Article

Abstract

Concerns over practices in cyberspace are central to the consolidating international agenda for cybersecurity. Responses to such concerns come in different shapes and sizes, and are proposed by different actors. Whether it concerns intellectual property rights, the theft of trade secrets, collection of personal data, critical infrastructure protection, DNS security, or geopolitical issues, the rise of cybersecurity as a multifaceted global issue has led to the proliferation of governance mechanisms aimed at responding thereto. While state efforts have sought to promote norms of responsible state behaviour in cyberspace, we argue that technology companies are also taking the lead as norm entrepreneurs in the context of the stability and security of cyberspace. We explore the tensions between current literature on cyber norms and the role of private actors as potential norm entrepreneurs in global cybersecurity. In an attempt to determine the position of private actors in this field, we turn to practices such as corporate diplomacy and lobbying as avenues for highlighting the methods in which corporations engage in international policymaking in general, and cyber norms in particular. We look at Microsoft’s case to unpack the company’s role in the normative development of cybersecurity globally. We analyse documents containing the company’s policies and strategies, and argue that these efforts consist of an attempt to influence global public policies on cybersecurity. In conclusion, we note that, notwithstanding these efforts, the lack of coordination between different aspects of norm-making processes illustrates the challenges facing the advancement of international cyber norms.


... 3 We take the contestation over Microsoft's legitimacy as norm entrepreneur as an entry point to the discussion of how global cybersecurity governance unfolds in practice and how, instead of focusing on either the "public" or "private" aspects of it, cybersecurity governance happens in a grey zone of continuous contestation and negotiations over who can engage in norms-making, how norms are made and what counts as norm. In a previous study, we paid attention to the first question, looking at how private actors shape cybersecurity by means of public-private partnerships, lobbying, and self-regulation (Hurel and Lobato 2018). Now, we take a step further and look at how organizational complexity might highlight different modalities of exerting influence on public policy and engage in an interdisciplinary effort to portray the socio-technical arrangements (both intra-organizationally and internationally) as parts of a norms-making continuum. ...
... Some scholars have referred to these continuous efforts as "tech diplomacy" or "corporate foreign policy" (Economist 2019). We argue that such developments have resurfaced (see Hurel and Lobato 2018; Gorwa and Peez 2018) important discussions related to the different modalities of engagement of the tech sector in shaping and taking part in global/international cybersecurity. ...
... There has been far less attention to this dimension of private governance in cybersecurity scholarship. 4 As we argued elsewhere (Hurel and Lobato 2018), IR literature on norms presents an important first step to approach this gap. But it is not enough, for it offers a far less nuanced perspective on how different kinds of private groups engage with shaping international norms of behavior for state actors. ...
Chapter
We take the contestation over Microsoft’s legitimacy as norm-entrepreneur as an entry point to the discussion of how global cybersecurity governance unfolds in practice and how, instead of focusing on either the “public” or “private” aspects of it, cybersecurity governance happens in a grey zone of continuous contestation and negotiations over who can engage in norms-making, how norms are made and what counts as a norm. In this chapter, thus, we seek to provide two major contributions to the ongoing debate on cyber norms. The first contribution is with respect to how norms are usually conceived within this debate. Rather than being contained in the written text (law and regulation), norms extend to the processes (see Finnemore and Hollis 2016) of negotiation that happens until it reaches its “final” (written) and also to the agencies, resources, and organizational and technological structures that are mobilized in order for it to reach widespread public debate. The “expectations of behavior” that are a necessary component of norms also come in different forms, including through an infrastructure of access established to promote values such as transparency and trust (e.g., Transparency Centers). The second relates to the understanding of how global cybersecurity governance unfolds in practice and which agencies count as legitimate in the process of negotiating cyber norms. As we argue, the question of whose agency should count in cybersecurity norms development is also indissociable from the question of how norms-making processes are perceived and conceptualized. We look specifically at Microsoft as a case composed of a plethora of dimensions, including a somewhat intriguing diplomatic engagement.
Despite its global reach, the company has consistently expanded the legal and policy engagement, developed an extensive list of cyber norms-specific documents, and invested in international cybersecurity initiatives (to name a few), all of which come together with promoting the security of their services and products. These and other dynamics have raised important questions as to what kind of role the private sector plays in global cybersecurity governance. We purposefully make use of the term “norms-entrepreneurship” to engage with a more critical discussion of what constitutes as norms-making in cybersecurity governance whilst simultaneously proposing a different starting point to the discussion, that is, the formal and informal practices within the private sector. This task is guided by the questions: how we can understand the role of private actors in cybersecurity governance and what it has to say about norms-promotion?
... But while it may represent a particular form of diplomatic-like engagement from the private sector, one might also wonder if this is truly an unprecedented step. In a previous study, we paid attention to how private actors shape cybersecurity and outlined at least three practices that characterise their influence in norms-development: public private partnerships, lobbying, and self regulation (see Hurel and Lobato 2018). This initial concern revolved around the understanding of private agency (who can engage in norms making?) and its contested legitimacy in cybersecurity governance. ...
... After having taken a proactive measure in advocating for a Digital Geneva Convention, the Company explicitly positioned itself as a quasi-diplomatic actor (Hurel and Lobato, 2018). Internally, it worked to develop whitepapers and policy documents aiming at broadcasting possible consensus areas for international cyber norms development and established a Global Security Strategy and Diplomacy Team, which then gradually transformed into the Cybersecurity Policy Team. ...
... Having gone through an extensive list of documents, we were able to identify further forms of communication that perhaps sets more clearly in the exercise of bringing coherence to the myriad of teams, programs and services -which we will explore in the next section, where we reassemble. In publishing whitepapers and policy papers Microsoft publicises their positions, provide an organised account of their strategy for policy engagement, and circulate their narrative for (i) cyber policy development and (ii) private sector inclusion (see Hurel and Lobato 2018). While this may be, at first, conceived as a "soft" approach to norms and policy-making, documents range from general frameworks for cloud to frameworks for national cybersecurity strategy development, cyberpolicy toolkits or even "mandatory" incident disclosure models (Microsoft n.d.). ...
Conference Paper
This paper draws on the authors' previous research on corporate entrepreneurship and deepens its discussions about the role of industry in cyber norm promotion. More specifically, it analyses Microsoft's organizational complexity to understand what its engagement with cyber norms has to say about norms promotion and private governance in cyber security. This allows us to go beyond the concepts of corporate diplomacy, lobbying, and even security outsourcing, and grasp the practices, projects, and activities that underlie the company's engagement with cybersecurity. Theoretically, it draws on reflections from Actor Network Theory relational ontology and, empirically, it builds on Van Dijck's (2013) exercise of disassembling platforms and reassembling sociality to illustrate how different practices, technologies, initiatives, relations, policies, and teams are mobilized to shape/reshape specific understandings of acceptable codes of conduct in cyberspace. This exercise illustrates how legitimacy-building and normative influence — within private governance — emerges as an outcome of a set of complex interactions within and beyond the view of corporations as homogenous and opaque organizations.
... This way, hacking was gradually turned into "a service rather than a risk, and hackers become a valuable resource rather than a threat" (p.114 [34]), creating the foundation for a striving segment of the IT security market, which in turn effects the attribution space. Furthermore, private entities have come to the fore as "norm entrepreneurs" in emerging technology governance arrangements, giving them a much more active role in the shaping of political matters than previously acknowledged [41, 42]. Calls for international attribution standards or an international attribution organization is one of the demands made in this context [7, 43, 44, 45]. ...
... Second, we deliberately chose a very well documented case in order to be able to highlight the details of the knowledge creation processes. Stuxnet, another case we could have used to show the working of the assemblage, has already received a lot of attention [41, 62, 63, 64]. In other cases, such as the Sony Pictures Hack, it would be more interesting to study the contestation process (and knowledge re-assemblage) that happens in the meaning-making phase (as was done in [22]). ...
Article
Attribution is central to cybersecurity politics. It establishes a link between technical occurrences and political consequences by reducing the uncertainty about who is behind an intrusion and what the likely intent was, ultimately creating cybersecurity “truths” with political consequences. In a critical security studies’ spirit, we purport that the “truth” about cyber-incidents that is established through attribution is constructed through a knowledge creation process that is neither value-free nor purely objective but built on assumptions and choices that make certain outcomes more or less likely. We conceptualize attribution as a knowledge creation process in three phases – incident creation, incident response, and public attribution – and embark on identifying who creates what kind of knowledge in this process, when they do it, and on what kind of assumptions and previous knowledge this is based on. Using assemblage theory as a backdrop, we highlight attribution as happening in complex networks that are never stable but always shifting, assembled, disassembled and reassembled in different contexts, with multiple functionalities. To illustrate, we use the intrusions at the US Office of Personnel Management (OPM) discovered in 2014 and 2015 with a focus on three factors: assumptions about threat actors, entanglement of public and private knowledge creation, and self-reflection about uncertainties. When it comes to attribution as knowledge creation processes, we critique the strong focus on existing enemy images as potentially crowding out knowledge on other threat actors, which in turn shapes the knowledge structure about security in cyberspace. One remedy, so we argue, is to bring in additional data collectors from the academic sector who can provide alternative interpretations based on independent knowledge creation processes.
