Cyberstability Update – December 2018
The Global Commission on the Stability of Cyberspace announced the release of its new Norm Package on Thursday November 8, 2018, featuring six new global norms to help promote the peaceful use of cyberspace. The norms were developed with the express purpose of being adopted by public and private sector actors towards creating an architecture to improve international security and stability in cyberspace.
On Monday December 17, the GCSC announced a Request for Consultation on the Norm Package Singapore. This public comment procedure seeks to solicit comments and obtain additional feedback on the proposed norms of the Norm Package.
Once public comments have been received, the GCSC Consultation team (consisting of the GCSC Secretariat and Chairs of the Research Advisory Group) will collect and present the received comments to the GCSC Commissioners at the next GCSC meeting in Geneva at the end of January 2019.
In line with the expected GCSC work program, an “Expanded Request for Consultation” will be launched in Q3 2019. This will most likely take into account all norms currently drafted, as well as the future work of the Commission on a definition of and principles for cyber stability.
This Cyberstability Update is an overview of all articles included in our Weekly Newsletters for the month.
The GCSC In The News
The article by Allison Peters was published on the Lawfare blog, 18th December 2018
Last month, more than 50 countries and over 200 major corporations and organizations came together to agree that the international nature of cyber threats needs a cooperative global response and a common set of principles as a basis for security. This conclusion seems obvious—millions of people have been affected by malicious activity perpetrated through the internet—and yet consensus has proved difficult to obtain until now. Commitments reflect much of the consensus already built on behavior in cyberspace by groups including the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security and the Global Commission on the Stability of Cyberspace.
The article by Vladimir Radunovic was published by DiploFoundation, 19th December 2018
At the opening of the annual UN Internet Governance Forum (IGF), held 12–14 November 2018 at UNESCO in Paris, French President Emmanuel Macron launched the Paris Call for Trust and Security in Cyberspace, a high-level declaration laying out common principles for securing cyberspace. Stepping back to survey the growing cybersecurity table, there is a veritable ‘meze’ platter of initiatives and forums cluttering its surface: the UN-based GGE and now, possibly, a new open-ended group; the Global Commission on the Stability of Cyberspace (GCSC); the Geneva Dialogue on Responsible Behaviour in Cyberspace; the Global Forum on Cyber Expertise (GFCE); and more. While some of these elements individually pair well with others and some do not, presented together and consumed in balanced moderation, they represent a satisfying meal.
The article by Kelly Jackson Higgins was published in Dark Reading, 5th December 2018
Black Hat Europe 2018, London. As nation-state cyberattacks continue to evolve into more complex and disruptive campaigns, the pressure is on for countries to set specific cybernorms and support one another in the attribution of nation-state hacks, according to Marina Kaljurand, chair of the Global Commission on the Stability of Cyberspace (GCSC) and Member of the UN Secretary General’s High Level Panel on Digital Cooperation.
The article by Catherine Chapman was published in The Daily Swig, 5th December 2018
Marina Kaljurand, current chair of the Global Commission of the Stability of Cyberspace, was the Estonian ambassador to Russia at the time her country’s critical infrastructure was hit by the politically motivated offensive. “I had two tasks,” Kaljurand said, in her keynote address to attendees at this year’s Black Hat Europe conference in London. “I had to learn in 15 minutes what DDoS meant in order to start explaining it to others, which I managed, and my second task was to find ways of cooperation with Russia – that, I failed.” “Cyber-attacks have become the new normality, and they are global and massive in their scale,” she said. “Cyber does not have borders and that’s why, if you want to be efficient, you have to cooperate with others.”
In an age where hybrid tactics such as disinformation and cyber-attacks are increasingly deployed, the limitations of conventional military power have become evident. The paper includes different perspectives from a range of authors including: Giles Portman, Head of the East Stratcom Task Force at the European External Action Service, Antonio Missiroli, NATO Assistant Secretary General, Emerging Security Challenges, and Marina Kaljurand, Chair of the Global Commission on the Stability of Cyberspace. Marina Kaljurand’s article is on “The Need for International Norms to Help Govern Conduct in Cyberspace.”
The report by IISS was published on their website, 6th December 2018
Global approaches to the vulnerabilities equity process – GCHQ, the United Kingdom’s signals intelligence agency, released details about how the department assesses the software vulnerabilities it finds in order to determine whether it should exploit them or disclose them to vendors so that they can be patched. In November 2017, the US government made public the contours of its own policies around vulnerabilities, which is known as the vulnerabilities equity process (VEP).
