GCSC proposes rules to guide states towards responsible cyber behaviour

The proposed norms are similar to a cyber version of the Geneva Convention

The Global Commission on the Stability of Cyberspace (GCSC), a group established to develop policies to keep the internet stable and secure, has released a final report outlining a set of proposals that, it believes, can help in promoting "the peaceful use of cyberspace," and safeguarding online activity against attacks by state and non-state actors.

The GCSC - which exists because its founders believe the internet is essential, but lacks safeguards - says the internet being increasingly targeted by state and non-state actors, threatening the stability of cyberspace.

The organisation is now working to promote understanding and awareness among various communities on issues related to global cyber-security.

In order to ensure the peaceful use of cyberspace, GCSC has proposed eight norms, which it says are fundamental to cyber stability. These are similar to international rules in conventional wafare, which forbid the killing of civilians.

  1. Non-interference with the public core of the internet. The Commission defines "the public core of the Internet" as critical elements of the internet's infrastructure, such as packet routing and forwarding systems, the cryptographic mechanisms of security and identity, and data centres. The GCSC suggests that state and non-state actors should neither conduct nor allow activity that damages the general availability of this public core.
  2. State and non-state actors must not pursue or allow cyber activities that intend to damage the technical infrastructure essential to elections, plebiscites or referenda.
  3. State and non-state actors should neither conduct nor allow activities that tamper with goods and services in development or production, if doing so has the potential to substantially harm the stability of cyberspace.
  4. State and non-state actors should not commandeer the public's ICT (resources for use as botnets, or for similar purposes.
  5. States should create procedurally transparent frameworks to assess whether and when to disclose not publicly known vulnerabilities or flaws in information systems and technologies.
  6. Developers and producers of goods and services on which the stability of cyberspace depends should prioritise security and ensure that their products are free from vulnerabilities. They should also be transparent about those security flaws and take appropriate and timely measures to mitigate malicious cyber activity.
  7. States should enact laws and regulations to ensure basic cyber hygiene.
  8. Non-state actors should not engage in offensive cyber activities, and state actors should prevent such operations if they occur.

"The GCSC has introduced universal norms that seek to address individual risks to the stability of cyberspace," Marina Kaljurand, chair of the Organisation and former Estonian ambassador to the United States, said.

"We trust that decision makers within the government, private sector and civil society recognise that these norms will help guide how we as a global society define cyber stability."

"The interdependent nature of cyberspace demands established 'rules of the road' the global community can agree on-this effort is an important step in that direction."

The GCSC comprises 27 Commissioners representing a range of geographic regions, as well as government, technical, civil society and industry stakeholders.