Confronting the Ubiquity of Norms in Cyberspace and Cyber Governance

Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.

The Cyberspace Solarium Commission was tasked with applying social science insights to American cybersecurity strategy. Organization of the commission into three task forces on deterrence, active disruption of adversary attacks through persistent engagement, and norms-based regimes reflects an important truth. Norms, or standards of socially appropriate behavior, are a ubiquitous and unavoidable dimension of global cyber policy. Distinguishing a norms-based approach, however, carries the risk of suggesting that a deterrence or persistent engagement strategy could be undertaken without relying on norms. In fact, norms are essential to both strategies and to any other possible cyber strategy. The only choices facing the United States (or any other actor) are about the content of the norms it promotes, and about how it will convince others to adopt, interpret, comply with and uphold them. Below, I introduce several vital but sometimes misunderstood features of how norms work and discuss their implications for American cybersecurity strategy.

In the past 30 years, international relations scholars have learned a great deal about norms. First, norms often generate high rates of compliance without centralized enforcement; internet technical standards are a key example. Second, it is a mistake for analysts to treat something that violates their own set of norms as something that is necessarily anti-normative. Individuals and groups across space and time have held vastly different notions about what constitutes appropriate behavior. Care should be taken not to conflate norms in general with a specific set of Western liberal norms that underpin contemporary rule-based global order. Third, norms are not inherently likely to encourage cooperation or discourage violence. Some norms (like U.N. Charter Article 51) explicitly authorize violence, at least under certain conditions. Thus, it is completely consistent with the standard definition of norms to envision an extremely conflictual world in which regular, high-consequence cyberattacks are regarded as appropriate behavior for major powers, states in general or even various nonstate actors. While such a world would not align with American interests or values, to the extent actors saw it as legitimate, it would reflect the influence of norms.

Fourth, norms are not outcomes that remain static until they suddenly change. Rather, they are ongoing products of social relations that exist not as individual things in isolation but as parts of complex normative systems that can (and often do) place actors in difficult positions requiring them to make determinations about appropriate behavior in light of multiple applicable norms that may be in conflict. Fifth, this means that consensus and completeness are not useful standards for thinking about whether norms exist or can be useful in a given issue area.

Finally, norms are important even when compliance is imperfect. They have a crucial role to play in responding to violations. The process of applying and constantly adapting norms highlights the fact that the international community relies on norms to provide a basis for criticizing or justifying behavior. It is the very existence of such behavioral standards that makes it possible to stigmatize actions that fall outside expectations as with, for example, “rogue states.” In this way, norms are essential in justifying responses to norm-violating behavior, whether in the form of criminal indictments, economic sanctions or even the use of force. Other related norms tell us how to determine whether a prior norm has been broken, and how to respond if it has been.

What does this all mean for American cyber policy? A great deal. No single actor, however powerful, can unilaterally shape norms for cybersecurity. Doing so requires skillful, consistent engagement in global processes of rule-making, interpretation and application. Shaping cyber norms thus requires “persistent engagement” but of a very different kind than envisioned by most uses of the term. Specifically, norms development requires a coordinated whole-of-government approach led by the State Department. The United States must articulate and justify its positions in convincing, legitimate ways to a broad audience that includes industrial democracies, emerging economies, foreign and domestic firms, and civil society organizations. Since these stakeholders have different standards for what makes an argument convincing, this presents an extremely challenging diplomatic task.

It is also vital to take a long view in promoting cyber norms, by prioritizing the creation of effective, legitimate processes for rule-making, interpretation and application that will enable cooperative management of cybersecurity governance challenges, rather than prioritizing specific, short-term rule-making outcomes. In complex, uncertain circumstances, it is important to prioritize flexible arrangements drawing on soft law mechanisms that facilitate agreements by lowering the costs of error in rule-making. Such arrangements require careful attention to ongoing processes of refinement, as well as to issues created by potential conflicts between related sets of rules in different domestic and international institutional settings.

A focus on the procedural underpinnings of global information and communications technology governance is evident in Russian and Chinese strategies. The parallel operation of a new Group of Governmental Experts alongside the Open-Ended Working Group in the First Committee of the U.N. General Assembly exemplifies awareness of how procedural rules (such as terms of reference, and membership and voting rules) can be used to advance interests and values, as does the Russian resolution establishing a process to create a cybercrime treaty in the General Assembly’s Third Committee. China and Russia will continue to pursue such efforts, with increasing sophistication and success, as they master rule-making procedures that have since 1945 been dominated by Western democracies. Countering such efforts will require renewed engagement in institution building in the international system, as well as bilateral and multilateral engagement with states that have not firmly decided which vision for internet governance they prefer.

While the technological and military challenges for American cyber strategy are daunting, in the long run the rule-making challenges will be equally if not more consequential. These are not the kind of problems that can be definitively solved; rather, they will require ongoing management. Further, as the internet and related technologies metastasize, via the “internet of things” and the application of artificial intelligence, these rule-making challenges will only grow in scope, complexity and significance. Meeting these challenges requires a clear understanding of how norms work, and acceptance of their centrality to any cyber strategy.