The Global Commission on the Stability of Cyberspace (GCSC) is worried its guidance on preventing the internet and all it connects becoming a casualty of war is being misinterpreted.
The GCSC works to create global behavioural norms that hopefully find their way into the diplomatic documents that govern nation-states’ behaviour. The organisation does so because conventions governing kinetic warfare prohibit attacks on hospitals or schools, but many nations are yet to formalise recognition that information warfare could easily disrupt hospitals. The GCSC therefore wants nations to recognise that information warfare needs rules that match the intent of those governing kinetic conflict.
The Commission has had considerable success in those efforts, having defined eight norms. The first, the Norm on non-interference with the public core of the Internet, seeks to forbid attacks on the Domain Name System, DNSSEC, WHOIS information services, systems operated by the Internet Assigned Numbers Authority and of Regional Internet Registries.
The norm also calls for “naming and numbering protocols themselves and the integrity of the standardization processes and outcomes for protocol development and maintenance” to be off-limits during conflict.
The organisation is pleased with progress towards its goals.
“We are delighted that the concept of the public core of the Internet has been fully integrated in such diverse texts as the Paris Call for Trust and Security in Cyberspace and the Cyber Security Act of the European Union,” reads a new statement [PDF] from the group.
But the statement suggests the norm is being misinterpreted.
“Fundamentally we believe that the norm of non-interference with the public core is an issue of governance ‘on’ the Internet, and primarily a matter of moderating malicious state behaviour, and not an issue of governance ‘of’ the Internet, and therefore of Internet governance” the statement declares.
“Despite recent attempts to cast the main threat to the public core as resulting from cybercriminals, it is in fact states and their affiliates whose activities pose the greatest risks,” the document adds, citing an International Telecommunications Union document that suggests nation-states could guarantee the ‘net’s safety from a criminal attack.
Only the attack on Dyn.com, the statement adds, has been identified as a result of criminal activity.
The statement also points out that most internet governance organisations are not run by governments.
“There is nothing in the GCSC norm to suggest that these key elements of the public core are not being well cared for by these actors,” the statement adds. “However, no extent of care is sufficient to address an unlimited reservoir of potentially malicious behaviour. As described above, the only evidence of repeat behaviour points to state-affiliated activity, and not cybercrime.”
The statement therefore concludes that the GCSC’s approach of setting norms for nations regarding the bodies that define, operate, and administer the internet is therefore more appropriate than trying to stop criminals attacking its core.
“Even if governments maintain a de jure monopoly over the legitimate use of force in cyberspace, they no longer have a practical monopoly on attacking and protecting this domain, nor can they prevent the proliferation and use of powerful cyber weapons,” the statement declares.
“Rather, the technical community, civil society, and individuals also play a major role in the protection of cyberspace, including the promulgation of standards.” ®