The Paris Peace Forum (PPF), established by the French president Emanual Macron, was picked by the Global Commission for Stability in Cyberspace (GCSC) to launch its final report “Advancing Cyberstability” for good reasons: The Internet isn’t just a purely technical issue with some political implications anymore. On the eve of the 2020s, the management of cyberspace is a global problem, a matter of international security, a question of war or peace.

The GCSC was formally launched at the Munich Security Conference in February 2017. The Commission, a multistakeholder group of 28 individuals from around the world and co-chaired by former politicians—as Marina Kaljurand, Ex-Foreign Minister of Estonia, Latha Reddy, former deputy national security adviser to the Indian Primeminister and Michael Chertoff, Secretary of Homeland Security under US President George W. Bush—concluded its work after 30 months with a clear message to acting politicians and the whole Internet community: The world needs a global framework for cyber stability.

Instability in cyberspace is not only as dangerous as climate change, but it can also undermine international security and peace. Stef Blok, Minister of Foreign Affairs of the Netherlands, said at the launch: “Since stability in cyberspace is directly linked with stability in the ‘real world,’ such a cyber stability framework is more crucial than ever. The next step in this multilateral process is to collect evidence and hold those who break the rules responsible. Together we must increase accountability and combine all pieces of the puzzle between governments, tech and security firms, and civil society.”

The work of the Commission originated out of a desire to address rising social and political instability as a result of malicious actions in cyberspace. The situation has further deteriorated, as evident by the rise in the number and sophistication of cyberattacks by state and non-state actors, increasingly putting considerable benefits of cyberspace at risk. In this increasingly volatile environment, there is an apparent lack of mutual understanding and awareness among communities working on issues related to international cybersecurity.

The fact that more than 30 countries have developed offensive cyber capabilities indicates that the world is moving into troubled waters if nothing is happening.

“Cyberstability and governance are inextricably and naturally linked,” said Michael Chertoff, GCSC Co-Chair. “As the digital age evolves so rapidly, governments and societies lack the desired level of exchange, let alone the decision-making processes needed to ensure the stability of cyberspace. The GCSC’s effort complements the work of other organizations, and will serve to influence how critical actors can engage with one another and collaborate towards a stable cyberspace.” Emphasizing a concerted, multistakeholder approach, the framework reflects technological, product and operational measures, as well as a focus on the behavioral change required among all stakeholders.

The backbone of the proposed “Cyberstability Framework” is a set of eight individual norms. Those norms are based on the 11 norms adopted by the so-called Group of Governmental Experts (UNGGE) in 2015—but they go one step further. They are aimed not only at states but also at non-state actors. And they are more specific if it comes to details concerning the stability of the Internet itself.

Protect the Public Internet Core

The GGE agreed in 2015 on a norm to protect critical infrastructure. The commission has this specified and proposed a norm to protect the public core of the Internet. The proposed norm reads as follows: “State and non-state actors should neither conduct nor knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace.” In the eyes of the Commission, the “public Internet core” includes such critical elements of the Internet infrastructure as packet routing and forwarding, naming and numbering systems (the DNS), the cryptographic mechanisms of security and identity, transmission media, software, and data centers.

The mysterious Sea-Turtle attack from Januar 2019 can be seen as a wake-up call to look deeper into the new threats, risks, and vulnerabilities coming with advanced capabilities from actors with bad intentions.

There should be a global consensus that an attack against the technical core elements of the Internet infrastructure in an interconnected world, is very dangerous behavior and should be outlawed by all parties. The whole mankind is now so dependent on the Internet that an attack against the core elements of the Internet should be seen not only as a cybercrime but a crime against humanity.

This norm has a lot of potential for further elaboration and could be the starting point for drafting a new type of international agreement, fixing rights and responsibilities not only for states but also for non-state actors. The New-Mundial Declaration (2014) and the Paris Call for Trust and Security in Cyberspace (2018) have already demonstrated, that documents with commitments both for state and non-state actors can be successfully negotiated. Such an approach would not undermine existing international law. On the contrary, it would strengthen it and help in understanding that the international treaty system in the 21st century is more and more embedded into a multistakeholder environment. And it would recognize that cyberspace in the “age of digital interdependence” (as it was put by the UN High-Level panel on digital cooperation) is too complex to be managed by governments alone, even if they are united in good will, which is—unfortunately—not the case. To reach sustainable international arrangements, it needs the involvement of the private sector, civil society and the technical community.

