There are also some unique and practical challenges to promoting norms adoption. The unique challenge is that we are attempting to address relatively new, destabilizing behaviors. To the extent a norm is “something that is usual, typical, or standard,”45 drafting norms regarding future behavior is an interesting exercise. If everyone is already behaving a certain way, then a written norm is simply codifying existing practice. But if there is no “typical behavior,” then drafting a norm is an attempt to encourage common behavior in the future, even where there is not common behavior today. Simply declaring something desirable will not make it normative, so adoption needs to be promoted.
Second, there needs to be greater awareness of proposed norms by the entities that are capable of their implementation, as well as those the norms are meant to protect. Even with significant activity in the UN and a host of other fora, norms adoption is still in its relative infancy and much needs to be done to promote proposed norms and secure acceptance, particularly in certain parts of the world. This is why capacity building efforts in this area are so vital; organizations with greater capacity are more likely to effectively support norms adoption, and getting additional adherents is foundational to any global normative structure. Additionally, outreach must be done to those protected by norms, as they may be unaware of their potential impact. For example, there does not appear to be widespread awareness among Computer Emergency Response Teams (CSIRTs/CERTs) of the UN GGE norm concerning states not attacking national CSIRTs and using them for only defensive purposes. As discussed below, protected entities often will have a role in implementation and accountability (as well as the design of the proposed norm), but they cannot fulfill those roles if they have no awareness or insight into the proposals being made by state and non-state actors. It is clear that governments and international organizations need to do more to reach out to those communities that proposed norms are meant to help.
C. Norms Implementation
Following adoption, state and non-state actors must take concrete steps to implement a norm. There seems to be evolving consensus in the ongoing UN processes (OEWG and GGE) and in regional efforts that implementation is a priority.46 To some, implementation refers to the adoption of the norm, engaging in capacity building efforts and confidence building measures, or reaching more granular consensus on the meaning of an agreed-to norm.47 While these steps are important prerequisites to norms implementation, they do not serve to implement the norms themselves. For example, while capacity building is necessary to ensure that countries can secure themselves and have the bandwidth to engage internationally, one can build capacity without adopting or implementing norms. Similarly, while confidence building measures can help maintain the stability of cyberspace by facilitating the exchange of national views on cyber doctrine, establishing hotlines for rapid communications between national cyber experts, and encouraging the sharing of best practices and security standards, these too can be done without implementing norms. Rather, implementing a norm involves taking concrete steps to give it force. Domestically, this might include incorporating proposed norms into national policy, legislation, and military doctrine. Internationally, this might include citing a norm’s provisions when attributing attacks or taking diplomatic action. Operationalizing a norm in this way also serves to give it more precise definition.
Once norms are adopted and implemented there must be accountability for those who violate them. This raises the complicated issues of attribution and response, both of which have proven challenging in addressing cyber attacks.
To support a claim that a state or non-state actor has acted wrongfully requires credible attribution. This starts with collecting and analyzing evidence, and there is both technical and procedural work that can be done now to improve the quality and timeliness of attribution. More specifically, as with other technical disciplines, having well-accepted protocols for collecting and analyzing evidence is important to improving the quality of investigations. Thus, the standardization of investigative methods is important because it may reduce concerns over the integrity of evidence, even if attribution must be decided on a case-by-case basis. In addition to improving attribution as a technical matter, there is much that can be done to shorten the bureaucratic processes associated with making attribution decisions and then, when appropriate, making them public. The often long delay between an event and a declaration of responsibility is due, in no small part, to unclear or unwieldy processes for reaching such decisions at a national level and is exacerbated when several countries are involved in making collective attribution statements. Designing and exercising processes for reaching attribution at a national level and international level, and improving information sharing between countries, can significantly improve the timeliness and effectiveness of attribution statements and facilitate any further appropriate action.
Even after the evidence points to a given actor, the next step (attribution) may remain challenging. In the past, some state and non-state actors have asserted that attribution is impossible or requires absolute proof. But absolute proof is not required, and while attribution may be difficult, it is not as insurmountable as some have suggested. In the nation state context, attribution, whether in the cyber or physical realm, is often a political act, and while there is no particular agreed-upon standard of proof, countries still have a strong incentive to not make spurious allegations, lest they lose credibility. In short, what is needed is for attribution to be convincing to other countries and to the public.
