The Carnegie Endowment for International Peace released a report Feb. 26 discussing the disjointed nature of international cybersecurity norms.
Given the disparate ways that countries across the globe are responding to cyberattacks, the report asked, “Is the fragmentation [of international norms] a cause for concern or an opportunity to promote cyber stability and security?”
The report cited a wide variety of international groups working to establish cyber norm processes:
- United Nations (UN) groups: the Group of Governmental Experts [GGE] and the Open-Ended Working Group [OEWG];
- Expert commissions: the Global Commission on the Stability of Cyberspace;
- Industry coalitions: the Tech Accord and the Charter of Trust; and
- Multistakeholder collectives: the Paris Call for Trust and Security in Cyberspace.
The report noted that all of these groups are attempting to “operationalize various normative standards of behavior for states and/or other stakeholders in cyberspace.” However, since these groups are operating separately from each other, “cyber norms are at a crossroads where each process’s potential (and problems) looms large.”
In October of 2019, the Carnegie Endowment for International Peace, along with the University of Pennsylvania’s Perry World House, held a one-day cyberspace and geopolitics workshop. The workshop, which is the basis for the report, brought together cyber stakeholders from national governments, international organizations, nongovernmental entities, industry, and think tanks, as well as CISOs and academics from international law and international relations.
“The workshop’s key takeaway was an embrace of the existing fragmentation of the cyber norm ecosystem,” the report explains. “Participants saw the variety of cyber norm efforts not as detrimental but rather as an opportunity to broaden the base of engaged stakeholders and to deepen understandings of normative expectations within relevant communities.”
However, while participants did find some positives in the variety of cyber norms, the workshop identified four weaknesses that harm the effectiveness of the existing frameworks, both individually and collectively:
- Inherent characteristics of the cyber domain, especially its low barriers to entry to develop and to use cyber capabilities.
- A lack of transparency about state behavior, which creates an inability to measure norm adherence to differentiate “aspirational norms” from actual “norms.”
- A dearth of “great power” cooperation to address this global public policy challenge.
- A lack of clear incentives for internalizing norms.
In response to those weaknesses, the report’s authors offered four recommendations:
- “Focused research on specific cyber norms to measure their alignment with actual behavior in cyberspace and identification of potential gaps between them and among existing accords.
- A shared global database of cyber processes that can improve transparency on what each process does, who participates, and how its work is received in other processes (that is, what sort of cross-pollination is occurring versus triggering competing or conflicting norm proposals). For example, Carnegie’s Cyber Norms Index already tracks existing multilateral and bilateral accords relating to cyber norms.
- Research efforts to identify a menu of incentives to promote norm adoption and implementation, including a list of potential consequences that can follow cases of nonconformance.
- More multistakeholder engagement with great powers on exercising their power responsibly to improve the identification and operation of cyber norms for states and other stakeholder groups (for example, industry, civil society).”