This summer, a nearly seven-year process to write the rules that should guide state activity in cyberspace came to a halt. Since 2010, the United States had successfully corralled the world’s main cyber powers at the United Nations to agree to a set of increasingly prescriptive norms of what they could and could not do in cyberspace. The process broke down over the United States’ desire to have states explicitly endorse the notion that the laws of war applied to cyber conflict.1 Russia, China, Cuba and others refused to do so, on the grounds that it would give a green light to hostile actions in cyberspace.

US policymakers had invested hope and effort in the idea that cyber norms would help bring order to the seeming chaos of cyberspace. The online world is one of strategic instability, given the relative ease and stealth of state-sponsored attacks, and the fact that it is almost impossible to tell whether a purely defensive cyber action is in fact hostile.2 The United States, the United Kingdom and like-minded states held conferences, sponsored diplomatic initiatives at the United Nations and regional security bodies, and funded research to spread a series of norms intended to make cyberspace less prone to catastrophic strategic error.3 Think tanks, foundations and some technology companies joined in as norm entrepreneurs, hoping to make their mark on diplomatic negotiations.

Notwithstanding some significant progress over the years on cyber norms, the disproportionate attention given to them has overshadowed an equally important tool that could make cyberspace more stable: confidence-building measures (CBMs). CBMs may not be as high-profile or high-stakes as UN negotiations, but they have a long track record of improving stability during the Cold War, and there is some evidence that CBMs such as hotlines, military-to-military dialogues and operationally focused working groups could be applied to cyberspace. The world’s major cyber players, including the United States, Russia, China and the United Kingdom, should use the collapse of the UN talks as an opportunity to pause the proliferation of new norms and focus on practical measures to improve cyber stability.

A brief history of cyber norms

The Western diplomatic focus on cyber norms is largely a reaction to a Russian diplomatic initiative. In 1998, the UN General Assembly passed a Russian-sponsored resolution expressing concern that information and communications technologies (ICTs) could be used for purposes that may ‘adversely affect the security of States’.4 Russian concerns about cyber threats were prescient – and perhaps unsurprising given that the same year, the United States found a foreign actor, later identified as Russia, probing the Pentagon’s networks.5

Since the introduction of the UN resolution, Russia’s primary foreign-policy objective with respect to cyberspace has been the promotion, and ultimate adoption, of a cyber arms-control treaty that would, among other things, bar states from developing cyber weapons or using cyber means to interfere in the internal affairs of states.6 Moscow has sought support for its treaty largely by making the case that the internet is a chaotic environment that can threaten the security of states; that order is required to bring the chaos under control; and that the best way to do so is through a multilateral treaty, like those that have been relatively successful in banning chemical weapons or reducing nuclear stockpiles. In essence, Russia makes the case that a new technology requires new law to provide guidance to states in how to use it peacefully.7

The US has countered that such guidance already exists in the form of existing international law, and that no new treaty is required. Washington has argued that new treaties are time-consuming to negotiate, and that a treaty covering fast-evolving technology will almost certainly be obsolete by the time the negotiations conclude. US diplomats contend that existing international law, such as the UN Charter and the laws of war, is almost universally accepted and understood, and has stood the test of time, making it the perfect starting point from which to shape a discussion of what states can and cannot do in cyberspace. Privately, US representatives say that even if new international law to regulate cyberspace were desirable and achievable, Russia could not be trusted to abide by its terms.

