There was one message which overshadowed all discussions at the 5th Global Conference on Cyber Space (GCCS) in New Delhi in November 2017: Instability in cyberspace is as dangerous as climate change. With four billion Internet users and five trillion dollars annually in digital transactions, instability in cyberspace has the potential to ruin the world.

GCCS is a high-level ministerial meeting with broad multistakeholder participation. The conference was initiated by the former British Foreign Secretary William Hague during the Munich Security Conference (MSC) in February 2011 and became known as the “London Process.” The London meeting was followed by conferences in Budapest (2012), Seoul (2013) and The Hague (2015). An outcome of the process is, inter alia, the establishment of the Global Forum on Cyber-expertise (GFCE) which presented its first report in New Delhi.

Disagreement among Governments

The GFCE collects best practices how cybersecurity can be promoted. The reality is that numerous governments preach cybersecurity, but practice policies, which undermine it. There is broad agreement that security and stability in cyberspace is an issue of first priority on the world’s policy agenda. However, there is an even broader disagreement on what to do. In the absence of an intergovernmental agreement, states have entered into a cyber arms race without any clue about the unintended side-effects of their activities. This is dangerous. Is there any hope to stop the swinging pendulum?

Cybersecurity has been on the agenda of UN negotiations for more than a decade. One effort, which was seen by many groups as a right step into the right direction to reduce the risks of cyber-confrontation, was the formation of a so-called “UN Group of Governmental Experts” (UNGGE). The small group, operating under the 1st Committee of the UN General Assembly, produced in 2013 and 2015 two consensus reports, which introduced a number of confidence-building measures in cyberspace (CBMCs) and recognized that international law and the UN Charter are relevant both offline and online.

But in 2017, when the 5th UNGGE tried to go one step further by digging deeper, the time of consensus was over. The group was unable to agree on how international law has to be applied in cyberspace, what a cyberwar is, whether a cyberattack constitutes an act of aggression (which would trigger Article 51 of the UN Charta, that is the right to self-defense) and how the question of attribution could be answered.

The issues are complicated, no doubt. But the intergovernmental disagreement emerged not as a result of the complexity of the issues. It was the absence of the political will to agree.

In New Delhi, five members of the 5th UNGGE were sitting on one panel, but they spoke different languages. Nobody said that the failure of the 5th GGE is the end of the story. Cybersecurity remains on the table of global diplomacy, and the issue will not go away in the years ahead of us. However, there is no plan how to revitalize the broken process. Mutual mistrust and hidden agendas are blocking sofar any effort to find the way towards the reset button.

Should there be a 6th UNGGE or a body with all 193 UN member states? Should there be a new process independent from the UN (like the one on climate change)? Would it be helpful to include—on a consultative or collaborative basis—non-governmental stakeholders? Would it be more successful to re-start “small” with regional arrangements in Europe (via the OSCE), Asia (via ASEAN) and the Americas (via OAS)?

Thinking out of the Box

The gap between the inability to do anything and the need to do something is growing. To rescue the situation, one has to bring new steam to the process and to think out of the box.

When the Dutch government, after the GCCS in The Hague in April 2015, started to investigate the usefulness of the creation of an independent commission to look into the broader options to strengthen cyber-stability, it got a broad positive response. After a short preparatory phase, the Dutch foreign minister Bert Koenders used the Munich Security Conference (MSC) in February 2017 to announce the establishment of a new “Gobal Commission on Stability in Cyberspace” (GCSC), chaired by the former foreign minister of Estonia, Marina Kaljarund, with a mandate to support policy and norms coherence related to the security and stability in and of cyberspace.

The formation of independent commissions to investigate options how to deal with burning policy issues is not new in the recent history of global diplomacy. In the 1970s the Palme Commission and the Brandt Commission, chaired by former prime ministers from Sweden and Germany, paved the way for disarmament agreements in the 1980s and the formulation the Millenium Development Goals in the 1990s. In the 1980s, UNESCO’s McBride Commission and ITUs Maitland Commission, chaired by two former ministers from Ireland and the United Kingdom, helped to open our eyes to understand better the role of media and communication technology in the information age. In 2002 the Cardozo Commission, chaired by the former Brazilian president, recommended to include civil society in global policymaking, opening the door for what we call today “the multistakeholder approach.”

