What are the ‘rules of the road’ for cyberspace, and who sets them? The question has risen in prominence and priority as cyber threats have grown more severe. A lack of clarity about acceptable behaviour enables destabilising cyber activity, such as the recent Microsoft Exchange hack by suspected state-sponsored actors and the persistent ransomware attacks targeting hospitals around the world. For all their importance, however, efforts to identify behavioural norms for cyberspace are increasingly fragmented.
That fragmentation signals future perils; multiple concurrent norm-building efforts could cloud relevant actors’ understanding of appropriate behavioural expectations or, worse, generate competing norm candidates among rival groups. Yet fragmentation also offers some promise – a collection of specialised processes establishing behavioural standards for specific actors in specific contexts. If successful, such processes could eventually be coordinated to develop various elements of an overarching cyber norms framework.
Determining which vision of fragmentation will prevail (or if both perils and promise will proceed simultaneously) requires more transparency. States and other stakeholders need to know more about which processes exist, what these processes aspire to do in terms of building or operationalising responsible norms of behaviour for cyberspace, and how actors and communities are engaged in this norm development and operationalisation. The Carnegie Endowment’s Cyber Norms Index offers one contribution to such an endeavour, and may encourage others going forward.
A Bottle Half-Empty
The past decade has witnessed a rapid expansion in the number and variety of cyber norms processes. Fragmentation first emerged as multilateral efforts at the UN began to compete with the original multistakeholder governance communities, including the Internet Governance Forum (IGF), ICANN and the IETF. It progressed with the failure of the 2016–2017 UN Group of Governmental Experts (GGE) to reach consensus.
New, industry-focused norm processes emerged – such as the Cybersecurity Tech Accord and the Charter of Trust – while industry actors worked across stakeholder groups to generate new ‘multistakeholder’ fora such as the Paris Call for Trust and Security in Cyberspace. A group of experts – the Global Commission on the Stability of Cyberspace – promoted its own list of norms. Meanwhile, norms diplomacy at the UN split into two tracks: a new GGE and an Open-Ended Working Group (OEWG), each operating simultaneously within the First Committee, with plans afoot to launch a new Programme of Action going forward.
These processes all have similar goals: to form and distribute common standards of behaviour to improve global cybersecurity. Nonetheless, they make for a disjointed ecosystem. Each process comes with tradeoffs in its ability to advance global cyber norms. More inclusive processes like the IGF welcome a wide variety of stakeholders and viewpoints. This inclusivity allows for crucial dialogue among states, industry and civil society. However, these processes are quite limited in their ability to transform dialogue into action, given participants’ diverging views. Such procedural weaknesses challenge the IGF’s capacity to be a centralised focal point of norm-building discussions.
In contrast, multilateral norm-building processes at the UN are more focused and less inclusive. Both the GGE and the OEWG have made some efforts to incorporate other stakeholders’ views, although it is not clear if these views are being integrated into UN outputs. Indeed, UN processes may generate outcomes that non-governmental stakeholders view with hostility. Still, the organisational and resource capacities of governments create opportunities to move past deliberations and ‘operationalise’ norms among states. The legacy of other multilateral global governance projects suggests, moreover, that their norms can cascade and become internalised by other industry-focused and multistakeholder initiatives.
The possibility for UN progress faces significant hurdles at present, with fragmented mandates and authorities. The GGE and OEWG have potentially divergent mandates backed by rival cyber powers; the US prefers the GGE, while Russia sponsored the creation of the OEWG. To the significant credit of its chair, Jürg Lauber, the OEWG managed to produce a report with the consensus of the entire UN membership without retrenching on the nascent framework of norms developed by previous GGEs, as some feared it would. However, it was also unable to substantially build on the existing norms framework. This will likely be left to future processes, given Russia’s ability to block any efforts within the current GGE that would supplant the conclusions of the OEWG.
Unfortunately, these future processes could perpetuate the current dual-track norms system. A second Russian-sponsored OEWG is scheduled to begin work later this year; like its predecessor, it is authorised to introduce possible changes to existing GGE norms. The US opposes such changes and would likely respond to any revisionist efforts in the new OEWG by supporting an alternative process – perhaps a new GGE or the proposed Programme of Action. As was the danger with the current GGE and OEWG, a second iteration of simultaneous norms processes could move at different paces with different agendas, with real potential for competing outcomes if their activities become too disjointed.
The First Committee’s work is further complicated by talk of a UN treaty on cybercrime. Such deliberations traditionally steered clear of global cybersecurity topics. However, the 2019 resolution establishing a group of experts to consider a new UN cybercrime treaty was vaguely worded. As such, its mandate could include cybersecurity-related norms (e.g. on the criminal or terrorist use of ICTs). Without proper coordination, processes in the UN’s Third Committee could produce conflicting outcomes with earlier and ongoing First Committee efforts. Hence, many understandably view the complexity of the current norms environment with concern.
