Cyber Norms Processes at a Crossroads

In October 2019, a major cyberattack on the Republic of Georgia disrupted thousands of government, media and private websites in the country, highlighting the escalating scope of cyber aggression. The following day, the University of Pennsylvania’s Perry World House and the Carnegie Endowment for International Peace convened key stakeholders from academia, industry and policy for a workshop to assess the state of global cyber norms processes. We’ve compiled the takeaways from the workshop, which was held under Chatham House Rules, in a new report. The discussions indicated that while the splintering of cyber norms processes in recent years raises cause for concern, fragmented initiatives provide reason for optimism that norms will eventually solidify.

Last week, the United States, United Kingdom, Australia and a number of European states publicly condemned Russia for the Oct. 28 cyberattacks against Georgia, reportedly attributed to Russia’s military intelligence service, the GRU. A rare example of collective attribution, the condemnation follows a joint statement signed by the U.S. and 26 other states in September 2019 pledging to hold states accountable for “bad behavior in cyberspace.” While this response is a welcome development, such accusations remain a modest response to increasingly flagrant cyber aggression: Indiscriminate cyberattacks like NotPetya, malware targeting critical infrastructure and large-scale cyber-enabled disinformation campaigns all demonstrate the acute need to solidify rules of the road for cyber operations.

Against this backdrop, some observers have viewed with alarm the splintering of cyber norms processes in recent years. The U.N. Group of Governmental Experts (GGE) had made considerable progress toward a nascent framework of norms in 2013 and 2015. The 2017 GGE, however, failed to reach a consensus in the dynamic geopolitical environment of the time: Certain member states appeared to walk back their commitment to the applicability of international law in cyberspace, and countries such as Russia and Cuba opposed the idea that states may respond to cyberattacks with noncyber means. After the process collapsed in 2017, cyber norms discussions at the U.N. split between the U.S.-proposed, reestablished GGE and the Russian-proposed Open-Ended Working Group. Meanwhile, other cyber norms-focused initiatives emerged, driven by civil society, industry and multistakeholder groups, including Microsoft’s Cybersecurity Tech Accord, the Paris Call for Trust and Security in Cyberspace, and the Global Commission on the Stability of Cyberspace. While laudable efforts, these initiatives make for a disjointed “ecosystem” of cyber norms processes.

Yet rather than signaling a death knell for cyber norms, fragmentation may propel them forward. This splintering creates potential points of friction but also carries considerable benefits. It allows processes to be optimized for different outcomes—such as constraining offensive operations or improving security in the ecosystem. Each initiative engages different sets of stakeholders, including private-sector actors uniquely relevant in the cyber context but often overlooked in state-centric processes. These processes cross-pollinate in ways that harness progress in one to generate innovations in others.

Rather than process fragmentation, the key challenges for cyber norms development derive from the structure of the cyber domain itself and the current alignment of incentives for state behavior. Constant technological evolution and low barriers to entry for conducting cyber operations impede the solidification and diffusion of norms. And the obfuscation of states’ cyber activities makes it difficult to discern which “aspirational norms” constitute actual, shared expectations of appropriate behavior. Rather than cooperating pragmatically to constrain cyber conflict, major powers remain firmly divided over fundamental concepts like the application of sovereignty to cyberspace. And while there are few consequences for violating incipient norms, states perceive real benefits from engaging in cyber operations in a relatively unrestrained manner. This balance of incentives militates against the internalization of norms.

To address these concerns, we recommend some practical steps forward, including directions for further research and engagement by the community of stakeholders working to promote cyber norms. More robust measurement of cyber activity is needed to cut through the fog and assess progress toward solidifying norms. A shared database to track cyber norms processes can facilitate cross-pollination. These processes should aim to consolidate in a way that allows them to bridge gaps between major powers—rather than becoming tools for them to compete. Finally, stakeholders should aim to both create incentives for adherence and diminish the incentives for malicious cyber activity, including by improving the security and resilience of the underlying information and communications technology ecosystem itself. More research is needed on these issues, but states could institutionalize the practice of pointing to specific cyber norms and applicable international law, for instance, and do more to impose costs on norm violators and their proxies.

Despite—or perhaps because of—fragmentation, there’s reason for optimism that, over time, cyber norms will solidify and diffuse. For instance, while it avoided attributing the attacks to Russia, the European Union denounced the cyberattacks on Georgia and called for the implementation of the “existing consensus” around GGE norms. Still, stakeholders need to calibrate expectations. Absent fundamental structural changes, states will continue to routinely exploit and contest cyberspace. Finding ways to manage and contain this contestation and mitigate the worst risks—rather than trying to insulate cyberspace from geopolitics altogether—offers the most realistic path forward.