Global Commission on the Stability of Cyberspace

The Global Commission on the Stability of Cyberspace was a multistakeholder Internet governance organization, dedicated to the creation of diplomatic norms of governmental non-aggression in cyberspace. It operated for three years, from 2017 through 2019, and produced the diplomatic norm for which it was chartered and seven others.

Origins

Together with the Global Forum on Cyber Expertise, the GCSC was a product of the 2015-2017 Dutch chairmanship of the London Process, and particularly the work of Wouter Jurgens who, as head of the cyber security department of the Dutch Ministry of Foreign Affairs, had responsibility for organizing the 4th Global Conference on CyberSpace ministerial, which was held in The Hague April 16–17 of 2015, and formalizing its outcomes. Jurgens had been working for several years on the topic of governmental non-aggression in cyberspace, in collaboration with Uri Rosenthal, Bill Woodcock, Olaf Kolkman, James Lewis, and others who would subsequently become GCSC commissioners.
The GCSC was launched by Dutch Foreign Minister Bert Koenders at the 53rd Munich Security Conference, on February 18, 2017, with a three-year charter, and issued its final report at the Paris Peace Forum, on November 13, 2019.

Published norms

Norm to Protect the Public Core of the Internet

The Norm to Protect the Public Core is the GCSC's principal product, and has been included or referenced in many subsequent legislative and diplomatic work. It was included in the European Union's Cybersecurity Act, which extends the mandate of the European Union Agency for Cybersecurity to include the protection of the public core. The Paris Call for Trust and Security in Cyberspace included a call for compliance with the Public Core norm. The United Nations cites the Public Core norm in the 2019 report of the Secretary General and the report of the Secretary General’s High-level Panel on Digital Cooperation, ''The Age of Digital Interdependence.''

Other publications

In addition to the Norm to Protect the Public Core and the seven subsequent norms, the GCSC has published several other documents.

Definition of the Public Core, to which the Norm Applies

Early in the process of defining the Norm to Protect the Public Core the effort was divided into two working groups, one, principally diplomatic, to specify what actions should be precluded; the other, involving subject-matter experts, to specify which infrastructures were deemed most worthy of protection. This latter working group specified a survey of cybersecurity experts, delegated implementation of the survey to Packet Clearing House, and integrated its results to form the Definition of the Public Core, to which the Norm Applies. This definition of the "public core of the Internet" to include packet routing and forwarding, naming and numbering systems, the cryptographic mechanisms of security and identity, and physical transmission media, with more-specific details attending to each, has since been used by the OECD and others as a standardized description of the principal elements of Internet critical infrastructure.

Statement on the Interpretation of the Norm on Non-Interference with the Public Core

On September 22, 2021, the GCSC released a three-page statement responding, in large part, to Russia's submission to the ITU Council Working Group on International Internet-related Public Policy Issues, Risk Analysis of the Existing Internet Governance and Operational Model. The statement reiterates the GCSC's findings that state actors are the primary threat to Internet stability, not private actors; that the GCSC believes that the multistakeholder model of Internet governance is key to maintaining Internet stability, and that the Internet's critical infrastructure is principally operated by the private sector.

Derivative work

In addition to the norms the commission published, several other organizations were created and efforts undertaken as byproducts of the commission's work.

CyberPeace Institute

One of the most notable derivative outcomes of the GCSC's work was the formation of the CyberPeace Institute, headed by GCSC commissioner Marietje Schaake and Europol veteran Stéphane Duguin. This independent, non governmental organization has the mission to highlight the human aspect of cyberattacks. It works in close collaboration with relevant partners to reduce the harms from cyberattacks on people’s lives worldwide. The Institute builds on the GCSC's work by monitoring compliance with its norms and coordinating cyber-attack forensic and analytic efforts that broaden public understanding of norm violations.

Critical infrastructure assessment

As input to the Definition of the Public Core, a global survey of Internet infrastructure security experts was conducted in 2017 by Packet Clearing House, headed by GCSC commissioner Bill Woodcock.

Participants

Commissioners

Marina Kaljurand
Latha Reddy
Michael Chertoff
Motohiro Tsuchiya
Joseph Nye
Christopher Painter
Ilya Sachkov
Jeff Moss
Khoo Boon Hui
Anriette Esterhuysen
Xiadong Lee
Abdul-Hakeem Ajijola
Virgilio Almeida
Marietje Schaake
Bill Woodcock
Wolfgang Kleinwächter
Scott Charney
Elina Noor
Isaac Ben-Israel
Jonathan Zittrain
Nigel Inkster
Jane Holl Lute
Samir Saran
Olaf Kolkman

Former commissioners

William Saito
Wolff Heintschel von Heinegg
Sigrid Kaag
Hugo Zylerberg

Research Advisory Group

Sean Kanuck
Liis Vihul
Marilia Maciel
Hugo Zylberberg
Koichiro Komiyama

Secretariat

Bruce McConnell
Alexander Klimburg