1.

Why would powerful political actors pursue a norms

based approach to cyber security in world politics?
Introduction
This essay will explore the development of cyber security norms by powerful political actors
in world politics through the examination of recent undertakings that have pitted East versus
West along historical lines of political difference. Prior to directly addressing these
developments, it will look at how the lack of norms and rapid rise of cyber security as a
genuine concern among states has driven the steady output of conferences, discussions and
conventions from both sides seeking to set the tone for cyber norms and bolster enough broad
support for an agreement that not only provides resolution to issues raised by a relatively
borderless cyber landscape, but also still benefit certain broader domestic security concerns of
specific states, whether that be economic, political or otherwise.
International debate on the matter continues to unfold on almost a daily basis and further
analysis in the future will no doubt produce a different view on interactions taking place.
Much of the material referenced here is taken from within the last four years and without the
benefit of hindsight, the norms that become entrenched may be significantly shaped by future
events that are impossible to predict as well as the timeframe in which a binding international
agreement (if any at all) comes into being. Discussing the specifics of cyber security norms
may be premature, however there are parallels with other development processes that are
relevant to understand where this is heading. One such parallel being the development of the
Nuclear Non-Proliferation Treaty, established and successfully relied upon for almost 50
years.1 And while a fear as great as nuclear war does not yet accompany threats emanating
from cyber space, the potential damage from future cyber attacks or the impacts of an
unregulated cyber space on security in general means states will continue to seek norms as a
way of setting predictable actions and reactions in this fast-paced realm.
The absence of cyber security norms
The establishment of norms in cyber security seeks to address a growing realization of the
security concerns emerging as the Internet and cyber networks permeate throughout modern
1 United Nations Office for Disarmament Affairs. Treaty on the Non-Proliferation of Nuclear
Weapons. http://www.un.org/disarmament/WMD/Nuclear/NPT.shtml (accessed October 18,
2015).

society. The lack of norms also means a lack of clear definitions of what constitutes an act of
war, where jurisdictions lie and what reactions are acceptable2. Demchak and Dombrowski
make this point: Even a willingness to abide by norms of trust and nonthreatening behavior is
tied to security, where collective rules can and cannot be enforced. To live in ungoverned
societies is not only insecure; it is also a psychologically palpable existential threat.3 Thus the
current pursuit of norms in cyber security highlights a growing uneasiness within world
politics around cyber security and its impacts on the world order.
A lack of norms in the borderless regions of cyber space impacts states ability to manage
their own security. Incidents like the cyber attacks against Georgia in 2008 and the use of the
Stuxnet worm targeting Iranian enrichment centrifuges has highlighted the wild frontier 4
nature of cyberspace where actors are relatively free to engage against any and all targets with
impunity given the lack of established norms and, importantly, untried responses to violations
of these norms. In response to the Estonian cyber attacks in 2007, NATO established the
Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia. The
CCDCOE produced the Tallinn Manual in 2009 that considers the applicability of
International Law to cyber warfare. An updated version of the manual (Tallinn Manual 2.0) is
being developed that seeks to include sections on human rights, diplomatic law, the
responsibility of international organizations, international telecommunications law, and peace
operations5 substantially widening the scope of the original document. Importantly, the
Tallinn Manual frames cyber conflict within existing international laws, particularly the
Geneva Convention and Laws of Armed Conflict, and as such gives guidance to the use of
military cyber capabilities and lethal military counterstrikes.6 Other powerful actors, notably
Russia and China, initially questioned this school of thought and subsequently put forward

2 Farwell, James P., and Rafal Rohozinski. "The New Reality of Cyber War." Survival 54, no.
4 (August-September 2012) p. 111
3 Demchak, Chris C, and Peter Dombrowski. "Rise of a Cybered Westphalian Age." Strategic
Studies Quarterly 5, no. 1 (Spring 2011) p. 42
4 Ibid.
5 NATO CCDCOE. Tallinn Manual 2.0 to b completed in 2016. October 09, 2015.
https://ccdcoe.org/tallinn-manual-20-be-completed-2016.html (accessed October 12, 2015).

