By Bruce Sussman
Thu | Feb 27, 2020 | 7:30 AM PST

The world understands the rules of physical warfare, including what constitutes torture and conditions for holding prisoners of war.

There are norms which most nations follow and some decide to break. But everyone knows the rules.

And then there is cyberspace.

It's newer, it's somewhat mysterious, and it's wide open when it comes to how any person, any company, or any nation-state should operate.

Lack of cyber norms plagues cyberspace and cybersecurity

It was 2017 when we interviewed the former Director of Operations at U.S. Cyber Command after his keynote at SecureWorld Detroit.

Major General Brett Williams (USAF, Ret.) explained how America's top cyber adversaries viewed the rules of cyberspace differently than the United States did.

"China and Russia, and this is a general statement, but they don't see near the separation between government activity and private sector activity that we do in the United States. They can use cyber pretty flexibly. They aren't as concerned with precedent and lack of international law... and we are."

Now, three years later, cyber norms are still up for debate.

Cybersecurity norms are at a crossroads

This issue is raised in a new paper by the Carnegie Endowment for International Peace. It uncovers four main points around cyberspace and geopolitics and says cybersecurity norms are at a crossroads.

The paper says there are competing and conflicting frameworks regarding cyber norms. Here are the main points:

1. Inherent characteristics of the cyber domain, especially its low barriers to entry to develop and to use cyber capabilities, that create serious multi-stakeholder cooperation problems, as states, corporations, proxy actors, and others all would need to adhere to norms

2. A lack of transparency about state behavior, which creates an inability to measure norm adherence to differentiate "aspirational norms" from actual "norms" and, within the latter category, to assess the breadth and depth of conformance by relevant actors

3. A dearth of great power cooperation to address this global public policy challenge, especially as geopolitics moves from identifying norms to internalizing them within relevant state and other stakeholder communities

4. A lack of clear incentives for internalizing norms—that is, articulating concrete benefits for adopting and internalizing one or more cyber norms or the costs that may follow a failure to do so

The Carnegie Endowment for International Peace also suggests a number of possible strategies for developing cyberspace and cybersecurity norms.

These include research on how the idea of cyber norms varies from actual behavior, and an examination of the incentives to obey norms or the consequences (or lack thereof) for ignoring them.

It also says cybersecurity norms may flex based on worldwide events:

"Norms may be more realistic in some areas than in others, such as peacetime use of cyber capabilities compared with military cyber operations. Having multiple processes can prevent a roadblock in one area from impeding all progress."

And agreement on norms, even if only during peacetime, could help define some of the rules of the road when it comes to nation-state cyberattacks. 

However, it is hard to imagine cybercrime syndicates following any sort of norms, except this: if we can make money, we'll do it.

[Check out the paper for yourself: Cyberspace and Geopolitics: Assessing Global Cybersecurity Norm Processes at a Crossroads] 

Related podcast: Top 3 nation-state cyber threats to the United States

For more, listen to the episode here, or on your favorite podcast platform.