Norm

State and non-state actors should neither conduct nor knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace.

Background

Defining the public core of the Internet is challenging as many different types of attacks may ultimately impair the general availability or integrity of the Internet writ-large (the outcome to be avoided). That said, there are clearly certain components that one would target if looking to have such a broad impact and it is at least possible to provide a non-exhaustive list of such critical elements. At the highest level, the Commission defines the phrase “general availability” to mean that the actor’s conduct has a substantial impact on the general population. Therefore, this norm recognizes that those states who support this norm may still engage in activities that are more limited in purpose and scope and have no substantial impact on the general population.

The Commission defines the phrase “the public core of the Internet” to include such critical elements of the infrastructure of the Internet as packet routing and forwarding, naming and numbering systems, the cryptographic mechanisms of security and identity, transmission media, software, and data centers.

Packet routing and forwarding elements include, but are not limited to, (1) the equipment, facilities, information, protocols, and systems that facilitate the transmission of packetized communications from their sources to their destinations; (2) Internet Exchange Points (the physical sites where Internet bandwidth is produced); (3) the peering and core routers of major networks which transport that bandwidth to users; (4) systems needed to assure routing authenticity and defend the network from abusive behavior; (5) the design, production, and supply-chain of equipment used for the above purposes; and (6) the integrity of the routing protocols themselves and their development, standardization, and maintenance processes.

Naming and numbering systems include, but are not limited to, (1) systems and information used in the operation of the Internet’s Domain Name System (including registries, name servers, zone content, infrastructure and processes such as DNSSEC used to cryptographically sign records); (2) the WHOIS information services for the root zone, inverse-address hierarchy, country-code, geographic, and internationalized top-level domains and for new generic and non-military generic top-level domains; (3) frequently used public recursive DNS resolvers; (4) the systems of the Internet Assigned Numbers Authority and the Regional Internet Registries which make available and maintain the unique allocation of Internet Protocol addresses, Autonomous System Numbers, and Internet Protocol Identifiers; and (5) the naming and numbering protocols themselves and the integrity of the standardization processes and outcomes for protocol development and maintenance.

The cryptographic mechanisms of security and identity include, but are not limited to, (1) the cryptographic keys which are used to authenticate users and devices and secure Internet transactions; (2) the equipment, facilities, information, protocols, and systems that enable the production, communication, use, and deprecation of those keys; (3) PGP keyservers, Certificate Authorities and their Public Key Infrastructure; (4) DANE and its supporting protocols and infrastructure; (5) certificate revocation mechanisms and transparency logs; (6) password managers; (7) roaming access authenticators; (8) mechanisms of accurate time and establishment of temporal precedence, such as the Network Time Protocol and its infrastructure; (9) the integrity of the standardization processes and outcomes for cryptographic algorithm and protocol development and maintenance; and (10) the design, production, and supply-chain of equipment used to implement cryptographic processes.

Transmission media includes, but are not limited to (1) infrastructure, systems and installations for communications serving the public, whether fiber, copper, or wireless; (2) terrestrial and undersea cables and the landing stations, datacenters, and other physical facilities which support them; (3) cellular and other wireless voice and data communications; (4) regulated and unregulated broadcast communications; (5) the support systems for transmission, signal regeneration, branching, multiplexing, and signal-to-noise discrimination; and (6) cable systems that serve regions or populations, but not those that serve the customers of individual companies.

Software includes but is not limited to the availability and integrity of the development processes, source code and patch-distribution infrastructure of software used in the core of the Internet and by large portions of the Internet-using public.

Datacenters include but are not limited to (1) the physical facilities which house servers, content, and Internet infrastructure; (2) the system used to ensure datacenter safety, security, physical access control, operations, management, maintenance, and redundancy systems; and (3) communications systems used to send communications to, from and within data centers.

Experts believe that far more categories of Internet and ICT-enabled infrastructure are deserving of protection, so this definition may be broadened in the future.

Norm

State and non-state actors must not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites.

Background

Of all the rules, precepts and principles that guide the conduct of states in the comity of nations, the norm of non-interference is perhaps held most sacred. Article 2(4) of the United Nations Charter articulates this norm and elevates it as a principle of legal, and thus, binding character:

All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.