alternate frameworks that countering this notion, looking to formulate new norms specific to
cyber security. 7
Cyber crime is one area in which norms development has been undertaken, through an
international treaty developed by The Council of Europes Convention on Cybercrime in
Budapest in 2001. The treaty came into force on 01 July 2004 and deals particularly with
infringements of copyright, computer-related fraud, child pornography and violations of
network security.8 According to the Councils website as of October 2015, 47 countries have
ratified the treaty including Australia and the United States. Notably, Russia, itself home to
hackers responsible for an estimated third of all malicious software9 and also a member of the
Council of Europe, is absent from the convention. The convention, although only modestly
successful and not without detractors like Russia, does show that agreement on cyber space
norms and their implementation is achievable where common principles are held.
The use of norms to further a states security concerns
As the push to develop norms in cyber security begin to take shape, classic divisions in
security concerns have emerged in the debate that threaten any real progress and, in the worst
case, make any agreement in the current climate impossible.10 In this, we have seen two main
blocs appear with divergent approaches that almost classically divide east and west along the
fundamental lines of difference in political interests.11 Russia and China have been seeking to
build support for their approach to cyber security (or more accurately information security)
6 Healey, Jason. "Reason Finally Gets a Voice: The Tallinn Manual on Cyber War and
International Law." Atlantic Council. March 27, 2013.
http://www.atlanticcouncil.org/blogs/new-atlanticist/reason-finally-gets-a-voice-the-tallinnmanual-on-cyber-war-and-international-law (accessed October 14, 2015).
7 Ibid.
8 Council of Europe. Details of Treaty No. 185. http://www.coe.int/en/web/conventions/fulllist/-/conventions/treaty/185 (accessed October 17, 2015)
9 NBC News. Skilled, Cheap Russian Hackers Power American Cybercrime. February 5,
2014. http://www.nbcnews.com/news/world/skilled-cheap-russian-hackers-power-americancybercrime-n22371 (accessed October 17, 2015).
10 Segal, A., Greenberg, M. R., & Waxman, M. C. (2011, October 27). Why a Cybersecurity
Treaty is a Pipe Dream. Retrieved October 10, 2015, from Council on Foreign Relations:
http://www.cfr.org/cybersecurity/why-cybersecurity-treaty-pipe-dream/p26325#

through a series of agreements since 200912, while the US, European Union and other
Western-centric states, have been pursuing cooperation through what the US has coins a
multi-stakeholder approach.13
In the vacuum of norms, such as has occurred due to the rapid development of cyberspace and
its permeation through all facets of modern society, states will seek to establish them, not only
to provide predictability but also to benefit their own strategic interest. The Western bloc
looks to the protection of the carriage of cyber networks and critical infrastructure, which it
sees as crucial to economic outputs14, as well as the freedom of information, in line with
liberal capitalist aims. The eastern bloc, on the other hand, seeks to protect its security with
more focus on the control of content and sovereignty, as regimes seek more authoritarian
control over the medium. As Giles remarks, A key divergence between Russian and Western
approaches to cyber security is the Russian perception of content as threat. In the Russian list
of issues of concern, this is expressed as the threat of the use of content for influence on the
social-humanitarian sphere.15 Normative agendas reflect the strategic security concerns of
the powerful actors in cyber security. Given this, we see that the blocs will move rapidly to
strengthen their agendas through favourable institutionalism, agreements and debate in an
attempt to garner foundational support. Regular attempts at diplomacy on the issues, like the
UKs London Conference in 2014 and, even between the competing blocs, will continue as a
palatable outcome is explored, while outlying countries pick which side suits their own
concerns (See for example Sukumars article - Indias New Multistakeholder line could be
a Gamechanger in Global Cyberpolitics16).

