Governments, their supporters and technology companies have to adopt internationally-accepted rules to limit online misconduct and a forum for hearing complaints or the Internet will be in peril, according to a new report.
The call was made Tuesday in the final report of the Global Commission on the Stability of Cyberspace which urged state and non-state actors “to implement norms that increase the stability of cyberspace by promoting restraint and encouraging action.”
It also calls for “a standing multistakeholder engagement mechanism … to address stability issues, one where states, the private sector (including the technical community), and civil society are adequately involved and consulted.”
The report emphasizes that cyberspace is a multistakeholder environment that includes hardware and software companies and private sector firms that build and manage IT systems.
Those who violate the agreed norms would face norms face “predictable and meaningful consequences.”
Asked for comment, Global Affairs Canada said in a statement that Ottawa while welcomes “the positive engagement of stakeholders working to advance stability in cyberspace, Canada’s priority is the implementation and operationalization of the peacetime norms of appropriate State behaviour endorsed by all U.N. member States.
“Canada will continue engaging at the UN, including through the Open-Ended Working Group and Group of Governmental Experts processes, to promote and protect a free, open, secure cyberspace and encourage the dissemination and implementation of the framework for responsible State behavior in cyberspace.”
Canada will continue engaging at the UN, including through the Open-Ended Working Group and Group of Governmental Experts processes, to promote and protect a free, open, secure cyberspace and encourage the dissemination and implementation of the framework for responsible State behavior in cyberspace.
The 28 commissioners are cyber experts, academics and former government officials from a number of countries including the U.S., the U.K., Russia, Nigeria, Brazil, Israel, China, India and others. However, the report carries no backing from the United States, Russia, China or North Korea. Report authors hope to get international support.
Still, Stef Blok, Minister of Foreign Affairs of the Netherlands, a co-founder of the GCSC, called the report “an important contribution to a digital space in which order and peace must prevail.”
“Since stability in cyberspace is directly linked with stability in the ‘real world,’ such a cyberstability framework is more crucial than ever.” he said in a statement. “The next step in this multilateral process is to collect evidence and hold those who break the rules responsible. Together we must increase accountability and combine all pieces of the puzzle, between governments, tech and security firms, and civil society.”
The report outlined how serious the situation is: “We have reached the end of a twenty-five-year period of strategic stability and relative peace among major powers,” it warns. “Conflict between states has taken new forms, and cyber activities are playing a leading role in this newly volatile environment. Over the last decade, the number and sophistication of cyber attacks by state and non-state actors have increased, thus threatening the stability of cyberspace.
“Simply put, people and organizations may no longer be confident in their ability to use cyberspace safely and securely or be assured of the availability and integrity of services and information.”
The GCSC effort is one of a number of efforts around the world, at the United Nations and elsewhere, to get countries to limit what are seen as offensive actions against other nations or their critical infrastructure. Among other moves earlier this year the European Union established a framework allowing it to impose targeted restrictive measures to deter and respond to cyber-attacks.
Experts say it’s will be a long struggle, particularly because cyber attacks can be successful without apparent retaliation. China has been blamed for hacking Canada’s National Research Council, Russia has been accused of attempted U.S. election manipulation and cutting power in Ukraine.
The GCSC report also says the voluntary online norms of behavior — which would follow international law — should include agreements that:
- state and non-state actors will neither conduct nor knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace;
- state and non-state actors must not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referendum or plebiscites;
- state and non-state actors should not tamper with products and services in development and production, nor allow them to be tampered with, if doing so may substantially impair the stability of cyberspace;
- state and non-state actors should not commandeer the general public’s ICT resources for use as botnets or for similar purposes;
- governments should prevent non-state actors from engaging in offensive cyber operations;
- companies that make products and services should prioritize security and stability and take reasonable steps to ensure that their products or services are free from significant vulnerabilities, take measures to timely mitigate vulnerabilities that are later discovered and share information about product vulnerabilities
“Stability of cyberspace means everyone can be reasonably confident in their ability to use cyberspace safely and securely,” says the report, ” where the availability and integrity of services and information provided in and through cyberspace are generally assured, where change is managed in relative peace, and where tensions are resolved in a non-escalatory manner.”
The commission’s six recommendations are:
1. State and non-state actors adopt and implement norms that increase the stability of cyberspace by promoting restraint and encouraging action;
2. State and non-state actors, consistent with their responsibilities and limitations, respond appropriately to norms violations, ensuring that those who violate norms face predictable and meaningful consequences.
3. State and non-state actors, including international institutions, increase efforts to train staff, build capacity and capabilities, promote a shared understanding of the importance of the stability of cyberspace, and take into account the disparate needs of different parties;
4. State and non-state actors collect, share, review, and publish information on norms violations and the impact of such activities;
5. State and non-state actors establish and support Communities of Interest to help ensure the stability of cyberspace;
6. A standing multistakeholder engagement mechanism be established to address stability issues, one where states, the private sector (including the technical community), and civil society are adequately involved and consulted.