A Dose of Realism: The Contestation and Politics of Cyber Norms

  • Tim Maurer

Abstract

Norms for cyberspace remain highly contested internationally among governments and fragmented domestically within governments. Despite diplomatic activities at the United Nations over the past two decades, intersubjective agreement on norms governing coercive cyber power is still nascent. Agreed-upon, explicitly stated norms are considered voluntary, defined vaguely, and internalized weakly. Implicit state practice is slowly emerging, yet poorly understood, and cloaked in secrecy. This raises several questions: How do norms emerge for cyberspace? What has been the contribution of the UN process to the international community’s understanding of norms for cyberspace? Why did the process collapse in 2017, the very same year that two of the biggest cyber attacks to date, WannaCry and NotPetya, caused indiscriminate economic harm worldwide, each with an estimated cost of several billion U.S. dollars? And why did member states, in an unprecedented move in the UN’s history, create two separate processes dedicated to the same issue in 2018? To answer these questions, this article analyses the various factors feeding into the dynamic process of norm contestation, including an in-depth discussion of the process at the United Nations, the role of international law, and the main points of critique.

Keywords

Cyberspace; Contestation; Cyber norms; Cybersecurity; Cyber security

Notes

Acknowledgements

Many thanks to Arun Sukumar, Duncan Hollis, Garrett Hinck, and Hannes Ebert in addition to two anonymous reviewers for providing feedback on an earlier draft of this article.

Copyright information

© T.M.C. Asser Press 2019

Authors and Affiliations

  1. Co-Director, Cyber Policy Initiative, Carnegie Endowment for International Peace, Washington, USA