OPEN ACCESS
While other disciplines like law, sociology, and computer science have engaged closely
with the Information Age, international relations scholars have yet to bring the full analytic
power of their discipline to developing our understanding of what new digital technologies
mean for concepts like war, peace, security, cooperation, human rights, equity, and power.
This series brings together the latest research from international relations scholars—particularly
those working across disciplines—to challenge and extend our understanding of
world politics in the Information Age.
Governing Cyberspace: Behavior, Power, and Diplomacy, edited by Dennis Broeders and
Bibi van den Berg
Governing Cyberspace
Behavior, Power, and Diplomacy
Edited by
Dennis Broeders
Bibi van den Berg
All rights reserved. No part of this book may be reproduced in any form or by any
electronic or mechanical means, including information storage and retrieval systems,
without written permission from the publisher, except by a reviewer who may quote
passages in a review.
Contents
Acknowledgments
Index
About the Editors and Contributors
Acknowledgments
This book resulted from the inaugural conference of the Hague Program
for Cyber Norms, titled “Novel Horizons: Responsible Behaviour in Cyberspace,”
which was held in the Hague on November 5–7, 2018. The editors
thank the participants for a great conference and especially those that submitted
their work for this edited volume.
A first round of editorial comments was done for the conference itself,
and we thank Liisi Adamson, Els de Busser, Ilina Georgieva, and Zine Homburger,
who were at the time all affiliated to the program, for their editorial
contribution. We also thank Corianne Oosterbaan for all her hard work organizing
the conference and her invaluable help with the editorial process.
Lastly, we would like to thank the Dutch Ministry of Foreign Affairs who
generously fund the Hague Program for Cyber Norms and all of its activities
and publications.
The Hague, 2.12.2019
Dennis Broeders and Bibi van den Berg
Chapter 1
Governing Cyberspace
Behavior, Power, and Diplomacy
Dennis Broeders and Bibi van den Berg
WELCOME TO CYBERSPACE
When states look at cyberspace, they do not necessarily see the same as
most end users do. Sure, they see the massive added value in terms of the
digital economy and, like their citizens, they have difficulties imagining life
without the constant interactions and communication that is the bedrock
of modern digital society. However, many parts of the government see
cyberspace increasingly as a source of threat, insecurity, and instability.
Where states looked at the early stages of the development of cyberspace
with a certain degree of “benign neglect,” it became much more of a government
interest when the digital economy started off in earnest. Now,
states increasingly view cyberspace through a lens of security. Not just
in terms of cybercrime but more and more in terms of the high politics of
international security (Klimburg 2017; Segal 2016; DeNardis 2014; Deibert
2013; Betz and Stevens 2011). Many states have formally declared the
cyber domain to be the fifth domain of warfare—after land, sea, air, and
space—and increasingly states conduct intelligence and pseudo-military
operations in the cyber domain that fall short of “cyber war” but do create
a permanent state of “unpeace” (Kello 2017; see also Boeke and Broeders
2018). Cyber-attacks among states, or at least those that come
out into the open, seem to be intensifying in terms of damage and impact,
and provoke reactions from states and corporations. Cyber operations like
WannaCry and NotPetya, politically attributed to North Korea and Russia,
respectively, were both damaging and indiscriminate, which added to the
feeling of vulnerability in the digital domain. However, even with NotPetya,
of which the global damages have been estimated at roughly $10 billion
(Greenberg 2018), no state was willing to say this operation was in violation
The possible negative effects of the use of ICTs for international peace
and security were flagged by Russia in 1998 when it submitted a resolution
on “Developments in the field of Information and Telecommunications in
the context of International Security” to the UN’s First Committee, which
deals with disarmament and international security (UNGA 1999). While
recognizing that the Internet brought many good things, Moscow feared an
arms race in this new domain and aimed for the negotiation of a treaty that
would ban the use of information weapons in order to prevent information
wars. To some extent, Russia feared in 1998 what many now consider Moscow
to be the best at: information operations and the spread of disinformation.
Russia was aiming for a new treaty specifically for cyberspace but ran
into Western resistance to the notion that cyberspace needed lex specialis.
Western states, in this field often loosely assembled under the heading of
the “like-minded” states, depart from the notion that international law,
including International Humanitarian Law, applies in the digital domain as
it does in the “real world.” The UN Group of Governmental Experts (UN
GGE) process was started in 2004 to create a venue at the UN level for
deliberation of the issue without going down the road of a treaty. Out of five
iterations of the process, the group of experts produced a consensus report
three times; the main yields were the principle, in 2013, that international law
applies in cyberspace and the formulation of a number of nonbinding norms
for responsible state behavior in the 2015 consensus report (UN General
Assembly 2010, 2013, 2015). After the 2017 round of the UN GGE failed
to achieve consensus, there were many reports of the “death of the norms
process” (see, e.g., Grigsby 2017), but in November 2018, the UN General
Assembly voted on two parallel and competing resolutions. The first was
submitted by the United States and supported by the “like-minded” states
calling for a new round of the GGE. The second was submitted by Russia
and called for an Open-Ended Working Group (OEWG) to discuss roughly
the same issues. Both were voted through by the General Assembly in substantial
and significantly overlapping numbers, and the twin processes
started in 2019.
In a parallel trajectory to the diplomatic processes at the UN and regional
organizations, international legal scholars embarked on a project to flesh
out how exactly international law applies in cyberspace. This project under
the sponsorship of the NATO CCDCOE—which does not make it a NATO
project—resulted in the Tallinn Manual (2013) and the Tallinn Manual 2.0
in 2017 (Schmitt et al. 2013, 2017). Both are academic, nonbinding studies
on how international law applies to cyber conflicts and cyber warfare and on
many issues contain majority and minority opinions. The first manual focuses
on the jus ad bellum and International Humanitarian Law and the second
focuses on cyber operations that are “below the threshold” of armed conflict,
or “peacetime operations.” The Tallinn manuals are the most comprehensive
analyses of International Humanitarian Law and cyberspace available and
serve as an important reference point. However, and as indicated before,
states are reluctant to refer to (specific principles of) international law when
they publicly address cyber operations and conflict, leading Efrony and
Shany (2018) to refer to the manual as “a rulebook on the shelf.” Many legal
scholars in this field work on different aspects of international law and how
these relate to state operations in the cyber domain. In this volume, Roguski
(2020) analyses the principle of territorial sovereignty in cyberspace through
a lens of an “intrusion-based approach” and Tsagourias (2020) looks at cyber
interference with election processes in light of the legal principle of non-intervention.
Principle by principle and case by case, legal scholars are adding
to the growing literature on the application of international law to state
behavior in cyberspace.
The limited diplomatic progress on the application of international law to
cyberspace also led to what is called the cyber-norms process, both in diplomatic
practice and in academia. The 2015 UN GGE consensus report included
a section on “general non-binding, voluntary norms, rules and principles for
responsible behaviour of states.” This section contained eleven “new” recommendations
for norms and gave an impetus to the international debate about
cyber norms. These norms are often juxtaposed with international law. The
states that participate in the GGE process went the route of norms, in part
because achieving agreement on the question of how exactly international law
applies to cyberspace proved too big a task for the negotiations. However, it
is also misleading to set norms and international law totally apart from each
other in this domain. In this volume, Adamson (2020) highlights the fact
that many of the norms in the 2015 UN GGE report actually reflect existing
international law. Norms and international law can and do mutually reinforce
each other and should not be seen as two completely different and parallel
discourses.
International law and international norms—as well as Confidence Building
Measures (CBMs), which are also part of the GGE process—all serve
the same basic function in the context of cyberspace. They are all meant
to make state behavior more predictable—especially in times of conflict—
when operating in a context that is unpredictable and where actions are
easy to obfuscate and misinterpret. Norms and international law serve to
set benchmarks against which we can measure and evaluate state behavior
and call actors out on bad behavior. International law would be the gold
standard for this but is problematic for two reasons. Firstly, because it has
proven hard to get substantial agreement on the question of how specific
principles of international law apply in cyberspace. Secondly, because
many of the cyber operations that have states worried are below-the-threshold
operations and, moreover, they are usually executed by intelligence
agencies and proxy actors, which are not meaningfully regulated
by international law in the first place (Boeke and Broeders 2018; Maurer
2018). In order to make some progress, academics and states have gone
down the route of norms.
Norms have been a part of the academic debate for far longer than the rise
to fame of the cyber-prefix. In international relations theory, Peter Katzenstein’s
definition of a norm is often the point of departure. According
to him, a norm in international politics is “a collective expectation for the
proper behaviour of actors with a given identity” (Katzenstein 1996, 5). This
implies that there is some sort of community that has—or develops—an idea
of what appropriate behavior is. And even though there is no enforcement
mechanism in place, the community expects its members to behave in a certain,
appropriate way. In the cyber-norms discourse that community is often
equated with states, especially in the diplomatic, state-led norms debate,
even though many other public and private actors populate the cyber domain
and even dominate important aspects of Internet governance. Finnemore and
Sikkink (1998) argue that norms are often championed by a norms entrepreneur
and when successful the norm they champion goes through a norms
cycle. This cycle starts with “norms emergence,” in which the role of the
norms entrepreneur(s) to propagate the norm is vital. If their advocacy for
the norm is successful, the community to which the norm should apply may
reach a tipping point which leads to the second stage, labeled the “norms cascade.”
During this phase, the pioneering work of the norms entrepreneur gets
taken over by many other actors within the community who see the norm
as central to their identity and propagate its spread. In the last stage, actors
“internalize” the norm into their everyday behavior and the norm effectively
comes to serve as a benchmark for appropriate behavior. Finnemore
and Hollis (2016) have taken this classic approach to norms creation into the
cyber domain and highlighted the dynamic and interdependent character of
cyber norms. They also found that much of the debate about norms in this
domain was (too) centered on norms as an end goal and not enough on the
value of the process itself. Kurowska (2019) takes that argument further and
emphasizes that the classic model of the norms cycle—perhaps especially
in the cyber-norms debate—often has a teleological character and does not
take norms contestation into account as an important part of the model. This
blind spot has consequences not only for the empirical analysis of the norms
process but also for the legitimacy of the norms process as a political and
a policy process: “a norm that cannot be contested, cannot be legitimate”
(Kurowska 2019, 8).
Cyber norms as they stand today are highly contested among governments,
despite the efforts of diplomats over the last decades. Moreover, the community
to which the norms apply—and who feel part of it as norm entrepreneurs—is
by no means convincingly demarcated. States consider themselves
to be the core community, but civil society and corporations are increasingly
vocal about their place and role in this normative and regulatory domain and
engage with the norms debate of their own accord. In this volume, Eggenschwiler
and Kulesza (2020) analyze the role of a number of civil society and
corporate initiatives that engage with and shape the norms debate. Gorwa
and Peez (2020) and Hurel and Lobato (2020), both also in this volume, analyze
the role, goals, and strategies of Microsoft, which has put itself forward as
a major actor in the international cyber-norms debate.
However, the diplomatic track does not easily open up to “outside” actors
even when it has failed to make much substantial progress on the issue. The
2015 UN GGE norms may be agreed upon but are in the words of Maurer
(2019) “considered voluntary, defined vaguely, and internalized weakly.”
After the attacks on the Ukrainian grid in December 2015, many wondered
why this was not called out as a violation of the norm that states do not attack
critical infrastructures in peacetime as formulated in the 2015 UN GGE consensus
report.1 Now that the stalemate that came into being after the 2017
round of the UN GGE failed to produce consensus has been replaced with the
political surprise of the creation of two UN processes in 2018, states bear a
great responsibility for moving the process forward. If they do not, the UN is
unlikely to remain the focal point for discussion. And while the United States
is heavily invested in the GGE as a format and Russia is heavily invested in
the OEWG, and more generally in the idea of a multilateral approach, the
differences of opinion remain substantial.
Meanwhile, cyber norms are also emerging through state practice rather
than diplomatic agreement. States engage in certain behavior in cyberspace:
they conduct cyber operations, develop (military) cyber doctrine, change
cybersecurity policies and thus create new facts on the digital ground. States
also draw red lines that are either respected or violated. When violated, some
are met with consequences and some are not. All of this is norm-setting
behavior. Actual state behavior shapes normative behavior but is “implicit,
poorly understood, and cloaked in secrecy” (Maurer 2019). A good example
of that is the norm-setting behavior of intelligence agencies that is analyzed
by Georgieva (2020b) in this volume (see also Georgieva 2020a). Power relations
and actual state behavior go a long way in explaining how state relations
in cyberspace develop.
One complicating factor of state relations is the Orwellian notion that all
states are equal, but some are more equal than others. Even the UN, an
organization founded on the principle of the equality of sovereign states,
acknowledges this through the mechanism of the five permanent members of
the Security Council that hold a veto. As “cyber” rose to the top of the international
and national security agenda, geopolitics and strategic considerations
became more prominent in the debate about responsible state behavior in
cyberspace. States may agree that cyberspace is a source of threats to national
security, but simultaneously it is also a possible strategic military advantage,
especially to the top-tier cyber powers. Powerful states are usually reluctant
to give up capabilities, especially when it is uncertain that others will do the
same (Broeders 2017). Countries like the United States, China, Russia, the
United Kingdom and Israel, but also Iran and North Korea, have invested
heavily in military and foreign intelligence capacity to operate in cyberspace.
Other countries have followed suit to different degrees, creating a landscape
in which operational cyber capacity and cyber power are unequally divided
among states.
Moreover, in recent years, the global balance of power has been shifting.
American global dominance is challenged by the rising star of China.
While China’s cyber power is still mostly focused on (economic) espionage
and control on the domestic information sphere, rather than all-out military
cyber power, China is also asserting itself as a tech developer and vendor
at the global level as one of the underpinnings of its status as an economic
superpower (Inkster 2016). Russia is trying to reassert itself in terms of being
a key player in international cyber peace and security. In cyberspace it does
so by—allegedly—being one of the most active cyber powers operating
below the threshold of armed conflict in the networks of a great number of
countries, as well as by being one of the leading countries in the diplomatic
processes on responsible state behavior in cyberspace (see Kurowska 2020 in
this volume). China and Russia are also formally and informally aligned on
a number of foreign policy objectives, including in the cyber domain. They
present a seemingly united front to the world, largely aimed at countering US
hegemony, but underneath the façade of unity there are also structural differences
that may put cracks into Sino-Russian cooperation in the longer run
(Broeders, Adamson, and Creemers 2019).
As a general principle, all states want other states to be bound by a framework
of rules while retaining as much room to maneuver as possible for themselves.
Great powers like strategic ambiguity in military affairs (Taddeo 2017) and
exceptionalism in political affairs. To global powers, like the United States,
China, and Russia, the latter is almost an informal doctrine: they all apply a
sense of exceptionalism to themselves. China and Russia have clear, explicit,
and extensive rules and regulations with regard to cyberspace for their own
territories, and (global) companies wishing to do business there must comply
or else face the consequences. In this volume, Hoffman (2020) analyses the
ways in which China has dealt with US pushback on freedom of expression
surrounding Google’s entry into the Chinese market.
Russia and China both rally around the idea of “cyber sovereignty” as
one of the main organizing principles for interstate relations in cyberspace
(see Creemers 2020 and Kurowska 2020 in this volume). To these countries,
cyber sovereignty means control over the domestic information sphere
internally, and strict adherence to the principle of non-intervention and self-determination
externally. Both China and Russia see information operations
in their nation’s information sphere as the greatest ICT-related threat. Ironically,
what Moscow fears most is what it is generally considered to be best
at: information operations and the spread of mis- and disinformation. More
in general, “sovereignty” is a bone of contention between Western states and
authoritarian states. In this volume, Creemers (2020) highlights that tension
in the Chinese case: “China’s definition of sovereignty primarily concerns the
integrity of its political structure, while Western states consider this a defence
of exactly those abuses that the more conditional, post-Cold War reading of
sovereignty sought to curtail” (Creemers 2020, 112). Moreover, for countries
like China and Russia, sovereignty is not the same for all states: the sovereignty
of great states is of a different order than that of smaller states. Great
power status is paired with exceptionalism. In the eyes of both Russia and
China, the Pax Americana was built on American exceptionalism—“do as I
say, don’t do as I do.” Their (rise to) great power status will likewise be built
on the idea of exceptionalism, which in turn will influence their views and
role in disrupting, reforming, and building the future world order (Broeders,
Adamson, and Creemers 2019). The cyber order will be shaped by great
power politics, which is currently and for the foreseeable future in flux.
It is also interesting to see how less powerful states seek to navigate the
power divides in cyberspace, aligning themselves with one power bloc on
some issues, while choosing to align themselves with a competing power
bloc on others. In this volume, Shires (2020) looks at states in the Middle
East—a complex region with multiple allegiances on different issues—
and shows how “their regulations, laws, and participation in international
institutions places them with Russia, China, and other proponents of cyber
sovereignty; on the other, their private sector cybersecurity collaborations,
intelligence relationships, and offensive cyber operations are closely aligned
with the USA and Europe” (Shires 2020, 205–206). For many countries, then,
determining their position on security, international law, and norms is often
an undertaking characterized by a degree of ambiguity.
In the practice of everyday cyber diplomacy, the inequality between sovereign
states often means that smaller states favor and support the development
of a rules-based order, engaging, for example, in cyber-norms entrepreneurship
(Adamson and Homburger 2019), while larger states engage with these
processes but allow themselves at least a certain degree of strategic ambiguity.
While Russia and the United States may be the primary instigators of the UN
processes that seek to define how international law applies in cyberspace and
which cyber norms could help shape state behavior, they are also the states
that shift the goalposts on these issues through their actual behavior and advances
in national (military) doctrine and operations. In terms of espionage (NSA
mass surveillance, Chinese economic espionage, Russian digital sabotage),
the “militarization” of cyberspace (building up military cyber commands)
and the return of information operations (Russian influence operations, most
notably interference with the 2016 US presidential election) it has been state
practice, not laws and rules, that set the tone. Development in military cyber
doctrine in some of the top-tier countries also points in the direction of a
more aggressive posture in cyberspace. For example, the US Department of
Defense (DoD) cyber strategy states that US cyber forces are in “persistent
engagement” with their adversaries and, therefore, need to “defend forward”
and “continuously contest” those adversaries, creating more possibilities for
escalation of cyber conflict, even though the intention may be the opposite
(Healey 2019). States interpreting the actions and intentions of other states
erroneously is a classic source of instability as it can lead to the unintended
escalation of conflict, a dynamic captured by the idea of the classic security
dilemma (Jervis 1978). As Buchanan (2016) has shown, cyberspace provides
an excellent context for what he calls a cybersecurity dilemma, highlighting
how misinterpretation and escalation of conflict in cyberspace may emerge
easily. Therefore, stability in cyberspace may be best served by consciously
preparing for the moment that states wrongly interpret the actions of their
adversaries. In addition to international law and cyber norms, the world also
needs Confidence Building Measures (CBMs) as the third part of the triptych
to avoid (unwanted) escalation of conflict in cyberspace (Kavanagh and Crespo
2019). Even though they are widely considered to be vital, CBMs mainly
play a useful role when the escalation of (cyber) conflict is unintentional
(Pawlak 2016, 135). When states intentionally seek to escalate a conflict,
CBMs are useless: in that case the red phone may ring, but will not be picked
up. In spite of the realities of power politics, a rules-based order—international
law foremost and to a certain degree norms—is still the most promising
route to stability in cyberspace. International law does not always prevent
hostilities; it does, however, provide a benchmark by which to judge
and call out state behavior that is in breach of laws and norms.
NEGOTIATING CHANGE
2019. The fact that twenty-five UN member states will again meet to discuss
the application of international law to the cyber domain and cyber norms
is in itself not a guarantee for success, although sources say that the 2017
round found quite a lot of common ground, in addition to the disputes that
eventually blocked consensus. As the General Assembly of the UN thickened
the diplomatic cyber plot by also voting through the Russian resolution that
called for the installation of an Open-Ended Working Group (OEWG), the
revival of the UN GGE is in no way “business as usual.” Russia has claimed
the moral high ground and played the card of international political legitimacy.
The Russian delegation built its case for the OEWG on the principle
that it is open to the participation of all states and renounced the UN GGE as
“the practice of club agreements that should be sent into the annals of history”
(cited in Kurowska 2019). As one of the permanent members of the Security
Council, Russia is assured of a seat in that club, but given its sponsorship
of the OEWG resolution the stakes are high. The parallel tracks have ushered
in a state of Mutually Assured Diplomacy: it is more than likely that either
both processes yield a result or that both will fail (Broeders 2019). If one fails
on account of one political camp, the other camp is likely to respond in kind
and derail the other process. This will complicate an already difficult process.
Getting agreement on how existing international law applies to cyberspace—
generally agreed to be the stumbling block of the 2017 GGE round—now
has to be navigated in two processes that are at once separate and joined at
the hip. Add in the new geopolitics of technical Internet governance and rising
tensions about the permanent state of “unpeace” in cyberspace and those
working on the diplomatic challenges of cyberspace stability and Internet
governance have their work cut out for them.
NOTES
BIBLIOGRAPHY
Adamson, L. and Z. Homburger. 2019. “Let Them Roar: Small States as Cyber Norm
Entrepreneurs.” European Foreign Affairs Review 24 (2): 217–234.
Betz, D. and T. Stevens. 2011. Cyberspace and the State. Towards a Strategy for
Cyber-Power. Abingdon: Routledge for the IISS.
Boeke, S. and D. Broeders. 2018. “The Demilitarisation of Cyber Conflict.” Survival
60 (6): 73–90.
Broeders, D. 2015. The Public Core of the Internet. An International Agenda for
Internet Governance. Amsterdam: Amsterdam University Press.
Broeders, D. 2017. “Aligning the International Protection of ‘The Public Core of the
Internet’ with State Sovereignty and National Security.” Journal of Cyber Policy
2 (3): 366–376.
Broeders, D. 2019. “Mutually Assured Diplomacy: Governance, ‘unpeace’ and
Diplomacy in Cyberspace.” Global Policy—Digital Debates 2019 6: 26–29.
Broeders, D., L. Adamson and R. Creemers. 2019. Coalition of the Unwilling?
Chinese and Russian Perspectives on Cyberspace. The Hague Program for Cyber
Norms Policy Brief. November 2019.
Broeders, D., S. Boeke and I. Georgieva. 2019. Foreign Intelligence in the Digital
Age. Navigating a State of “unpeace.” The Hague Program for Cyber Norms
Policy Brief. September 2019.
Buchanan, B. 2016. The Cybersecurity Dilemma: Hacking, Trust and Fear Between
Nations. Oxford: Oxford University Press.
Creemers, R. 2020. “China’s Conception of Cyber Sovereignty: Rhetoric and Realization.”
In Governing Cyberspace: Behaviour, Power and Diplomacy, edited by
D. Broeders and B. van den Berg. London: Rowman & Littlefield.
Deibert, R. 2013. Black Code. Inside the Battle for Cyberspace. Toronto: Signal.
DeNardis, L. 2014. The Global War for Internet Governance. New Haven and London:
Yale University Press.
Efrony, D. and Y. Shany. 2018. “A Rule Book on the Shelf? Tallinn Manual 2.0 on
Cyber Operations and Subsequent State Practice.” American Journal of International
Law 112 (4): 583–657.
Eggenschwiler, J. and J. Kulesza. 2020. “Non-State Actors as Shapers of Customary
Standards of Responsible Behaviour in Cyberspace.” In Governing Cyberspace:
Behaviour, Power and Diplomacy, edited by D. Broeders and B. van den Berg.
London: Rowman & Littlefield.
Finnemore, M. and D. Hollis. 2016. “Constructing Norms for Global Cybersecurity.”
The American Journal of International Law 110: 425–479.
Finnemore, M. and K. Sikkink. 1998. “International Norm Dynamics and Political
Change.” International Organization 52: 887–917.
GCSC. 2019. Advancing Cyberstability. Final Report of the Global Commission on
the Stability of Cyberspace, November 2019.
Georgieva, I. 2020a. “The Unexpected Norm-Setters: Intelligence Agencies in Cyberspace.”
Contemporary Security Policy 41 (1): 33–54.
Georgieva, I. 2020b. “The Power of Norms Meets Normative Power: On the International
Cyber Norm of Bulk Collection, the Normative Power of Intelligence
Agencies and How These Meet.” In Governing Cyberspace: Behaviour, Power
and Diplomacy, edited by D. Broeders and B. van den Berg. London: Rowman &
Littlefield.
Gorwa, R. and A. Peez. 2020. “Big Tech Hits the Diplomatic Circuit: Norm Entrepreneurship,
Policy Advocacy, and Microsoft’s Cybersecurity Tech Accord.” In
Governing Cyberspace: Behaviour, Power and Diplomacy, edited by D. Broeders
and B. van den Berg. London: Rowman & Littlefield.
Greenberg, A. 2018. “The Code That Crashed the World.” Wired, September 2018:
53–63.
Grigsby, A. 2017. “The End of Cyber Norms.” Survival 59 (6): 109–122.
Healey, J. 2019. “The Implications of Persistent (and Permanent) Engagement in
Cyberspace.” Journal of Cybersecurity 5 (1): 1–15.
Heinl, C. 2018. “Cyber Dynamics and World Order: Enhancing International Cyber
Stability.” Irish Studies in International Affairs 29: 53–72.
Hill, S. and N. Marsan. 2020. “International Law in Cyber Space: Leveraging
NATO’s Multilateralism, Adaptation and Commitment to Cooperative Security.”
In Governing Cyberspace: Behaviour, Power and Diplomacy, edited by D. Broeders
and B. van den Berg. London: Rowman & Littlefield.
Hoffman, G. 2020. “Cybersecurity Norm-Building and Signaling with China.” In
Governing Cyberspace: Behaviour, Power and Diplomacy, edited by D. Broeders
and B. van den Berg. London: Rowman & Littlefield.
Hurel, L.M. and L.C. Lobato. 2020. “Cyber-Norms Entrepreneurship? Understanding
Microsoft’s Advocacy on Cybersecurity.” In Governing Cyberspace: Behaviour,
Power and Diplomacy, edited by D. Broeders and B. van den Berg. London:
Rowman & Littlefield.
Inkster, N. 2016. China’s Cyber Power, Adelphi 456. Abingdon: Routledge for the
IISS.
Jervis, R. 1978. “Cooperation under the Security Dilemma.” World Politics 30 (2):
167–214.
Katzenstein, P., ed. 1996. The Culture of National Security: Norms and Identity in
World Politics. New York: Columbia University Press.
Kavanagh, C. and L. Crespo. 2019. “Confidence Building Measures and ICT.” European
Foreign Affairs Review 24 (2): 187–202.
Kello, L. 2017. The Virtual Weapon and International Order. New Haven and London:
Yale University Press.
Klimburg, A. 2017. The Darkening Web. The War for Cyberspace. New York: Penguin
Press.
Klimburg, A. and L. Faesen. 2020. “A Balance of Power in Cyberspace.” In Governing
Cyberspace: Behaviour, Power and Diplomacy, edited by D. Broeders and B.
van den Berg. London: Rowman & Littlefield.
Kurowska, X. 2019. The Politics of Cyber Norms: Beyond Norm Construction
Towards Strategic Narrative Contestation. EU Cyber Direct: Research in Focus.
Kurowska, X. 2020. “What Does Russia Want in Cyber Diplomacy? A Primer.” In
Governing Cyberspace: Behaviour, Power and Diplomacy, edited by D. Broeders
and B. van den Berg. London: Rowman & Littlefield.
Maurer, T. 2018. Cyber Mercenaries. The State, Hackers and Power. Cambridge:
Cambridge University Press.
The international community has recognized the need for “rules of the road”
in cyberspace not only for individuals and private sector actors but also for
states. The issue of responsible state behavior in the context of international
peace and security was raised by the Russian Federation already in 1998
when it called for an international dialogue under the auspices of the United
Nations (UN) (UNGA 1998; UNGA 1999). Over the past two decades that
regulatory discussion pertaining to cyberspace has evolved from a possible
multilateral treaty to application of existing international law, and to the
development and application of cyber norms.
Norms of responsible state behavior in cyberspace, more commonly referred
to as cyber norms, have developed into a very broad research focus that can
be part of various discourses in the realm of cybersecurity. Norms,
in general, can be found everywhere, from everyday interactions to norms that
have been codified as law. Yet, in the interactions between states as well as in
the academic discourse cyber norms and international law are often perceived
as two different tracks of regulatory approaches. Mainly inspired by the work
of the United Nations Group of Governmental Experts on Developments in
the Field of Information and Telecommunications in the Context of Interna-
tional Security (hereinafter UN GGE), norms in cyberspace are increasingly
approached as nonbinding and voluntary in nature. The latter aspect is often
interpreted as being a pathway to easier consensus in a challenging realm. At
the same time, international law is portrayed as a binding source of normative
behavior, application of which often leads to contestation among states.1
This chapter argues that norms and international law are not detached from
each other. Instead, they are mutually reinforcing and ought to not be seen
20 Liisi Adamson
as two completely different parallel discourses. At the same time, not all
norms are to be seen as international laws. Instead, norms of responsible state
behavior ought to be seen in terms of continuums. A first continuum focuses
on the spectrum from nonbinding norms to hard law. A second continuum
emphasizes the specificity of norms.
Thus, the article first elaborates on the move to international law in the
cybersecurity and state behavior discourse from a historical perspective.
Second, the article explains the origins of the cyber-norms discourse and
how the norms discourse was and is seen as an easier avenue to consensus
after the contesting approaches to the application of international law.
However, the opaque nature of the concept of nonbinding, voluntary norms
in the context of cybersecurity can hamper the implementation of said norms.
Furthermore, one could argue that cyber norms now mean everything and
nothing at all. Last, the article argues that the binary dialogue of international
law versus norms could be undermining the whole discourse. Instead, norms
and international law ought to be seen as building on each other.
The Catalyst
A broader discussion on the regulation of cyberspace started a little over a
decade ago. The catalyst for a deeper regulatory discussion was the denial-
of-service (hereinafter DoS) and distributed-denial-of-service (hereinafter
DDoS) attacks against the Estonian government, e-services and financial
sector in April–May 2007 (Tikk et al. 2010, 14–35). This incident made it
visible to the international community how vulnerable ICT-reliant states can
be (Aaviksoo 2010). Although there was no physical damage to the servers,
systems, and X-road infrastructure,4 the DoS and DDoS attacks halted the
functioning of several governmental vital services, which at the very least
caused financial damage, but more importantly showed where digital states
are vulnerable. Moreover, due to the supposed involvement of a neighboring
government, this was also the first time tensions between states moved to a
completely new realm of actions.5 If the attacks had been attributed to Russia
as a state, it would have been a clear indication that cyber operations have
moved qualitatively to a different level and have become politicized. The
2007 Estonia attacks showed that there is a new possible domain for interstate
conflict, which was promptly proven during the 2008 Georgia–Russia war.
A rise in state-sponsored offensive activity in cyberspace led to calls for a
secure and stable cyberspace in multiple avenues.6
Besides the diplomatic process among states under the aegis of the UN, the
Estonian incident in 2007 and Iranian Stuxnet incident in 2010 also led to the
start of the Tallinn Manual process.7 It was one of the first academic initia-
tives and focused on putting forth an interpretation of existing international
law pertaining to conflict and laws of war (jus ad bellum and jus in bello).
The focus on conflict was understandable due to the catastrophic picture that
was painted by policy makers and academics alike of the effects that cyber
incidents could have.8 Stuxnet had after all signified another qualitative leap
from politically motivated operations to offensive state-sponsored cyber
operations. It also raised questions of low-intensity conflict (Buchan 2012;
O’Connell 2012) and assured the academics working on the normative frame-
work for cyber operations and laws of armed conflict. Even though Stuxnet
was never attributed to a state, the technical analysis left no doubt that at the
very least, the offensive operation was backed by a nation-state (De Falco
2012), which once again emphasized the necessity to address the application
of international law in cyberspace. The Tallinn Manual project was
spearheaded by the then newly created NATO Cooperative Cyber Defence Centre of
Excellence, a NATO-accredited cyber defence hub, established in Tallinn,
Estonia, in 2008. Ever since, the NATO CCD COE has become one of the
strongest academic voices in the discussion revolving around the application
of international law to cyberspace and operations.
After 2007, the conflict-focused regulatory discourse rebooted the UN
GGE process, which convened after a five-year hiatus for their 2009–2010
session under the chair of Russia. Even though the United States, Russia’s
strategic contestant and another cyber power, still did not want to discuss
the negotiation of a cybersecurity treaty, the new Obama administration
broke the deadlock in discussions and shifted conversation from a possible
multilateral treaty to responsible state behavior. Since 2009, the Obama
administration advocated a general approach that favored the development of
multilateral norms for responsible state behavior in cyberspace. The Cyber-
space Policy adopted in 2009 emphasized that the “United States cannot suc-
ceed in securing cyberspace if it works in isolation” (The White House 2009,
iv), which was a contrast to the policy of Obama’s predecessor. The policy
continued stating that “international norms are critical to establishing a secure
and thriving digital infrastructure” (The White House 2009, 20). The Obama
administration adopted an outward-looking and “norms-based” approach to
International Law and International Cyber Norms 23
The Progress
The task for the 2009/2010 UN GGE was identical to the previous UN GGE
in 2004/2005: to study both the threats in the sphere of information security
as well as suggest cooperative measures to strengthen the security of global
information and communication systems. This time the UN GGE identified
several motives for disruption, sources of threats as well as objectives. The
2009/2010 session resulted in a consensus report outlining the main threats
stemming from the development and use of ICTs to international peace and
security, such as the terrorist use of ICTs, ICTs as instruments of warfare and
intelligence, attribution issues, use of proxies, protection of critical infrastruc-
tures, ICT supply chain security, and ICT capacity and security differences
among states (UNGA 2010). Ever since, the UN GGE has become one of
the most important avenues for regulatory discussion pertaining to the main-
tenance of international peace and security and the development and use of
ICTs.12 Bringing together strategic contestants, agile tech adopters and devel-
oping countries, the UN GGE has offered a venue to discuss which threats
result from the development and the use of ICTs to international peace and
security and how to prevent and mitigate such threats through the application
of norms, international law, confidence-building measures13 and capacity-
building measures.14
During the hiatus year of the UN GGE, the Russian Federation attempted
to propose another opportunity for a negotiation of a cybersecurity treaty.
Namely, in 2011, the Russian Ministry of Foreign Affairs put forth a Draft
Convention on International Information Security (The Ministry of Foreign
Affairs of the Russian Federation 2011). The general values and ideas of the
convention were the same as in the original 1998 resolution proposal. The
overall aim of the convention was to prevent “possible uses of information
and communication technology for purposes not compatible with ensuring
international stability and security” (The Ministry of Foreign Affairs of the
Russian Federation 2011). With a heavy focus on sovereignty and the gov-
ernance of a “sovereign information space,” the convention did not find sup-
port among the like-minded Western allies. The Obama administration was
still focusing on international norms and application of international law for
responsible state behavior in cyberspace.
The following 2013 UN GGE report was heralded as a qualitative leap for-
ward in regulating state behavior in cyberspace (Wolter 2013). Its major con-
tribution lies in the fact that the group was able to conclude that international
law, and in particular the UN Charter, applies to cyberspace and the activities
therein (UNGA 2013, para. 19). The year 2013 was also the first time when
the UN GGE included a section in its report on “Recommendations on norms,
rules and principles of responsible behavior by States,” which were seen
as norms deriving from existing international law. Even though the report
concluded that unique attributes of ICTs might warrant the development of
additional norms over time, the main focus still lay with international law
(UNGA 2013, para. 16). The report named a number of international law
norms and principles that states ought to abide by ranging from sovereignty,
including the international norms and principles that flow from sovereignty,
to human rights and state responsibility (UNGA 2013, para. 19–23). This
was a big step in the thus far binary discussion on whether international law
applies or not. Together with the Tallinn Manual on the International Law
Applicable to Cyber Warfare published in 2013 (Schmitt 2013), high hopes
were put on international law to provide the normative framework applicable
to states’ cyberspace activities. The norms discussion continued in connec-
tion to international law. To keep the momentum, the UNGA decided to
gather another UN GGE as soon as possible.
The Turn
The 2015 iteration of the UN GGE was tasked with analyzing the specific
application of international law principles elaborated in the 2013 report.
However, this turned out to be a contested area of study, as states’ understand-
ing and interpretations of international law in general already vary greatly,15
let alone in the context of cyberspace and responsible state behavior. The
application and interpretation of international law reflect different value sys-
tems that states have. These fundamental differences necessitated an approach
that would allow the group to not address the disputed issues regarding inter-
national law. In an effort to make progress on previous groups’ work, the UN
GGE turned to a new construct to get past the contestation: general nonbind-
ing, voluntary norms, rules, and principles for the responsible behavior of
states. The latter, that is, norms as a concept, which in the 2013 report had
derived from international law and was thus deeply connected to it, was now
presented as a different source for guidance regarding responsible state behavior
than international law. This was reflected in the fact that international law and
norms, rules and principles were now two different sections in the UN GGE
report (UNGA 2015b, sec. III and VI). Moreover, the new norms, rules, and
principles section reflected to a great extent (with some exceptions) already
existing international law (for further elaboration, see UNODA 2017). The
UN GGE, however, did not put forth any conceptualization regarding the rela-
tionship between the proposed recommendations of norms and international
law. Yet, this conceptual opaqueness seemed to not be a concern. The
U.S.-led voluntary, nonbinding norms approach, as argued by some, was a way to
sidestep the question of a possible cybersecurity treaty amid conflicting views
on the application of international law, and at the same time allowed states
to articulate issues that require more normative guidance than international
law currently offers (Tikk et al. 2018b, 20–21). Outside the UN GGE, despite
the fact that norms were seen as voluntary and nonbinding in the context and
framework of the UN GGE, the following academic (Crandall et al. 2015;
Finnemore 2017, 2011; Finnemore et al. 2016) as well as policy16 discussion
saw cyber norms the same way as the UN GGE. Thus, the narrative created
by the UN GGE of norms as an alternative to binding international law had
carried over to the wider cyber-norms debate.
However, the eleven recommendations for cyber norms (UNGA 2015,
para. 13) proposed by the UN GGE in 2015 reflect to a great extent already
existing international law. The implementation guide for said norms was left
as a task for the following UN GGE that commenced its work in 2016. In
2017, however, the UN GGE failed to reach consensus. For the first time, two
countries—the United States and Cuba—explained their views as to the fail-
ure of the closed and nontransparent process. The United States argued that
the process failed over states’ unwillingness to clarify how specific aspects
of international law, such as law of the armed conflict or state responsibility,
apply to cyberspace. Furthermore, the United States saw the lesser extent of
the agreement in the 2017 UN GGE as backtracking the progress that had
been made with previous reports (Markoff 2017). Cuba, on the other hand,
argued that reinterpreting law of armed conflict would legitimize cyberspace
as a domain for military conflict, giving thereby state-sponsored cyber opera-
tions a green light (Cuba’s Representative Office Abroad 2017).
While the progress at the UN GGE stalled due to strategic, value, and
interpretation differences, the international dialogue outside of the UN GGE
continued. The year 2017 also marked the publication of Tallinn Manual
INTERNATIONAL NORMS
Continuums of Norms
Yet, instead of binary approaches, this article proposes to address norms in
terms of continuums.21 The first continuum ranges from norms that have been
codified into hard laws to soft law to voluntary, nonbinding norms. Gener-
ally, laws are expressions of norms that the international community accepts.
States conform their behavior to laws because of the wide acceptance of the
underlying norms (Sloss 2006, 170). Moreover, international law often also
they require trust and solidarity among the community. When the issue to be
regulated occurs rarely, that is, single isolated incidents, standards alongside
trust ensure that given the circumstances, the actors will balance all relevant
interests while making the decision on how to act (Koskenniemi 2019).
When it comes to the UN GGE norms, the majority of them seem from the
outset to be rather specific, that is, they have been cast in ICT-specific terms.
Even though they pertain to specific “siloed” categories, such as coopera-
tion (UNGA 2015b, para. A, D, H, J), due diligence of transit states (UNGA
2015b, para. C), critical infrastructure protection (UNGA 2015b, para. F, G),
human rights protection (UNGA 2015b, para. E), and protection of CERTs
(UNGA 2015b, para. K), they are essentially cast in the form of standards,
providing no further guidance than the basic goal-oriented obligation set forth
in the norm.
For example, the UN GGE 2015 report put forth a norm that states should
not knowingly allow their territory to be used for internationally wrongful
acts using ICTs (UNGA 2015b, para. 13[C]). Even though it is made ICT
specific through the addition of “using ICTs,” it still puts forth a general obli-
gation of due diligence in cyberspace. The latter is a standard in itself, which
means that the ICT specificity of it has created marginal additional value. The
use of general standards applies to norms in the SCO’s Code of Conduct
as well. Even content-wise specific norm proposals for the protection of
the public core of the Internet24 or the norm against the manipulation of the
integrity of financial data25 are inherently standards. Thus, considering the
uncertainty and the novelty of activities in cyberspace, the push for standards
instead of rules makes some sense. Standards are useful when stakes and
the cost for errors are high. This has been inherently the case in cyberspace.
However, considering the state of the regulatory debate surrounding cyber-
space, political contestation, and the lack of trust and solidarity among the
international community, the likelihood of implementation and purposeful
functioning of these standards is small.
Thus, even though the concept of norms has grown to be used in the cyber-
security discourse as indicating only voluntary and nonbinding nature, the
view of norms ought to be much wider. Yet, even when options are abundant
and clarity would help with reducing uncertainty, participants in different
norms discussions are reluctant to define what they mean by norms. They are
often conjoined with the notion of responsible state behavior. Norms are seen
as a tool to limit the malicious or negligent behavior of actors and incentivize
desired behavior, thereby defining and explaining acceptable and unaccept-
able behavior.26 If binding international law is not clear or its application is
contested due to grave political differences, norms of different nature may
offer an avenue for striving toward predictable behavior of states, creating
trust and stability.
Hence, the article sees cyber norms for responsible state behavior in the
broadest sense as legally relevant expectations, in the form of rules or stan-
dards, regarding appropriate behavior in cyberspace among the international
community. Yet, norms in and of themselves do not guarantee compliance.
All emergent norms must compete with existing or even countervailing ones,
as norms are not created in a vacuum. Whereas new norms do not guarantee
action nor do they determine the results of said norm, they can legitimize
new types of action (Jepperson et al. 1996, 56). At the same time, if complied
with, norms also channel, constrain, and constitute action. As such, norms are
“a fundamental component of both the international system and actors’
definitions of their interests” (Klotz 1995, 15). Cyber norms regulate or at the
very least guide, depending on their nature, the behavior of states in cyberspace
(Iasiello 2016, 31–32).
under UN Charter Article 51. At the same time, there were also those, who
asserted that the attack did not reach the level of use of force in order to
be considered an armed attack. As such, it remained a below-the-threshold
operation which would have prevented Iran from acting in self-defence. In
this case, there is an agreement that states have the right to act in self-defence,
if there is an armed attack. However, there is disagreement whether the cyber-
attack reached the threshold of an armed attack or not. Third, there might be
variations of application of the norm, that is, interpretation of how to apply
the norm in a particular case. This would be the case, for example, with the
norms recommended in the UN GGE 2015 report: as there is no uniform
interpretation guidance, all states can interpret them as they wish.
What connects this fragmented picture of norms is that they are all created
through interaction among different actors in the international community.
This is especially true when it comes to international norms. As the inter-
national level does not have a single authority who could prescribe or pro-
scribe norms upon the international community, it is generally understood
that most international norms for states are created through the interaction of
states.27 This does not mean that all international norms are created by states.
Yet, considering that states are still the main subjects of international law,
creating binding norms regulating their behavior still belongs to the purview
of states. However, norm-creation in a broad sense is not just the preroga-
tive of states or powerful states for that matter. Non-state actors and states
alike can act as norm entrepreneurs. This has been particularly evident in
the cybersecurity discourse.28 It is then up to states to decide whether these
norms, created or championed by non-state actors or nonbinding and volun-
tary, are legally relevant for them or not. As a result, some of those soft or
voluntary, nonbinding norms created in the interaction among states or put
forth by non-state actors can harden and become binding treaty or custom-
ary law, backed by responsibility and liability mechanisms in occurrence of
noncompliance.
THE FUTURE
The policy action regarding “the rules of the road” has not dealt with norms in
such detail, rather the calls for promoting voluntary, nonbinding norms have
become ubiquitous and opaque without clear understanding of what are the
norms that are being promoted, how they should be implemented and what is
the impact of such calls. The intricacies and different “shades” of norms are
not always apparent.
On the one hand, the conceptual opaqueness created by the UN GGE and
carried forward by states allows for room of manoeuvre. The conceptual and
might turn out to be a futile effort. Considering the contestation and strategic
behavior surrounding regulatory efforts, the continued increase of offensive
cyber activities, and the rise of political attributions instead of legal ones, it
is clear that there is significant lack of trust in the international community.
Without trust, however, there is no meaningful way to apply the agreed-
upon standards or hope for reciprocated behavior on others’ part. At the
same time, there is no space nor political will to create red lines rules, as
cyberspace activity is largely unpredictable due to exponential technological
development. Thus, the challenge here is to create actionable norms, whether
standards or rules, in and for a highly unpredictable, contested, and strategic
environment.
While there is a push forward on the progress regarding international legal
norms applicable in cyberspace, states do not necessarily interpret cyber
norms as legal norms, emphasizing often separately the adherence to interna-
tional law and the support for norms for responsible state behavior in cyber-
space. The latest National Cyber Strategy of the United States of America,
for example, states that “International law and voluntary non-binding norms
of responsible state behavior in cyberspace provide stabilizing, security-
enhancing standards that define acceptable behavior to all states and promote
greater predictability and stability in cyberspace” (The White House 2018,
20). This clearly shows that for the United States, norms and international
law are, as regulatory frameworks, two complementary yet conceptually
separate things. Without defining the relationship between international law and
international norms of behavior that have been created and are created, the
opaqueness might lead to fragmentation and eventually unclear guidance for
state behavior. This runs contrary to the object and purpose of cyber norms
and norms in general, as norms are supposed to provide clarity, stability, and
predictability.
It is apt to recall that norms and international law influence, condition,
and develop dependent on each other. Voluntary, nonbinding norms do not
undermine existing binding hard norms. On the contrary, laws yield a deeper
support for the ideas reflected by norms. Cyber norms, even if seen in a vol-
untary, nonbinding form, are grounded in international law and at the same
time, eventually, norms are going to have an impact on the interpretation and
development of international law as well. There is no regulatory vacuum or
norm vacuum when it comes to cyberspace. New norms build on already
existing regulatory order. Thus, as norms build on and influence other norms,
it is a fallacy to depict the norms and international law as being detached from
each other, as it is a fallacy to equate international law and cyber norms.
The UN GGE-proposed recommendations of future norms are clearly
grounded in existing international law (see further, UNODA 2017). It is often
used as a point of criticism, yet the norms could also be seen as ICT-specific
CONCLUSION
Calls for responsible behavior of states in cyberspace and rules of the road in
said space have become ubiquitous. Out of the work of the UN GGE a distinct
discourse on cyber norms has emerged. First developed as a response to con-
testation regarding international law, cyber norms have gradually obtained a
rather opaque meaning.
This chapter argued that even though the UN GGE has moved from dis-
cussing international law norms to discussing international law and norms,
rules and principles, the two are not detached from each other. Norms in gen-
eral ought to be seen in several continuums, where norms have the potential
to move and change when it comes to their binding nature and specificity.
Having a “siloed” understanding of norms, meaning considering one type of
norms detached from others, is detrimental to the international community’s
understanding of what shapes state behavior. For example, hard norms in the
form of international law might not always be the most effective forms of
regulating behavior, as they are often accompanied by grave political differ-
ences. All norms pertaining to an issue-area ought to be seen as an ecosystem,
where norms are mutually reinforcing, sometimes contesting, yet in general
inform and influence the application of each other. Thus, when it comes to
cyber norms, norms and application of international law to cyberspace can-
not be seen as two parallel tracks of regulatory interventions. Norms are not
necessarily an easier avenue to achieve consensus amid disagreement on the
application of international law. Norms, even in voluntary, nonbinding form,
are a powerful tool to change and regulate behavior, but not when they mean
everything and nothing at all.
