Expert commissions and norms of responsible behaviour in cyberspace: a review of the activities of the GCSC

Against the background of two decades of debates about responsible behaviour in cyberspace, this paper aims to examine the contributions of non-state actors to processes of cybersecurity norm-making. Specifically, it intends to dissect and critically appraise the work of the Global Commission on the Stability of Cyberspace (GCSC), a multistakeholder consortium composed of 28 regionally-diverse scholars, CEOs and (former) policymakers. Inaugurated at the margins of the 2017 Munich Security Conference, the GCSC has been fairly active with regard to developing proposals for norms and policies to enhance international security and stability and guiding responsible conduct in the virtual realm.

With a view to engaging in a differentiated analysis of the Commission’s activities, this paper asks: How do non-state actors such as the GCSC contribute to processes of cybersecurity norm-making, i.e. what are their roles and responsibilities, and how effective is their engagement? Since the end of the Cold War, non- state actors have become an issue of great interest to scholars of International Relations and International Law. However, in the context of cybersecurity, their normative engagement has not been scrutinised extensively. This paper seeks to address this gap.

Based on a review of secondary literature and case materials, this paper finds that, within a relatively short period of time, the GCSC has managed to exert discernible discursive and political influence over discussions on responsible behaviour in cyberspace and deserves recognition as a shaper of transnational cybersecurity governance. However, while fairly successful across the dimensions of output and outcome, the Commission has struggled to effect far-reaching systemic change (impact).

In light of significant contestation and fleeting governmental appetite for enacting red lines in the virtual realm, this paper seeks to critically appraise the contributions of non-state actors to processes of cybersecurity norm-making. The motivation to do so stems from two sources: empirical observations that non-state protagonists have become more involved in issues concerning responsible conduct in cyberspace, and realisations that, so far, academic research has offered little examination of their ideational engagement. Exploring the case of the GCSC, this paper argues that non-state actors have to be taken seriously as normative change agents in cybersecurity governance-related contexts.