Through this provision, the framers of the Charter acknowledged that the gravest threats to the principle of non-intervention came from coercive measures directed at a state’s physical or political autonomy, as, indeed, both are essential to state sovereignty. The territory controlled by a state may be a manifestation of its sovereign capacity, but it is worthless without the enjoyment of political agency and independence. Moreover, nothing reflects genuine political independence more than national participatory processes, such as elections, conducted freely and fairly. The UN Charter sought to grant strong protections against undue external interference. Those protective measures have now come to be challenged again in the digital age.

Experts have debated whether the type of cyber-related election interference recently seen amounts to an unlawful violation of sovereignty (because it interferes with the exercise of an inherently governmental function) or an unlawful intervention. [1] Whether or not a violation of international law has occurred, however, there is the clear possibility that malicious actors—acting alone, collectively, or on behalf of states—will manipulate elections through digital means. With national participatory processes becoming more complex in scale and sophistication, there has been a burgeoning of data, institutions and infrastructure to manage them. Many countries today publish their electoral rolls—a basic, traditional guarantee against voting manipulation or fraud—online, exposing such databases to cyber attacks and exploitation. Similarly, electoral voting instruments are used in far flung and remote areas of a country, where its operators are not fully abreast of the risks and concerns associated with their digital manipulation. Voting software suppliers and computer systems at the local or “booth” levels remain susceptible to such intrusions as well.

Seized of the growing number and intensity of threats to participative processes, and recognizing that such attacks are unacceptable, the GCSC recommends stronger national measures and effective international cooperation to prevent, mitigate and respond to cyber intrusions against the technical electoral infrastructure. The Commission acknowledges that the actual conduct of elections or participatory processes at the regional, local or federal level is firmly the remit of states, to be carried out in accordance with their respective national laws. Nevertheless, the cyber attacks on their electoral infrastructure may originate from outside the borders, necessitating multilateral cooperation resolution. As more countries opt to digitize their election machinery, the risks and vulnerabilities associated with such infrastructure increase manifold, as does the prospect of a major, offensive cyber operation. Thus, governments must commit to refraining from engaging in cyber operations against the technical electoral infrastructure of another state. In recommending this norm, the Commission merely affirms that election interference is intolerable whether it is considered to be a violation of international law or not.

[1] See Michael N. Schmitt, “’Virtual’ Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law,” Chicago Journal of International Law, Vol. 19, No. 1, and Nicholas Tsagourias, “Electoral Cyber Interference, Self-Determination and the Principle of Non-Intervention in Cyberspace,” https://www.ejiltalk.org/electoral-cyber-interference-self-determination-and-the-principle-of-non-intervention-in-cyberspace/.

Norm

State and non-state actors should not tamper with products and services in development and production, nor allow them to be tampered with, if doing so may substantially impair the stability of cyberspace.

Background

In a norm focused on “Non-Interference with the public core of the Internet,” the GCSC called upon state and non-state actors not to intentionally and substantially damage the general availability or integrity of the public core of the Internet. In support of this norm, the Commission noted the increasing dependence of other infrastructures on a stable and secure Internet and the potential dramatic consequences of its disruption. While the public core norm focused on the “core of the Internet,” individuals and organizations rely heavily upon certain commercial products to reach that public core and leverage the connectivity it provides. As a result, tampering with key components in software and hardware IT products (including, but not limited to, operating systems, Industrial Control Systems, switches, routers and other critical networking equipment, critical cryptographic products and standards, microchip design and widely used end-user consumer applications) may similarly deprive society of the ability to use and leverage the Internet safely and securely, and weaken overall the trust in its proper function. While such attacks are often in the news, what receives less attention is the fact that an attack can occur even before a product or its update reaches the market. For example, a product can be attacked by inserting a vulnerability—or secretly removing a security feature—during the design and manufacturing phase or during one of its updates. Put another way, a product can be tampered with prior to its release or production, with consequences for the public at large. The time between inserting a vulnerability, and activating the vulnerability for malicious use, can vary.