NOTES
BIBLIOGRAPHY
Clarke, Richard A., and Robert K. Knake. 2012. Cyber War: The Next Threat to
National Security and What to Do About It. Ecco.
Crandall, Matthew, and Collin Allan. 2015. “Small States and Big Ideas: Estonia’s
Battle for Cybersecurity Norms.” Contemporary Security Policy 36 (2): 346–368.
Cuba’s Representative Office Abroad. 2017. “71 UNGA: Cuba at the Final Session
of Group of Governmental Experts on Developments in the Field of Information
and Telecommunications in the Context of International Security.” June 23, 2017.
http://misiones.minrex.gob.cu/en/un/statements/71-unga-cuba-final-session-group-governmental-experts-developments-field-information.
D’Aspremont, Jean. 2011. Formalism and the Sources of International Law: A The-
ory of the Ascertainment of Legal Rules. Oxford: Oxford University Press.
Estonian Information System Authority. 2018. “Data Exchange Layer X-Tee.”
https://www.ria.ee/en/state-information-system/x-tee.html.
Falco, Marco De. 2012. “Stuxnet Facts Report. A Technical and Strategic Analysis.”
Tallinn.
Farwell, James P., and Rafal Rohozinski. 2011. “Stuxnet and the Future of Cyber
War.” Survival 53 (1): 23–40.
Farwell, James P., and Rafal Rohozinski. 2012. “The New Reality of Cyber War.”
Survival 54 (4): 107–120.
Finnemore, Martha, and Duncan B. Hollis. 2016. “Constructing Norms for Global
Cybersecurity.” American Journal of International Law 110 (3): 425–479.
Finnemore, Martha. 2011. “Cultivating International Cyber Norms.” America’s
Cyber Future Security and Prosperity in the Information Age II: 87–102.
Finnemore, Martha. 2017. “Cybersecurity and the Concept of Norms.” Carnegie
Endowment for International Peace.
http://carnegieendowment.org/files/Finnemore_web_final.pdf.
Futter, Andrew. 2018. “‘Cyber’ Semantics: Why We Should Retire the Latest Buzz-
word in Security Studies.” Journal of Cyber Policy 3 (2): 201–216.
G7. 2016. “Principles and Action on Cyber.” May 27, 2016.
G7. 2017. “Declaration on Responsible States Behaviour in Cyberspace.” Lucca,
April 11, 2017.
GCSC (Global Commission on the Stability of Cyberspace). 2018a. “Global
Commission Urges Protecting Electoral Infrastructure.” May 24, 2018.
https://cyberstability.org/research/global-commission-urges-protecting-electoral-infrastructure/.
GCSC (Global Commission on the Stability of Cyberspace). 2018b. “Global Com-
mission Proposes a Definition of the Public Core of the Internet.” June 27, 2018.
https://cyberstability.org/research/global-commission-proposes-definition-of-the-public-core-of-the-internet/.
Goldsmith, Jack L., and Eric A. Posner. 2005. The Limits of International Law. New
York: Oxford University Press.
Grigsby, Alex. 2017. “The End of Cyber Norms.” Survival 59 (6): 109–122.
https://doi.org/10.1080/00396338.2017.1399730.
Hampson, Fen Osler, and Michael Sulmeyer. 2017. Getting Beyond Norms: New
Approaches to International Cyber Security Challenges. Centre for International
Governance Innovation.
Iasiello, Emilio. 2016. “What Happens If Cyber Norms Are Agreed To?” Georgetown
Journal of International Affairs: International Engagement on Cyber VI, Assessing
Cyber Strategy 18 (3): 30–37.
Jepperson, Ronald L., Alexander Wendt, and Peter J. Katzenstein. 1996. “Norms,
Identity, and Culture in National Security.” In The Culture of National Security:
Norms and Identity in World Politics, edited by Peter J. Katzenstein, 33–75. New
York: Columbia University Press.
Kaljulaid, Kersti. 2019. “President of Estonia: International Law Applies Also in
Cyber Space.” Keynote speech CyCon 2019, May 29, 2019.
https://www.president.ee/en/meedia/press-releases/15243-president-of-estonia-international-law-applies-also-in-cyber-space/index.html.
Katzenstein, Peter J. 1996. The Culture of National Security: Norms and Identity in
World Politics. Edited by Peter J. Katzenstein. New York: Columbia University Press.
Khagram, Sanjeev, James V. Riker, and Kathryn Sikkink. 2002. Restructuring World
Politics: Transnational Social Movements, Networks and Norms. Minneapolis:
University of Minnesota Press.
Klabbers, Jan. 2017. International Law. 2nd ed. Cambridge: Cambridge University
Press.
Klotz, Audie. 1995. Norms in International Relations: The Struggle Against Apartheid.
Ithaca: Cornell University Press.
Koskenniemi, Martti. 2019. “International Cyber Law: Does It Exist and Do We Need
It?” European Cyber Diplomacy Dialogue, EU Cyber Direct.
Mačak, Kubo. 2017. “From Cyber Norms to Cyber Rules: Re-Engaging States as
Law-Makers.” Leiden Journal of International Law, September 2016: 1–23.
https://doi.org/10.1017/S0922156517000358.
Markoff, Michele G. 2017. “Explanation of Position at the Conclusion of the 2016–
2017 UN Group of Governmental Experts (GGE) on Developments in the Field of
Information and Telecommunications in the Context of International Security.” US
Department of State Releases and Remarks. June 23, 2017.
Martinsson, Johanna. 2011. “Global Norms: Creation, Diffusion, and Limits.”
CommGAP Discussion Papers. Washington, DC.
Maurer, Tim, Ariel Levite, and George Perkovich. 2017. “Toward a Global Norm
Against Manipulating the Integrity of Financial Data.” White Paper. Carnegie
Endowment for International Peace.
Mckay, Angela, Jan Neutze, Paul Nicholas, and Kevin Sullivan. 2014. “International
Cybersecurity Norms,” 24.
https://blogs.microsoft.com/cybertrust/2014/12/03/proposed-cybersecurity-norms/.
Microsoft et al. 2018. “Cybersecurity Tech Accord.” 2018. https://cybertechaccord.org/accord/.
Ministère des Armées (French Ministry of Defense). 2019. “Communiqué_La France
s’engage à promouvoir un cyberespace stable, fondé sur la confiance et le respect
du droit international.” September 9, 2019.
https://www.defense.gouv.fr/salle-de-presse/communiques/communiques-du-ministere-des-armees/communique_la-france-s-engage-a-promouvoir-un-cyberespace-stable-fonde-sur-la-confiance-et-le-respect-du-droit-international.
NATO CCD COE. 2016. “Over 50 States Consult Tallinn Manual 2.0.” 2016.
https://ccdcoe.org/over-50-states-consult-tallinn-manual-20.html.
NATO CCD COE. 2017. “Tallinn Manual 2.0 on the International Law Applicable to
Cyber Operations.” In Tallinn Manual 2.0 on the International Law Applicable to Cyber
Warfare, edited by Michael N. Schmitt. Cambridge: Cambridge University Press.
NATO. 2016a. “Cyber Defence Pledge.” July 8, 2016.
NATO. 2016b. “Warsaw Summit Communiqué.” July 9, 2016.
O’Connell, Mary Ellen. 2012. “Cyber Security Without Cyber War.” Journal of
Conflict & Security Law 17 (2): 187–209.
OSCE. 2013. Decision No. 1106 Initial Set of OSCE Confidence-Building Measures
to Reduce the Risks of Conflict Stemming from the Use of Information and
Communication Technologies.
OSCE. 2016. Decision No. 1202 OSCE Confidence-Building Measures to Reduce
the Risks of Conflict Stemming from the Use of Information and Communication
Technologies.
Osula, Anna-Maria, and Henry Rõigas. 2016. International Cyber Norms.
https://ccdcoe.org/sites/default/files/multimedia/pdf/InternationalCyberNorms_full_book.pdf.
Panetta, Leon E. 2012. “Remarks by Secretary Panetta on Cybersecurity to the
Business Executives for National Security.” US Department of Defense. 2012.
http://archive.defense.gov/transcripts/transcript.aspx?transcriptid=5136.
Roberts, Anthea. 2017. Is International Law International? Oxford: Oxford
University Press.
Schmitt, Michael N. 2013. Tallinn Manual on the International Law Applicable to Cyber
Warfare. Edited by Michael N. Schmitt. Cambridge: Cambridge University Press.
Schmitt, Michael N. 2018. “International Cyber Norms: Reflections on the Path
Ahead.” Netherlands Military Law Review. https://puc.overheid.nl/mrt/doc/PUC_248171_11/1/
Schmitt, Michael N., and Liis Vihul. 2014. “The Nature of International Law Cyber
Norms.” 5. The Tallinn Papers. Tallinn.
https://ccdcoe.org/sites/default/files/multimedia/pdf/Tallinn Paper No 5 Schmitt and Vihul.pdf.
Segal, Adam. 2017. “The Development of Cyber Norms at the United Nations Ends
in Deadlock. Now What?” Council on Foreign Relations.
https://www.cfr.org/blog/development-cyber-norms-united-nations-ends-deadlock-now-what.
Seventh International Conference of American States. 1933. Montevideo Convention
on the Rights and Duties of States. https://doi.org/10.1007/s13398-014-0173-7.2.
Shanghai Cooperation Organization. 2009. Agreement Between the Governments of
the Member States of the Shanghai Cooperation Organization on Cooperation in
the Field of International Information Security.
https://ccdcoe.org/sites/default/files/documents/SCO-090616-IISAgreement.pdf.
Shaw, Malcolm N. 2017. International Law. 8th ed. Cambridge: Cambridge
University Press.
Shires, James, and Max Smeets. 2017. “The Word Cyber Now Means Everything—And
Nothing At All.” Future Tense, 2017.
http://www.slate.com/blogs/future_tense/2017/12/01/the_word_cyber_has_lost_all_meaning.html.
Sloss, David. 2006. “Do International Norms Influence State Behavior?” George
Washington International Law Review 159: 159–207.
Smith, Brad. 2017. “The Need for a Digital Geneva Convention.” Microsoft on
the Issues. https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/.
Soesanto, Stefan, and D’Incau Fosca. 2017. “The UN GGE Is Dead: Time to Fall
Forward.” European Council on Foreign Relations.
https://www.ecfr.eu/article/commentary_time_to_fall_forward_on_cyber_governance.
Terpan, Fabien. 2015. “Soft Law in the European Union—The Changing Nature of
EU Law.” European Law Journal 21 (1): 68–96.
The Ministry of Foreign Affairs of the Russian Federation. 2011. Convention on
International Information Security (Concept).
http://www.mid.ru/en/foreign_policy/official_documents/-/asset_publish.
The White House. 2009. “Cyberspace Policy Review: Assuring a Trusted and Resilient
Information and Communications Infrastructure.”
https://www.energy.gov/sites/prod/files/cioprod/documents/Cyberspace_Policy_Review_final.pdf.
The White House. 2017. “Remarks by Homeland Security Advisor Thomas P.
Bossert at Cyber Week 2017.” 2017.
https://www.whitehouse.gov/briefings-statements/remarks-homeland-security-advisor-thomas-p-bossert-cyber-week-2017/.
The White House. 2018. “National Cyber Strategy of the United States of America.”
Washington. https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf.
Tikk, Eneken, and Mika Kerttunen. 2018a. “Cyber Treaty Is Coming: Что Делать?”
Tartu.
Tikk, Eneken, and Mika Kerttunen. 2018b. “Parabasis: Cyber-Diplomacy in Stalemate.”
Oslo.
Tikk, Eneken, Kadri Kaska, and Liis Vihul. 2010. International Cyber Incidents—
Legal Considerations. Tallinn: NATO CCD COE Publications.
UNGA (United Nations General Assembly). 1998. “Letter Dated 23 September 1998
from the Permanent Representative of the Russian Federation to the United Nations
Addressed to the Secretary-General.” A/C.1/53/3. 1998.
UNGA (United Nations General Assembly). 1999. A/RES/53/70 Developments in
the Field of Information and Telecommunications in the Context of International
Security.
UNGA (United Nations General Assembly). 2005. A/60/202 Group of Governmental
Experts on Developments in the Field of Information and Telecommunications in
the Context of International Security Report of the Secretary-General.
UNGA (United Nations General Assembly). 2010. A/65/201 Report of the Group of
Governmental Experts on Developments in the Field of Information and
Telecommunications in the Context of International Security.
UNGA (United Nations General Assembly). 2011. A/66/359 49656 Letter Dated
12 September 2011 from the Permanent Representatives of China, the Russian
Federation, Tajikistan and Uzbekistan to the United Nations Addressed to the
Secretary-General.
UNGA (United Nations General Assembly). 2013. A/68/98 Report of the Group of
Governmental Experts on Developments in the Field of Information and
Telecommunications in the Context of International Security.
UNGA (United Nations General Assembly). 2015a. A/69/723 Letter Dated 9 January
2015 from the Permanent Representatives of China, Kazakhstan, Kyrgyzstan, the
Russian Federation, Tajikistan and Uzbekistan to the United Nations Addressed to
the Secretary General.
UNGA (United Nations General Assembly). 2015b. A/70/174 Report of the Group of
Governmental Experts on Developments in the Field of Information and
Telecommunications in the Context of International Security.
UNGA (United Nations General Assembly). 2018a. A/C.1/73/L.27, Developments in
the Field of Information and Telecommunications in the Context of International
Security: Draft Resolution, October 22, 2018.
UNGA (United Nations General Assembly). 2018b. A/C.1/73/L.37, Advancing
Responsible State Behaviour in Cyberspace in the Context of International
Security, October 18, 2018.
UNODA. 2017. Voluntary, Non-Binding Norms for Responsible State Behaviour in
the Use of Information and Communications Technology: A Commentary. New
York: UNODA.
US Department of State. 2016. “Joint Statement on Third Annual Nordic-Baltic +
U.S. Cyber Consultations.” September 16, 2016.
Velde, James van de. 2018. “Why Cyber Norms Are Dumb and Serve Russian
Interests.” The Cipher Brief, June 6, 2018.
Wolfrum, Rüdiger. 2010. “General International Law (Principles, Rules, and
Standards).” Max Planck Encyclopedia of Public International Law.
https://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/law-9780199231690-e1408
Wolter, Detlev. 2013. “The UN Takes a Big Step Forward on Cybersecurity.” Arms
Control Today 43 (7): 25–29.
Wright, Jeremy. 2019. “Cyber and International Law in the 21st Century.” Speech
on May 23, 2019.
https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century.
Chapter 3
and “hack and leak” operations (U.S. ODNI 2017, 1; EU vs Disinfo 2019).
Views concerning the legal characterization of Russia’s actions vary, and
although commentators invoked the principle of non-intervention, the majority
concluded that Russia’s actions did not fulfill its conditions, in particular
that of coercion (Hollis 2016; Ohlin 2016; Watts 2016). The US incident is
not the only example of electoral cyber interference; other incidents involve
elections in the Netherlands, the United Kingdom, France, and Germany to
name just a few (Brattberg and Maurer 2018; Galante and Ee 2018; Bay and
Šnore 2019).2 Although electoral interference is not a new phenomenon,
cyberspace increases the scalability, reach, and effects of such interference
and poses a serious threat to a state’s sovereign authority.
Against this background, this chapter examines the question of how the
principle of non-intervention can be contextualized and reconceptualized
in cyberspace in order to attain its purpose of protecting a state’s sovereign
authority in cases of electoral cyber interference. I will do this by aligning
the principle of non-intervention with the principle of self-determination and
by identifying the baseline of intervention and the pathways intervention can
take in cyberspace. By reassessing the concept of intervention, its regulatory
scope and effectiveness in cyberspace will be enhanced since cyberspace is
linked to the political, economic, military, diplomatic, social, and cultural
functions of a state and is a domain within which, or through which, states
operate, interact, and exert power.
The chapter proceeds in the following manner. In the next section, I
explain the content and meaning of the principle of non-intervention as
traditionally interpreted in international law and in the third section I will apply
this definition to Russia’s interference in the 2016 US election. Because of
the identified normative and regulatory gaps, in the fourth section I expose
the relationship between the principle of non-intervention and that of
self-determination, define the baseline of intervention as control, and explain the
different pathways intervention can take in cyberspace. In the fifth section, I
apply this concept to electoral cyber interference such as the interference in
the 2016 US election. The conclusion sets out the chapter’s overall findings
and explains the importance of reassessing the meaning of intervention in the
cyber context and more generally.
The first condition describes the domain within which interference should
take place as well as the object of such interference. In this respect, the ICJ
mentioned the choice of political, economic, social, and cultural systems
and the formulation of foreign policy.9 It thus transpires that the protected
domain is a state’s political, economic, social, and cultural system whereas
the object of intervention is the ability to make free choices in this domain.
That said, the aforementioned list is not exhaustive and can change in light of
related developments concerning the meaning and scope of state sovereignty
(Jennings and Watts 1992, 428). As a result, the domain protected from
intervention may expand or decrease, something that will affect the scope of the
non-intervention principle.
The second condition—coercion—refers to the nature of the interference
and is what differentiates intervention from pure interference or influence. As
the ICJ said, “the element of coercion . . . defines, and indeed forms the very
essence of, [a] prohibited intervention.”10 Traditionally, coercion in
international law has been taken to imply compulsion whereby one state compels or
attempts to compel another state to take a particular course of action against
its will, thus obtaining, in the words of the 1970 Friendly Relations
Declaration, “the subordination of the exercise of its sovereign rights” (U.N. General
Assembly Friendly Relations Declaration 1970).11
Such a construction of intervention can very well apply to cyberspace. For
instance, if a state’s governmental services are targeted by a Distributed Denial
of Service (DDoS) attack in order to compel its government to change its
policies or decisions, this would amount to prohibited intervention. The 2007 DDoS
attacks against Estonia come immediately to mind. They were launched after
the Estonian government decided to relocate a Soviet-era statue, a decision
that was resisted by the country’s Russian-speaking minority and was frowned
upon by Moscow. To the extent that they were intended to put such pressure on
Estonia to change its decision and provided that they were attributed to Russia,12
in my opinion, they would constitute prohibited intervention (Tsagourias 2012,
35; Buchan 2012). In contrast, the 2014 Sony attack (Zetter 2014) does not
amount to intervention because the target of the attack was a private company
not connected to the US government and it did not involve a matter that falls
within the sovereign prerogatives of the United States nor was there any attempt
to coerce the US government to take a particular course of action.
included hacking into the Democratic National Committee e-mails and the
release of confidential information as well as disinformation operations (U.S.
ODNI 2017, 2-5). The former is referred to as doxing (Kilovaty 2018, 152)
whose objective is to “expose, disgrace, or otherwise undermine a particular
individual, campaign, or organisation in order to influence public opinion
during an election cycle” (EU vs Disinfo 2019) whereas disinformation is
the dissemination of “false, inaccurate, or misleading information designed,
presented and promoted to intentionally cause public harm or for profit” and
can threaten the “democratic political processes and value” (European
Commission 2018, 10).13 The Department of Homeland Security (DHS) and the
Office of the Director of National Intelligence (ODNI) issued a joint
statement claiming that the Russian government was responsible for the hack
and the publication of the materials in an attempt to “interfere with the US
election process” (U.S. DHS and ODNI 2016) and, according to ODNI, the
intention of the leaks was to “undermine public faith in the US democratic
process, denigrate Secretary Clinton and harm her electability and potential
presidency” (U.S. ODNI 2017, ii). Following investigations, a number of
Russian operatives were indicted. According to the Mueller indictment,
“[t]he conspiracy had as its object impairing, obstructing, and defeating the
lawful governmental functions of the United States by dishonest means in order
to enable the Defendants to interfere with U.S. political and electoral
processes, including the 2016 U.S. presidential election” (Mueller Indictments
2018).14
One can plausibly say that Russia’s actions satisfied the first condition
of unlawful intervention by targeting the conduct of elections. As the ICJ
opined in the Nicaragua Case, the “choice of political system” is a matter
falling within a state’s sovereign prerogatives which should remain “free
from external intervention”15 and went on to say that holding elections is a
domestic matter.16 There are problems, however, with the second condition
namely that of coercion. According to Brian Egan, “a cyber operation by a
State that interferes with another State’s ability to hold an election or that
manipulates a State’s election results would be a clear violation of the rule of
non-intervention” (Egan 2017, 175). Likewise, according to the former UK
attorney general, “the use by a hostile state of cyber operations to manipulate
the electoral system to alter the results of an election in another state . . . must
surely be a breach of the prohibition on intervention in the domestic affairs
of states” (U.K. Attorney General’s Office 2018). These statements refer to
interference with the electoral administration, for example, interference with
electoral registers to delete voters’ names, as well as to interference with the
electoral infrastructure, for example, interference with the recording or
counting of votes or the blocking of voting machines, thus cancelling an election.
Since Russia’s operations, according to the aforementioned reports (U.S.
ODNI 2017, 3), did not amount to such interference, they do not breach the
non-intervention norm.
That said, many states since then have designated their electoral
infrastructure (registration, casting and counting votes, submitting and tallying
results) as critical national infrastructure (U.S. DHS “Election Security”).17
In the same vein, the Global Commission on the Stability of Cyberspace
(GCSC) proposed a norm prohibiting the disruption of elections through
cyberattacks on the technical infrastructure that supports elections (GCSC
2018).18 Although these are important developments, they only address one
aspect of the phenomenon of electoral cyber interference, that is, meddling
with the electoral infrastructure but do not extend to the process according to
which the will of the people is formed and how intervention can impact on
them. Yet, outcomes can be affected not only by interfering with the electoral
infrastructure but also by interfering with the process of will formation. This
is an issue that will be discussed in the next section.
meaning and status in the rule prohibiting the use of force contained in Article
2(4) of the UN Charter and in customary law.
Another pathway to coercion mentioned by Oppenheim is that of dictatorial
interference. Dictatorial interference is when a state prescribes a course of
action in imperative terms and usually by threatening negative consequences,
thus forcing the will of the recipient state. This is again a direct form of
coercion and describes a situation where two sovereign “wills” clash over a matter
and one state loses control over a matter by subordinating its will.
In addition to these direct pathways, there are also other more subtle or
indirect pathways to coercion where one state extends its will over another
and thus assumes control even if the latter State appears to behave freely.
This can happen when the intervening state arranges the targeted state’s
choices in such a way that it has no effective choice. Another instance is
when the intervenor, through manipulation, arranges the other state’s
preferences in such a way that the state acts in accordance with the intervenor’s
preferred choices. In these cases, coercion as control does not appear to be
conflictual since the victim state apparently acts voluntarily, but the intervenor
exerts control over the other and extends its will by rearranging the
available choices or by rearranging preferences to align them with its own. For
example, if a state assumes control over another state’s governmental systems
(or systems supporting critical national infrastructure) and manipulates their
operation, this would amount to coercion to the extent that the systems
operate counterintuitively to how they were programmed to operate by the victim
state and produce actions and effects desired by the intervenor. Also, when a
state, through cyber espionage, acquires information on another state’s
policies which is then used to direct the choices of the victim state, it controls the
latter’s choices against its wishes.24
discredit them. To the extent that such operations are designed and executed
in such a way as to manipulate the cognitive process where authority and will
are formed and to take control over peoples’ choices of government, they
would constitute intervention.
As the aforementioned example shows, cyberspace provides a facilitative
ecosystem where electoral interference can take place and, as was said, it can
also enhance the scalability, reach, and effects of coercion. To explain,
cyberspace has made it easier to produce, disseminate, and share disinformation;
it enhances its accessibility by amplifying the circle of targeted audiences or
by micro-targeting, increases the immediacy and speed of such operations,
complicates attribution, and allows for remotely conducted operations.
The interference in the 2016 US elections is a case in point. As was
said, Russian operations included the hacking and release of confidential
information and social media-enabled disinformation. The primary target
of such operations was the cognitive environment which enables the making
of choices that are subsequently reflected in the type of government that
emerges from the process (Hollis 2018, 36; Lin and Kerr 2017). As James
Comey, the former FBI director, said before the Senate Intelligence
Committee: “[t]his is such a big deal, . . . we have this big, messy, wonderful country
where . . . nobody tells us what to think, what to fight about, what to vote for,
except other Americans . . . . But we’re talking about a foreign government
that, using technical intrusion, lots of other methods, tried to shape the way
we think, we vote, we act” (New York Times 2017). In a similar vein, the
2017 US National Security Strategy opined that “[a] democracy is only as
resilient as its people. An informed and engaged citizenry is the fundamental
requirement for a free and resilient nation. . . . Today, actors such as
Russia are using information tools in an attempt to undermine the legitimacy
of democracies. Adversaries target media, political processes, financial
networks, and personal data” (U.S. White House 2017, p. 14).
From the preceding discussion, it can be said that Russia’s interference
met the two conditions of unlawful intervention. Although one could have
stopped here, it is important to consider a number of other issues which
should be present although their status has not been firmly settled in legal
doctrine.
The first is intention and more specifically whether coercion should be
intentional. The Tallinn Manual treats intent as a constitutive element of the
principle of non-intervention (Schmitt 2017, Rule 66, para. 27), but there
are also dissenting voices who treat intervention as an objective state of
affairs (Watts 2015, 249, 268–269). If, as was said previously, intervention
is relational and contextual, it can never be an objective state of affairs. It
seems that the ICJ in the Nicaragua Case required intent when it said that “in
international law, if one State, with a view to the coercion of another State,
supports and assists armed bands in that State whose purpose is to overthrow
the government of that State, that amounts to an intervention by the one State
in the internal affairs of the other, whether or not the political objective of the
State giving such support and assistance is equally far-reaching.”26 What the
court meant is that a state should have the intention to coerce another state by
using proxies although it may not share the particular objective of the proxies
it is supporting.
In the opinion of the present writer, intent is critical, particularly in
cyberspace, where operations are often factually indistinguishable, and their effects
permeate borders unintentionally. Moreover, intent distinguishes influence
operations or in general propaganda from operations that are purposively
designed to exert control over a sovereign matter (self-determination) through
false, fabricated, or misleading information or, more generally, through disinformation.
That having been said, it should be acknowledged that it is difficult to
establish intent. There may exist some factual and demonstrable evidence to
prove intent in the form of statements or the involvement of state operatives
(U.S. ODNI 2017; Mueller Indictments 2018); otherwise, intent can be
constructed from circumstantial evidence and from surrounding circumstances.
For example, the target of the operation27 and the means used
(disinformation) are important indicators (U.S. ODNI 2017, 3; Mueller Indictments,
para. 2). With regard to the latter, one can look into whether the
confidentiality, integrity, or availability of information has been breached (Herpig,
Schuetze and Jones 2018, 14ff). For example, in the case of deep fakes or
leaked e-mails, it is the authenticity, integrity, and confidentiality of the
disseminated information that is breached, but even in the case of true
information, it is its integrity and authenticity that are encroached upon if it is mixed with
false information or is presented in a false or fabricated context or if it relates
to partial truths. Other factors to take into account to establish intent are the
political and ideological competition that exists between states, the strategic
or other interests served by the operation, the timing of the operation, and the
intensity and widespread nature of the operation. With regard to the latter,
the Mueller indictment demonstrated the widespread and systematic nature
of Russia’s interference.28
The second condition is that of knowledge in the sense of whether the
victim state should be aware of the coercion. Certain commentators contend that
knowledge is not required whereas others claim that it is required because a
state cannot be coerced when it is unaware of the act of coercion (Schmitt
2017, Rule 66, para. 25). In international relations theory, which views
coercion as an instrument of power and usually identifies it with threats,
knowledge of the threat and of its author is important because it relates to
the persuasiveness and credibility of the threat. For this reason, some
international relations commentators view cyber coercion as inconsequential
because of the covert nature of cyber operations (Lindsay and Gartzke [2014]
2018, 179).
The difference, however, between international law and international
relations is that the latter takes a functional approach to intervention whereas
international law takes a normative approach. It is thus submitted that
knowledge is not a constitutive element of intervention, but knowledge is
required in order to trigger a claim that intervention has taken place. This
also means that the fact that intervention may be covert, or that it was
attempted without actually succeeding, will not affect the qualification of the
impugned behavior as intervention for international law purposes when the
intervened-against state becomes aware of the situation, provided of course
that the criteria of intervention have been satisfied. To put it differently,
the intervening state cannot claim that there was no intervention or that
there is no breach of the non-intervention rule because at the time
intervention happened the victim state was not aware of the intervention. This also
means that the victim state is not prevented from taking countermeasures
after acquiring knowledge of the intervention even if the act of intervention
occurred much earlier because there will be temporal proximity between the
countermeasures and the claim of wrongfulness. In the US case, the fact that
subsequent reports established the facts will not prevent the United States
from claiming that it was the victim of unlawful intervention although whether
it will do so is a matter of politics.
Finally, such interference needs to reach a certain level of severity to
amount to intervention. Severity can be assessed against the importance of
the values affected which in this case is the value of self-determination; the
consequences of intervention which in this case is the control of a state’s
authority and will and, according to McDougal and Feliciano, the extent to
which values are affected and the number of participants whose values are
so affected.29 Although no analytical tool exists to measure the real impact
of electoral interference on people or how their voting preferences were
affected, analysis of social networks can reveal the number of
viewers or artificial movements and to some extent measure the number of
affected individuals (Howard et al. 2018).30
CONCLUSION
This chapter has shown that cyberspace is a new domain where the principle
of non-intervention can apply. However, deciphering its content and
understanding how it applies to cyberspace is a difficult exercise that can impact
its effectiveness to regulate cyber activities. Consequently, reassessing the
meaning of intervention in the cyber domain is critical because cyberspace
NOTES
1. In the same vein, the UK attorney general said: “The precise boundaries of this
principle are the subject of ongoing debate between states, and not just in the context
of cyber space” (U.K. Attorney General’s Office 2018).
2. For similar activities during the 2018 elections in Cambodia, see Henderson
et al. (2018).
3. Military and Paramilitary Activities in and against Nicaragua (Nicaragua v
United States of America) (Merits) [1986] ICJ Rep 14 para 202 (hereinafter referred
to as Nicaragua Case); See: Maziar Jamnejad and Michael Wood, “The Principle
of Non-Intervention in International Law” Leiden Journal of International Law 22
(2009): 345, 347–367.
4. See also: U.N. General Assembly Res., Declaration on Principles of
International Law Concerning Friendly Relations and Co-Operation Among States in
Accordance with the United Nations, October 24, 1970, U.N. Doc. A/RES/2625 (XXV),
Annex: “No State or group of States has the right to intervene, directly or indirectly,
for any reason whatever, in the internal or external affairs of any other State.
Consequently, armed intervention and all other forms of interference or attempted threats
against the personality of the State or against its political, economic and cultural
elements, are in violation of international law.”
5. Nicaragua Case, para 202.
6. Ibid., para 202.
7. See also: Philip Kunig, “Prohibition of Intervention” Max Planck Encyclope-
dia of Public International Law (2012) para 1.
8. Nicaragua Case, para 205.
9. Ibid.
10. Ibid.
11. See also: Christopher C. Joyner, “Coercion” Max Planck Encyclopedia of
Public International Law (2006): “Coercion in inter-State relations involves the gov-
ernment of one State compelling the government of another State to think or act in a
certain way by applying various kinds of pressure, threats, intimidation or the use of
force.”
12. For attribution see: Nicholas Tsagourias, “Cyber Attacks, Self-Defence and the
Problem of Attribution,” Journal of Conflict Security Law 17, no. 2 (2012): 229.
13. According to EU vs Disinfo, disinformation is “the fabrication or deliberate
distortion of news content aimed at deceiving an audience, polluting the information
space to obscure fact-based reality, and manufacturing misleading narratives about
key events or issues to manipulate public opinion. Disinformation is the most persis-
tent and widespread form of the Kremlin’s interference efforts. Importantly, it is not
limited only to election cycles, but has now become a viral feature of our information
ecosystem” and its objective is “to paralyse the democratic process by fuelling social
fragmentation and polarisation, sowing confusion and uncertainty about fact-based
reality, and undermining trust in the integrity of democratic politics and institutions”:
EU vs Disinfo, “Methods of Foreign Electoral Interference,” April 2, 2019,
https://euvsdisinfo.eu/methods-of-foreign-electoral-interference/. Others speak of
“information manipulation” encompassing three criteria: “a coordinated campaign, the diffusion
of false information or information that is consciously distorted, and the political
intention to cause harm,” see: Jean-Baptiste Jeangène Vilmer, Alexandre Escorcia,
Marine Guillaume, and Janaina Herrera, “Information Manipulation: A Challenge for
Our Democracies, Report by the Policy Planning Staff (CAPS) of the Ministry for
Europe and Foreign Affairs and the Institute for Strategic Research (IRSEM) of the
Ministry for the Armed Forces” (Paris, August 2018), 21.
14. U.S. District Court, District of Columbia, United States v. Internet Research
Agency LLC et al. (Indictment, 16 February 2018), Criminal Action No. 100032
(DLF), para 25 and United States v. Victor Borisovich Netyksho et al. (Indictment,
13 July 2018), Criminal Action No. 00215 (ABJ), para. 28 (The Mueller Indictments),
https://d3i6fh83elv35t.cloudfront.net/static/2018/07/Muellerindictment.pdf.
15. Nicaragua Case, para 205.
16. Ibid., paras 257–259.
17. U.S. Department of Homeland Security, “Election Security,”
https://www.dhs.gov/topic/election-security.
18. See also: U.K. Cabinet Office, National Security Capability Review, March
28, 2018, 34
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/705347/6.4391_CO_National-Security-Review_web.pdf;
For Sweden see: Government Offices of Sweden, Ministry of Justice, “National
Strategy for Society Information and Cyber Security,” June 2018, 6–7.
https://www.government.se/4ac8ff/contentassets/d87287e088834d9e8c08f28d0b9dda5b/a-national-cyber-security-strategy-skr.-201617213;
Sean Kanuck, Global Commission on
the Stability of Cyberspace, “Protecting the Electoral Process and its Institutions,”
January 2018, https://cyberstability.org/research/.
19. For example, the U.S. ODNI Report 2017, says that Russia’s actions “repre-
sented a significant escalation in directness, level of activity and scope of effort.”
20. See also: Patrick Thornberry, “The Democratic or Internal Aspect of Self-
Determination with Some Remarks on Federalism” in Modern Law of Self-Deter-
mination, edited by Christian Tomuschat (Dordrecht, Boston and London: Martinus
Nijhoff, 1992), 101.
21. According to Universal Declaration of Human Rights, Article 21(3): “[t]he
will of the people shall be the basis of the authority of government.” See: U.N. Gen-
eral Assembly Res., Universal Declaration of Human Rights, December 10, 1948,
183rd Plenary Meeting, U.N. Doc. 217A (III).
22. Rosenau, for example, speaks about a sharp break with conventional patterns
of behavior. See: James N. Rosenau, “Intervention as a Scientific Concept,” Journal
of Conflict Resolution 13, no. 2 (1969): 149–171, 162–163.
23. Nicaragua Case, para 205.
24. For cyber espionage, see also: Russell Buchan, Cyber Espionage and Interna-
tional Law (Hart, 2018), 48–69.
25. According to Rosenau, intervention is addressed to “the authority structure
of the target society-that is, to the identity of those who make the decisions that
are binding for the entire society and/or to the processes through which such deci-
sions are made. New foreign policy initiatives designed to modify the behavior of
voters abroad are thus likely to be regarded as interventionary even though equally
extensive efforts to modify the behavior of tourists in the same country are not”:
Rosenau, “Intervention as a Scientific Concept,” 149–171, 163; Myres S. McDougal
and Florentino P. Feliciano, “International Coercion and World Public Order: The
General Principles of the Law of War,” The Yale Law Journal 67 (1957): 771, 793:
“The use of the ideological instrument commonly involves the selective manipula-
tion and circulation of symbols, verbal or nonverbal, calculated to alter the patterns
of identifications, demands and expectations of mass audiences in the target-state and
thereby to induce or stimulate politically significant attitudes and behavior favorable
to the initiator-state”; Contra see: Duncan Hollis, “The Influence of War; The War for
Influence,” Temple International and Comparative Law Journal 32 (2018): 31, 41.
26. Nicaragua Case, para 241.
27. According to the ODNI Report 2017, the target was the Democratic candidate.
Also, “Russia collected on some Republican-affiliated targets but did not conduct a
comparable disclosure campaign”; Mueller Indictments.
28. Mueller’s indictments, for example, reveal the systematic and widespread
nature of Russian activities.
29. McDougal and Feliciano, supra note 25, 782–783.
30. Philip N. Howard, Bharath Ganesh, Dimitra Liotsiou, John Kelly and Camille
François, “The IRA, Social Media and Political Polarization in the United States,
2012–2018.” Working Paper 2018 (University of Oxford), which provides data about
the activities of Russia’s Internet Research Agency.
BIBLIOGRAPHY
Bay, Sebastian, and Guna Šnore. 2019. “Protecting Elections: A Strategic Communi-
cations Approach.” NATO Strategic Communications Centre of Excellence, June
2019. https://www.stratcomcoe.org/download/file/fid/80396.
Brattberg, Erik, and Tim Maurer. 2018. “Russian Election Interference: Europe’s
Counter to Fake News and Cyber Attacks.” Carnegie Endowment for International
Peace, May 23, 2018.
https://carnegieendowment.org/2018/05/23/russian-election-interference-europe-s-counter-to-fake-news-and-cyber-attacks-pub-76435.
Buchan, Russell. 2012. “Cyber Attacks: Unlawful Uses of Force or Prohibited Inter-
ventions?” Journal of Conflict and Security Law, 17(2): 212–227.
Buchan, Russell. 2018. Cyber Espionage and International Law. Bloomsbury: Hart
Publishing.
Cassese, Antonio. 1995. Self-Determination of Peoples: A Legal Reappraisal. Cam-
bridge: Cambridge University Press.
Crawford, James. 2007. The Creation of States in International Law. Oxford: Oxford
University Press.
Egan, Brian J. 2017. “International Law and Stability in Cyberspace.” Berkeley Jour-
nal of International Law, 35(1): 169.
EU vs Disinfo. 2019. “Methods of Foreign Electoral Interference.” April 2, 2019.
https://euvsdisinfo.eu/methods-of-foreign-electoral-interference/.
European Commission. 2018. “A Multi-Dimensional Approach to Disinformation:
Report of the Independent High Level Group on Fake News and Online Disinfor-
mation.” Publications Office of the European Union.
Galante, Laura, and Shaun Ee. 2018. “Defining Russian Election Interference: An
Analysis of Select 2014 to 2018 Cyber Enabled Incidents.” Atlantic Council,
New York Times. 2017. Full Transcript and Video: James Comey’s Testimony on
Capitol Hill. New York Times, June 8, 2017. https://www.nytimes.com/2017/06/08/
us/politics/senate-hearing-transcript.html.
Ohlin, Jens D. 2016. “Did Russian Cyber Interference in the 2016 Election Violate
International Law.” Texas Law Review, 95: 1579.
Ohlin, Jens D. 2018. “Election Interference: The Real Harm and the Only Solution.”
Cornell Law School Research Paper, No. 18–50: 1–26.
P. R. C., Permanent Mission to the U.N. 2013. Statement By Ms. Liu Ying of the
Chinese Delegation at the Thematic Debate on Information and Cyber Security
at the First Committee of the 68th Session of the UNGA, October 30, 2013.
www.china-un.org/eng/hyyfy/t1094491.htm.
Rosenau, James N. 1969. “Intervention as a Scientific Concept.” Journal of Conflict
Resolution, 13(2): 149–171.
Schmitt, Michael N. (ed). 2017. Tallinn Manual 2.0 on the International Law Appli-
cable to Cyber Operations, 2nd edn. Cambridge: Cambridge University Press.
Sweden, Government Offices of Sweden, Ministry of Justice. 2018. “National
Strategy for Society Information and Cyber Security.” June 2018.
https://www.government.se/4ac8ff/contentassets/d87287e088834d9e8c08f28d0b9dda5b/a-national-cyber-security-strategy-skr.-201617213.
Thornberry, Patrick. 1992. “The Democratic or Internal Aspect of Self-Determination
with Some Remarks on Federalism.” In Modern Law of Self-Determination, edited
by Christian Tomuschat. Dordrecht, Boston and London: Martinus Nijhoff.
Tsagourias, Nicholas. 2012. “Cyber attacks, Self-Defence and the Problem of Attri-
bution.” Journal of Conflict and Security Law, 17(2): 229–244.
Tsagourias, Nicholas. 2012. “The Tallinn Manual on the International Law Applica-
ble to Cyber Warfare: A Commentary on Chapter II—The Use of Force.” Yearbook
of International Humanitarian Law, 15: 19–43.
U.K. Attorney General’s Office. 2018. Cyber and International Law in the 21st
Century, May 23, 2018.
https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century.
U.K. Cabinet Office. 2018. National Security Capability Review. March 28, 2018.
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/705347/6.4391_CO_National-Security-Review_web.pdf.
U.N. General Assembly Res. 1948. Universal Declaration of Human Rights, Decem-
ber 10, 1948, 183rd Plenary Meeting, U.N. Doc. 217A (III).
U.N. General Assembly Res. 1965. Declaration on the Inadmissibility of Intervention
in the Domestic Affairs of States and the Protection of Their Independence and
Sovereignty, December 21, 1965, U.N. Doc. A/RES/20/2131 (XX), Annex.
U.N. General Assembly Res. 1970. Declaration on Principles of International Law
Concerning Friendly Relations and Co-Operation among States in Accordance
with the United Nations, October 24, 1970, U. N. Doc. A/RES/2625 (XXV), Annex.
U.N. General Assembly. 1964. Consideration of Principles of International Law
Concerning Friendly Relations and Co-Operation Among States in Accordance
with the Charter of the United Nations, Report of the Special Committee on Prin-
ciples of International Law Concerning Friendly Relations and Co-Operation
Among States, November 16, 1964, 19th sess., U.N. Doc. A/5746.
U.N. General Assembly. 1966. International Covenant on Civil and Political Rights
“ICCPR” (Concluded December 16, 1966, entered into force March 23, 1976) 999
UNTS 171.
U.N. General Assembly. 2013. Group of Governmental Experts on Developments in
the Field of Information and Telecommunications in the Context of International
Security, June 24, 2013, 68th sess., U.N. Doc. A/68/98.
U.N. General Assembly. 2015. Group of Governmental Experts on Developments in
the Field of Information and Telecommunications in the Context of International
Security, July 22, 2015, 17th sess., U.N. Doc. A/70/174.
U.S. Department of Homeland Security and Office of the Director of National
Intelligence. 2016. “Joint Statement from the Department of Homeland Security and
Office of the Director of National Intelligence on Election Security”. DHS Press
Office.
https://www.dhs.gov/news/2016/10/07/joint-statement-department-homeland-security-and-office-director-national.
U.S. Department of Homeland Security. “Election Security”. https://www.dhs.gov/
topic/election-security.
U.S. District Court, District of Columbia, United States v. Internet Research Agency
LLC et al, (Indictment, February 16, 2018), Criminal Action No. 00032 (DLF)
and United States v. Victor Borisovich Netyksho et al (Indictment, July 13, 2018),
Criminal Action No 00215 (ABJ). https://d3i6fh83elv35t.cloudfront.net/static/
2018/07/Muellerindictment.pdf.
U.S. Office of the Director of National Intelligence. 2017. “Background to ‘Assessing
Russian Activities and Intentions in Recent US Elections’: The Analytic Process
and Cyber Incident Attribution” in Assessing Russian Activities and Intentions in
Recent US Elections. ICA 2017–01, January 6, 2017. https://www.dni.gov/files/
documents/ICA_2017_01.pdf.
U.S., The White House. 2017. National Security Strategy of the United States of
America. December 2017. Washington, DC. https://www.whitehouse.gov/wp-
content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf.
Vilmer, J.B. Jeangène, Alexandre Escorcia, Marine Guillaume, and Janaina Herrera.
2018. “Information Manipulation: A Challenge for Our Democracies, Report by
the Policy Planning Staff (CAPS) of the Ministry for Europe and Foreign Affairs
and the Institute for Strategic Research (IRSEM) of the Ministry for the Armed
Forces.” August 2018. Paris.
Vincent, John. 1974. Non Intervention and International Order. Princeton, NJ: Princ-
eton University Press.
Watts, Sean. 2015. “Low-Intensity Cyber Operations and the Principle of Non-Inter-
vention.” In Cyber War: Law and Ethics for Virtual Conflicts, edited by Jens David
Ohlin, Kevin Govern and Claire Finkelstein. Oxford: Oxford University Press.
Watts, Sean. 2016. “International Law and Proposed US Responses to the DNC
Hack.” Just Security, October 14, 2016.
https://www.justsecurity.org/33558/international-law-proposed-u-s-responses-d-n-c-hack/.
Zetter, Kim. 2014. “Sony Got Hacked Hard: What We Know and Don’t Know So
Far.” Wired, March 12, 2014. https://www.wired.com/2014/12/sony-hack-what-
we-know/.
Chapter 4
Violations of Territorial
Sovereignty in Cyberspace—an
Intrusion-based Approach
Przemysław Roguski
Ever since the Treaty of Westphalia established the modern legal order, the
sovereignty of states has been one of the foundational principles of public
international law. The principles of state sovereignty and sovereign equality have
been reaffirmed in Art. 2(1) of the United Nations Charter and form the
bedrock of the post–World War II international legal order. This legal order,
conceived in a time when global computer networks carrying information across
continents in seconds and making it available without regard for location and
geographical distance were but a distant dream, must evolve to account for
new technological developments such as the rise of information and
communication technologies (ICTs), which link states and people closer together
through cyberspace. Faced with a new medium with unique characteristics
of ubiquity and aterritoriality of information, states as the principal actors of
the international legal order had to decide whether this new medium—cyberspace—is
a unique “space,” requiring a different set of rules governing state
rights and state behavior, or whether existing rules of international law still apply.
Gradually, a consensus has begun to form around the proposition that
rules and principles of international law, as enshrined in the UN Charter,
apply in cyberspace. As the former legal adviser to the US Department of
State, Harold Koh, put it: “cyberspace is not a ‘law-free’ zone where anyone
can conduct hostile activities without rules or restraint. (. . .) States conduct-
ing activities in cyberspace must take into account the sovereignty of other
states” (Koh 2012, 3, 6). This consensus has been cemented through the work
of the United Nations Group of Governmental Experts on Developments in
the Field of Information and Telecommunications in the Context of Interna-
tional Security (GGE), which in 2013 and 2015 issued two reports detailing
the rules and principles of international law applicable to state behavior
Rule 4 of the Tallinn Manual 2.0 states that “[a] State must not conduct cyber
operations that violate the sovereignty of another State” (Schmitt and Vihul
2017c, 17). It is based on the assumption that the international legal order
contains, apart from the prohibition on the use of force and the prohibition of
intervention into the internal affairs of other states, a separate norm requiring
respect for the (territorial) sovereignty of other states, which may be violated
through the performance of certain cyber activities within other states’ territo-
ries without their consent. However, the existence of such a rule has recently
been put into question—at least with respect to activities in cyberspace. In his
Chatham House speech of May 23, 2018, the attorney general of the United
Kingdom, Jeremy Wright QC MP, stated that he is “not persuaded that
we can currently extrapolate from [the] general principle [of sovereignty] a
specific rule or additional prohibition for cyber activity beyond that of a
prohibited intervention. The UK Government’s position is therefore that there
is no such rule as a matter of current international law” (Wright 2018). The
United Kingdom has been the first state to officially articulate its doubts as to
the existence of a rule of territorial sovereignty in such clear terms, but this
position seems to reflect earlier arguments brought forth by (at least) some
branches of the US government. The then legal adviser to the US Department
of State, Brian Egan, noted that “cyber operations involving computers
located on another State’s territory do not constitute a violation of
international law. (. . .) This is perhaps most clear where such activities in another
State’s territory have no effects or de minimis effects” (Egan 2016).
