The constant evolution in cyberspace creates immense opportunity – and risk. While the internet makes it easy to innovate and share information rapidly, it also creates ample opportunity for relatively ambiguous and highly destructive cyberattacks. As global critical infrastructure grows ever more interconnected, so do both the attack surface and the potential cost of cyberattacks. Incidents such as SolarWinds, NotPetya, and WannaCry have demonstrated the devastating, widespread, and often non-targeted impacts of cyberattacks on innocent civilians
Establishing norms for state behavior in cyberspace is critical to building a more stable, secure, and safe cyberspace. Norms are defined as “a collective expectation for the proper behavior of actors with a given identity,” and declare what behavior is considered appropriate and when lines have been crossed. Cyberspace is in dire need of such collective expectations. However, despite efforts by the international community and individual states to set boundaries and craft agreements, clear and established cyber norms for state behavior remain elusive. As early as 2005, the UN Group of Governmental Experts (GGE) and UN Open-Ended Working Group (OEWG) both aimed to create shared “rules of the road,” but fundamental disagreements between states and a lack of accountability and enforcement mechanisms have prevented these initiatives from substantively implementing cyber norms. As a result, the international community and individual states are left with no accountability mechanisms or safeguards to protect civilians and critical infrastructure from bad actors in cyberspace.
In 2018, the Paris Peace Forum convened states and international organizations with civil society and the private sector to address persistent failures of peace, including in cyberspace. Participants issued the Paris Call for Trust and Security in Cyberspace as a result of the initial Forum. While not initially involved in the drafting, the United States announced its decision to support the Call at the 2021 edition of the Forum. This Paris Call invites all cyberspace actors, across states, non-profits, and private sector actors to come together to face digital threats endangering citizens and infrastructure. As of today, the Paris Call has over 80 nation-state governments, 700 private sector entities, and 390 civil society organizations’ public supporters.
The Call is based on nine common principles to secure cyberspace, for adoption by states, international organizations, and private-sector actors. These nine principles create the framework for discussion, debate, and development towards stronger norms and a more stable cyber space. After negotiations and stalemates in the UN GGE and OEWG processes, the Paris Call is arguably the best available tool for a wide range of actors to interact on the inclusive governance of cyberspace and build trust.
As international organizations have failed to make significant progress, operationalizing and implementing cyber norms requires sustained leadership from cyber powers and democracies like the United States. As the world’s preeminent cyber power, the United States has a unique opportunity to shape the future of cyber norms by building on the principles of the Paris Call.
This brief outlines exactly how the United States can leverage the Paris Call and its principles to structure its approach to unilaterally committing to cyber norms and establishing a more secure and democratic cyberspace. Outlined below, the Paris Call’s Nine Principles offer a compelling framework for unilateral commitments the U.S. can make to strengthen state norms and behavior in cyberspace. For each principle of the Paris Call, this paper presents a single action or unilateral commitment that the U.S. can take to align with the goals of each principle.
Saunders, Bethan and Alex Cooper. “Advancing Cyber Norms Unilaterally: How the U.S. Can Meet its Paris Call Commitments.” Belfer Center for Science and International Affairs, Harvard Kennedy School, January 2023