Strategically normative. Norms and principles in national cybersecurity strategies

To read the file of this research, you can request a copy directly from the authors.


This research applies a normative reading to 106 national cybersecurity strategies, most of them adopted after the cyberattacks against Estonia in 2007, an event that marked a strong shift toward securitisation of the use of information and communication technologies (ICTs). The paper identifies and discusses countries’ qualifications of afforded and expected standards of behaviour in the context of both national and international cybersecurity. The analysis is intended to contribute to the international debate around cybernorms and responsible behaviour in state use of ICTs.

No file available

Request Full-text Paper PDF

To read the file of this research,
you can request a copy directly from the authors.

... It is somewhat challenging to reconcile the established notions above with the contemporary cyber security. The relative lack of cyber defence discussion, in both international dialogue and national strategies (Kerttunen and Tikk 2019), can be explained by the predominantly non-military nature of the cyber threat. Despite wide use of language pointing to cyber conflict and warfare in cyberspace, there is little evidence of cyber operations leading to civilian casualties or the scope and scale of hostilities that have given rise to the very notion of civil defence. ...
... National cyber security strategies as well as regional and international recommendations require general social contracts around the proportionality, utility, and expected impact of cyber threat assessment, prioritisation of national efforts, information exchange, or law enforcement. Kerttunen and Tikk (2019) note that of the 107 national cyber security strategies, only a few assign specific cyber security roles to national defence organisations, whereas OSCE (2016) concludes that (mostly civilian) computer emergency response services are key to implementing confidence-building in cyberspace. Furthermore, there is an acknowledged dimension of human rights concerns attached to securitisation of the development and use of ICTs. ...
For more than a decade, the United States military has conceptualized and discussed the Internet and related systems as “cyberspace,” understood as a “domain” of conflict like land, sea, air, and outer space. How and why did this concept become entrenched in US doctrine? What are its effects? Focusing on the emergence and consolidation of this terminology, I make three arguments about the role of language in cybersecurity policy. First, I propose a new, politically consequential category of metaphor: foundational metaphors, implied by using particular labels rather than stated outright. These metaphors support specific ways to understand complex issues, provide discursive resources to some arguments over others, and shape policy contestation and outcomes. Second, I present a detailed empirical study of US military strategy and doctrine that traces the emergence and consolidation of terminology built on the “cyberspace domain.” This concept supported implicit metaphorical correspondences between the Internet and physical space, yielding specific analogies and arguments for understanding the Internet and its effects. Third, I focus on the rhetorical effects of this terminology to reveal two important institutional consequences: this language has been essential to expanding the military's role in cybersecurity, and specific interests within the Department of Defense have used this framework to support the creation of US Cyber Command. These linguistic effects in the United States also have implications for how other states approach cybersecurity, for how international law is applied to cyber operations, and for how International Relations understands language and technological change.
On February 16, 2016, a U.S. court ordered Apple to circumvent the security features of an iPhone 5C used by one of the terrorists who committed the San Bernardino shootings. Apple refused. It argued that breaking encryption for one phone could not be done without undermining the security of encryption more generally. It made a public appeal for “everyone to step back and consider the implications” of having a “back door” key to unlock any phone—which governments (and others) could deploy to track users or access their data. The U.S. government eventually withdrew its suit after the F.B.I. hired an outside party to access the phone. But the incident sparked a wide-ranging debate over the appropriate standards of behavior for companies like Apple and for their customers in constructing and using information and communication technologies (ICTs). That debate, in turn, is part of a much larger conversation. Essential as the Internet is, “rules of the road” for cyberspace are often unclear and have become the focus of serious conflicts.
International regimes are defined as principles, norms, rules and decision making procedures around which actor expectations converge in a given issue area. As a starting point, regimes have been conceptualized as intervening variables, standing between basic causal factors and related outcomes and behaviour. There are three views about the importance of regimes: conventional structural orientations dismiss regimes as being at best ineffectual; Grotian orientations view regimes as an intimate component of the international system; and modified structural perspectives see regimes as significant only under certain constrained conditions. For Grotian and modified structuralist arguments, which endorse the view that regimes can influence outcomes and behavior, regime development is seen as a function of five basic causal variables: egoistic self interest, political power, diffuse norms and principles, custom and usage, and knowledge
International norm dynamics and political change
Temple University Legal Studies Research Paper No. 2016-52, See also Martha Finnemore and Kathryn Sikkink, "International norm dynamics and political change", International Organization 52:4 (1998), pp. 887-917.
Little, Brown, 1977) and Martha Finnemore and Kathryn Sikkink
In addition to Katzenstein (1996) op.cit., normative landmark works on regimes and norms include e.g. Robert Keohane and Joseph S. Nye, Power and Interdependence (Boston, MA: Little, Brown, 1977) and Martha Finnemore and Kathryn Sikkink, "International norm dynamics and political change", International Organization 52 (Autumn 1998), pp. 887-917. On the epistemic assumptions on norms see Roland. L. Jepperson, Alexander Wendt and Peter J. Katzenstein, "Norms, identity, and culture in national security", in Katzenstein (1996), pp. 33-75.