... This is because with the increased cyberspace, opportunities do not match the approaches of providing the desired protection. Cybercrime organizations have failed to adequately employ risk resilience tactics as one way of managing and mitigating any potential threat from cyberspace activity for the benefit of their clients (Hurel & Lobato, 2018). ...
Chapter
Cybersecurity is becoming the center stage and the rightful stage for geopolitical and global business. With data privacy regulations in place, the world has experienced serious attacks. These attacks need specialized attention from highly skilled personnel to counter them. From the international perspective, venturing in cybersecurity business requires one to apply new approaches towards countering the attacks. Cybersecurity companies have raised over 21 billion dollars to create enough capital to enhance security and control. More cybersecurity unicorns such as Orca, Claroty, Wiz, Axonius and BigID have emerged to give their contribution. More and more entrepreneurs have identified this opportunity and are willing to benefit from such funding for easy startups. More than three million cybersecurity opportunities are yet to be exploited. This has been as a result of the talent gap between client's expectation and what service providers are able to offer. New entrepreneurs can utilize this opportunity and adopt the right technology when handling active cyber-attacks.
... International organizations, states and NGOs, and recently also private actors, are usually understood as drivers of this change, but individuals can become influential advocates of social norms too. The literature on norm entrepreneurship tends to overly focus on the process of norm entrepreneurship and its influence on norm formation (Kleibrink 2011; Stoeckl 2016; Hurel and Lobato 2018), but tends to take the norm entrepreneurs' agency for granted. We aim to contribute to this debate. ...
Article
Why do some actors possess more leverage to diffuse norms than others? Although it is often assumed that norm diffusion simply 'happens' through the interaction of political and cultural systems, we argue that individuals and institutional flexibility play a crucial role in the success and failure of norm diffusion. Analyzing the contending interpretation and diffusion of the Common but Differentiated Responsibilities (CBDR) norm between the Independent Alliance of Latin America and the Caribbean (AILAC) and the Association of Southeast Asian Nations (ASEAN) within the UNFCCC, we illustrate how larger political mandates, the use of informal negotiation platforms and the skills and connections of negotiators played a crucial role in the respective success and failure of norm diffusion. While the more flexible and ad-hoc AILAC was able to effectively diffuse its interpretation of CBDR into the climate regime, the strictly intergovernmental ASEAN was unable to do the same. These findings advance the literature on norm entrepreneurs from the Global South and support several assumptions of the informal institutions theory. They also show, however, the importance of individuals as a defining condition of both norm entrepreneurship and the functioning of institutional platforms.
... international/en). Exploring the changing relationship between states, big tech, and citizens, recent scholarship has demonstrated how Microsoft positions itself as a dominant player in global cybersecurity governance, namely through practices of norm entrepreneurship and policy shaping (Fairbank, 2019; Gorwa & Peez, 2020; Hurel & Lobato, 2018). We add to this existing literature by examining how Microsoft also assembles publics around cybersecurity and thereby shifts notions of legitimacy and authority. ...
Article
In this article, we advance the literature on publics in international politics by exploring the nexus between publicness and big tech companies. This nexus finds a significant expression in the increasing impact of big tech companies to mediate disputes over societal problems, deliver social goods and rearticulate public-private relationships. We develop an analytical framework by combining recent scholarship on assemblage theory and publics, allowing us to understand publicness as enacted in practices which revolve around issues and rearticulate relations of authority and legitimacy. To demonstrate the value of the framework, we show how Microsoft is involved in assembling publicness around cybersecurity. Microsoft does so by problematising and countering state-led cybersecurity activities, questioning the state as a protector of its citizens and proposing governance measures to establish the tech sector as authoritative, and legitimate “first responders.” With this rearticulating of public-private relations, we see the emergence of a political subject for whom security is not solely the right of a citizen secured by the state but also a customer service provided as per a service agreement. The study hence offers important insights into the connection between publicness and cybersecurity, state and big tech relations, and the formation of authority and legitimacy in international politics.
... Larger companies (such as Microsoft) are an exception to this rule: they seek cooperation with legislators and act as 'norm entrepreneurs' in matters related to cybersecurity, i.e., they engage in promoting societal, legal, and political norms regarding cybersecurity [88,89]. Also, though the platforms involved in enforcing the securitization of the digital public sphere are not necessarily intending this, it serves to enhance their power, particularly regarding the over-deletion of content [90]. ...
Article
The application of securitization theory to cybersecurity is useful since it subjects the emotive rhetoric of threat construction to critical scrutiny. Floyd’s just securitization theory (JST) constitutes a mixture of securitization theory and just war theory. Unlike traditional securitization theory, it also addresses the normative question of when securitization is legitimate. In this contribution, I critically apply Floyd’s JST to cybersecurity and develop my own version of JST based on subsidiarity. Floyd’s JST follows a minimalistic and subsidiary approach by emphasizing that securitization is only legitimate if it has a reasonable chance of success in averting threats to the satisfaction of basic human needs. From this restrictive perspective, cyber-securitization is only legitimate if it serves to protect critical infrastructure. Whilst Floyd’s JST focuses exclusively on permissibility and needs instead of rights, I argue that there are cases in which states’ compliance with human rights obligations requires the guarantee of cybersecurity, most importantly regarding the human right to privacy. My version of JST is also based on the principle of subsidiarity, in the sense that securitization should always include stakeholders directly affected by a threat. To strengthen this kind of subsidiarity, focused on the private sector, I argue for the legitimacy of private active self-defence in cyberspace and emphasize the importance of a ‘whole-of-society approach’ involving digital literacy and everyday security practices. Moreover, I argue that far-reaching securitization on the nation-state-level should be avoided, particularly the hyper-securitization of the digital public sphere, following unclear notions of ‘digital sovereignty’.
... Against the backdrop of legal uncertainty associated with the presence of indeterminate terms under current legislation and the fact that recommended technical standards are typically not legally binding for business corporations, private actors may play an essential role in cybersecurity governance by implementing and shaping security standards. For example, Hurel and Lobato (2018) discuss the role of private companies as entrepreneurs of cyber standards, with particular attention to Microsoft's efforts to influence global security standards and policies. In this paper, however, we will focus more on the particular role that cyber insurance companies can play in promoting security standards. ...
Preprint
Based on classical contagion models we introduce an artificial cyber lab: the digital twin of a complex cyber system in which possible cyber resilience measures may be implemented and tested. Using the lab, in numerical case studies, we identify two classes of measures to control systemic cyber risks: security- and topology-based interventions. We discuss the implications of our findings on selected real-world cybersecurity measures currently applied in the insurance and regulation practice or under discussion for future cyber risk control. To this end, we provide a brief overview of the current cybersecurity regulation and emphasize the role of insurance companies as private regulators. Moreover, from an insurance point of view, we provide first attempts to design systemic cyber risk obligations and to measure the systemic risk contribution of individual policyholders.
... There have also been several studies of non-state actors' attempts to construct global cybersecurity norms. Louise Marie Hurel and Luisa Lobato (2018), for instance, use Microsoft as an example to unpack the role of private companies as norm entrepreneurs. ...
Article
China’s cyber norm-building efforts can be usefully explored based on the concept of the norm life cycle developed by Finnemore and Sikkink. Although China puts cyber sovereignty and government involvement at the core of its cyber governance approach, its Internet policies are a result of interactions between state agencies and business units, and recent reforms suggest greater involvement of Chinese companies. Moreover, many countries, including some from the West, have placed increasing emphasis on intergovernmental involvement and data sovereignty when developing their Internet policies. The EU, for instance, believes that digital sovereignty is necessary to protect its own market from US and Chinese technology giants. Despite the fundamental differences between Brussels's digital sovereignty and Beijing’s cyber sovereignty, the dichotomy between China’s sovereignty-oriented approach and the more open approach of Western countries is more blurred than it may appear, leading to Western countries, the EU in particular, potentially becoming more receptive to China’s cyber norms.