Furthermore, as has been reported by some authors (Watts and Richard 2018, 859;
Schmitt and Vihul 2017a, 1641), on January 19, 2017, the outgoing general
counsel of the US Department of Defence issued a memorandum on the
“International Law Framework for Employing Cyber Capabilities in Military
Operations.” The memo—which is not publicly available and whose content
the present author can therefore only assess through secondary sources—reportedly
stated that sovereignty is not a rule but a “baseline principle”
which undergirds other binding rules of international law such as the
prohibition on the use of force and the prohibition of intervention (Schmitt and Vihul
2017a, 1642). The 2017 DoD memo’s position seems to be shared by some
American authors, including authors who at the time of writing are
working for US Cyber Command (Corn and Taylor 2017; Corn and Jensen 2018).
dispersed locations (Corn and Jensen 2018). States wishing to protect their
cyber infrastructure from such threats, therefore, need to be able to counter
cyberattacks regardless of their starting location. The sovereignty-as-a-rule
approach would create “unworkable hurdles to States conducting such limited
but potentially important operations” (Corn 2017).
According to the lack-of-state-practice argument, sovereignty is a baseline
principle of international law, from which other, more concrete prohibitive
rules of international law flow. These rules, such as the prohibition on the use
of force and the prohibition of intervention, exist as customary international
law, because they are evidenced by a sufficiently uniform and universal prac-
tice and opinio iuris of states, and/or have been codified in the United Nations
Charter. Below the threshold of these two rules, “international law does not
obligate other states to refrain from all activities that might infringe upon or
operate to the prejudice of the territorial state’s internal sovereignty” (Corn and
Taylor 2017, 209). Evidence of this is to be seen in the fact that states conduct
espionage operations within the territory of other states, yet international law
does not prohibit espionage as such (Corn and Taylor 2017, 209). Moreover,
one cannot find evidence of one single universal rule of territorial sovereignty,
as the content of rights in relation to a particular territory varies depending on
which domain (land, sea, air, space) is affected. While access to airspace is
severely restricted, and entry without consent is a serious violation of
international law which may lead to grave consequences (as has most recently been
evidenced by the shootdown of a Russian fighter jet by the Turkish army for
violating Turkish airspace), international law allows the innocent passage of
warships through the territorial sea of states and, in the case of space, orbiting
objects do not violate the airspace or territory of the states they overfly (Corn and
Taylor 2017, 210). In consequence, given that no separate regime of restricted
access to a state’s cyberspace domain (below the thresholds of use of force and
intervention) has yet developed, states are free to act as they wish by virtue of
their sovereignty, as has been found by the PCIJ in the Lotus case (S.S. Lotus
[Fr. v. Turk.], 1927 P.C.I.J. Rep. [ser. A] No. 10, at 18).
In the author’s view, both arguments are to be rejected. They disregard
long-standing jurisprudence of the PCIJ and ICJ, do not take account of more
recent state practice, and are based on a false understanding of the so-called
Lotus doctrine whereby states have unlimited freedom of action barring a
prohibitive rule of international law.
[Nicar. v. U.S.], Judgment, 1986 I.C.J. Rep. 14, para. 251). What becomes
clear from this brief overview is, therefore, that sovereignty is not only a prin-
ciple, from which other more specific rules are derived, but that sovereignty
demands respect for the supreme authority of a state within its territory and
as such forms itself a prohibitive rule of international law. Territorial sover-
eignty is, therefore, a “baseline rule” derived from general international law
(Watts and Richard 2018, 859), which reflects the structural framework of
international law for the exercise of state sovereignty in order “to ensure the
co-existence of independent communities and facilitate the achievement of
common aims” (Hertogen 2015, 912). As Judge Shahabuddeen has noted in
his dissent in the Nuclear Weapons advisory opinion: “It is difficult (. . .) to
uphold a proposition that, absent a prohibition, a State has a right in law to
act in ways which could deprive the sovereignty of all other States of mean-
ing” (Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion,
Dissenting Opinion of Judge Shahabuddeen, 1996 I.C.J. Rep. 226, 393–394).
but not extreme, impact fall below the threshold of armed attack, but may
nevertheless constitute other internationally wrongful acts such as
intervention, violation of sovereignty or use of force (“les actions correspondant à
ces niveaux pourraient néanmoins constituer d’autres faits internationaux
illicites [intervention, violation de la souveraineté, usage de la force, etc.]”)
(Secrétariat général de la défense et de la sécurité nationale 2018, 80). This
view is elaborated upon in the declaration on “International Law Applicable
to Operations in Cyberspace” (“Droit international appliqué aux opérations
dans le cyberespace”), published by the Ministry of Defence on 9 September
2019. The document argues that since France has sovereignty over ICT
systems located within its territory, any cyberattack—defined as an operation
which breaches the confidentiality, integrity, or availability of the targeted
system—constitutes at minimum a violation of sovereignty, if attributable to
another state. Such a violation occurs not only when effects are produced on
French territory, but already when there is a penetration of French computer
systems (Ministère des Armées 2019, 6–7).
Similarly, the GGE consensus reports clearly conclude that states have
jurisdiction over ICT infrastructure located within their territory (United
Nations General Assembly 2015, para. 28[a]). States regularly assert
jurisdiction, both civil and criminal, over activities within their cyber infra-
structure. For example, on July 13, 2018, the US Special Counsel filed an
indictment of twelve Russian intelligence officers alleged to have hacked the
servers of the Democratic National Committee and thus to have committed
computer-related offenses within the United States (United States vs. Netyk-
sho et al., US District Court for the District of Columbia, Case No. 1:18-cr-
00215-ABJ, filed July 13, 2018). It is thus clear that states treat activities
within their cyber infrastructure as falling into the territorial confines of their
sovereignty (some states even speak of “national cyberspace,” e.g., the Pol-
ish cybersecurity strategy “Polityka Ochrony Cyberprzestrzeni Rzeczpospo-
litej Polskiej” [Ministerstwo Administracji i Cyfryzacji 2013]), even though
some states may deny the existence of a rule of territorial sovereignty. In the
author’s view, it follows from sovereignty over ICT devices that sovereign
activities conducted within the cyber infrastructure located on the territory of
other states violate their territorial sovereignty if they constitute an exercise
of power without the consent of the affected state.
In summary, it may very well be that the rule of territorial sovereignty in
cyberspace will have to adapt for the (perceived) aterritoriality of the logical
and social layers of cyberspace, the loss of distance typical for geographical
territory and the ease of access this structural characteristic of cyberspace
presents to malicious cyber actors. The practical necessity of defending
against threats originating from multiple locations and using cyber infra-
structure located in various states, coupled with the currently slow process of
territory. As the UN GGE noted in its two reports, states have jurisdiction
over the ICT infrastructure located within their territory (United Nations
General Assembly 2015, para. 28[a]) and they do assert their jurisdiction
over actions performed by individuals as well as agents of other states. If
the agents of a state perform cyber operations within the cyber infrastructure
of another state in ways other than the intended use of said cyber infrastruc-
ture, that is, by violating the information security of computer systems, they
exercise state power vis-à-vis cyber infrastructure under the jurisdiction of
another state. Thereby they actively change the functioning of computer sys-
tems within the sphere of authority of another state and thus exercise a power
which, by virtue of the principle of sovereignty, should remain exclusively
with that state.
Secondly, if the violation of territorial integrity depended on the manifesta-
tion of physical effects, states would not have a legal remedy against cyber
operations which are in their preparatory stages or ongoing. Looking at the
technical side of cyber operations, one sees that conducting offensive cyber
operations requires several preparatory steps: identifying a target, choosing
the appropriate attack vector, bypassing the security of the attacked computer
system and finally conducting the intended activity. There are many
analytical models describing the various steps of a cyber operation and its effects
(Smeets 2017, 30; CCHS 2016, 5; Ducheine 2015, 230), but one of the most
common models—the so-called Cyber Kill Chain, developed by employees
of the Lockheed Martin Corporation—divides cyber operations into seven
phases: Reconnaissance, Weaponization, Delivery, Exploitation,
Installation, Command and Control and Action on objective (Hutchins, Cloppert and
Amin 2011, 5). During the reconnaissance phase, the attacker identifies and
selects potential targets. Information about the target can be collected from
many sources: from open-source intelligence through secret intelligence
sources, to the scanning of computer systems (for a detailed description see
Maybaum 2013, 217–219). After identifying the proper target and its vulner-
abilities, the attackers can gain access to the targeted system (delivery and
exploitation phases). This can happen remotely (in so-called remote-access
cyber operations, e.g., by sending an infected message to the victim’s mail-
box) or directly (in so-called close-access cyber operations, e.g., by install-
ing malicious software directly on the target system by the agent, vendor)
(Owens and ors. 2009, 87). Most often, malicious code installed after gaining
access does not yet contain the proper harmful payload but is used for self-
replication and “raising the drawbridge” through which the system will be
accessed and further payloads will be installed. In many cases, the installed
code is a so-called Remote Access Tool (RAT), which makes contact with
the command and control server and waits for further commands from the
attackers (Maybaum 2013, 122).
AN INTRUSION-BASED APPROACH TO
VIOLATIONS OF TERRITORIAL SOVEREIGNTY
Since computer crimes and state cyberattacks share the same techni-
cal characteristics and the forensic analysis of both types of attacks is the
same—the difference lying only in the attribution of the action constituting
a computer crime to a state actor, thus subjecting it to international rather
than (only) national law—the present author proposes to use the criterion
of computer intrusion or interference to assess the moment state power is
exercised in the territory (cyber infrastructure) of another state. This means
that whenever a foreign state damages, deletes, deteriorates, alters, or sup-
presses data stored on a computer system within the territory of another state
(compare Art. 4 Cybercrime Convention), this action would be regarded as
an exercise of state power and thus a violation of the territorial sovereignty
of the targeted state.
The criterion of “intrusion,” closely related to the integrity of data stored
on a computer system, does not encompass every action of a state in foreign
networks. For instance, intrusion does not mean the regular use of cyberspace
infrastructure for its intended purposes, as no damage to or alteration of
data is being done in this process. This is true even for actions undertaken
with malicious intent, such as port scanning for the purposes of reconnais-
sance and preparation of a cyberattack in the future. Since the scanning of
ports is possible without interference with data stored in a network due to the
technical design and functioning of global networks such as the Internet and
states allow the use of their ICT infrastructure for the purposes of informa-
tion transfer, regular usage, even including the routing of cyber operations
through foreign infrastructure, would therefore not violate territorial sover-
eignty. Similarly, even gaining access to a computer network without proper
authorization (i.e., breaching the confidentiality of a computer system or net-
work, for instance through phishing) would not constitute an intrusion under
the proposed test as the integrity of data stored within the system would not
be compromised. The present author submits that the focus on the integrity
(rather than the confidentiality or availability) of a computer system or data
stored therein is justified, as it is the interference with the functioning of a
computer system in the territory of another state—for example, the deletion
or alteration of data, the implantation of malware or remote access tools, or the use
of the computer system to cause effects on systems or processes controlled by
that computer—which bears the closest resemblance to the exercise of state
power in the traditional sense.
The proposed intrusion-based approach would have several advantages
over the no-sovereignty approach advocated by the UK attorney general
(Wright 2018) or the effects-based approach proposed by the Tallinn Man-
ual 2.0 (Schmitt and Vihul 2017c). First, with respect to the sovereignty-
as-a-principle view, it respects established international jurisprudence and
international law, which is, in the view of the present author, unequivocal
on this point. Secondly, with respect to the Tallinn Manual 2.0 approach,
focusing on a technical, rather than an effects-based, criterion has the
advantage of forensic clarity and predictability, thus enhancing legal
certainty. Whereas a successful hacking operation may not produce any
physical effects at all or these effects may not manifest for some time, under
the intrusion-based approach it is the hacking itself which constitutes the
violation of sovereignty. The affected state would thus not have to wait for
physical effects to emerge—or to be severe enough—to be legally entitled
to enact countermeasures. Thirdly, the close resemblance of the intrusion
criterion to the legal framework regulating computer crimes would allow
states to rely on technical expertise and procedures established by law
enforcement. In other words—the terrain would be more familiar. And
lastly, treating computer intrusions as violations of sovereignty would truly
establish territorial sovereignty as the “baseline” norm (Watts and Richard
2018) in cyberspace, thus creating a predictable framework of primary
norms and norms-imposing consequences for their breach (such as counter-
measures) and could therefore enhance the stability of cyberspace through
clear legal principles.
The approach proposed in this chapter has recently gained prominent sup-
port in the form of the French declaration on “International Law Applicable
to Operations in Cyberspace,” which was published after the submission
date of this article and thus can only be briefly referred to. In this document,
France argues that a violation of sovereignty may already exist when there is
a penetration of computer systems under the sovereignty of France (Ministère
des Armées 2019, 6–7). Given that a penetration occurs when there is a
breach of the information security, that is, the confidentiality, integrity, or
availability, of the targeted system, it is similar to the criterion of intrusion
proposed in this article.
CONCLUSION
BIBLIOGRAPHY
Ministère des Armées. 2019. “Droit International appliqué aux opérations dans le
cyberespace.” https://www.defense.gouv.fr/content/download/565895/9750877/file/Droit+internat+appliqué+aux+opérations+Cyberespace.pdf.
Owens, William A., Kenneth W. Dam, Herbert S. Lin, and National Research Coun-
cil. 2009. Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use
of Cyberattack Capabilities. The National Academies Press.
Pirker, Benedikt. 2013. “Territorial Sovereignty and Integrity and the Challenges of
Cyberspace.” In Peacetime Regime for State Activities in Cyberspace, edited by
Katharina Ziolkowski, 189–216. Tallinn: NATO CCD COE Publications.
Riedel, Norbert. 2015. “‘Cyber Security as a Dimension of Security Policy.’ Speech
by Ambassador Norbert Riedel, Commissioner for International Cyber Policy,
Federal Foreign Office, Berlin, at Chatham House, London.” London.
https://www.auswaertiges-amt.de/en/newsroom/news/150518-ca-b-chatham-house/271832.
Roguski, Przemysław. 2019. “Layered Sovereignty: Adjusting Traditional Notions of
Sovereignty to a Digital Environment.” In 11th International Conference on Cyber
Conflict: Silent Battle, edited by Tomáš Minárik, Siim Alatalu, Stefano Biondi,
Massimiliano Signoretti, Ihsan Tolga, and Gábor Visky, 1–13. Tallinn: NATO
CCD COE Publications. https://doi.org/10.23919/cycon.2019.8756900.
Schmitt, Michael N. 2018. “International Cyber Norms: Reflections on the Path
Ahead.” Militair Rechtelijk Tijdschrift 111 (3 Cyber Special): 12–20.
Schmitt, Michael N., and Liis Vihul (eds.). 2017c. Tallinn Manual 2.0 on the Inter-
national Law Applicable to Cyber Operations. Cambridge: Cambridge University
Press.
Schmitt, Michael N., and Liis Vihul. 2017a. “Respect for Sovereignty in Cyber-
space.” Texas Law Review 95: 1639–1670.
Schmitt, Michael N., and Liis Vihul. 2017b. “Sovereignty in Cyberspace: Lex Lata
Vel Non?” AJIL Unbound 111: 213–218.
Secrétariat général de la défense et de la sécurité nationale. 2018. “Revue stratégique
de cyberdéfense.” http://www.sgdsn.gouv.fr/uploads/2018/02/20180206-np-revue-cyber-public-v3.3-publication.pdf.
Smeets, Max. 2017. “Organisational Integration of Offensive Cyber Capabilities:
A Primer on the Benefits and Risks.” In 9th International Conference on Cyber
Conflict: Defending the Core, edited by Henry Roigas, R. Jakschis, L. Lindström,
and T. Minárik, 25–42. Tallinn.
Tsagourias, Nicholas. 2015. “The Legal Status of Cyberspace.” In Research Handbook
on International Law and Cyberspace, edited by Nicholas Tsagourias and
Russell Buchan, 13–29. Cheltenham: Edward Elgar Publishing.
U.S. Department of Justice—Computer Crime and Intellectual Property Section.
2010. “Prosecuting Computer Crimes Manual.” Washington, DC.
https://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf.
United Nations General Assembly. 2013. Report of the Group of Governmental
Experts on Developments in the Field of Information and Telecommunications in
the Context of International Security. UN Doc. A/68/98.
United Nations General Assembly. 2015. Report of the Group of Governmental
Experts on Developments in the Field of Information and Telecommunications in
the Context of International Security. UN Doc. A/70/174.
Watts, Sean, and Theodore Richard. 2018. “Baseline Territorial Sovereignty and
Cyberspace.” Lewis & Clark Law Review 22 (3): 803–872.
Wilske, Stephan. 2012. “Abduction, Transboundary.” In Max Planck Encyclopaedia
of Public International Law, edited by Rüdiger Wolfrum. Oxford, NY: Oxford
University Press.
Wright, Jeremy. 2018. “Cyber and International Law in the 21st Century.” London.
https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century.
Chapter 5
86 Xymena Kurowska
can help to reform their effort. The rather urgent political question, in this
context, involves how to smartly counteract being cast as a villain by Russia’s
narrative about the post-liberal world. In other words, the question concerns
how to offer an appealing and inclusive alternative.
The short answer to what Russia wants in and through cyber diplomacy is
twofold. First, cyberspace promises Russia respect (уважение/uvazheniye),
not only at the well-cultivated regional level, but, potentially, globally. It
affords status recognition that Russia lost and has craved to regain since the
unsuccessful attempt to integrate into the liberal world order in the early
1990s. Status thirst is, however, difficult to engage with in politics. It is a
moving target and the approaches of Western countries are likely to “fall
below Moscow’s expectations to be treated as it feels it deserves” (Schmitt
forthcoming, 20). Second, the long-standing priority of Russia’s cyber diplo-
macy is “to create conditions [emphasis mine] for promoting internationally
the Russian initiative to develop and adopt a Convention of International
Information Security by United Nations Member States” (Security Council
2013). The lex specialis for the cyber domain may not yet be realistic, in other
words, but Russia is working to prepare the ground for it.
“The like-minded” tend to justify their objection to an international cyber
treaty by reference to the consensus that existing international law applies
in cyberspace, which, supported by the norms of responsible state behavior,
is sufficient to defend “the rules-based international order” in cyberspace.
Negotiations over a new binding instrument would, in this context, only
divert efforts from implementing what is already agreed upon; they would
draw the world into an unnecessary, lengthy, and divisive struggle, and, as
emphasized particularly in US discourse, hinder technological development
(Rõigas 2015). Russia’s advocacy for the treaty relies on the claim to defend
the international order in its classic version where binding legal instruments
are a traditional form of regulation. An international cyber treaty is also
portrayed as a means to curb the liberal international order which legitimizes
intervention into the domestic makeup of states, and thus a tool against the ad
hoc decisions by the strong.
What Does Russia Want in Cyber Diplomacy? 89
RUSSIA’S COMEBACK AS “A
RESPONSIBLE CYBER POWER”
2018). The role gives a shiny and topical veneer to an anachronistic under-
standing of the international order, reasserting Russia’s special responsibility
as the permanent member of the UN Security Council for shaping global
cooperation and maintaining peace and security. The distinct advantage of
the cyber domain is that it is highly “actionable.” Nuclear weapons are,
ultimately, not to be used; the international community has even managed to
create a taboo over such potential use (Tannenwald 1999). By contrast, cyber-
space means of disruption and interference may be, and are, in common use.
In rhetoric, Russia’s chief preoccupation is then with the militarization of
cyberspace, which adds urgency to global Internet regulation. In practice,
cyber diplomacy provides Russia with a global platform for uploading its
long-cultivated regional effort to counter the liberal world order. The fre-
quency of cyberattacks and scandals, like that of the Snowden and Cambridge
Analytica revelations, bolster Russia’s claim of cyberspace as dangerous and
lacking proper “rules-of-the-road.” The growing populist sentiment at the
global level further plays into the hands of the Kremlin, which has the ideo-
logical and operational resources to tap into this sentiment as a new structur-
ing force in international politics. A key discourse in this respect is Russia’s
broad agenda of defending international law and democratizing international
relations, read containing the US hegemony, revamped in the rhetoric of
fighting digital inequality.
There is a missing link in the debate over whether international law applies
in cyberspace. The explicit consensus that it does, indeed, apply is marked by
different understandings of the role of international law as such.6 The consen-
sus is, therefore, hardly a reason to celebrate. The recent recommendation that
national governments append to UN GGE reports their explanation of how
international law applies in cyberspace is a move toward clarification. It will
not, however, eradicate fundamental differences in interpretation.
The Kremlin interprets international law as the body of rules and conven-
tions that govern relations between the major powers. Formally speaking, this
reflects a procedural and pluralist understanding of international law as a par-
ticular kind of a legal system, with a commitment to legality in international
politics as an end in itself rather than a means toward an end beyond itself
(Collins 2019, 196). This traditional positivist notion contrasts with a model
of international law as a way to judge, in terms of its “functional capacity to
actually pre-empt political choices and realise agreed-upon objectives” (Ibid).
In other words, for Moscow, international law regulates relations between
each other’s domestic practices and cultures. The principle is not politically
neutral; the pole exerts the normative, as well as political, influence. The
principle is rather intended “to chip away at the authority of Western forms
of order and empower regimes to dismiss liberal norms as intrusive and inap-
propriate for their culture” (Cooley 2019, 22).
Multipolarity is often conflated with multilateralism in Russian diplomacy,
to the extent that it baffles external observers. Russia approaches international
institutions as equalizers of liberal hegemony and as a means of guarding
its own sovereignty, not as components of transnational regimes generating
global governance, which contravenes sovereignty, or makes it “conditional.”
The insistence on the UN’s central and coordinating role in world politics
should be read in this light: It reasserts collective leadership by major powers
through the Security Council, as fixed in 1945. It also constitutes a balancing
mechanism to both prevent an imposition with regard to domestic governance
and curb a unilateral action based solely on national interest (i.e., the US
interest).
International law and international norms are crucial to maintaining this
system, hence Russia’s whole-hearted commitment to them. They do so dif-
ferently from how they are envisaged in the liberal paradigm, however. As
explained above, in the Russian doctrine, international law is understood
procedurally. The international cyber treaty is supposed to target the current
“loose” cyber regime based on the “common law” logic that reflects, enables,
and reproduces the liberal consensus. A dedicated legal instrument estab-
lishes procedural rules of the game, in a supposedly politically neutral man-
ner, to prevent acting on the liberal reflex. International norms, specifically
those such as, for example, sovereignty and multilateral decision-making,
have also been extremely important in the Russian foreign policy discourse
because they help Russia maintain its technically great power status (Hopf
2002, 225). From this position, norms, including cyber norms, must be or
should become binding, as a transitionary step toward codification. The cur-
rent politically, rather than formally, binding character of cyber norms is,
therefore, unsatisfactory for Russia as it reflects the suboptimal state of the
regulation of the cyber domain.8
Norms are not, however, understood in accordance with the liberal idea of
norm diffusion by enlightened norm entrepreneurs, as progressively adopted
across the international community to constitute a uniform social glue and
superior morality (cf. Kurowska 2019). Quite the opposite, in the Russian
doctrine, norms are in place in order to regulate conduct between states of
a different normative makeup, and, to be effective, they need to be formally
binding. This is how Russia interprets the rules and norms of responsible state
behavior in cyberspace. A global value-bound community, which does not
need a binding legal instrument because it can act on a case-by-case basis on
DEMOCRATIZATION À LA RUSSE
that (Andrey Krutskikh cited in Kommersant 2019b, 6). It is the realization
that Russia could not further advance its great power cyber goals within the UN
GGE that led to a major diplomatic swerve in 2018 and the resolution which
launched the OEWG (General Assembly 2018c). From then on, it proceeded to
label the UN GGE as a U.S.-promoted mechanism driven by experts who act
in their personal capacity, which makes it unrepresentative and exclusionary.
The statements about the final draft of the OEWG-launching resolution in
the First Committee on November 8, 2018 demonstrate a successful applica-
tion of “democratization” rhetoric for contesting the liberal order. Russia
denounced the UN GGE, ironically given its role in instantiating the process,
as “the practice of some club agreements [that] should be sent into the annals
of history” (Disarmament and International Security Committee 2018). “The
like-minded” responded with pledges to strengthen capacity building and
envisaging merely a secondary and consultative role for the OEWG in imple-
menting norms created by the UN GGE. This made them politically vulner-
able to charges of maintaining the structural inequality of the global Internet
governance. The Russian portrayal of the OEWG, as, first, providing equal
access to all the UN membership to shape Internet governance decisions, and,
second, as returning sovereign states to the driver’s seat of making such
decisions (Andrey Krutskikh cited in Permanent Mission 2019c, 3), appealed to
concerns over representativeness in non-Western constituencies.
The diplomatic feat of launching the OEWG unsettles the process of global
Internet governance but it will not be easy to exploit. With the OEWG advo-
cacy, Russia seeks to break its own marginalization, yet it can simultaneously
harm its overall objective; that is, achieving an equal status at the table of
those shaping the global governance structures of the Internet. The OEWG
constitutes “a cyber agora” which, in the long run, can provide a platform for
treaty negotiation. But it comes with agora-like politics which cannot be eas-
ily channelled or made conducive to intimate deals among “poles of power,”
something that Russia craves to be involved in.
The diplomatic downfall experienced in November 2019, after the gen-
erally positive atmosphere around the launch of the OEWG in June and
September 2019, shows how the “democratization agenda” is but a tool in the
geopolitics of global Internet governance. The First Committee session on
November 6, 2019 saw, again, two votes over competing resolutions. The
U.S.-sponsored document (General Assembly 2019a) elaborates on and
reasserts the primacy of the UN GGE and concedes to “also welcoming”
rather than only noting the launch of the OEWG. The Russian-sponsored,
and little-consulted, document (General Assembly 2019b) prioritizes the
OEWG while “also welcoming” the UN GGE and underscoring the sta-
tus of both as independent mechanisms under United Nations auspices
that should work in parallel toward peace and stability in ICTs. This
head-on rhetorical confrontation between the two main cyber orators cre-
ates confusion and divisions among “the like-minded.” Caught between
its commitment to working within both the OEWG and the UN GGE and
its allegiance to “the like-minded” vision of cyberspace, the EU abstained
rather than voting against the Russian-sponsored resolution. The explana-
tion of the vote cited “the non-consensus based language” but reaffirmed
the commitment to “work both within the UN GGE and the OEWG in a
complementary and coordinated fashion, to promote and further build on
the cumulative achievements of the previous UN GGEs” (EEAS 2019).
Switzerland, chairing the OEWG, voted in favor. A closer look at the
underpinnings of Russia’s cyber narrative may help better manage the
confusion it generates.
“DIGITALIZATION IS DANGEROUS”—THE
DOCTRINE OF INFORMATION SECURITY
handy especially strongly vis-à-vis colonial legacies and the extractive post-
colonial policies that proliferate in cyberspace. The strategy of empowering
regional organizations as responsible for regional security in accordance
with the UN Charter adds legitimacy to this self-serving endeavor. Many
regional actors recognize the “pragmatist” logic of this rhetoric. Even if
they do not necessarily fall for Russia’s supposedly democratic campaign,
their concern with structural inequality in the international system partially
overlaps with Russia’s agenda. What gets corrupted in the process of align-
ing such positions is the very ideal of decolonization and de-hierarchization.
It is hijacked for Russia’s pursuit of collective leadership by great powers
which will disregard the voices of those structurally disadvantaged in the
system.
CONCLUSION
effective strategy to achieve such aim. Its righteousness also becomes anach-
ronistic in international society, underpinned by normative pluralism and the
contestation of hierarchies, including those created by liberal social norms.
The shift from paternalism to participatory modes of engagement in building
sustainable cyber societies better corresponds to the realities of the contem-
porary world. It builds an alternative, human- rather than security state-based
model of democratization in international relations. The major challenge in
this process is to “de-securitize” the politics of the global governance of the
Internet and reformulate the parameters of the debate about digital society.
NOTES
1. I thank Patryk Pawlak and Mika Kerttunen for detailed comments on this chap-
ter. I would also like to acknowledge research opportunities provided by EU Cyber
Direct Team and non-attributable conversations with national diplomats participat-
ing in the UN processes. I further thank Bibi van den Berg and Dennis Broeders for
numerous textual and terminological suggestions. Philip Conway helped with copy
editing. The views expressed in this chapter are solely mine and I bear responsibility
for any possible mistakes. A version of this paper was first published by EU Cyber
Direct. Reprinted here with permission.
2. See Giles and Hagestad (2013) for an analysis of terminological misunderstand-
ings in the domain of cyber and information security as evident in the policy docu-
ments by Russia, China, United States, and United Kingdom.
3. For an alternative view, see Tikk and Kerttunen (2018).
4. “The rules-based international order” has not been neatly defined but it can be
understood as “a shared commitment by all countries to conduct their activities in
accordance with agreed rules that evolve over time, such as international law, regional
security arrangements, trade agreements, immigration protocols, and cultural arrange-
ments” (Association of Australia 2015, 3).
5. Securitization in international relations is the process of state actors transform-
ing subjects into matters of “security”: an extreme version of politicization that
enables extraordinary means to be used in the name of security (Buzan, Wæver, and
de Wilde 1998, 25). The successful securitization of ICT by the Russian Federation
was noticed by Tikk and Kerttunen (2018, 56, 58).
6. Some authors speak of the Russian version as “a simulacrum or concave mirror
to Western use” (Mälksoo 2015, 185). See Tikk and Kerttunen (2018) for examples
of how specific concepts of international law have been differently understood across
a range of actors participating in the UN GGE.
7. This can also be interpreted as a “pragmatist relation to truth,” which opens
another line of interpretation of the Russian agenda of democratizing international
relations. On the domestic culture of the pragmatic relation to truth as manifested in
pro-Kremlin trolling, see Kurowska and Reshetnikov (2018a).
8. I thank Mika Kerttunen for highlighting this point to me.
BIBLIOGRAPHY
Association of Australia, United Nations. 2015. The United Nations and the Rules-
Based International Order. Accessed November 23, 2019.
https://www.unaa.org.au/wp-content/uploads/2015/07/UNAA_RulesBasedOrder_ARTweb3.pdf.
Astrov, Alexander. 2011. “Great Power Management without Great Powers? The
Russian–Georgian War of 2008 and Global Police/Political Order.” In The Great
Power (mis)Management: The Russian–Georgian War and Its Implications for
Global Political Order, edited by Alexander Astrov, 1–24. Farnham: Ashgate.
Averre, Derek. 2009. “From Pristina to Tskhinvali: The Legacy of Operation Allied
Force in Russia’s Relations with the West.” International Affairs 85 (3): 575–591.
Bull, Hedley. 1977. The Anarchical Society: A Study of Order in World Politics.
London: Macmillan.
Buzan, Barry, Ole Wæver, and Jaap de Wilde. 1998. Security: A New Framework for
Analysis. Boulder, CO: Lynne Rienner.
Casier, Tom. 2006. “Putin’s Policy Towards the West: Reflections on The Nature of
Russian Foreign Policy.” International Politics 43 (3): 384–401.
Chernenko, Elena. 2018. “Russia’s Cyber Diplomacy.” In Hacks, Leaks and Dis-
ruptions. Russian Cyber Strategies, edited by Nicu Popescu and Sergiu Secrieru,
43–49. Paris: EU Institute for Security Studies.
Chernukhin, Ernest. 2019. Mezhdunarodnaya informatsionnaya bezopasnost’: uspe-
khi Rossii v OON [International Information Security: Russia’s Successes at the
UN]. Russian International Affairs Council. Accessed November 23, 2019.
https://russiancouncil.ru/analytics-and-comments/analytics/mezhdunarodnaya-informatsionnaya-bezopasnost-uspekhi-rossii-v-oon/.
Collins, Richard. 2019. “Two Idea(l)s of the International Rule of Law.” Global Con-
stitutionalism 8 (2): 191–226.
Cooley, Alexander. 2015. “Authoritarianism Goes Global: Countering Democratic
Norms.” Journal of Democracy 26 (3): 49–63.
Cooley, Alexander. 2019. “Ordering Eurasia: The Rise and Decline of Liberal Inter-
nationalism in the Post-Communist Space.” Security Studies 28 (3): 588–613.
Creppell, Ingrid. 2011. “The Concept of Normative Threat.” International Theory 3
(3): 450–487.
Disarmament and International Security Committee, General Assembly of United
Nations. 2018. 31st meeting in the 73rd session of the General Assembly. New York.
Dmitry, Dubrovsky. 2017. “Lauri Mälksoo. Russian Approaches to International
Law. Oxford: Oxford University Press, 2015.” Laboratorium: Russian Review of
Social Research 9 (1): 146–151.
EEAS. 2019. “EU Explanation of Vote—United Nations 1st Committee: Information
and Telecommunications in the Context of International Security.”
https://eeas.europa.eu/delegations/un-new-york/70041/eu-explanation-vote-%E2%80%93-united-nations-1st-committee-information-and-telecommunications-context_en.
Franke, Ulrik. 2015. War By Non-Military Means. Understanding Russian Informa-
tion warfare. Swedish Defence Research Agency.
http://johnhelmer.net/wp-content/uploads/2015/09/Sweden-FOI-Mar-2015-War-by-non-military-means.pdf.
General Assembly, United Nations. 2011. International Code of Conduct for Informa-
tion Security. New York: A/66/359.
General Assembly, United Nations. 2018a. Advancing Responsible State Behaviour
in Cyberspace in the Context of International Security. Edited by 1st Committee of
the General Assembly of the United Nations. New York.
General Assembly, United Nations. 2018b. Countering the Use of Information and
Communications Technologies for Criminal Purposes. Edited by 3rd Committee of
United Nations General Assembly. New York.
General Assembly, United Nations. 2018c. Developments in the Field of Information
and Telecommunications in the Context of International Security. Edited by 1st
Committee of United Nations General Assembly. New York: A/RES/73/27.
General Assembly, United Nations. 2019a. Advancing Responsible State Behaviour
in Cyberspace in the Context of International Security. Edited by 1st Committee
of the General Assembly of the United Nations. New York: November 6, 2019.
General Assembly, United Nations. 2019b. Developments in the Field of Information
and Telecommunications in the Context of International Security. Edited by 1st
Committee of the General Assembly of the United Nations. New York: November
6, 2019.
Giles, Keir, and William Hagestad. 2013. “Divided by a Common Language: Cyber
Definitions in Chinese, Russian and English.” 5th International Conference on
Cyber Conflict (CyCon): 1–17.
Kagan, Robert. 2008. The Return of History and the End of Dreams. New York:
Knopf.
Kavanagh, Camino. 2017. The United Nations, Cyberspace and International Peace
and Security. Responding to Complexity in the 21st Century. New York: The
United Nations Institute for Disarmament Research.
Kello, Lucas. 2017. The Virtual Weapon and International Order. New Haven: Yale
University Press.
Klabbers, Jan. 2004. “Constitutionalism Lite.” International Organizations Law
Review 1 (1): 31–58.
Kokoshin, Andrei. 2006. Real’nyi suverenitet v sovremennoi miropoliticheskoi sis-
teme [Real Sovereignty in a World Political System]. Moscow: Evropa.
Kommersant. 2016. “Pora postavit’ deystvennyy zaslon informatsionnoy voyne [It’s
time to put an effective barrier to the information war].” Accessed November 23,
2019. https://www.kommersant.ru/doc/2961578.
Kommersant. 2018. “Rossiya i SSHA peretyagivayut vsemirnuyu pautinu [Russia
and the USA are pulling the World Wide Web].” Accessed November 23, 2019.
https://www.kommersant.ru/doc/3797617.
Kommersant. 2019a. “Ataki na mezhdunarodnoye pravo priobretayut opasnyye
masshtaby [Attacks on international law are becoming dangerous].” Accessed
November 23, 2019. https://www.kommersant.ru/doc/4109238.
Kommersant. 2019b. “Rossii nechego skryvat’ i nechego boyat’sya [Russia has
nothing to hide and nothing to fear].” Accessed November 23, 2019.
https://www.kommersant.ru/doc/3923963.
Koskenniemi, Martti. 2011. The Politics of International Law. London: Hart
Publishing.
Krickovic, Andrej, and Yuval Weber. 2018. “What Can Russia Teach Us About
Change? Status-Seeking as a Catalyst for Transformation in International Politics.”
International Studies Review 20 (2): 292–300.
Kurowska, Xymena, and Anatoly Reshetnikov. 2018a. “Neutrollization: Industrial-
ized Trolling as a Pro-Kremlin Strategy of Desecuritization.” Security Dialogue
49 (5): 345–363.
Kurowska, Xymena, and Anatoly Reshetnikov. 2018b. “Russia’s Trolling Complex
at Home and Abroad.” In Hacks, Leaks and Disruptions: Russian Cyber Strate-
gies, edited by Nicu Popescu and Sergiu Secrieru, 25–32. Paris: EU Institute for
Security Studies.
Kurowska, Xymena. 2014. “Multipolarity as Resistance to Liberal Norms: Russia’s
Position on Responsibility to Protect.” Conflict, Security & Development 14 (4):
489–508.
Kurowska, Xymena. 2019. The Politics of Cyber Norms: Beyond Norm Construction
Towards Strategic Narrative Contestation. Paris: EU Institute for Security Studies.
https://eucyberdirect.eu/content_research/the-politics-of-cyber-norms-beyond-norm-construction-towards-strategic-narrative-contestation/.
Larson, Deborah Welch, and Alexei Shevchenko. 2014. “Russia Says No: Power,
Status, and Emotions in Foreign Policy.” Communist and Post-Communist Studies
47 (3): 269–279.
Lavrov, Sergey. 2016. “Russia’s Foreign Policy in a Historical Perspective.” Russia
in Global Affairs 2. Accessed July 27, 2019.
https://eng.globalaffairs.ru/number/Russias-Foreign-Policy-in-a-Historical-Perspective-18067.
Lavrov, Sergey. 2019. “World at a Crossroads and a System of International Rela-
tions for the Future.” Russia in Global Affairs. Accessed November 11, 2019.
https://eng.globalaffairs.ru/book/World-at-a-crossroads-The-future-system-of-international-relations-20199.
Lo, Bobo. 2015. Russia and the New World Disorder. London and Washington, DC:
Chatham House and Brookings Institution Press.
Makarychev, Andrey, and Viatcheslav Morozov. 2011. “Multilateralism, Multipolar-
ity, and Beyond: A Menu of Russia’s Policy Strategies.” Global Governance 17
(3): 353–373.
Mälksoo, Lauri. 2015. Russian Approaches to International Law. First Edition ed.
Oxford: Oxford University Press.
MID. 2011. Convention on International Information Security. Accessed November
24, 2019. https://www.mid.ru/en/foreign_policy/official_documents/-/asset_publisher/CptICkB6BZ29/content/id/191666.
Nakashima, Ellen. 2019. “The U.S. Is Urging a No Vote on a Russian-Led U.N.
Resolution Calling for a Global Cybercrime Treaty.” The Washington Post.
Accessed 23 November 2019.
https://www.washingtonpost.com/national-security/the-us-is-urging-a-no-vote-on-a-russian-led-un-resolution-calling-for-a-global-cybercrime-treaty/2019/11/16/b4895e76-075e-11ea-818c-fcc65139e8c2_story.html?wpisrc=nl_cybersecurity202&wpmm=1.
Neumann, Iver. 1996. Russia and the Idea of Europe: A Study in Identity and Inter-
national Relations. 2nd ed. London: Routledge.
Sharikov, Pavel, and Natalia Stepanova. 2019. “Podkhody SSHA, ES i Rossii k prob-
leme informatsionnoy politiki [US, EU and Russia’s approaches to information
policy].” Sovremennaya Evropa 2: 73–83.
Sharikov, Pavel. 2018a. “Artificial Intelligence, Cyberattack, and Nuclear Weapons—
A Dangerous Combination.” Bulletin of the Atomic Scientists 74 (6): 368–373.
Sharikov, Pavel. 2018b. “Informatsionnyy suverenitet i vmeshatel’stvo vo vnutren-
niye dela v rossiysko-amerikanskikh otnoshenyiakh [Information sovereignty and
interference in domestic affairs in the Russian-US relations].” Mezhdunarodnyye
protsessy 16 (3): 170–188.
Sharikov, Pavel. 2018c. “Understanding the Russian Approach to Information Secu-
rity.” Accessed November 23, 2019. https://www.europeanleadershipnetwork.org/
commentary/understanding-the-russian-approach-to-information-security/.
Strel’tsov, A. A., R.A. Sharyapov, and V.V. Yashchenko. 2016. Kratkiy kommen-
tariy i predlozheniya k p.13 Doklada Gruppy pravitel’stvennykh ekspertov po
dostizheniyam v sfere informatizatsii i telekommunikatsiy v sfere mezhdunarod-
noy bezopasnosti [Brief comment and suggestions to paragraph 13 of the Report
of the Group of Governmental Experts on Developments in the field of information
and telecommunications in the context of international security]. Moskva: Institut
problem informatsionnoy bezopasnosti Moskovskogo gosudarstvennogo univer-
siteta imeni M.V.Lomonosova.
Tannenwald, Nina. 1999. “The Nuclear Taboo: The United States and the Normative
Basis of Nuclear Non-Use.” International Organization 53 (3): 433–468.
Tikk, Eneken, and Mika Kerttunen. 2018. Parabasis. Cyber-Diplomacy in Stalemate.
Norwegian Institute of International Affairs (Oslo).
Chapter 6
China’s Conception of Cyber Sovereignty
Rhetoric and Realization
Rogier Creemers¹
INTRODUCTION
Since its initial connection to the global Internet in the 1990s, China has expe-
rienced a tremendous technological leap forward. Over 850 million Chinese
individuals have become network users (CNNIC 2019), using increasingly
sophisticated devices to access a rapidly burgeoning digital economy. Chi-
nese hardware and software businesses, including Alibaba, Tencent, Huawei,
and ZTE, have become industry leaders with a growing global footprint.
Technology questions have swiftly gained political prominence, reflected in
the creation and expansion of institutions such as the Cyberspace Adminis-
tration of China (CAC) and the Central Commission for Cybersecurity and
Informatization, chaired by Xi Jinping personally (Creemers 2019). Yet, the
nomenclature of the latter body also points at a tension fundamental to Chi-
na’s technology policy: while informatization—the introduction of informa-
tion technologies (ITs) into social and economic life—promises considerable
benefits, it equally creates considerable security concerns.
These concerns are not limited to technical questions surrounding the
integrity, availability, and correct functioning of IT systems and the data
stored within them. For decades, the Chinese leadership has feared ideologi-
cal subversion, and has designated online content as a potential weapon for
“peaceful evolution” (Wang 2011). In recent years, the growing adoption
of ITs and tensions resulting from China’s expanding geopolitical role have
led to new worries, particularly in relation to the United States. Overall,
China sees itself standing at the wrong end of a digital divide, where the
distribution of resources and capabilities in cyberspace is highly asymmetric
various Chinese stakeholders are often at odds. The conclusion will discuss
practical and theoretical implications of these processes for the global Internet.
Parallel Histories
While the classical attribution of sovereignty to the 1648 Peace of Westphalia
has been disputed, it is generally accepted that the notion of sovereignty—
supreme and exclusive political authority within a bounded territory—was
consolidated across Europe in the seventeenth century. This international
order was based on the principles of non-intervention and sovereign equal-
ity: no foreign entity outranked the ruler of a territory, or was permitted to
interfere in its internal affairs (Krasner 1999). This was particularly impor-
tant with regard to religion. Religious wars had wrought havoc across the
continent for over a century. In this sense, with the principle of cuius regio,
eius religio, sovereignty expressed an agreement to disagree: disputes over
alleged universal moral truths would no longer form a justification for con-
flict. In the centuries since, the sovereign state has become the primary form
of territorial organization worldwide.
To be sure, the sovereignty principle has often been honored in the breach
as much as the observance. The attempted invasion by monarchical powers
into revolutionary France, for instance, was largely justified by arguments for
regime change. Racist ideas concerning “civilization” withheld sovereignty
from much of the non-European world until after World War II. Yet, as
decolonizing states increasingly achieved sovereignty and self-determination,
another trend toward constraining sovereignty started gaining traction: one to
limit state cruelty and injustice. In the wake of the Holocaust, the Universal
Declaration on Human Rights became the first component of a growing body
of human rights law. The Helsinki Process of the 1970s created commitments
on civil rights that greatly encouraged dissident and democratic movements
in the USSR and its satellite states (Thomas 2001). Following the end of the
Cold War, doctrines such as the Responsibility to Protect further eroded the
authority of the non-intervention norm (Glanville 2013). Lastly, de facto if
not de jure, economic globalization has grown to considerably curtail the
space for movement of states, and consolidated the dominance of a
(neo-)liberal capitalist model around the world (Stein 2016).
China’s approach to sovereignty, in contrast, was predominantly concerned
with a drive to counteract the presence of imperialist powers that had estab-
lished extraterritorial rule in their concessions and had taken over a number
of Chinese government authorities, and start China on a path back toward
wealth and strength (Schell and Delury 2014). Their efforts rarely met with
success. At the end of World War I, China hoped to cash its material support
for the allies with the return of German-held concessions in Shandong. Del-
egation member (and later International Court of Justice judge) Wellington
Koo eloquently argued that the Wilsonian principles of independence and
self-determination implied Japan’s competing claims should be rejected. The
territories were subsequently handed over to Japan as part of a compromise
to mitigate tensions in the Pacific and stave off Japanese calls for the explicit
recognition of racial equality in the League of Nations (MacMillan 2011,
chapters 23–24). In China, this disappointment triggered dejection, protests,
a transformational nationalist cultural movement (Forster 2018), the estab-
lishment of the Chinese Communist Party, and a lingering sense that, in the
final analysis, foreign powers were not serious in their stated commitment to
international law, but would use it as an instrument of power (Kent 2008).
China’s task, therefore, would be to acquire power, not play the law game.
Distrust continued to color the foreign relations of the Chinese Republic
and People’s Republic, even with its nominal allies. During World War II,
even though Chiang Kai-shek managed to secure agreements ending extrater-
ritoriality and renouncing territorial concessions from Britain and the United
States, the alliance was strained due to Chiang’s—not unjustified—sense
that both countries were only doing the bare minimum to keep China in the
war and Japanese soldiers tied up (Mitter 2013). Ideological differences,
disagreements on relationships with the West, and competition for leader-
ship in the global Communist movement led Mao to curtail relationships
with the Soviet Union in the early 1960s. China’s near-total isolation from
global diplomacy would last until the 1970s, when gradual overtures toward
the United States led to Beijing’s takeover of the Chinese membership of the
UN, hitherto held by Taipei, and the recognition of the People’s Republic by
most nations worldwide. The Dengist reforms further spurred openness to the
outside world, as China started participating in numerous global diplomatic
and legal regimes. Yet, even as China developed a more pragmatic form of
global engagement, the rhetorical basis of China’s foreign policy remained
the Five Principles of Peaceful Coexistence, developed in the mid-1950s, of
which sovereignty was the most important one (Kent 2008).
The Tiananmen events of 1989 underscored the lengths to which the regime would
go to safeguard its existence, and in a certain sense, their aftermath has
continued to shape China’s relationship with the outside world. Coinciding
with the end of Communist regimes in Eastern Europe and the dissolution
of the Soviet Union, the West came to believe that Tiananmen indicated it
would only be a matter of time until the Chinese regime would follow them
into the annals of history (Pei 2006; Chang 2010). Human rights became an
important part of American and European diplomatic efforts toward China,
to ensuring sovereignty can be realized for China itself, even in the absence
of international adoption. These measures have converged around three core
strategies: territorialization, indigenization, and investment.
Territorial boundaries are a key component of the concept of sovereignty,
but have been largely anathema in discussions on cyberspace. From a techni-
cal perspective, geography plays no meaningful role in the functioning of the
Internet, even if the underlying infrastructure is territorial, and the absence
of online borders was key to the techno-optimist view of cyberspace as a
completely sui generis creature. Unsurprisingly, the Chinese government has
taken a rather different approach. In 2013, CAC director Lu Wei stated that
cyberspace is an extension of real space, and that it is, therefore, not a “land
outside the law” (fa wai zhi di, Lu 2013). Yet, claiming jurisdiction over
cyberspace implies having to define its limits and instituting border controls.