A Bottle Half-Full
However, it is also important to recognise that in certain contexts fragmentation may actually benefit norm-building efforts by inducing specialisation. This in turn may generate more effective norms. For example, in the UN context, the Third Committee has expertise on issues like mutual legal assistance related to cybersecurity that the First Committee lacks, just as the Third Committee does not have depth on the linkages between cybersecurity and international peace and security. The processes in each committee can (and should) optimise norm-building according to their own specialised capacities and expertise.
Industry-focused norms processes such as the Cybersecurity Tech Accord may further showcase the potential of norm specialisation given that stakeholders who create, own and operate ICTs are well suited to identify relevant behavioural expectations that eliminate or mitigate ICT-related threats. Similar efforts like the ‘Oxford Process’ aim to bring international legal experts together to elaborate more precisely what international law says about some of the most pressing cyberthreats today (e.g. cyberattacks against healthcare, vaccine research, and foreign electoral interference).
Fragmentation: a problem or a solution?
Thus, fragmentation is a two-sided coin. On the one hand, the diversity and complexity of the norm-building environment may hinder progress in establishing rules of the road for cyberspace. On the other hand, fragmentation may generate positive developments for global norm-building if it empowers specific stakeholder communities to leverage their expertise and capacities. With proper coordination, individual processes might coalesce into a collective whole comparable to the ‘regime complex’ idea describing other global governance areas. Cyber norms initiatives that serve different purposes can be leveraged so that progress on a complex problem set is not stalled by an unnecessary insistence on establishing a primary focal point or institutional process.
Overlapping processes can be structured to avoid conflicting outcomes, for example by tying their mandates to specific communities or intermediaries most suited to dealing with a particular issue of global cybersecurity. Ideally, over time, states and other stakeholders might pursue multistakeholder opportunities to coordinate and consolidate these norms into universal rules or principles (the Paris Call’s nine principles offer an early preview of how this might work). High-ambition coalitions can broaden the base of participants in norm-building processes and allow for cross-stakeholder dialogue that would not otherwise occur. At the same time, more exclusive processes, such as the UN GGE, can focus on achieving concrete agreement among key nation states on fundamental normative issues, or projects for their operationalisation.
Ultimately, whether fragmentation becomes a problem or achieves such potential will turn on transparency. To coordinate effectively, cyber norms stakeholders must understand the relationships between various norm-building projects and the purposes they serve. One way to promote such transparency is a shared, publicly available database of cyber norms developments. The Carnegie Endowment for International Peace provides such a database through its newly updated Cyber Norms Index. The Index hosts hundreds of multilateral, bilateral and multistakeholder norms documents, as well as a timeline of cyber norms agreements, filterable by country, illustrating how nations’ norm-building efforts have evolved over time. Users can also search multilateral documents by topic or keyword to understand which multilateral norms processes overlap and/or diverge on specific issues.
The Cyber Norms Index is a living database that Carnegie regularly updates, though ensuring the Index remains a comprehensive resource in an expanding environment of cyber norms actors and processes presents challenges. Regular feedback from and communication with cyber norms stakeholders, particularly those in the growing multistakeholder community, would improve Carnegie’s ability to capture the full range of actors, organisations and initiatives contributing to the development of behavioural standards in cyberspace.
To be sure, databases and transparency cannot guarantee the success of any normative process. Stakeholders must contend with constant technical evolution and low barriers to entry for cyber actors, the fundamental ideological divides among major cyber powers and the presumption of anonymity surrounding state-sponsored cyber activity. More work is needed to understand how well norm candidates have influenced actual behaviour; to identify ways to consolidate current cyber norms processes; and to create stronger incentives for states, especially major cyber powers, to internalise these norms into their own operations.
That work should not rest, however, on a presumption that norm fragmentation is inherently flawed. To do so would predicate progress on establishing a dominant focal point in cyber norms processes, which may not be feasible or desirable. Instead, cyber norms stakeholders should accommodate fragmentation and pursue its positive potential. A starting point is increasing transparency among norm-building communities with different stakeholders, capacities and expertise, and, from there, working towards a consistent framework of acceptable behaviour in cyberspace. In the absence of transparency, stakeholders will struggle to identify which fragmentation is problematic and which warrants space and support to ensure the common goal – global cybersecurity.
About the Author
Evan Burke is a research assistant in the Cyber Policy Initiative of the Technology and International Affairs Program at the Carnegie Endowment for International Peace. His current work focuses on cyber diplomacy and the implications of a changing U.S.-China technology relationship.