... Through cross-signing initiatives, attending and conducting meetings at the sidelines of major political gatherings, including G7 and G20 meetings, UN-led conventions or major security conferences, technology firms of the likes mentioned above have gained foothold in political arenas and have come to establish themselves as (quasi-)diplomatic actors (Hurel and Lobato 2018b; Gorwa and Peez 2018). 12 The resonance and uptake of private normative efforts across fora such as the European Union are evidence of their successfully executed roles as norm leaders and also speak to their capacity to promote diplomatic and political changes. ...
Chapter
What are the consequences of making cyberspace increasingly reliant on satellites and other types of space infrastructure? And what is the meaning and significance of an interplanetary cyberspace? The chapter addresses these developments specifically concerning infrastructure, militarization, and privatization. The consequences observed are summed up as fragmentation, vulnerability, and uncertainty. Cyberspace in space implies fragmentation in terms of stakeholders and governance, and ultimately in terms of power and accountability. Vulnerability increases as cyberspace becomes satellite-based (space is certainly not a safe environment, and satellites can be attacked by anti-satellite weapons as well as new forms of hacking and denial of service). Uncertainty is tremendous, particularly in terms of both what norms and principles will apply (compare the debate on Internet freedom vs. Internet sovereignty), and whether militarization or civilian and even utopian ideas will prevail.
... First, the great power construct often incurs in an over-simplification of state-state relations in which private companies have considerable power over the governance of networked infrastructures and the production of knowledge about threats. 9 The ransomware attacks promoted by the Russian group Darkside against the state-owned Brazilian energy supplier Copel 10 and, most notoriously, Colonial Pipeline, 11 provide examples of the pervasive private oversight over critical infrastructure. ...
... Under the background of the knowledge economy, increasing entrepreneurs get down to starting science and technology enterprises (Hurel and Lobato, 2018). As innovative and pioneering enterprises with high growth and high risk, science and technology enterprises mainly rely on high-tech research and development (R&D) talents. ...
Article
The empirical study reported here aims to improve the effectiveness of knowledge-based talent management in science and technology enterprises and promote the stable development of enterprises. First, the impact of entrepreneurs’ psychological cognition and personal characteristics on entrepreneurial activities is analyzed based on entrepreneurial psychology. Then, the theory of key competence is introduced to study the management mode of knowledge-based talents. The advantages of talents in enterprises are sorted out through constructing the key competency model to manage talents efficiently. The technology-based enterprise M is taken as an example for analysis by the key competence model to obtain 18 key capability indexes. Through the principal component analysis of 255 employees’ survey results, finally, four factors are extracted (business execution ability, team cooperation ability, strategic thinking ability, and management decision-making ability), which can reflect 68.92% of the total key competence. The average values of “business execution ability” and “team cooperation ability” in the first-level dimension of key competence index are 4.14 and 4.24, respectively, which can be regarded as the essential key competence. The investigation results of the academic qualifications of staff of M indicate that 6% of employees have a doctorate, 38% have a master’s degree, 37% have a Bachelor’s degree, and 19% have a junior college degree or below. Moreover, knowledge-based employees are basically satisfied with the organization and management of the company, but they are dissatisfied with the training mechanism and promotion mechanism. Therefore, enterprises should pay attention to the psychological needs of knowledge workers and the innovation of talent management. The research results are of significant value for science and technology enterprises to absorb and retain knowledge-based talents and promote the common development of enterprises and employees.
... Threat actors often exploit vulnerabilities in digital products, making information and communication technology (ICT) companies an initial target of their operations in order to reach their ultimate goals (Hurel and Lobato 2018). The exploitation of vulnerabilities within the supply chain of digital products by Advanced Persistent Threat (APT) actors may impose high economic costs and impact international stability. ...
... Important recent work has laid the foundations for examining norms related to cybersecurity from multiple perspectives (Finnemore & Hollis, 2016; Tikk-Ringas, 2016; Dai & Gomez, 2018; Hurel & Lobato, 2018; Pawlak & Biersteker, 2019; Broeders & van den Berg, 2020). On this basis, more extensive analyses that go beyond disciplinary lenses are beginning to emerge, but we continue to lack a comprehensive understanding of the normative impetus for processes-in-the-making. Grasping who has the means and the capacity to stimulate, promote, and sustain normative change, and under what conditions this process takes place, is central to taking forward debates on governance reform in the digital environment. ...
Article
This special issue is the first to systematically address the activity we call “normfare” - the assiduous development of norms of very different character (public and private, formal and informal, technically mediated and directly implemented) by different actors (platforms, standard-setters, states) as an answer to the wide range of challenges facing internet governance. We bring together contributions from leading anthropologists, technologists, political scientists, legal and communication scholars exploring how norms underpin the new ordering of the internet, whether in explicit or implicit forms. Through various theoretical lenses, contributions analyze the impact of platforms, states, civil society, expert groups and key individuals on restructuring the normative order of the internet, and present empirical evidence for instances of norm creation, legitimation, contestation and opposition. Valuable new insights for norm development processes come from case studies, ethnographies, legal and discourse analysis and interdisciplinary approaches locating agency and power plays. In this introduction, we define the key concepts applicable to norm entrepreneurship and discuss their interplay in internet governance debates, followed by an overview of the articles included in the special issue. In the final section, we reflect on the implications of our new research agenda.
... Second, the Special Issue contributes to the norms literature by focusing on mediators as a new actor in the norms literature. Current research on agency has focused on different actors as norm entrepreneurs, including individuals (Alford 2008; Bratberg 2011; Budabin 2015), diaspora communities (Antwi-Boateng 2011), regions and regional institutions (Allison-Reumann 2017; Checkel 2005; Ingebritsen 2002), Transnational Advocacy Networks (TANs) (Acharya 2013b; Keck and Sikkink 1998; Price 2003; Risse et al. 1999), states (Sandholtz 2008), and business groups (Flohr 2010; Hurel and Lobato 2018; Sjöström 2010). Mediators constitute a yet unexplored actor in the norms literature. ...
Article
International mediators are often tasked to promote liberal norms. However, dilemmas created in diffusing these norms, influenced by the mediators’ interaction with the conflict parties and a decline of the liberal international order, have fueled debates about how norms are diffused through mediation, whether mediators should and can promote norms, and what norms they promote. The IR literature provides rich theoretical frameworks on norms, which could help navigate these questions. Yet, mediation scholars have not systematically integrated ideational aspects in their analyses. This Special Issue fills this gap by providing the first comprehensive analysis of how norms matter in mediation. It thereby not only shares novel analytical insights on norms in mediation, but also enriches the conceptualizations of three central notions in the norms literature: the norm diffusion process, the agency of actors, and the nature of the diffused norms.
... The Private Security Events Database, directed by Deborah Avant of the University of Denver, provides an accessible place on the Internet to report and quickly disseminate information relating to private military and security companies and incidents involving their employees. As the private military and security industry becomes more diversified, more focused research will also be published on the regulation of specialized sectors of the industry, such as the outsourcing of intelligence and cyber capacities (Cavelty, 2015; Farrand & Carrapico, 2018; Hurel & Lobato, 2018; Leander, 2014; Shorrock, 2008) or the privatization of maritime security functions (Caldwell, 2012; Liss, 2013; Ralby, 2018). Now that these companies have been operating for decades, it is possible to gather both quantitative and qualitative data to measure the industry's effectiveness. ...
... This makes economic sense given that they directly indemnify the victims. Yet, technology companies have taken the lead as cyber norm entrepreneurs (Hurel and Lobato 2018) and no traditional insurers have yet signed the Cybersecurity Tech Accord led by Microsoft. ...
Article
Definitions of war found in cyber insurance policies provide a novel window into the concept of cyber war. Mediated by market forces, changes in policy wording reflect shifting expectations surrounding technology and military strategy. Legal cases contesting war clauses probe state-formulated narratives around war and offensive cyber operations. In a recent legal case, an insurer refused to pay a property insurance claim by arguing the cause of the claim—the NotPetya cyberattack—constitutes a hostile or warlike action. To understand the implications, we build a corpus of 56 cyber insurance policies. Longitudinal analysis reveals some specialist cyber insurance providers introduced policies without war clauses until as late as 2012. Recent years have seen war exclusions weakened as cyber insurance policies affirmatively cover “cyber terrorism”. However, these clauses provide few explicit definitions, rather they prompt a legal discourse in which evidence is presented and subjected to formal reasoning. Going forward, war clauses will evolve so insurers can better quantify and control the costs resulting from offensive cyber operations. This pushes insurers to affirmatively describe the circumstances in which cyber conflict is uninsurable.