Even in the Internet world, full of experts of every color, the formation of “Independent Commissions” was useful. The Ilves Commission, chaired by the former President of Estonia, recommended in 2014 the completion of the IANA transition to strengthen ICANN as a truly independent global steward of the critical Internet resources as domain names, IP addresses, Internet protocols and root servers. And it was the Bildt Commission, chaired by the former Swedish prime minister, who told the world in 2016, that the only way, to avoid a worst-case scenario for the future of the Internet is an engagement into multistakeholder governance processes and mechanisms.

With this background, the expectations for the Kaljarund-Commission are high. Will it be able to contribute to global arrangements, which keep the Internet free, open and secure?

First Step: Protecting the Core of the Internet

The commission has 27 individual commissioners, most of them former ministers, CEOs, board members, retired professors and technical experts representing all stakeholder groups from all parts of the world (see a full list of Commissioners here.

It is a unique pool of knowledge, experience, and wisdom. With such an expertise, the outcome of the deliberations of the commission, which acts in an open environment, closely linked to the community by having meetings back to back to big Internet community meetings around the globe, supported by a research team and a governmental advisory network, the GCSC has the potential, to become a trusted source of inspiration for global Internet policy making in the 2020s.

In its mission statement, the GCSC has stated: “We have reached the end of a 25 year period of strategic stability and relative peace among major powers. Conflict between states will take new forms, and cyber-activities are likely to play a leading role in this newly volatile environment, thereby increasing the risk of undermining the peaceful use of cyberspace to facilitate the economic growth and the expansion of individual freedoms. In order to counter these developments, the GCSC will develop proposals for norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace. The GCSC will engage the full range of stakeholders to develop shared understandings, and its work will advance cyber stability by supporting information exchange and capacity building, basic research, and advocacy.

The commission is supported by a secretariat formed by the Hague Center for Strategic Studies and the East-West Institute, directed by Alexander Klimburg with Bruce McConnell as co-chair.

So far the Commission had meetings in Tallin (June 2017 back to back to CyCon), Las Vegas (July 2017 back to back to Black Hat) and New Delhi (November 2017 back to back to GCCS). It has started an independent research program based on open calls for proposals. First research papers were discussed during the recent New Delhi meeting.

In New Delhi, the GCSC Commissioners issued a “Call to Protect the Public Core of the Internet.” The declaration urges state and non-state actors to avoid activity that would intentionally and substantially damage the general availability or integrity of the “public core” of the Internet. The Commission believes that the stability of cyberspace is essential for the good of humanity now and into the future.

“In an ideal state, every citizen in the world should be free to enjoy, with confidence and peace of mind, the positive impacts of cyberspace,” commented Marina Kaljurand, GCSC Chair. “Unfortunately, we are not there, yet. Significant cyber incidents are on the increase, and mitigation will require diligent action from all stakeholders, including especially governments and the private sector. This document underscores collaboration, restraint, and protection of the public core, all of which will pave the way for greater security and stability in cyberspace.” Incidents such as those affecting the Internet domain name system, forging a widely used software validation certificate, and corrupting certificate authorities provide examples of the potential disruptions that could generate widespread consequences for Internet users around the world.

During the forthcoming 12th Internet Governance Forum (IGF) in Geneva, December 17, 2017, the GCSC will have a Public Hearing where the proposed norm will be discussed with the broader Internet community.

At its next meeting, scheduled for January 2018 in Lille (France), the commission will also discuss, how cybersecurity issues are interlinked with the issue of digital trade and human rights and whether a more holistic approach is needed to find specific solutions for the myriad of complex issues in the borderless Internet Governance ecosystem.

Do not boil the Water, build Bridges

One should not forget, that the Internet is just a neutral enabling technology. It can enable the implementation of the UN Sustainable Development Goals (SDGs) until 2030. But it can also enable a cyberwar with lethal autonomous weapon systems (LAWS) which could pull humankind into a doomsday scenario. It is dangerous to boil the troubled water. There is a need to build bridges.

It is never too late to move from the banks of confrontation to the banks of collaboration. The Commission has a mandate for three years. Its final report with recommendations is expected for spring 2020. A lot of today’s controversies will be probably “water under the bridge.” But the key question is what happens in those three years on the bridge. How the global intergovernmental and multistakeholder wrestling on the “bridge over troubled water” will be played out? Will we move forward towards a world with one free, open and secure Internet in stable cyber-spaces, or will we walk back into a fragmented Internet with unstable cyber-places?

Three years is not such a long time. A new decade, the 2020s, always offers an opportunity for a new beginning. To avoid to be blamed to have missed opportunities, one has to start thinking out of the box now.