The Cyberspace Solarium Commission on Norms
Sang Lee is a director for cyber engagement with the Cyberspace Solarium Commission.
Ainsley Katz is a cyber strategy and policy analyst with the Cyberspace Solarium Commission.
Karrie Jefferson is a director for cyber engagement with the Cyberspace Solarium Commission.
Val Cofield is a senior director and lead for task force three with the Cyberspace Solarium Commission.
Laura Bate is a director for cyber engagement with the Cyberspace Solarium Commission. You can follow her @laura_k_bate.
The U.S. Cyberspace Solarium Commission (CSC), which released its report on March 11, 2020, evaluated different strategic approaches to defending the United States against cyberattacks of significant consequence. Per the 2019 National Defense Authorization Act, the commission was divided into three task forces. Among those teams, ours focused on using norms and non-military tools of state power to secure cyberspace.
As we conducted our research, we found significant differences in the uses of the term “norms,” which complicated efforts to articulate a path forward for the United States and even raised questions about the viability of norms as a tool for shaping behavior in cyberspace. Generally speaking, norms are considered to be “collective expectations for the proper behavior of actors with a given identity,” as defined by Peter Katzenstein in The Culture of National Security: Norms and Identity in World Politics. Below, we describe variances from this definition with no intent to redefine existing terms, but rather to provide greater context to the CSC report’s discussion of norms.
“Big N Norms”
In one sense, norms are frameworks for behavior articulated in statements, documents, or other declarations made by governments around the world. In other words, norms are what governments say they will do and what they expect others to do. Our task force came to refer to these as “big N norms.” In this context, big N norms are the product of intentional entrepreneurship and are voluntary, non-binding principles to which stakeholders in cyberspace agree. These include the norms put forth by the UN Group of Governmental Experts (GGE), such as requiring states to not knowingly conduct or support wrongful acts in cyberspace, including actions that either intentionally damage critical infrastructure or intentionally target emergency response teams.
“Little n Norms”
The following is another description of how our team saw the term “norms” used in practice. Students of norms will note that this definition does not align with conventional academic concepts but rather reflects an observed alternate usage. In this sense, the term “norms” refers to informal descriptions of what governments actually do in cyberspace. These norms occur when repetition of behavior, consciously or unconsciously carried out, goes unchallenged long enough to become a habit. Seeing the term “norms” used in this sense, we began to refer to these tolerated and habitual behaviors as “little n norms.”
Notably, our definition of little n norms did not necessarily have a sense of “oughtness,” which Martha Finnemore, a leading expert in the field and contributing expert to CSC, and other scholars consider a defining characteristic of norms. Rather, little n norms carry no judgement on appropriateness, or whether the expected behavior can be considered good or bad. This use of norms is closer to what might be simply called a description of how the world actually is.
Tensions between Definitions
Reversing Little n Norms and Creating Big N Norms
A lot of the policy discussion has revolved around reversing and containing little n norms. For example, despite bilateral efforts between the United States and China and statements from the G20 and G7, continuing cyber-enabled intellectual property theft has effectively established a little n norm. Therefore, it could be tempting to propose that the United States needs to push for a new big N norm against intellectual property theft.
However, creating new big N norms is not without potential consequences. In particular, Russia has pushed for a new treaty on cybercrime in the United Nations, which the United States fears will allow them to propose and promote new big N norms that conflict with a free, open, and interoperable cyberspace. As American leaders have consistently advocated, the United States should continue to strive for the application of existing big N norms and strengthen the existing norms to which national governments already agreed in the 2015 GGE report, rather than bending to pressure to create new big N norms.
Turning Big N Norms Into Little n Norms
In the converse case, there are big N norms that are not yet little n norms. For example, the UN GGE’s norm against attacking critical infrastructure should make attacks against hospitals off-limits. Yet, even in the midst of a global health crisis, health-care infrastructure in the United States and abroad is suffering from cyberattacks. But does such a failing mean that big N norms (formal agreements) are ineffective at promoting responsible little n norms (behavioral habits)? We argue in the CSC report that this is not the case. Rather, shaping behavior in cyberspace requires strengthening and enforcing big N norms so they change little n norms, effectively turning the principle into practice. Academics refer to this process as internalization.
How the CSC Approached Norms
In the CSC report, we talk about strengthening both big N norms and little n norms as a component of a “layered cyber deterrence” strategy. Broadly, the path to improvement that we see is through a self-reinforcing process. An international coalition of like-minded countries can coalesce around the shared goals and values articulated in big N norms. That coalition can then enforce their shared big N norms, thereby shaping little n norms to match big N norms over time. Such a coalition can employ deterrence and cost-imposition tools to greater effect than unilateral action. A group of a dozen like-minded governments demonstrated this recently by jointly condemning the October 2019 cyberattack on Georgia and attributing it to the Russian Federation.
Building this kind of international support does not come without effort; winning over non-aligned countries and bolstering relationships with U.S. partners and allies takes leadership and resources. That is fundamentally why the CSC recommends, among various capacity- and confidence-building measures, the creation of a new bureau within the U.S. Department of State, called the Bureau of Cyberspace and Emerging Technologies, led by an assistant secretary. This bureau would be responsible for coordinating norms implementation internationally. By leading the formation of this coalition, the United States can create the essential mechanisms needed to strengthen existing norms, shape behavior, and build a more stable and secure cyberspace.