11 Ibid.
12 Korzak, Elaine. "The Next Level for Russia-China Cyberspace Cooperation?" Council on
Foreign Relations. August 20, 2015. http://blogs.cfr.org/cyber/2015/08/20/the-next-level-forrussia-china-cyberspace-cooperation/ (accessed October 11, 2015).
13 United States. "International Strategy for Cyberspace." President of the United States,
May 2011.
14 Deibert, Ronald J, and Rafal Rohozinski. "Risking Security: Policies and Paradoxes of
Cyberspace Security." International Political Sociology 4 (2010), p. 19
15 Giles, K. (2012). Russia's public stance on cyberspace issues. International Conference on
Cyber Conflict (p 64). Tallinn: NATO CCD COE.

Whats in it for the West?

Providing a capstone of the Western blocs approach to cyberspace norms is the US White
House International Strategy for Cyberspace. It espouses the need to protect digital freedoms,
privacy and access and goes on to promote the development of norms without a reinvention
of customary international law.17 However the links made between a prosperous cyber
economy, cyber security and norms development belies underpinning security concerns of the
US, and is summed up in one sentence The United States will pursue an international
cyberspace policy that empowers the innovation that drives our economy and improves lives
here and abroad.18 The implication here being that the US believes cyber security is firstly
important in economic progress and, secondly in social development.
Given the burgeoning role of cyber space in the global economy, not only in goods traded but
in cyber commerce and industry, it would be expected that there be little appetite for adjusting
the status quo of governance and regulation. It is therefore easy to understand why Western
cyber powers would seek to maintain an institutional model rather than try and fix something
that aint that broke. So a multi-stakeholder approach makes sense in this case; allowing the
states input into the system to ensure security needs are met while at the same time allowing
institutions the freedom to innovate and avoiding a hindrance to the growth of cyber space
and its associated economic benefits.
This approach requires a certain devolvement of sovereignty to institutions and regulators.19
The idea of a digital border becomes less pragmatic where the governance is not under state
control and serves as a contentious issue for Russia and other states where there is insistence
on maintaining sovereignty.20
16 Sukumar, Arun Mohan. "india's New 'Multistakeholder' Line Could Be a Gamechanger in
Global Cyberpolitics." The Wire. June 22, 2015. http://thewire.in/2015/06/22/indias-newmultistakeholder-line-could-be-a-gamechanger-in-global-cyberpolitics-4585/ (accessed
October 14, 2015).
17 United States. "International Strategy for Cyberspace." President of the United States,
May 2011, p. 9
18 Ibid, p. 4
19 Hurwitz, Roger. "The Play of States: Norms and Security in Cyberspace." American
Foreign Policy Interests 36, no. 5 (September 2014), p. 329

Eastern ideas of cyber security

In September 2011, Russia and China (with Tajikistan and Uzbekistan as co-signatories)
proposed an International Code of Conduct for Information Security through the United
Nations General Assembly, in a surprise21 move that demonstrated the agenda of norms
development begun between members of the Shanghai Cooperation Organisation (SCO).
Russia followed this up with a draft convention for cyberspace that was, in conjunction with
the Code of Conduct, shied away from by the west and was seen as undermining then efforts
by the US and UK in the development of norms.22 Since then, the SCO members have
continued to build on agreements and have recently seen India and Pakistan added as
permanent members, bolstering the organizations voice and weight. A revised draft of the
International Code of Conduct was circulated in January 2015 to the UN General Assembly
that sees an evolution in an initial sticking point: acknowledging that norms should be derived
from current international law as agreed during the 2013 meeting of the Group of
Governmental Experts. Prior to this, Russia and China questioned the applicability of
international laws of war and self defense to cyber attacks23 with China asserting that it was
too premature to apply international law.24
Closely following this, as recently as May 2015, Russia and China signed a bilateral
agreement that has been dubbed by some as a non-agression pact.25 Building on the
provisions within the International Code of Conduct and previous SCO agreements, the pact
includes a memorandum that neither country would conduct hacking attacks or use the
20 Giles, Keir. "Russia's public stance on cyberspace issues." International Conference on
Cyber Conflict. Tallinn: NATO CCD COE, 2012, p. 67
21 Hurwitz, Roger. "The Play of States: Norms and Security in Cyberspace." American
Foreign Policy Interests 36, no. 5 (September 2014), p. 323
22 Farnsworth, Timothy. "China and Russia Submit Cyber Proposal." Arms Control Today 41,
no. 9 (November 2011), p. 35
23 Segal, Adam, Maurice R Greenberg, and Matthew C Waxman. "Why a Cybersecurity
Treaty is a Pipe Dream." Council on Foreign Relations. October 27, 2011.
http://www.cfr.org/cybersecurity/why-cybersecurity-treaty-pipe-dream/p26325# (accessed
October 10, 2015).
24 Hurwitz, Roger. "The Play of States: Norms and Security in Cyberspace." American
Foreign Policy Interests 36, no. 5 (September 2014), p. 324