Partly, the Chinese government has been able to do so through physical
infrastructure: the Great Firewall’s hardware is mainly located at China’s
international gateways (Lee 2018). But territorialization can also take place
through regulatory means: by mandating that particular actors, activities, and
data are located within China, jurisdictional questions are avoided altogether.
The indigenization strategy intends to increase the proportion of technol-
ogy used in Chinese cyberspace that is produced by Chinese suppliers. For
most of the 2000s, the vast majority of information technology products used
in China originated from foreign businesses, from Cisco routers in the net-
work infrastructure to Microsoft operating systems, from Apple smartphones
and laptops to domain names purchased from foreign registrars. In 2014,
a party journal claimed that 82 percent of servers, 73.9 percent of storage
equipment, 95.6 percent of operating systems and 91.7 percent of databases
in the country were foreign-sourced (Zhao and Xu 2014). A number of events
highlighted China’s vulnerability to both foreign corporate decisions and
governmental acts. When Microsoft announced in early 2014 that it would
no longer support Windows XP, for instance, this operating system was
still in use in the majority of Chinese computers. In response, China banned
Windows 8 from government systems (Kai 2014), and Microsoft reversed
its position. The Snowden revelations generated widespread concern about
the possible implantation of backdoors or other forms of malicious code into
foreign ICT equipment (Xi 2013, People’s Daily 2014). For both economic
and political reasons, the Chinese government has increasingly sought to sub-
stitute foreign suppliers by domestic counterparts across a range of sectors.
As a result, foreign content providers and online platforms have either not
gained a significant foothold on the Chinese market, or in the case of Google,
ended their Chinese activities as they were unwilling to comply with govern-
ment demands. The four brands Huawei, Oppo, Vivo, and Xiaomi combined
now hold over 80 percent of China’s market share. China has also attempted
Content Control
Perhaps the best-known boundary in cyberspace is the Great Firewall of
China, the filtering infrastructure at the international gateways of China’s
telecommunications networks that filters out undesirable content. Established
in the late 1990s, it has been upgraded over the years to effectively remove from
Chinese audiences content produced outside of Beijing’s ability to control.
This includes explicitly political content, such as websites defending Falun
Gong, the Tibetan or Uyghur cause, online media outlets reporting critically
in China, social media networks that had been implicated in political events
such as the Arab Spring and color revolutions in ex-Soviet states, as well as
morally undesirable content such as pornography (Griffiths 2019). Allegedly,
it was used to leverage the “Great Cannon” attack, which targeted developer
platform GitHub in 2015 (Marczak et al. 2015). The Great Firewall has also
been periodically updated to target circumvention software. For instance, par-
ticular commercial VPN services work less effectively around major national
celebrations, and The Onion Router (TOR), which enables anonymous and
encrypted web access, does not function reliably from China.
Yet, the Great Firewall is not the only barrier to foreign content. Starting in
2000, authorities started expanding the previous regulatory regime for media
from the traditional realm to the Internet. The first provisional regulations
already contained a ban on foreign audiovisual content on Chinese websites
(SARFT 2000, Art. 16[g]), and imposed licensing requirements for online
operators. The permitted share of foreign participants in online information
services’ joint ventures was limited (State Council 2000, Art. 17), while the
Chinese WTO accession schedule limited foreign market access for many
media-related activities (MOFCOM 2001). Subsequent regulations barred
foreign participation from activities such as news (SCIO and MII 2005, Art.
9), online publishing (CAC 2016b, Art. 10), and provision of audiovisual
content (SARFT 2004, Art. 7). Unsurprisingly, these regulatory barriers, in
combination with a protectionist stance in favor of Chinese businesses, meant
no large foreign online operator has been able to maintain a sustained pres-
ence on Chinese territory. Google had set up operations in Beijing in 2005
but closed down its Chinese search engine in 2010 after it discovered state-
backed hacking operations into its user data (Waddell 2016). More recently,
Facebook attempted to open a start-up incubator subsidiary in Hangzhou, but
a miscommunication between local and central authorities meant it did
not obtain the required permits (Liao 2018). Instead, the market has come to
be dominated by the massive domestic online platform companies Alibaba,
Tencent, and Baidu. Among a list of top 100 mobile apps on the Chinese mar-
ket as measured in market penetration in 2017, only a handful are produced
by a foreign entity (Jiguang n.d.).
In governing online content, Beijing thus has employed a combination
of the territorialization (Great Firewall) and indigenization (barring foreign
businesses) approaches, with considerable success. This not only has substan-
tial economic benefits, it also provides the leadership with a more effectively
governed landscape. Regular tussles notwithstanding, over the years, a modus
vivendi has emerged between China’s online businesses and the central gov-
ernment. Government recognizes private business has generated consider-
able economic and technological achievement, and thus maintains a mostly
positive attitude, while businesses do not upset the governmental applecart,
and are far more trusted on politically sensitive matters than their foreign
equivalents (Creemers 2018).
cochairman (Xinhua 2015). China, equally, has made efforts to build closer
relations. The ICANN50 meeting in London, most notably, was the venue for
CAC director Lu Wei to make his first high-profile international appearance
(Lu 2014). Furthermore, the ICANN transition away from a direct contractual
relationship with the US government and toward nongovernmental, multi-
stakeholder stewardship assuaged some of Beijing’s concerns vis-à-vis the
organization. Even so, some ambivalence remains in China’s stance. While
ICANN reform seems less of a priority for Beijing, the International Strategy
for Cooperation in Cyberspace, as well as the Chinese submission to the UN
Open-Ended Working Group on Information and Telecommunications still
contain references to the need to create a multilateral Internet governance
system, and to ensure that institutions governing strategic Internet resources,
such as root servers, remain “truly independent of any state’s control” (MFA
2019). Partly, this reflects continuing concerns that, as a U.S.-registered
corporation, ICANN could be compelled to limit its services to China, for
instance, through a process akin to the Department of Commerce Entity List,
which limits, among others, technology exports to specific businesses or
institutions. Another element is that numerous other strategic resources, such
as the root servers on which the DNS depends, remain owned or operated by
US entities, further increasing perceived risk.
In the meantime, China has sought to mitigate some of the risks it saw ema-
nating from the ICANN structure through domestic regulation. Almost from
the start, the administration of domain names became a government affair,
eschewing the multistakeholder approach adopted elsewhere. In 1997, the
newly established CNNIC, under the Chinese Academy of Sciences, became
responsible for managing Chinese aspects of the DNS, including administra-
tion of the .cn domain (Xue 2004). CNNIC also required notification from
server operators using other top-level domains (Ermert and Hughes 2003,
202). Successive regulations promulgated in 2002 and 2004 started to extend
Chinese jurisdiction over the domain name system, referring consistently
to “our country’s domain name system.” Not only did they encourage the
adoption of Chinese-language domain names, they also applied preexisting
provisions on content censorship to domain names, and required providers
to cease resolving DNS addresses upon request by public security depart-
ments (MII 2002; MII 2004). But perhaps, most importantly, it unilaterally
took the initiative to create an alternative system to handle Chinese-language
domain names, which still remained globally compatible. While this sys-
tem was operated relatively secretively at first, by 2006, the People’s Daily
proudly boasted that “[Chinese] Internet users don’t have to surf the web via
the servers under the management of the Internet Corporation for Assigned
Names and Numbers of the United States” (cited in Mueller 2012). Also,
the continuing tensions over ICANN’s role led the Chinese government to
Data Protection
Like many governments, the Chinese leadership has identified data as a
crucial resource for development, but also a potential source of vulnerabil-
ity. Many of those risks, such as data leaks leading to fraud and abuse, are
domestic, but authorities have also voiced concern over the potential harm
stemming from data on Chinese citizens and important businesses flowing
abroad. Over the past few years, the leadership has thus sought to centralize
its previously fragmented regulatory approach to data protection, and data
localization is an important element in new regulations. Localization require-
ments were already issued for financial and healthcare data in 2011 and 2014
respectively (PBoC 2011; NHFPC 2014). A 2013 technical standard required
consent of data subjects for data export (Chander and Le 2014). The cyberse-
curity law would set a general standard across all sectors. Yet, the exact cat-
egorization of data to be protected, as well as the specific limitations on their
export, have been subject to a to-and-fro between different regulators and
operating systems (Ni 2017B) claimed this version should remain outside
the government procurement catalogue (Ni 2017), and more broadly, that
government operating systems should be “indigenous and controllable” (Ni
2017A). In response, Wang Jun, general engineer at one of the approved
third party security evaluators, the China Information Technology Security
Evaluation Centres (CNITSEC), stated that the cybersecurity review regime
does not discriminate on the basis of nationality. Moreover, Wang indicated
that replacing Windows with an indigenous alternative would “not neces-
sarily [be] the best choice” (Transpacifica 2017), citing switchover costs,
software incompatibilities, and software quality as reasons. In contrast, Wang
hailed the fact that the government edition was developed by a Sino-US joint
venture, in which Microsoft cooperated with the China Electronics Technol-
ogy Group (CETC), with the aim of providing software better responding to
user needs and security requirements. Lastly, Wang argued domestic operat-
ing systems might not necessarily provide a more secure alternative, merely
that the risk profile might be somewhat different. This debate encapsulates
many of the key points surrounding the technology substitution question in
China, many of which are nonideological or political. Some businesses, such
as CETC, fare well through technological openness; others would do better
if foreign competitors were absent from the market. In many cases, foreign
technology is better than Chinese alternatives, and even a Huawei executive
has indicated the virtuous effects of competition on innovation and security
provide a strong reason to maintain openness (Shih 2015). The existing
installed base of foreign technology and integration with other systems means
“rip-and-replace” might be very costly.
It is often claimed that the Chinese government uses its close ties to busi-
nesses to advance the cause of national champions. This is especially salient
in the area of 5G, which lies at the heart of tensions between China and its
major trading partners. State-owned telecommunications operator China
Mobile granted over half the contracts for its 5G equipment to Huawei (Li
2019), and specific policy plans often indicate local content targets in various
sectors and network systems. Furthermore, state-run media outlets regularly
target foreign businesses in order to pressure them toward greater compli-
ance, or send political signals. The technology sector is no exception. In
July 2019, for instance, Apple was targeted on national radio for allegedly
allowing fake reviews to appear on its App Store (CNR 2019). This com-
pounded an already negative picture for Apple in China: Apple’s smartphone
share plummeted from a high of 27 percent in 2015 to 5 percent in late 2019
(Kirton 2019). Huawei not only took 42 percent of the Chinese domestic
market at that time, it also had surpassed Apple as the second largest smart-
phone manufacturer worldwide. Partly, this may be due to political influence
and nationalism among Chinese buyers, but the rapidly growing quality and
has sought to maintain interoperability with the global Internet, at the same
time as striving to ensure dominance of indigenous online businesses, as well
as technological autonomy to the greatest possible extent. Moreover, the
increasing tensions with the United States have fostered a greater sense of
urgency and unity in Beijing. Nevertheless, there are considerable arguments
and differing views among different constituencies on important questions
of how this principle is best realized in practice. How, and in which fields,
to collaborate with foreign players, the extent to which specific foreign tech-
nologies should be banned from certain fields or merely regulated, and how to
determine the sort of data that should be nationalized are still open questions.
This trend has not taken place in a vacuum. China’s insistence on cyber
sovereignty has both been a response to and a catalyst of broader evolu-
tions in global cyber governance. In some cases, other governments have
recognized the desirability of jurisdictional powers, referring explicitly to
the sovereignty principle. EU digital commissioner Günther Oettinger, for
instance, mentioned “digital sovereignty” as an objective for European digital
policy (Tost 2015). Sovereignty was recognized as applying to states’ use of
information technologies in the 2013 and 2015 reports of the United Nations
Group of Governmental Experts (Schmitt and Vihul 2017), and is recognized
in the Tallinn Manual, a comprehensive expert analysis of how international
law applies to cyber operations (Schmitt 2017). China is not the only coun-
try to institute data localization policies; the EU’s General Data Protection
Regulation equally requires local storage of personal data under certain
circumstances. As governments increasingly assert control over the digital
sphere, and as national security questions grow increasingly prominent in
global cyber debates, it seems China’s approach to sovereignty has to be seen
as part of a complex spectrum. While Beijing’s stance seems clear-cut and
diametrically opposed to that of the United States and its “like-minded” allies
in diplomatic discourse, the complexity of the domestic policy and regulatory
landscape reveals a more nuanced picture.
To a significant degree, the difference in approaches reflects the contrast
in security concepts between Beijing and its Western counterparts. China pri-
marily defines cybersecurity through the lens of “information security” (CAC
2016a), and focuses on the potential impact the uncontrolled circulation of
information might have on political, economic, and social stability. It is thus
no surprise that content control has historically been the most elaborate com-
ponent of the cybersecurity landscape. American and European governments,
conversely, have largely defined cybersecurity in technical terms, focusing on
the integrity, stability, and functioning of information systems and the data
stored on them. This, in turn, explains the attention these governments have
directed toward the security of telecommunication networks, and in some
cases, resorted to banning Chinese suppliers from their domestic markets. It is
worth remembering that China, thus far, has not banned specific hardware or
software makers from its markets. Equally, China puts a far greater emphasis
on economic development in its cyber policy, while the United States stresses
military, intelligence, and other national security questions relatively more. It
is likely that these views will converge somewhat over the years, as illustrated
by greater Western attention to disinformation campaigns and fake news, and
China’s efforts to establish a cybersecurity review regime. The United States
seems more amenable to greater state influence over economic affairs, while
China is building up its cyber military and intelligence capabilities. Yet, even
that convergence is unlikely to lead to greater cooperation or coordination.
It is overshadowed by the growing U.S.–China tensions, in which technol-
ogy plays a central role. It seems that, increasingly inevitably, arrangements
in cyberspace will reflect unadorned great power competition, with interests
overshadowing values in importance, and political expediency replacing
pragmatic cooperation as a key virtue.
This has important implications for the future development of both the
digital economy and interstate relations pertaining
to cyber affairs. The global digital economy as it exists today developed
since the 1990s in a context where there were few national and international
regimes on matters ranging from data flows to supply chains. The current pro-
cess of increasing regulatory nationalization inaugurates a new paradigm in
which multinational companies must operate. One likely scenario is that the
world will fragment into separate spheres of cooperation with high degrees of
internal harmonization, and significant barriers between them. An example of
this is the supply of telecommunications equipment. If China’s push for tech-
nology indigenization is matched by other major states, or leads to reciprocal
measures, the global market for telecommunications devices may equally
become segregated along the lines of political alignment. What the impact will be
on global connectivity, data, and information flows is an important
subject for future research. Yet, the tightrope that China needs to walk is a
precarious one. In the diplomatic realm, China’s strong insistence on sover-
eignty has contributed to a low level of trust between Beijing and its major
international interlocutors. It also has, thus far, overshadowed the question
of in which areas, how, and for which purposes China can cooperate with other
states—even those ostensibly more closely aligned—in order to enhance
cyber governance, continue to stimulate interoperability and innovation, and
tackle shared issues affecting the global online ecosystem. Yet, in the
economic realm, greater economic internationalization and technical
interoperability are imperative for the flourishing of China’s digital industry. Moreover,
the global digital economy is, seemingly inextricably, linked with China as a
manufacturing base and market. With the nature of cyber issues increasing in
complexity, and tensions increasing in intensity, the way Beijing will seek to
preserve this balance, and how its foreign counterparts will respond, will be
a prime factor shaping outcomes in the decades to come.
LIST OF ABBREVIATIONS
NOTES
1. This chapter has been written with the generous support of the Dutch Ministry
of Foreign Affairs and the NWO (Netherlands Organization for Scientific Research).
2. Members of the technical community and sector institutions such as the Inter-
net Society of China did attend. Given that these organizations function under party
leadership and maintain direct connections with the bodies in charge of Internet
governance, this meant that Chinese governmental preferences were still represented,
albeit indirectly.
BIBLIOGRAPHY
Ahmed, Shazeda and Steven Weber. 2018. “China’s Long Game in Techno-National-
ism.” First Monday 23 (5–7). http://dx.doi.org/10.5210/fm.v23i5.8085.
.wordpress.com/2016/07/27/outline-of-the-national-informatization-development-strategy/
Chander, Anupam and Uyen P. Le. 2014. “Breaking the Web: Data Localization
vs. the Global Internet.” UC Davis Legal Studies Research Paper Series 378.
Accessed November 29, 2019. https://aicasia.org/wp-content/uploads/2017/06/
SSRN-id2407858-1.pdf.
Chang, Gordon G. 2010. The Coming Collapse of China. New York: Random House.
China Daily. 2019. “BT Becomes First Foreign Telecoms Firm to Secure Chinese
License.” January 29, 2019. Accessed November 29, 2019.
http://www.chinadaily.com.cn/a/201901/29/WS5c4fbdfca3106c65c34e70b2.html.
CNNIC. 2019. “Di 44 ci ‘Zhongguo hulian wangluo fazhan zhuankuang tongji
baogao’ (44th ‘China Statistical Report on Internet Development’).” August 30,
2019. Accessed October 19, 2019.
http://www.cac.gov.cn/2019-08/30/c_1124938750.htm.
CNR. 2019. “App Store xian ‘shuahaoping’ wudao yonghu kewu: ruo bu manyi ke
gei chaping (‘Good Review Paint’ Emerges on App Store, Misleading Customers:
In Case of Dissatisfaction, Bad Marks May be Awarded).” July 8, 2019. Accessed
November 29, 2019.
http://china.cnr.cn/yaowen/20190708/t20190708_524682741.shtml.
Congressional Research Service. 2018. “Tricks of the Trade: Section 301 Investi-
gation of Chinese Intellectual Property Practices Concludes.” March 29, 2018.
Accessed November 29, 2019. https://crsreports.congress.gov/product/pdf/LSB/
LSB10109.
Corera, Gordon. 2015. Intercept: The Secret History of Computers and Spies. Lon-
don: Hachette UK.
Creemers, Rogier. 2018. “Disrupting the Chinese State: New Actors and New Fac-
tors.” Asiascape: Digital Asia 5(3): 169–197.
Creemers, Rogier. 2019. “The International and Foreign Policy Impact of China’s Arti-
ficial Intelligence and Big-Data Strategies.” In Artificial Intelligence, China, Russia,
and the Global Order: Technological, Political, Global, and Creative Perspectives,
edited by Wright, Nicholas, 129–135. Maxwell AFB: Air University Press.
Demchak, Chris. 2016. “Uncivil and Post-Western Cyber Westphalia: Changing
Interstate Power Relations of the Cybered Age.” The Cyber Defense Review 1(1):
49–74.
Dutton, William H., and Malcolm Peltu. 2008. “The New Politics of the Internet:
Multi-stakeholder Policy-making and the Internet Technocracy.” In: Routledge
handbook of Internet politics, edited by Chadwick, Andrew and Philip Howard,
400–416. Abingdon: Routledge.
Ermert, Monika and Christopher Hughes. 2003. “What’s in a Name? China and the
Domain Name System.” In: China and the Internet: Politics of the Digital Leap
Forward, edited by Hughes, Christopher and Gudrun Wacker, 127–138. Abingdon:
Routledge.
Feng, Emily. 2018. “China’s State-Owned Venture Capital Funds Battle to Make
an Impact.” Financial Times. December 23, 2018. Accessed November 29, 2019.
https://www.ft.com/content/4fa2caaa-f9f0-11e8-af46-2022a0b02a6c.
China’s Conception of Cyber Sovereignty 135
Forster, Elisabeth. 2018. 1919—The Year That Changed China: A New History of the
New Culture Movement. Berlin: De Gruyter.
Freshfields. 2016. “China Introduces Comprehensive New Cyber Security Rules for
Banking Procurement.” Accessed November 29, 2019. http://knowledge.freshfields.
com/m/Global/r/1514/china_introduces_comprehensive_new_cyber_security_rules.
Glanville, Luke. 2013. Sovereignty and the Responsibility to Protect: A New History.
Chicago: University of Chicago Press.
Global Times. 2016. “Hulianwang xingui bing fei ‘fengsha jingwai wangzhan’, IT jie
wangyou jiedu zhuanye shuyu (New Internet Rules Don’t ‘Wipe Out Foreign Web-
sites’, Netizens from IT Circles Explain Specialized Jargon).” March 29, 2016.
Accessed November 29, 2019. https://world.huanqiu.com/article/9CaKrnJUT0p.
Griffiths, James. The Great Firewall of China: How to Build and Control an Alterna-
tive Version of the Internet. London: Zed Books.
Hall, Chris. 2019. “Huawei HarmonyOS Update: Without Google What Is Huawei’s
plan B?” Pocket Lint. September 18, 2019. Accessed November 29, 2019. https
://www.pocket-lint.com/phones/news/huawei/148118-huawei-alternative-os-with
out-google-huawei-plan-b.
Harold, Scott Warren, Martin C. Libicki, and Astrid Stuth Cevallos. 2016. “Getting
to Yes with China in Cyberspace.” Rand Corporation. Accessed November 25,
2019. https://www.rand.org/content/dam/rand/pubs/research_reports/RR1300/RR1
335/RAND_RR1335.pdf.
Houser, Kimberley. Forthcoming. “The Innovation Winter Is Coming: How the U.S.-
China Trade War Endangers the World.” San Diego Law Review 57(3). Accessed
November 29, 2019. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3473902.
https://opinion.huanqiu.com/article/9CaKrnK3qF3.
Hu, Jintao. 2011. “Jianding buyi zou Zhongguo tese shehuizhuyi wenhua fazhan
daolu: nuli jianshe shehuizhuyi wenhua qiangguo (Resolutely Walk the Path of
Socialist Culture Development with Chinese Characteristics: Striving to Construct
a Strong Socialist Culture Country).” Qiushi. Translation, accessed November 28,
2019. https://chinacopyrightandmedia.wordpress.com/2012/01/04/hu-jintaos-art
icle-in-qiushi-magazine-translated/
ICANN. 2013. “ICANN Engagement Center to Open In Beijing.” April 8, 2013.
Accessed November 29, 2019. https://www.icann.org/en/system/files/press-materi
als/release-08apr13-en.pdf.
Jiguang. S.d. “Jiguang dashuju: 2017 nian yidong hulianwang hangye pandian app
bangdan (Jiguang data: a 2017 list of apps in the mobile Internet sector).” Accessed
November 29, 2019. https://www.jiguang.cn/reports/195.
Kai, Jin. 2014. “Why China Banned Windows 8.” The Diplomat. May 28, 2014.
Accessed November 29, 2019. https://thediplomat.com/2014/05/why-china-ban
ned-windows-8/.
Kent, Ann. 2008. “China’s Changing Attitude to the Norms of International Law and
Its Global Impact.” In China’s “New” Diplomacy, edited by Kerr, Pauline, Stuart
Harris and Yaqing Qin, 55–76. New York: Palgrave Macmillan.
Kirton, David. 2019. “Huawei Tightens China Market Hold with 42% Share at
Expense of iPhones: Canalys.” Reuters. October 30, 2019. https://www.reuters.
136 Rogier Creemers
com/article/us-china-smartphone/huawei-tightens-china-market-hold-with-42-s
hare-at-expense-of-iphones-canalys-idUSKBN1X907R.
Klimburg, Alexander. 2013. “The Internet Yalta.” Center for a New American Secu-
rity. Accessed November 29, 2019. http://dragon-report.com/Dragon_Report/h
ome/home_fi les/The%20Internet%20Yalta.pdf.
Knowledge@Wharton. 2011. “China’s 3G Technology Gamble: Who Has the Last
Laugh?” Accessed November 29, 2019. https://knowledge.wharton.upenn.edu/arti
cle/chinas-3g-technology-gamble-who-has-the-last-laugh/
Kolton, Michael. 2017. “Interpreting China’s Pursuit of Cyber Sovereignty and Its
Views on Cyber Deterrence.” The Cyber Defense Review 2(1), 119–154.
Krasner, Stephen D. 1999. Sovereignty: Organized Hypocrisy. Princeton: Princeton
University Press.
Lee, Jyh-An. 2018. “Great Firewall.” The Chinese University of Hong Kong Faculty
of Law Research Papers 2018–10.
Li, Tao. 2019. “Huawei Wins Half of China Mobile’s 5G Network Contracts While
Ericsson Picks Up a Third.” South China Morning Post. June 17, 2019. https://
www.scmp.com/tech/big-tech/article/3014766/china-mobile-awards-half-its-5g-ne
twork-contracts-huawei-while.
Liao, Shannon. 2018. After a Single Day, Facebook Is Pushed Out of China Again.”
The Verge. July 25, 2018. Accessed November 29, 2019. https://www.theverge
.com/2018/7/25/17612162/facebook-technology-subsidiary-blocked-china-censor.
Lindsay, Jon. 2014. “The Impact of China on Cybersecurity: Fiction and Friction.”
International Security 39(3): 7–47.
Lu, Wei. 2013. “Wang ju zhengnengliang, gong zhu Zhongguo meng: zai di shisan
jie Zhongguo wangluo meiti luntan shang de zhuzhi yanjiang (Concentrate Posi-
tive Online Energy, Jointly Build the Chinese Dream: Speech at the 13th China
Online Media Forum).” October 30, 2013. Translation, accessed November 29,
2019. https://chinacopyrightandmedia.wordpress.com/2013/10/30/siio-director-
outlines-eight-objectives-for-online-media/.
Lu, Wei. 2014. “Gongxiang de wangluo, gongzhi de kongjian: zai ICANN Lundun
huiyi kaimushi de zhuzhi yanjiang (A Network Shared Together, A Space Gov-
erned Together: Keynote Speech at the Opening Ceremony of the London ICANN
Meeting).” June 23, 2014. Translation, accessed November 22, 2019. https://ch
inacopyrightandmedia.wordpress.com/2014/06/23/a-network-shared-together-a-s
pace-governed-together/
Lu, Xiaomeng, Paul Triolo, Samm Sacks, Rogier Creemers, and Graham Webster.
2018. “Progress, Pauses, and Power Shifts in China’s Cybersecurity Law Regime.”
Digichina. Accessed November 29, 2019. https://www.newamerica.org/cybersec
urity-initiative/digichina/blog/progress-pauses-power-shifts-chinas-cybersecurit
y-law-regime/
Macmillan, Margaret. 2011. Peacemakers: Six Months That Changed the World.
London: Hachette, UK.
Marczak, Bill, Nicholas Weaver, Jakub Dalek, Roya Ensafi, David Fifield, Sarah
McKune, Arn Rey, John Scott-Railton, Ron Deibert, and Vern Paxson. 2015.
“China’s Great Cannon.” CitizenLab. Accessed November 29, 2019. https://citizen
lab.ca/wp-content/uploads/2009/10/ChinasGreatCannon.pdf.
China’s Conception of Cyber Sovereignty 137
NHFPC. 2014. “Renkou jiankang xinxi guanli banfa (shixing) (Population Health
Information Management Rules (Trial)).” May 5, 2014. Accessed November 29,
2019. http://www.cac.gov.cn/2014-08/20/c_1112064075.htm.
Ni, Guangnan, 2017A. “Zhengfu caozuo xitong ying quebao zizhu kekong (Govern-
ment Operating Systems Should Be Guaranteed Indigenous and Controllable).”
Global Times. June 13, 2007. Accessed November 29, 2019.
Ni, Guangnan. 2017. “Jianyi zhengfu tingzhi caigou he shiyong ‘Win10 zhengfuban’
(I Suggest the Government Ceases to Buy and Use the ‘Win10 Government Edi-
tion’).” QQ Tech. June 8, 2017. Accessed November 9, 2019.
Ni, Guangnan. 2017B. “Jiandingbuyi de fazhan guochan caozuo xitong (Unwaver-
ingly Develop Domestically Produced Operating Systems).” Global Times. June
29, 2017. Accessed November 29, 2019. https://opinion.huanqiu.com/article/9CaK
rnK3MJr.
NPC. 2015. “Zhonghua renmin gongheguo wangluo anquan fa (cao’an) (Cyberse-
curity Law of the People’s Republic of China (Draft)).” July 6, 2015. Translation,
accessed November 29, 2019. https://chinacopyrightandmedia.wordpress.com/
2015/07/06/cybersecurity-law-of-the-peoples-republic-of-china-draft/
NPC. 2016. “Zhonghua renmin gongheguo wangluo anquan fa (cao’an—erci shenyi
gao) (Cybersecurity Law of the People’s Republic of China (Second Reading
Draft).” July 6, 2016. Translation, accessed November 29, 2019. https://chinaco
pyrightandmedia.wordpress.com/2016/07/06/peoples-republic-of-china-cybersec
urity-law-second-reading-draft/
NPC. 2016. “Zhonghua renmin gongheguo wangluo anquan fa (cao’an—sanci
shenyi gao) (Cybersecurity Law of the People’s Republic of China (Third Reading
Draft).” November 2, 2016. Translation, accessed November 29, 2019. https://ch
inacopyrightandmedia.wordpress.com/2016/11/02/cybersecurity-law-of-the-peop
les-republic-of-china-third-reading-draft/
NPC. 2016A. “Wangluo anquan fa (cao’an) de xiugai qingkuang (The Situation of the
Revision of the Cybersecurity Law (Draft)).” July 8, 2016. Translation, accessed
November 29, 2019. https://chinacopyrightandmedia.wordpress.com/2016/07/08/
the-situation-of-the-revision-of-the-cybersecurity-law-draft/
NPC. 2016C. “Zhonghua renmin gongheguo wangluo anquan fa (Cybersecurity Law
of the People’s Republic of China.” November 7, 2016. Translation, accessed
November 22, 2019. https://chinacopyrightandmedia.wordpress.com/2016/11/07/
cybersecurity-law-of-the-peoples-republic-of-china/
Panda, Ankit. 2019. “Huawei’s Legal Woes and Tech ‘Decoupling’ Between China
and the West.” The Diplomat. February 4, 2019. Accessed November 29, 2019.
https://thediplomat.com/2019/02/huaweis-legal-woes-and-tech-decoupling-betw
een-china-and-the-west/
PBoC. 2011. “Guanyi yinhangye jinrong jigou zuohao geren jinrong xinxi baohu
gongzuo de tongzhi (Notice concerning Protecting Personal Financial Information
in Financial Bodies in the Banking Sector).” January 21, 2011. Accessed Novem-
ber 29, 2019. http://www.gov.cn/gongbao/content/2011/content_1918924.htm.
Pei, Minxin. 2006. China’s Trapped Transition. Cambridge: Harvard University
Press.
China’s Conception of Cyber Sovereignty 139
People’s Daily. 2012. “Wangzhan xiaoyenmiman, women ruhe yingdui (Smoke over
the Network Warfare Battlefield, How Do We Respond).” June 6, 2012. Accessed
November 29, 2019. http://media.people.com.cn/GB/18088684.html.
People’s Daily. 2014. “Guojia Hulianwang Bangongshi fuzhuren Wang Xiujin: wan-
gluo anquan shi zhongda zhanlüe wenti (SIIO Vice-Director Wang Xiujun: Cyber-
security Is a Major Strategic Question).” May 18, 2014. Translation, accessed
November 29, 2019. https://chinacopyrightandmedia.wordpress.com/2014/05/30/
siio-vice-director-wang-xiujun-cybersecurity-is-a-major-strategic-question/
Qu, Weizhi. 2010. China’s Path to Informatization. Singapore: Cengage Learning
Asia.
Rapoza, Kenneth. 2019. “Huawei Has Taken Over Apple’s Market Share in China;
It Will Get Worse.” Forbes. May 2, 2019. Accessed November 29, 2019. https
://www.forbes.com/sites/kenrapoza/2019/05/02/huawei-has-taken-over-apples-m
arket-share-in-china-it-will-get-worse/#3530820385f1.
Reuters. 2019. China Publication of ‘Unreliable Entities List’ Depends on Sino-U.S.
Trade Talks: Sources.” October 11, 2019. Accessed November 29, 2019. https://
www.reuters.com/article/us-usa-trade-china-entities/china-publication-of-unreliabl
e-entities-list-depends-on-sino-u-s-trade-talks-sources-idUSKBN1WQ28L.
Sacks, Samm and Manyi Kathy Li. 2018. “How Chinese Cybersecurity Standards
Impact Doing Business in China.” CSIS Briefs. Accessed November 29, 2019.
https://csis-prod.s3.amazonaws.com/s3fs-public/publication/180802_Chinese_C
ybersecurity.pdf?EqyEvuhZiedaLDFDQ.7pG4W1IGb8bUGF.
SARFT. 2000. “Xinxi wangluo chuanbo guangbo dianying dianshi lei jiemu jiandu
guanli zanxing banfa (Provisional Information Network Dissemination of Radio,
Film and Television-Type Programme Supervision and Management Rules).”
April 7, 2000. Translation, accessed November 29, 2019. https://chinacopyrightand
media.wordpress.com/2000/04/07/provisional-information-network-disseminatio
n-of-radio-film-and-television-type-programme-supervision-management-rules/
SARFT. 2004. “Hulianwang deng xinxi wanluo chuanbo shiting jiemu guanli banfa
(Internet and Other Information Networks Audiovisual Programme Dissemination
Management Rules).” July 6, 2004. Translation, accessed November 29, 2019.
https://chinacopyrightandmedia.wordpress.com/2004/07/06/internet-and-other-
information-networks-audiovisual-programme-dissemination-management-rules/
Schell, Orville, and John Delury. 2014. Wealth and Power: China’s Long March to
the Twenty-First Century. New York: Random House, 2014.
Schmitt, Michael N., and Liis Vihul. 2017. “Sovereignty in Cyberspace: Lex Lata Vel
Non?” AJIL Unbound 111: 213–218.
Schmitt, Michael N., ed. 2017. Tallinn Manual 2.0 on the International Law Appli-
cable to Cyber Operations. Cambridge: Cambridge University Press.
SCIO and MII. 2005. “Hulianwang xinwen xinxi fuwu guanli guiding (Internet News
Information Service Management Regulations).” September 25, 2005. Translation,
accessed November 29, 2019. https://chinacopyrightandmedia.wordpress.com/
2005/09/25/internet-news-information-service-management-regulations/
SCIO. 2010. “The Internet in China (White Paper).” June 8, 2010. Accessed October
22, 2019. http://www.chinadaily.com.cn/china/2010-06/08/content_9950198.htm.
140 Rogier Creemers
SCMP. 2018. “Timeline: Chinese Telecoms Giants Huawei, ZTE Incur Wrath of
Washington Over Iran Sanction Violations.” December 6, 2018. Accessed Novem-
ber 29, 2019. https://www.scmp.com/tech/big-tech/article/2176664/timeline-chine
se-telecoms-giants-huawei-zte-incur-wrath-washington.
Segal, Adam. 2016. “China, Encryption Policy, and International Influence.” Hoover
Institution. Accessed November 29, 2019. https://www.hoover.org/sites/default/fil
es/research/docs/segal_webreadypdf_updatedfinal.pdf.
Segal, Adam. 2017. “Chinese Cyber Diplomacy in a New Era of Uncertainty.” Hoover
Institution, Aegis Paper Series 1703. Accessed November 29, 2019. https://ww
w.hoover.org/sites/default/files/research/docs/segal_chinese_cyber_diplomacy.pdf.
Sevastopulo, Demetri and Geoff Dyer. 2015. “Obama and Xi in Deal on Cyber Espio-
nage.” Financial Times. September 15, 2015. Accessed November 29, 2019. https
://www.ft.com/content/0dbcab36-63be-11e5-a28b-50226830d644.
Shen, Hong. 2016. “China and Global Internet Governance: Toward an Alternative
Analytical Framework.” Chinese Journal of Communication 9(3): 304–324.
Shen, Hong. 2018. “Building a Digital Silk Road? Situating the Internet in China’s
Belt and Road Initiative.” International Journal of Communication 12: 2683–2701.
Shen, Yi. 2016. “Cyber Sovereignty and the Governance of Global Cyberspace.”
Chinese Political Science Review 1(1): 81–93.
Shih, Gerry. 2015. “Huawei CEO Says Chinese Cybersecurity Rules Could Back-
fire.” Reuters. April 21, 2015. Accessed November 29, 2019. http://www.reuters.c
om/article/2015/04/21/us-huawei-cybersecurity-idUSKBN0NC1G920150421.
State Council. 1999. “Shangyong mima guanli guiding (Commercial Encryption
Management Regulations).” October 7, 1999. Accessed November 29, 2019. https
://zh.wikisource.org/zh-hans/中华人民共和国国务院令第273号
State Council. 2000. “Hulianwang xinxi fuwu guanli banfa (Internet Information
Service Management Rules).” September 25, 2000. Translation, accessed Novem-
ber 29, 2019. https://chinacopyrightandmedia.wordpress.com/2000/09/25/internet-
information-service-management-rules/
State Council. 2016. “‘Shisan wu’ guojia xinxihua guihua (‘13th Five-Year Plan’ for
National Informatization).” December 15, 2016. Accessed November 29, 2019.
http://www.gov.cn/zhengce/content/2016-12/27/content_5153411.htm.
Stein, Arthur A. 2016. “The Great Trilemma: are Globalization, Democracy, and
Sovereignty Compatible?” International Theory 8(2): 297-340.
TC260. n.d. “Xinxi anquan jishu—shuju chujing anquan pinggu zhinan (Information
Security Technology- Guidelines for Data Cross-Border Transfer Security Assess-
ment).” Accessed November 29, 2019. https://www.tc260.org.cn/ueditor/jsp/upl
oad/20170527/87491495878030102.pdf.
Thomas, Daniel C. 2001. The Helsinki Effect: International Norms, Human Rights,
and the Demise of Communism. Princeton: Princeton University Press.
Thomas, Neil. 2019. “Mao Redux: The Enduring Relevance of Self-Reliance in
China.” MacroPolo. April 25, 2019. Accessed November 29, 2019. https://ma
cropolo.org/analysis/china-self-reliance-xi-jin-ping-mao/
Tost. 2015. “Oettinger Calls for ‘Europeanisation’ of Digital Policy.” EurActiv.
March 17, 2015. Accessed November 29, 2019. https://www.euractiv.com/section/
digital/news/oettinger-calls-for-europeanisation-of-digital-policy/
China’s Conception of Cyber Sovereignty 141
Xinhua. 2015. “High-level Advisory Committee Established for World Internet Con-
ference.” December 21, 2015. Accessed November 29, 2019. http://www.wuzh
enwic.org/2015-12/21/c_48303.htm.
Xue, Hong. 2004. “Voice of China: A Story of Chinese-Character Domain Names.”
Cardozo Journal of International and Comparative Law 12: 559–592.
Yuan, Li. 2019. “As Huawei Loses Google, the U.S.-China Tech Cold War Gets Its
Iron Curtain.” New York Times, May 20, 2019. https://www.nytimes.com/2019/0
5/20/business/huawei-trump-china-trade.html.
Zeng, Jinghan, Tim Stevens and Yaru Chen. 2017. “China’s Solution to Global Cyber
Governance: Unpacking the Domestic Discourse of ‘Internet Sovereignty’.” Poli-
tics & Policy 45(3): 432–464.
Zhao, Zhoujian and Zhilian Xu. 2014. “Xinxi jiashu fazhan qushi yu yishixingtai
anquan (Information Technology Development Trends and Ideological Security).”
Red Flag Manuscripts. Translation, accessed November 29, 2019. https ://ch
inacopyrightandmedia.wordpress.com/2015/01/01/information-technology-develo
pment-trends-and-ideological-security/.
Part II
INTERNATIONAL ORGANIZATIONS,
STATES, AND SUBSTATE ACTORS
Chapter 7
The balance of power theory is one of the most enduring and protean
concepts in international relations.3 It has also sometimes proven to be the
146 Alexander Klimburg and Louk Faesen
always use the “cheapest” tools available, and not necessarily the most
advanced.19
• The vast majority of offensive cyber effects can only be deployed using
civilian intermediaries (networks, products) that also can be part of a
neutral or even friendly third nation.
• Imminent preparation for attack (e.g., OPE) and simple espionage can be
hard for the defender to distinguish, making inadvertent escalation much
more likely due to a failure to correctly interpret intent.
• Offensive capabilities are much cheaper and much easier to develop and
deploy than the total sum of necessary defensive measures.20
• Unlike conventional weapons, “cyber weapons” can be reused but are also
perishable—an entire arsenal can be rendered useless without ever being
used once the vulnerability is patched.21
• These tools are specific—the outcomes are dependent on the victim’s
network—and can be immediate or time-delayed. They upend conventional
ways of response.
• They can also be reverse engineered, weaponized and reused by the victim
or another party that gets their hands on the technology.22
• They not only undermine the target’s security but also compromise the
security of other actors using systems with the same vulnerabilities.23
These are just a small range of examples describing how the fundamental
differences between cyber and conventional weapons greatly complicate the
process of parsing state offensive cyber capabilities.
But even in the physical world, Kissinger states that “an exact balance is
impossible, and not only because of the difficulty of predicting the aggressor.
It is chimerical, above all, because while powers may appear to outsiders as
factors in a security arrangement, they appear domestically as expressions of a
historical existence. No power will submit to a settlement, however
well-balanced and however secure, which seems totally to deny its vision of itself.”24
Power is thus not merely conceived and assessed as a mathematical exercise
(the number of weapons or military capabilities); its assessment also takes into
account the perception of a nation’s leaders, the quality of its strategies,
military doctrines, and its will to use power effectively. Therefore, the common
perception of a state’s cyber capabilities, even if founded on incomplete
knowledge, can function as a basis for calculating the respective balance of power.
Legitimacy
A balance of power makes the overthrow of international order physically
difficult, deterring a challenge before it occurs. A broadly based principle of
Figure 7.1 “The Regime Complex for Managing Global Cyber Activities.” Source:
Joseph S. Nye Jr. “The Regime Complex for Managing Global Cyber Activities,” Global
Commission on the Internet Governance, May 2014. Available at:
www.cigionline.org/sites/default/files/gcig_paper_no1.pdf.
sector, and governments. For the Internet, this is seemingly grounded in
reality. It is the members of civil society (which includes state-funded university
researchers, as well as corporate engineers working on their own time) who
write the code of the Internet. It is the private sector that builds and owns
most aspects of the Internet, ranging from the cables to the services, to
products and software which run on and in it. Government’s role is relatively
limited in that respect. Its power is manifested through its sovereign rights
and jurisdiction. While there are fine-tuned differences in the exact
definition of the multistakeholder approach, for instance, between Western
nations and China (Russia, by and large, still rejects the term entirely), these
are more questions of applicability and responsibility. Both definitions,
however, implicitly agree that the cyberspace domain overall is a
multistakeholder one—even if they disagree on exactly what the respective authorities
of the actors among each other are, or at what “level” of governance and what
kind of authority is applicable.
The ability of governments to successfully manage the threat of major
conflict in cyberspace is, therefore, hampered not only by the rapid
development of digital technologies but also by the dominant role of non-state actors
in all shapes and forms (attacker, victim, media or carrier of attacks), as
well as their unclear relationships with the government. Traditionally,
all questions related to international peace and security occur within the
governmental remit of states and the UN First Committee, while in reality
governments only constitute one of three stakeholder groups in the wider
cyberspace ecosystem. Failure to reach meaningful progress at the
multilateral level has led civil society and industry to become more involved
in developing rules of the road.30 This is not the first time that this has
occurred—nongovernmental groups have previously helped reshape global
discussions on responsible behavior.31 Governments and international
organizations are beginning to recognize the need for industry and civil society
involvement at the traditionally state-led multilateral level. Initiatives
such as the “Paris Call for Trust and Security in Cyberspace,”32 the “UN
Secretary General’s High-Level Panel on Digital Cooperation,”33 and the
civil society and industry consultations of the “UN Open-Ended Working
Group on Developments in the Field of Information and Communications
Technologies in the Context of International Security”34 are testament to
this development.
Finally, there is the question of the ideological connotation of the
multistakeholder model itself, opening the door for further neo-corporatist
influence over the governance structure. While many of these points are worthy
of further examination and debate, the assessment, as with liberal democratic
systems, is often that it might be one of the worst systems out
there, but still better than the alternatives. Support for the multistakeholder
A Balance of Power in Cyberspace 153
approach should not just be based on the notion of simply being “inclusive.”
Instead, it allows for decision- and policy making to be informed and
shaped by the relevant and authoritative sources. Within the complex
context of cyberspace, it’s not an ideology, but a necessity—the removal of the
private sector and civil society from the Internet governance architecture is
simply not physically possible.
Given this complex landscape, it is unlikely there can be a singularly
encompassing entity successfully acting unilaterally across the entire regime
complex. If, for instance, governments, as an overall actor group, were to
agree to make definitive changes to the current non-state-dominated
Internet governance structures, then there would almost certainly be a strong
reaction—not only from the private sector but also from the engineers and
hobbyists who have coded most of the backbone of the Internet.
Installing an intergovernmental organization instead of, for instance, the Internet
Engineering Task Force, would not simply make these volunteers stop
working on Internet technology. Therefore, the most basic reality of the wider
cyber regime complex is that it is in its own, precarious, multistakeholder
balance. While states can and may expand their own arrangements among
each other, certain basic realities of how the domain is managed cannot be
changed. Nothing that completely goes against the diffused power structure
of cyberspace can, therefore, be considered viable or “legitimate”—the
multistakeholder approach is, therefore, in effect, the Westphalian System of the
Internet.
Thus far, it has become apparent that an equilibrium of state forces in
cyberspace remains elusive because of the lack of a basic understanding of each
other’s capabilities and doctrines and, therefore, also a minimum amount of
agreed definitions. Moving beyond power, the legitimizing principle reflects
the recognition of the limits of states in the prevailing reality of the historical
epoch. In cyberspace, this arguably can be expressed as the multistakeholder
approach because of the technical reality of cyberspace that prevents one
party from deciding universally and unilaterally.
From a state perspective, there are different ways to achieve a balance of
power. In the next section, the guiding principles will be applied to three
scenarios proposed by states that roughly correspond to the first three
committees of the UN General Assembly to see how likely they are to lead
to a balance of power that upholds the legitimizing principle. This does not
mean that the UN is or should be the sole means through which to establish
international peace and stability in cyberspace. Instead, it offers a starting
Figure 7.2 The Cyber Regime Complex by Stakeholder Group: The “International
Cybersecurity” Cluster. Source: Alexander Klimburg, “To the GGE and beyond,” UNIDIR
Cyber Stability Conference Series, 17 July 2016, Geneva. Available at:
www.unidir.ch/files/conferences/pdfs/looking-ahead-the-gge-and-beyond-en-1-1173.pdf.
The code proposes that states voluntarily forego the “use of [ICTs]
. . . to carry out activities which run counter to the task of maintaining
international peace and security.” It predominantly focuses on interstate
cooperation against the use of ICTs to incite the “three evil –isms”—terrorism,
separatism or extremism—as well as reinforces a multilateral
model for Internet governance and the notion of noninterference in the
internal affairs of states through ICTs. The code has been floated at the
UN since 2011, but has attracted criticism for its perceived
incompatibility with human rights law.43
3. Finally, the UN General Assembly adopted a resolution in 2003,
calling on states to build a culture of cybersecurity by encouraging domestic
stakeholders to be aware of cybersecurity risks and to take steps to
mitigate them.44
and contentious as the concept behind “cyber power” per se, and there is no
definition of a cyberweapon or even cyber capabilities that would lend itself
to negotiations. Russia and China still view cyber threats in fundamentally
different ways from the United States (e.g., information weapons versus cyber
tools), making it difficult to establish and enforce such a framework. There
are some workarounds that have been suggested, such as the focus on
simply regulating certain “effects” rather than trying to define the weapons.
However, they also stumble over some basic differences in understanding
of international law. Currently, the open questions in international law,
particularly the status of data as an object,50 are almost as difficult as the technical
understanding of what could comprise a “weapon” in cyberspace, mainly due
to the dual-use or omni-use nature of many of the potential subcomponents in
a “cyberweapon,” and the need for the technical community, researchers, or
the private sector to be able to provide security tools for testing.
The introduction of two competing processes within the First Committee
does not represent an encouraging development in this regard either, signifying that
divergent views between UN member states, in particular between liberal
democracies and autocracies, persist despite progress that may have
previously been made through the GGE. However, if these hurdles can be
overcome, agreeing at least on a counter-proliferation agreement
(similar to the Missile Technology Control Regime or the Treaty on the
Non-Proliferation of Nuclear Weapons) is theoretically possible.51 Such an
agreement would clarify both concepts and capabilities of signatory states,
as well as limit the transfer of those capabilities to other actors (including
non-state actors). If such a treaty neither violated the need of the technical
community to have simple and easy access to security testing tools, nor set
a dangerous precedent by trying to “outlaw” individual pieces of code
globally, then it could arguably provide for a much-needed dose of predictability
among states.
