The authors discuss the need and potential for normative constraints on cyber aggression. They describe how norms tend to arise, review the history of governmental and private initiatives on cyber norms, and outline principles governing U.S. policy on the issue. The authors propose a bottom-up, "outside-in" agenda for the United States to encourage the development of norms to limit the most damaging forms of cyber aggression.
Competition and Restraint in Cyberspace
The Role of International Norms in Promoting U.S. Cybersecurity
- What is the extent of international agreement, if any exists, over what cyber norms should accomplish and how they should be implemented?
- How have international norms governing other types of activities become established?
- Do existing international norms provide potential models for restraining cyber competition?
Recent years have seen a mounting concern in the United States over foreign efforts to harm election security or legitimacy through cyber means, increased cyber espionage, and attacks of growing sophistication. The United States has been engaged for almost a decade in international negotiations over agreed normative constraints on such activities, but the prospects for a comprehensive international agreement appear dim.
In this report, the authors develop a renewed agenda for utilizing cyber norms to limit destabilizing behavior in cyberspace. To do so, they survey the literature on norms and norm emergence and describe the process by which norms tend to arise. They identify the common and conflicting interests that major states have in cyberspace, summarize the history of intergovernmental and private-sector initiatives on cyber norms, outline the principles governing U.S. policy on the issue since 2007, and survey current proposals for cyber norms.
Based on this analysis, the authors propose a bottom-up, "outside-in" approach to promoting cyber norms that would allow the United States to bypass current international disagreements to encourage the development of norms to constrain the most destructive and escalatory forms of cyber aggression.
- There is no clear, emerging consensus on the precise shape of cyber norms.
- The gap on cybersecurity issues between the United States and both China and Russia remains very wide, and there is limited room for mutually agreed restraints on behavior.
- Cyberspace has specific characteristics that may impede the development of norms to restrict state behavior.
- Norms can affect state behavior even when leaders disagree with them, and they can become established through "bottom-up" efforts rather than being imposed by governments.
- Norms tend to be more effective when they are simple rather than complex and emotive rather than dry.
- The current status of international discussions does not provide the basis for believing that any universal agreements on cyber norms are feasible in the near term.
- Bring U.S. policy into alignment with norms that would restrain destabilizing cyber attacks.
- Enhance existing initiatives on cyber norms, including building a common position on prohibited behaviors with allies.
- Support efforts by nongovernmental entities to expand commitment to cyber norms.
- Impose costs on states that violate emerging cyber norms.
- Reaffirm and expand confidence-building mechanisms regarding cyber norms with Russia and China, and propose a working group with either or both to build toward limited areas of consensus and develop rules of engagement.
- Work to gain congressional approval of an institutional home within the U.S. government for the process of cyber norm development.
- Articulate bilateral, informal commitments with other powers to refrain from certain categories of cyber aggression.
- Convene intergovernmental, multistakeholder processes to gather a critical mass of partners in the effort.
- Identify specific normative constraints for general agreement, including prohibitions on the following: cyber attacks on critical infrastructure, direct interference in or manipulation of electoral and political processes, and activities designed to damage the availability or integrity of the public core of the internet.
Table of Contents
The Challenge of Norms in Cyberspace
The Current Status of International Dialogues on Cyber Norms
Identifying Next Steps in Cyber Norm Development