Internet in a way to destabilize internal politics.26 This move looks to solidify Russias
approach to norms development that not only further emphasizes the Eastern blocs
interpretation of information security but demonstrates that such agreements are possible in
the face of other stalled or failing negotiations notably the Sino-American dialogue and USRussian Cooperation on ICT security.27 Furthermore, the deal formalizes a combined approach
by China and Russia and lays a foundation for further bi-lateral or multi-lateral agreements
between SCO members.
The approach of the Eastern bloc for the most part is in line with the global desire to establish
norms pertaining to cyber space, and indeed the content of these norms maintains certain
commonalities with the Western approach.28 However the divergent view that state
sovereignty should be maintained over certain aspects, particularly as they relate to content,
highlights the security concerns of Russia and China. Deibert and Rohozinski have pointed
out that cyber space allows activists in even the most tightly controlled societies (including
China) to establish cross-border support and that, For these regimes, these movements
represent a new, fluid, and very formidable security risk.29 Such concerns are founded not
just in cyber space but, at least for Russia, extends to the media, with an underlying concept
that the media should be used as a tool of the state for primarily shaping public opinion in a
manner favourable to the authorities.30 Such a difference in approach and interpretation of
sovereignty stems from the political traditions of Russia and China, where state authorities
25 Korzak, Elaine. "The Next Level for Russia-China Cyberspace Cooperation?" Council on
Foreign Relations. August 20, 2015. http://blogs.cfr.org/cyber/2015/08/20/the-next-level-forrussia-china-cyberspace-cooperation/ (accessed October 11, 2015)
26 Roth, Andrew. "Russia and China Sign Cooperation Pacts." New York Times. May 8, 2015.
http://www.nytimes.com/2015/05/09/world/europe/russia-and-china-sign-cooperationpacts.html?_r=0 (accessed October 18, 2015).
27 Kulikova, Alexandra. "China-Russia cyber-security pact: Should the US be concerned?"
Russia Direct. May 21, 2015. http://www.russia-direct.org/analysis/china-russia-cybersecurity-pact-should-us-be-concerned (accessed October 17, 2015).
28 Healey, Jason. "Breakthrough or Just Broken? China and Russia's UNGA Proposal on
Cyber Norms." Atlantic Council. September 11, 2011.
http://www.atlanticcouncil.org/blogs/new-atlanticist/breakthrough-or-just-broken-china-andrussia-s-unga-proposal-on-cyber-norms (accessed October 17, 2015).
29 Deibert, Ronald J, and Rafal Rohozinski. "Risking Security: Policies and Paradoxes of
Cyberspace Security." International Political Sociology 4 (2010), p. 21