Figure 7.3 The Cyber Regime Complex by Stakeholder Group: “Law Enforcement” and
“Civil Rights” Clusters. Source: Alexander Klimburg, “To the GGE and beyond,” UNIDIR
Cyber Stability Conference Series, 17 July 2016, Geneva. Available at:
www.unidir.ch/files/conferences/pdfs/looking-ahead-the-gge-and-beyond-en-1-1173.pdf.
rights. Moreover, human rights law governs mainly the relations between
governments and their citizens. Instead, it needs to be incorporated into other
approaches.
Finally, there have been several attempts by states to assert power in
cyberspace by pushing for a state-led Internet governance approach through
the International Telecommunications Union (ITU) of the United Nations.
Internet governance is largely treated as a Second Committee issue (primarily
through ECOSOC and the Internet Governance Forum) but there are options
to connect it to the Third Committee as well. The IGF has no formal
decision-making power or government policy-making impact, but instead helps to
coordinate and facilitate among the different Internet governance
constituencies. If the Third Committee link to Internet governance can be strengthened,
this might also reinforce the notion of a rights-based Internet.
The Internet governance regime complex best represents the complexity
of dealing with the larger issues of managing resources and behaviors in
cyberspace. It encompasses a wide range of different institutions, from
established international organizations like the International Telecommunication
Union (ITU)54 to the critical Internet Engineering Task Force (IETF)55 that is
characterized by its informal structure, and the nonprofit public-benefit
corporation known as the Internet Corporation for Assigned Names and
Numbers (ICANN).56 Most importantly, the Internet governance ecosystem is
resolutely representative of the multistakeholder approach, with civil society,
the private sector and government stakeholders each working more or less
equally according to their strengths. As such, it is a “proof” of the
legitimizing principle of cyberspace: nothing that is determined about resources and
behaviors in cyberspace can be legitimate if it fully violates the basic reality
of how the Internet is actually managed.
As such, a major question of the state’s influence on Internet governance
was solved by a momentous decision by the Obama administration. The day
of October 1, 2016 marked a historic moment, when the US government
officially cut the final strings to its influence over ICANN by handing over
the IANA function—the management of the root zone file of the Internet—to
ICANN in its entirety.57 The process of slowly moving the Internet away from
government influence was arguably part of the basic US approach to the
Internet since as far back as the 1980s. A number of steps under various
administrations conformed to this principle—slowly moving the Internet “back into the
Internet community” that gave birth to it, even if that community was heavily
financed by the US government in its early years. The commitment of the US
government to fully disinvest itself from the last vestiges of direct control over
the Internet was given new urgency after the June 2013 Snowden revelations
and the significant impact this had on US “soft power,” particularly in and
through cyberspace. Although it marks an awkward bent in realist thinking
that a state would voluntarily give up power, the Obama administration made
the assessment that sticking to previous political commitments and
“releasing” the last shreds of government control over the Internet conformed to
three objectives, namely: (i) it reinforced US soft power, giving up its
first, “potentially coercive” face of power to gain a stronger position in the
second face, that is, in agenda setting or framing; (ii) it confirmed a self-image
of the United States as a leader of a “Free Internet”; and (iii) it finally
reinforced the basic legitimizing principle of the Internet altogether: it is run by the
multistakeholder approach, and no one government can exercise a hegemonic
position on it. Instead, all states enjoy the same relative power. Therefore, the
US IANA disinvestment played a significant role in bringing a “balance of
power” to the Internet governance domain itself.
Figure 7.4 The Cyber Regime Complex by Stakeholder Group: “Internet Governance”
Cluster. Source: Alexander Klimburg, “To the GGE and beyond,” UNIDIR Cyber Stability
Conference Series, 17 July 2016, Geneva. Available at:
www.unidir.ch/files/conferences/pdfs/looking-ahead-the-gge-and-beyond-en-1-1173.pdf.
The internal balance of power within Internet governance means that it is,
in effect, a poor choice for states to advance their power through this approach
as it would disrupt the current system and the legitimizing principle. If a state
tried to do so at the expense of the multistakeholder model, it would conflict
162 Alexander Klimburg and Louk Faesen
with the basic reality of the domain, in which the key technical standard
setting bodies, such as the IETF, are resolutely outside of governmental control
and due to their voluntary nature cannot be co-opted by it. If a state tried to
expand its power while at the same time maintaining the multistakeholder
model, it would be limited to very small, incremental increases, thus limiting
its attractiveness. Restructuring the Internet governance ecosystem to that of
an intergovernmental structure is, therefore, a poor choice for states to seek a
different balance of power among states as they already enjoy the same
relative power under the current ICANN structure that respects the legitimizing
principle of the multistakeholder model.
This chapter set out to assess the application of the balance of power theory
to cyberspace to establish international stability and order. It did so by
pursuing a more neoliberal interpretation of power. Two conditions of the balance
of power theory were applied to three approaches or scenarios that roughly
correspond to the first three committees of the United Nations General
Assembly, to see how they could contribute to such a stable environment,
leading to the following preliminary observations.
Overall, merit can be found in the realist approach to stability and
international order in cyberspace by describing it in terms of compromise and of
relative security and relative insecurity. By adopting a neoliberal
interpretation of the notion of cyber power, the balance of power theory can be applied
to certain aspects of cyberspace. Establishing stability in this environment
hinges upon the acceptance of the framework of the international order by
all major powers, at least to the extent that no state is so dissatisfied that it
expresses it in a revolutionary foreign policy. At least for now, the Internet
governance domain enjoys a balance of power among states in accordance
with the legitimizing principle. This principle, described as a “recognition of
limits” by the state, is construed by the technical reality of the domain
inhibiting one party from deciding universally and unilaterally, arguably defined as
the multistakeholder reality in the context of cyberspace.
However, the condition of an equilibrium of forces that lies at the core
of the balance of power theory is currently impossible to establish as it
requires states to have a basic understanding of each other’s capabilities and,
therefore, a minimum amount of agreed definitions as to what constitutes a
“cyberweapon.” In this context, compared to the other options, an arms control
treaty has the most to offer for the balance of power for states in cyberspace.
If nearly all difficulties could be overcome, it would clarify those concepts
when the idea to have a discussion about conventional forces in Europe
side-by-side with a human rights discussion, the same “basket-based” approach
could be applied to the wide variety of issues in cyberspace: International
peace and security issues, cybercrime (terrorist use of the Internet) and
economic and development issues, human rights and Internet governance issues.
These also nicely align with the UN First to Third Committees.
Most importantly, it needs to be pointed out that the Helsinki Final Act did
not create new norms but reinforced existing norms within the UN Charter. It
provided for an “enhanced explanation” of the Charter, something that could
be very welcome in the context of cyberspace. It would also help define the
exact role of the multistakeholder model and its application across the
baskets. Just like the original Helsinki Process, it does require the full-fledged
support of all major powers to get underway—the United States was notably
hesitant on the Helsinki Process from the very start, and a new Helsinki
Process might be equally popular, for similar reasons. However, the legally
nonbinding status here is key—it provides assurances to the doubters that the
process can be reversed if necessary, while at the same time not
undermining existing international law.
A basket-based model inspired by the Helsinki Process could create an
environment in which all major players can expand their foreign policy interests
in the respective baskets, while leaving room for others to do the same,
leading to a more stable situation whereby all states are equally (dis)satisfied
and at the same time respect the legitimizing principle of a multistakeholder
reality in cyberspace. No matter how likely its success, it needs to be seen as
a collaborative effort where progress toward stability can be made on several
fronts.
The basket-based approach is obviously just one approach that need not
frame a “final answer” to the overarching problem of balancing states’ interests
in cyberspace. But it may form a beginning.
NOTES
University Press, USA. For examples of the competing theoretical and empirical
claims see Vasquez, J. A. and C. Elman. eds. 2003. Realism and the Balancing of
Power: A New Debate. Saddle River, NJ: Prentice Hall.
4. See, for example, Mearsheimer: “The international system creates powerful
incentives for States to look for opportunities to gain power at the expense of rivals,
and to take advantage of those situations when the benefits outweigh the costs”
(Mearsheimer, John. 2001. The Tragedy of Great Power Politics. New York:
Norton); and Morgenthau: “the aspiration for power on the part of several nations, each
trying to maintain or overthrow the status quo, leads of necessity, to a configuration
that is called the balance of power and to policies that aim at preserving it”
(Morgenthau, Hans. 1948. Politics Among Nations: The Struggle for Power and Peace [4th
ed.], New York: Alfred Knopf).
5. Jervis, Robert. 1978. Cooperation under the Security Dilemma, pp. 186–189.
6. Waltz, for example, maintains that “these balances tend to form whether some
or all States consciously aim to establish and maintain balance, or whether some or
all States aim for universal domination” in Waltz, K. N. 1979. Theory of International
Politics. Reading, MA: Addison-Wesley. p. 119; and Morgenthau who considers a
balance of power as a result from a State’s policies in Morgenthau, Hans. Politics
Among Nations: The Struggle for Power and Peace (4th ed.). New York: Alfred
Knopf. Statecraft based on balancing policies has been lauded by figures such as
Metternich, Castlereagh, Churchill, and Kissinger.
7. Schweller, R. L. 2006. Unanswered Threats: Political Constraints on the
Balance of Power. Princeton, NJ: Princeton University Press: “Balancing means the
creation or aggregation of military power through either internal mobilization or the
forging of alliances to prevent or deter the occupation and domination of the State by
a foreign power or coalition. The State balances to prevent the loss of territory, either
one’s homeland or vital interests abroad (e.g., sea lanes, colonies, or other territory
considered of vital strategic interest). Balancing only exists when States target their
military hardware at each other in preparation for a possible war.”
8. Kissinger, Henry. 1957. A World Restored: Metternich, Castlereagh, and the
Problems of Peace 1812–1822. Echo Point Books & Media.
9. See Nye, Joseph S., Jr. 2011. “The Future of Power.” Public Affairs.
10. Nye, Joseph S., Jr. 2010. Cyber Power. Harvard University Belfer Center for
Science and International Affairs, pp. 7–8. Available at:
www.belfercenter.org/sites/default/files/legacy/files/cyber-power.pdf.
11. Kuehl, Daniel T. “From Cyberspace to Cyberpower: Defining the Problem.”
In: Kramer, Franklin D., Stuart Starr, and Larry K. Wentz, eds. 2009. Cyberpower
and National Security. Washington, DC: National Defense University Press.
Available at: http://ctnsp.dodlive.mil/files/2014/03/Cyberpower-I-Chap-02.pdf.
12. Ibid., p.10.
13. CNE was initially defined in JP1-02 as “Enabling operations and intelligence
collection capabilities conducted through the use of computer networks to gather data
from target or adversary information systems or networks.” In JP 3-13 (2012), its
removal from JP-02 was approved.
14. Cyberspace Operational Preparation of the Environment (OPE) is defined in
JP3-12 (2013) as “consist[ing] of the non-intelligence enabling activities conducted to
plan and prepare for potential follow-on military operations. OPE requires cyberspace
forces trained to a standard that prevents compromise of related IC operations. OPE
in cyberspace is conducted pursuant to military authorities and must be coordinated
and deconflicted with other USG departments and agencies.”
15. Network attacks are usually preceded by network exploitation. As former NSA
and CIA director Michael Hayden states in his book, Playing to the Edge (2017):
“Reconnaissance should come first in the cyber-domain. . . . How else would you
know what to hit, how, when—without collateral damage?”
16. Offensive Cyber Effects Operations (OCEO) is defined in PPD-20 as
“Operations and related programs or activities—other than network defense, cyber
collection, or DCEO—conducted by or on behalf of the United States Government, in
or through cyberspace, that are intended to enable or produce cyber effects outside
United States Government networks.”
17. See FM3-38 (2014) for examples. Electronic Attacks, for example, is
“considered a form of fires” (see 4–3).
18. Exploiting, for instance, the ability to conduct differential power analysis on
individual computers.
19. Klimburg, Alexander. 2017. The Darkening Web: The War for Cyberspace.
New York: Penguin Press.
20. Slayton, Rebecca. 2016. “What Is the Cyber Offense-Defense Balance?
Conceptions, Causes, and Assessment.” International Security 41, no. 3. Slayton argues
that this perception leads to unnecessary escalation and militarization of cyberspace.
According to Klimburg (2017), using DDoS costs as a point of departure, defense can
be conceived as being up to 1,000 times more costly than offense.
21. In Zero Days, Thousands of Nights by Lillian Ablon and Timothy Bogart of
RAND, the average lifespan of zero-days is set at 6.9 years, and for a given stockpile
of zero days, about 5.7 percent will be publicly disclosed after one year. The report is
available at: www.rand.org/pubs/research_reports/RR1751.html.
22. The EternalBlue exploit is a good example of a weapon or exploit developed
by the NSA that was leaked by the Shadow Brokers, and was used in several
malware epidemics afterward, including NotPetya and WannaCry. See, for example,
Fox-Brewster, Thomas. May 12, 2017. “An NSA Cyber Weapon Might Be Behind A
Massive Global Ransomware Outbreak.” Forbes.
www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/#2ff505c2e599;
and Perlroth, Nicole, Mark Scott, Sheera Frenkel. June 27, 2017.
“Cyberattack Hits Ukraine Then Spreads Internationally.” The New York Times,
www.nytimes.com/2017/06/27/technology/ransomware-hackers.html?_r=0.
23. Several examples include NotPetya, Turla and Black Energy. These are all
malware attacks generally thought to be sponsored by the Russian Federation.
Nevertheless, the malware went rogue and hit Russian organizations and companies as
well. More information available at: www.cfr.org/interactive/cyber-operations.
24. Kissinger. A World Restored.
25. Kissinger, Henry. 1989. War Roared Into Vacuum Formed by a Sidestepping
of Statesmanship. Available at:
http://articles.latimes.com/1989-08-27/opinion/op-1559_1_eastern-europe.
31. For instance, the Brundtland Commission created norms for Sustainable
Development. A Carnegie Commission on Preventing Deadly Conflict led to the
International Commission on Intervention and State Sovereignty and a commitment by all
UN member states on the duty to prevent and protect against war crimes, genocide,
ethnic cleansing and other crimes against humanity. The Ilves Commission helped set
the framework for the NETmundial Initiative. The Brandt and Palme Commissions
represented important steps both in development and disarmament, respectively.
32. The Paris Call for Trust and Security in Cyberspace (2018) is a high-level
multistakeholder declaration with norms and principles to enhance cybersecurity that is
signed by 552 official supporters from all stakeholder groups and launched by French
President Emmanuel Macron. For more information see: Ministry for Europe and
Foreign Affairs of France. 2018. The Paris Call for Trust and Security in Cyberspace
https://www.diplomatie.gouv.fr/IMG/pdf/paris_call_text_-_en_cle06f918.pdf.
33. The UN Secretary-General’s High-Level Panel on Digital Cooperation, a
multistakeholder initiative dealing with a variety of digital challenges, argues in favor of
a distributed co-governance architecture that bridges multilateralism and
multistakeholderism. UN Secretary-General’s High-level Panel on Digital Cooperation. 2019.
The Age of Digital Interdependence. 33,
https://digitalcooperation.org/wp-content/uploads/2019/06/DigitalCooperation-report-web-FINAL-1.pdf.
34. United Nations General Assembly Resolution A/RES/73/27. 2018.
https://undocs.org/A/RES/73/27
35. UNGGE 2015 Report, paragraph 31 on p. 13, available at:
www.un.org/ga/search/view_doc.asp?symbol=A/70/174.
36. For a comprehensive overview of cyber diplomatic initiatives see: Grigsby,
Alex. 2017. Overview of Cyber Diplomatic Initiatives, and Housen-Couriel,
Deborah. 2017. An Analytical Review and Comparison of Operative Measures Included in
Cyber Diplomatic Initiatives, both published as Briefings from the Research Advisory
Group for the Global Commission on the Stability of Cyberspace, available at:
https://cyberstability.org/wp-content/uploads/2017/12/GCSC-Briefings-from-the-Research-Advisory-Group_New-Delhi-2017.pdf.
37. The UN General Assembly, Group of Governmental Experts on Developments
in the Field of Information and Telecommunications in the Context of International
Security, A/65/201. July 30, 2010, available at:
www.unidir.org/files/medias/pdfs/final-report-eng-0-189.pdf.
38. The UN General Assembly, Group of Governmental Experts on Developments
in the Field of Information and Telecommunications in the Context of International
Security, A/68/98. June 24, 2013,
www.un.org/ga/search/view_doc.asp?symbol=A/68/98.
39. The United States argues it failed over states’ unwillingness to explain how
specific bodies of international law, such as the law of armed conflict (LOAC) or state
responsibility, apply to cyberspace. Cuba, echoing the views of Russia and China,
argues that acknowledging LOAC would legitimize cyberspace as a domain for
military conflict, giving state-sponsored cyber operations a green light.
Sources: Markoff, Michele G. Explanation of Position at the Conclusion of
the 2016–2017 UN Group of Governmental Experts (GGE) on Developments in the
48. Grigsby, Alex. 2017. “The End of Cyber Norms”, Survival, 59(6).
49. Morgus, Robert, Max Smeets, Trey Herr. 2017. Countering the Proliferation
of Offensive Cyber Capabilities. Published by the Global Commission on the Stability
of Cyberspace, and available at:
https://cyberstability.org/wp-content/uploads/2017/12/GCSC-Briefings-from-the-Research-Advisory-Group_New-Delhi-2017.pdf.
50. The second edition of the Tallinn Manual states that, in the opinion of its
experts, data is not an object in legal terms (Tallinn Manual at p. 127). This view is,
however, disputed by other scholars. See for example: Adams, Michael J. January 04,
2017. “A Warning About Tallinn 2.0 … Whatever It Says.” Lawfare, available at:
www.lawfareblog.com/warning-about-tallinn-20-%E2%80%A6-whatever-it-says.
51. For more information on the feasibility of the application of the
counter-proliferation model to cyberspace see: Morgus, Robert, Max Smeets, Trey Herr.
2017. Countering the Proliferation of Offensive Cyber Capabilities. Published by
the Global Commission on the Stability of Cyberspace, and available at:
https://cyberstability.org/wp-content/uploads/2017/12/GCSC-Briefings-from-the-Research-Advisory-Group_New-Delhi-2017.pdf.
For more information on the feasibility of a Cyber Weapons Convention
based on the Chemical Weapons Convention, see Geers, Kenneth. September 2010.
“Cyber Weapons Convention.” Computer Law & Security Review, Volume 26,
Issue 5, pp. 547–551.
52. Council of Europe. 2001. Convention on Cybercrime. European Treaty
Series—No. 185, available at:
www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680081561.
53. “Russia Presents Draft UN Convention on Fighting Cyber Crimes in Vienna.”
Sputnik, May 25, 2017,
https://sputniknews.com/science/201705251053959333-russia-un-convention-cybercrimes/.
54. The ITU is a United Nations agency established in 1865, whose mission
includes developing technical standards, allocating the radio spectrum, and providing
technical assistance and capacity building to developing countries.
55. The IETF is one of the most important organizations working on Internet
protocols and effectively decides much of what constitutes the Internet’s nervous system:
most protocols, such as DNS and BGP. Its mission is to “make the Internet work
better” from an engineering point of view. It tries to avoid policy and business
questions as much as possible, which are mostly managed by the Internet Society.
56. ICANN is a nonprofit public-benefit corporation with the purpose of
coordinating, at the overall level, the global Internet system of unique identifiers and
managing Internet names and addresses (IANA function). See
www.icann.org/resources/pages/what-2012-02-25-en.
57. On 1 October 2016, the contract between ICANN and the United States
Department of Commerce National Telecommunications and Information
Administration (NTIA) to perform the IANA functions officially expired, handing over the
stewardship of IANA functions to the global Internet community. You can read the
announcement here: www.icann.org/news/announcement-2016-10-01-en.
58. Kleinwächter, Wolfgang. 2018. Towards a Holistic approach for Internet
Related Public Policy Making: Can the Helsinki Process of the 1970s Be a Source of
Inspiration to Enhance Stability in Cyberspace? Published by the Global Commission
norms. The chapter concludes that although states are responsible for norms,
given the proliferation of cyber threats to transatlantic security, NATO cannot
but both contribute to and draw guidance from the ongoing debates on the
development of norms of responsible state behavior and stability in
cyberspace. Furthermore, recent experience in NATO and in other international
fora has underlined the importance of reinforcing effective enforcement
mechanisms and potential response options.
NATO heads of state and government affirmed at the Wales Summit in 2014
that international law, including international humanitarian law and the UN
Charter, applies in cyberspace.13 Although there is now general consensus
on the fundamental role that international law can play in promoting peace
and stability in cyberspace, questions remain as to how international law
applies in a cyber context. For example, questions relating to attribution and
state responsibility, which have always been difficult topics in international
law, have become even more so given the intrinsically anonymous and
asymmetrical nature of cyberspace. There are also questions as to whether a
particular cyber activity is of such a nature to warrant a response,
preventative or defensive. The “below-the-threshold” nature of most malign cyber
incidents challenges our understanding of what counts as an internationally
wrongful act which could form the basis of a legally justified response such
as countermeasures. The lack of clarity in these crucial and contentious areas
makes it difficult to predict state action in the cyber realm and the existence
of divergent views among states risks leading to misperceptions and potential
escalations.14
Several important international initiatives have provided some guidance on
these and other questions. The development of the two Tallinn Manuals under
the auspices of the NATO-accredited Cooperative Cyber Defense Centre of
Excellence (CCDCOE) in Estonia has helped identify the key legal issues
and provides an academic assessment of the application of international law
to cyberspace. As the development of the manuals was not a process formally
endorsed by states, experts were free to thoroughly explore the implications
of legal issues and states had an opportunity to offer comments during the
so-called Hague Process. The manuals have become indispensable desk books
for lawyers and cyber policy experts. However, although the Manuals help us
interpret the law, they are not official NATO doctrine and do not constitute
the law itself.
There has been progress in advancing the norms debate in international fora,
many of which have largely been aspirational in nature.15 The United Nations
176 Steven Hill and Nadia Marsan
Within NATO, allies have coalesced on a few fundamental areas that can
serve as building blocks for the development and particularly the
socialization of norms: the rule of law, restraint, resilience, and mutual cooperation
and assistance. These areas are well anchored in the North Atlantic Treaty
and in the most recent Summit Communiques, which supplement the work
of international expert groups regarding how well-established areas of
international law apply to cyberspace.
Rule of Law
Allies express their commitment to the rule of law in the preamble to the
North Atlantic Treaty which states that “the Parties to this Treaty . . . are
determined to safeguard the freedom, common heritage and civilization of
their peoples, founded on the principles of democracy, individual liberty and
the rule of law.” At the NATO Summit in Wales in 2014, allies recognized
that “international law, including international humanitarian law and the UN
Charter, applies in cyberspace.”32 More recently, at the Brussels Summit in
July 2018, allies reaffirmed their “commitment to act in accordance with
international law, including the UN Charter, international humanitarian law,
and human rights law, as applicable.”33
The broad affirmation of the application of the body of international law to
cyberspace cannot be underestimated. It is the essential starting point toward
ensuring predictability and stability as it places a duty on states to exercise
diligence in the application of international law in cyberspace. At the NATO
Summit in Warsaw in 2016, NATO heads of state and government
recognized cyberspace as an operational domain “in which NATO must defend
itself as effectively as it does in the air, on land, and at sea.”34 Together with
the commitment to respect the UN Charter and international humanitarian
law, the designation of cyberspace as an operational domain indirectly
reinforces the tenet that the general corpus of international law applying in the
air, land, and sea domains also applies in cyberspace. Although every
situation is unique and states must be able to respond to cyber incidents using a
International Law in Cyberspace 179
wide variety of means, states have the obligation to act in accordance with
international law before (jus ad bellum) and during an armed conflict (jus in
bello) as well as during peacetime.
With the application of international law in cyberspace, it can be inferred
that there is no immediate requirement to create new legal instruments to
govern state behavior in cyberspace. Such proposals, including the idea of
a Digital Geneva Convention35 or of an International Code of Conduct for
Information Security,36 have raised a number of concerns on the part of some
states related to enforcement, verification, volatile technological change, and
fear that tailored instruments may discredit rather than reinforce the
international legal order.37 With respect to the proposal for an International Code
of Conduct for Information Security, the primary concern was that such a
code could potentially enshrine state sovereignty and information control in
cyberspace.38
Restraint
Flowing from the previous point on the rule of law, NATO discussions and
statements also support an evolving consensus on the application of the
principle of restraint in cyberspace. Article 1 of the North Atlantic Treaty
embodies the principle of restraint which echoes the principles set out in
Article 1 of the UN Charter: “the Parties undertake, as set forth in the Charter
of the United Nations, to settle any international dispute in which they may
be involved by peaceful means in such a manner that international peace and
security and justice are not endangered, and to refrain in their international
relations from the threat or use of force in any manner inconsistent with the
purposes of the United Nations.”39
At the Warsaw Summit in 2016, allies agreed that they “will continue to
follow the principle of restraint and support maintaining international peace,
security and stability in cyber space.”40 States have shown that they
generally respond to cyber incidents at a lesser threshold than would be permitted
under international law, thereby demonstrating a commitment to restraint and
de-escalation. Some good examples of such responses include network
shutdown to stop the spread of a particular attack, public attribution, diplomatic
demarches, economic sanctions, and increased exchanges of information
with like-minded states. Self-restraint in cyberspace is especially important
as actions in that realm may have unintended and serious follow-on
consequences for other state and non-state actors: “the very newness of cyberwar
and the fear of unforeseen consequences in unpredictable systems may
contribute to prudence and self-restraint that could develop into a norm of
non-use or limited use or limited targets.”41 The importance of self-restraint
in cyberspace is further highlighted within the context of “broad deterrence,”
Resilience
At the Warsaw Summit in 2016, allies adopted the Cyber Defense Pledge
toward strengthening and enhancing the cyber defenses of national networks
and infrastructures, thereby bolstering the alliance’s resilience to cyber
threats and enhancing the resilience of the alliance itself. This emphasis
on cyber resilience was reaffirmed at the NATO Summit in Brussels in
July 2018, where allies declared that they “are determined to deliver strong
national cyber defenses through full implementation of the Cyber Defense
Pledge, which is central to enhancing cyber resilience and raising the costs
of a cyber-attack.”43
The commitment to resilience is anchored in the North Atlantic Treaty at
Article 3: “in order more effectively to achieve the objectives of this Treaty,
the Parties . . . will maintain and develop their individual and collective
capacity to resist armed attack.”44 Although Article 3 refers to the capacity to
resist armed attack, NATO’s approach to cyber defense through the pledge
has prioritized resilience in peacetime, precisely to prevent armed attacks
from occurring in the first place. Effective cyber defense and deterrence rely
on resilience of networks and their capacity to recover.45 Resilience of
networks deters malicious cyber actors by increasing the effort, raising the risk,
and reducing the rewards.46
The priority for NATO itself is the protection of the communication
and information systems owned and operated by the alliance. In light of
our increasing dependence on information technologies and the escalatory
potential of state action in cyberspace, the resilience of our cyber networks
is necessary to limit the damages of any malicious cyber incidents including
cyberattacks and, correspondingly, reinforce collective defense mechanisms
themselves. The emphasis on cyber resilience highlights a fundamental element
of collective defense; that allies’ “interconnectedness means that we are
only as strong as our weakest link.”47
means of continuous and effective self-help and mutual aid, will maintain and
develop their individual and collective capacity to resist armed attack.”
As part of efforts to enhance information sharing, allies committed to a
model memorandum of understanding which sets out arrangements for the
exchange of cyber defense-related information and assistance to improve
allies’ cyber incident prevention, resilience, and response capabilities. In
his chapter “The Cyberhouse Rules: Resilience, Deterrence and Defence in
Cyberspace,” the current assistant secretary-general for Emerging Security
Challenges at NATO Headquarters underlined that “cyber defence is a quintessential
team sport, and the Alliance recognises that it cannot go it alone in
cyberspace: partnerships are instrumental for strengthening resilience and
deterrence.”49 This pledge for mutual assistance is a key element toward
ensuring the resilience of networks and was reaffirmed at the NATO Summit
in Brussels in July 2018.50
Although NATO has a regional focus, its commitment to collective
security calls for close cooperation with other international organizations,
including cooperative relationships with more than forty countries around
the world and international organizations. For example, in 2016, a Technical
Arrangement on cyber defense was concluded between the NATO Computer
Incident Response Capability (NCIRC) and the Computer Emergency
Response Team of the European Union (CERT-EU), thereby providing a
framework for exchanging information and sharing best practices between
emergency response teams. NATO has also recognized the importance of
cooperation with the private sector in confronting threats and challenges to
cybersecurity, especially as industry develops and operates the vast majority
of networks worldwide. Toward increased cooperation with industry, NATO
established the NATO-Industry Cyber Partnership at the Summit in Wales in
2014. This was further reaffirmed at the NATO Summit in Brussels in 2018
where allies committed to “further develop our partnership with industry and
academia from all Allies to keep pace with technological advances through
innovation.”51
CONCLUSION
There is no need to create specific and tailored law to govern state behavior
in cyberspace. It is more a question of applying and adapting existing law to
a new and evolving context. Existing multilateral institutions such as NATO,
working within the clear international legal framework of the North Atlantic
Treaty, could add value in the process of socialization of voluntary norms
regulating responsible state behavior in cyberspace, without prejudice to
ongoing efforts by states either bilaterally or multilaterally.
NOTES
1. The views expressed here are ours alone and do not necessarily represent the
views of NATO or its allies.
2. Stoltenberg, Jens. 2018. “Why Cyber Space Matters as Much to NATO as
Land, Sea and Air Defence,” Financial Times, July 12, 2018.
https://www.ft.com/content/9c3ae876-6d90-11e8-8863-a9bb262c5f53.
3. NATO Wales Summit 2014 Communiqué, paragraph 72.
4. United Nations, Charter of the United Nations, October 24, 1945, 1 UNTS
XVI, hereafter UN Charter.
5. The North Atlantic Treaty 1949.
6. See the NATO Warsaw Summit 2016 Communiqué, paragraph 70: We welcome
the work on voluntary international norms of responsible state behavior and
confidence-building measures regarding cyberspace.
7. See Nye, Joseph S. 2018. “Normative Restraints on Cyber Conflicts,” Cyber
Security: A Peer-Reviewed Journal 1, no. 4 (August): 331–342.
https://www.belfercenter.org/sites/default/files/files/publication/Nye%20Normative%20Restraints%20Final.pdf.
did so at its Summit in Wales in 2014; UNGGE 2015 confirmed the application of
IHL principles to cyberspace, NATO did so at its summit in Wales in 2014.
31. Egan 2017, 180.
32. NATO Wales Summit 2014 Communiqué, paragraph 72.
33. NATO Brussels Summit 2018 Communiqué, paragraph 20.
34. NATO Warsaw Summit 2016 Communiqué, paragraph 70.
35. Proposal initially made by the president of Microsoft Incorporated, Brad
Smith, at the RSA Conference in February 2017.
36. Originally presented to the United Nations General Assembly in 2011 by
China, Russia, Tajikistan, and Uzbekistan. Subsequently, a revised version was
submitted to the United Nations General Assembly in January 2015 by the founding
members of the Shanghai Cooperation Organization (SCO).
37. Maurer, Tim, and Kathryn Taylor. 2018. “Outlook on International Cyber
Norms: Three Avenues for Future Progress,” Just Security, March 2, 2018.
www.justsecurity.org/53329.
38. Ibid.
39. The North Atlantic Treaty, Article 1.
40. NATO Warsaw Summit 2016 Communiqué, paragraph 70.
41. Nye 2018, 15.
42. See Keohane, Robert O. and Joseph S. Nye Jr. 1977. Power and Interdependence:
World Politics in Transition. Boston: Little, Brown.
43. NATO Brussels Summit 2018 Communiqué, paragraph 20.
44. The North Atlantic Treaty, Article 3.
45. Nye 2017, 56.
46. Ibid., citing Bruce Schneider, page 56.
47. The NATO Cyber Defense Pledge, issued on July 8, 2016, paragraph 2.
https://www.nato.int/cps/en/natohq/official_texts_133177.htm
48. The North Atlantic Treaty, Preamble: They are resolved to unite their efforts
for collective defense and for the preservation of peace and security.
49. Missiroli, Antonio. 2018. “The Cyberhouse Rules: Resilience, Deterrence and
Defence in Cyberspace,” Italian Institute for International Political Studies, May 2,
2018. https://www.ispionline.it/sites/default/files/pubblicazioni/commentary_missiroli_02.05.2018.pdf
50. NATO Brussels Summit 2018 Communiqué, paragraph 20.
51. Ibid.
52. See, for example, the NATO Cyber Defence Pledge.
https://www.nato.int/cps/en/natohq/official_texts_133177.htm
53. See Wright.
Chapter 9
Cybersecurity Norm-Building
and Signaling with China
Geoffrey Hoffman
Google has had a difficult relationship with China beyond the inherent market
challenges (Madden 2010). It entered China in January 2006 with google.cn,
a censored version of its search engine (CNN 2006). A Google statement
explained its calculus: “While removing search results is inconsistent with
Google’s mission, providing no information (or a heavily degraded user
experience that amounts to no information) is more inconsistent with our mission”
(Crampton 2006). Although Google said it would report to users when
information was removed from search results (CNN 2006), there was, nevertheless,
a widespread belief that google.cn violated the company’s “don’t
be evil” policy (BBC News 2006). For instance, the following month, a congressional
subcommittee on human rights summoned Google—along with
other Internet companies—to defend their “sickening collaboration,” as the
subcommittee chairman put it, with the Chinese government (Zeller 2006).
Google’s founders struggled with the choice. Sergey Brin, who claimed that
his childhood in the authoritarian Soviet Union influenced his views on censorship
(Lohr 2010), spent a year with Larry Page weighing the decision to censor
on their “evil scale” (Walker 2010). Reflecting on it a year later, he said, “On
a business level, that decision to censor . . . was a net negative” (Martinson
2007). He also remarked that the company had suffered because of the damage
to its reputation in the United States and Europe (Martinson 2007). However,
he eventually defended the moral reasoning behind google.cn, believing that it
was the best decision for the Chinese people (McManus 2010).
In 2010, Google and the US government clashed with the Chinese government
over cybersecurity norms. There were two central issues: China’s
Aurora cyber espionage campaign and China’s Internet censorship (Lau
foundation for global progress.” She made a point of speaking directly to the
private sector, arguing that “censorship should not be in any way accepted
by any company from anywhere. And in America, American companies need
to make a principled stand. This needs to be part of our national brand. I’m
confident that consumers worldwide will reward companies that follow those
principles” (Clinton 2010a).
Unsurprisingly, she also addressed the Chinese government, asking it to
conduct a thorough and transparent investigation into Google’s allegations.
She noted that, while the United States and China had different views on
Internet censorship, they should “address those differences candidly and consistently
in the context of our positive, cooperative, and comprehensive relationship.”
She further warned of censorship’s implications for international
peace and security: “Historically, asymmetrical access to information is one
of the leading causes of interstate conflict. When we face serious disputes or
dangerous incidents, it’s critical that people on both sides of the problem have
access to the same set of facts and opinions” (Clinton 2010a).
In short, Google and the United States were arguing that China’s Internet
censorship was a human rights violation. China, however, countered that
Google needed to obey its laws if it wished to operate there (Fletcher 2010a).
In agreement with China was J. Stapleton Roy, a former US ambassador
to China, who said, “I don’t understand their calculation. I do not see how
Google could have concluded that they could have faced down the Chinese
on a domestic censorship issue” (Wong 2010). Also siding with China were
Microsoft Corporation’s Steve Ballmer (2010), who said “we are all subject
to local laws,” and Bill Gates, who said, “You’ve got to decide: do you want
to obey the laws of the countries you’re in or not? If not, you may not end up
doing business there” (Johnson and Branigan 2010).
Furthermore, it is important to note that it is unclear whether human rights
or, in fact, economics was the deeper motivation for the coordinated Google
and US response to Aurora. Not doing well in China despite censoring its
search engine, Google’s best business decision may have been to improve its
international reputation by sacrificing its China operations for a noble cause
(Lacy 2010). Similarly, the United States was eager to push back against
China’s recurring cyber espionage efforts (Metzl 2011). From this perspective,
the issue of human rights served as a convenient pressure point to achieve
other goals.
actions that were intended to alter another actor’s perception. Thus, a timeline
of the Aurora conflict follows.
January
On January 12, 2010, Google revealed the Aurora cyber espionage campaign
to the public, beginning the escalation with the Chinese government (Drummond
2010a). Google announced that they, along with a wide range of other
businesses, had been hacked (Drummond 2010a). Google claimed that the
target was both its intellectual property and the e-mail accounts of human
rights activists, and that the attacks originated in China (Drummond 2010a).
Later that day, Clinton (2010b) made her statement seeking an explanation
from the Chinese government. Google and Clinton implied that the Chinese
government was responsible but had not explicitly assigned blame.
Two days later, a Chinese Foreign Ministry spokeswoman said that Chinese
law prohibits any form of hacking attacks and she emphasized that
foreign companies needed to respect Chinese law (Fletcher 2010a). She
declined, however, to answer a question about whether the illegality of
hacking extended to government hacking (Fletcher 2010a). That same day,
security researchers at Verisign declared that the Chinese government was
behind the attack, claiming that “the government of China has been engaged
for months in a massive campaign of industrial espionage against U.S. companies”
(Paul 2010). Security researchers at McAfee also investigated the
attack, naming it “Operation ‘Aurora’ ” (Goodin 2010a).
On January 18, Google began an investigation into its Chinese employees
(Branigan 2010), and, the next day, it postponed the launch of two Android
mobile phones in China (Lee and Buckley 2010). On January 21, Clinton
(2010a) gave her speech on Internet freedom. The following day, China
rebuffed Clinton, warning that her words were dangerous to U.S.–China
relations (Fletcher 2010b). At the World Economic Forum at Davos, Google
CEO Eric Schmidt remarked, “We like what China is doing in terms of
growth . . . we just don’t like censorship. We hope that will change and we
can apply some pressure to make things better for the Chinese people” (Blumenstein
and Fidler 2010).
February
Google began coordinating with the US National Security Agency to analyze
the attacks, with the objective to better defend against future attacks
(Nakashima 2010). On February 10, evidence emerged that the attacks were
still ongoing and had targeted many more companies than Google originally
estimated (Higgins 2010). On February 12, Brin said that, given the size
of the Chinese government, it was not important whether it was behind the
attacks (Zetter 2010). He also remarked that Google was hopeful that it could
remain in China and was willing to permit some types of censorship, such as
for adult content and gambling, but not political censorship (Zetter 2010). On
February 17, the cybersecurity company iSEC published a report detailing
the difficulty of defending against Aurora and claimed that it had actually
targeted over one hundred companies. The next day, investigators linked
Aurora to two Chinese universities (Goodin 2010b). On February 23, for the
first time, the Chinese government officially rejected Google’s allegations
(Graham-Harrison 2010).
March
The United States then considered taking the issue of China’s forcing censorship
on Google to the WTO as an unfair trade barrier (Drajem 2010). On
March 12, China’s chief Internet regulator insisted Google must obey its laws
or “pay the consequences” (Pomfret 2010). The state-run news agency Xinhua
attacked Google’s “intricate ties with the U.S. government” on March 21
(BBC News 2010). The following day, Google ended its google.cn censorship
and tested a new strategy of automatically redirecting visitors from google.cn
to google.com.hk, whose servers were located in Hong Kong and so not
subject to the mainland’s censorship laws (Drummond 2010b). In response,
an official in China’s State Council Information Office said that Google’s
move was “totally wrong” and “violated its written promise” (Metz 2010).
As a result, on March 23, the Chinese government attempted to restrict the
mainland’s access to Google’s Hong Kong-based servers (Metz 2010).
April–November
On April 20, referencing Article 19 of the Universal Declaration on Human
Rights, Google launched a new worldwide tool that displayed the number of
government requests for user data or content removal (Drummond 2010d).
The Chinese government, on June 8, released the white paper The Internet
in China defending its Internet policies (Bristow 2010). On June 28, Google
announced that the Chinese government would not accept its redirect solution
and would deny the renewal of its business license (Drummond 2010c). Consequently,
Google attempted a new strategy, turning google.cn into a static
webpage that only contained a link to their uncensored Hong Kong-based site,
rather than forcing an automatic redirect (Drummond 2010c). Google stated,
“This new approach is consistent with our commitment not to self censor and,
we believe, with local law” (Drummond 2010c). The new strategy worked:
on July 9, Google’s China business license was renewed (Drummond 2010c).
From that point on, both sides remained relatively peaceable, even after a
WikiLeaks cable, released on November 28, implicated the Chinese Politburo
in the Aurora attacks (Shane and Lehren 2010).
During Aurora, there were roughly four groups of tying-hands signals that
used reputation as an audience cost. The first signal of significance occurs at
the beginning of the conflict: Google revealing Aurora to the public and tying
its hands by announcing the plan to end its censorship. To the international
community and to its users, Google signaled a recommitment to its “don’t
be evil” policy. To the Chinese government, it signaled that there were both
physical and virtual consequences to China’s hostile actions in cyberspace.
These potential consequences included Google no longer abiding by China’s
censorship laws—possibly even leaving China—and China suffering international
reputation loss.
The second signal was the response of the US government. Google and the
US Department of State may have coordinated the initial public response to
occur on the same day for greater impact. From this viewpoint, it was a two-pronged
act of Thomas Schelling’s (1966, 69) concept of compellence, with
the threat being that the United States would escalate the issue in Clinton’s
upcoming speech if China did not justify itself before then. China did not,
and, with Clinton’s speech and the later threat to take the matter to the WTO,
the United States signaled that it would respond in both the physical and
virtual spheres to actions that harm its interests in cyberspace. Broadly, the
United States was tying its hands to a willingness to escalate matters.
The third set of signals was the cumulative reaction of the Chinese government.
There were four important individual responses: first, the response two
days after the first statements by Google and Clinton; second, the response the
day after Clinton’s address on Internet freedom; third, the response after more
evidence had accumulated linking the Chinese government to the attacks, and
finally, the publication of The Internet in China, the Chinese government’s
white paper defending its Internet practices. Each response added something:
the first, that foreign companies must follow China’s domestic laws; the second,
that what was best for the Chinese people was China’s concern, and so
Clinton’s comments were damaging to U.S.–China relations; and the third,
that Google’s allegations in its January 12 statement were “groundless,” stating
that “China administers its Internet according to law, and this position
will not change. China prohibits hacking and will crack down on hacking
according to law” (Graham-Harrison 2010). This was the first time China had
directly refuted the allegations, over five weeks after Aurora came to light.
China’s fourth response, the white paper The Internet in China, both
reiterated and expanded on the messages of the first three responses. Like
Clinton’s speech, it expressed the importance of international cooperation
on cybersecurity. The white paper was both China’s version of and ultimate
response to the speech, and it was an argument for China’s Internet sovereignty
within its borders. Interestingly, apparently in response to Clinton’s
call for Internet freedom, it claimed that the Chinese government “guarantees
the citizens’ freedom of speech on the Internet as well as the public’s right to
know, to participate, to be heard and to oversee in accordance with the law”
(IOSCPRC 2010). China was tying its hands to the argument that both the
United States and China permit Internet freedom in accordance with law, but
that those laws were different.
The final signals occurred during rapprochement. Because Google and the
United States confronted China publicly, China had to respond in a way that
would mitigate its international reputation loss. By emphasizing the illegality
of hacking and making the issue of censorship a matter of legal compliance,
China was able to defend its requirements for renewing Google’s business
license. By permitting Google to adhere to the letter of the law but not the
spirit, China signaled that, even in sensitive areas like censorship, legal compliance
had some flexibility.
The silence that followed the renewal of Google’s business license—
silence that even the new WikiLeaks evidence did not interrupt—signaled
that both sides were eager to move forward from the clash. China and Google
continued their tenuous relationship, although China never fully relented:
it slowed down and intermittently disrupted Google’s services—a form of
censorship (Roberts 2018, 42)—finally blocking google.com.hk altogether
in 2014 (Levin 2014). Nevertheless, at the time, Google was able to offer
a link to an uncensored search engine for users who sought it, and China
was satisfied that Google capitulated to its regulations. In the end, however,
all three actors suffered some reputation loss: evidence had implicated the
government of China in the attack, the international community remembered
that Google had “spent four years, and earned vast sums of money, operating
under China’s censorship laws” (Carr 2010), and Clinton’s appeal for global
Internet freedom had achieved little.
DECOUPLING CYBERSECURITY
AND INTERNET FREEDOM
Internet freedom, and that signaling can help overcome two of the barriers to
this decoupling.
Interestingly, the literature on signaling has argued that authoritarian regimes
are less effective than democracies at sending tying-hands signals with ex post
costs because the domestic audience costs are lower or obfuscated (Weiss
2013, 1–2). Jessica Chen Weiss (2013, 2) shows that authoritarian states can
employ nationalist, anti-foreign protests as a substitute for the way democra-
cies use official statements as tying-hands signals. Yet, during Aurora, China’s
official statements appeared to be honest signals. The first possibility is that
the signals were costless but happened to be honest anyway. The second possibility,
which seems more likely, is that the costs were not domestic but rather
from the international audience. The world was watching, and if China had
backed down from its stance of being in the legal right, the international political
and business community’s perception of China would adjust accordingly.
Although China’s authoritarianism might intrinsically restrict the bandwidth
of potential cybersecurity cooperation, something changed in democracies’
willingness to seek it in the time between Clinton’s speech on Internet
freedom in 2010 and the 2015 Obama-Xi cybersecurity summit. The summit
occurred while the US Department of State was funding the development of
censorship evasion tools, and the resulting pact, which temporarily succeeded
in reducing the frequency of Chinese cyberattacks on the United States
(Sanger 2016), made no mention of censorship (Brown and Yung 2017). The
pact, along with China’s other cybersecurity pacts in recent years, overcame
the three barriers to decoupling and may suggest that democracies are becoming
more receptive to the idea. As cybersecurity becomes more important
to international security, democracies may increasingly view cybersecurity
norms as independent from others.
BIBLIOGRAPHY
Ballmer, Steve. 2010. “Microsoft & Internet Freedom.” Official Microsoft Blog,
Microsoft. January 27, 2010. https://blogs.microsoft.com/blog/2010/01/27/microsoft-internet-freedom/.
Blumenstein, Rebecca and Stephen Fidler. 2010. “Google Takes Aim at Beijing
Censorship.” Wall Street Journal, January 30, 2010.
https://www.wsj.com/articles/SB10001424052748703389004575033100778834196.
Branigan, Tania. 2010. “Google Investigates China Staff Over Cyber Attack.” Guardian,
January 18, 2010. https://www.theguardian.com/technology/2010/jan/18/china-google-cyber-attack.
Bristow, Michael. 2010. “China Defends Internet Censorship.” BBC News, June 8,
2010. http://news.bbc.co.uk/2/hi/americas/8727647.stm.
Brown, Gary and Christopher D. Yung. 2017. “Evaluating the US-China Cybersecurity
Agreement, Part 1: The US Approach to Cyberspace.” Diplomat, January 19, 2017.
https://thediplomat.com/2017/01/evaluating-the-us-china-cybersecurity-agreement-part-1-the-us-approach-to-cyberspace/.
Burgess, Christopher. 2017. “Dissecting China’s Global Bilateral Cybersecurity
Strategy.” Security Boulevard, October 9, 2017.
https://securityboulevard.com/2017/10/dissecting-chinas-global-bilateral-cybersecurity-strategy/.
Carr, Paul. 2010. “Soul Searching: Google’s Position on China Might Be Many
Things, But Moral It Is Not.” TechCrunch, January 13, 2010.
https://techcrunch.com/2010/01/13/not-safe-for-wok/.
