Whilst cyberspace has provided great social and economic benefits, it also poses significant challenges for international security and stability.
The Global Commission on the Stability of Cyberspace (GCSC) has developed proposals for norms and policies to guide responsible state and non-state behaviour in cyberspace, enhancing international security and stability.
A key aim of this work is for these norms to influence the international community, shaping both the behaviour of public and private institutions and the decisions of national leaders, and establishing globally acknowledged boundaries between acceptable and unacceptable behaviours in cyberspace.
Norm to avoid tampering
“State and non-state actors should not tamper with products and services in development and production, nor allow them to be tampered with, if doing so may substantially impair the stability of cyberspace.”
Many key infrastructures rely on a stable and secure internet, such that its disruption has potentially severe consequences.
Tampering with key components in software and hardware IT products may compromise the security of the general public in their use of the Internet, thereby weakening the overall trust in its proper function.
Cyber attacks can occur through tampering with IT products before they are even released to market, through inserting a vulnerability or secretly removing a security feature during the design and manufacturing phase or during one of its updates. The vulnerability can later be activated for malicious use.
It is important to note that this norm refers to tampering with a product or service which puts the stability of cyberspace at risk. This norm would not prohibit targeted state action that poses little risk to the overall stability of cyberspace; for example, the targeted interception and tampering of a limited number of end-user devices in order to facilitate a criminal investigation.
Norm against commandeering of ICT devices into botnets
“State and non-state actors should not commandeer others’ ICT resources for use as botnets or for similar purposes.”
While the previous norm deals with the tampering with IT products prior to their release, this norm looks at tampering with already deployed devices.
With the rapid growth of internet-connected devices, malicious actors can exploit vulnerabilities in their underlying code to gain access to a device. The term botnet refers to a network of compromised computers that can be used to perform malicious cyber activities.
The exploitation of consumer devices and their use as botnets increasingly undermines trust and destabilises society. Furthermore, a potentially uninvolved “third party” device, and its owner/operator, can be made party to a malicious cyber activity without their knowledge.
The Commission recognises that there are cases — for instance for law enforcement purposes — in which authorised state actors may find it necessary to install software agents on devices of a specifically targeted individual adversary, or a group of adversaries. However, state and non-state actors should not commandeer civilian devices of the general public (en masse) to facilitate or directly execute offensive cyber operations, irrespective of motivation.
Norm for states to create a vulnerability equities process
“States should create procedurally transparent frameworks to assess whether and when to disclose not publicly known vulnerabilities or flaws they are aware of in information systems and technologies. The default presumption should be in favor of disclosure.”
Vulnerabilities in operating systems, software and hardware can be exploited by malicious state and non-state actors. Conversely, these vulnerabilities can also be exploited by states in order to catch malicious cyber actors.
This creates a conflict of interest for states in determining whether or not to disclose a vulnerability to relevant corporations and to the public. While states have an obligation to ensure the stability of infrastructure essential to the security of cyberspace, they also have an obligation to protect their citizens from criminals, to investigate and prosecute cybercrime offences.
The existence of transparent processes can act as a confidence-building measure between states in that it provides some assurance that relevant competing interests are fully considered in determining whether or not a vulnerability should be disclosed.
Norm to reduce and mitigate significant vulnerabilities
“Developers and producers of products and services on which the stability of cyberspace depends should prioritize security and stability, take reasonable steps to ensure that their products or services are free from significant vulnerabilities, take measures to timely mitigate vulnerabilities that are later discovered and to be transparent about their process. All actors have a duty to share information on vulnerabilities in order to help prevent or mitigate malicious cyber activity.”
IT products and services are critical to the stability of cyberspace, facilitating the use of the internet and critical infrastructures such as power generation.
While it is very difficult to ensure that no vulnerabilities exist in newly released or updated products, this proposed norm suggests that those involved in the development or production of such products take “reasonable steps” that would reduce the frequency and severity of those that do occur. Where appropriate, these vulnerabilities should also be disclosed upon discovery to help protect the overall stability of cyberspace.
Norm on basic cyber hygiene as foundational defence
“States should enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene.”
While increasing internet access around the world has brought significant benefits, it has also resulted in increased instances of cybercrime. In order to ensure that the benefits of our digital lives outweigh the negatives into the future, it will be important to have agreed standards of essential security in cyberspace.
The GCSC defines basic cyber hygiene as “a regime of foundational measures that represent prioritized, essential tasks to perform to defend against, prevent and rapidly mitigate avoidable dangers in cyberspace.”
This norm calls on states to share knowledge and offer capacity building to instantiate processes for the effective implementation of basic cyber hygiene regimes.
Norm against offensive cyber operations by non-state actors
“Non-state actors should not engage in offensive cyber operations and state actors should prevent and respond to such activities if they occur.”
Some non-state actors, mainly private companies, advocate for the right to conduct offensive cyber operations across national borders, potentially claiming that it constitutes “self-defence” as states do not have the capacity to adequately protect them against cyber threats.
Some states are unable to control, or choose to ignore these practices. The GCSC posits that states allowing non-state actors to conduct offensive operations are setting a dangerous precedent, and would breach in breach of international law in most cases. The Commission believes that offensive measures should be reserved solely to states.