The Global Commission on the Stability of Cyberspace (in which IISS experts Sean Kanuck and Nigel Inkster participate) has proposed a norm for VEP: ‘States should create procedurally transparent frameworks to assess whether and when to disclose not publicly known vulnerabilities or flaws they are aware of in information systems and technologies. The default presumption should be in favour of disclosure.’
The Chatham House event was held in London on 5th December, 2018
While attribution remains a sovereign political decision and should be established in accordance with international law, there is a clear consensus between like-minded states that malicious cyber activities need to be brought to light, coupled with other tailored measures, which would alter the perpetrating state’s risk-calculation.
On the cyber diplomacy level, the French president has recently launched the Paris Call for Trust and Security in Cyberspace. It has been supported by 370 states, companies and civil society entities so far. The Global Commission on the Stability of Cyberspace (GCSC) has also recently released its cyber Norm Package which aims at promoting stability in cyberspace and building peace and prosperity. GCSC Commissioner Christopher Painter speaks at this event alongside Carmen Gonsalves, the Head of International Cyber Policy at the Ministry of Foreign Affairs of the Netherlands.
The article by Arthur P.B. Laudrain was published by Lawfare, 4th December 2018
French President Emmanuel Macron delivered a charged speech [on Nov. 11] denouncing nationalism and urging all leaders to pursue peace through multilateralism. On November 12th 2018 at the Internet Governance Forum, Macron unveiled France’s first international initiative to that end, the “Paris Call for Trust and Security in Cyberspace.”
A key theme of the document is the importance of protecting individuals and critical infrastructure from harm. The document presses to safeguard the “public core of the Internet” from hostile actors. This is a clear demonstration of support for a package of norms unveiled by the Global Commission for the Stability of Cyberspace on Nov. 8 in Singapore.
The article by Doris Leuthard was published by the World Economic Forum, 6th December 2018
Digitalization transforms, pervades and affects all aspects of our social, economic and political lives. These impacts span a wide range of issues, which through digitalization become increasingly interconnected and interdependent. However, at the global level, these issues are addressed by institutions that were founded in the 19th and 20th centuries, and which are often incapable of ensuring effective cooperation between the relevant international actors. In fact, the need to strengthen cooperation has been identified in different ways in recent years. From a general point of view, we have witnessed various initiatives, including in the field of cybersecurity, the Global Commission on Stability of Cyberspace (GCSC).
The article by Paul Meyer was published on the ICT for Peace Foundation website, 3rd December 2018
Paul Meyer, Senior Advisor of the Foundation, prepared his analysis of the most recent developments at the United Nations and elsewhere regarding the development and promotion of norms of responsible state behaviour in Cyberspace. He analyses the recent process at the UN (UN GGE, Open-ended Working Group), new instruments such as the Paris Call, Digital Peace Initiative, Digital Geneva Convention, and the recent norms proposal by the Global Commission on the Stability of Cyberspace.
The article by Commissioner Joseph S. Nye was published on Project Syndicate, 5th December 2018
Experience from European elections suggests that investigative journalism and alerting the public in advance can help inoculate voters against disinformation campaigns. But the battle with fake news is likely to remain a cat-and-mouse game between its purveyors and the companies whose platforms they exploit.
The article by Andrijana Gavrilovic was published by DiploFoundation, 11th December 2018
An abundance of new cybersecurity declarations and resolutions, calls for ethical considerations in artificial intelligence (AI) systems development, and new rulings regarding the gig economy were among the main digital policy developments in November 2018. The Global Commission on Stability of Cyberspace (GCSC) has come up with six new proposed norms for state and non-state behaviour, the so-called ‘Singapore package’. The norms focus on tampering with products, vulnerability disclosure and responsibility, botnets, cyber-hygiene, and conduct of offensive cyber operations by non-state actors.
The speech by Executive Director Brett Solomon was published on the Access Now website, 10th December 2018
The speech was addressed to the United Nations on the 70th Anniversary of the Universal Declaration of Human Rights. “Technology is not only upending long-held rules which have, at least nominally, protected our rights, but it is also introducing new risks which are threatening to replicate, and even exacerbate, more traditional and longstanding risks to our human rights. Our challenge is to identify and solidify the norms, the laws, the regulations, and the innovation that can protect our human rights. We must and can deliver on the promise of emerging norms identified in the Paris Call, the Contract for the Web, and the Global Commission on the Stability of Cyberspace.”