Instead of promoting treaties, Washington and its allies turned to norms of responsible state behaviour in cyberspace. Norms are defined as shared expectations of proper behaviour and affect various aspects of international relations, such as the perceived taboo against the use of nuclear weapons.8 Western countries saw norms as a vehicle through which they could improve the stability of cyberspace by establishing a series of easily digestible rules based on existing international law, like the cyber equivalent of ‘don’t litter’, and promoting them aggressively.9 This approach became the foundation for the 2011 US International Strategy for Cyberspace.10

Despite their differences, the Kremlin and White House share a common interest: both seek to improve the stability of cyberspace and remove the incentives inherent to cyberspace that encourage risk-taking. States find cyber tools appealing because they offer a number of advantages over traditional diplomatic or military tools. Firstly, they are relatively stealthy, and offer a degree of plausible deniability that tanks and missiles do not. Secondly, the costs of entry are fairly low – even small states such as Vietnam can buy commercially available cyber tools to infiltrate sensitive networks. Thirdly, cyber tools are inherently dual use, and are immune to counter-proliferation efforts – tracking the spread of software and malicious tools is next to impossible when compared to tracking nuclear materials and technology, for example. Placing limits on how states should use cyber tools, whether by treaty or by norm – and finding a way to make those limits stick – should therefore improve the stability of cyberspace and decrease the risk of conflict.

The quest for cyber stability has taken place in a number of international venues since Russia first introduced its UN resolution in 1998, but none has received more attention than the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE).

During its first rounds of meetings, in 2004–05 and 2009–10, the group failed to make significant progress. The 2012–13 GGE, however, issued a landmark report.11 For the first time, 15 countries, including Russia, China, the United States, India, the United Kingdom, France and Germany, agreed that ‘international law, and in particular the Charter of the United Nations is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment’.12 This was the first time major global powers had recognised that existing law was applicable to state activity in cyberspace, a big win for the United States. Russia also scored a win with the acknowledgement that ‘new norms’ could be developed over time given ‘the unique attributes of ICTs’, which could be interpreted as keeping the door open for possible treaties in the future.

The successes at the GGE created a flurry of norms-related activity. In 2014, China and the United States agreed that neither government would ‘conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage’.13 This fulfilled a long-standing US objective to stem the tide of Chinese pilfering of US firms’ intellectual property and trade secrets. Over the course of subsequent years, the norm was endorsed in bilateral declarations between China and the UK, Germany, Australia and Canada, as well as by the G20.14

In 2014–15, the GGE endorsed new norms, this time to guide state activity in cyberspace during peacetime.15 This included the norm that states should refrain from targeting each other’s critical infrastructure; that they should not target national computer-security-incident response teams (the digital equivalent of firefighters); that they should respond to requests for assistance; and that states should not knowingly let their territory be used for internationally wrongful acts using cyberspace (for example, acts that violate international law, such as the prohibition on the use of force).

States were not the only ones getting into the norms-setting game. Microsoft released its own set of norms in 2014 and 2016, and in 2017 Microsoft President Brad Smith called for a Digital Geneva Convention.16 Non-profits and academics pitched their own ideas, such as a proposal that states should not use cyber means to intentionally manipulate ‘the integrity of financial institutions’ data wherever they are stored or when in transit’, and a proposal for a Red Cross for cyberspace.17

The road ahead for norms looked clear. States were endorsing a handful of rules through bilateral and multilateral communiqués, and non-state actors were making their own proposals. It seemed like a particular coup for the United States, which had managed to steer the conversation away from Russian ideas for a treaty and toward a discussion of informal rules on its own terms.

End of the road for norms

Despite this proliferation of norms, the process hit a roadblock. The most recent GGE, which held its last meeting in June 2017, failed to reach a consensus report for the first time since 2004–05. The group’s mandate was to provide recommendations on how international law applies in cyberspace. In particular, the United States wanted the report to provide explicit endorsement of the applicability of the right to self-defence, international humanitarian law and the use of countermeasures. In the words of the US representative to the talks, this proved impossible because ‘some participants continue to contend that it is premature’ to make such determinations ‘and in fact, seem to want to walk back progress made in previous GGE reports’.18

The GGE talks collapsed for at least two reasons. Firstly, the flurry of norms-related activity had masked a fundamental divide between the US and its Western allies and Russia, China and others on the application of the laws of war to an online conflict. While Washington wanted to further develop how concepts such as neutrality, proportionality and distinction might constrain cyber conflict, Moscow and Beijing saw Washington trying to find justifications in international law for the use of cyber means during a conflict or of conventional means as a way to respond to cyber conflict, leading to destabilising activity. Russian and Chinese diplomats wanted to concentrate their efforts on preventing cyber-based conflict in the first place, instead of setting the rules for something that should not be allowed to happen.