“China Denounces Google ‘US ties.’” BBC News, March 21, 2010.
http://news.bbc.co.uk/2/hi/asia-pacific/8578968.stm.
China Internet Network Information Center. 2018. “第42次《中国互联网络发展状况统计报告》发布.”
August 20, 2018. https://cnnic.net.cn/gywm/xwzx/rdxw/20172017_7047/201808/t20180820_70486.htm.
Clinton, Hillary. 2010a. “Remarks on Internet Freedom.” U.S. Department of State.
January 21, 2010. https://2009-2017.state.gov/secretary/20092013clinton/rm/2010/01/135519.htm.
Clinton, Hillary. 2010b. “Statement on Google Operations in China.” U.S. Department
of State. January 12, 2010.
https://2009-2017.state.gov/secretary/20092013clinton/rm/2010/01/135105.htm.
Crampton, Thomas. 2006. “Google Puts Muzzle on Itself in China.” New York Times,
January 24, 2006. https://www.nytimes.com/2006/01/24/technology/google-puts-muzzle-on-itself-in-china.html.
Denning, Dorothy. 2017. “How the Chinese Cyberthreat Has Evolved.” Conversation,
October 4, 2017. https://theconversation.com/how-the-chinese-cyberthreat-has-evolved-82469.
Doubek, James. 2018. “Google Testing a Censored Search Engine Just for China.”
NPR, August 2, 2018. https://www.npr.org/2018/08/02/634827587/google-testing-a-censored-search-engine-just-for-china.
Drajem, Mark. 2010. “Google Wants U.S. to Weigh Challenging China in WTO.”
Bloomberg, March 3, 2010. https://www.bloomberg.com/news/articles/2010-03-03/google-wants-u-s-to-weigh-challenging-china-in-wto.
Drummond, David. 2010a. “A New Approach to China.” Official Blog, Google. January
12, 2010. https://googleblog.blogspot.com/2010/01/new-approach-to-china.html.
Drummond, David. 2010b. “A New Approach to China: An Update.” Official Blog,
Google. March 22, 2010. https://googleblog.blogspot.com/2010/03/new-approach-to-china-update.html.
Drummond, David. 2010c. “An Update on China.” Official Blog, Google. July 9,
2010. https://googleblog.blogspot.com/2010/06/update-on-china.html.
Drummond, David. 2010d. “Greater Transparency Around Government Requests.”
Official Blog, Google. April 20, 2010.
https://googleblog.blogspot.com/2010/04/greater-transparency-around-government.html.
Fearon, James D. 1997. “Signaling Foreign Policy Interests: Tying Hands versus
Sinking Costs.” The Journal of Conflict Resolution. 41, no. 1 (February): 68–90.
http://www.jstor.org/stable/174487.
Finnemore, Martha and Duncan B. Hollis. 2016. “Constructing Norms for Global
Cybersecurity.” American Journal of International Law. 110, no. 3 (July): 425–479.
https://doi.org/10.1017/S0002930000016894.
Fletcher, Owen. 2010a. “China Emphasizes Laws as Google Defies Censorship.”
PCWorld, January 14, 2010. https://www.pcworld.com/article/186881/article.html.
Fletcher, Owen. 2010b. “China slams Clinton’s Call for Internet Freedom.” Computerworld,
January 22, 2010.
https://www.computerworld.com/article/2523071/enterprise-applications/china-slams-clinton-s-call-for-internet-freedom.html.
“Freedom on the Net 2017.” Freedom House, November 2017.
https://freedomhouse.org/report/freedom-net/freedom-net-2017.
Gan, Nectar. 2018. “Chinese Police Get Power to Inspect Internet Service Providers.”
South China Morning Post. October 6, 2018.
https://www.scmp.com/news/china/politics/article/2167240/chinese-police-get-power-inspect-internet-service-providers.
Goodin, Dan. 2010a. “IE Zero-Day Used in Chinese Cyber Assault on 34 Firms.”
Register, January 14, 2010. https://www.theregister.co.uk/2010/01/14/cyber_assault_followup/.
Goodin, Dan. 2010b. “Most Resistance to ‘Aurora’ Hack Attacks Futile, Says
Report.” Register, March 1, 2010. https://www.theregister.co.uk/2010/03/01/aurora_resistence_futile/.
“Google move ‘black day’ for China.” BBC News, January 25, 2006.
http://news.bbc.co.uk/2/hi/technology/4647398.stm.
“Google to Censor Itself in China.” CNN, January 26, 2006.
http://www.cnn.com/2006/BUSINESS/01/25/google.china/.
Graham-Harrison, Emma. 2010. “China Says Google Hacking Claims ‘groundless.’”
Reuters, February 23, 2010.
https://www.reuters.com/article/us-china-google/china-says-google-hacking-claims-groundless-idUSTRE61M2FM20100223.
Higgins, Kelly Jackson. 2010. “‘Aurora’ Attacks Still Under Way, Investigators Closing
In On Malware Creators.” Darkreading, February 10, 2010.
https://www.darkreading.com/attacks-breaches/aurora-attacks-still-under-way-investigators-closing-in-on-malware-creators/d/d-id/1132922.
Hwang, Tim. 2018. “The Four Ways That Ex-Internet Idealists Explain Where It All
Went Wrong.” MIT Technology Review, August 22, 2018.
https://www.technologyreview.com/s/611805/the-four-ways-that-ex-internet-idealists-explain-where-it-all-went-wrong.
IOSCPRC (Information Office of the State Council of the People’s Republic of
China). 2010. The Internet in China. June 8, 2010.
http://www.china.org.cn/government/whitepaper/node_7093508.htm.
Jervis, Robert. 1989. The Logic of Images in International Relations. New York:
Columbia University Press.
Johnson, Bobbie and Tania Branigan. 2010. “Web Censorship in China? Not a Problem,
Says Bill Gates.” Guardian, January 25, 2010.
https://www.theguardian.com/technology/2010/jan/25/bill-gates-web-censorship-china.
Lacy, Sarah. 2010. “Google’s China Stance: More About Business Than Thwarting
Evil.” TechCrunch, January 12, 2010.
https://techcrunch.com/2010/01/12/google’s-china-stance-more-about-business-than-thwarting-evil/.
Lau, Justine. 2010. “A History of Google in China.” Financial Times, July 9, 2010.
http://ig-legacy.ft.com/content/faf86fbc-0009-11df-8626-00144feabdc0#axzz5PhJFzwqh.
Lee, Melanie and Chris Buckley. 2010. “Google Postpones Cellphone Launch in
China.” Reuters, January 19, 2010. https://www.reuters.com/article/idINIndia-45511720100119.
Levin, Dan. 2014. “China Escalating Attack on Google.” New York Times, June 2,
2014. https://www.nytimes.com/2014/06/03/business/chinas-battle-against-google-heats-up.html.
Lin, Liza and Yoko Kubota. 2018. “China’s VPN Crackdown May Aid Government
Surveillance.” Wall Street Journal. January 17, 2018.
https://www.wsj.com/articles/chinas-vpn-crackdown-may-aid-government-surveillance-1516189155.
Lohr, Steve. 2010. “Interview: Sergey Brin on Google’s China Move.” New York
Times, March 22, 2010. https://bits.blogs.nytimes.com/2010/03/22/interview-sergey-brin-on-googles-china-gambit/.
Madden, Normandy. 2010. “Google Isn’t the Only Silicon Valley Company Struggling
in China.” Business Insider, January 19, 2010.
https://www.businessinsider.com/google-isnt-the-only-silicon-valley-company-struggling-in-china-2010-1.
Markoff, John and David Barboza. 2010. “2 China Schools Said to Be Tied to Online
Attacks.” New York Times, February 18, 2010.
https://www.nytimes.com/2010/02/19/technology/19china.html.
Martina, Michael. 2015. “China’s Cyber Chief Defends Censorship Ahead of Internet
Conference.” Reuters, December 9, 2015.
https://www.reuters.com/article/us-china-internet/chinas-cyber-chief-defends-censorship-ahead-of-internet-conference-idUSKBN0TS0X720151209.
Martinson, Jane. 2007. “China Censorship Damaged Us, Google Founders Admit.”
Guardian, January 27, 2007. https://www.theguardian.com/technology/2007/j
an/27/news.newmedia.
McManus, Emily. 2010. “Sergey Brin on Google’s China Decision.” TEDBlog, TED.
February 24, 2010. https://blog.ted.com/our_focus_has_b/.
Metz, Cade. 2010. “China Hits Back at Google’s Uncensored Hong Kong Servers.”
Register, March 23, 2010. https://www.theregister.co.uk/2010/03/23/china_mov
es_to_restrict_google_hong_kong_services/.
Metzl, Jamie. 2011. “China and Cyber-Espionage.” HuffPost, October 22, 2011. https
://www.huffingtonpost.com/jamie-metzl/china-and-cyberespionage_b_931918.html.
Morrow, James D. 1999. “The Strategic Setting of Choices: Signaling, Commitment,
and Negotiation in International Politics.” In Strategic Choice and International
Relations, edited by David A. Lake and Robert Powell, 77–114. Princeton: Princ-
eton University Press.
Nakashima, Ellen. 2010. “Google to Enlist NSA to Help It Ward Off Cyberattacks.”
Washington Post, February 4, 2010. http://www.washingtonpost.com/wp-dyn/con
tent/article/2010/02/03/AR2010020304057.html.
Newman, Lily Hay. 2017. “The Pentagon Opened Up to Hackers—And Fixed Thou-
sands of Bugs.” Wired, November 10, 2017. https://www.wired.com/story/hack-th
e-pentagon-bug-bounty-results/.
Cybersecurity Norm-Building and Signaling with China 203
NATO (North Atlantic Treaty Organization). 2018. “Cyber Defense.” July 16, 2018.
https://www.nato.int/cps/en/natohq/topics_78170.htm.
Paul, Ryan. 2010. “Researchers Identify Command Servers Behind Google Attack.”
Ars Technica, January 14, 2010. https://arstechnica.com/information-technolog
y/2010/01/researchers-identify-command-servers-behind-google-attack/.
Pomfret, John. 2010. “China Holds Firm Against Google, Says Firm Must Obey Its
Laws.” Washington Post, March 13, 2010. http://www.washingtonpost.com/wp-dy
n/content/article/2010/03/12/AR2010031203564.html.
“Putin Brings China’s Great Firewall to Russia in Cybersecurity Pact.” The Guard-
ian, November 29, 2016. https://www.theguardian.com/world/2016/nov/29/puti
n-china-internet-great-firewall-russia-cybersecurity-pact.
“Quicktake: The Great Firewall of China.” Bloomberg News, November 30, 2017.
https://www.bloomberg.com/quicktake/great-firewall-of-china.
Reynolds, Glenn Harlan. 2018. “When Digital Platforms Become Censors.” Wall
Street Journal, August 18, 2018. https://www.wsj.com/articles/when-digital-pla
tforms-become-censors-1534514122.
Roberts, Margaret E. 2018. Censored: Distraction and Diversion Inside China’s
Great Firewall. Princeton: Princeton University Press.
Sanger, David E. 2016. “Chinese Curb Cyberattacks on U.S. Interests, Report Finds.”
New York Times, June 20, 2016. https://www.nytimes.com/2016/06/21/us/politics/
china-us-cyber-spying.html.
Schelling, Thomas. 1966. Arms and Influence. Fredericksburg: BookCrafters.
Shane, Scott and Andrew W. Lehren. 2010. “Leaked Cables Offer Raw Look at U.S.
Diplomacy.” New York Times, November 28, 2010. https://www.nytimes.com/2
010/11/29/world/29cables.html.
Stecklow, Steve. 2012. “Special Report: Chinese Firm Helps Iran Spy on Citizens.”
Reuters, March 22, 2012. https://www.reuters.com/article/us-iran-telecoms/specia
l-report-chinese-firm-helps-iran-spy-on-citizens-idUSBRE82L0B820120322.
Steinberg, Joseph. 2015. “10 Issues With the China-US Cybersecurity Agreement.”
Inc., September 27, 2015. https://www.inc.com/joseph-steinberg/why-the-china
-us-cybersecurity-agreement-will-fail.html.
UN General Assembly. 1948. Universal Declaration of Human Rights. December
10, 1948, 217 A (III). http://www.un.org/en/universal-declaration-human-rights/.
Walker, Tim. 2010. “Sergey Brin: Engine Driver.” Independent, January 16, 2010.
https://www.independent.co.uk/news/people/profiles/sergey-brin-engine-drive
r-1869546.html.
Weiss, Jessica Chen. 2013. “Authoritarian Signaling, Mass Audiences, and National-
ist Protest in China.” International Organization. 67, no. 1 (January): 1-35. http://
journals.cambridge.org/abstract_S0020818312000380.
Wong, Edward. 2010. “Google Faces Fallout as China Reacts to Site Shift.” New
York Times, March 23, 2010. https://www.nytimes.com/2010/03/24/technology
/24google.html.
Zeller, Tom, Jr. 2006. “Web Firms Are Grilled on Dealings in China.” New York
Times, February 16, 2006. https://www.nytimes.com/2006/02/16/technology/web-
firms-are-grilled-on-dealings-in-china.html.
204 Geoffrey Hoffman
Zetter, Kim. 2010. “TED 2010: Google Optimistic It Can Remain in China.” Wired,
February 12, 2010. https://www.wired.com/epicenter/2010/02/ted-2010-google
-optimistic-it-can-remain-in-china/.
Zhuang, Pinghui. 2018. “Weibo Falls Foul of China’s Internet Watchdog for Fail-
ing to Censor Content.” South China Morning Post, January 29, 2018. https://ww
w.scmp.com/news/china/policies-politics/article/2130931/weibo-falls-foul-chinas-
internet-watchdog-failing.
Chapter 10
and other proponents of cyber sovereignty; on the other, their private sector
cybersecurity collaborations, intelligence relationships, and offensive cyber
operations are closely aligned with the United States and Europe.
This chapter argues that this contradictory position has led to two innovations in state responses to global cyber norms. First, these states have developed deliberately ambiguous national cybersecurity strategies that disguise differences between domestic cybersecurity priorities and those of their international partners. Second, these states have appropriated international norms on cybercrime—specifically the Council of Europe’s Budapest Convention of 2001—in order to counter political opposition and restrict their online public spheres through new cybercrime legislation. This chapter has three sections. The first section details the contradictory position of Egypt and the Gulf states in relation to international cyber norms. The second section examines their national cybersecurity strategies, and the third section examines their cybercrime laws. Finally, it concludes that these two innovations are closely linked: the cybersecurity practices of these states, especially their appropriation of cybercrime laws, illustrate the calculated nature of the ambiguity present in their strategy documents. One caveat is necessary: the research for this chapter was conducted up to August 2018, and so developments following this date, including a recent increase in publicly available documents, are not factored into the analysis.
Many scholars and policy makers lament the current state of “cyber norms,” especially after the failure of the U.N. Group of Governmental Experts to agree on the application of international law in cyberspace in 2017 (Grigsby 2017). The difficulty of reaching global agreement on cyber norms is generally attributed to a bipolar division in cybersecurity governance, reflecting two opposing sets of values. On one hand, there is a group of what experts have called “like-minded” states (Kaljurand 2017). This group generally includes the United States and European countries, and it believes in an open and free Internet driven largely by global market competition with some government regulation and civil society observation, known as multistakeholderism (Savage and McConnell 2015). The second group includes Iran, Russia, and China, and prioritizes state control over national “borders” in cyberspace with strict governmental limits on content, known as cyber sovereignty (Segal 2018). These differences have been described as the cyberspace element of a resurgent Cold War, in which neoliberal and democratic structures confront information control, authoritarianism, and rule-breaking (Ignatius 2016).
international allies. In the Cold War, the oil wealth of the Gulf states and Egypt’s central position in pan-Arabism and the Israel–Palestine conflict motivated the United States and Europe to work with these countries, overlooking inconsistencies with the rhetoric of worldwide democracy promotion (Chase and Hamzawy 2008). After the Cold War, joint concerns over Islamist terrorism and growing arms sales encouraged an equally muted public response to human rights violations from allied governments. Both sides have attempted to square this circle. International allies argued that influence in private was more effective than public condemnation, and that working with these regimes was more likely to bring change than breaking away from them (van Rij and Wilkinson 2018). The regimes themselves paid lip service to democracy and human rights, and activists and social movements made some genuine progress (Hosseinioun 2017).
In cybersecurity, the same puzzle presents itself. There has been no indication of opposition by the US and UK governments to the raft of new cybercrime laws. More seriously, their offensive cyber activities do not fall within the limits set both rhetorically and in practice by the United States, the United Kingdom, and other “like-minded” states, which condemn the destabilizing use of cyber tools and permit cyber espionage only for narrow national security purposes. The GCC split itself was reportedly triggered by a cyber operation carried out by contractors working for the UAE, who implanted fake text praising Iran on the website of the Qatari national news agency (DeYoung and Nakashima 2017). The leaking of private e-mails of the UAE ambassador to the United States may have been a Qatari response (Ahmed 2017). Finally, as part of the ongoing dispute between Canada and Saudi Arabia, Israel-manufactured spyware was identified on the devices of Saudi dissidents in Canada, and assessed to be controlled by the Saudi government (Hubbard and Porter 2018; Marczak et al. 2018). Egypt has conducted similar cyberattacks on journalists and civil society (Scott-Railton et al. 2017). Overall, the contradictions between cyber norms and long-standing security alliances have been left unresolved, undermining the force of the norms the United Kingdom stresses in regard to states like Russia.
This complex picture, which reflects the broader tensions in these states’ historical relationships with Western democracies dating back to the Cold War, suggests that a binary understanding of global cyber norms is incomplete. Amid deep conflict over basic norms, Egypt and the GCC states have maneuvered between two poles while enjoying the tacit, if not explicit, support of both sides. This suggests that global cyber norms are much more complex—and much more entangled with traditional governance practices, diplomatic relationships, and strategic concerns—than Western officials may like to admit. More broadly, to understand the complexity of cyber norms we must look outside the framework of great power competition.
(Government of Dubai 2017, 7, 13). The Qatar strategy claims that their
“values in cybersecurity” are to “show tolerance and respect,” and embrace
“the free flow of ideas and information” (ictQatar, 17). In Bahrain, the aim
is to “maintain the rights and values of individuals” (Government of Bahrain
2017). This language echoes wider contests over human rights values in the
region, where alternative institutions are set up to mimic the language of
genuine human rights bodies.
However, even in the rarefied world of cybersecurity strategies, this endorsement of human rights values is qualified by vague references to safety and care. The Saudi strategy emphasizes the cultural and economic threats of information to the state, although, crucially, these qualifications are not made by senior Saudi figures writing in U.S. journals about the Saudi cybersecurity strategy, suggesting that such figures present a calculated portrayal of abstracted Internet rights and freedoms to their international audience (Al-Saud 2012). Other Gulf states offer similar qualifications. In Kuwait, “the strategy is primarily intended to promote the culture of cybersecurity which supports the safe and right use of the electronic space” (Arab Times 2017), while Qatar aims to “foster a culture of cyber security that promotes safe and appropriate use of cyberspace” (ictQatar, 17). In both cases, the ambiguity of “safe and right/appropriate” disguises significant content restrictions, discussed in the next section. Finally, the Dubai strategy states that “cyber space attacks lead to a variety of threats, such as: fraud, espionage, terrorism, violation of privacy, and defamation” (Government of Dubai 2017, 12). These last two threats mean that “careful use of social media” is a “baseline control” that “should be established, maintained and supported by Dubai individuals in their implementation,” along with system updates, firewalls, and password management (Government of Dubai 2017, 25). The phrase “careful use” is ambiguous between care in clicking on links and sharing potentially infected documents on the one hand, and self-policing of content on the other.
Egypt’s ICT strategy demonstrates this ambiguity clearly, partly due to its publication date in 2012, shortly after the January 2011 revolution and before the higher security imperatives initiated by President Al-Sisi from 2013. It was then relaunched under Al-Sisi as a 2014–2017 rather than 2012–2017 strategy, but no other changes were made. On the one hand, it states that “Telecommunications Law No. 10 of 2003 . . . contains certain articles that require amendment in line with Egypt’s democratic transition that will promote political openness and protect freedom of expression” (MCIT [Egypt] 2014, 9). On the other hand, it also qualifies this aim, claiming to “bring about the desired balance between the considerations of freedom as a fundamental human right and privacy considerations and national security” (MCIT [Egypt] 2014, 33). Consequently, “the availability of information [that] could harm national security of Egypt or the exposure of relations with other countries at risk under the banner of freedom is not acceptable” (MCIT [Egypt] 2014, 33). Here the national ICT strategy incorporates both an expansive definition of national security and an abstract endorsement of human rights values: the ambiguity of both masks the significant extent to which Egyptian cybersecurity governance differs from U.S. and European states who adopt similar language.
On top of this ambiguity, some cybersecurity strategy documents display a contradictory orientation to international cyber norms, most relevantly the Budapest Convention on Cybercrime (treated further in the next section). The Budapest Convention is only referenced in the Omani and Egyptian strategies. In Oman, the Budapest Convention is described as one source among many for its cybercrime law:
CYBERCRIME LAWS
Raʾif Badawi, the creator of the “Free Saudi Liberals” website, was arrested by the Saudi authorities on 17 June 2012. He had run the website since 2006 and had been detained and questioned about its content in 2008. A month before his arrest, he used it to declare a celebratory day for Saudi liberals. Badawi was charged under the 2007 cybercrime law—among others—for posts made by him and others on this website (BBC 2015a; 2015b; Al-Barqawi 2015). He was sentenced to 10 years in prison and 1,000 lashes; the first 50 were carried out in January 2015, but after international protests the remainder were deferred on health grounds. While recognizing the severity of the human rights violations in this incident, this section focuses on a slightly different question: is Raʾif Badawi a cybercriminal?
Cybercrime laws were drafted between 2006 and 2018 throughout Egypt
and the Gulf states. In this section, I argue that these laws consisted of an
expansion of the scope of “cybercrime” from economic concerns such as
fraud and espionage to also include political speech online. I first stress that
“cybercrime” is an English term with no equivalent in Arabic. While many
professional documents in Arabic use the loan word sibrani (cybercrimes
would thus be al-jaraʾim al-sibraniyya), this neologism is not used in legal
terminology. Instead, the legal Arabic equivalents are electronic crimes
(al-jaraʾim al-ʾiliktruniyya), information crimes (jaraʾim al-muʿalumat), or
information technology crimes (jaraʾim tiqniyyat al-muʿalumat). The English
translation of these terms is nearly always “cybercrime.”
The main international norm regarding cybercrime is the Budapest Convention on Cybercrime agreed by the Council of Europe in 2001, considered briefly in the previous section. None of the states considered here have acceded to the Budapest Convention (accession is available to nonmembers of the Council of Europe, while signature is only available to members). At the time of writing, there were sixty-four ratifications or signatures/accessions to the Convention, only two of which are in the Middle East: Tunisia and Israel (Council of Europe 2018). Consequently, this section argues that the wide definitions of cybercrime by Egypt and the Gulf states are not a “localization” of this norm, in Acharya’s terms, as these states are not “norm-takers”: they have not accepted it as an international norm in the first place (Acharya 2004). Instead, it is a more active appropriation of this norm. “Appropriation” is a term used by some norm scholars to describe changes made by states to norms more generally (Zimmermann 2017, pp. 217–222). Here, I use it to specify the expansion of the professional discourse to fit a particular cluster of values; namely, a broad definition of national security historically prevalent in the region.
First, it should be noted that domestic cybercrime laws emerged against the backdrop of a regional agreement on cybercrime: the Convention on Combating Information Technology Offences (jaraʾim tiqniyyat al-muʿalumat) by the Arab League (the Arab Convention). This convention was signed in December 2010, and it has been ratified by Egypt and all GCC states other than Saudi Arabia. The Arab Convention is different in several key ways to the earlier Budapest Convention. Hakmeh highlights the similarities between the two, claiming that “provisions [of the Arab Convention] are in fact almost
| State | Electronic transactions law | Cybercrime law |
|---|---|---|
| Oman | 2008 | Penal code amended with chapter on computer crime 2001, Cyber Crime Law 2011 |
| UAE | 2002 | Law No. 2 of 2006, Law No. 5 of 2012 Concerning Combating Information Technology Crimes |
| Saudi Arabia | 2007 | Anti-Cyber Crime Law 2007, updated 2015 |
| Qatar | 2010 | Cybercrime Prevention Law 2014 |
| Bahrain | 2002 | Law No. 60 of 2014 Concerning Information Technology Crimes |
| Kuwait | 2014 | Law No. 63 of 2015 Concerning Combating Information Technology Crimes |
| Egypt | 2004 | Laws 2015 and 2016 Concerning Electronic Crimes discussed by Parliament, approved 2018 |
a “naming and shaming” clause for offenders, allowing a name and details of their offense to be published in local newspapers with the costs to be paid by the person convicted (Al-Sharq Al-ʾAwsat 2015). Similarly, the updated Omani law in 2011 has a section explicitly titled “content crimes,” covering any use of ICTs to “produce or publish or distribute or purchase or possess whatever might prejudice the public order or religious values” (Government of Oman 2011). The updated UAE law in 2012 is one of the starkest examples, as Article 9 prevents almost any form of online political debate:
New laws, such as the Kuwait cybercrime law, include very similar provisions to the updated laws above. Human rights organizations argued that the Kuwait law was “an effective barrier to critical political speech over the Internet” (Human Rights Watch 2015b), and “a direct assault on the right to freedom of opinion and belief and the right to freedom of expression” (Reporters without Borders 2016). Interestingly, this law had been considered even before the Arab Spring: a leaked U.S. cable in 2010 quoted Minister of the Interior Sheikh Jabar Al-Khalid Al-Sabah as complaining that “politics was hindering progress on . . . many other important bills, including one to criminalize cyber crimes” (Wikileaks 2010). The expansion of cybercrime in these laws is thus far more than localization of an existing norm: it is the active renegotiation of both cybercrime and national security.
Importantly, these cybercrime laws do not just have content provisions in their texts but have all been used to target political speech online. In the UAE, the cybercrime law was used in 2013 to charge the son of one of ninety-four defendants associated with Al-Islah, a political group accused by the UAE government of affiliation with the Muslim Brotherhood, after he published details about their trial (Human Rights Watch 2013). Al-Islah was then designated a terrorist group by the UAE in 2014. A prominent political dissident, Nasser bin Ghaith, was charged under the cybercrime law in 2016 after he criticized the UAE and Egyptian governments. In this case, the cybercrime law was used to criminalize his claims of mistreatment in an earlier trial as the posting of information “intended to damage the UAE” (Human Rights Watch 2016a). Ahmed Mansoor, a well-known dissident, was also tried under cybercrime laws (Al-Jazeera 2018). In 2016, an Omani was jailed for three years after criticizing the UAE’s conduct in the war in Yemen in a WhatsApp audio recording (Al-ʿArabi Al-Jadid 2016). After the Qatar crisis in June 2017, the UAE attorney general stated that showing sympathy for Qatar online would be treated as a cybercrime, resulting in prison sentences between three and fifteen years (Al Subaihi 2017).
In Saudi Arabia, the cybercrime law was also used regularly to prosecute political opposition. The liberal dissident Raʾif Badawi was sentenced under the cybercrime law in 2013 (Human Rights Watch 2012). A year later, the head of a human rights organization in Saudi Arabia was also sentenced to seven years’ imprisonment under the cybercrime law (Reporters without Borders 2014). In 2015, a lawyer who had represented Raʾif Badawi, and who founded the rights organization Saudi Monitor for Human Rights, was sentenced to fifteen years’ imprisonment for a range of offenses, including some under the new cybercrime law (Human Rights Watch 2014a). Other lawyers confirmed the use of the cybercrime law to prosecute the “spreading of rumours” over Twitter in 2017 (Al-Barqawi 2017). Most recently, in October 2018, the Saudi Public Prosecution reiterated their willingness to use the provisions against spreading rumors in the updated cybercrime law in an oblique reference to the alleged murder of Saudi journalist Jamal Khashoggi by the Saudi government in its Turkish consulate (Saudi Gazette 2018).
Kuwait’s cybercrime law was used in 2016 to charge a blogger who criticized the emir (FIDH 2016). In Bahrain, the most consistent use of the cybercrime law was against Nabeel Rajab, a prominent political activist, who led demonstrations in the 2011 protests and has been given prison sentences multiple times for his opposition to the government. According to his own testimony, he was arrested and interviewed in 2015 and 2016 by the Cyber Crimes Department following anti-government tweets, and remained in prison at the time of writing (Rajab 2016). His charges included “insulting a neighbouring country” in relation to Saudi Arabia (Bahrain Center for Human Rights 2017). In Oman, the cybercrime law was used to charge an individual who interviewed striking oil workers in 2012 and made other political statements online, although he was then convicted of an older criminal offense—insulting the Sultan—rather than under the cybercrime law (Human Rights Watch 2014b). In 2015, a government critic was sentenced to three years in prison for critical blog posts under the cybercrime law (Human Rights Watch 2015a). The editor of a politically independent newspaper in Oman, Al-Zaman, was charged under the cybercrime law after an article that criticized the judiciary in 2016 (Human Rights Watch 2016b). The newspaper was shut down a year later. I identified no instances of Qatar’s cybercrime law being used to suppress political opposition. However, human rights organizations highlight risks of this law through the example of a poet sentenced to fifteen years in prison in 2013 for indirectly criticizing the ruling family (Amnesty
laws. This innovation is important for the global development of cyber norms
because it demonstrates how states that are not “norm-takers” (who did not
sign up to the Budapest Convention) nonetheless incorporate such norms into
their practices in a strategic maneuver, signaling their alignment with the
norm through national strategy documents and then deviating from the norm
in their domestic laws.
CONCLUSION
This chapter has argued that the emergence of cyber norms in Egypt and the Gulf states is characterized by ambiguity and appropriation. First, I argued that these states occupy a complex position in international cybersecurity governance, with both strong security ties to multistakeholder proponents in the United States and Europe and support for cyber sovereignty measures in multilateral forums. Second, these states’ cybersecurity strategy documents accommodate the contradictions of this position by adopting an abstract and ambiguous description of cybersecurity threats and human rights values designed for international consumption. Although this ambiguous tone is partly a reflection of the many uses and causes of ambiguity more generally in international politics, in this case it also disguises the differences in conceptions of cybersecurity and cybercrime between these states and their international allies. Third, in the turbulent political situation after the Arab Spring, cybercrime laws and regional agreements across Egypt and the GCC appropriated the concept of cybercrime to provide an additional means to criminalize political speech online in an already restricted public sphere. These two innovations are closely linked: the cybersecurity practices of these states, especially their appropriation of cybercrime laws, illustrate the calculated nature of the ambiguity present in their strategy documents.
Both ambiguity and appropriation are innovations in state responses to the development of global cyber norms that could be analyzed in comparative perspective elsewhere. Future work could compare the production of ambiguity and appropriation in other regions with similar contradictory positions in global cybersecurity governance or test the logic of the argument presented here by exploring whether such maneuvers take place in states without such contradictory pressures. This chapter has thus provided an original contribution to the study of cyber norms, based on a rich empirical analysis of an important and largely unstudied region in cybersecurity. It highlights how states outside the cyber “great powers” have reached novel horizons in their sophisticated engagement with cyber norms, as—through their embrace of ambiguity and appropriation—these states participate in the constant undermining and redefining of responsible behavior itself.
NOTES
REFERENCES
Kaljurand, Marina. 2017. “An Interview with Marina Kaljurand, Former Minister of Foreign Affairs”. Journal of Complex Operations, December 21, 2017. https://perma.cc/K7F8-9MNX.
Khalid Negm. 2015. “Draft Law Concerning Electronic Crimes”. Leaked draft available on Scribd, April 2015. https://perma.cc/H4BS-VLGQ.
Lambert, Lisa, Anthony Deutsch, and Guy Faulconbridge. 2018. “West Accuses “pariah State” Russia of Global Hacking Campaign”. Reuters, October 5, 2018. https://perma.cc/YF3L-LV3N.
Malsin, Jared. 2018. “U.S. Releases $195 Million in Military Aid to Egypt”. The Wall Street Journal, July 25, 2018. https://perma.cc/Y7EY-F7UD.
Marczak, Bill, John Scott-Railton, Adam Senft, Ronald J. Deibert, and Bahr Abdul Razzak. 2018. “The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil”. Citizen Lab, October 1, 2018.
MCIT (Egypt). 2012. “National ICT Strategy 2012–2017: Towards a Digital Society and Knowledge-Based Economy”. MCIT, 2012.
———. 2014. “Publications—Egypt’s ICT Strategy 2014–2017”. Ministry of Communications and Information Technology. https://perma.cc/X6G3-WT3F.
MCIT (Saudi Arabia). 2011. “National Information Security Strategy”. Ministry of Communications and Information Technology, January 2011.
Miller, Elissa. 2018. “Egypt Leads the Pack in Internet Censorship Across the Middle East”. Atlantic Council, August 28, 2018. https://perma.cc/8DAC-LXYW.
Mueller, Milton, Andreas Schmidt, and Brenden Kuerbis. 2013. “Internet Security and Networked Governance in International Relations”. International Studies Review 15(1): 86–104.
National Cyber Security Center. 2017. “Profile—Introducing the National Cyber Security Center”. Government of Saudi Arabia.
Rajab, Nabeel. 2016. “Letter From a Bahraini Jail”. The New York Times, September 4, 2016. https://perma.cc/HH4R-6WZP.
Raymond, Mark, and Laura DeNardis. 2015. “Multistakeholderism: Anatomy of an Inchoate Global Institution”. International Theory, 7(3): 572–616.
Reporters without Borders. 2014. “Cyber Crime Law Used Again to Silence Dissident Voices”. July 1, 2014. https://perma.cc/2M9U-S5E2.
———. 2016. “New Cyber Crimes Law Restricts Free Expression and Targets Online Activists”, January 21, 2016. https://perma.cc/M9ZB-6VRH.
Rij, Armida van, and Benedict Wilkinson. 2018. “Security Cooperation with Saudi Arabia: Is It Worth It for the UK?”. The Policy Institute at King’s, September 2018.
Saad, Ragab. 2015. “Egypt’s Draft Cybercrime Law Undermines Freedom of Expression”. Atlantic Council, April 24, 2015. https://perma.cc/9ATE-HNNA.
Salama, Samr. 2018. “Barlimani Yuʾakid ʾan Qanun Mukafihat Jaraʾim Al-Mu’alumat Al-Jadid Yauqif Al-Jaraʾim Al-ʾiliktroni [Parliament Confirms That the New Law against Information Crimes Stops Electronic Crimes]”. Al-Masry Al-Yaum, August 19, 2018. https://perma.cc/D6HS-DFG4.
Savage, John E., and Bruce W. McConnell. 2015. “Exploring Multi-Stakeholder Internet Governance”. EastWest Institute, January 2015.
Segal, Adam. 2018. “Year in Review: Chinese Cyber Sovereignty in Action”. Council on Foreign Relations, January 8, 2018. https://perma.cc/L3UB-CDEN.
Staff Report. 2015. “Al-Shura Al-Saʿudi Yudifu ʿaqubat Al-Tashhir ʾila Nizam Mukafahat Al-Jaraʾim Al-Muʿalumatiyya [Saudi Council Adds Naming and Shaming Punishment to the Cybercrime Law]”. Al-Sharq Al-ʾAwsat, March 18, 2015. https://perma.cc/4QXP-Y8JR.
———. 2016. “Omani Jailed for Insulting UAE on Whatsapp”. Al-ʿArabi Al-Jadid, February 29, 2016. https://perma.cc/2ULR-LTFQ.
———. 2017. “CAIT Chief Briefs HH the Amir on National Cybersecurity Strategy—Vision to Protect Kuwait’s National Interest”. Arab Times, July 31, 2017. https://perma.cc/KTQ7-GW8G.
———. 2018a. “5-Year Jail, 3 Million Fine for Rumormongers”. Saudi Gazette, October 13, 2018. https://perma.cc/3D68-SFJC.
———. 2018b. “UAE Rights Activist Ahmed Mansoor Put on Trial in Abu Dhabi”. Al-Jazeera, April 18, 2018. https://perma.cc/8MWW-JCMV.
The Arab Republic of Egypt. 2014. “Egypt’s Constitution of 2014”. Constituteproject.org, translated by International IDEA.
The Economic Times. 2014. “China, Egypt Sign Strategic Partnership Agreement”, December 24, 2014. https://perma.cc/G5M4-KPHW.
UK Government. 2018. “UK Exposes Russian Cyber Attacks”, October 4, 2018. https://perma.cc/6UTX-TXYC.
UK Trade & Investment. 2013. “Cybersecurity: The UK’s Approach to Exports”. UK Government, April 2013.
Wikileaks. 2010. “US Embassy Kuwait City—Kuwait Interior Minister Sounds Alarm on Iran; Offers Assurances on GITMO Returnees and Security”. Wikileaks Public Library of US Diplomacy, February 17, 2010. Public Library of US Diplomacy. https://perma.cc/A79J-WF2E.
Yusif, Muhammad. 2016. “Al-Watan Tanshuru Nus Qanun Al-Jarimat Alʾiliktruniyya ʾamam Al-Nuwab [Al Watan Publishes the Text of the Electronic Crimes Law before Parliament]”. Al-Watan, May 11, 2016. https://perma.cc/KAX8-SUQH.
Zimmermann, Lisbeth. 2017. Global Norms with a Local Face: Rule-of-Law Promotion and Norm Translation. Cambridge, UK; New York: Cambridge University Press.
Chapter 11
228 Ilina Georgieva
this chapter puts forward that to see the intelligence agencies as a normative
power internationally is not “a contradiction in terms” (Manners 2002, 236),
but a natural complementation of the normative process.
The main reasons for choosing to look into foreign bulk collection practices
are threefold. For one, the overseas focus intends to circumvent the
heated domestic debates on the checks and balances that pertain (at least to a
certain extent) to rather specific domestic contexts, and have already enjoyed
the attention of a number of scholars and practitioners. Second, by focusing
on intelligence practices that cross national borders by default, thematic
priority can be given to their relevance for both the ongoing debate on
international cyber norms and for the emerging normative framework relating to
cyber espionage activities. Last, bulk data is the epitome of the information
age; it is what the information society in many instances thrives on, but also
fears. This contribution thus takes on the opportunity to look further into the
normative implications of bulk data collection.
The choice to look into the legislative developments of Germany, France
and the United Kingdom bears on the following points. For one, it allows
consideration of both common and civil law traditions. Second, their intelligence
practices (and alliances) prior to the respective intelligence reforms are well
documented by primary sources, which provide for a good ex ante—ex post
normative comparison. One can thus trace the behavioral norms the intelligence
agencies were abiding by prior to the leaks, whether and how those
were codified, and contrast them to current practices and legal frameworks.
Further, the consideration of the normative developments in Germany, France
and the United Kingdom covers a number of intelligence contexts—the
United Kingdom as one of the initial driving forces behind the Five Eyes and
its role as a bridge between Europe and United States; Germany, which is
particularly interesting for being marked by its Stasi past and thus bound by
very restrictive domestic rules regarding surveillance; and last but not least
France for its rather silent development of one of the most comprehensive
bulk collection mechanisms able to match the Five Eyes’ ambitions long
before other “elite” intelligence actors were able to do so. In addition, as the
revelations and other public sources give away, all three countries are affiliated
with the Five Eyes in different capacities—an interaction governed by its
own diplomacy, elaborate agreements and countless treaties (Aldrich 2004,
739), creating an indisputable community culture.
The present contribution continues as follows. Section II briefly makes
some terminology references and gives a few prominent examples of bulk
collection which were brought to light mainly by Snowden. Section III evaluates
those through the lens of IR norms scholarship to pinpoint the normativity
in the agencies’ behavior. Section IV presents evidence of how these
methods have been fortified in legal instruments. Section V takes on the task
Information collection in bulk has been central to the debate in the
post-Snowden era. Naturally, definitions of the practice differ according to
jurisdiction and operational context (see, for instance, Anderson 2016, 1, 2 as
an example of the UK context). As a rule, bulk collection refers to an intelligence
collection practice by which vast amounts of data (both content and
metadata) are acquired for multiple purposes/databases without a “determinant”
(Boeke 2017, 312), that is to say without aiming at a particular target,
be it a geographical location or an individual. Leaving the domestic context
aside, it is a standard feature of the foreign intelligence portfolio of almost
any intelligence or national security agency and falls by default under its
respective signals intelligence (SIGINT) capabilities. As such the practice
is exercised on the premise “first collect, then select” (Boeke 2017, 312),
hence the familiar-sounding metaphor of the haystack and the needle. For
the sake of simplicity, the rest of this article uses “bulk data collection”
or “bulk collection” as references to the collection of both content and
metadata unless otherwise specified. Further, the terms are used to denote
communications taking place entirely abroad, as well as communications
originating/ending in the intercepting country. Consequently, a foreign factor
is always implied.
As Snowden’s revelations developed in time and scope, it became increasingly
clear that a number of states had been making use of bulk collection
methods (Inkster 2014, 57), either unilaterally or in peer cooperation. Valuable
insights on the subject were delivered by leaks relating to the NSA’s
Special Source Operations (SSO) division, the crown jewel of the agency
(Electrospaces 2014b). Documents pertaining to the SSO allow a rare peek
into the collection practices of a number of the NSA’s overseas partners
including the GCHQ, the German Federal Intelligence Service (Bundesnachrichtendienst
or BND) and the French General Directorate for External
Security (Direction Générale de la Sécurité Extérieure or DGSE) (Electrospaces
2014a). While those liaison relationships necessarily vary in scope,
durability, and authorization, they also hold commonalities when it comes to
obtaining communications data in bulk. As will be explained, the common
features of their operational practices are particularly telling for the intelligence
community’s culture and corresponding intelligence collection norms.
The following examples illustrate the agencies’ methodology.
The Power of Norms Meets Normative Power 231
Operation TEMPORA allowed GCHQ to tap into the fiber optic cables
that carry Internet data in and out of the United Kingdom and to collect it
in bulk (MacAskill et al. 2013). By exploiting the United Kingdom’s unique
geographical advantage and placing interceptors on the approximately 200
transatlantic cables where they come ashore (Shubber 2013), GCHQ has not
only managed to secure direct access to vast amounts of Internet data, but to
do so on a scale that ranked it first in that regard among its partners in the Five
Eyes (Shubber 2013). The process has been facilitated by secret partnerships
(voluntary or forced) with the companies that operate the cables (MacAskill
et al. 2013; Obermaier et al. 2014). The legal framework for the collection
appears to have been the rather broad provision of s8 RIPA 2000 (Shubber
2013). The latter allows the Foreign Secretary to issue certificates for broad
interception of data categories relating to terrorism, organized crime, and so
on. Interception pertains to entirely foreign communications, but also to
communications whereby one of the communicating parties (either the receiver
or sender) is on UK soil.
France and Germany’s involvement in bulk data collection is evidenced
for one thing by the RAMPART-A program (Gallagher 2014; Information.dk
2014). The leaked material pertaining to the program shows that the NSA
considers France and Germany “third party” countries—strategic partners
outside of the Five Eyes (“second parties”) providing access to transition
cables and hosting equipment. The majority of the RAMPART-A missions
are carried out by its partners “under the cover of an overt COMSAT effort,”
implying that the tapping takes place at Cold War eavesdropping stations in
the intercepting countries (Gallagher 2014).
Besides additional leaks, France’s engagement in bulk intelligence collection
is further substantiated by a handful of investigative reports that trace
the practice back to 2008 (Tréguer 2017, 2). The latter confirm the involvement
of the telecommunications operators Orange and the Alcatel-Lucent
group as facilitating the French DGSE’s access to about two dozen undersea
communications cables (Tréguer 2017, 2). Designated teams within the companies
would manage the so-called landing stations, where the submarine
cables touch French shore and would forward the data caught in transit to the
DGSE’s systems in Paris (Follorou 2014). Although lacking an actual legal
framework, intelligence officials familiar with the practices have argued that
the practices were not illegal, but operated rather in the grey zones of the law
(Follorou and Johannès 2013).
The German BND in turn is known to have (jointly with the NSA) run the
EIKONAL bulk interception program (Electrospaces 2014c)—the tapping
into Deutsche Telekom cables (Biermann 2014). Sources confirm that the
NSA provided the equipment for the interception in 2003 (Electrospaces
2014c). The operation was ended in 2008, although the explanations put
forward in that regard differ. Legal authorization for the tapping of the transit
cables has been provided by the G10-commission, which is required to step
in once the collection of G10-data—communications data originating/ending
in Germany and thus affecting nationals—is involved. Enabling statutes for
fully foreign data traffic seem to have been of a lesser concern (Electrospaces
2015). EIKONAL and the agency’s foreign partnerships aside, once
the BND had learned how to collect Internet traffic from fiber optic cables,
G10-orders were used to extract communications from about twenty-five
domestic and foreign Internet service providers that made use of the DE-CIX
cables positioned in Frankfurt (Electrospaces 2015).
The following section examines the examples from a normative perspective.
Norms are built by actors that have strong ideas about appropriate behavior
in their community (Finnemore and Sikkink 1998, 896). What is appropriate
in turn is very much linked to the role the actors in that community are
performing (Sunstein 1996, 903). Norms are thus often role-specific (Sunstein
1996, 921). Consequently, evaluating the intelligence practices discussed
above through the lens of IR norms literature mandates looking into them
by adopting an inwards perspective and finding that shared understanding of
the appropriateness of bulk collection within the community. Said communal
perspective is particularly valuable when thinking of regulation in terms of
bottom-up influences (as presently looking into the influences of substate
entities on international cyber norms) that play out on the national and
ultimately on the international level as well.
As the previous paragraph hints, the conventional wisdom holds that a
norm is a standard of appropriate behavior for actors with a particular identity
(Katzenstein 1996, 5; Finnemore and Sikkink 1998, 891; Finnemore and
Hollis 2016, 438). This section thus focuses on highlighting the behavioral
standards that give away the normative nature of bulk data collection for the
intelligence community.
It appears that upon developing the necessary technological tools and
know-how, all three agencies not only carry out extensive bulk collection
programs but also operationalize the collection (their behavior) in a very
similar way—by casting a wide net for foreign communications data and
tapping into the accessible fiber optic cables. This regularized, standardized
behavior exercised on a large-scale and without real-time constraints runs
like a red thread through the examples above. The fact that the practice is not
contested within the intelligence community, but seen as appropriate to serve
CONCLUSION
NOTE
1. Up until that date, France was one of the few Western democracies without a
legal framework pertaining to the intelligence agencies. The latter’s mandates were
based on executive decrees and decisions in combination with other pieces of legislation
such as the 1991 Wiretapping Act.
BIBLIOGRAPHY
Bundestag. 2014. “Antrag Der Fraktionen CDU/CSU, SPD, DIE LINKE. Und
BÜNDNIS 90/DIE GRÜNEN: Einsetzung Eines Untersuchungsausschusses.”
———. 2016. Gesetz Zur Ausland-Ausland-Fernmeldeaufklärung Des Bundesnachrichtendienstes.
Bonn: Bundestag. http://www.bundesgerichtshof.de/SharedDocs/Downloads/DE/Bibliothek/Gesetzesmaterialien/18_wp/BND-Gesetz/bgbl.pdf?__blob=publicationFile.
Chase, Jefferson. 2016. “Germany Reforms Its Main Intelligence Service.” Dw.Com,
2016.
Cobain, Ian. 2018. “UK Has Six Months to Rewrite Snooper’s Charter, High Court
Rules.” The Guardian, 2018. https://www.theguardian.com/technology/2018/apr/27/snoopers-charter-investigatory-powers-act-rewrite-high-court-rules.
Cole, David. 2013. “We Are All Foreigners: NSA Spying and the Rights of Others.”
Just Security, 2013.
Deeks, Ashley. 2016. “Intelligence Services, Peer Constraints, and the Law.” In
Global Intelligence Oversight—Governing Security in the Twenty-First Century,
edited by Zachary K. Goldman and Samuel J. Rascoff, 3–36. New York: Oxford
University Press.
Diez, Thomas. 2005. “Constructing the Self and Changing Others: Reconsidering
‘Normative Power Europe’.” Millennium: Journal of International Studies 33 (3):
613–636.