States have conflicting interests and responsibilities when dealing with information technology products. On the one hand, they have an obligation to promote the resilience and integrity of the cyber infrastructure to help thwart future cyber attacks by malicious actors and make the entire digital ecosystem safer. On the other hand, states have an obligation to their citizens to protect national security and combat criminals and other malicious actors in cyberspace. The exploitation of vulnerabilities in digital products and services used by adversaries has been leveraged by states to achieve their national security and public safety mission. Thus, to the extent that states consider exploiting vulnerabilities to be an effective approach to fulfilling their responsibilities, they may also find it helpful to intentionally introduce weaknesses or back doors into products and services used by adversaries. Non-state actors may in turn tamper with products and services as well, as their objectives may be aided by their ability to disrupt the stability of cyberspace. It is important to note that the norm prohibits tampering with a product or service line, which puts the stability of cyberspace at risk. This norm would not prohibit targeted state action that poses little risk to the overall stability of cyberspace; for example, the targeted interception and tampering of a limited number of end-user devices in order to facilitate military espionage or criminal investigations. This type of activity, unless it occurs within the basic infrastructure of the public core itself, or critically weakens user trust in the Internet globally, is unlikely to weaken the overall trust in cyberspace that is a condition of cyberstability. Although a non-state actor may also target systems in a limited way, such activity might violate existing criminal and civil laws.

While state and non-state actors should not affirmatively tamper with products in development or production, those in industry also have a responsibility to prevent such activities. Therefore, those creating products and services must commit to a reasonable level of diligence in the designing, developing and delivering of products and services that prioritizes security and in turn reduces the likelihood, frequency, exploitability and severity of vulnerabilities. Those concerned must also reject any apparent state or non-state efforts to compromise products and services, as well as adopt practices that reduce the risk of tampering and permit them to respond if tampering is discovered.

Norm

State and non-state actors should not commandeer the general public’s ICT resources for use as botnets or for similar purposes.

Background

Internet-connected devices are becoming integral to people’s lives globally. We are surrounded by devices with a multiplicity of computational, networking, sensing and actuating capabilities. Thermostats, televisions, medical devices, alarm clocks and automobiles have computing, storage and network capacity that can be appropriated and abused. Exploits of vulnerabilities in their underlying code can lead to physical safety issues for the individuals using the device: a device working outside of its design parameters could catch fire or create other unsafe conditions, such as unexpectedly unlocked doors, video broadcast from the interior of a house or cause (medical) equipment to fail.

We refer to botnets when software agents are installed, en masse and without consent, to use the devices’ computational, storage or network resources. Those botnets can then be used to exercise direct effects on a different targeted system that can include impacting the end-targets’ data confidentiality, availability and integrity. Therefore, a potentially uninvolved “third party” device, and its owner/operator, are made party to a malicious cyber activity without their knowledge. The compromise of devices to install malicious software agents not only weakens the defense of the device from other attacks—for instance from criminals—or infringes on the devices’ normal functioning, but also casts the owner/operator as potentially culpable for damages inflicted on the end target. This is particularly acute for cases where the compromise of the device might inadvertently cast the device and its owner/operator as an unwitting belligerent in interstate hostilities, and therefore invite reprisals or liability.

As we become increasingly reliant on technology in our personal environment, and more and more connected devices enter the market, the exploitation of consumer devices and their use as botnets increasingly undermines trust and destabilizes society. The Commission recognizes that there are cases—for instance for law enforcement purposes—in which authorized state actors may find it necessary to install software agents on devices of a specifically targeted individual adversary, or a group of adversaries. However, state and non-state actors should not commandeer civilian devices of the general public (en masse) to facilitate or directly execute offensive cyber operations, irrespective of motivation. [1]

[1] This norm is complementary to the previous proposed norm for state and non-state actors to avoid tampering with products prior to their release, which focuses on supply chain aspects, while this norm addresses already deployed devices.

Norm

States should create procedurally transparent frameworks to assess whether and when to disclose not publicly known vulnerabilities or flaws they are aware of in information systems and technologies. The default presumption should be in favor of disclosure.