Russia’s invasion of Ukraine in 2014 marked a sharp break with the past: the post–Cold War interlude, a time when peace and democracy spread across the globe, was over, and a new, more aggressive era had begun. Since then, Western governments have had to relearn the forgotten art of deterring attacks and protecting their countries’ borders. They have failed to see, however, that the attacks can also be aimed at their democratic institutions. Liberal democracy may remain the world’s preferred model of governance, but it is under debilitating pressure from threats both internal and external.
In 170 days, Europeans will go to the polls, but the right to freely choose their representatives is under threat. With election after election facing hacking and manipulation, no-one should be naive about what is at stake in Europe. Stress-tests are an established EU method to spot potential systemic weaknesses in anything from nuclear power facilities to banks. The stress-tests could measure the security and resilience of election infrastructures and technologies.
The article by Kieren McCarthy was published in The Register, 11th December 2018
If ever there was doubt that 2018 is the year of fear, it was confirmed by a panel discussion involving the two men that are credited with inventing the internet and the world wide web. Co-inventor of the internet protocols TCP/IP Vint Cerf and inventor of the web Sir Tim Berners-Lee have spent the past 20 years talking in pragmatic but highly optimistic tones about the global networks they helped give birth to. At the Our People-Centered Digital Future conference in San Jose, USA, the tone was very different.
The article by Pukhraj Singh was published in The Tribune India, 3rd December 2018
The disinformation campaign garnered lakhs of social media impressions. It could very well be the most systematic attempt at domestic foreign interference via cyberspace, meeting the thresholds of cyber-enabled information warfare. If left undeterred, such insidious campaigns could sway a decisive chunk of the populace in the 2019 Indian General Election. Alexander Klimburg defines this confrontation as a “slow, hardly measurable, and yet steady reinterpretation of information as a weapon.” Disinformation must be dealt with impartially and apolitically else the situation may worsen even more, leading to domestic collateral damage.
International Cyber Affairs
The article by Samantha Dickinson was published in Lingua Synaptica, 6th December 2018
Delegates who were in Dubai for the recent ITU Plenipotentiary Conference 2018 may remember the Chair of the Ad Hoc Group on Resolution 130 (about cybersecurity) regularly reporting on how many pages his group had succeeded in deleting from the original 56-page consolidated draft containing all proposed changes to the resolution. Member States engaged in long hours, including nights, weekends, and almost through to the dawn of the final day of the conference, to slowly work their way through the 18,063 words in the initial consolidated draft of proposals. 13 versions of the Ad Hoc Group’s draft resolution were to follow the first version.
The article by Dominik P. Jankowski was published in World Politics Review, 19th December 2018
As NATO’s relations with Russia seem to be hitting a post-Cold War low, numerous experts argue that the West is already in a state of conflict with Moscow in three domains: intelligence, information warfare and cyber. In particular, Russia’s increasingly hostile actions in the cyber domain have lent new urgency to the debate over cybersecurity in the West, including within NATO.
The article by Leonie Tanczer, Irina Brass and Madeline Carr was published in Global Policy, 29th November 2018
Ongoing efforts by state actors to collaborate on addressing the challenges of global cybersecurity have been slow to yield results. Technical expert communities such as Computer Security and Incident Response Teams (CSIRTs) have played a fundamental role in maintaining the Internet’s functional structure through transnational collaboration. Responsible for security incident management and located in diverse constituencies, these coordination centres engage in joint responses and solve day‐to‐day cybersecurity problems through diverse national, regional and international networks. This article argues that CSIRTs form an epistemic community that engages in science diplomacy, at times navigating geopolitical tensions in a way that political actors are not able to. Through interviews with CSIRT representatives, we explain how their collaborative actions, rooted in shared technical knowledge, norms and best practices, contribute to the advancement of international cooperation on cybersecurity.
The article by Dustin Volz, Kate O’Keefe and Bob Davis was published in The Wall Street Journal, 20th December 2018
The Trump administration exerted further pressure Thursday on Beijing, unsealing criminal charges against two Chinese citizens allegedly tied to a state-sponsored campaign to steal sensitive information from businesses and several U.S. government agencies, including the Navy. The charges come amid a broader push by the U.S. to deter cyberattacks and technology theft, and to reset trade relations with the world’s second largest economy on more favorable terms, through tariffs, sanctions, indictments and investment restrictions. See the U.S. Department of Justice press release and the indictment.
