The Quest for a Formal Cyber-regime Should Address Existing Cyber-norms

The Quest for a Formal Cyber-regime Should Address Existing Cyber-norms

Published: December 20th, 2018

The multilateral effort to formulate a discourse of voluntary norms for cyber-conflicts is gaining steam in the last couple of years fueled by justified fears from the risks posed by state sponsored cyber-attacks. Whereas Cyber scholars and professionals are probing about the right institutional design that will generate the right international norms, we should consider that there might be preexisting cybersecurity related trend and conduct between states that can be described as norms. This normative landscape should not be ignored when advancing new international security regimes but serve as a basis for its creation.

Norms are commonly defined as "a relatively stable collection of practices and rules defining appropriate behavior for specific groups of actors in specific situations."[1] Hence international public law is customary in its nature, and the study of the effect of international norms on the creation of international institutions and regimes is not new to scholars.[2] Even the study of international norms and their effect on creation of cybersecurity regimes and institutions, already received attention from esteem scholars such Joseph Nye.[3] A crucial element raised by these theoretical studies are the ability to point the "constitutional moment",[4] of which the transformation of a set of norms aggregately support the establishment of an institution. In this case, when does a set of state cyber conduct can be aggregated to a set of acceptable international conducts or even laws.

The formation of legal norms into written formal security regimes manifested in the enactment and agreement on packs, treaties, arrangement and abiding state laws is a natural process for those who believe that the international legal status of state sovereignty should simulate itself into cyberspace, and for those who fear that the next inter-states cyber-conflict will be worse than ever. As most internet governance and cyber researchers are aware of, the legal attempts to emulate order in the so-called cyberspace are as old as the privatization and commercialization of the internet. The emergence of cybercrime in the 1990's was incentivizing states to take legal action, set court precedence and initiate policy plans and institutions, as proven in the case of the 414 gang,[5] or the state of Israel Vs. Ohad Tenenbaum (known in the U.S as the "Solar Sunrise").[6] Yet the attempt to expand the applicability of the Law of Arm Conflict (LOAC) to address cyber-attacks manifested in the publication of the Tallinn manuals,[7] have failed to gain relative sufficient international support.[8]

The latest most noticeable international multilateral effort to advance cyber-norms, took place at the last few meeting of the "Governments Group of Experts (GGE) on the Developments in the Field of Information and Telecommunications in the Context of International Security" (A/70/174) under the UN 1st committee that is in charge on disarmament and International Security.[9] Lately, due to the inability to reach an agreement in regards to some of the proposed norms at the last 2017 GGE meeting,[10] states are pondering about the right way to advance this track,[11] yet they tend again to reinstate bureaucratic mechanism as a solution, without addressing the disputes them-selves such as the different opinions of the needed level of state content control.[12]

In face of the failed attempts and the reoccurring disputes, I would like to point a few preexisting trends that should be taken into account when considering the future formation of an international cyber-regimes:

  1. Pre-existing intelligence arrangements and understandings between states such as in the case of the "5 eye community", the long lasting security alliance of shared intelligence resources, between the US, UK, Canada, NZ and Australia, that was formed by the end of WWII.[13] According to Edward Snowden, the 5 eye community did not surveil each other, but did not refrain from surveilling other allies top political leaders and institutions (i.e. Germany and France).[14]
  2. Information transfer mechanisms between states entities and private entities, whether formal such as in the case of the relationship between national CERTs that rely on formal MOUs,[15] or the existing norm of software vulnerability disclosure between private entities and professional organizations.[16]
  3. The emergence of strategic communication between states aimed at establishing a "red line" marking the shift between cyber to a kinetic response. Thus, the various actions taken by states to signal to other states their scale of possible escalation from a minor cyber incident to a military conflict. This was evident from the intensified "Naming & Shaming" strategy taken by the US manifested in the public indictment of Russian operative due to their allegedly attempts to effect public opinion in the last US presidential elections.[17]  
  4. The acceptance and debate of an international arrangement for cyber-arms control, under the umbrella of the known "Wassenaar Arrangement", which includes the creation of a common international professional language on the perception of concepts such as "intrusion software", "vulnerability disclosure" and more.[18]