Background

As the complexity of operating systems, critical software and computer hardware grows, they increasingly contain vulnerabilities. Those vulnerabilities can be exploited by state and non-state actors. States sometimes have conflicting interests and responsibilities when dealing with newly discovered vulnerabilities. On the one hand, they have an obligation to promote the resilience and integrity of infrastructure essential to the stability of cyberspace and by helping thwart malicious cyber activity make the entire digital ecosystem safer for all users. This would argue for a state to quickly disclose newly discovered vulnerabilities to vendors and manufacturers for patching, as well as making broader public disclosures, where appropriate, to protect the public. On the other hand, states have an obligation to protect their citizens from criminals, to investigate and prosecute cyber crime offenses, and reserve the right to impose sanctions that act as both a specific and a general deterrent to future malicious activity. An essential tool to pursue malicious actors, and particularly sophisticated actors such as rogue states, is the exploitation of vulnerabilities in the digital infrastructure on which they rely. States therefore often argue that they must preserve at least some select capabilities, including the use of undisclosed vulnerabilities, or else extremely capable malicious actors would go undiscovered and unchecked.

While states are unlikely to voluntarily disclose every vulnerability they discover, there has been a recent move by several states away from a presumption that all undisclosed vulnerabilities will be retained, to a presumption in favor of disclosure in the interests of greater systemic cybersecurity. A key part of this is the creation, by states, of a publicly described process for assessing the pros and cons of disclosure that takes into account the full range of policy, economic, social and technical equities. More specifically, that process should be procedurally transparent and take into account a full range of views including factors such as: network security and resiliency, the security of users and their data, law enforcement and national security utility, and diplomatic and commercial implications. The United States has recently promulgated a new version of such a process and other countries are considering creating their own Vulnerability Equities Process (VEP) policies. Given that vulnerability discovery and disclosure is broader than any one state, in order to promote network resilience while at the same time safeguarding national security, it would be in the interest of the long-term stability of cyberspace for every state to have such a process in place. Additionally, states should work towards compatible and predictable processes. The existence of such processes can act as a confidence-building measure between states in that it provides some assurance that relevant equities and competing interests are fully considered. Of course, every state has differing capabilities and unique interagency structures, however, any effective VEP process should be designed to take a broad range of perspectives and equities into account. In addition, though the actual decisions reached in individual cases may, out of necessity, remain confidential, there should be transparency on the general procedures and framework for reaching such decisions. Finally, this norm deals only with the establishment of a process where disclosure decisions are made. If a government or any other entity decides to make a disclosure, such disclosure should be made in a responsible manner that promotes public safety and does not lead to exploitation of that vulnerability.

Norm

Developers and producers of products and services on which the stability of cyberspace depends should (1) prioritize security and stability, (2) take reasonable steps to ensure that their products or services are free from significant vulnerabilities, and (3) take measures to timely mitigate vulnerabilities that are later discovered and to be transparent about their process. All actors have a duty to share information on vulnerabilities in order to help prevent or mitigate malicious cyber activity.

Background

Certain IT products and services are essential to the stability of cyberspace due to their use within the core technical infrastructure, such as in core name resolution or routing, because of their widespread facilitation of the user Internet experience, or because of their use within critical infrastructures. Those creating products and services must commit to a reasonable level of diligence in the designing, developing, and delivering of products and services that prioritizes security and in turn reduces the likelihood, frequency, exploitability and severity of vulnerabilities.

Due to the increasing complexity of software and hardware, vulnerabilities in those products are a fact of life. While those vulnerabilities are usually unintentional, malicious state and non-state actors often exploit these vulnerabilities when discovered in ways that undermine the stability of cyberspace.

Moreover, in a hyper-connected and hyper-dependent world, a discovered vulnerability may affect multiple products and services by different producers and in different environments. Patching one product without disclosing the underlying vulnerability to others may protect that product but not protect the stability of cyberspace writ large. Those in the best position to assess the impact of a given vulnerability are often those who develop, produce, install or operate the products that the vulnerabilities affect. It is important to share information that would assist in fixing security vulnerabilities or help prevent, limit or mitigate an attack. [1]

While it is currently very difficult to ensure that no vulnerabilities exist in newly released or updated products, rather, this proposed norm suggests that those involved in the development or production of such products take “reasonable steps” that would reduce the frequency and severity of those that do occur.

Just as the “no tampering” norm addresses intentional insertion of vulnerabilities into critical products and services, and the hygiene norm ultimately addresses the duties of end users, this proposed norm seeks to have those who develop or produce critical products take reasonable measures to ensure that the number and scope of critical vulnerabilities are minimized and that they are effectively and timely mitigated and, when appropriate, disclosed when discovered. The process used should be transparent to create a predictable and stable environment.

