Source: Carnegie Endowment for International Peace, by Christian Ruhl, Duncan Hollis, Wyatt Hoffman, and Tim Maurer, February 2020.
As cyber insecurity has become a growing problem worldwide, states and other stakeholders have sought to increase stability for cyberspace. As a result, a new ecosystem of “cyber norm” processes has emerged in diverse fora and formats. Today, United Nations (UN) groups (for example, the Group of Governmental Experts [GGE] and the Open-Ended Working Group [OEWG]), expert commis- sions (for example, the Global Commission on the Stability of Cyberspace), industry coalitions (for example, the Tech Accord, the Charter of Trust), and multistakeholder collectives (for example, the Paris Call for Trust and Security in Cyberspace) all purport to identify or operationalize various normative standards of behavior for states and/or other stakeholders in cyberspace. As some of these processes wind down (for example, the Global Commission) and others wind up (for example, the OEWG), cyber norms are at a crossroads where each process’s potential (and problems) looms large.
On October 29, 2019, the University of Pennsylvania’s Perry World House and the Carnegie Endow- ment for International Peace convened a one-day workshop titled “Cyberspace and Geopolitics.”1 It brought together three dozen key stakeholders in the cyber norm discourse, including representatives of national governments, international organizations, nongovernmental entities, industry, and think tanks, alongside several chief information security officers and academics from international law and international relations. Participants assessed the various cyber norm processes both individually and collectively. This paper builds on the outcome of those discussions.2
The workshop’s key takeaway was an embrace of the existing fragmentation of the cyber norm ecosystem. Participants saw the variety of cyber norm efforts not as detrimental but rather as an opportunity to broaden the base of engaged stakeholders and to deepen understandings of normative expectations within relevant communities. At the same time, the workshop highlighted four weak- nesses that constrain the effectiveness of these frameworks individually and collectively:
- Inherent characteristics of the cyber domain, especially its low barriers to entry to develop and to use cyber capabilities, that create serious multistakeholder cooperation problems, as states, corporations, proxy actors, and others all would need to adhere to norms
- A lack of transparency about state behavior, which creates an inability to measure norm adherence to differentiate “aspirational norms” from actual “norms” and, within the latter category, to assess the breadth and depth of conformance by relevant actors
- A dearth of great power cooperation to address this global public policy challenge, especially as geopolitics moves from identifying norms to internalizing them within relevant state and other stakeholder communities
- A lack of clear incentives for internalizing norms—that is, articulating concrete benefits for adopting and internalizing one or more cyber norms or the costs that may follow a failure to do so
Four recommendations can address these issues:
- Focused research on specific cyber norms to measure their alignment with actual behavior in cyberspace and identification of potential gaps between them and among existing accords.
- A shared global database of cyber processes that can improve transparency on what each process does, who participates, and how its work is received in other processes (that is, what sort of cross-pollination is occurring versus triggering competing or conflicting norm propos- als). For example, Carnegie’s Cyber Norms Index already tracks existing multilateral and bilateral accords relating to cyber norms.
- Research efforts to identify a menu of incentives to promote norm adoption and implementa- tion, including a list of potential consequences that can follow cases of nonconformance.
- More multistakeholder engagement with great powers on exercising their power responsibly to improve the identification and operation of cyber norms for states and other stakeholder groups (for example, industry, civil society).
The paper is divided into four sections. The first section gives a short overview of the manifold forms of cyber threats and the various types of cyber norm processes they have spawned. The next section examines four case studies of cyber norm processes—the GGE, the OEWG, the Global Commis- sion, and the Paris Call—while highlighting the existence of others. The section after that gives a collective assessment of these processes and their interactions. The paper concludes with a section examining the key takeaways and recommendations that emerged from the workshop.
To read the full report click here