Cyberspace and Geopolitics: Assessing Global Cybersecurity Norm Processes at a Crossroads

February 26, 2020
By Christian Ruhl, Duncan Hollis, Wyatt Hoffman, Tim Maurer | Carnegie Endowment for International Peace

This paper is based on a workshop hosted by Perry World House and Carnegie Endowment for International Peace, entitled 'Cyberspace and Geopolitics.' It highlights four weaknesses that could hinder the development of cyber norm frameworks and offers recommendations for addressing them. It was co-authored by Christian Ruhl, Program Associate for Global Order at Perry World House; Duncan Hollis, a Visiting Scholar at Perry World House; Wyatt Hoffman, a senior research analyst with Carnegie's Nuclear Policy Program and Cyber Policy Initiative; and Tim Maurer, a senior fellow at Carnegie and co-director of the Cyber Policy Initiative.

As cyber threats multiply, efforts to establish international norms for cyber activity have created a disjointed ecosystem. Is the fragmentation a cause for concern or an opportunity to promote cyber stability and security? 

As cyber insecurity has become a growing problem worldwide, states and other stakeholders have sought to increase stability for cyberspace. As a result, a new ecosystem of “cyber norm” processes has emerged in diverse fora and formats. Today, United Nations (UN) groups (for example, the Group of Governmental Experts [GGE] and the Open-Ended Working Group [OEWG]), expert commissions (for example, the Global Commission on the Stability of Cyberspace), industry coalitions (for example, the Tech Accord, the Charter of Trust), and multistakeholder collectives (for example, the Paris Call for Trust and Security in Cyberspace) all purport to identify or operationalize various normative standards of behavior for states and/or other stakeholders in cyberspace. As some of these processes wind down (for example, the Global Commission) and others wind up (for example, the OEWG), cyber norms are at a crossroads where each process’s potential (and problems) looms large.

On October 29, 2019, the University of Pennsylvania’s Perry World House and the Carnegie Endowment for International Peace convened a one-day workshop titled “Cyberspace and Geopolitics.” It brought together three dozen key stakeholders in the cyber norm discourse, including representatives of national governments, international organizations, nongovernmental entities, industry, and think tanks, alongside several chief information security officers and academics from international law and international relations. Participants assessed the various cyber norm processes both individually and collectively. This paper builds on the outcome of those discussions.

The workshop’s key takeaway was an embrace of the existing fragmentation of the cyber norm ecosystem. Participants saw the variety of cyber norm efforts not as detrimental but rather as an opportunity to broaden the base of engaged stakeholders and to deepen understandings of normative expectations within relevant communities. At the same time, the workshop highlighted four weaknesses that constrain the effectiveness of these frameworks individually and collectively:

  • Inherent characteristics of the cyber domain, especially its low barriers to entry to develop and to use cyber capabilities, that create serious multistakeholder cooperation problems, as states, corporations, proxy actors, and others all would need to adhere to norms
  • A lack of transparency about state behavior, which creates an inability to measure norm adherence to differentiate “aspirational norms” from actual “norms” and, within the latter category, to assess the breadth and depth of conformance by relevant actors
  • A dearth of great power cooperation to address this global public policy challenge, especially as geopolitics moves from identifying norms to internalizing them within relevant state and other stakeholder communities
  • A lack of clear incentives for internalizing norms—that is, articulating concrete benefits for adopting and internalizing one or more cyber norms or the costs that may follow a failure to do so

Four recommendations can address these issues:

  1. Focused research on specific cyber norms to measure their alignment with actual behavior in cyberspace and identification of potential gaps between them and among existing accords.
  2. A shared global database of cyber processes that can improve transparency on what each process does, who participates, and how its work is received in other processes (that is, what sort of cross-pollination is occurring versus triggering competing or conflicting norm proposals). For example, Carnegie’s Cyber Norms Index already tracks existing multilateral and bilateral accords relating to cyber norms.
  3. Research efforts to identify a menu of incentives to promote norm adoption and implementation, including a list of potential consequences that can follow cases of nonconformance.
  4. More multistakeholder engagement with great powers on exercising their power responsibly to improve the identification and operation of cyber norms for states and other stakeholder groups (for example, industry, civil society).

The paper is divided into four sections. The first section gives a short overview of the manifold forms of cyber threats and the various types of cyber norm processes they have spawned. The next section examines four case studies of cyber norm processes—the GGE, the OEWG, the Global Commission, and the Paris Call—while highlighting the existence of others. The section after that gives a collective assessment of these processes and their interactions. The paper concludes with a section examining the key takeaways and recommendations that emerged from the workshop.

This paper was originally published by the Carnegie Endowment for International Peace.