decide what their citizens should think, and that the principle of sovereignty bars outsiders
from interfering with the exercise of that power.31
Parallels with the Nuclear Non-Proliferation Treaty
With such disparate views dividing East and West in a flashback to Cold War ideology, many
commentators have begun to draw parallels between the development of cyber norms and the
development of nuclear non-use norms that ultimately gave shape to the Nuclear NonProliferation Treaty. However as Nye argues, the concepts of nuclear versus cyber war are
very different from the standpoint of the way in which a cyber war might potentially send us
back to the economy of the early 1990s, whereas a nuclear war could send us back to the
Stone Age.32 That said, other parallels provide an insight as to the process of norms
development in such a political climate of distrust and divergent opinions. Central to this is
the concept of deterrence that helped provide the initial stability between the superpowers in
the Cold War. However deterrence as it relates to cyber security is much harder to quantify or
even demonstrate beyond some policy statements put forward, like that within the US
International Strategy for Cyberspace. That said, the concept of deterrence between states,
even if impossible against non-state actors, might prove a valid stabilizer33 in the situation
until an established set of norms is developed. The fact that the Internet and other essential
networks are so intrinsically linked between the antagonists means it is in everyones interest
to maintain cyber space integrity.
Conclusion
This essay has examined the impetus for norms development in cyber security, noting that the
rapid growth of the Internet and cyber space has created a new security concern for key
political actors, and given the economic challenges and impacts on state sovereignty arising
30 Giles, Keir. "Russia's public stance on cyberspace issues." International Conference on
Cyber Conflict. Tallinn: NATO CCD COE, 2012, p. 70.
31 Hurwitz, Roger. "Depleted Trust in the Cyber Commons." Strategic Studies Quarterly 6,
no. 3 (2012), p. 36
32 Nye, Joseph S. "From bombs to bytes: Can our nuclear history inform our cyber future?"
Bulletin of Atomic Scientists 69, no. 5 (September/October 2013), p. 10
33 Stevens, Tim. "Deterrence and Norms in Cyberspace." Contemporary Security Policy 33,
no. 1 (Apr 2012), p.157

from a unregulated and almost borderless cyberspace. While there have been many calls to
develop a set of global norms, driven from events like the cyber attacks on Estonia and the
Stuxnet worm, an international agreement may be some time off given the divergent
approaches between powerful political actors.
The Western bloc, led by the United States and comprised of like-minded liberal democracies,
approaches the development of norms through a multi-stakeholder approach that looks to
establish norms where the state is not necessarily central to the governance and regulation of
cyber space. This benefits a key security concern pertaining to the economic success and
freedom of access intrinsic to the historic, and conceivably, continued success of an open
cyber space. In contrast, Russia and China have garnered support in an Eastern bloc that has
been actively pursuing norms with submissions of a draft International Code of Conduct
through the UN General Assembly as well as bi-lateral and multi-lateral agreements amongst
the nations of the Shanghai Cooperation Organisation. Although sharing many common
themes, this approach places an emphasis on state control of content and potentially that of
regulation. The central tenet of state sovereignty and the extent to which it is applied in
cyberspace remains a barrier to agreement between the two sides.
As such we see that the development of norms in cyber security is not just in response to a
need for predictable behaviour and better global regulation but also hinged on the varied
security concerns of each bloc, and in contrast to the Cold War development of the Nuclear
Non-Proliferation Treaty, a lack of common ground (only marginally stabilised by the concept
of deterrence) continues to hamper diplomatic efforts to achieve a binding set of norms.