Secondly, China, Russia and the United States fundamentally disagree over the nature of cyber conflict itself. Washington views cyber security as the protection of bits, software and hardware from unauthorised use – such as manipulating data, accessing confidential data or making data unavailable. In contrast, Beijing and Moscow prefer the term ‘information security’, which allows for state control over online content so as to preserve regime stability.

Russia, for example, already believes that it is in an information war with the United States. Vladimir Putin is reportedly convinced that the internet is a CIA project to facilitate regime change, and that the US intelligence community orchestrated the release of the Panama Papers to discredit Russia.19 The Kremlin uses its propaganda apparatus, including broadcasters RT and Sputnik, and the country’s troll factories, to counter perceived US dominance over the ‘information space’.20 The same thing, to a lesser extent, can be said of China, which has implemented extensive measures to control the flow of outside information that its citizens can access online, and is further tightening them.21 This ideological schism between cyber and information security made it challenging to reach consensus on new norms and implement what had already been agreed to in previous GGEs.

The largest problem may have been that the discussion among diplomats in UN conference rooms looked increasingly divorced from the operational reality of state-sponsored cyber actions. Despite the US exhortation that international law applies to cyberspace and that states should not knowingly attack critical infrastructure, the United States, along with Israel, allegedly launched in 2008 a covert operation called Olympic Games, which used malware, now known as Stuxnet, to sabotage Iran’s nuclear-enrichment facilities.22 Many legal scholars have concluded that the operation was almost certainly a use of force prohibited under the UN Charter.23 More recently, Russian state-sponsored hackers are suspected of having been responsible for cyber attacks that caused power outages in Ukraine in 2015 and 2016.24 Given that Russia denies it is at war with Ukraine, Russia’s actions against the Ukrainian power grid almost certainly violate the norm on prohibiting cyber attacks against critical infrastructure during peacetime.25

With no international arbiter to enforce compliance, states will cherry-pick the norms they want to follow in keeping with their interests. China, for example, came to accept the norm against cyber economic espionage partly because of pressure from the United States, but also in large part because it had domestic political and military reasons to rein in People’s Liberation Army hackers.26 Rules of behaviour for state activity in cyberspace only improve stability if states play by the same set of rules, not if they can pick and choose which rules they prefer to follow.

Even with these violations, defenders of the cyber-norms process will argue that it is too early to abandon it. They point to recent efforts by EU leaders to develop a ‘cyber toolbox’, which enables the bloc to levy sanctions in response to a state-sponsored cyber incident, as evidence that certain norms are being operationalised.27 Since the collapse of the GGE talks, the United States has publicly stated that it is now exploring options of developing a group of norm adherents – or ‘good guys’ – to pressure violators through shaming or other punitive measures.28 At their core, however, the EU and US approaches try to force a player to play a game using rules it does not believe are legitimate. Instead of building stability, a name-and-shame approach backed by sanctions or other diplomatic measures could increase the odds of a destructive cycle of response and counter-response, given that one side will not view the other’s actions as legitimate. Without a shared set of rules, one side will likely misinterpret the other’s actions, increasing the likelihood of conflict.

If not norms, what?

The end of the cyber-norms process does not mean that cyberspace is doomed to be an unstable Wild West. On the contrary, the stability of cyberspace can be improved through relatively simple means with which the United States and Russia have extensive experience: confidence-building measures.

