Voluntary, non-binding norms of responsible state behavior
National positions[edit | edit source]
"[..] another element of the United States’ strategic framework for international cyber stability: the development of international consensus on certain additional voluntary, non-binding norms of responsible State behaviour in cyberspace that apply during peacetime.
Internationally, the United States has identified and promoted four such norms:
- First, a State should not conduct or knowingly support cyber-enabled theft of intellectual property, trade secrets, or other confidential business information with the intent of providing competitive advantages to its companies or commercial sectors.
- Second, a State should not conduct or knowingly support online activity that intentionally damages critical infrastructure or otherwise impairs the use of critical infrastructure to provide service to the public.
- Third, a State should not conduct or knowingly support activity intended to prevent national computer security incident response teams (CSIRTs) from responding to cyber incidents. A State also should not use CSIRTs to enable online activity that is intended to do harm.
- Fourth, a State should cooperate, in a manner consistent with its domestic and international obligations, with requests for assistance from other States in investigating cyber crimes, collecting electronic evidence, and mitigating malicious cyber activity emanating from its territory.
These four U.S.-promoted norms seek to address specific areas of risk that are of national and/or economic security concern to all States. Although voluntary and non-binding in nature, these norms can serve to define an international standard of behavior to be observed by responsible, like-minded States with the goal of preventing bad actors from engaging in malicious cyber activity. If observed, these measures—which can include measures of self-restraint—can contribute substantially to conflict prevention and stability. Over time, these norms can potentially provide common standards for responsible States to use to identify and respond to behavior that deviates from these norms. As more States commit to observing these norms, they will be increasingly willing to condemn the malicious activities of bad actors and to join together to ensure that there are consequences for those activities.
It is important, however, to distinguish clearly between international law, on the one hand, and voluntary, non-binding norms on the other. These four norms identified by the United States, or the other peacetime cyber norms recommended in the 2015 UN GGE report, fall squarely in the voluntary, non-binding category. These voluntary, non-binding norms set out standards of expected State behavior that may, in certain circumstances, overlap with standards of behavior that are required as a matter of international law. Such norms are intended to supplement existing international law. They are designed to address certain cyber activities by States that occur outside of the context of armed conflict that are potentially destabilizing. That said, it is possible that if States begin to accept the standards set out in such non-binding norms as legally required and act in conformity with them, such norms could, over time, crystallize into binding customary international law. As a result, States should approach the process of identifying and committing to such non-binding norms with care."
"DoD lawyers also advise on how a proposed cyber operation may implicate U.S. efforts to promote certain policy norms for responsible State behavior in cyberspace, such as the norm relating to activities targeting critical infrastructure. These norms are non-binding and identifying the best methods for integrating them into tactical-level operations remains a work in progress. But, they are important political commitments by States that can help to prevent miscalculation and conflict escalation in cyberspace. DoD OGC, along with other DoD leaders, actively supports U.S. State Department-led initiatives to build and promote this framework for responsible State behavior in cyberspace. This includes participation in the UN Group of Governmental Experts and an Open-Ended Working Group on information and communications technologies in the context of international peace and security. These diplomatic engagements are an important part of the United States’ overall effort to protect U.S. national interests by promoting stability in cyberspace."