DoD. 2013. “DoD Information Review Task Force-2: Initial Assessment-Impact
Resulting from the Compromise of Classified Material by a Former NSA Contractor.”
https://nsarchive2.gwu.edu/NSAEBB/NSAEBB534-DIA-Declassified-Sourcebook/documents/DIA-48.pdf.
ECJ. 2016. Judgment in Joined Cases C-203/15 Tele2 Sverige AB v Post-och telestyrelsen
and C-698/15 Secretary of State for the Home Department v Tom Watson
and Others.
Electrospaces. 2014a. “NSA’s Foreign Partnerships.” Electrospaces.Blogpost.Com.
2014. https://electrospaces.blogspot.com/2014/09/nsas-foreign-partnerships.html.
———. 2014b. “Slides about NSA’s Upstream Collection.” January 17, 2014.
https://electrospaces.blogspot.com/2014/01/slides-about-nsas-upstream-collection.html.
———. 2014c. “The German Operation Eikonal as Part of NSA’s RAMPART-A
Program.” Electrospaces.Blogpost.Com. 2014.
https://electrospaces.blogspot.com/2014/10/the-german-operation-eikonal-as-part-of.html.
———. 2015. “New Details About the Joint NSA-BND Operation Eikonal.”
Electrospaces.Blogpost.Com. 2015.
https://electrospaces.blogspot.com/2015/05/new-details-about-joint-nsa-bnd.html.
Finnemore, Martha. 1996. “Defining State Interests.” In National Interests in
International Society, 1–33. Ithaca, NY: Cornell University Press.
Finnemore, Martha, and Duncan B Hollis. 2016. “Constructing Norms for Global
Cybersecurity.” American Journal of International Law 110.
https://doi.org/10.5305/amerjintelaw.110.3.0425.
Finnemore, Martha, and Kathryn Sikkink. 1998. “International Norm Dynamics and
Political Change.” International Organization 52 (4): 887–917.
http://www.jstor.org/stable/2601361.
MULTISTAKEHOLDER AND
CORPORATE DIPLOMACY
Chapter 12
Over the past two decades, the public domain has experienced far-reaching
phases of reconstitution (Ruggie 2004). Forces of globalization and technological
advancement have added new degrees of complexity to international
affairs and have given rise to a pluralization of actors. Polymorphous non-state
actors have come to inhabit central areas of international steering and
policy-making, including among others, cybersecurity.
A realm of rising political, economic, and cultural relevance, cybersecurity
has been subject to considerable non-state actor engagement. Non-state actors
have been key contributors to the development and expansion of cyberspace.
In addition to producing hard- and software and providing technological
services, they have also come to contribute to the development of global
cybersecurity norms. Their normative contributions have, however, received
little academic attention so far (Hall and Biersteker 2002; Ruggie 1993).
With a view to addressing this deficiency, this chapter seeks to uncover the
parts played by non-state actors in processes of international cybersecurity
norm-construction.
Drawing on secondary academic literatures in the fields of international
relations and international law, as well as primary case materials, this chapter
claims that non-state actors have come to exert considerable clout over
endeavors of international norm-construction, particularly as active proposers
of norms of responsible behavior for state and non-state actors, and
contributors to the emergence of international custom. As non-state actors
continue to make their voices heard in debates about appropriate conduct
in cyberspace, it is important to shed light on their contributions with a
view to better understanding current practices and frames of international
246 Jacqueline Eggenschwiler and Joanna Kulesza
LITERATURE REVIEW
The advent of non-state actors on the international plane has presented
state-oriented scholarly disciplines, including international law and international
relations, with formidable theoretical and practical challenges. Non-state
actors have added new layers of complexity to traditional (hierarchical)
schemes of international ordering and have challenged conventional sources
of agency. Yet, in order to “understand how change occurs in the world polity,
[it is necessary] to unpack the different categories of transnational actors
and understand the quite different logic and processes in these different
categories” (Keck and Sikkink 1999, 99).
Defined in the negative, the term non-state actors constitutes a residual
category that comprises a broad range of actors other than states (Bianchi
2011). It encompasses both bene- and malevolent individuals and entities.
According to Wagner, it is impossible to identify these entities “by common
sociological features as they include, inter alia, international organisations,
corporations, non-governmental organisations (NGOs), de facto regimes,
trade associations, and transnational corporations, terrorist groups and transnational
criminal organisations” (Wagner 2009). To somewhat narrow the
group of possible subjects of inquiry, this chapter only considers the contributions
of benevolent non-state actors to processes of international cybersecurity
norm development, that is, the contributions of those that actively seek to
promote appropriate conduct in cyberspace and aspire to improve the overall
state of global cybersecurity.
Non-State Actors as Shapers of Customary Standards 247
Debates about the need for rules of the road regulating the conduct of state
and non-state entities in cyberspace have acquired increasing prominence
over the past decade. In the face of proliferating cybersecurity incidents and
reluctance on the parts of governments to agree on and enact legally binding
rules at the global level, less formal, norms-based discussions have emerged
as alternative pathways to formal regulation.1 In contrast to binding legal
statutes, norms as understood here denote voluntary “standard[s] of appropriate
behaviour for actors with a given identity” (Finnemore and Sikkink 1998,
891). They define legitimate social purposes that enable and constrain the
behavior of international actors (Florini 1996). “What distinguishes norms
from other social facts (e.g., customs, traditions, values, or fashions) is their
prescriptive quality, the sense of oughtness attached to them. . . . They are
‘prescriptive generalization’. Or, in Onuf’s more extended definition, norms
(or rules) ‘address some class of agents, describe some class of actions as
appropriate conduct for those agents, and link agents and standards with
ought-statements: agents ought to behave in accordance with standards’”
(Sandholtz 2017, 2).
Since the late 1990s, norms have figured prominently across a great variety
of research agendas and have witnessed extensive theorization (Keck
and Sikkink 1999; Sandholtz 2017; Winston 2017). Constructivist international
relations scholars, in particular, have made important contributions
to advancing analytically more rigorous understandings of international
norms and the roles of non-state actors in changes to normative ideas.
Ideational efforts conducted by non-state actors have been subsumed under
the analytical umbrella of norm entrepreneurship. Norm entrepreneurship
refers to activities conducted by agents with a view to persuading others
to adopt new standards of appropriateness and change social understandings
(Sjöström 2010; Finnemore and Sikkink 1998). Agents engaging in
norm entrepreneurship, so-called norm entrepreneurs, typically promote
new understandings of appropriate conduct and mobilize other entities or
networks of entities to support their normative ideas. These coalitions then
“bring pressure to bear from above (transnationally) and below (domestically)”
and help the norms advocated to cascade, and eventually become
internalized into domestic and international legal codes and institutions
(Sandholtz 2017, 2).
A field of growing political importance and social relevance, cybersecurity
has seen a number of noteworthy initiatives relating to the creation of international
norms (Nye 2018; Hinck 2018). Discussions concerning the creation
of rules of the road to curb malicious behavior in cyberspace can be traced
back to the mid-1990s. In 1996, the Council of the European Union endorsed
a proposal put forward by the French government for a Charter for International
Cooperation on the Internet (Mačák 2017). At the time, “the French
Minister for Information Technology expressed hope that the initiative would
lead eventually to an accord comparable to the international law of the sea”
(Wu 1998, 660). The French proposition was followed by a Russian bid in
the remit of the UN General Assembly, which sought to ban information
weapons and their use by way of enacting legally binding rules. Moscow’s
draft resolution emerged in consideration of a perceived Western dominance
of the ICT landscape, and gave rise to more institutionalized international
discussions.
In reaction to Russia’s proposal of 1998, and as a result of concerns over
the appropriateness of legally binding provisions, particularly on the parts
of Western states, the UN GA’s First Committee called to life a Group of
Governmental Experts to study existing and emerging threats emanating from
the digital realm and possible normative measures to address them. The first
of a total of five groups met in 2004. While the UN GGEs meeting between
2009 and 2015 managed to issue non-binding consensus reports, the groups
convening between 2004–2005 and 2016–2017 did not produce corresponding
documents (Väljataga 2017).
Subsequent to the 2016–2017 UN GGE’s inability to agree on a consensus
report, and following major cybersecurity incidents of transnational
magnitude, including WannaCry and Petya/NotPetya, there has been a
noticeable surge in the number of non-state initiatives directed at fostering
responsible behavior in the virtual domain (Hern 2017). Examples
include, among others, the University of Leiden’s and ICT4Peace Foundation’s
co-sponsorship of a Global Commentary on Voluntary, Non-Binding
Norms for Responsible State Behaviour in the Use of Information and
Communications Technology, Microsoft’s proposal for a Digital Geneva
Convention, its adoption of a Cybersecurity Tech Accord, its initiation of
a Digital Peace Now campaign, and its support of the Paris Call for Trust
and Security in Cyberspace, Siemens’ conclusion of a Charter of Trust, as
well as the Global Commission on the Stability of Cyberspace’s (GCSC)
calls for the Protection of the Public Core of the Internet, the safeguarding
of electoral infrastructures, and the release of the Singapore Norms Package
(Smith 2017b, 2018; Siemens 2018a; Global Commission on the Stability of
Cyberspace 2017a; ICT4Peace Foundation 2018; Global Commission on the
Stability of Cyberspace 2018a).
In what follows, the activities of these actors are highlighted in more detail.
Against the background of lacking political agreement at the intergovernmental
level and a halting emergence of international hard law directed at
addressing the challenges pertaining to nefarious conduct in the digital realm,
efforts led by non-state actors deserve particular analytical attention in terms
of fostering international peace, security, and stability.
Non-state actors have been central to the growth and spread of ICTs.2 As
operators of key network infrastructures, developers of products and suppliers
of services, they have made important contributions to the “international
[. . .] architecture for the governance of cyberspace” (Radu 2014, 4). Apart
from acting as executors of public initiatives (e.g., public-private partnerships),
they have also been seen to drive normative agendas.
The subsequent paragraphs summarize the norms-based activities conducted
by some of the most vocal proponents for rules of the road for cyberspace.
The selection of relevant initiatives was informed by substantive as
well as temporal considerations. Only proposals by benevolent non-state
actors, and only proposals launched post-2017 were selected for examination.
nations . . . need to examine and assess the need for modifying existing laws
to address cyber-specific issues. At both . . . national and international levels,
taskforces need to be established including all the key players to exchange
information, provide early warning and explore possible solutions to existing
or future challenges. (Stauffacher, Sibilia, and Weekes 2011)
Microsoft
Among the first corporate stakeholders to instigate debates about responsible
conduct in cyberspace was Microsoft (Betz 2015). Following preceding
efforts in 2013, 2014, and 2016, in February 2017, Microsoft president and
chief legal officer Brad Smith introduced the idea of a Digital Geneva Convention
to Protect Cyberspace (Smith 2017a; Microsoft 2013; McKay et al.
2014; Charney et al. 2016). Grounded in the belief that deep-rooted collaboration
among states, and between states, the private sector and civil society
is needed to curb nefarious doings in the digital realm, the convention, as
outlined by Smith, asks governments to “come together, affirm international
cybersecurity norms that have emerged in recent years, adopt new and binding
rules, and get to work implementing them” (Smith 2017b). Furthermore,
it calls on global technology companies to behave as neutral actors, and recommends
the setting-up of an independent non-governmental organization
capable of investigating and publicly attributing (nation-state) cyberattacks
(Smith 2017b; Maurer and Taylor 2018).
Microsoft’s call for a Digital Geneva Convention to Protect Cyberspace
was succeeded by the unveiling of a Cybersecurity Tech Accord among
leading industry partners in April 2018 (Smith 2018). In September 2018,
Microsoft unveiled a Digital Peace Now campaign, which calls on citizens
to protect cyberspace, for example, through measures of cyberhygiene, and
urges governments to refrain from endangering the global digital environment.
Only two months later, in November 2018, it supported the release
of the Paris Call, a multistakeholder initiative seeking to safeguard peace
and security in the virtual realm by means of nine principles, including
the prevention of nefarious interference or theft of intellectual property by
foreign actors, the condemnation of hack-backs, and the securing of supply
chains (Ministère de l’Europe et des Affaires Étrangères 2018). So far,
the Paris Call has been acceded to by more than 1000 supporters: 78 governments,
29 public authorities, 343 civil society organizations, and 633
private sector entities (Ministère de l’Europe et des Affaires Étrangères
2018).
Siemens
Two months before the launch of Microsoft’s Cybersecurity Tech Accord,
Siemens, together with eight partner corporations, issued a Charter of Trust
for a Secure Digital World (Siemens 2018a). Adopted at the sidelines of the
2018 Munich Security Conference, the charter calls for binding rules, and
postulates ten principles ranging from ownership of cyber and IT security,
responsibility throughout the digital supply chain, security by default,
user-centricity, innovation and co-creation to education, certification for critical
infrastructure and solutions, transparency and response, regulatory framework,
and joint initiatives (Siemens 2018b; Hinck 2018; Kaeser 2018).
Calling for binding legal rules, the charter recognizes that
in order to keep pace with continuous advances in the market as well as threats
from the criminal world, companies and governments must join forces and take
decisive action. This means making every effort to protect the data and assets
of individuals and businesses; prevent damage from people, businesses, and
infrastructures; and build a reliable basis for trust in a connected and digital
world. (Siemens 2018a, 1)
states: “Without prejudice to their rights and obligations, state and non-state
actors should not conduct or knowingly allow activity that intentionally and
substantially damages the general availability or integrity of the public core
of the Internet, and therefore the stability of cyberspace” (Global Commission
on the Stability of Cyberspace 2017a, 1). The proclamation of the norm
drew considerable attention from the international community and the norm
has since made its way into a number of political fora, including the Paris
Peace Forum, and the European Union (Global Commission on the Stability
of Cyberspace 2019; Ministère de l’Europe et des Affaires Étrangères 2018).
According to some observers, including the Electronic Frontier Foundation’s
global policy analyst, Jeremy Malcolm, “the idea of a duty on stakeholders
not to attack the internet’s core technical infrastructure has the potential to
become an influential and important guiding principle for policymakers and
business leaders” (Malcolm 2017).
The concept of the public core as advanced by the GCSC was first articulated
by associate professor of Security and Technology, Dennis Broeders, in
a study published by the Netherlands Scientific Council for Government Policy
(Broeders 2016). The study argued for the establishment of an international
norm directed at protecting “the internet’s public core—its main protocols
and infrastructure, which are a global public good . . . against unwarranted
intervention by states” (Broeders 2017, 367).3
Since the publication of its first norm, the commission has issued seven
further norms addressing issues such as product tampering, the commandeering
of botnets, and the creation of a vulnerability equities process (Global
Commission on the Stability of Cyberspace 2018b).
The cases introduced above demonstrate that non-state actors have come to
insert their voices in debates about responsible behavior in cyberspace. They
have taken seats at political tables and have started to behave as diplomatic
protagonists. Their proposals are deliberately targeted at the international
level and consciously employ policy-oriented language. Naming norms-based
endeavors Charter, Accord, or Convention underscores the underlying
political ambitions of these efforts.
In terms of agency, the norm-building activities conducted by non-state
actors reflect a substantial extension of their traditional authority. From a
structural point of view, they suggest a shift in global regulation from
state-centric forms of steering toward new non-territorial, multi-actor modes of
Of particular relevance for the purposes of this chapter are administrative processes
conducted by private protagonists. Whether through company policies,
254 Jacqueline Eggenschwiler and Joanna Kulesza
CONCLUSION
The international societal body is changing at a rapid rate and new actors in
international law are emerging and gaining prominence. Scholars and
practitioners have to think fast to keep pace with global change. As a result, the
theoretical discourse is sometimes lost in the attempt to provide a satisfactory
explanation of legal processes in a changing and unpredictable world. (Bianchi
2009)
NOTES
1. “The main goals for agreeing on norms are believed to include increased
predictability, trust and stability in the use of Information and Communication
Technologies” (Osula and Rõigas 2016, 11).
2. Contrary to earlier communication technologies, and despite its emergence in
a politically predicated context, sovereign actors initially displayed little inclination
toward enacting measures of control over cyberspace. Operation and management of
the infrastructure were, for the most part, left to the experts who had contributed to
its development, including, among others, Barry M. Leiner, Vinton G. Cerf, David
D. Clark, Robert E. Kahn, Leonard Kleinrock, Daniel C. Lynch, Jon Postel, Larry
G. Roberts, and Stephen Wolff. Oversight was informal and reflected the academic
context within which the digital realm had arisen.
3. According to Broeders the public core “does not comprise the whole of the
internet or even enter into the content layer of the internet but is limited to the logical
BIBLIOGRAPHY
———. 2017. “Aligning the International Protection of “the Public Core of the
Internet” with State Sovereignty and National Security.” Journal of Cyber Policy 2 (3):
366–376. https://doi.org/10.1080/23738871.2017.1403640.
Charney, Scott, Erin English, Aaron Kleiner, Nemanja Malisevic, Angela McKay,
Jan Neutze, and Paul Nicholas. 2016. “From Articulation to Implementation:
Enabling Progress on Cybersecurity Norms.”
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/REVmc8.
Drake, William J. 2008. “Introduction: The Distributed Architecture of Network
Global Governance.” In Governing Global Electronic Networks, edited by William
J. Drake and Ernest J. Wilson III, 1–80. The MIT Press.
https://doi.org/10.7551/mitpress/9780262042512.003.0009.
European Parliament. 2018. “Report on Cyber Defence (2018/2004(INI)).”
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A8-2018-0189+0+DOC+PDF+V0//EN.
Finnemore, Martha, and Duncan B. Hollis. 2018. “Naming without Shaming?
Accusations and International Law in Global Cybersecurity.”
Finnemore, Martha, and Kathryn Sikkink. 1998. “International Norm Dynamics
and Political Change.” International Organization 52 (4): 887–917.
https://doi.org/10.1162/002081898550789.
Florini, Ann. 1996. “The Evolution of International Norms.” International Studies
Quarterly, 40: 363–389. http://www.jstor.org/stable/2600716.
Global Commission on the Stability of Cyberspace. 2017a. “Call to Protect the Public
Core of the Internet.”
https://cyberstability.org/wp-content/uploads/2017/11/call-to-protect-the-public-core-of-the-internet.pdf.
———. 2017b. “Mission Statement.” https://cyberstability.org/.
———. 2018a. “Call to Protect the Electoral Infrastructure.”
https://cyberstability.org/wp-content/uploads/2018/05/GCSC-Call-to-Protect-Electoral-Infrastructure.pdf.
———. 2018b. “Global Commission Introduces Six Critical Norms Towards Cyber
Stability.” News. https://cyberstability.org/research/singapore_norm_package/.
———. 2018c. “The European Parliament Supports the GCSC in Its Recent Report
on Cyber Defence.” News.
https://cyberstability.org/news/the-european-parliament-supports-the-gcsc-in-its-recent-report-on-cyber-defence/.
———. 2019. “European Union Embeds Protection of the Public Core of the
Internet in New EU Cybersecurity Act.” News.
https://cyberstability.org/news/european-union-embeds-protection-of-the-public-core-of-the-internet-in-new-eu-cybersecurity-act-2/.
Hall, Rodney Bruce, and Thomas J Biersteker. 2002. The Emergence of Private
Authority in the International System. Cambridge: Cambridge University Press.
https://doi.org/10.1017/CBO9780511491238.
Hathaway, Melissa. 2017. “When Violating the Agreement Becomes Customary
Practice.” In Getting beyond Norms: New Approaches to International
Cybersecurity Challenges, edited by Fen Osler Hampson and Michael Sulmeyer, 5–12.
Centre for International Governance Innovation.
https://www.cigionline.org/sites/default/files/documents/Getting Beyond Norms.pdf.
Healey, Jason. 2018. “Innovation on Cyber Collaboration: Leverage at Scale.” Vol. 1.
http://www.atlanticcouncil.org/images/publications/Innovation-Cyber-WEB.pdf.
Hern, Alex. 2017. “WannaCry, Petya, NotPetya: How Ransomware Hit the Big Time
in 2017.” The Guardian.
https://www.theguardian.com/technology/2017/dec/30/wannacry-petya-notpetya-ransomware.
Hinck, Garrett. 2018. “Private-Sector Initiatives for Cyber Norms: A Summary.”
Lawfare. https://www.lawfareblog.com/private-sector-initiatives-cyber-norms-summary.
Horenbeeck, Maarten Van. 2018. “Taking a Multi-Stakeholder Look at Cyber
Norms.” CircleID.
http://www.circleid.com/posts/20180827_taking_a_multi_stakeholder_look_at_cyber_norms/.
Horenbeeck, Maarten Van, Sheetal Kumar, Global Partners Digital, Frans Van Aardt,
Susan Mohr, Carina Birarda, Louise Marie Hurel, John Hering, Duncan Hollis, and
Joanna Kulesza. 2019. “Cybersecurity Agreements.”
http://www.intgovforum.org/multilingual/filedepot_download/4904/1658.
ICT4Peace Foundation. 2017. “Call for Global Open Consultations on the United
Nations Cybersecurity Norms Proposals.” Activities.
https://ict4peace.org/activities/call-for-global-open-consultations-on-the-united-nations-cybersecurity-norms-proposal/.
———. 2018. “ICT4Peace Sponsored First Global Commentary on Norms of
Responsible State Behaviour in Cyberspace.”
https://ict4peace.org/activities/ict4peace-sponsored-first-global-commentary-on-norms-of-responsible-state-behaviour-in-cyberspace/.
———. 2019. “UN GGE and UN OEWG on Cybersecurity: ICT4Peace Supporting
OAS Regional Consultations.” Activities.
https://ict4peace.org/activities/un-gge-and-un-oewg-on-cybersecurity-ict4peace-supporting-oas-regional-consultations/.
Kaeser, Joe. 2018. “Working Together for More Security in the Digital World.”
LinkedIn Pulse.
https://www.linkedin.com/pulse/working-together-more-security-digital-world-joe-kaeser.
Keck, Margaret E., and Kathryn Sikkink. 1999. “Transnational Advocacy Networks
in International and Regional Politics.” International Social Science Journal 51
(159): 89–101. https://doi.org/10.1111/1468-2451.00179.
Kingsbury, Benedict, and Megan Donaldson. 2011. “Global Administrative Law.”
Max Planck Encyclopedia of Public International Law.
http://iilj.org/wp-content/uploads/2016/08/EPIL_Global_Administrative_Law.pdf.
Kingsbury, Benedict, Nico Krisch, and Richard Stewart. 2005. “The Emergence of
Global Administrative Law.” Law and Contemporary Problems 68 (3): 48.
http://heinonlinebackup.com/hol-cgi-bin/get_pdf.cgi?handle=hein.journals/lcp68&section=35.
Klabbers, Jan. 2003. “(I Can’t Get No) Recognition: Subjects Doctrine and the
Emergence of Non-State Actors.” In Nordic Cosmopolitanism, edited by Martti
Koskenniemi, Jarna Petman, and Jan Klabbers, 1813: 352–369. Leiden: Martinus
Nijhoff Publishers.
Kleinwächter, Wolfgang. 2017. “The Kaljurand Commission: Building Bridges Over
Troubled Cyber-Water.”
http://www.circleid.com/posts/20171202_kaljarund_commission_building_bridges_over_troubled_cyber_water/.
Krisch, Nico, and Benedict Kingsbury. 2006. “Introduction: Global Governance and
Global Administrative Law in the International Legal Order.” European Journal of
International Law 17 (1): 1–13. https://doi.org/10.1093/ejil/chi170.
Mačák, Kubo. 2017. “From Cyber Norms to Cyber Rules: Re-Engaging States as
Law-Makers.” Leiden Journal of International Law 30 (4): 877–899.
Malcolm, Jeremy. 2017. “EFF at Cyberspace Events in Delhi: Protecting the Public
Core of the Internet.” Deeplinks Blog.
https://www.eff.org/deeplinks/2017/11/eff-cyberspace-events-delhi-protecting-public-core-internet.
Maurer, Tim, and Kathryn Taylor. 2018. “Outlook on International Cyber Norms:
Three Avenues for Future Progress.” Just Security.
https://www.justsecurity.org/53329/outlook-international-cyber-norms-avenues-future-progress/.
McKay, Angela, Jan Neutze, Paul Nicholas, and Kevin Sullivan. 2014. “International
Cybersecurity Norms.”
https://blogs.microsoft.com/cybertrust/2014/12/03/proposed-cybersecurity-norms/.
Microsoft. 2013. “Five Principles for Shaping Cybersecurity Norms.”
https://www.microsoft.com/en-us/cybersecurity/content-hub/five-principles-for-shaping-cybersecurity-norms.
Ministère de l’Europe et des Affaires Étrangères. 2018. “Cybersecurity: Paris Call of
12 November 2018 for Trust and Security in Cyberspace.” French Foreign Policy.
https://www.diplomatie.gouv.fr/en/french-foreign-policy/digital-diplomacy/france-and-cyber-security/article/cybersecurity-paris-call-of-12-november-2018-for-trust-and-security-in.
Noortmann, Math, August Reinisch, and Cedric Ryngaert. 2015. Non-State Actors
in International Law. Edited by Math Noortmann, August Reinisch, and Cedric
Ryngaert. Studies in International Law. Oxford: Hart Publishing.
Nye, Joseph S. Jr. 2018. “Normative Restraints on Cyber Conflict.” Cambridge, MA.
https://www.belfercenter.org/sites/default/files/files/publication/Nye Normative Restraints Final.pdf.
Osula, Anna-Maria, and Henry Rõigas. 2016. International Cyber Norms. Edited by
Anna-Maria Osula and Henry Rõigas. Tallinn: NATO Cooperative Cyber Defence
Centre of Excellence.
https://ccdcoe.org/sites/default/files/multimedia/pdf/InternationalCyberNorms_full_book.pdf.
Radu, Roxana. 2014. “Power Technology and Powerful Technologies: Global
Governmentality and Security in the Cyberspace.” In Cyberspace and International
Relations, edited by Jan-Frederik Kremer and Benedikt Müller, 3–20. Berlin,
Heidelberg: Springer Berlin Heidelberg. https://doi.org/10.1007/978-3-642-37481-4.
Ruggie, John Gerard. 2011. “Guiding Principles on Business and Human Rights:
Implementing the United Nations “Protect, Respect and Remedy” Framework.”
Vol. HR/PUB/11/. New York, NY.
https://www.ohchr.org/documents/publications/guidingprinciplesbusinesshr_en.pdf.
Ruggie, John Gerard. 1993. “Territoriality and Beyond: Problematizing Modernity in
International Relations.” International Organization 47 (1): 139–174.
http://www.jstor.org/stable/2706885.
———. 2004. “Reconstituting the Global Public Domain—Issues, Actors, and
Practices.” European Journal of International Relations 10 (4): 499–531.
https://doi.org/10.1177/1354066104047847.
Sandholtz, Wayne. 2017. International Norm Change. Oxford Research
Encyclopedia of Politics. Oxford: Oxford University Press.
https://doi.org/10.1093/acrefore/9780190228637.013.588.
Scherer, Andreas Georg, Guido Palazzo, and Dorothée Baumann. 2006. “Global
Rules and Private Actors: Toward a New Role of the Transnational Corporation
in Global Governance.” Business Ethics Quarterly 16 (04): 505–532.
https://doi.org/10.5840/beq200616446.
Siemens. 2018a. “Charter of Trust: For a Secure Digital World.”
https://www.siemens.com/press/pool/de/feature/2018/corporate/2018-02-cybersecurity/charter-of-trust-e.pdf.
———. 2018b. “Time for Action: Building a Consensus for Cybersecurity.”
Cybersecurity.
https://www.siemens.com/innovation/en/home/pictures-of-the-future/digitalization-and-software/cybersecurity-charter-of-trust.html.
Sjöström, Emma. 2010. “Shareholders as Norm Entrepreneurs for Corporate Social
Responsibility.” Journal of Business Ethics 94 (2): 177–191.
https://doi.org/10.1007/s10551-009-0255-1.
Smith, Brad. 2017a. “A Digital Geneva Convention to Protect Cyberspace.”
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW67QH.
———. 2017b. “The Need For a Digital Convention.” Microsoft.
https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/#sm.0001hkfw5aob5evwum620jqwsabzv.
———. 2018. “34 Companies Stand Up for Cybersecurity with a Tech Accord.”
Microsoft.
https://blogs.microsoft.com/on-the-issues/2018/04/17/34-companies-stand-up-for-cybersecurity-with-a-tech-accord/.
Stauffacher, Daniel, Ricardo Sibilia, and Barbara Weekes. 2011. “Getting Down to
Business Realistic Goals for the Promotion of Peace in Cyberspace.” Geneva.
Thirlway, Hugh. 2014. The Sources of International Law. Foundations of Public
International Law. Oxford: Oxford University Press.
Tikk, Eneken. 2019. “UN GGE—Eneken Tikk’s Cyber Norms Blogposts: Search for
Cyber Norms—Where to Look? #4 The Norms Test: Existing Norms.” ICT4Peace
Foundation.
https://ict4peace.org/activities/policy-research/policy-research-cs/un-gge-eneken-tikks-cyber-norms-blogposts-search-for-cyber-norms-where-to-look-4-the-norms-test-existing-norms/.
Tikk, Eneken, Zine Homburger, Mika Kerttunen, Liisi Adamson, Els DeBusser,
Barrie Sander, Jason Jolley, Michael Berk, Caitriona Heinl, and Nicholas Tsagourias.
2017. Voluntary, Non-Binding Norms for Responsible State Behaviour in the
Use Of Information and Communications Technology: A Commentary. Edited by
Eneken Tikk. New York, NY: United Nations Office for Disarmament Affairs.
https://www.un.org/disarmament/wp-content/uploads/2018/04/Civil-Society-2017.pdf.
Väljataga, Ann. 2017. “Back to Square One? The Fifth UN GGE Fails to Submit a
Conclusive Report at the UN General Assembly.” NATO CCDCOE.
https://ccdcoe.org/back-square-one-fifth-un-gge-fails-submit-conclusive-report-un-general-assembly.html.
Vihul, Liis. 2013. “The Tallinn Manual on the International Law Applicable to Cyber
Warfare.” Blog of the European Journal of International Law.
https://www.ejiltalk.org/the-tallinn-manual-on-the-international-law-applicable-to-cyber-warfare/.
Wagner, Markus. 2009. “Non-State Actors.” Edited by Rüdiger Wolfrum. Max
Planck Encyclopedia of Public International Law. Oxford.
https://ssrn.com/abstract=2661832.
Wex Legal Dictionary. 2018. “Opinio Juris.” Legal Information Institute.
https://www.law.cornell.edu/wex/opinio_juris_%28international_law%29.
Winston, Carla. 2017. “Norm Structure, Diffusion, and Evolution: A Conceptual
Approach.” European Journal of International Relations, 135406611772079.
https://doi.org/10.1177/1354066117720794.
Wu, Timothy S. 1998. “Cyberspace Sovereignty? The Internet and the International
System.” Harvard Journal of Law & Technology 10 (3): 647–666.
https://doi.org/10.3868/s050-004-015-0003-8.
Chapter 13
The “existing and potential threats in the sphere of information security are
among the most serious challenges of the twenty-first century,” stated the
United Nations Group of Governmental Experts on Developments in the
Field of Information and Telecommunications in the Context of International
Security (UN GGE) in its first report, published in 2010. Almost ten years
later, it has become clear that the use of networked technologies to conduct
espionage, sabotage, and subversion (Rid 2013) is a major feature of
contemporary global politics (Kello 2017). How this behavior should be governed at
the global level has been a major point of international contention, and efforts
to develop “cyber norms” of conduct via established international
institutions, bilateral summits, and other conventional forms of diplomacy have
failed to resolve many fundamental disagreements between key states such
as the United States, Russia, and China (Grigsby 2017; Segal 2017; Lantis
and Bloomberg 2018; Henriksen 2019). How should the laws of war apply?
What kinds of intrusions can be considered an armed attack? What type of
networks are fair-play for military cyber commands and intelligence
agencies, and what others are off limits?
Unsatisfied with the tenor of the government-led discussion on these issues,
Microsoft president Brad Smith proposed a “Digital Geneva Convention” at
the RSA Conference in March 2017, calling on states to renounce
cyberattacks on the private sector (Smith 2017b, 10). Smith’s speech also called
upon tech firms to rally together in support of the cause by not collaborating
264 Robert Gorwa and Anton Peez
Finally, we present the first descriptive analysis of the Tech Accord’s 110
members, and examine the possible instrumental motivations of signatories
by collecting and analyzing their public statements regarding accord
membership. We argue that most firms—smaller ones, in particular—attempt to
cast themselves as innovative “global players” and as impactful technology
companies, “bandwagoning” alongside Microsoft.
Table 13.1 Commitments and “Common Values” as Proposed by Brad Smith in 2017,
and Their Equivalents in the 2018 Tech Accord (Authors’ Systematization, Numbers in
Parentheses Correspond to the Numbering in the Original Documents)
see also Katzenstein 1996, 5). Early foundational work by Sikkink and
Margaret Keck on non-state actors and norms focused primarily on grassroots,
transnational advocacy networks (Keck and Sikkink 1998). The authors
examined the tactics such networks employ in their attempts to affect
Big Tech Hits the Diplomatic Circuit 267
Table 13.2 Cybersecurity Tech Accord Members by Industry Sector and by Whether
a Press Release Was Issued (as of July 25, 2019)
with the PR fallout from the Snowden revelations, and the waning position
of Microsoft as a meaningful corporate player (relative to Google, Facebook,
Amazon, and Apple) makes Microsoft a likely candidate for corporate norm
entrepreneurship.
Nicole Deitelhoff and Klaus Dieter Wolf make three further particularly
relevant points for the case of cyber norm entrepreneurship. First, they argue
that corporate involvement in “governance in the post-national constellation”
is generally strong (Deitelhoff and Wolf 2013, 222). The realm of cyberspace
is emblematic of this setting. Therefore, Deitelhoff and Wolf’s work provides
a fitting theory to apply to the Microsoft-led case of norm
entrepreneurship. Second, the authors amend Risse et al.’s five-phase “spiral model” of
state norm socialization (Risse, Ropp, and Sikkink 1999) to fit the corporate
context. The adjusted “spiral model” contains the following steps in which
businesses deal with human rights norms: (1) denial and “quiet complicity,”
followed by typically unsuccessful (2) tactical concessions, leading to (3)
growing norm acceptance and institutionalization, potentially followed by (4)
corporate norm-setting in order to achieve a level-playing field with
noncompliant competitors, and finally (5) ongoing rule-consistent behavior,
norm-setting and norm development (Deitelhoff and Wolf 2013, 231–234). Third,
and more broadly, the authors find that corporate norm entrepreneurship is
often primarily driven by “rationalist calculations regarding the re-definition
of fundamental business interests” (Deitelhoff and Wolf 2013, 237). In other
words, when companies “proactively engage in norm-setting,” they are
mainly guided by the aim of minimizing losses by bringing competitors who
are not adhering to the norm in question into the fold—“levelling the
playing field” (Zadek 2004; Deitelhoff and Wolf 2013, 237). This assumption is
particularly worth examining in the Microsoft and Tech Accord case.
The remainder of this section proceeds along these three steps. While
Hurel and Lobato state that “governments usually look to the ICT industry
to prevent, detect, respond to, and recover from cyber attacks” (Hurel and
Lobato 2018, 62), governments have also long looked to tech corporations for
access to private user data. In the following, we examine this interaction as a
key mechanism in understanding Microsoft’s ongoing Tech Accord efforts.
A critical element in the call for cyber norms is the difficulty of governing
cyberspace in the first place. Cyberspace is today generally considered quasi-
regulated space (Jakobi 2013; however, also see Jeutner 2019) and corporate
entities are, therefore, crucial actors in this “area of limited statehood,” a
realm where “the state lacks governance capacities in different sectors or over
certain periods” (Börzel and Deitelhoff 2018, 250). Where state governance is
limited, corporations are both commonly normatively expected to get involved
and empirically more likely to do so (Deitelhoff and Wolf 2013; Börzel and
Deitelhoff 2018). The concept of “limited statehood” fits the online context
Barack Obama and the U.S. Congress, containing five “reform principles”
to rein in government surveillance. They stated that “the balance in many
countries has tipped too far in favor of the state and away from the rights
of the individual.” Brad Smith, then Microsoft’s general counsel, put the
responsibility for decreasing user trust squarely on the U.S. government’s
shoulders: “Governments have put this trust at risk, and governments need to
help restore it” (The Guardian 2013c). In this way, Microsoft sought to
highlight their compliance with civil liberty norms, a “regular instance of tactical
concessions” (Deitelhoff and Wolf 2013, 230).
The third step—“norm acceptance and institutionalization”—is difficult to
separate from concessions. The open letter was accompanied by an industry-
wide push for stronger encryption and peer review of application code (The
Guardian 2013b, 2013c). More antagonistically, Brad Smith compared
government surveillance of its servers to “sophisticated malware or cyber attacks”
in December 2013 (The Guardian 2013b). Microsoft had now accepted and
firmly, publicly committed to higher standards, and to no longer providing
broad access to user data. Thereby, the company had moved from long-term
NSA cooperation to public support for civil liberties online to sharp public
criticism of U.S. government practices (see also Hurel and Lobato 2020).
Fourth, this leads to what Deitelhoff and Wolf call “a curious and
unexpected side effect”—the potential transformation of “norm-takers into
norm-makers.” Rather than using discursive tactics such as shaming, Deitelhoff
and Wolf argue that companies often change their own behavior and lead by
example, forging “collective self-commitments” (Deitelhoff and Wolf 2013,
231–232). The Digital Geneva Convention, Tech Accord, and Paris Call
initiatives in 2017 and 2018 are examples of such commitments, as are the
company’s “Transparency Centres,” the “Defending Democracy Program,” and
their “Digital Crimes Unit” (see Hurel and Lobato 2020). Through this lens
and perhaps somewhat favorably, Microsoft’s pushes can be interpreted as a
genuine effort to drive and advance cyber norms as part of the “groundswell
of private leadership” (Matsakis 2018) in this realm from 2014 onwards.
In the absence of effective state-led international agreements and therefore
the presence of “unregulated space,” tech firms such as Microsoft may feel
empowered to be more proactive and take the lead in norm and agenda
setting, exemplified by the firm’s activities as a “quasi-diplomatic actor” (Hurel
and Lobato 2018) adopting the vocabulary of international relations.
Fifth, looking into the future, “companies often struggle to commit public
actors (. . .) to comply with human rights,” particularly in settings of “limited
statehood more generally” (Deitelhoff and Wolf 2013, 235). This does not
bode well for common cybersecurity norms, and may indeed be the reason
why Microsoft toned down the “Digital Geneva Convention” language in
the first place (see Smith 2018). The voluntary nature of the accord makes it
This section critically analyses the Cybersecurity Tech Accord itself,
focusing on the benefits to corporate actors of (1) appropriating the authoritative
language of international humanitarian law without any of its commitment,
With this chapter, we have sought to trace the evolution of Microsoft’s norm
entrepreneurship from the 2013 Snowden revelations to the 2017 Digital Geneva
Convention speech to the 2018 Cybersecurity Tech Accord initiative. We
have explored the potential motives shaping Microsoft’s behavior as the
creator of the accord, unpacked the proscriptions of the accord itself, analyzed
public statements issued by signatories to better understand why so many
firms have joined, and tabulated its members along various characteristics.
At 110 members, it is steadily growing and provides an insightful precedent as
an informal, potentially powerful coalition of non-state actors in the cyber-
norms debate.
We show that Deitelhoff and Wolf’s rationalist argument for why
corporations may become norm entrepreneurs seems plausible for the Tech Accord
and Microsoft case (Deitelhoff and Wolf 2013, 237). The accord may be
an attempt to bolster user trust in the companies’ data protection measures,
a value that has been at the forefront of user demands since 2013. So will
this lead to a catalogue of do’s and don’ts, a cohesive alternative vision for
responsible behavior in cyberspace? Under the commonly accepted definition
of norms as “shared understandings” (see Niemann and Schillinger 2017), the
accord’s provisions and very organizational nature seem neither shared nor
understood. Despite the apparent novelty of the initiative, and its ongoing
endorsement by scholars frustrated with the current poor state of
cybersecurity norms discourse (see, e.g., Tworek 2017; Korzak and Lin 2018), as
it stands, the accord offers all the PR potential and heavyweight legitimacy
and very little of the normative obligation of the international legal language
Microsoft has emulated.
Nonetheless, the rationalist and instrumental accounts do not fully explain
the accord, and the goal of profit maximizing “does not rule out the
existence of underlying notions of appropriate business behaviour” (Deitelhoff
Table 13.3 Cybersecurity Tech Accord Membership by Date of Joining and by World Region (as of July 25, 2019)
Sum 32 11 17 9 11 11 15 4 110
Table 13.4 Cybersecurity Tech Accord by World Region and by Whether a Press
Release Was Issued (as of July 25, 2019)
and Wolf 2013, 237). Less than half of the accord’s signees have issued
statements on their joining (tables 13.2 and 13.4), and the biggest, most
important members (Facebook, Cisco, LinkedIn, Hewlett Packard, Dell, and
others) have been oddly silent regarding the accord, casting some doubt on
the assumption of the accord as purely a PR exercise. If all firms are simply
seeking to improve their public image through participation, why would they
not issue a statement? The importance of individuals such as Brad Smith in
driving change may come into play here and is worth exploring further—
good-faith commitment to the principles of user privacy and data protection
has been traced back to the idealism, ideology, and the institutional culture
of the American technology industry (see, e.g., Turner 2008). Another major,
unexplored question is why certain major industry players (such as Google)
are missing, seemingly having refused to sign on to the accord.
Overall, the Tech Accord demonstrates several novel characteristics which
provide a major departure from past norm-building efforts in the cyber realm.
It is led by different stakeholders (i.e., tech companies rather than states), and
seems to have virtually no external buy-in from civil society,
nongovernmental organizations, or other key actors in international cyber governance.
However, it seems to be positioning Microsoft as a responsible cyber actor,
offering legitimacy for future endeavors, such as the November 2018 Paris
Call, which does feature broader civil society participation. Microsoft’s
tactics can also be interpreted as an attempt to frame the company as a
“quasi-diplomatic entity” (Hurel and Lobato 2018, 71), from their spearheading of
the Tech Accord to the branding of a “Global Security Strategy and
Diplomacy Team,” and a way to exercise political influence in a potentially novel
way. Watching how this process unfolds will be important for cybersecurity
and international norms scholars, and those studying the role of technology
and technology companies in politics more broadly.
Notwithstanding the general pessimism in the cyber community
regarding the future of common cyber norms, international norms often start
as informal, loose standards and progress to more firm rules—both legally
and socially.
NOTES
1. We thank Nicole Deitelhoff, Florian Egloff, Xenija Grusha, and the PRIF PhD
colloquium for their helpful comments and suggestions. A previous version of this
paper was presented at the inaugural Hague Program for Cyber Norms
Conference, November 5–7, 2018. Many thanks to Dennis Broeders, Corianne Oosterbaan,
and the rest of the Hague Program’s team for putting this collection together, and for
their assistance in turning our initial paper into this book chapter.
2. Industrial manufacturer Siemens has initiated a cybersecurity “Charter of Trust,”
though with fewer members—16—and less public fanfare (as of July 25, 2019).
3. As of July 25, 2019, the Tech Accord website lists 111 members. Two
companies originally announced as joining are now no longer listed, CA Technologies
and Symantec (both joined in April 2018). One company currently listed was never
announced in a press release, Sharp. For consistency, all three have been omitted from
the data used in this paper, resulting in a final list of 110 members.
4. We assign one sector per company, opting for the most significant sector if
a company is involved in multiple lines of business. For example, the Japanese
conglomerate Hitachi is coded as “Industrial,” though it also produces consumer
electronics, and Microsoft is coded as “Software” while also offering cloud services.
Sectors are defined as follows.
IT: general IT services, web/app development, call centers
Information security: vendors, threat intelligence, security solutions and
software (e.g. antivirus)
Telecom: telecommunications firms, internet service providers
Platform: platform companies, social media, online marketplaces
Industrial: heavy machinery, industrial equipment
Software: content management software, tax software, operating systems, apps
Hardware: personal computers, routers, networking and computing hardware
Cloud: web hosting, data storage, cloud services
Misc.: residual category
5. Press releases were searched via online queries for “Tech Accord” +
[company name]. We assume that there are no language or translation problems with this
approach, as the query is not specific to the English language.
BIBLIOGRAPHY
Avast. 2018. “US & UK Issue Security Warning and Tech Giants Join Forces.”
April 20.
https://blog.avast.com/us-uk-issue-security-warning-and-tech-giants-join-forces-avast.
Baker, Stewart. 2018. “If Paris Calls, Should We Hang Up? (11:55 Onwards).” The
Cyberlaw Podcast. Episode 240.
https://www.lawfareblog.com/cyberlaw-podcast-if-paris-calls-should-we-hang.
Bitdefender. 2018. “Your Protection Is Our Mission, and We’re Serious About It.”
April 17.
https://businessinsights.bitdefender.com/your-protection-is-our-mission-and-were-serious-about-it.
Börzel, Tanja, and Nicole Deitelhoff. 2018. “Business.” In The Oxford Handbook of
Governance and Limited Statehood, edited by Thomas Risse, Tanja Börzel, and
Anke Draude, 250–271. Oxford, UK: Oxford University Press.
Deitelhoff, Nicole, and Klaus Dieter Wolf. 2013. “Business and Human Rights: How
Corporate Norm Violators Become Norm-Entrepreneurs.” In The Persistent Power
of Human Rights: From Commitment to Compliance, edited by Thomas Risse,
Stephen C. Ropp, and Kathryn Sikkink, 222–238. Cambridge Studies in International
Relations 126. Cambridge, UK: Cambridge University Press.
DeNardis, Laura. 2014. The Global War for Internet Governance. New Haven, CT:
Yale University Press.
Der Spiegel. 2013. “Wie Microsoft Systematisch Den Geheimdiensten Hilft,” July
12.
http://www.spiegel.de/netzwelt/netzpolitik/wie-microsoft-mit-fbi-nsa-und-cia-kooperiert-a-910863.html.
ESET. 2018. “ESET Joins Cybersecurity Tech Accord.” June 20.
https://www.eset.com/int/about/newsroom/press-releases/announcements/eset-joins-cybersecurity-tech-accord-1/.
Finnemore, Martha, and Duncan B. Hollis. 2016. “Constructing Norms for Global
Cybersecurity.” American Journal of International Law 110 (3): 425–479.
Finnemore, Martha, and Kathryn Sikkink. 1998. “International Norm Dynamics and
Political Change.” International Organization 52 (4): 887–917.
Flohr, Annegret, Lothar Rieth, Sandra Schwindenhammer, and Klaus Dieter Wolf.
2010. The Role of Business in Global Governance. Basingstoke, UK: Palgrave
Macmillan.
France Diplomatie. 2018. “Paris Call for Trust and Security in Cyberspace.”
November 12, 2018.
https://www.diplomatie.gouv.fr/IMG/pdf/paris_call_text_-_en_cle06f918.pdf.
Fuentes, José M. de, Lorena González-Manzano, Juan Tapiador, and Pedro
Peris-Lopez. 2017. “PRACIS: Privacy-Preserving and Aggregatable Cybersecurity
Information Sharing.” Computers & Security 69: 127–141.
Gigamon. 2018. “Gigamon Joins Cybersecurity Tech Accord.” June 20.
https://blog.gigamon.com/2018/06/20/gigamon-joins-cybersecurity-tech-accord/.
Global Network Initiative. 2017. “Global Network Initiative Governance Charter.”
https://globalnetworkinitiative.org/gin_tnetnoc/uploads/2018/04/GNI-Governance-Charter.pdf.
Gorwa, Robert, and Anton Peez. 2019a. “Charmeoffensiven. Ist Das Schon
Außenpolitik, Was Die Großen Technologiekonzerne Betreiben?” Internationale
Politik 74 (4): 25–29.
Gorwa, Robert, and Anton Peez. 2019b. “Big Tech Hits the Diplomatic Circuit.”
Berlin Policy Journal/German Council on Foreign Relations (DGAP).
https://berlinpolicyjournal.com/big-tech-hits-the-diplomatic-circuit/.