CBMs are steps that adversaries take to increase the transparency of their respective actions with a view to reducing mistrust. Over time, as trust is built, adversaries can begin taking cooperative actions that improve stability, such as refraining from taking action an adversary can perceive as aggressive. Traditional examples of CBMs include exchanges of white papers and doctrines, creating a phonebook that includes relevant points of contact in either country to de-escalate crises, and people-to-people exchanges, such as sending military officers to another country’s military university. During the Cold War, the United States and the Soviet Union used CBMs frequently. Both countries agreed to creating a crisis hotline, or ‘red phone’, to avoid a repeat of the Cuban Missile Crisis, and inked a treaty to stop their respective naval ships from harassing each other.29

Unlike norms, CBMs do not require countries to agree to a predefined and shared set of ideological principles. In fact, they exist precisely because states disagree on matters of ideology but recognise that they have a shared interest in preventing mistakes from triggering a military conflict. In cyberspace, all of the major powers – especially those with nuclear weapons – have an interest in avoiding activity that could lead to a cyber conflict overflowing into the physical world.

Already, some countries have started to negotiate and implement CBMs. In 2013, the United States and Russia established a hotline allowing either country to ‘make formal inquiries about cybersecurity incidents of national concern’.30 The hotline is only known to have been used once, when the United States requested that Russia cease its cyber activities against election-related targets during the 2016 presidential election. Although internal Democratic-affiliated emails had already been made public by the time the request was made, the Washington Post reported that US intelligence observed that Russia did not escalate its activity as election day approached, and ‘may have reduced it’.31 Given the sorry state of US–Russia relations since at least 2012, the fact that Russia seems to have modified its behaviour in response to the US request is a testament to the potential value of CBMs in reducing destabilising activity, even where severe political differences remain.

The United States has also established CBMs with China. As a result of the 2015 agreement prohibiting cyber espionage for commercial gain, Washington and Beijing agreed to hold a regular bilateral dialogue focused exclusively on cyber issues. Through this effort, the United States and China have set up a communications channel that has facilitated bilateral cooperation on taking down botnets.32

Multilateral CBMs also exist. The Organisation for Security and Cooperation in Europe (OSCE) was largely created for this purpose, and its members have already agreed to a series of cyber-security CBMs, in 2013 and 2016, that include the voluntary exchange of white papers and the promotion of the responsible disclosure of hardware or software vulnerabilities that could be used to develop malware.33

These successes should be applauded, but new CBMs need to be developed between the major cyber powers. Working on a bilateral basis, the United States should consider approaching China to conduct cyber war games. For example, Washington and Beijing could consider how they would respond if either side saw the other targeting or compromising critical-infrastructure systems, beyond traditional espionage. Such a simulation would allow both sides to better understand each other’s respective decision-making processes, and find ways to reduce the risk of escalation if the simulated attack was found to have been unsanctioned by one side.

Another avenue US policymakers should explore is the inclusion of cyber operators – those in the intelligence community and military who actually do the hacking – in existing bilateral dialogues. This presents obvious difficulties, given that it would reveal the identities of individuals the United States would rather keep a secret. Nevertheless, it would bring an element of operational reality to discussions that are often dominated by diplomats and policy wonks who may know very little about how a cyber operation is actually carried out. The United States is believed to have tried this approach with China during the Obama administration, but faced Chinese resistance. The Trump administration should keep working to get cyber operators from the People’s Liberation Army and the Ministry of State Security to attend, using the value Beijing places on the US–China cyber dialogue as leverage.34

Knowing the ins and outs of cyber operations matters because one of the hardest things to determine in cyberspace is an attacker’s intent. Some scholars have called this the ‘cyber-security dilemma’, whereby defensive actions in cyberspace by a defender can be perceived as offensive by an attacker, leading it in turn to take defensive action the original defender views as aggressive.35 This can lead to a destabilising and escalatory cycle. Having adversarial operators explain the logic and intent behind previous intrusions can establish patterns of behaviour that can be used to interpret future cyber operations. Over time this can reduce misperceptions, much like military exchanges can increase the odds that operational manoeuvres will not be misinterpreted. The United States could try this approach with China, given the marked improvement in the cyber relationship between the two countries in the last two years.

