Cyberspace is for everyone and so it must be safe to use

At last month’s Paris Peace Forum, eight norms were outlined to attempt to safeguard online activity against attacks by state and non-state actors, writes Joseph S Nye Jr

The internet has become a substrate for economic, social, and political interactions. It has brought enormous gains. But attacks by state and non-state actors have increased, threatening the stability of cyberspace.

At the Paris Peace Forum last month, the Global Commission on the Stability of Cyberspace (GCSC) issued its report on how to provide an overarching cyber stability framework. Originally convened by the Dutch government three years ago, the multi-stakeholder GCSC (of which I was a member) had co-chairs from Estonia, India, and the US, and comprised former government officials, experts from civil society, and academics from 16 countries.

Over the years, there have been numerous calls for laws and norms to manage the new international insecurity created by information technology, starting with Russian proposals at the UN two decades ago for a binding treaty.

Unfortunately, given the nature of cyber weapons and the volatility of the technology, such a treaty would not be verifiable and would quickly become obsolete.

Instead, the UN set up a Group of Governmental Experts (GGE), which produced a non-binding set of norms in 2013 and 2015.

That group was unable to issue a report in 2017, but its work continues, and an Open-Ended Working Group, in which some 80 states participated last September, has joined it at the UN. In addition, UN secretary general António Guterres established a high-level group which issued a report looking forward to a broader UN discussion in 2020.

The GCSC defines cyber stability as individuals and institutions being confident in their ability to use cyber services safely and securely, to manage change in peace, and resolve tensions without escalation.

Stability is based on existing international law, which, as the GGE’s 2013 and 2015 reports affirmed, applies to cyberspace.

But a binding international legal treaty would be premature. Norms of expected behaviour can provide a flexible middle ground between rigid treaties and taking no action.

As Michael Chertoff, one of the GCSC co-chairs and previously US secretary of homeland security, has explained, norms can exist in parallel with laws, but are more dynamic in the face of rapidly changing technology.

The GCSC proposed eight norms and focused on technical issues that are fundamental to cyber stability. Such norms are common points of reference in the evolving political discussions.

The first norm is non-interference with the public core of the internet. While authoritarian and democratic states might disagree about free speech or regulation of online content, they can agree not to interfere with core features, such as the domain name system, without which there would be no predictable inter-connection among the network of networks that comprise the internet.

Second, state and non-state actors must not support cyber operations intended to disrupt the technical infrastructure essential to elections, referenda, or plebiscites.

While this norm does not prevent all interference, such as what happened in the US elections in 2016, it sets some bright lines around technical features.

Third, state and non-state actors should not tamper with goods and services in development or production. Insecure supply chains threaten stability.

Fourth, state and non-state actors should not commandeer the public’s resources for use as ‘botnets’ (cyber robots based on others’ machines, but commanded without their knowledge or consent).

Fifth, states should create procedurally transparent frameworks to assess whether, and when, to disclose to the public vulnerabilities or flaws in information systems or technology. Such flaws are often the basis of cyber weapons. Hoarding such vulnerabilities for possible use in the future poses a risk to all. The presumption should be in favour of disclosure and patching.

Sixth, developers and producers of goods and services on which the stability of cyberspace depends should emphasise security, ensure that their wares are free from vulnerabilities, and be transparent about those vulnerabilities to mitigate malicious cyber activity.

Seventh, states should enact laws and regulations to ensure basic cyber hygiene. Just as vaccinations prevent communicable diseases, such as measles, so basic cyber hygiene can remove the low-hanging fruit that attracts cyber malefactors.

Lastly, non-state actors should not engage in offensive cyber operations, and state actors should prevent such activities or respond if they occur. Sometimes called ‘hack-back’, private vigilantism may escalate and threaten cyber stability.

These eight norms will not ensure stability in cyberspace, but combined with norms, principles, and confidence-building measures suggested by others, they could provide a start. In the long term, states observe norms of behaviour to improve coordination, manage uncertainty, preserve their reputations, or in response to internal pressures. The world is a long way from such a normative regime for cyberspace, but the GCSC has nudged the process forward.

- Joseph S Nye, Jr, a professor at Harvard University, is the author of Is the American Century Over? and the forthcoming Do Morals Matter? Presidents and Foreign Policy from FDR to Trump.
