This is the fourth edition of Eneken Tikk’s Cyber Norms Blogposts. This series of articles is published on a monthly basis in 2019. In these posts Dr. Eneken Tikk, Senior Advisor ICT4Peace Foundation, offers her insights on the international cyber norms dialogue. These Cyber Norms Blogposts will highlight normative contributions from states, regional and international organizations, industry and academia that could be considered in the dialogue on responsible use of ICTs by States.

Disclaimer: The views expressed in these Blogposts are not necessarily those of the ICT4Peace Foundation.

 

Search for Cyber Norms – Where to Look?
#4 The norms test: existing norms

The norms test was originally developed a few years ago as a tool for cyber policymakers to design effective and sustainable normative solutions to cybersecurity issues and avoid developing ‘new’ norms where preexisting normative frameworks exist that could be applied to international cybersecurity issues. The test has been used and further developed in ICT4Peace capacity building courses. However, this is the first time it is published to wider audiences.

This test is inspired by the acknowledgment of the many legal and policy instruments introduced to guide the use of ICTs. Between 1980 and 2018 more than 250 regional, multilateral and international instruments have been adopted to this end. While not all of them may be directly applicable to acute issues of international cybersecurity, the questions of preventing cyber conflict and increasing peace and stability in cyberspace likely contain elements that have been addressed in the past and to which normative solutions have been offered and applied. Holistic and systematic reviews of existing norms in this context have not been conducted.

This blog post is the first of the three steps aimed at promoting and implementing already existing norms. The term ‘norm’ requires some clarification. Within the UN Group of Governmental Experts on Developments in the field of information and telecommunications in the context of international security (GGE) setting, norms are referred to as voluntary, non-binding recommendations for behavior. Depending on the context, norms can also be understood as expectations of behavior, mostly associated with enforcement by social controls; or standards of behavior defined in terms of rights and obligations. The proposed test is generally applicable regardless of the definition one adopts.

In some areas, promoting of existing normative frameworks over proposing new norms has been the prevalent practice – for instance, many states have identified and promoted the Budapest Convention as the preferred regime for combatting cybercrime. Instead of opting for a new regime, states have made an effort to join the convention. In the context of international cybersecurity, however, states have been promoting some recommendations as ‘new’, without considering or referencing an already existing instrument or framework.

Discussing pre-existing normative frameworks in the context of acute cybersecurity issues allows a more detailed dialogue on the issue and its possible solutions. Building standards and guidance of responsible behavior on pre-existing frameworks avoids fragmentation of normative efforts and, in fact, builds normative coherence. This norms test seeks to maximize attention to already existing norms (step 1), allow detailing gaps in normative frameworks (step 2) and, where the gaps cannot be overcome on the basis of existing norms, offer ways to think about detecting and developing new standards of behavior (step 3). Step 1 is covered in the chart below. Steps 2 and 3 will be addressed in the next blogs.

Every solution has to originate and start from a clearly identified problem. In this context, the UN GGE work on cyber norms is notoriously vague on problem statements and related evidence. As a result, it becomes difficult to assess which issues, and how, the proposed norms are intended to solve, and whether and how the issues that the Group had in mind are best resolved by normative or perhaps technical approaches. For instance, some international cybersecurity issues could be overcome by increased (national) technical and societal resilience, of which laws and policies form just a small part alongside awareness, secure systems or appropriate organizational processes.

Where it has been determined that the issue in question is susceptible to a normative solution, reference to and reliance on already existing norms facilitates implementation: instead of framing and promoting certain standards of behavior as new, identifying contexts and instances where similar issues have been addressed with similar normative solutions offers ways to learn from and re-apply relevant experience.

Sometimes it may prove difficult to apply or translate a pre-existing norm to the issue at hand. In this case, it is essential to determine the reasons for this. For instance, the pre-existing norm may be regional or limited to multilateral practices, while the problem has been identified as requiring a universal solution. In this case, such a gap could be overcome by further endorsement of the norm, as per example many ratifications of the Budapest Convention in the past years.

If the gap is qualitative and the existing norm does not adequately cover the problematic circumstances, it is essential, before offering a new norm, to consider if this gap can be overcome by promoting a different interpretation of the norm than what it has been so far. It may require discussions such as to what extent can ‘cyber’ issues be translated into international telecommunications, where assistance in cooperation is limited to instances where the person of interest is identified or how an IP address can equally serve as basis for invoking such cooperation. The interest here is to avoid the disruption of existing normative approaches and established practices for simply contingent political convenience or lack of awareness.

Given the numerous recommendations and standards of behavior adopted in the fields of preventing cybercrime, increasing technical robustness and resilience, protecting critical infrastructure or data, conducting transactions online, information society development or crisis prevention, it is difficult to imagine that no precedent whatsoever exists for overcoming any clearly identified international cybersecurity issue. The existing normative solutions may not always be perfect of exactly match the situation in question. However, even in these instances, they serve useful starting points for detecting what has or hasn’t worked in the past.

At minimum, this test identifies the policy options that states have when discussing normative solutions to cybersecurity issues. If applied even in general terms, it helps avoiding presenting norms as new where they have existed and applied to same or similar issues in the past.

Dr. Eneken Tikk

Please download the norms test here.