[1] One of the norms for responsible behavior of states in the 2015 Report of the UN GGE (A/70/174) affirms that “States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure.”

Norm

States should enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene.

Background

As Internet connectivity spreads around the world pervading all aspects of modern life, users of every kind—individuals, organizations, enterprises, and governments—are growing more and more reliant on technology and access to information available on the Internet. Politics, economics, public information, education, development and every other manner of social interaction depend critically on the Internet and associated technologies. Yet, this modern wonder remains broadly unsafe, and no one is immune to its dangers.

Consensus has yet to emerge on the most effective ways to optimize the promising technologies of cyberspace while safeguarding the public. Yet, most agree that the benefits of our digitally connected lives cannot be sustained going forward without agreed standards of essential security in cyberspace. To this end, the Commission strongly endorses the widespread adoption and verified implementation of basic cyber hygiene—a regime of foundational measures that represent prioritized, essential tasks to perform to defend against, prevent and rapidly mitigate avoidable dangers in cyberspace. Indeed, given the extensiveness of interconnectivity online, these measures constitute a basic duty of care that should be required of all users. Hygiene regimes should incorporate reliable measures of implementation, provide for widespread sharing of technical information and best practices, and be subject to appropriate oversight. Increasingly smart devices and processes demand smart laws and regulations. In creating more accountability for this basic duty of cyber care, governments should not curtail innovation or alter the basic properties of the Internet.

Cyber hygiene standards already exist in various forms. [1] They have been gaining wider international acceptance, as governments and enterprises increasingly understand the importance of taking steps demonstrated to help prevent and rapidly mitigate the dangers of known malware. Moreover, these standards represent best practice, highlight the importance of sensible, regular oversight and underscore the importance of automated information sharing where possible to alert other users to trouble. Such basic cyber defenses as outlined in these approaches account for the reality that no government, organization or collection of users can single-handedly alleviate all cyber-related risks. They also recognize that users at every level have important roles to play in strengthening cybersecurity.

The GCSC believes that fundamental cybersecurity defense through the widespread adoption of cyber hygiene has become essential to the responsible use and beneficial growth of the Internet. Security must be seen as a continuous process with responsibilities distributed among all actors with mechanisms in place, such as automated reporting and information sharing, to ensure appropriate accountability.

The Commission also recognizes that many societies around the world face considerable challenges in the use of information and communications technologies and calls on states to share knowledge and offer capacity building to instantiate processes for the effective implementation of basic cyber hygiene regimes to widen the effect of this norm.

[1] This includes, for example, by the European Telecommunications Standards Institute (ETSI), the not-for-profit Center for Internet Security (CIS) and the Australian Signals Directorate (ASD), among others.

Norm

Non-state actors should not engage in offensive cyber operations and state actors should prevent such activities and respond if they occur.

Background

While information and communication technologies have positively transformed societies, they also pose new security challenges. The speed and ubiquity of cyber operations often poses considerable difficulties to states’ judicial systems and international law enforcement cooperation. Despite these difficulties, it should be recalled that state sovereignty is the cornerstone of the rules-based international system of peace and security. States have a monopoly on the legitimate use of force, strictly bound by international law. Some non-state actors, mainly private companies, advocate for the right to conduct offensive cyber operations across national borders, potentially claiming that it constitutes a necessary defensive action as states do not have the capacity to adequately protect them against cyber threats. These non-state actors’ offensive cyber operations are sometimes euphemistically referred to as “active cyber defense,” [1] including but not limited to so-called “hack back,” as they are conducted for defensive purposes.

Some states do not control or may actively ignore these practices, despite the risk they impose upon the stability and security of cyberspace. However, in many states such practices would be unlawful, if not criminalized, while in other states they appear to be neither prohibited nor explicitly authorized. A few states are, nevertheless, considering legitimizing non-state actors’ offensive cyber operations. Indeed, some have decided or proposed domestic legislation to allow offensive operations by non-state actors.