It is not the intention of the writer of this post to take side in the theoretical debate about the potential of legal arrangements to contribute to the creation of norms, but rather to point to the existence of a possible reality of interaction between states, and that might serve as the basis for the creation of legal framework founded on trust-based mechanisms and relations. In face of pessimistic views over the future of cybersecurity and future international regimes such as the claim that "It is unlikely that there will be a single overarching regime for cyberspace any time soon",[19] I claim that we should start by acknowledging the few areas in which cyber-attacks related international relations is already a part of a known international conduct, to be able to assess when will be the right time to aggregate them into a formal international institution.


[1] March J. G and Olsen J. P. (1998). "The Institutional Dynamics of International Political Order". International Organization, Vol. 52, No. 4, International Organization at Fifty: Exploration and Contestation in the Study of World Politics (Autumn), Pp. 949.

[2] Finnemore M. & Sikkink K. (1998). "International Norm Dynamics and Political Change"

International Organization, Vol. 52, No. 4, International Organization at Fifty: Exploration and Contestation in the Study of World Politics (Autumn), pp. 887-917

[3] Nye, J. S. (2014). The Regime Complex for Managing Global Cyber Activities. Global Commission on Internet Governance Paper Series 1.

[4] Jasanoff, S. (2011). Constitutional moments in governing science and technology. Science and engineering ethics, 17(4), Pp. 621-638.

[5] Elmer-DeWitt P. (1983). "The 414 Gang Strikes Again"Time magazine. (August 29).

[6] The State of Israel Vs. Ehud Tenenbaum (1998). לCriminal record No. 0721227/01.

[7] Michael N. Schmitt ed., 2013) Tallinn manual on the international law applicable to cyber warfare [hereinafter tallinn manual 1.0]; tallinn manual 2.0 on the international law applicable to cyber operations (Michael N. Schmitt ed., 2017) [hereinafter tallinn manual 2.0]

[8]Efrony, D., & Shany, Y. (2018). "A Rule Book on the Shelf? Tallinn Manual 2.0 on Cyberoperations and Subsequent State Practice". American Journal of International Law,112(4), 583-657.

[9] A GGE is a known UN mechanism, who's aim is to advance the discourse by publishing reports which has no abiding decisions. UN GGE reports can be found here-

[10]"No consensus was reached on a final report". (Accessed 21/11/18).

[11] See for example the report by the European Council for Foreign Relations "The UN GGE is dead: Time to fall forward". (Accessed 21/11/18)

[12] Many suggestions are on the table, of those the most common are the Russian proposal (to pursue an "Open Ended" Mechanism) and the US proposal (yet another new GGE).

[13] Based on the formal UKUSA agreement of 1946, that was disclosed in 2010.

[14]See reports of German chancellor Angela Merkel testimony here about NSA tapping to her phone here- (Accessed 26.11.18)

[15] See for example the CERT cooperation MOU signed between Singapore and India at June 2018, (accessed 25.11.18)

[16] See for example the tools developed by the Internet Engineering Task Force (IETF) for software vulnerability disclosure. (Accesses 25.11.18).

[18] For an extensive summary of the debate and changes to the last 2017-2018 Wassenaar Arrangement lists to address Cyber-weapons and services see at Lawfare blog – Hinck, G. "Wassenaar Export Controls on Surveillance Tools: New Exemptions for Vulnerability Research" (5.1.18). (Accessed 25.11.18).

[19] Nye, J. S. (2014). The Regime Complex for Managing Global Cyber Activities. Pp. 13.


Amit Sheniak
The Quest for a Formal Cyber-regime Should Address
Existing Cyber-norms