Grigsby, Alex. 2017. “The End of Cyber Norms.” Survival 59 (6): 109–122.
doi:10.1080/00396338.2017.1399730.
Henriksen, Anders. 2019. “The End of the Road for the UN GGE Process: The Future
Regulation of Cyberspace.” Journal of Cybersecurity 5 (1).
doi:10.1093/cybsec/tyy009.
Hurel, Louise Marie, and Luisa Cruz Lobato. 2020. “Cyber-Norms
Entrepreneurship? Understanding Microsoft’s Advocacy on Cybersecurity.” In
Governing Cyberspace: Behaviour, Power and Diplomacy, edited by Dennis Broeders
and Bibi van den Berg. London: Rowman & Littlefield.
Hurel, Louise Marie, and Luisa Cruz Lobato. 2018. “Unpacking Cyber Norms:
Private Companies as Norm Entrepreneurs.” Journal of Cyber Policy 3 (1): 61–76.
Jakobi, Anja P. 2013. “Non-State Actors All Around: The Governance of
Cybercrime.” In The Transnational Governance of Violence and Crime, edited by
Anja P. Jakobi and Klaus Dieter Wolf, 129–148. London, UK: Palgrave Macmillan.
doi:10.1057/9781137334428.
Jeutner, Valentin. 2019. “The Digital Geneva Convention. A Critical Appraisal of
Microsoft’s Proposal.” Journal of International Humanitarian Legal Studies 10
(1): 158–170. doi:10.1163/18781527-01001009.
Katzenstein, Peter J. 1996. The Culture of National Security: Norms and Identity in
World Politics. Columbia University Press.
Keck, Margaret E., and Kathryn Sikkink. 1998. Activists Beyond Borders: Advocacy
Networks in International Politics. Ithaca, NY: Cornell University Press.
Kello, Lucas. 2017. The Virtual Weapon and International Order. New Haven, CT:
Yale University Press.
KoolSpan. 2018. “An Enduring Principle: KoolSpan Joins Cybersecurity Tech
Accord To Lead Industry Efforts For Collective Cyber-Defense.”
https://koolspan.com/koolspan-joins-cybersecurity-tech-accord/.
Korzak, Elaine, and Herb Lin. 2018. “Proposal for a Cyber-International Committee
of the Red Cross.” Lawfare. October 17.
https://www.lawfareblog.com/proposal-cyber-international-committee-red-cross.
Landau, Susan. 2014. “Highlights from Making Sense of Snowden, Part II: What’s
Significant in the NSA Revelations.” IEEE Security & Privacy 12 (1): 62–64.
Lantis, Jeffrey S., and Daniel J. Bloomberg. 2018. “Changing the Code? Norm
Contestation and US Antipreneurism in Cyberspace.” International Relations 32
(2): 149–172.
Lété, Bruno, and Peter Chase. 2018. “Shaping Responsible Behavior in Cyberspace.
Workshop Briefing Paper.” The German Marshall Fund of the United States.
http://www.gmfus.org/publications/shaping-responsible-state-behavior-cyberspace#.
Matsakis, Louise. 2018. “The US Sits Out an International Cybersecurity
Agreement.” Wired, November 12.
https://www.wired.com/story/paris-call-cybersecurity-united-states-microsoft/.
Mueller, Milton. 2010. Networks and States: The Global Politics of Internet
Governance. Information Revolution and Global Politics. Cambridge, MA: MIT Press.
New York Times. 2013. “Report Indicates More Extensive Cooperation by Microsoft
on Surveillance,” July 11.
https://www.nytimes.com/2013/07/12/us/report-indicates-more-extensive-cooperation-by-microsoft-on-surveillance.html.
Niemann, Holger, and Henrik Schillinger. 2017. “Contestation ‘All the Way down’?
The Grammar of Contestation in Norm Research.” Review of International Studies
43 (01): 29–49. doi:10.1017/S0260210516000188.
Rid, Thomas. 2013. Cyber War Will Not Take Place. London: Hurst & Company.
Risse, Thomas, Stephen C. Ropp, and Kathryn Sikkink, eds. 1999. The Power of
Human Rights: International Norms and Domestic Change. Cambridge, UK:
Cambridge University Press. http://ebooks.cambridge.org/ref/id/CBO9780511598777.
Schneier, Bruce. 2015. “Cisco Shipping Equipment to Fake Addresses to Foil NSA
Interception.” March 20.
https://www.schneier.com/blog/archives/2015/03/cisco_shipping_.html.
Segal, Adam. 2017. “The Development of Cyber Norms at the United Nations Ends
in Deadlock. Now What?” Council on Foreign Relations. June 29.
www.cfr.org/blog/development-cyber-norms-united-nations-ends-deadlock-now-what.
Smith, Brad. 2017a. “The Need for a Digital Geneva Convention. Blog Post.”
Microsoft on the Issues. February 14.
https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/.
———. 2017b. “The Need for a Digital Geneva Convention. Transcript of Keynote
Address at the RSA Conference 2017.”
https://blogs.microsoft.com/uploads/2017/03/Transcript-of-Brad-Smiths-Keynote-Address-at-the-RSA-Conference-2017.pdf.
———. 2018. “Digital Peace in an Age of Cyber Threats. Speech and Q&A at the
Peace Palace, The Hague, the Netherlands.” November 6, 2018.
StatCounter. 2018. “Desktop Operating System Market Share Worldwide. September
2017–September 2018.”
http://gs.statcounter.com/os-market-share/desktop/worldwide.
Tech Accord. 2018a. “Cybersecurity Tech Accord. Protecting Users and Customers
Everywhere.” https://cybertechaccord.org/accord/.
———. 2018b. “Cybersecurity Tech Accord Expands Rapidly; Announces
Partnership with Global Forum on Cyber Expertise (GFCE).”
https://cybertechaccord.org/gfce_partnership/.
Telefónica. 2018. “Telefónica among Leading Tech Companies Which Pledge to
Fight Cyberattacks.” April 17.
https://www.telefonica.com/es/web/public-policy/blog/articulo/-/blogs/telefonica-amongst-leading-tech-companies-which-pledge-to-fight-cyberattacks.
The Guardian. 2013a. “Microsoft Handed the NSA Access to Encrypted Messages.”
July 12.
https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data.
———. 2013b. “Microsoft Likens Government Snooping to Cyber Attacks.”
December 5.
https://www.theguardian.com/technology/2013/dec/05/microsoft-likens-government-snooping-cyber-attacks.
———. 2013c. “Twitter, Facebook and More Demand Sweeping Changes to US
Surveillance.” December 9.
https://www.theguardian.com/world/2013/dec/09/nsa-surveillance-tech-companies-demand-sweeping-changes-to-us-laws.
Trend Micro. 2018. “The Cybersecurity Tech Accord: Time to Come Together to
Combat Digital Threats.” April 17.
https://blog.trendmicro.com/the-cybersecurity-tech-accord-time-to-come-together-to-combat-digital-threats/.
Turner, Fred. 2008. From Counterculture to Cyberculture: Stewart Brand, the Whole
Earth Network, and the Rise of Digital Utopianism. Chicago, IL: University of
Chicago Press.
Cyber-Norms Entrepreneurship?
Understanding Microsoft’s
Advocacy on Cybersecurity1
Louise Marie Hurel and Luisa Cruz Lobato
Call for Trust and Security, the CyberPeace Institute and engagement with
governments—bilaterally or via international organizations—(Barrinha and
Renard 2018), suggest that, at least when it comes to cyberspace, companies
have devised distinct regulatory and organizational strategies to build their
legitimacy to negotiate with states. Of particular interest is the fact that their
legitimacy as political actors is once again being debated.2 What is more,
Microsoft’s involvement with cyber norms-making has reanimated much
of the talk on norms and private governance, as becomes evident from the
number of recent debates on this topic.3
We take the contestation over Microsoft’s legitimacy as norm entrepreneur
as an entry point to the discussion of how global cybersecurity governance
unfolds in practice and how, instead of focusing on either the “public” or
“private” aspects of it, cybersecurity governance happens in a grey zone of
continuous contestation and negotiations over who can engage in norms-making,
how norms are made and what counts as a norm. In a previous study, we paid
attention to the first question, looking at how private actors shape
cybersecurity by means of public-private partnerships, lobbying, and
self-regulation (Hurel and Lobato 2018). Now, we take a step further and look
at how organizational complexity might highlight different modalities of
exerting influence on public policy and engage in an interdisciplinary effort
to portray the socio-technical arrangements (both intra-organizationally and
internationally) as parts of a norms-making continuum. This exercise is
relevant to the study of power, influence, agency, and authority in global
cybersecurity governance, as it allows us to grasp the specific organizational,
technical, and material arrangements that support the practices of stakeholders
to negotiate their conditions of engagement in cybersecurity governance.
Furthermore, these strategies allow us to deepen the critique of who produces
norms so as to address the ontological problem of what it is to produce a norm.
In this chapter, we seek to provide two major contributions to the ongoing
debate on cyber norms. The first contribution is with respect to how norms are
usually conceived within this debate. Rather than being contained in the
written text (law and regulation), norms extend to the processes (see Finnemore
and Hollis 2016) of negotiation that happen until they reach their “final”
(written) form and also to the agencies, resources, and organizational and
technological structures that are mobilized in order for them to reach
widespread public debate. The “expectations of behavior” that are a necessary
component of norms also come in different forms, including through an
infrastructure of access established to promote values such as transparency and
trust (e.g., Transparency Centers). The second relates to the understanding of
how global cybersecurity governance unfolds in practice and which agencies count
as legitimate in the process of negotiating cyber norms. As we argue, the
question of who’s
misses the fact that they do not act only where and when governments fail.
The 1980s opening of global markets also enabled an increase in the “spaces”
in which companies could act: by means of the delegation of a number of state
competencies to the private sector (privatization), as well as the incorporation
of market rationales into government functions (marketization), a number
of new fields of intervention and competition opened to private companies
(Bevir 2009; Crouch 2004). However, rather than meaning that corporations
would “fill the gap” left by governments, this opening up provided for new
spaces for contested and negotiated governance, that is to say, spaces in which
corporations and government actors had to, at all times, negotiate their own
roles. What is more, with the so-called revolving door between public and
private sectors (which was observable also from the professional backgrounds of
part of our interviewees at Microsoft), part of the negotiations likely benefits
from a shared understanding and grammar about what kinds of approaches
and issues should be prioritized in public policy and how. Thus, rather than
taking place in the absence of “public” governance, “private” governance is
often deeply intertwined with it (Lobato 2016).
In this sense, contemporary private governance presents us with important
challenges. First, it is difficult to define the boundaries of private groups’
decisions that make it into public policy. Whereas private organizations make
policies that affect the larger public, their rule-making functions often remain
concealed by the variety of forms they take, which include trade associations,
not-for-profit organizations, and public policy teams within for-profit
enterprises. Second, their operations can result in a lack of the transparency,
accountability, and legitimacy that are required of governments, despite the
fact that private groups make and enforce rules that bind people to follow
them, just like governments’ laws and regulations (Rudder, Fritschler, and
Jung Choi 2016).
Notwithstanding these challenges, this is a significant area of cybersecurity
governance that deserves further scrutiny. Despite the often tacit recognition
of private groups’ role in shaping cybersecurity, there is scant empirical
analysis on how this happens and through which venues.6 This might
be due to a difficulty in accepting that companies’ practices, such as lobbying,
and principles-based action, including norms promotion, are not mutually
exclusive. Companies are very often analyzed under the terms of rational
choice theory: they are usually seen as rational actors, acting on a
cost-benefit based evaluation, rather than on any “common good” incentives.
Claims of companies acting on moral or normative grounds are promptly criticized
either because corporations cannot be morally distinguished from the human
beings that constitute them (Rönnegard 2015) or because companies, even
when acting on social ends, are seen to do so exclusively to maximize profits
(Friedman 2007). And when companies are recognized as possibly acting on
some kind of normative or social grounds, it is argued that, when doing so,
they are not reduced to the actions and interests of their members. The
challenge is, therefore, one of continuously attempting to locate agency amid a
complex and evolving organizational structure in a context where perhaps
that is not possible.
When it comes to cybersecurity, the increasing digitization of society and
governments’ reliance on informational infrastructures (cloud computing and
data centers) provide a significant element for thinking about norms
entrepreneurship and private governance more generally. Business models are in
constant development and this includes, but is not restricted to, (i) the
diversification of services and products, (ii) continuous organizational
flexibility (new teams, posts) and (iii) key leadership influence. This plays a
fundamental part in understanding the socio-technical dimension of private
governance of actors such as Microsoft. The development of solutions and
services requires careful consideration as it embeds specific protocols and
functionalities that are selected to maintain a secure ecosystem. On the one
hand, these arrangements prescribe what kind of security is “desirable” and
“available” for consumers (public or private) (Hurel 2018) through technical
architectures, protocol specifications, and security control mechanisms. Media
and Communications scholars have drawn on science, technology and society
studies to expose emerging dynamics of power of platforms and infrastructures
(Kitchin 2014; Gillespie 2017; Plantin et al. 2017; Gorwa 2019). They consider
protocols, algorithms, infrastructures, and technical systems as an integral
part of the governance of and by platforms. On the other hand, the development
of products and services happens within a wider framework of overarching
principles (trust and security), objectives and/or company strategies.
Understanding how corporate actors promote norms in cybersecurity,
therefore, requires an integrated perspective between the socio-technical,
organizational, and political arrangements. As the following sections show,
the visibility of these configurations is indispensable and perhaps
indissociable in understanding private influence in cybersecurity governance,
in general, and norms-entrepreneurship, in particular. As one of our
interviewees suggested, the global and diplomatic engagement is part of a
continuum of what is done and advocated for on the enterprise side of the
company. Though often invisible to cyber-norms discussions, these arrangements
provide the conditions of existence for the big tech companies to exert
influence and maintain their engagement nationally, regionally, and globally
with different stakeholder groups.
As this chapter seeks to illustrate, norms-making and entrepreneurship
are not restricted to echoing or proposing new terms or international norms;
rather, they encompass a complex negotiation of the values and services and are
enabled by continuous organizational flexibility and key leadership influence.
Therefore, delving into the practices of companies and showing how complex
structures of governance work offers us a privileged take on how different
kinds of norms are produced and negotiated. It also allows us to go deeper
into the different practices adopted by the company so as to show that norms
may come in a variety of shapes—the Tech Accord and the Digital Geneva
Convention are but the tip of the iceberg; contemporary corporate
entrepreneurship also comprises voluntary self-commitments in reaction to public
expectations, rather than simply being a response to “delegated tasks” (Hurel
and Lobato 2018, 67).
Unlike other big tech companies, Microsoft engages as much in platform
governance7—by embedding compliance within their platform, for example,
making sure that it is not being used to violate intellectual property, and so
on—as they seek to establish room for themselves as both industry leaders
and government interlocutors (Interview, September 2019). When asked
why a company would get involved with cyber norm promotion, an
interviewee answered that global companies should be able to get governments
to talk and that it is impossible for governments to do it all [the
governance work in cyberspace] by themselves. At the same time, however, s/he
emphasized that it is of fundamental importance that governments and
companies act together in combating cybercrime, for example, and that
corporations are unable to pursue this task by themselves (Interview, September
2019). Also part of Microsoft’s business strategy (Interview, October 2019),
norms become important meaning settlers and indicators of commitment
between parties. In addition to engaging in lobbying with national
governments, the company has for some time now raised interest for its explicit
advocacy on norms of state behavior in cyberspace (Smith 2017). As we will
explore in detail in section three, such engagement means that, despite obvious
resistance and suspicion on the part of governments (and diplomats most of
all), the company is effectively there (in the meeting room) when it comes
to discussing and negotiating action and norms with states.
Several times when conducting this research, we were met with the question
of why we were looking at Microsoft, or if, due to its open advocacy
and engagement with norms promotion, this would not be an exceptional
case rather than a pattern, or even whether we could provide any valuable
generalization from this case. Particularly interesting about Microsoft’s
case is that, because it is sui generis and not (yet) followed by its peers in
the private sector when it comes to openly carving out a space for itself as
a legitimate interlocutor in norms debate, it offers us an as yet underexplored
perspective on potential new unfoldings of private practices in global
governance. While they indeed embrace many of the patterns for private
action that are identified by the specialized literature—hybridization,
revolving door, reliance on PPPs, increased participation in decentralized
governance
company, but the social tensions and norms that are negotiated within and
outside the company environment.
Interestingly, the company’s narrative in cases such as this is one of exposing
an inherent tension present in negotiating their role in the protection of
individual “liberties of privacy and free speech and civil society requirements
like public safety” (Nadella 2017, 112). However, it is also followed and
informed by the development of strategies to further guide action. In
Microsoft’s case, this includes but is not restricted to the principle of
designing trust in products and customers, partners, and governments. The
“Redmond-based yet globally present” organizational structure is also an
important feature for understanding how they claim legitimacy over their role in
cybersecurity governance. As Brad Smith noted, “[t]he products and companies are
far more global, and the pervasive nature of information and communications
technology increasingly thrusts the tech sector into the center of foreign
policy issues.”
A second shift that followed from this “Windows-centric” to “cloud-first”
model pertains to the relations of the company with governments. As one
interviewee observed, for some time, some governments in Latin America
were suspicious of the company for its monopoly on software services (and,
accordingly, leveling up the pricing due to its comfortable position back then)
and for its legal allegiance to the U.S. government, due to the fact that
Microsoft is a U.S. company.12 This has now changed, prompted by an increase
in market competition, the loss of its monopoly of software production and
distribution and by the attempts to carve out other market niches for the
company (as the shift promoted by Mr. Nadella indicates). Not only did Microsoft
need to “reinvent” themselves, they also had to convince governments that
they could be trusted partners, which also depended on negotiating with their
government interlocutors the need to establish transparency mechanisms and
encode values, such as privacy, security, and trust, within their products.13
This need becomes evident from one interview, held in October 2019, when it
was said that if [Microsoft] could not show their clients and users (especially
governments) that their products were safe, they would likely end up losing
clients.
One such channel for building trust would be the company’s transparency
centers. Located in five different places across Asia, Latin America, Europe,
and the United States (there is no transparency center in the African continent
to date), these centers allow governments to access source code and proprietary
information from Microsoft’s products and inspect them whenever there
is suspicion about the products provided by the company. However, when
we asked one of our interviewees whether anyone in the government of
country A14 had already requested access to the source code,
the answer was negative (here, we could speculate whether this could be due
reach and rising concerns with cybersecurity: “The products and companies
are far more global, and the pervasive nature of information and communication
technology increasingly thrusts the tech sector into the center of foreign
policy issues” (Smith and Browne 2019, 80). In order to advance their
diplomatic engagement, the company works to influence global cybersecurity
governance directly and indirectly. Engagement, on this front, relies mostly
on the mobilization of staff within the company’s Department of Corporate,
External, and Legal Affairs (CELA)15 and, most importantly, the Digital
Diplomacy Team.
Microsoft works to advance multistakeholder and multilateral processes
indirectly, whether through funding cybersecurity conferences,16 participating
in working groups,17 attending international cybersecurity conferences
or signaling support for norm entrepreneurship by others. When placed within
a wider horizon of activities (indirect influence), entrepreneurial efforts
and cyber-norms documents of the company, the Digital Geneva Convention
is but one public-facing activity within a thread of continuous normative
arrangements. Most notably, examples such as the Paris Call on Trust and
Security and the Christchurch Call portray this cross-sector outward-facing
norms engagement. However, members of the CELA Department also work
continuously in providing inputs to specific multistakeholder cybersecurity
processes. That is the case with the Internet Governance Forum,18 where
Microsoft has been continuously contributing to the work of the Best Practice
Forum on Cybersecurity, providing inputs to annual consultations. Within the
Global Forum on Cyber Expertise, Microsoft has not only participated but
also led—alongside government representatives—specific task forces on the
implementation of cyber norms, Confidence-Building Measures and cyber
diplomacy (see GFCE 2019).
Direct diplomatic engagement is equally central to the process of influencing
the development of cyber norms as well as pushing for broader
participation of the private sector in cyber diplomacy. Even though, from
a tech sector standpoint, it might be indisputable that—as infrastructure
providers and platform developers—a company such as Microsoft holds
a considerable role in shaping and participating in global cybersecurity
governance along with other tech giants, that is not necessarily the case
when it comes to cyber-norms discussions in international processes such
as the United Nations Group of Governmental Experts (UNGGE), whose
main objective has been to discuss norms for responsible state behavior in
cyberspace and, most recently, consider the applicability of international
law in cyberspace. In light of the fundamental and immediate implications of
any international negotiation such as the UNGGE, Microsoft has a direct
interest in mobilizing its resources to promote norms that help mitigate and
diminish cyberattacks and conflicts in an interdependent ecosystem such
as cyberspace (see McKay et al. 2014; Charney et al. 2016; Nadella 2017;
McKay 2018; Smith and Browne 2019).
Even though the company has maintained a long-standing relationship
with different governments as part of their Government Security Programme,
bilateral agreements or PPP, the international cyber-norms discussions
present a slightly different landscape (forums, initiatives) of interaction.
Though bilateral and closed-meeting interactions are much more challenging
to take into account in the study of how norms are built in practice, there is
something to be said about how the company has expanded their engagement
with governments, be it on the “techplomacy” side, interacting with tech
ambassadors from Denmark, Australia, and France, or by creating a diplomatic
cyber norms-oriented agenda to engage with governments bilaterally and
multilaterally. One example worth noting is the Christchurch Call: Brad Smith
narrates his encounter with New Zealand prime minister Jacinda Ardern in
March 2019, and how the Paris Call set a precedent back in December 2018 for
thinking about a mechanism that could potentially bring governments, tech
sector, and civil society together (Smith and Browne 2019).
Cases such as this highlight an important feature of normative cascading
effects of emerging cross-sector exchange—they also portray how Microsoft’s
diplomatic-focused interaction with governments has opened up avenues for
their interaction with governments.19
Diplomatic efforts are not limited to strengthening ties with governments
and/or socializing norms and principles in different multilateral fora; rather,
they entail circulating and developing norms from and for the private sector.
That is the case of the Cybersecurity Tech Accord (CTA), a private
sector-facing initiative launched in April 2018 that seeks to promote spaces for
collective action, capacity building, and cooperation among global technology
companies. The CTA also serves as a platform supporting other industry
partners to onboard into cyber-norms discussions by (i) providing them the
opportunity to attend consultations and conferences alongside governments
and/or civil society and (ii) planning coordinated action and response to
international processes (see Tech Accord 2019). Another example of
peer-collaboration is the Global Internet Forum to Counter Terrorism (GIF-CT),
an initiative established in early 2017 by Twitter, Facebook, Microsoft,
and YouTube to deepen industry collaboration to combat terrorist abuse of
platforms. Following the Christchurch Call, this group of companies has
announced the creation of an independent initiative to work in a more
structured setting with government and civil society organizations in
preventing the exploitation of digital platforms by terrorists and violent
extremist groups. Spaces such as this not only contribute as a coordination
point, but serve as a knowledge and skills-sharing platform between sectors.
However, such coordination and interaction contribute to the emergence of hybrid
legal (Belli and Venturini 2016) architectures. But these approaches remain
mostly restricted to either self or individual regulation. Whereas they give
us a hint on how companies—intentionally or not—develop sophisticated
regulatory mechanisms through their products and services, they are less
helpful once we try to make sense of the varied, sometimes conflicting or
not-always-coherent-in-practice, organizational architectures underpinning such
regulatory efforts. They are also not very helpful once we ask why and how
companies engage with state actors to advocate for moral standards and common
social codes of conduct to other actors beyond their peers in the private
sector. Without in-depth discussion of why/how this happens, we foreclose
our own understanding of how legitimacy is built through such efforts, as
well as debates about how we should be dealing with these kinds of practices.
Adding to the burgeoning literature and policy initiatives to advance cyber
norms (NATO 2013; McKay et al. 2014; Osula and Rõigas 2016; Finnemore
and Hollis 2016; Charney et al. 2016; G7 2017; Nye 2018), Microsoft’s call
for a Digital Geneva Convention has drawn as much attention as suspicion to
the company, as well as to its intentions and chances of succeeding. Whereas
attention to corporate cyber-norms promotion and evaluations of its success
or failure can be useful in assessing the efficacy (or not) of a situated
initiative, both miss an important aspect of Microsoft’s efforts: it is not—and,
possibly, never was—about the Digital Geneva Convention. As our research
on the company’s organizational structure attempted to show, this is but one
situated effort in the context of a diversified range of possibilities for
political articulation undertaken by the company. As we sought to illustrate
throughout this study, each particular relation begs the articulation of
distinct policy strategies, infrastructures, and narratives that, in turn,
constitute a multiplicity of associations in themselves—associations composed
of people in policy teams, lobbying practices, technical systems, pieces of
hardware, software, codes of conduct, different levels of government (local,
state, national, and international), policy documents, physical installations,
and so on. These associations point to the varied ways through which norms are
articulated through corporate practice, some of them fairly straightforward,
such as creating instruments of “soft influence,” that is, policy papers and
whitepapers, and producing advisory opinions, while some not so much—here,
Transparency Centers are a case in point.
The empirical research suggests that such organizational complexity plays
an important role in building legitimacy in private governance. This happens
in—at least—three different ways. First, in devising strategies to deal with
technical challenges to cyberspace security. As a platform and productivity
technology company, Microsoft invests in the development of new technologies,
software, and mitigation of incidents, such as the Conficker worm and
the WannaCry ransomware, and also engages in combating cybercrime
through its cybercrime unit.20 This shaping of both the economic and technical
dimensions of cybersecurity paves the way for private actors to be
“recognized as legitimate by some larger public (that often includes states
themselves) as authors of policies, of practices, of rules, and of norms” (Hall
and Biersteker 2002, 4).
Second, in taking the lead in the proposal of a tech accord in the private
sector and entering into cooperation with companies within and outside the
tech sector, Microsoft has sought to establish itself as a moral leader among
its peers. As Flohr et al. (2010) note, establishing normative standards for its
peers in the private sector is characteristic of corporate entrepreneurship.
When engaging with norms promotion, corporations tend to work as meaning
managers, establishing “new ways of talking about and understanding issues”
(Finnemore and Sikkink 1998, 897). They may also support the setting or
institutionalization of a new norm “by adopting a unilateral company code
as best practice, by lobbying for it among its peers and by engaging in the
creation of a collective self-regulatory initiative” (Flohr et al. 2010, 19) and
play a role even after the norm has acquired some degree of institutionalization,
by engaging with organizations supporting the norm and participating in
revision processes (Flohr et al. 2010).
Third, by actively engaging with norms emergence beyond national
borders, structuring public policy as well as diplomacy teams, regularly
publishing policy documents aimed at state actors and getting involved in
multilateral and multistakeholder policy processes, the company has clearly
sought to stretch the boundaries of its legitimacy. Such stretching has less to
do with the proposal of a Digital Geneva Convention in itself than with the
company’s aforementioned practices and organizational structure. That is to
say, legitimacy building, at this stage, is better understood in terms of the
complex associations and relations that follow from Microsoft’s engagement
with local, state, and national governments and its attempts to build legitimacy
within the private sector and through its technical expertise.
The implications of this for the study of norms-making and power are manifold.
The processual lenses adopted here suggest that power can be less
straightforward than it seems: it can be distributed through internal teams,
technical and policy considerations, expertise, “high-tech” centers, computational
systems, soft-engagement. Consequently, what we call norms-making
is equally distributed in these practices, stretching into every direction thanks
to a dynamic architecture of policy engagement. In this sense, norms-making
cannot be understood as either a state-only process or necessarily an
actor-only process. By reintroducing private governance to the cyber-norms
discussions—that is, looking at the strategies and associations involved in the
establishing of a range of social codes of conduct—our goal was to provide
an exercise of visualizing and further inquiring of what indeed, can pass as a
its home country—the United States—as its main locus for policy making.
Further research is still required about how the company develops relations
with Global South countries and to what extent it is perceived by them as
simply reproducing the interests of its “home country” or as something else.
This could indicate whether the strength of particular associations at the
expense of others might say something and potentially affect the company’s
advocacy. Distinctly, it could also shed a more clarifying light onto how local
politics possibly shape long-term, global policies.
LIST OF INTERVIEWS
NOTES
1. The authors would like to thank Prof. Dennis Broeders, Prof. Duncan Hollis,
and Prof. Anna Leader for their support and invaluable comments to the development
of this chapter. The authors would also like to thank the panel discussion held on
“(Re)assessing the role of private actors in cybersecurity governance” at the ISA Annual
Conference 2019, Toronto.
2. In fact, the political role of companies has been widely debated within
International Political Economy by means of discussions over multinational corporations.
See: Strange (1991; 1996; 1998); Gill and Cutler (2014); Gilpin (1976); May (2015);
Babic, Fichtner and Heemskerk (2017).
3. Such as the 2019 Brazil-EU Consultations on Preventing Conflict in Cyberspace,
the 2018 Conference Responsible Behaviour in Cyberspace: Novel Horizons
and the new European framework for Cyber Sanctions.
4. Notably, they are progressively becoming a locus of attention. See, for example,
Dunn Cavelty (2016) and Carr (2016).
5. In this work, we also consider studies in Global Governance and
International Political Economy as IR.
6. This has also proven to be a challenge to the development of this chapter. In
spite of having conducted interviews, analyzed public documentation, and engaged in
participant observation across different events, the traceability of Microsoft’s
engagement and interests was an exercise in itself. The generativity and fast-paced change
of the company’s organizational structure allowed us to further understand that their
engagement in diplomacy, policy and product development (enterprise side) is a
continuous process of communication and internal negotiation. Norms are continuously
challenged, reinforced, maintained, and transformed within complex arrangements
that do not necessarily imply a clear-cut rational and objective response. Rather,
they rely on internal alignments, leadership, and narrative-building.
7. However, in a far less explicit fashion than its peers (e.g., Facebook or Google)
also due to different business models.
8. Executive security adviser at Microsoft Enterprise Cybersecurity Group.
9. See Smith and Browne (2019) chapter 5 note 2 for a detailed description of the
development of the DCU since the early 2000s.
10. The Cybersecurity Policy Framework, launched in 2018, holds together
many of the previous documents directed to capacity building and development of
national cybersecurity strategies. It serves as an interesting case for understanding
how Microsoft gradually organized their agenda and positions on this particular area.
Most importantly, they explicitly state the purpose of the document—and their aim
in circulating it—that is, to provide “a high-level overview of concepts and priorities
that must be top of mind when developing an effective and resilient cybersecurity
policy environment” (McKay 2018).
11. Interestingly, in 2012, Microsoft developed an expected cybersecurity policy
PPP timeline called “Cybersecurity Policy and Partnership Evolutionary Curve” that
ranged from their early experiences in working with governments at the national
level—risk management (2000) and resiliency (2005)—to new avenues for collaboration
on cyber norms at the international level—starting from Internet governance
(2010) to cybersecurity norms development (2015) and finally reaching harmonization
(2020) (Thomlinson 2012).
12. Curiously, possibly in anticipation of this kind of criticism, one interviewee
promptly emphasized the legal bond of the subsidiary in which s/he worked with the
country in which it operated.
13. See Nadella (2017) and Smith (2019) for a detailed account of how both the
president and CEO of the company portrayed the internal negotiations during the
Snowden revelations and how they responded by deciding to sue the U.S. government
through the Foreign Intelligence Surveillance Court.
14. Where the subsidiary for which s/he works operates.
15. Regionally, the CELA Departments work to represent global principles and
advocacy strategies in their respective countries.
16. Such as the Paris Peace Forum in 2018 (see Belin 2018), Global Commission
on the Stability of Cyberspace, Global Conference on Cyberspace and others.
17. Such as the Best Practice Forum (BPF) on Cybersecurity within the Internet
Governance Forum, or different Working Groups of the GFCE.
18. A global multistakeholder platform of the United Nations dedicated to
facilitating the discussion of public policy issues related to the Internet.
19. In cyber norms-discussions (both internationally and regionally), Microsoft
is perhaps the only industry representative participating in closed-door negotiations
continuously. Though it is more challenging to generalize when it comes to
interaction and influence in concealed environments, through participant observation the
researchers were able to identify specific occasions where the company was the only
industry partner represented either in multilateral negotiations or in closed
multistakeholder environments. In early 2019, the EU Cyber Forum was followed by a closed
civil society side meeting. Participants included civil society organizations, think
tanks, academics and Microsoft. Examples such as this not only illustrate the emerging
spaces of interaction resulting from sustained engagement with the global cybersecurity
and cyber-norms community, but also create an entry point for them to advocate,
communicate and bring other industry sectors—such as those that are members of the
CTA. All of this supports the narrative echoed by Brad Smith of industry as technology
providers and central to the promotion of peace and secure cyberspace.
20. The digital crime unit, in cooperation with academic experts and industry,
successfully took down the Rustock botnet (Microsoft 2011) and further engaged in
joint operations with the financial sector and law enforcement agencies—the most
aggressive operation being Operation b54 (Boscovich 2013).
REFERENCES
Bies, Robert J., Jean M. Bartunek, Timothy L. Fort, and Mayer N. Zald. 2007. “Corporations as social change agents: Individual, interpersonal, institutional, and environmental dynamics”. Academy of Management Review, 32 (3): 788–793.
Boscovich, Richard Domingues. 2013. “Microsoft works with financial services industry leaders, law enforcement and others to disrupt massive financial cybercrime ring”. The Official Microsoft Blog. (Available at: https://blogs.technet.microsoft.com/microsoft_blog/2013/06/05/microsoft-works-with-financial-services-industry-leaders-law-enforcement-and-others-to-disrupt-massive-financial-cybercrime-ring/; accessed: Sept. 3, 2018.)
Bouwen, Pieter. 2002. “Corporate lobbying in the European Union: The logic of access”. Journal of European Public Policy, 9 (3): 365–390.
Burt, Tom. 2018a. “Announcing the defending democracy program”. Microsoft. (Available at: https://blogs.microsoft.com/on-the-issues/2018/04/13/announcing-the-defending-democracy-program/; accessed: Sept. 10, 2018.)
Burt, Tom. 2018b. “Protecting democracy with Microsoft AccountGuard”. Microsoft. (Available at: https://blogs.microsoft.com/on-the-issues/2018/08/20/protecting-democracy-with-microsoft-accountguard/; accessed: Sept. 10, 2018.)
Burt, Tom. 2018c. “Defending against disinformation in partnership with NewsGuard”. Microsoft. (Available at: https://blogs.microsoft.com/on-the-issues/2018/08/23/defending-against-disinformation-in-partnership-with-newsguard/; accessed: Sept. 10, 2018.)
Carr, Madeline. 2016. “Public–private partnerships in national cyber-security strategies”. International Affairs, 92 (1): 43–62.
Charney, Scott, Erin English, Aaron Kleiner, Nemanja Malisevic, Angela McKay, Jan Neutze, and Paul Nicholas. 2016. “From articulation to implementation: Enabling progress on cyber security norms”. Microsoft, white paper, June 2016.
Crouch, Colin. 2004. “Markets and states”. In: Nash, Kate, and Alan E. Scott (eds.). The Blackwell Companion to Political Sociology, 240–249. Oxford: Blackwell.
Digital. n.d. “Digital crimes unit: Leading the fight against cybercrime”. Microsoft, policy paper.
Dunn Cavelty, Myriam. 2016. “Cyber-security and private actors”. In: Rita Abrahamsen and Anna Leander (eds.). Routledge Handbook of Private Security Studies. New York: Routledge.
Dunn Cavelty, Myriam, and Manuel Suter. 2009. “Public-private partnerships are no silver bullet: An expanded governance model for Critical Infrastructure Protection”. International Journal of Critical Infrastructure Protection, 2 (4): 179–187.
ENISA. 2017. Public Private Partnerships (PPP): Cooperative Models. ENISA. (Available at: https://www.enisa.europa.eu/publications/public-private-partnerships-ppp-cooperative-models; accessed: Sept. 6, 2018.)
FEC. 2018. “FEC approves advisory opinion and notification of availability”. Federal Election Commission. (Available at: https://www.fec.gov/updates/fec-approves-advisory-opinion-and-notification-availability/; accessed: Sept. 6, 2018.)
Finnemore, Martha, and Duncan B. Hollis. 2016a. “Constructing norms for global cybersecurity”. Temple University Beasley School of Law. Legal Studies Research Paper n. 52: 89–101.
Finnemore, M., and D.B. Hollis. 2016b. “Constructing norms for global cybersecurity”. American Journal of International Law, 110 (3): 425–479.
Finnemore, Martha, and Kathryn Sikkink. 1998. “International norm dynamics and political change”. International Organization, 52 (4): 887–917.
Flohr, Annegret, Lothar Rieth, and Sandra Schwindenhammer. 2010. The Role of Business in Global Governance: Corporations as Norm-Entrepreneurs. London: Palgrave.
Friedman, M. 2007. “The social responsibility of business is to increase its profits”. In: W.C. Zimmerli, M. Holzinger, and K. Richter (eds.). Corporate Ethics and Corporate Governance. Berlin: Springer.
Fuchs, Doris. 2007. Business Power in Global Governance. Boulder, CO: Lynne Rienner.
G7. 2017. “On responsible states behavior in cyberspace”. Lucca, 17 April 2017. (Available at: https://s3.amazonaws.com/ceipfiles/pdf/CyberNorms/Multilateral/G7+Declaration+on+Responsible+States+Behavior+in+Cyberspace+4-11-2017.pdf; accessed: Sept. 4, 2018.)
Garriga, Elisabet, and Domènec Melé. 2004. “Corporate social responsibility theories: Mapping the territory”. Journal of Business Ethics, 53 (51): 51–71.
GFCE. 2019. “Report GFCE WG A—Task Force on CBMs and norms implementation & Cyber diplomacy”. Global Forum on Cyber Expertise. (Available at: https://cdn.foleon.com/upload/17621/gfce_secretariat_wgm2019_wg_a_report.90f7333bc1c3.pdf; accessed: Oct. 22, 2019.)
Gill, Stephen, and Claire A. Cutler. 2014. “New constitutionalism and world order: General introduction”. In: S. Gill (ed.). New Constitutionalism and World Order, 1–22. Cambridge: Cambridge University Press.
Gilpin, Robert. 1976. “Review: The political economy of the multinational corporation: Three contrasting perspectives”. The American Political Science Review, 70 (1): 184–191.
Gorwa, Robert. 2019. “What is platform governance?” Information, Communication & Society, 22 (6), 854–871.
Gorwa, Robert, and Anton Peez. 2018. “Tech companies as cybersecurity norm entrepreneurs: A critical analysis of Microsoft’s cybersecurity tech accord”. SocArXiv, working paper, December 11, 2018. (Available at: https://doi.org/10.31235/osf.io/g56c9.)
Government. n.d. “Government security program: An overview”. Microsoft, policy paper.
Grigsby, Alex. 2017. “The end of cyber norms”. Survival: Global Politics and Strategy, 56 (6): 109–122.
Hall, Rodney Bruce, and Thomas J. Biersteker. 2002. “The emergence of private authority in the international system”. In: Rodney Bruce Hall and Thomas J. Biersteker (eds.). The Emergence of Private Authority in Global Governance, 3–22. Cambridge: Cambridge University Press.
Hurel, Louise Marie. 2016. “Cybersecurity and internet governance: Two competing fields?”. SSRN. (Available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3036855; accessed: Sept. 10, 2018.)
Hurel, Louise Marie. 2018. “Architectures of security and power: IoT platforms as technologies of government”. MSc diss., London School of Economics and Political Science. (Available at: https://doi.org/10.13140/RG.2.2.28293.29920.)
Hurel, Louise Marie, and Luisa C. Lobato. 2018. “Unpacking cyber norms: Private companies as norms entrepreneurs”. Journal of Cyber Policy, 3 (1): 61–76.
Kitchin, Robert. 2014. The Data Revolution: Big Data, Open Data, Data Infrastructures and Their Consequences. Thousand Oaks, CA: SAGE.
Lapowski, Issie. 2018. “Tech giants are becoming defenders of democracy. Now what?” WIRED, Aug. 22, 2018. (Available at: https://www.wired.com/story/microsoft-facebook-tech-giants-defending-democracy/; accessed: Sept. 10, 2018.)
Latour, Bruno. 1994. “On technical mediation: Philosophy, sociology, genealogy”. Common Knowledge, 3 (2): 29–64.
Latour, Bruno. 2005. Reassembling the Social: An Introduction to Actor-Network-Theory. Oxford: Oxford University Press.
Leander, Anna. 2010. “Commercial Security Practices”. In: P.J. Burgess (ed.). Handbook of New Security Studies. New York: Routledge.
Leigh Star, S., and K. Ruhleder. 1996. “Steps toward an ecology of infrastructure: Design and access for large information spaces”. Information Systems Research, 7 (1): 111–134.
Lobato, Luisa. 2016. “Unravelling the cyber security market: The struggles among cyber security companies and the production of cyber (in)security”. MSc diss., Pontifical Catholic University of Rio de Janeiro. (Available at: https://doi.org/10.17771/PUCRio.acad.27784.)
May, Christopher. 2015. “Who’s in charge? Corporations as institutions of global governance”. Palgrave Communications, 1: 1–10.
Mayntz, Renate. 2003. “New challenges to governance theory”. In: Henrik P. Bang (ed.). Governance as Social and Political Communication, 27–40. Manchester: Manchester University Press.
McIntyre, Mark. 2017. “How public-private partnerships can combat cyber adversaries”. Microsoft. (Available at: https://cloudblogs.microsoft.com/microsoftsecure/2017/12/13/how-public-private-partnerships-can-combat-cyber-adversaries/; accessed: Sept. 4, 2018.)
McKay, Angela. 2018. “Building on experience: A framework for cybersecurity policy”. Microsoft, blog post. (Available at: https://cloudblogs.microsoft.com/microsoftsecure/2018/08/09/building-on-experience-a-framework-for-cybersecurity-policy/; accessed: Sept. 8, 2018.)
McKay, Angela, Paul Nicholas, Jan Neutze, and Kevin Sullivan. 2014. International Cybersecurity Norms: Reducing Conflict in an Internet-Dependent World. Microsoft.
Microsoft. 2005. “Microsoft advocates comprehensive federal privacy legislation”. Microsoft. (Available at: https://news.microsoft.com/2005/11/03/microsoft-advocates-comprehensive-federal-privacy-legislation/; accessed: Oct. 21, 2019.)
Microsoft. 2011. “Taking down Botnets: Microsoft and the Rustock Botnet”. Microsoft corporate blogs. (Available at: https://blogs.microsoft.com/on-the-issues/201
om/on-the-issues/2018/07/13/facial-recognition-technology-the-need-for-public-regulation-and-corporate-responsibility/; accessed: Sept. 9, 2018.)
Smith, Brad. 2017. “The need for a Digital Geneva Convention”. Microsoft blogs. (Available at: https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/; accessed: Sept. 9, 2019.)
Strange, Susan. 1998. States and Markets. San Francisco: University of California Press.
Strange, Susan. 1996. The Retreat of the State: The Diffusion of Power in the World Economy. Cambridge: Cambridge University Press.
Strange, Susan. 1991. “Big business and the state”. Millennium Journal of International Studies, 20 (2): 245–250.
Tech Accord. 2019. “The cybersecurity tech accord response to a call for contributions from best practice forum working group on ‘Cybersecurity Culture, Norms and Values’”. Tech Accord. (Available at: https://cybertechaccord.org/category/policies-rfis/; accessed: Oct. 21, 2019.)
Thomlinson, Matt. 2012. “Cybersecurity norms and the public private partnership: Promoting trust and security in cyberspace”. Microsoft. (Available at: https://cloudblogs.microsoft.com/microsoftsecure/2012/10/05/cybersecurity-norms-and-the-public-private-partnership-promoting-trust-and-security-in-cyberspace/; accessed: Sept. 9, 2018.)
Van Dijck, J. 2013. The Culture of Connectivity: A Critical History of Social Media. Oxford: Oxford University Press.
Wendt, Alexander. 2004. “The state as person in international theory”. Review of International Studies, 30 (2): 289–316.
Wendt, Alexander. 1992. “Anarchy is what states make of it: The social construction of power politics”. International Organization, 46 (2): 391–425.
Wendt, Alexander. 1995. “Constructing international politics”. International Security, 20 (1): 71–81.
Westermann-Behaylo, Michelle K., Kathleen Rehbein, and Timothy Fort. 2015. “Enhancing the concept of corporate diplomacy: Encompassing political corporate social responsibility, international relations, and peace through commerce”. Academy of Management Perspectives, 29 (4): 389.
Liisi Adamson is a PhD researcher at the Hague Program for Cyber Norms.
She has a background in international and comparative law as well as information
technology law from University of Helsinki and University of Tartu,
respectively. Prior to commencing her PhD studies, Liisi served as a research
fellow at the Cyber Policy Institute in Estonia (2014–2017) and as an adviser
to the Estonian delegation to the UN Group of Governmental Experts on
Information Security (2016–2017). Her research at the Hague Program for
Cyber Norms focuses on resilience in the context of cybersecurity.
About the Editors and Contributors
for Cyber Norms at the Institute of Security and Global Affairs. His research
investigates China’s domestic technology policies, as well as China’s participation
in global cyber affairs. His work has been published, among others,
in The China Journal and the Journal of Contemporary China. He is also
a founding member of DigiChina, a project run in cooperation with New
America, as well as a frequent contributor to international news media.
Louk Faesen is a strategic analyst at the Cyber Policy and Resilience Program
of the Hague Centre for Strategic Studies and project manager of the
Global Commission on the Stability of Cyberspace. His research mainly
focuses on international peace and security in cyberspace, norms of responsible
state and non-state behavior, and confidence-building measures (CBMs)
in cyberspace.
Ilina Georgieva is a PhD candidate of the Hague Program for Cyber Norms
at Leiden University’s Institute of Security and Global Affairs. Previously,
Ilina served as a researcher on the Sweetie Project at eLaw, the Center for
Law and Digital Technologies at Leiden University, and was an editor at the
Utrecht Journal of International and European Law. She was also a part of
Heidelberg University’s Cluster of Excellence “Asia and Europe in a Global
Context” and of the Austria Institute for European and Security Policy in her
capacity as a research assistant. She also worked at the Max Planck Institute
for Comparative Public Law and International Law in Heidelberg and served
as a senior research associate and later on as a counsel for the Public International
Law and Policy Group (PILPG).
Steven Hill is a legal adviser and director of the Office of Legal Affairs at
NATO Headquarters in Brussels, Belgium. Mr. Hill came to NATO after
serving as counselor for Legal Affairs at the U.S. Mission to the United
Nations. Prior to his work in New York, Mr. Hill led the legal unit at the
International Civilian Office in Kosovo. He previously worked in the Office
of the Legal Adviser at the U.S. Department of State, where he advised on
the law of armed conflict, human rights law, economic sanctions, and the
law governing diplomatic premises. He was assigned to the U.S. Embassy
in Baghdad from 2004 to 2005. He also served as counsel in proceedings
before the International Court of Justice in 2003 and in several cases before
the Inter-American Commission on Human Rights from 2006 to 2007. Mr.
Hill also actively engages in teaching and research on international law and
he has graduated from Yale Law School and Harvard College.
Louise Marie Hurel is pursuing her PhD in Data, Networks, and Society at
the London School of Economics and Political Science (LSE) working on
technical security expertise, cybersecurity governance, and incident response.
She also leads research and project development at Igarapé Institute’s Cybersecurity
and Digital Liberties Programme. Having concluded her MSc in
Media and Communications (Data and Society) at LSE and BA in International
Relations at PUC-Rio, Louise Marie Hurel’s work focuses on exploring interdisciplinary
approaches to contemporary security challenges and the role of
non-state actors in cybersecurity; having been awarded for her dissertation
“Cybersecurity and Internet Governance: Two Competing Fields.” Louise
Marie has given lectures and presentations at King’s College London, NATO,
ICANN, and other organizations. Her previous experience includes consultancy
for the UNESCO project on “What if we all governed the Internet,” and
research on Internet Governance, privacy, data protection, and security at the
Center for Technology and Society at Getúlio Vargas Foundation (CTS-FGV).