakia); Israel Cyber Week (Tel Aviv, Isra- el – Conferral); Singapore International Cyber Week (Singapore); Paris Peace Forum & IGF (Paris, France – Conferral); 2019 Unit- ed Nations Institute for Disarmament Research (Geneva, Swit- 64 Covering four topic areas, including international peace zerland); ICANN 64 Community Forum (Kobe, Japan); EuroDIG and security, international law, Internet governance, and tech- (The Hague, Netherlands); GFCE Annual Meeting (Addis Ababa, nology. Ethiopia). 65 See Acknowledgements section.

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 47 ACKNOWLEDGEMENTS

The Global Commission on the Stability of Cyberspace (GCSC) would like to thank the many institutions and individuals who supported, contributed to, and facilitated the work of the Commission including, but not limited to our sponsors, Research Advisory Group, research paper authors and peer reviewers, and support staff. Below are just a few of those who contributed to the success of the Commission.

Secretariat Partners, Sponsors, and Supporters

THE HAGUE CENTRE FOR STRATEGIC The Hague Centre for Strategic Studies, the STUDIES (HCSS) EastWest Institute, and the Commissioners would like to recognize and acknowledge the following Alexander Klimburg, Director, Global organizations for their support: Commission on the Stability of Cyberspace Initiative and Secretariat PARTNERS: Louk Faesen, Project Manager, Global Commission on the Stability of Cyberspace • Ministry of Foreign Affairs of the Secretariat Netherlands, Timo Koster and Elliot Mayhew, Project Assistant, Global Dimitri Vogelaar Commission on the Stability of Cyberspace • Microsoft, Jan Neutze and Kaja Ciglic Secretariat • Cyber Security Agency of Singapore, David Koh and Sithuraj Ponraj With additional support from: Timon Domela • Internet Society (ISOC) Nieuwenhuis Nyegaard, Koen van den Dool, • Ministry of Foreign Affairs of France, Niels Renssen, and Kaja Karlson. Henry Verdier and David Martinon • Afilias, Ram Mohan and Philipp Grabensee EASTWEST INSTITUTE (EWI) SPONSORS: Bruce W. McConnell, Co-Director, Global Commission on the Stability of Cyberspace • Federal Department of Foreign Affairs of Secretariat Switzerland Anneleen Roggeman, Project Manager, Global • GLOBSEC Commission on the Stability of Cyberspace • Ministry of Foreign Affairs of Estonia Secretariat • Ministry of Internal Affairs and Communications of Japan With additional support from: Abagail Lawson, Dragan Stojanovski, and Conrad Jarzebowski.

GLOBAL COMMISSION 48 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE SUPPORTERS: GCSC ISSUE BRIEF 1 (NOVEMBER 2017)

• African Union Commission Alex Grigsby, Formerly of the Council on Foreign • Black Hat USA Relations (CFR) • DEF CON Deborah Housen-Couriel, Konfidas Digital Ltd. • European Union Delegation to the UN in Joanna Kulesza, University of Lodz and Rolf H. Geneva Weber, University of Zürich • Global Forum on Cyber Expertise Oluwafemi Osho, Joseph A. Ojeniyi, and • Google Shafi’i M. Abdulhamid, Federal University of • Municipality of The Hague Technology, Minna • Packet Clearing House Analía Aspis, University of Buenos Aires • Tel Aviv University Robert Morgus, Formerly of New America, Max • United Nations Institute for Disarmament Smeets, Formerly of the Center for International Security and Cooperation, Stanford University, These organizations and institutions are committed and Trey Herr, Harvard Kennedy School to advancing the debate and putting forward Arun Mohan Sukumar, Madhulika Srikumar, creative solutions to some of the most pressing and Bedavyasa Mohanty, Observer Research challenges facing the stability of cyberspace. Foundation (ORF)

Researchers GCSC ISSUE BRIEF 2 (MAY 2018)

The Commission would like to thank the members Shen Yi, Jiang Tianjiao, and Wang Lei, Research of its Research Advisory Group, a group of over Center for the Governance of Cyberspace, Fudan 200 online members that connected the GCSC to University the wider academic community. In particular, we Elana Broitman, Mailyn Fidler, and Robert would like to thank the researchers who were Morgus, Formerly of New America commissioned to write briefings and memos to Elonnai Hickok and Arindrajit Basu, Centre for inform the deliberations of the Commissioners. Internet and Society Thomas Uren, Bart Hogeveen, and Fergus Hanson, Australian Strategic Policy Institute (ASPI) Dragan Mladenović and Vladimir Radunović, DiploFoundation Thomas Reinhold, Institute for Peace Research and Security Policy, University of Hamburg

GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE NOVEMBER 2019 49 Consultations

The Commission would like to thank the following Brett van Niekerk and Trishana Ramluckan, individuals and organizations for submitting University of KwaZulu-Natal extensive comments in response to the Request Peter Swire, Justin Hemmings, and Sreenidhi for Consultations on the Singapore Norm Package Srinivasan, Georgia Tech Scheller College of (from 17 December 2018 until 17 January 2019) Business and the Definition of Stability of Cyberspace (from Johan de Wit, Siemens/TU Delft 14 August 2019 until 6 September 2019): Finally, the Commission would like to thank the Hussein Abul-Enein, Access Partnership following experts, whose work and expertise have Kayode Akanni, DesignIT guided and informed the deliberations of the Jonathan D. Aronson, University of Southern Commission: California (USC) Aviram Atzaba, Israel National Cyber Directorate Dennis Broeders, Leiden University Arindrajit Basu, Gurshabad Grover, Elonnai Deborah Brown and Verónica Ferrari, Hickok, and Karan Saini, Center for Internet & Association for Progressive Communications Society Michael Daniel, Cyber Threat Alliance Vytautas Butrimas, NATO Energy Security Centre François Delerue, Institut de Recherche of Excellence Stratégique de l’École Militaire – IRSEM Cybersecurity Tech Accord Akhil Deo and Arun Mohan Sukumar, Observer Michael Daniel, Cyber Threat Alliance Research Foundation (ORF) Global Partners Digital Martha Finnemore, George Washington Arvind Gupta and Dickey Kumar, Vivekananda University International Foundation Aude Géry, University of Rouen Tara Hairston and Anastasiya Kazakova, Duncan Hollis, Temple Law School Kaspersky Joanna Kulesza, University of Lodz Sven Herpig, Stiftung Neue Verantwortung Peter Rowland, Packet Clearing House Drew Mitnick, Access Now Michael Schmitt, Exeter Law School George M. Moore, James Martin Center for Nonproliferation Studies

GLOBAL COMMISSION 50 GLOBAL COMMISSION ON THE STABILITY OF CYBERSPACE ON THE STABILITY OF CYBERSPACE Patra Kongsirimongkolchai / EyeEm / Getty Images SECRETARIAT SPONSORS Federal Department of Foreign Affairs of Switzerland GLOBSEC Ministry of Foreign Affairs of Estonia Ministry of Internal Affairs and Communications of Japan PARTNERS SUPPORTERS African Union Commission Black Hat USA DEF CON European Union Delegation to the UN in Geneva Global Forum on Cyber Expertise Google Municipality of The Hague Packet Clearing House Tel Aviv University United Nations Institute for Disarmament Research