... However, cyber norms remain contested at the international level (Grisby, 2017). More recently, the interest of researchers shifted to the role of the creators (mostly private entities) and exploiters (sub-, semi-, and non-state actors) of digital technologies in shaping the behavioral standards that new regulation needs to take into account (Hurel & Lobato, 2018). States need to know how their intelligence services work in cyberspace, because through their tools and practices they set practical norms of acceptable (cyber) espionage with far-reaching effects on state behavior in cyberspace (Georgieva, 2019). ...
Article
In the last decade, cyber incidents have become more expensive, more disruptive, and in many cases more political, with a new body of theoretically informed research emerging in parallel. This article provides the intellectual history to situate this literature in its broader evolutionary context. After identifying and discussing six drivers from the fields of technology, politics, and science that have been influential in the evolution of cyber security politics and how it is studied, we describe three historically contingent clusters of research. Using the same driving factors to look into the future of research on cyber security politics, we conclude that it is a vibrant and diverse biotope that is benefitting from its interdisciplinarity, its relevance for policy, and its cognizance of the interplay between technological possibilities and political choices of state actors.
... Insurers also take a position within the norms debate by advocating against offensive cyber operations, a role predicted by Anderson (1994) in 1994. This provides another instance of a private company acting as a cyber norm entrepreneur (Hurel and Lobato, 2018). As hierarchical networks pursuing shareholder value, insurers are different in structure and purpose to the transnational advocacy networks described by Keck and Sikkink (2014). ...
Conference Paper
Definitions of war found in cyber insurance policies provide a novel window into the concept of cyber war. Changes in policy wording reflect shifting expectations surrounding technology and military strategy as mediated by market forces. In a recent legal case, an insurer refused to pay a property insurance claim by arguing the cause of the claim, a cyber attack, constituted a hostile or warlike action. We build a corpus of 56 cyber insurance policies. Longitudinal analysis reveals distinct market trends. Some specialist cyber insurance providers introduced policies without war clauses until as late as 2012. Recent years have seen war exclusions weakened as cyber insurance policies affirmatively cover "cyber terrorism". This article explores the economic, strategic, and regulatory forces driving war clauses in cyber insurance policies. We then discuss how these definitions contest state-formulated narratives around war by arguing that the insurance industry can influence discourses on offensive cyber operations. Insurance policies constitute private contracts that do not confer rights or responsibilities on third-parties, in this case states. Legal cases do, however, provide a symbolic platform to present evidence about offensive cyber operations and subject it to legal reasoning. Nevertheless, states maintain significant structural power in influencing what evidence can be presented in court and in controlling its production by intelligence agencies.
... Ultimately, only states make international law; moreover, there are obvious question marks surrounding the legitimacy of endeavors initiated by private actors. Still, these initiatives do contribute in important ways to "the pluralisation of international norm-making." The proliferation of cyber norms initiatives that are non-state driven but state-oriented gives states a unique opportunity to learn from, engage with, and react to those initiatives. ...
Article
In late 2018, the New York Times reported that the U.S. Cyber Command had targeted individual Russian hackers in order to deter them from engaging in conduct that could affect the organization and outcome of the U.S. mid-term elections. This unusual preemptive step suggests that states are looking for creative solutions to safeguard their national interests in cyberspace. But to what extent should their conduct be guided by considerations of international law? In this essay, I explore several key aspects of that central conundrum. I argue that (1) we should see cyberspace as an underregulated (but not ungoverned) domain; (2) a main reason for that state of affairs lies in a unique strategic dilemma innate to the cyber domain; and (3) non-state initiatives, including the eponymous “rule book on the shelf,” have a critical role to play in the development of the law in this area.
... Conclusion. It may be that states are not convinced of the need to regulate cyberweapons, which means that decisive political will supporting prohibition is unlikely. Certainly, we have not yet seen sufficient evidence of their promised capabilities to engage the public imagination or to engender moral entrepreneurship or resistance on the issue (Nadelmann 1990; but see, Hurel and Lobato 2018). The emphasis thus far has been on regulation, in keeping with other weapons classes; these attempts are partial and contested. ...
Chapter
This chapter renders explicit what is submerged in previous analyses of cyberweapons regulation and governance: the operations of power in shaping this field of politics and policy. It addresses nascent attempts to regulate cyberweapons and explores the operations of power in the global information-technological assemblage that shape their development, possession and use. First, a short preamble sets out the conceptual foundations of the chapter in terms of both regime theory and power analysis in International Relations. There follow four outline case studies, each focusing on an aspect of cyberweapons regulation and governance previously established as problems for the development of a global cyberweapons regime. The first concerns productive power and the role of the NATO Tallinn Manual Process in constructing cyberweapons as legitimate military instruments. The second is the role of US structural power in incentivising cyberweapons markets, which undermines multilateral attempts to regulate dual-use technologies associated with cyberweapons. The third examines the Internet as a source of institutional power, arguing that the design of the Internet provides affordances for cyberweapons. The fourth addresses compulsory power and diplomatic relations between the great powers, which resolve to differing interpretations of sovereignty that constrain the emergence of a global cyberweapons regime.
Article
This research examines the role of psychological operations as strategic instruments for normative change, with a focus on the Cold War broadcasts of Radio Free Europe and Radio Liberty. Using a constructivist framework, it identifies three key components shared by psychological operations and the norm change process: the agency of norm entrepreneurs, the use of framing techniques, and the intended normative influence. Through an in-depth analysis of archival documents, this research explores how the radio broadcasts reshaped public perceptions, countered Soviet narratives and promoted democratic norms across the Iron Curtain. The core findings reveal that psychological operations extend beyond simple information dissemination, operating as a dynamic and strategic approach for promoting norms. This approach relies on the employment of tailored framing and coordinated involvement of state and non-state actors, directed by intelligence agencies to craft and convey messages that foster desired normative shifts. These actors, identified here as norm entrepreneurs, bear responsibility for the planning and execution of psychological operations utilizing strategic communication skills to promote norms that resonate effectively with their target audiences.
Article
International discussions on establishing and implementing norms for behavior in cyberspace have spanned over two decades. However, differences in what constitutes ‘acceptable conduct’ have hindered progress in forming these norms. In recent years, Western countries have adopted a strategy to signal what is considered unacceptable behavior by publicly attributing cyberattacks and intrusions. I argue that this act of official public attribution serves as a practice for countries to express their disapproval of inappropriate cyberspace behavior and condemnation and can cumulatively shape international practices, holding the attacking state accountable. I explore this by (1) analyzing new data from the European Repository of Cyber Incidents, which shows patterns of official public attributions for the years 2000–2023, providing exploratory directions and trends, and (2) examining the Iranian cyberattack against Albania in 2022 and its subsequent official public attributions as an illustrative case study. I demonstrate how repeated instances of official public attribution can contribute to the development of a common practice that signals dissatisfaction of a specific behavior. As state-sponsored cyberattacks and intrusions are on the rise, this practice could have an accumulative effect.
Article
This article analyses in detail the Internet.org project set up by Facebook, which aims to connect developing countries to the internet, a project that constitutes a veritable laboratory for grasping the role that the major digital platforms intend to play as actors in international relations. In line with work in international political economy, the article studies how, through Internet.org, this company has sought to exploit, to its greatest benefit, the emerging markets of the countries of the Global South, but also how, by this means, it has set itself up as an actor capable of solving their problems of socio-economic development. It shows how, by investing in this domain, Facebook has promoted a very specific vision of what development should be, in line with its own interests, a vision that the firm has sought to have shared on a global scale through a veritable diplomatic offensive. The strategy pursued by Facebook in this context and the discourse legitimising it are identified on the basis of an abundant corpus consisting of documents produced by the company and its chief executive, Mark Zuckerberg.
Article
How can we explain the varying participation of non-state actors in UN cybersecurity governance? While research often underlines the importance of non-state actors in governing cybersecurity, research on international non-state actors’ activities also shows that shrinking spaces reduce opportunities for these actors. So far, we do not know how these two seemingly opposing developments impact UN cybersecurity governance. In this article, we analyze how state interests, ideas on representation, and institutional context affect non-state actor participation in three UN forums for cybersecurity, namely the IGF, OEWG, and AHC. Based on qualitative data and a quantitative participation analysis, we find that institutional mandates of forums remain open to non-state actors but to varying degrees. Conflicts among states affect non-state actors strongly, but often indirectly, because their participation becomes politicized, and states increasingly contest ideas on their participation. These effects concern all groups of non-state actors. All in all, our results suggest that UN cybersecurity governance is still open to non-state actors, but despite functional arguments, their participation is facing growing resistance over time. At the same time, reasons why non-state actors choose to participate or not require more consideration.
