Let’s talk about cybersecurity norms. What are they, how do they form, and why do they matter? Starting with the basics, international norms are one of three tools available to limit the destructive behavior of bad actors. The other two involve coercion and treaties or laws.
Due in part to issues with knowing exactly who took a certain action in cyberspace, coercion and treaties—which rely on good information and strong international reaction—haven’t quite had the desired effect in cyberspace. Norms provide a complement to laws in proscribing what state and non-state actors should and should not do online. In short, norms help establish and maintain a stable international ecosystem.
As Painter notes, cyber norms and the discussions around them are still in a relatively immature state, and some discussion persists as to whether we need to develop entirely new norms for cyberspace or whether we can simply apply existing norms that have helped govern interstate relations. In 2010, the United Nations organized a Group of Governmental Experts to weigh in on this question. In 2013, they reached a general conclusion: existing norms and laws apply in cyberspace.
How that looks in practice is still up for interpretation, though a group of lawyers provided their interpretation via the Tallinn Manual in 2013. However, even with the GGE conclusion and the Tallinn Manual (which is not an authoritative international document, but rather a list of recommendations from a group of international legal experts), holes remained. Some feel that we need to tackle the issue on an sub-issue to sub-issue basis and in bite-sized chunks, while others favor a more regional approach.
Once actors have agreed to norms, the challenge of getting them to actually abide by them remains.
Currently, efforts to build norms are taking place at unilateral, bilateral, and multilateral levels internationally, and non-governmental organizations are increasingly seeking to exert greater influence.
Norms are important and useful. They help define expectation for proper behavior. By providing guidelines, they can discourage bad actors from acting badly and can even serve as a foundation for more formal treaties and agreements. A well-established collection of norms gets everyone on the same page.To learn more about the past, present, and future of international cyber norms and the negotiations that surround them, check out the full version of Professor Cy Burr’s Graphic Guide to International Cyber Norms.