Cyber hygiene and Reducing Vulnerabilities

Another norm, proposed by the commission, is “Cyberhygeine.” We all know that the highest risk factor in cyberspace is the uninformed and lazy end-user. And we have now more than four billion end-users in cyberspace, many of them uninformed and lazy. The security risk can be minimized dramatically if everybody understands its individual responsibility and if the developer, producer and provider of services have security as its first priority.

One can compare here the situation with the public health sector. It is certainly true that governments have a special responsibility to adopt rules for hygiene and to control hospitals and food production. However, if individuals do not wash their hands and ignore simple rules of daily hygiene, and if hospitals do not follow the hygiene guidelines, the risk for an epidemic is high if a virus is underway. The proposed norm reads: “States should enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene.”

Linked to this is another norm which aims at non-state actors: “Developers and producers of products and services on which the stability of cyberspace depends should (1) prioritize security and stability, (2) take reasonable steps to ensure that their products or services are free from significant vulnerabilities, and (3) take measures to timely mitigate vulnerabilities that are later discovered and to be transparent about their process. All actors have a duty to share information on vulnerabilities in order to help prevent or mitigate malicious cyber activity.”

Two norms relate to duties for State and non-state actors “not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites” and “not tamper with products and services in development and production, nor allow them to be tampered with, if doing so may substantially impair the stability of cyberspace.”

The three other norms are related to botnets, dealing with vulnerabilities and offensive cyber operations: “Non-state actors should not engage in offensive cyber operations and state actors should prevent such activities and respond if they occur.”

Moving Forward

The Commission has proposed its Cyberstability Framework not only as “food for thought” for further discussions, but also as an input into ongoing intergovernmental or multistakeholder negotiations. The norm to protect the public core of the Internet, put out for public comment in already in September 2018, has meanwhile made its way into recognized international instruments as the legally binding EU Cybersecurity Act (May 2019) or the multistakeholder “Paris Call for Trust and Security in Cyberspace” (November 2018). As said above, the norm to protect the public core could be the starting point for the development of a new international cybersecurity architecture, which could include a mix of different instruments: from multistakeholder commitments to legally binding treaties.

Looking ahead, there are numerous opportunities where the ideas and the proposed language of the Global Commission could be used as a source of inspiration: At the forthcoming UN Internet Governance Forum (IGF) in Berlin (November 25-29, 2019) cybersecurity is a priority issue. The Multistakeholder Intersessional Meeting on Cybersecurity in New York (December 2-4, 2019) or the Munich Security Conference (February 13-16, 2020) are other opportunities.

There are two new intergovernmental negotiation platforms under the first Committee of the United Nations General Assembly—the Open-Ended Working Group (OEWG) and the Group of Governmental Experts (GGE)—which could make use of the GCSC´s ideas. And the implementation of the proposal, made by the UN High-Level Panel on Digital Cooperation, to use the 75th anniversary of the United Nations, October 24, 2020, to adopt something like a “UN Declaration for Cyber peace and Digital Cooperation” will certainly benefit from the commission´s report.

At the eve of the 2020s, time is ripe for a “New Deal” in Cyberspace, based on the existing building blocks which have emerged in the last 20 years as the WSIS Tunis Agenda (2005), the NetMundial Declaration (2014), the GGE Principles (2015), the Paris and Christchurch Calls (2018) and others. But in the “age of cyber-interdependence,” one has to move to the next level. The 2020s will be a decade where cyber and digital will be a first priority issue on the world’s political agenda. What is needed is a holistic approach that takes into consideration the multidisciplinary nature of the digital age, where security, economic, human rights, and technology issues are interlinked. We have to move forward into the next generation of Internet Governance (NextGenIG). In 2025 there will be the review conference on the UN World Summit on the Information Society (WSIS+20). And in 2030, we have to check how we have implemented the UN Sustainable Developments Goals (SDGs).