Why International Order in Cyberspace Is Not Inevitable
Within the realm of contemporarily defined conventional warfare, nations have developed a set of practices called norms that define the rules of engagement. As the definition of conventional warfare has evolved over time with the inclusion of once emerging techniques like strategic bombing so too have the norms governing the uses of these technologies. Norm evolution theory examines these changes and divides their “life cycle” into “three stages… norm emergence, norm cascade, and norm internalization,” enabled by “norm leaders and norm entrepreneurs.” For cyberwarfare, clearly an emerging technology, this evolution is underway, with the UN and NATO acting as key examples of norm leaders. Unfortunately, cyberwarfare differs both in its use-patterns and methodologies in important ways, potentially hamstringing the emergence of cyber norms.
Since the actions of these “norm leaders” is so intrinsically tied to the prospects of cyber norms, Manzanec examines the doctrines of the US, China, and Russia, the “preeminent cyber actors.” Unlike with other previously emerging technologies, such as nuclear weapons, the primary actors generally regard cyberwarfare as an area where “each nation has more to gain from engaging… than from restricting it.” Accordingly, Russia and China have developed sophisticated capabilities that they seem to use with impunity. Conversely, the United States, though publicly restrained, has been exposed through various leaks, among the most important of which is Edward Snowden’s disclosure of top-secret NSA programs. These leaks, which fomented distrust “among adversaries and allies,” negate any constraining influence the US had. As such, the leaders in cyberspace have shown little interest in creating norms.
Additionally, cyberwarfare differs heavily in its methodologies from most other types of conventional warfare. Though they “have some commonalities with certain weapons…, overall, they are truly unique.” This makes creating new norms (necessary since existing norms do not apply) more difficult: norm-entrepreneurs cannot easily “graft… to existing norms.” Further, cyberwarfare’s extreme secrecy, for example around “zero-day” vulnerabilities, has created the perception that cyberwarfare is impossible to defend against, “limit[ing] the effectiveness of reciprocal agreements” and fostering proliferation. Together, these factors, along with the simple fact that it is too late to preemptively create norms, bode poorly for the organic adoption of cyber-norms.