The United States and its close allies could also increase the transparency of their military doctrine and cyber capabilities. For example, the United States, United Kingdom and Australia have all publicly declared that they are using cyber weapons to combat the Islamic State (also known as ISIS or ISIL). Others, such as Canada, are beginning to integrate and explicitly authorise their armed forces to build military cyber capabilities.36 By sharing their experiences, the United States and its allies can demonstrate to Russia, China and others what infrastructure and materiel they are allowed to target, the legal review processes involved and the chain of command for decision-making. Providing transparency into the decision-making process – and not the cyber weapons themselves – makes US actions more predictable and reduces the risk of misinterpretation without revealing exploits and toolsets.

* * *

The development of norms had a good run. The UN GGE process received significant attention, and national-security policymakers became seized of the need to develop cyber-stability measures. Global powers were able to agree on some baseline ground rules, such as the applicability of international law to cyberspace, but attempts to go further, such as obtaining explicit endorsement for the laws of war, are likely a bridge too far, at least for now. US strategy needs a rebalancing, with the norms discussion moving into the background for now. Given the size of the problem, CBMs may seem small bore. But unlike norms, which require an ideological agreement on the nature of cyber conflict, they offer practical steps toward making cyberspace safer.


1 Michele Markoff, ‘Explanation of Position at the Conclusion of the 2016–2017 UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security’, US Department of State, 23 June 2017.

2 Ben Buchanan, ‘The Cybersecurity Dilemma: Where Thucydides Meets Cyberspace’, Council on Foreign Relations, 30 January 2017.

3 See Chair’s Statement to the London Conference on Cyberspace, UK Foreign and Commonwealth Office, 2 November 2011; Organisation for Security and Cooperation in Europe, ‘Initial Set of OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies’, Permanent Council Decision No. 1,106, 3 December 2013; and ‘Report of the International Security Cyber Issues Workshop Series’, United Nations Institute for Disarmament Research and Center for Strategic and International Studies, 2016.

4 UN General Assembly, ‘Developments in the Field of Information and Telecommunications in the Context of International Security’, A/RES/53/70, 4 January 1999.

5 Thomas Rid, Rise of the Machines: A Cybernetic History (London: W.W. Norton & Co., 2016), Chapter 8.

6 ‘Basic Principles for State Policy of the Russian Federation in the Field of International Information Security to 2020’, unofficial translation; and ‘Convention on International Information Security’, Russian Ministry of Foreign Affairs, 22 September 2011.

7 See, for example, Adrian Croft, ‘Russia Says Many States Arming for Cyber Warfare’, Reuters, 25 April 2012.

8 Martha Finnemore and Kathryn Sikkink, ‘International Norm Dynamics and Political Change’, International Organization, vol. 52, no. 4, Autumn 1988, pp. 887–917.

9 Martha Finnemore, ‘Cultivating International Cyber Norms’, in Kristin M. Lord and Travis Sharp (eds), America’s Cyber Future: Security and Prosperity in the Information Age (Washington DC: Center for a New American Security, June 2011).

10 White House, ‘International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World’, May 2011.

11 UN General Assembly, ‘Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’ [hereafter Report of the 2013 GGE], A/68/98, 24 June 2013.

12 Ibid., p. 8.

13 Office of the White House Press Secretary, ‘Remarks by President Obama and President Xi of the People’s Republic of China in Joint Press Conference’, 25 September 2015.

14 See Rowena Mason, ‘Xi Jinping State Visit: UK and China Sign Cybersecurity Pact’, Guardian, 21 October 2015; Wendy Wu, ‘Handshake to End the Hacking: China and Germany Pledge for Peace in Cyberspace by 2016’, South China Morning Post, 9 November 2015; Jamie Smyth, ‘Australia and China in Pact Against Cyber Theft’, Financial Times, 24 April 2017; ‘China, Canada Vow Not to Conduct Cyber Attacks on Private Sector’, Reuters, 26 June 2017; and G20 Communiqué, Antalya, 15–16 November 2015.