Book
By combining theoretical discussions with real-world examples, The Politics of Cyber-Security offers readers valuable insights into the role of cyber-security in the realm of international politics. In the face of persistent challenges stemming from the exploitation of global cyberspace, cyber-security has risen to the forefront of both national and international political priorities. Understanding the intricacies and dynamics of cyber-security, particularly its connections to conflict and international order, has never been more essential. This book provides the contextual framework and fundamental concepts necessary to comprehend the interplay between technological opportunities and political constraints. Crafted to resonate with a diverse audience, including undergraduate and postgraduate students, researchers, course instructors, policymakers, and professionals, it aims to bridge gaps and foster understanding across various backgrounds and interests.
Article
It is only in the last two decades that states have started to focus on the need to use traditional diplomatic means in discussions surrounding cyber-policy. This article explores how these discussions have been progressively ‘diplomatised’. Diplomatisation is proposed in this article as a process which involves external and internal dynamics of institutionalisation and positioning, both of which are essential for the successful creation of a new diplomatic field. Understanding the emergence of cyber-diplomacy is crucial to recognise the successes, frustrations and opportunities associated with the (lack of) regulation when it comes to responsible state behaviour in this domain. This article does so based on 40 interviews conducted with diplomats and experts involved in the emergence of cyber-diplomacy. It looks at the idiosyncratic evolution of this field within specific nation states as well as overall developments at the international level, particularly within the context of the United Nations.
Article
Microsoft is making strategic attempts to change the US government's practices of exploiting technical vulnerabilities in Microsoft software for military and intelligence purposes. So far, these efforts have not borne fruit. Microsoft's strategy has much in common with one of the most common strategies proposed by the IR literature on norm entrepreneurship in terms of exposing the contradictions between the government's ideals and practices. The article contributes to this literature by examining Microsoft's strategy through Lacanian psychoanalysis and suggests that it fails to work as intended, not because the US public or those in government remains unaware of the contradictions, but because the strategy is unable to address the existing desire to transgress the cyber ideals. Lacan's formula for transformation, the Analyst Discourse, provides an alternative framework for examining norm entrepreneurial potential in light of such transgressions. It proposes that the entrepreneur must occupy a position as the (psycho)analyst who hystericizes the norm violator. The article revisits Microsoft's attempt to halt the militarization of cyberspace and argues that the proposal of becoming a "Cyber Red Cross" holds a potential to hystericize but cannot succeed as long as Microsoft refuses to repress its status as a profitable cyber expert. (Draft accepted by International Studies Quarterly.)
Article
Based on classical contagion models we introduce an artificial cyber lab: the digital twin of a complex cyber system in which possible cyber resilience measures may be implemented and tested. Using the lab, in numerical case studies, we identify two classes of measures to control systemic cyber risks: security- and topology-based interventions. We discuss the implications of our findings on selected real-world cybersecurity measures currently applied in the insurance and regulation practice or under discussion for future cyber risk control. To this end, we provide a brief overview of the current cybersecurity regulation and emphasize the role of insurance companies as private regulators. Moreover, from an insurance point of view, we provide first attempts to design systemic cyber risk obligations and to measure the systemic risk contribution of individual policyholders.
Article
The state's sovereignty over its territory encompasses all the elements of that territory. In this context, the right of passage appears as a right arising from states' need to reach, and establish a connection with, territories of theirs that are separated from their mainland. Although the existence of the right of passage in international law is established, matters such as the source and nature of this right are disputed. Matters such as the source and character of the right of passage, and whether it is permanent, are factors that affect how the right is characterized. In addition, in the doctrine the right of passage is expressed through the concept of servitude, which was transferred to international law by means of an analogy from private law. Servitudes are a type of right in rem that has existed, on land, in the domestic law of states from Roman law to the present day. This right is used to characterize the right of passage established so that the state concerned can access its enclave territory. Although acceptance of the servitude concept was dominant in doctrine and practice in the 19th and early 20th centuries, criticisms directed at this view in later years have conceptually prevented servitudes from being used to characterize the right of passage. As a result of the Second Karabakh War, which ended with the agreement concluded between Azerbaijan and Armenia on 9 November 2020, debates concerning the “Zangezur line” connecting Nakhchivan, the enclave part of Azerbaijan, with the Azerbaijani mainland have returned to the agenda of the international community. In this context, Article 9 of the said Agreement provides that transport between the Nakhchivan Autonomous Republic and Azerbaijan will be ensured through a corridor to be established in the Zangezur region. Consequently, the need has arisen to determine the meaning, in terms of international law, of the right of passage provided for in the Agreement in question.
By approaching this ongoing debate on the Zangezur line from the perspective of international law, in the context of the concepts of right of passage and servitude, our study aims both to make a constructive contribution to the agenda in question and to reopen the concepts of right of passage and servitude in international law for discussion.
Article
Law is one of the important instruments for regulating human activity in cyberspace in the digital age. The law of cyberspace has the characteristics of globality and legal plurality. The characteristic of globality means that the law to be applied in this domain cannot be confined to a national, regional or interstate framework. This characteristic requires focusing on a structure that strains social and cultural boundaries as well as regional jurisdictions, national legal orders and international relations. Legal plurality, the other characteristic of the law of cyberspace, refers to different normative orders and to different rule-makers that need to be considered together with debates on legal pluralism. In cyberspace there are normative systems, other than traditional state law, that regulate human behaviour through various sanctions. The law of cyberspace is shaped by relations of cooperation, bargaining and conflict among states, companies and users. The legal regulations and legal institutions produced by these relations taking place in cyberspace express a system of thought and the reproduction of particular economic relations. The exchange of functions and roles between states and companies, which are the rule-making actors in cyberspace and which in particular shape and apply norms, comes to the fore. This study, which focuses on the relationship between state and corporate actors, explains the phenomena of institutional change in the formation of law and the blurring of boundaries between actors, namely the corporatization of states and the statization of companies, and illustrates this transformation in terms of internet governance, the commercialization of surveillance, and the positions of companies in relations between states. In addition, the relations between states and companies and the exchange of roles and functions also have various consequences in the field of law.
The effect of the characteristics of capital's movement on legal regulations concerning cyberspace, the increase in flexibility, the decrease in accountability and oversight, the spread of forms of regulation such as soft law, contract and code, the transformation of end users from rights holders into consumers, and the fact that this transformation concerns not only procedure but also substance are addressed as the consequences, in the field of law, of the change in relations between states and companies in cyberspace.
Article
Developing cybersecurity norms and global normative cybersecurity behaviors play an increasingly critical role in global cybersecurity governance. This paper takes a longitudinal approach to analyze cybersecurity norms development activities during the period 1997–2020. A total of 206 individual cases were collected, and 233 individual cybersecurity norms were identified and compiled into 25 subject categories. Categorizing the norm subjects alongside the frequency of cases and norms identified each year allowed for a longitudinal view of cyber norm activities and the evolution in developments over these years. This examination enables us to categorize cybersecurity norms, including their dynamic focus and evolution patterns. By studying those viewed as “successful,” we gain guidance regarding the construction of global cybersecurity governance in the digital age.
Book
The Cyber Defense Review Vol. 7 No. 3 Summer 2022
Article
Contrary to its original founding history, the Internet appears to be increasingly instrumentalized by state actors. Autocracies, in particular, are increasingly using cyberspace as a space for offensive conflict resolution. However, democratic states have also developed genuine power resources in digital space, primarily on the basis of their technological superiority. This literature review provides an analysis of the political science research landscape’s approach to power in cyberspace to date. Previous conceptualizations are compared and combined into an integrative model that differentiates mainly between power resources and power functions. To make these empirically visible, the proxy-concept is first discussed in terms of its theoretical implications and then used as an analytical reference category for discussing specific debates about power in cyberspace. These relate firstly to the use of offensive cyber proxies by autocratic states, secondly to the instrumentalization of defensive cyber proxies by democratic states, and thirdly to the respective role of state proxies for both regime types in the context of an agenda-setting function at the international level. In each case, a distinction is made between the two categories at the hard and soft power level, which makes it possible to more explicitly elaborate the limited, but in part existing, significance of material power functions that can be pursued by proxies in cyberspace. In all three empirical fields, power in cyberspace refers predominantly to information as a central resource, which is used primarily to manipulate existing asymmetries vis-à-vis external and internal actors on the part of autocratic and democratic governments. 
In this context, power plays an important role for offensive as well as defensive escalation control in the context of conflicts, but also power resources of non-state actors, which are aimed at discursively influencing international efforts to regulate cyberspace as a conflict resolution domain.