Works Cited
Council of Europe. Details of Treaty No. 185.
http://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185
(accessed October 17, 2015).
Deibert, Ronald J, and Rafal Rohozinski. "Risking Security: Policies and
Paradoxes of Cyberspace Security." International Political Sociology 4
(2010): 15-32.
Demchak, Chris C, and Peter Dombrowski. "Rise of a Cybered Westphalian
Age." Strategic Studies Quarterly 5, no. 1 (Spring 2011): 32-61.
Farnsworth, Timothy. "China and Russia Submit Cyber Proposal." Arms
Control Today 41, no. 9 (November 2011): 35-36.
Farwell, James P., and Rafal Rohozinski. "The New Reality of Cyber War."
Survival 54, no. 4 (August-September 2012): 108-119.
Giles, Keir. "Russia's public stance on cyberspace issues." International
Conference on Cyber Conflict. Tallinn: NATO CCD COE, 2012. 63-75.
Healey, Jason. "Breakthrough or Just Broken? China and Russia's UNGA
Proposal on Cyber Norms." Atlantic Council. September 11, 2011.
http://www.atlanticcouncil.org/blogs/new-atlanticist/breakthrough-or-justbroken-china-and-russia-s-unga-proposal-on-cyber-norms (accessed
October 17, 2015).
Healey, Jason. "Reason Finally Gets a Voice: The Tallinn Manual on Cyber
War and International Law." Atlantic Council. March 27, 2013.
http://www.atlanticcouncil.org/blogs/new-atlanticist/reason-finally-gets-avoice-the-tallinn-manual-on-cyber-war-and-international-law (accessed
October 14, 2015).
Hurwitz, Roger. "Depleted Trust in the Cyber Commons." Strategic Studies
Quarterly 6, no. 3 (2012): 20-45.
Hurwitz, Roger. "The Play of States: Norms and Security in Cyberspace."
American Foreign Policy Interests 36, no. 5 (September 2014): 322-331.
Korzak, Elaine. "The Next Level for Russia-China Cyberspace Cooperation?"
Council on Foreign Relations. August 20, 2015.
http://blogs.cfr.org/cyber/2015/08/20/the-next-level-for-russia-chinacyberspace-cooperation/ (accessed October 11, 2015).
Kulikova, Alexandra. "China-Russia cyber-security pact: Should the US be
concerned?" Russia Direct. May 21, 2015. http://www.russia-

direct.org/analysis/china-russia-cyber-security-pact-should-us-beconcerned (accessed October 17, 2015).

NATO CCDCOE. Tallinn Manual 2.0 to b completed in 2016. October 09,
2015. https://ccdcoe.org/tallinn-manual-20-be-completed-2016.html
(accessed October 12, 2015).
NBC News. Skilleed, Cheap Russian Hackers Power American Cybercrime.
February 5, 2014. http://www.nbcnews.com/news/world/skilled-cheaprussian-hackers-power-american-cybercrime-n22371 (accessed October
17, 2015).
Nye, Joseph S. "From bombs to bytes: Can our nuclear history inform our
cyber future?" Bulletin of Atomic Scientists 69, no. 5 (September/October
2013): 8-14.
Risen, Tom. "Chinese Telecom Huawei Will 'Exit the US Market'." US News.
December 3, 2013.
http://www.usnews.com/news/articles/2013/12/03/chinese-telecomhuawei-will-exit-the-us-market (accessed October 14, 2015).
Roth, Andrew. "Russia and China Sign Cooperation Pacts." New York Times.
May 8, 2015. http://www.nytimes.com/2015/05/09/world/europe/russiaand-china-sign-cooperation-pacts.html?_r=0 (accessed October 18, 2015).
Segal, Adam, Maurice R Greenberg, and Matthew C Waxman. "Why a
Cybersecurity Treaty is a Pipe Dream." Council on Foreign Relations.
October 27, 2011. http://www.cfr.org/cybersecurity/why-cybersecuritytreaty-pipe-dream/p26325# (accessed October 10, 2015).
Stevens, Tim. "Deterrence and Norms in Cyberspace." Contemporary
Security Policy 33, no. 1 (Apr 2012): 148-170.
Sukumar, Arun Mohan. "india's New 'Multistakeholder' Line Could Be a
Gamechanger in Global Cyberpolitics." The Wire. June 22, 2015.
http://thewire.in/2015/06/22/indias-new-multistakeholder-line-could-be-agamechanger-in-global-cyberpolitics-4585/ (accessed October 14, 2015).
United Nations Office for Disarmament Affairs. Treaty on the NonProliferation of Nuclear Weapons.
http://www.un.org/disarmament/WMD/Nuclear/NPT.shtml (accessed
October 18, 2015).
United States. "International Strategy for Cyberspace." President of the
United States, May 2011.