Even if an aggrieved party is satisfied that a particular actor is responsible (and attribution has in fact occurred in international cases), holding actors truly accountable has also proven challenging, thus undermining the value of norms. After all, if there are no adverse consequences for those who violate accepted norms, those norms become little more than words on paper and they will be unlikely to discourage destabilizing activities.
Accountability for cyber attacks conducted by non-state actors is relatively straightforward and is predominately achieved through the imposition of civil or criminal responsibility under the domestic laws of the states concerned. There are certainly challenges in doing so, as the international nature of many cyber attacks and the technical challenges in collecting evidence may present obstacles to state action. But the way forward is conceptually clear: streamline international law enforcement processes and work to ensure that cyber criminals are identified and prosecuted.
Holding states accountable for norms violations is more challenging.48 This is because responding to an attack in cyberspace is heavily context dependent. As to whether accountability is demanded, state and non-state actors will weigh different factors; for example, a state responding to a norms violation may consider the political implications while a private sector company may consider the business and reputational repercussions. As to how a norms violation should be addressed, state actions available in response to a norms violation can be viewed along a continuum, as a response may be minor (e.g., a private complaint), significant (e.g., economic sanctions), or dramatic (e.g., a highly visible kinetic response). While there is not and will not be a one-size-fits-all response, clearly there must be meaningful consequences for violations of norms and international law. As past efforts to enforce norms have had limited success, more effective and timely responses are needed, recognizing that such responses should seek to minimize further instability.
Non-state actors are also working to ensure that norms violators are held accountable for their actions. For example, the GFCE49 combines government, civil society, and private sector members to help coordinate efforts to build capacity, a necessary prerequisite to norms adoption, implementation, and accountability. Additionally, the private sector has taken on an expanded role in attributing attacks, using both proprietary and public information to expose actors and describe the damage they have caused. Finally, some private sector entities have proposed or launched efforts, such as the “CyberPeace Institute,”50 that are designed to monitor and expose large cyber events in a more systematic way and potentially at greater scale.
Non-state actors should take a greater role in holding norms violators accountable for transgressions. The idea of private sector norms enforcement is not a new one: for instance, in 1977, during the anti-apartheid struggle in South Africa, General Motors promoted a set of widely-adopted principles for doing business (and not doing business) in that country, resulting in disinvestment by over 125 foreign businesses.51 More recently, and in a more symbolic vein, many companies (and governments) responded to the Saudi murder of opposition reporter Jamal Khashoggi by boycotting the Future Investment Initiative as a message of disapproval.52 These kinds of efforts bear further examination.
E. Communities of Interest
While a multistakeholder approach to norms adoption, implementation, and accountability is critical, harnessing the energies and capabilities of these groups is challenging. Governments often use the term “like-minded nations” to reflect a group of states with similar views, but there is no equivalent term that encompasses a collection of states, private companies, not-for-profit organizations (including standards organizations), civil society, and individuals that share views on a particular issue. This is important because the norms that have been proposed by the UN GGE and GCSC may affect different constituencies, and different organizations and members of society may be interested in advocating for certain norms more than others. Since governments, the private sector, the technical community, academia, and civil society are not monolithic entities, it is important to think about how to create a concerted as opposed to concentrated effort, one that engages diverse communities in norms-related issues.53 Creating Communities of Interest permits those having expertise in specific norms to work on their further development and implementation. For example, Computer Emergency Response Teams (CERTs/CSIRTs) may be particularly interested in implementing and monitoring the UN GGE norm aimed at protecting that community, just as those responsible for electoral systems may be particularly interested in the GCSC norm on electoral systems. Similarly, the Internet community could help advance, implement, and monitor the Commission’s proposed norm on protecting the public core of the Internet, and developers may be most interested in the norm involving product tampering.
The formation of a Community of Interest may be directed or an ad hoc, bottom-up process. The fact that members themselves may form a Community does not suggest that their development and success should be left to chance. Instead, it is important to focus on what makes a Community successful: (1) shared principles; (2) issue focus; (3) subject matter expertise; (4) financial and administrative support; and (5) a transparent process. In fact, it may be possible to identify a best-practice template of how Communities should be created and implemented, thus allowing various norm-setting processes to leverage a similar Community model. This would help reconcile different workstreams to ensure efficiency and focus, as well as leverage best practices for norms adoption, implementation, and accountability.