Article
New technologies create new challenges for global security that leave even the most militarily powerful countries vulnerable to attack. Countries are gearing up for electronic warfare and, in this realm, the old rules of international conflict either do not apply or have not been developed. Governments have yet to find stable policy solutions to match potential cyber threats. The challenge then is to establish new global norms concerning acceptable behavior in cyberspace. This article analyzes the attempts to construct global cybersecurity norms. It differs from much of the existing literature on norm‐construction since it moves beyond the interstate level to examine subnational groups and private sector actors that function as norm entrepreneurs in this policy area. The article posits that while nation states remain central, nonstate actors are playing an increasingly important role in cybersecurity norm‐building, supplementing state action, and, to some degree, compensating for state inaction when cooperation reaches an impasse. Related Articles Glen, Carol M. 2014. “Internet Governance: Territorializing Cyberspace?” Politics & Policy 42 (5): 635‐657. https://doi.org/10.1111/polp.12093 Hellmeier, Sebastian. 2016. “The Dictator's Digital Toolkit: Explaining Variation in Internet Filtering in Authoritarian Regimes.” Politics & Policy 44 (6): 1158‐1191. https://doi.org/10.1111/polp.12189 Zeng, Jinghan, Tim Stevens, and Yaru Chen. 2017. “China's Solution to Global Cyber Governance: Unpacking the Domestic Discourse of ‘Internet Sovereignty.’” Politics & Policy 45 (3): 432‐464. https://doi.org/10.1111/polp.12202
Article
The stability in the cyber domain is rapidly deteriorating on several fronts marked by increasing sophistication of cyberattacks, declining consensus on global internet governance and intensifying great power competition. These challenges were critical turning points among nation-states to recalibrate prevailing cyber diplomatic engagements. This article investigates the increasing prominence of deterrence in the practice of cyber diplomacy in the Asia Pacific. Using Japan and Australia as case studies, it argues that both states continue to adhere to the conceptual tenets of cyber diplomacy, however, in practice, there is a growing integration of deterrence—cyber capabilities and public attribution/naming and shaming—in the equation at varying degrees and intensities. The article endeavours to make two important contributions: First, revitalize the existing cyber diplomacy framework by challenging the extant literature’s view of deterrence’s limited application—underpinned by cold war analogies—and the implausibility of conducting attribution of cyberattacks. Secondly, evaluate Japan and Australia’s cyber diplomacy based on empirical evidence. Key findings suggest that deterrence reinforces/complements the fundamental elements present in the cyber diplomacy playbook. While slight variation exists, there is a strong acquiescence between Japan and Australia to expand existing cyber cooperation to tackle critical and emerging technologies, supply chain, and data governance.
Article
This paper investigates whether and how the twin UN processes of the UN Group of Governmental Experts (UN GGE) and the Open-Ended Working Group (OEWG) are willing and able to address two 'below-the-threshold' problems in their deliberations. The call for the protection of the public core of the internet and the call for the protection against foreign election interference have been flagged by many state and non-state parties for consideration by both processes. This paper analyses the threats that the vulnerability of the public core of the internet and foreign election interference pose for stability in cyberspace, as well as the legal and normative proposals that have been suggested to promote responsible state behaviour. On the basis of the public documents that states have submitted to the more transparent OEWG process, the contours are sketched of what the inclusion of these issues in possible consensus reports for both processes may look like. The OEWG concluded its deliberations with a consensus report that addresses some aspects of these issues, shifting the task of further elaboration and guidance firstly onto the ongoing UN GGE process, as well as onto the new OEWG 2021-2025 and other UN processes that are emerging.
Article
The United Nations OEWG (Open Ended Working Group) focused on cybersecurity provides the context for an examination of idea entrepreneurship regarding the role of nonstate actors and the concepts of human rights, gender and sustainable development against the backdrop of a global pandemic and increasing cybersecurity challenges. Crafting a cross-disciplinary conceptual framework based upon a review of relevant literatures, this study uses archival and content analysis to highlight those organizations serving as idea entrepreneurs and those contesting such ideas. Findings include the presence of key divides among idea entrepreneur organizations (including among nation-state organizations themselves) as well as key linkages among a ‘galaxy’ or interconnection of ideas forged with potential to bridge such divides. Additionally, mention of the pandemic emerges as a factor catalyzing idea entrepreneurship with a focus on critical infrastructures.
Article
This article explores the actions of Chinese stakeholders as norm entrepreneurs in mobile Internet standard-making within the 3rd Generation Partnership Project (3GPP). Through semi-structured interviews with key experts from the Internet stakeholder communities, this article contextualises a rapidly transforming and increasingly politicised issue in the broader context of China's engagement with the global multistakeholder Internet governance architecture, as well as the debate on China's rise in the Liberal International Order. Furthermore, it incorporates the views and experiences of technologists working first-hand in standard-making, as they are often disregarded in political-scientific literature. Through the analytical lens of cognitivist regime theory, this article argues that the stronger China and Chinese stakeholders grow economically and politically, the more they become involved in the existing Internet governance regime complex, increasing their influence in the existing institutional arrangements without necessarily acting for changing their norms, rules, and principles. Through these theoretical and methodological approaches, new light is shed on the role of private and public Chinese stakeholders and on the relation between them.
Article
Cybersecurity is a contested concept. While some definitions focus on technical aspects, other insist on the strategic and geopolitical dimensions. Recently, the definition has included development-related aspects in an increasingly digitalised economy. Instead of cybersecurity, international organisations such as the OECD and private companies now focus on the management of digital risk. While this shift represents an opportunity to include new actors and issues on the political agenda, it does not lead to the de-securitisation of cyberspace, nor to the promotion of cyber peace. This article explores the debates around the definition of cybersecurity with a particular focus on how Colombia became one of the first states to follow the 2015 OECD guidelines on the management of digital risk as part of an effort to join the organisation. It describes how the resulting perspective on cybersecurity evidences a market-centred approach focusing on the development of a digital economy. However, it also discusses why the evolution of cybersecurity policies in Colombia represents a missed opportunity to design a cyber peacebuilding policy in a post-conflict context.
Article
The article examines the legal qualification of state-led information operations that aim to undermine democratic decision-making processes in other states. After a survey of the legal attitudes of states towards such operations during the Cold War, the impact of the digital transformation on the frequency and quality of information operations is explained. The article assesses scholarly responses to the outlined paradigm shift regarding the prohibition of intervention, respect for sovereignty, and the principle of self-determination. The study then inquires whether it is possible to detect a change in how states qualify adversarial information operations by tracking recent state practice and official statements of opinio juris. The survey concludes that there is insufficient uniformity to allow for an inference that the content of the analysed rules of customary international law has already shifted towards more restrictive treatment of foreign interference. As a possible way forward, the article ends with a proposal to focus on deceptive and manipulative conduct of information operations as the most viable path to outlaw such state behaviour in the future. Instead of attempting to regulate the content of information, this approach is better suited to safeguard freedom of speech and other potentially affected civil rights.
Article
This research seeks to understand the role that corporations can play as global cyber norm entrepreneurs via a case study of tech giant Microsoft’s engagement in emergent international cybersecurity norms. Two key questions are addressed, including how Microsoft has been acting as a norm entrepreneur and what these actions indicate about the company's underlying objectives. Understanding Microsoft's processes and aims as a norm entrepreneur can help scholars better determine how corporate actors may fit into – or challenge – both existing norm creation theories and the development of global cyber policies. This research highlights three key takeaways that may inform further research: (1) In contrast to traditionally state-centric IR norm research, more focus is needed on the relationship between corporations and citizens when companies are acting as cyber norm entrepreneurs; (2) Four main objectives drive Microsoft’s attempts at cybersecurity norm entrepreneurship: trust building, software protection, balance of responsibility and sociopolitical influence; and (3) Microsoft provides an empirical example of a private corporation utilising all of Finnemore and Hollis’ tool categories for norm entrepreneurs. Through exploring the paths by which Microsoft strives to influence state behaviour and position themselves as a legitimate stakeholder in global cyber norm debates, we can gain insight into the methods and objectives of this newly identified form of corporate entrepreneurship and better understand the role that private actors may have in the ongoing formation of global cyber norms.
Article
Norms for cyberspace remain highly contested internationally among governments and fragmented domestically within governments. Despite diplomatic activities at the United Nations over the past two decades, intersubjective agreement on norms governing coercive cyber power is still nascent. Agreed upon, explicitly stated norms are considered voluntary, defined vaguely, and internalized weakly. Implicit state practice is slowly emerging, yet poorly understood, and cloaked in secrecy. This raises the question: how do norms emerge for cyberspace? What has been the contribution of the UN process to the international community’s understanding of norms for cyberspace? Why did the process collapse in 2017, the very same year that two of the biggest cyber attacks to date—WannaCry and NotPetya—caused indiscriminate economic harm worldwide each with an estimated cost of several billion U.S. dollars? And why did member states, in an unprecedented move in the UN’s history, create two separate processes dedicated to the same issue in 2018? To answer these questions, this article analyses the various factors feeding into the dynamic process of norm contestation including an in-depth discussion of the process at the United Nations, the role of international law, and the main points of critiques.