15 United Nations General Assembly, Report of the 2015 GGE, A/70/174, 22 July 2015.

16 See Paul Nicholas, ‘Proposed Cybersecurity Norms to Reduce Conflict in an Internet-Dependent World’, Microsoft, 3 December 2014; Scott Charney, ‘Cybersecurity Norms for Nation-States and the Global ICT Industry’, Microsoft, 23 June 2016; and Brad Smith, ‘The Need for a Digital Geneva Convention’, Microsoft, 13 February 2017.

17 See Tim Maurer, Ariel Levite and George Perkovich, ‘Towards a Global Norm Against Manipulating the Integrity of Financial Data’, Lawfare, 28 March 2017; and Duncan Hollis and Tim Maurer, ‘A Red Cross for Cyberspace’, Time, 18 February 2015.

18 Markoff, ‘Explanation of Position’.

19 See Masha Lipman, ‘Putin’s Fear of the Internet’, New Yorker, 25 April 2014; and Director of National Intelligence, ‘Assessing Russian Activities and Intentions in the Recent US Elections’, 6 January 2017.

20 Office of the Director of National Intelligence, ‘Background to “Assessing Russian Activities and Intentions in Recent US Elections”: The Analytic Process and Cyber Incident Attribution’, 6 January 2017.

21 See Brian Fung, ‘Apple Is Pulling VPNs from the Chinese App Store. Here’s What That Means’, Washington Post, 31 July 2017; and Su-Lee Wee, ‘China’s New Cybersecurity Law Leaves Foreign Firms Guessing’, New York Times, 31 May 2017.

22 David E. Sanger, ‘Obama Order Sped Up Wave of Cyberattacks Against Iran’, New York Times, 1 June 2012.

23 Kim Zetter, ‘Legal Experts: Stuxnet Attack on Iran Was Illegal “Act of Force”’, Wired, 25 March 2013.

24 Andy Greenberg, ‘How an Entire Nation Became Russia’s Test Lab for Cyberwar’, Wired, 20 June 2017.

25 Shaun Walker and Owen Bennett, ‘Russia Withdraws Signature from International Criminal Court Statute’, Guardian, 16 November 2016.

26 Tom Mitchell and Gabriel Wildau, ‘Xi Jinping’s Anti-Corruption Purge Takes Aim at China’s Military’, Financial Times, 2 March 2015.

27 Sico van der Meer, ‘EU Creates a Diplomatic Toolbox to Deter Cyberattacks’, Council on Foreign Relations, 20 June 2017.

28 Office of the White House Press Secretary, ‘Remarks by Homeland Security Advisor Thomas P. Bossert at Cyber Week 2017 – As Prepared for Delivery’, 26 June 2017.

29 ‘Agreement Between the Government of The United States of America and the Government of The Union of Soviet Socialist Republics on the Prevention of Incidents On and Over the High Seas’, Moscow, 25 May 1972.

30 Office of the White House Press Secretary, ‘Fact Sheet: U.S.–Russian Cooperation on Information and Communications Technology Security’, 17 July 2013.

31 David Ignatius, ‘In Our New Cold War, Deterrence Should Come Before Détente’, Washington Post, 15 November 2016.

32 Adam Segal, ‘The Continued Importance of the U.S.–China Cyber Dialogue’, Council on Foreign Relations, 23 January 2017.

33 OSCE, ‘OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies’, Permanent Council Decision No. 1,202, 10 March 2016.

34 Segal, ‘The Continued Importance of the U.S.–China Cyber Dialogue’.

35 Ben Buchanan, The Cybersecurity Dilemma: Hacking, Trust and Fear Between Nations (Oxford: Oxford University Press, 2017).

36 Alex Grigsby, ‘Canada’s Military Gets More Cyber, and the Headaches That Come With It’, Council on Foreign Relations, 22 June 2017.

Alex Grigsby is the Assistant Director of the Digital and Cyberspace Policy programme at the Council on Foreign Relations.

Survival: Global Politics and Strategy

December 2017–January 2018
