Professor Cy Burr’s Graphic Guide to International Cyber Norms

Let’s talk about cybersecurity norms. What are they, how do they form, and why do they matter? Starting with the basics, international norms are one of three tools available to limit the destructive behavior of bad actors. The other two involve coercion and treaties or laws.

Due in part to the difficulty of knowing exactly who took a certain action in cyberspace, coercion and treaties, which rely on good information and strong international reaction, haven’t quite had the desired effect there. Norms provide a complement to laws in prescribing what state and non-state actors should and should not do online. In short, norms help establish and maintain a stable international ecosystem.

As Painter notes, cyber norms and the discussions around them are still in a relatively immature state, and some discussion persists as to whether we need to develop entirely new norms for cyberspace or whether we can simply apply existing norms that have helped govern interstate relations. In 2010, the United Nations organized a Group of Governmental Experts to weigh in on this question. In 2013, they reached a general conclusion: existing norms and laws apply in cyberspace.

How that looks in practice is still up for interpretation, though a group of lawyers provided their interpretation via the Tallinn Manual in 2013. However, even with the GGE conclusion and the Tallinn Manual (which is not an authoritative international document, but rather a list of recommendations from a group of international legal experts), holes remained. Some feel that we need to tackle the issue on a sub-issue-by-sub-issue basis and in bite-sized chunks, while others favor a more regional approach.

Once actors have agreed to norms, the challenge of getting them to actually abide by them remains.

Currently, efforts to build norms are taking place at unilateral, bilateral, and multilateral levels internationally, and non-governmental organizations are increasingly seeking to exert greater influence.

Norms are important and useful. They help define expectations for proper behavior. By providing guidelines, they can discourage bad actors from acting badly and can even serve as a foundation for more formal treaties and agreements. A well-established collection of norms gets everyone on the same page.

To learn more about the past, present, and future of international cyber norms and the negotiations that surround them, check out the full version of Professor Cy Burr’s Graphic Guide to International Cyber Norms.


Dan Ward was a fellow in New America's Cybersecurity Initiative. He is the author of F.I.R.E.: How Fast, Inexpensive, Restrained, and Elegant Methods Ignite Innovation (Harper Business, 2014) and The Simplicity Cycle: A Field Guide To Making Things Better Without Making Them Worse (Harper Business, 2015).

Robert Morgus is a senior policy analyst with New America’s Cybersecurity Initiative and International Security program and the deputy director of the FIU-New America C2B Partnership.