Book
How private groups increasingly set public policy and regulate lives—with little public knowledge or attention. From accrediting doctors and lawyers to setting industry and professional standards, private groups establish many of the public policies in today’s advanced societies. Yet this important role of nongovernmental groups is largely ignored by those who study, teach, or report on public policy issues. Public Policymaking by Private Organizations sheds light on policymaking by private groups, which are not accountable to the general public or, often, even to governments. This book brings to life the hidden world of policymaking by providing an overview of this phenomenon and in-depth case studies in the areas of finance, food safety, and certain professions. Far from being merely self regulation or self-governance, policymaking by private groups, for good or ill, can have a substantial impact on the broader public—from ensuring the safety of our home electrical appliances to vetting the credit-worthiness of complex financial instruments in the run-up to the 2008 financial crisis. From nonprofit associations to multinational corporations, private policymaking groups are everywhere. They certify professionals as competent, establish industry regulations, and set technical and professional standards. But because their operations lack the transparency and accountability required of governmental bodies, these organizations comprise a policymaking territory that is largely unseen, unreported, uncharted, and not easily reconciled with democratic principles. Anyone concerned about how policies are made—and who makes them—should read this book.
Chapter
We have arrived in an age of mega-hacks in which high-impact, high-attention cyber-incidents are becoming the new normal. The increase in strategically consequential, targeted cyber-incidents is met with intensified efforts to reduce the risk of cyber-conflict through norms-building, mainly geared towards creating deterrent effects at the state level. While these new developments have an overall stabilizing effect on cyber-international relations, the narrow focus on destructive cyberattacks and on state-to-state relations is creating unintended, security-reducing side-effects
Article
This article explains how it is possible to arrive at the paradoxical conclusion that an increased reliance on private actors (in the guise of private military companies) could consolidate public peace and security in the weakest African states. It argues that this conclusion can only be reached if the dynamics of the market for force are neglected. The basic claim is that the market as a whole has effects that cannot be captured by focussing on single cases. The article analyses these effects, departing from the empirical functioning of supply, demand and externalities in the market for force in order to spell out the implications for public security. More specifically, the article shows that supply in the market for force tends to self-perpetuate, as PMCs turn out a new caste of security experts striving to fashion security understandings to defend and conquer market shares. The process leads to an expansion of the numbers and kinds of threats the firms provide protection against. Moreover, demand does not penalize firms that service ‘illegitimate’ clients in general. Consequently, the number of actors who can wield control over the use of force is limited mainly by their ability to pay. Finally, an externality of the market is to weaken existing security institutions by draining resources and worsening the security coverage. This gives further reasons to contest the legitimacy of existing security orders. In other words, the development of a market for force increases the availability and perceived need for military services, the number of actors who have access to them and the reasons to contest existing security orders. This hardly augurs well for public security.
Article
Recent literatures have become sceptical about the concept of an international, preferring to make claims about new forms of imperial or exceptional politics. This article examines the relation between these three concepts as conventionally understood within discourses of internationalism; expresses scepticism about the use of the term ‘imperial’ for capturing what is at stake in challenges to international order; and seeks to clarify what is at stake in contemporary practices of exceptionalism. Where exceptions were conventionally declared at the limits of the sovereign state, qualified by the ordering capacities of a system of sovereign states, enabled by a theory of history marking the modernity of sovereign authorities and inhibited by resistance to imperial and theological order, exceptions are now enacted in ways that exceed official cartographies of sovereign authorization. Consequently, traditions and debates about what it means to secure the modern subject that have largely reproduced options laid out by Carl Schmitt and Hans Kelsen in the 1920s and 1930s must become engaged with questions about the limits of specifically modern forms of political life. If exceptions are not being made where they are supposed to be made, subjects will not be secured where they are supposed to be secured.
Book
The emergence of private authority has become increasingly a feature of the post-Cold War world. In The Emergence of Private Authority in Global Governance, leading scholars explore the sources, practices and implications of this erosion of the power of the state. They analyse and compare actors as diverse as financial institutions, multinational corporations, religious terrorists and organised criminals, and assess the potential for reversal of the situation. The themes of the book relate directly to debates concerning globalization and the role of international law, and will be of interest to scholars and students of international relations, politics, sociology and law.
Book
This book assesses the impact of norms on decision-making. It argues that norms influence choices not by being causes for actions, but by providing reasons. Consequently it approaches the problem via an investigation of the reasoning process in which norms play a decisive role. Kratochwil argues that, depending upon the strictness the guidance norms provide in arriving at a decision, different styles of reasoning with norms can be distinguished. While the focus in this book is largely analytical, the argument is developed through the interpretation of the classic thinkers in international law (Grotius, Vattel, Pufendorf, Rousseau, Hume, Habermas).
Book
Managers of multinational organizations are struggling to win the strategic competition for the hearts and minds of external stakeholders. These stakeholders differ fundamentally in their worldview, their understanding of the market economy and their aspirations and fears for the future. Their collective opinions of managers and corporations will shape the competitive landscape of the global economy and have serious consequences for businesses that fail to meet their expectations. This important new book argues that the strategic management of relationships with external stakeholders – what the author calls "Corporate Diplomacy" – is not just canny PR, but creates real and lasting business value. Using a mix of colourful examples, practically relevant tools and considered perspectives, the book hones in on a fundamental challenge that managers of multinational corporations face as they strive to compete in the 21st century. As falling communication costs shrink, the distance between external stakeholders and shareholder value is increasingly created and protected through a strategic integration of the external stakeholder facing functions. These include government affairs, stakeholder relations, sustainability, enterprise risk management, community relations and corporate communications. Through such integration, the place where business, politics and society intersect need not be a source of nasty surprises or unexpected expenses. Most of the firms profiled in the book are now at the frontier of corporate diplomacy. But they didn’t start there. Many of them were motivated by past failings. They fell into conflicts with critical stakeholders – politicians, communities, NGO staffers, or activists – and they suffered. They experienced delays or disruptions to their operations, higher costs, angry customers, or thwarted attempts at expansion. Eventually, the managers of these companies developed smarter strategies for stakeholder engagement. They became corporate diplomats. The book draws on their experiences to take the reader to the forefront of stakeholder engagement and to highlight the six elements of corporate diplomacy.
Chapter
The Power of Human Rights (published in 1999) was an innovative and influential contribution to the study of international human rights. At its center was a 'spiral model' of human rights change which described the various socialization processes through which international norms were internalized into the domestic practices of various authoritarian states during the Cold War years. The Persistent Power of Human Rights builds on these insights, extending its reach and analysis. It updates our understanding of the various causal mechanisms and conditions which produce behavioural compliance, and expands the range of rights-violating actors examined to include democratic and authoritarian Great Powers, corporations, guerrilla groups, and private actors. Using a unique blend of quantitative and qualitative research and theory, this book yields not only important new academic insights but also a host of useful lessons for policy-makers and practitioners.
Book
This revised and updated second edition features over twenty new chapters and offers a wide-ranging collection of cutting-edge essays from leading scholars in the field of Security Studies. The field of Security Studies has undergone significant change during the past 20 years, and is now one of the most dynamic sub-disciplines within International Relations. This second edition has been significantly updated to address contemporary and emerging security threats with chapters on organised crime, migration and security, cyber-security, energy security, the Syrian conflict and resilience, amongst many others. Comprising articles by both established and up-and-coming scholars, The Routledge Handbook of Security Studies provides a comprehensive overview of the key contemporary topics of research and debate in the field of Security Studies. The volume is divided into four main parts: Part I: Theoretical Approaches to Security Part II: Security Challenges Part III: Regional (In)Security Part IV: Security Governance This new edition of the Handbook is a benchmark publication with major importance for both current research and the future of the field. It will be essential reading for all scholars and students of Security Studies, War and Conflict Studies, and International Relations. © 2017 selection and editorial material, Myriam Dunn Cavelty and Thierry Balzacq. All rights reserved.
Article
Purpose: There is growing contestation between states and private actors over cybersecurity responsibilities, and its governance is ever more susceptible to nationalization. The authors believe these developments are based on an incomplete picture of how cybersecurity is actually governed in practice and theory. Given this disconnect, this paper aims to attempt to provide a cohesive understanding of the cybersecurity institutional landscape.
Design/methodology/approach: Drawing from institutional economics and using extensive desk research, the authors develop a conceptual model and broadly sketch the activities and contributions of market, networked and hierarchical governance structures and analyze how they interact to produce and govern cybersecurity.
