Research Questions What is the extent of international agreement, if any exists, over what cyber norms should accomplish and how they should be implemented? How have international norms governing other types of activities become established? Do existing international norms provide potential models for restraining cyber competition?
Recent years have seen a mounting concern in the United States over foreign efforts to harm election security or legitimacy through cyber means, increased cyber espionage, and attacks of growing sophistication. The United States has been engaged for almost a decade in international negotiations over agreed normative constraints on such activities, but the prospects for a comprehensive international agreement appear dim.
In this report, the authors develop a renewed agenda for utilizing cyber norms to limit destabilizing behavior in cyberspace. To do so, they survey the literature on norms and norm emergence and describe the process by which norms tend to arise. They identify the common and conflicting interests that major states have in cyberspace, summarize the history of intergovernmental and private-sector initiatives on cyber norms, outline the principles governing U.S. policy on the issue since 2007, and survey current proposals for cyber norms.
Based on this analysis, the authors propose a bottom-up, "outside-in" approach to promoting cyber norms that would allow the United States to bypass current international disagreements to encourage the development of norms to constrain the most destructive and escalatory forms of cyber aggression.
Key Findings There is no clear, emerging consensus on the precise shape of cyber norms. The gap on cybersecurity issues between the United States and both China and Russia remains very wide, and there is limited room for mutually agreed restraints on behavior. Cyberspace has specific characteristics that may impede the development of norms to restrict state behavior. Norms can affect state behavior even when leaders disagree with them, and they can become established through "bottom-up" efforts rather than being imposed by governments. Norms tend to be more effective when they are simple rather than complex and emotive rather than dry. The current status of international discussions does not provide the basis for believing that any universal agreements on cyber norms are feasible in the near term.
Recommendations Bring U.S. policy into alignment with norms that would restrain destabilizing cyber attacks. Enhance existing initiatives on cyber norms, including building a common position on prohibited behaviors with allies. Support efforts by nongovernmental entities to expand commitment to cyber norms. Impose costs on states that violate emerging cyber norms. Reaffirm and expand confidence-building mechanisms regarding cyber norms with Russia and China, and propose a working group with either or both to build toward limited areas of consensus and develop rules of engagement. Work to gain congressional approval of an institutional home within the U.S. government for the process of cyber norm development. Articulate bilateral, informal commitments with other powers to refrain from certain categories of cyber aggression. Convene intergovernmental, multistakeholder processes to gather a critical mass of partners in the effort. Identify specific normative constraints for general agreement, including prohibitions on the following: cyber attacks on critical infrastructure, direct interference in or manipulation of electoral and political processes, and activities designed to damage the availability or integrity of the public core of the internet.
Table of Contents Chapter One
The Challenge of Norms in Cyberspace
Chapter Two
Understanding Norms
Chapter Three
The Current Status of International Dialogues on Cyber Norms
Chapter Four
Identifying Next Steps in Cyber Norm Development
Research conducted by RAND National Security Research Division
This research was sponsored by the Office of the Secretary of Defense and conducted within the Cyber and Intelligence Policy Center of the RAND National Security Research Division (NSRD).
This report is part of the RAND Corporation Research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.
This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.
The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.