Cyber-stability wonks add election-ware to ‘civilised nations won’t hack this’ standard

The Global Commission on the Stability of Cyberspace (GCSC) has called for an end to cyber-attacks on electoral infrastructure.

The GCSC works to develop “norms” of behaviour it hopes governments and others will adopt in order to leave internet infrastructure untouched during conflict. The body believes that as the internet is now critical to civil society, international agreements should protect its operation so that bystanders to conflicts aren’t harmed by disruptions to online services. Microsoft, the Internet Society and the governments of The Netherlands, France and Singapore have all funded the group.

The Commission met last week and resolved that “State and non-state actors should not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites.”

In an explanatory text (PDF) the GCSC pointed out that the United Nations Charter states that “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state” and argued that those sentiments should be extended to ensure that nations don’t fiddle each other’s digital electoral infrastructure.

“As more countries opt to digitise their election machinery, the risks and vulnerabilities associated with such infrastructure increase manifold, as does the prospect of a major, offensive cyber operation,” the explanatory text reads. “A modest first step to effective multilateral cooperation would be a pledge or commitment from governments to refrain from engaging in cyber operations against the technical electoral infrastructure of another state. In recommending this norm, the Commission merely affirms the numerous international legal protections already afforded against external interference in the internal affairs of another state.”

The GCSC knows that those will be considered nought but noble words by some nations and non-state actors, who will carry on hacking regardless. The Commission therefore works to have its norms approved and adopted by as many nations as possible, so that those who don’t sign up can be singled out for diplomatic finger-waving or worse.

The Commission’s had some success with that approach: the European Parliament recently considered the adoption of GCSC-developed norms internet infrastructure as amendments to the EU Cybersecurity Act. ®