Pressing pause: A new approach for international cybersecurity norm development

摘要

Over the last few years, the international community has devoted much attention to the topic of "international cyber norms". However, there appears to be a fundamental tension between these norm-development efforts and their real-world application as effective tools to reduce cyber risk and deter or prevent malicious state and non-state actors. Furthermore, in the current geopolitical climate, a broad agreement on global cyber norms seems improbable, as suggested by the lack of consensus in the course of the UN GGE 2017 process. In the meantime, government officials tasked with developing and deploying cybersecurity policy and law face day-to-day challenges and are operating on a different track. Questions continuously arise with respect to the role of the state in formulating cybersecurity standards, information sharing, active defense and privacy protection. These questions are dealt with mostly in the "civilian" cybersecurity sphere and are occurring largely under the radar of the global "international cyber norms" community. Against this backdrop, the paper suggests a shift in the approach to cyber norms. Its central thesis is that, at this juncture, rather than attempting to create a set of pre-defined aspirational norms aimed at achieving global stability, the international community should pay greater attention to discussions that are already occurring between cybersecurity regulators/authorities and should proactively support such discussions. Incremental and "bottom-up" processes, covering technical, policy and legal challenges at the domestic level, create fertile grounds for discussions that can be scaled up. This civilian, bottom-up approach is admittedly more mundane than the “aspirational cyber norms” track. Both tracks can and should continue to coexist in parallel, though the “civilian” track is more likely to result in a common taxonomy, legal/policy interoperability or common understandings that states can readily endorse, all of which could potentially ultimately lead to norms that enhance cybersecurity more pragmatically.