The GCSC believes that these practices undermine the stability of cyberspace. They can result in serious disruption and damages, including for third parties, and are thus likely to trigger complex legal disputes and escalate conflicts. States explicitly granting or knowingly allowing non-state actors the authorization to conduct offensive operations, for their own purposes or those of third parties, would set a dangerous precedent and risk violating international law. The Commission believes that offensive measures should be reserved solely to states and recalls that international law establishes a strict and exclusive framework for states’ responses to hostile acts that also applies to cyber operations. Similarly, under international law, non-state actors acting on behalf of states must be considered their agents and are therefore considered extensions of the state. [2]

If states permit such action, they may therefore be held responsible under international law. [3] States must act, domestically and internationally, to prevent offensive cyber operations by non-state actors.

[1] Active cyber defense should be understood as a set of measures ranging from self-defense on the victim’s network to destructive activity on the attacker’s network. Offensive cyber operations within this continuum imply for the defender to act outside of its own network independently of their intention (offense or defense) and the legal qualification of their acts. Further work should be conducted on the definition of offensive cyber operations and active cyber defense.

[2] See “additional note” for a wider treatment of the case within international law, available here: https://cyberstability.org/wp-content/uploads/2018/11/Additional-Note-to-the-Norm-Against-Offensive-Cyber-Operations-by-Non-state-Actors-Norm-Package-Singapore.pdf.

[3] Id.

Presented below are just a few examples of the way in which the Commission’s work on norms have already achieved success, either through honorable mention of the Commission’s work or explicit affirmations of particular norms. The GCSC looks to build on this further by advocating for norm acceptance and implementation various fora in order to enhance norm coherence across a wide range of stakeholders.

EU Cybersecurity Act

The Norm to protect the public core of the Internet has been embedded into EU policy and law though its Cybersecurity Act, which also extends the mandate of ENISA to include the protection of the public core of the Internet.

The EU Cybersecurity Act represents a major step forward in EU cybersecurity policy. It aims to increase cybersecurity capabilities at EU level by establishing an EU-wide cybersecurity certification framework and promotes the current European Agency for Network and Information Security (ENISA) to a permanent EU Agency for Cybersecurity.

Read more on the inclusion of the Commission’s public core norm in the EU Cybersecurity Act here.

Paris Call for Trust and Security in Cyberspace

The Paris Call for Trust and Security in Cyberspace refers to five of the Commission’s norms, making explicit reference to the Commission’s flagship norm on protecting the public core of the Internet. Other norms referred to in the Call include preventing malign interference with electoral infrastructure, establishing a vulnerabilities equities process, ensuring basic cyber hygiene and prohibiting offensive cyber operations. The Paris Call for Trust and Security in Cyberspace is a high-level declaration in favor of the development of common principles for securing cyberspace. It was launched in November 2018 at the Internet Governance Forum by President Emmanuel Macron of France. It has already gained the backing of 552 official supporters, in which the GCSC is proud to be included.

Cybersecurity Tech Accord

The Cybersecurity Tech Accord welcomed the GCSC Norm Package, and offered comments on enhancing stability in cyberspace during the GCSC request for consultation. The Tech Accord also released a statement to this effect, which can be read here. You can find the full Cybersecurity Tech Accord response to the GCSC consultation on its Singapore Norm Package here.

United Nations

A Report of the UN Secretary-General A/74/62-E/2019/6 highlights the work of the Commission on norms of responsible behavior for reducing the risks to cyber stability. The report makes mention of the Commission in the section on ‘building confidence and security in the use of information and communications technologies’. The report of the UN Secretary-General, entitled “Progress made in the implementation of and follow-up to the outcomes of the World Summit on the Information Society at the regional and international levels,” is a response to the UN Economic and Social Council Resolution 2006/46.

In addition, the UN Secretary-General’s High-level Panel on Digital Cooperation Report “The Age of Digital Interdependence” highlights the work of the Global Commission on the Stability of Cyberspace and its Singapore Norm Package.

In recent years the Global Commission on the Stability of Cyberspace has also been a regular participant and session organizer of the United Nations Internet Governance Forum. The IGF Best Practice Forum on Cybersecurity highlighted the work of the Commission in it’s 2018 report on Cybersecurity Culture, Norms and Values, whilst the BPF on Cybersecurity also plans to further assess the contributions of the GCSC to cybersecurity best practices in its proposals for 2019 work streams.  The Commission has recently taken part in the last two IGF meetings, holding a zero-day event in 2017, convening a panel session in 2018 and participating in the BPF on Cybersecurity in both 2017 & 2018.