Recall that one dimension of a norm is “identity”:to whomdoes a norm apply?
In cyberspace, could be individuals, programmers, firms, etc.
In this mini lecture, we will discuss norms that would applyto sovereign states.
But, important to remember others could exist.
TWO OBVIOUS WAYS TO DESIGN NORMS INCYBERSPACE
Limit behaviors.
Example:cyberexploitationisOK, but cyber attacks arenot.
Limittargets.
Example:government/military targets are legitimate,private firms, individuals are not.
POSSIBLE OBSTACLES TO CYBER NORMS
Powerful states find cyber operations too useful.
Difficult tofindaproprietythatworksforallstates.
Evenifstates agree that there should be norms, they often disagree onwhat thosenormsshouldbe.
Thenatureofcyberspacemakesithardtoknowifnormsarebeingupheld, which weakenscollective expectations.
POWERFUL STATES FIND CYBER OPERATIONS TOOUSEFUL
Argument: states like U.S., China find cyber operations too useful towant to give them up; will not support norms that restrict them.
Haveseensimilarbehavior in norms surrounding weapons (ex: chemical weaponsnot useful so powerful states sign on; anti-personnel landmines still useful sopowerful states do not sign on).
Smaller states may want norms, but persuasion won’t work, and they donot have the power or reputation for incentives or socialization to work.
DIFFICULT TO HAVE PROPRIETY THAT WORKS FORALL STATES
Argument: different states have different bases or frameworks forthinking about what is “right” or “wrong”; can be difficult to find amutual basis to support a norm.
Example:U.S.firmly sees separation between “private” economy and“public” security; China does not.
Even bases thatseemcommon (ex. sovereignty) may be interpretedquite differently by different states.
NATURE OF CYBERSPACE MAKES IT HARD TOKNOW IF NORMS ARE BEING UPHELD
Argument: It is hard to know who is doing what on the internet, oreven to know that a cyber operation has happened, making itdifficult to know if a state has broken a norm.
Essentiallythe “plausible deniability” problem.
Suspicions of cheating mayweaken collective expectations.
Moreofaproblemtheharderthebehavioristodetect.
WHATKINDSOFCYBER NORMS AREWEMOSTLIKELYTOSEE?
Useful to (or at least not detrimental to) the great powers.
Based on widely-agreed principles (probably international law).
Alternatively, might see norms that only apply to certain types of states.
Restrict easily-observed behaviors.
Cyberattacksamorelikelytarget than cyber exploitation.
CONCLUSION
While there areanumberofwaystoconstructcybernorms, two obviouswaysareby limiting behaviors or targets.
Three obstaclestocybernorms are: powerfulstatesmayprefernottohavethem;hard to find a common basis for the norms across states;norm violations are hard to detect.
The most likely norms to arise are those that avoid these three obstacles.