The article by Sean Lyngaas was published in Cyber Scoop, 5th December 2018
Companies that view cybersecurity as a competitive advantage and fail to exchange threat data make the broader private sector more vulnerable to hacking, a Department of Homeland Security official has warned. If a good product or company fails because of a breach that could have been thwarted by sharing threat information, “there’s something that we’ve all lost,” Willke said at the Public Sector Innovation Summit.
Threats to U.S. national security continue to evolve with technological, economic, and social changes. Federal agencies identified 26 long-term threats within 4 categories: 1) Adversaries’ Political and Military Advancements—e.g., China’s increasing ability to match the U.S. military’s strength. 2) Dual-Use Technologies—e.g., self-driving cars might be developed for private use, but militaries can use them too. 3) Weapons—advances in weapons technology, e.g., cyberweapons. 4) Events and Demographic Changes—e.g., infectious disease outbreaks.
The article by Suzanne Spaulding and Mieke Eoyang was published by Defense360, a project of the Center for Strategic and International Studies, 13th December 2018
A lack of cybersecurity can have serious consequences – the theft of money or data, an interruption of operations or essential services, or even the compromise of weapons systems or destruction of critical infrastructure. It’s no wonder that people are desperately on the hunt for policy solutions to improve the security of systems on which we rely. And while some ideas are better than others, one truly bad idea is to create a Department of Cybersecurity—a hugely disruptive bureaucratic solution that not only fails to solve problems but adds new ones.
The analysis was published by the European Union Agency for Network and Information Security (ENISA), 19th December 2018
The present document provides a series of recommendations for the priorities in the EU for R&D in the domain of ICT security made after analysis of a wide series of interviews with domain experts. The proposed research priorities have the aim to make Europe “a global leader in cybersecurity by 2025, in order to ensure the trust, confidence and protection of our citizens, consumers and enterprises online and to enable a free and law-governed internet”, as stated at the Tallinn Digital Summit in September 2017.
The article by David E. Sanger and Steven Erlanger was published in The New York Times, 18th December 2018
Hackers infiltrated the European Union’s diplomatic communications network for years, downloading thousands of cables that reveal concerns about an unpredictable Trump administration and struggles to deal with Russia and China and the risk that Iran would revive its nuclear program. The techniques that the hackers deployed over a three-year period resembled those long used by an elite unit of China’s People’s Liberation Army. The cables were copied from the secure network and posted to an open internet site that the hackers set up in the course of their attack, according to Area 1, the firm that discovered the breach.
The post by the Internet Society was published on their website, December 2018
The Internet Society teamed up with NetBlocks to develop a platform to quickly and accurately estimate the cost of Internet shutdowns, mobile data blackouts and social media restrictions. The Cost of Shutdown Tool (COST) is a data-driven online policy instrument that can quickly estimate the economic impact of Internet shutdowns and online restrictions. It is built upon established research papers published by the Brookings Institution for global coverage and a specialised model by CIPESA for sub-Saharan Africa, taking into account indirect economic factors and informal economies that play a major role in the region. Economic indicators are integrated from open data sources including the World Bank, ITU and Eurostat.
The article by Sean McDonald and An Xiao Mina was published in Foreign Policy, 19th December 2018
The global internet continues to fragment. Governments, in particular, are using their influence to shape the ways that digital companies, markets, and rights connect us online. This new form of realpolitik, which we call “digitalpolitik,” is an emerging tactical playbook for how governments use their political, regulatory, military, and commercial powers to project influence in global, digital markets.
The article by Justin Sherman and Robert Morgus was published on the Council on Foreign Relations blog, 5th December 2018
Chinese telecom giant ZTE is exporting surveillance technology to Venezuela, according to a recent Reuters investigation. Venezuelan officials allegedly visited Shenzhen, the Chinese technology hub, to learn about the country’s national identity card technology. It’s an insidious tool for population control, and its export—along with the export of other digital surveillance systems—is lending to the diffusion of an increasingly consolidated authoritarian model for internet governance and control. This ZTE incident is the most recent in a long line.
Impacts of Cybersecurity Incidents
The article by Robert Stines was published on the TechLawX blog, updated 13th December 2018
On June 27, 2017, a major global cyber attack harmed several companies. The cyber weapon of choice was malware dubbed NotPetya. NotPetya was a variation of ransomware called Petya that was first discovered in 2016. Companies such as FedEx and Merck reported that NotPetya disrupted their operations and earnings. Among the companies infected was Mondelez International Inc. Zurich American Insurance Company sold an insurance policy to Mondelez that provided coverage for loss or expenses incurred by Mondelez during the period of business interruption directly resulting from the failure of Mondelez’s electronic data processing equipment or media.