Two weeks ago, a small delegation from the Internet Society was in Delhi for a series of meetings. (See yesterday’s post about GCCS and GFCE.) In this post, I’ll pick up with the Global Commission on the Stability of Cyberspace (GCSC).
The international community has been trying to develop cybernorms for international behaviour for over a decade. This has been happening through UN processes, through the GCCS, through international law discourse, and other fora. And some progress has been made. For instance, the Tallinn Manuals provide some insights on how international law applies to cyber war and cyber operations, while the UN GGE, among others, recognized the applicability of international law to the digital space and has provided some protection to cybersecurity incident response teams (CIRTs) and critical infrastructure.
However, these processes are slow, and certainly not without roadblocks. The 5th UN Group of Governmental Experts on Information Security (GGE), for example, failed to reach consensus on whether certain aspects of international law, in particular the right to self-defence, apply to cyberspace as well as issues related to attribution. During a panel at GCCS, five participants in the 5th UN GGE shared their perspectives. To me it was clear that all parties see that the cyber diplomatic discussions on stability need to continue, but that it is not at all clear what the modalities of such discussion will be; it is not clear if there will ever be a 6th UN GGE or an alternative UN process.
So, how do we get to norms that may impact state and non-state behavior? Norms that can be supported by a large group of stakeholders – states, private sector, and technical, academic and civil society communities alike?
The Global Commission on the Stability of Cyberspace (a multistakeholder commission of experts) sets out to bring perspective by developing ‘proposals for norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace.’ In its meeting in Delhi, it converged on its concrete outcome: A call to protect the Public Core of the Internet.
It reads:
NON-INTERFERENCE WITH THE PUBLIC CORE
Without prejudice to their rights and obligations, state and non-state actors should not conduct or knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace.
This is a call that, I believe, can be prima facie respected by international law scholars, diplomats, negotiators, politicians, civil society members, and technologists alike. It recognizes a body of existing norms and agreements while it also unequivocally states: don’t mess with the public core of the Internet.
Many readers will dispute that this is a clear call, as the concept of the public core of the Internet is not clearly defined. They have a point, but among the commissioners, it is well understood that the public core is a broad term that includes elements like Internet routing, the domain name system (DNS), certificates and trust, and communications cables. The associated protocol soup contains terms like BGP, DNS, PKI, and TLS. It is also well understood that we are not only talking about physical resources, like the routers themselves, but also about intangible aspects such as the state of the global routing table. More work will be done to refine and define the Public Core concept.
Creating a common understanding of global normative behaviour is a long and slow process where certain actors can become norm entrepreneurs. Not without pride, I believe that the GCSC, with the call for protection of the public core, is demonstrating norm entrepreneurship. Or, as EFF’s Jeremy Malcolm observes in his blog on Delhi’s cyber events: “The Call to Protect the Public Core of the Internet is not intended to be legally binding, but like Internet standards, it is hoped that it will acquire influence because the process by which it was developed was relatively thoughtful, inclusive, and balanced”, closing his blog with: “It doesn’t surprise us that a diverse, multi-stakeholder group of experts can actually produce more useful outcomes than a group of governments alone, and this could be taken as a lesson by the host of the next GCCS.”
I can’t write a better conclusion to this post.
Further reading
- In Slate, James Shire and Max Slate argue that ‘The word Cyber now means everything – and nothing at all’
- Commissioner Wolfgang Kleinwächter shares his perspectives on the GCCS and GFCE in this CircleID blog.
- The Geneva Internet Platform’s Digital Watch is a fine starting point to read more about the UN GGE
The Internet Society sponsors the GCSC and the author is one of its commissioners.