Findings: Analysis shows a robust market and networked governance structures and a more limited role for hierarchical structures. Ex ante efforts to produce cybersecurity using purely hierarchical governance structures, even buttressed with support from networked governance structures, struggle without market demand like in the case of secure internet identifiers. To the contrary, ex post efforts like botnet mitigation, route monitoring and other activities involving information sharing seem to work under a variety of combinations of governance structures.
Originality/value: The authors’ conceptual framework and observations offer a useful starting point for unpacking how cybersecurity is produced and governed; ultimately, we need to understand if and how these governance structure arrangements actually impact variation in observed levels of cybersecurity.
Article
On February 16, 2016, a U.S. court ordered Apple to circumvent the security features of an iPhone 5C used by one of the terrorists who committed the San Bernardino shootings. Apple refused. It argued that breaking encryption for one phone could not be done without undermining the security of encryption more generally. It made a public appeal for “everyone to step back and consider the implications” of having a “back door” key to unlock any phone—which governments (and others) could deploy to track users or access their data. The U.S. government eventually withdrew its suit after the F.B.I. hired an outside party to access the phone. But the incident sparked a wide-ranging debate over the appropriate standards of behavior for companies like Apple and for their customers in constructing and using information and communication technologies (ICTs). That debate, in turn, is part of a much larger conversation. Essential as the Internet is, “rules of the road” for cyberspace are often unclear and have become the focus of serious conflicts.
Chapter
List of Tables
Foreword
Notes of Contributors
List of Abbreviations
PART I: PUBLIC-PRIVATE PARTNERSHIPS AND DEMOCRACY
Introduction: Partnerships, Democracy and Governance (M.Bexell & U.Morth)
Partnerships, Boundary Blurring and Accountable Actorhood (K.Svedberg Helgesson)
Public-Private Partnerships and the Democratic Deficit: Is Performance-Based Legitimacy the Answer? (J.Pierre & G.Peters)
Partnership Accountability Need not be Democratic Accountability (J.Steets & L.Blattner)
PART II: PARTNERSHIPS AND DEMOCRATIC VALUES IN GLOBAL GOVERNANCE
Public Markets and Private Democracy? The Renegotiation of Public and Private in Global Politics (K.Dingwerth & T.Hanrieder)
From Business Unusual to Business as Usual: The Future Legitimacy of PPPs with Multilateral Organizations (B.Bull & D.McNeill)
Transnational Standard-Setting Partnerships in the Field of Social Rights: The Interplay of Legitimacy, Institutional Design and Process Management (M.Beisheim & C.Kaan)
From Rhetoric to Practice: The Legitimacy of Global Public-Private Partnerships for Sustainable Development (K.Backstrand)
Coordinating Actors in the Fight against HIV/AIDS: From 'Lead Agency' to Public-Private Partnerships (C.Jonsson)
UNDP, Business Partnerships and the (UN)democratic Governance of Development (C.Gregoratti)
PART III: CONCLUSIONS
Conclusions and Directions (M.Bexell & U.Morth)
Index
Article
This book celebrated the 50th anniversary of the Universal Declaration of Human Rights by showing how global human rights norms have influenced national government practices in eleven different countries around the world. Had the principles articulated in the Declaration had any effect on the behavior of states towards their citizens? What are the conditions under which international human rights norms are internalized in domestic practices? And what can we learn from this case about why, how, and under what conditions international norms in general influence the actions of states? This book draws on the work of social constructivists to examine these important issues. The contributors examine eleven countries representing five different world regions - Northern Africa, Sub-Saharan Africa, Southeast Asia, Latin America, and Eastern Europe - drawing practical lessons for activists and policy makers concerned with preserving and extending the human rights gains made during the past fifty years.
Article
Throughout this century, modernists have been proclaiming that technology would transform world politics. These days futurists argue that the information revolution is leading to a new electronic feudalism, with overlapping communities laying claim to citizens' loyalties. But the state is very resilient. Geographically based states will continue to structure politics in an information age, but they will rely less on traditional resources and more on their ability to remain credible to a public with increasingly diverse sources of information.
Chapter
While escaping consistent theoretization so far, the impact of 'cyberization' on the conduct of international relations can be more thoroughly grasped by studying the reconfiguration of global governance techniques brought about by the virtual mediums. The cyberspace remains a highly contested arena for policy-making, and its current institutional architecture is dominated by a multiplicity of tensions over who is entitled to decide on issues that go beyond the traditional functions of the state and what practices of governing are most appropriate in this context. By applying the Foucauldian concept of governmentality to investigate the global discourses of security in the cyberspace, this chapter sheds light on a shift in the rationality of governing, and brings empirical evidence of the dominant discourse(s) of security in the cyberspace in the United Nations (UN) ambit. It reveals that, despite the common acknowledgement of cyber dangers as imminent, transnational and very diffuse, an inclusive and dialectical approach to cybersecurity is not yet in place. © Springer-Verlag Berlin Heidelberg 2014. All rights are reserved.
Article
A work that reconstructs the origin and evolution of today's transnational networks which, using new information technologies as an organizing and unifying resource, have managed to establish themselves as movements exerting more or less pressure in defense of human rights, environmental protection, and greater gender equity, among other causes.
Book
The Role of Business in Global Governance offers an empirically rich analysis of the new political role of corporations in the co-performance of governance functions beyond the state. Within comparative case studies, potential explanations of the political role of transnational corporations are systematically tested.
Article
Transnational public-private partnerships (PPPs) have become a popular theme in International Relations (IR) research. Such partnerships constitute a hybrid type of governance, in which nonstate actors co-govern along with state actors for the provision of collective goods, and thereby adopt governance functions that have formerly been the sole authority of sovereign states. Their recent proliferation is an expression of the contemporary reconfiguration of authority in world politics that poses essential questions on the effectiveness and the legitimacy of global governance. In this article, we critically survey the literature on transnational PPPs with respect to three central issues: Why do transnational PPPs emerge, under what conditions are they effective, and under what conditions are they legitimate governance instruments? We point to weaknesses of current research on PPPs and suggest how these weaknesses can be addressed. We argue that the application of IR theories and compliance theories in particular opens up the possibility for systematic comparative research that is necessary to obtain conclusive knowledge about the emergence, effectiveness, and legitimacy of transnational PPPs. Furthermore, the article introduces the concept of complex performance to capture possible unintended side effects of PPPs and their implications on global governance.
Article
This study aims to analyze the concept of corporate diplomacy, that is, the organizational behavior aimed at implementing favorable conditions for carrying out corporate activities. By following a cognitive-linguistic approach, the analysis outlines the meaning of corporate diplomacy along various dimensions, and in relation to other 'bordering' concepts such as diplomacy, economic or commercial diplomacy, negotiation, and public relations. The result of the analysis allows to better define what corporate diplomacy is, and offers interesting cues for acknowledging this activity as an important function of firms with intense relationships with governments and other entities alike.
Article
Imagine a data storage and retrieval system that stores millions of discrete files in such a way that they can be accessed, searched, and retrieved by millions of users who can access the system wherever they are connected to the Internet. Imagine that this system is under a multipronged attack. Its enemies have used a variety of techniques, ranging from shutting down the main search server under the threat of armed seizure, to inserting malicious files to corrupt the system, to capturing and threatening the operators of storage devices. Imagine that even through all these assaults, the system continues to operate and to provide high-quality storage, search, and retrieval functionality to millions of users worldwide. That would be a system worth studying as a model for cybersecurity, would it not? That system has in fact been in existence for five years. It has indeed been under the kinds of attacks described over this entire period. It is the peer-to-peer music file-sharing system. It is the epitome of a survivable system. Its primary design characteristic is radically distributed redundant capacity. The primary economic puzzles in understanding whether it is a model that can be harnessed to design survivable systems more generally are these: Why there is so much excess capacity for its core components - storage, processing, and communications capacity, in the hands of many widely distributed users? And how one might replicate it for uses that are somewhat less controversial than sharing music files.
Article
Norms have never been absent from the study of international politics, but the sweeping “ideational turn” in the 1980s and 1990s brought them back as a central theoretical concern in the field. Much theorizing about norms has focused on how they create social structure, standards of appropriateness, and stability in international politics. Recent empirical research on norms, in contrast, has examined their role in creating political change, but change processes have been less well-theorized. We induce from this research a variety of theoretical arguments and testable hypotheses about the role of norms in political change. We argue that norms evolve in a three-stage “life cycle” of emergence, “norm cascades,” and internalization, and that each stage is governed by different motives, mechanisms, and behavioral logics. We also highlight the rational and strategic nature of many social construction processes and argue that theoretical progress will only be made by placing attention on the connections between norms and rationality rather than by opposing the two.