
Constructing Norms for Global Cybersecurity

  • Martha Finnemore (a1) and Duncan B. Hollis (a2)


On February 16, 2016, a U.S. court ordered Apple to circumvent the security features of an iPhone 5C used by one of the terrorists who committed the San Bernardino shootings. Apple refused. It argued that breaking encryption for one phone could not be done without undermining the security of encryption more generally. It made a public appeal for “everyone to step back and consider the implications” of having a “back door” key to unlock any phone—which governments (and others) could deploy to track users or access their data. The U.S. government eventually withdrew its suit after the F.B.I. hired an outside party to access the phone. But the incident sparked a wide-ranging debate over the appropriate standards of behavior for companies like Apple and for their customers in constructing and using information and communication technologies (ICTs). That debate, in turn, is part of a much larger conversation. Essential as the Internet is, “rules of the road” for cyberspace are often unclear and have become the focus of serious conflicts.




1 See Lichtblau, Eric & Benner, Katie, As Apple Resists, Encryption Fray Erupts in Battle, N.Y. Times, Feb. 18, 2016, at A1; Nagourney, Adam, Lovett, Ian & Pérez-Peña, Richard, Shooting Rampage Sows Terror in California, N.Y. Times, Dec. 3, 2015, at A1.

2 Cook, Tim, A Message to Our Customers, Apple (Feb. 16, 2016), at .

3 Id. The U.S. government insisted that it wanted a new operating system to access a single device, rather than a back door. Bennett, Cory, White House Denies FBI Seeking ‘Back Door’ to Apple iPhones, The Hill (Feb. 17, 2016), at .

4 See Lichtblau, Eric & Benner, Katie, F.B.I. Director Suggests Bill for an iPhone Hacking Topped $1.3 Million, N.Y. Times, Apr. 22, 2016, at B3.

5 Lichtblau, Eric, Security Czars on Apple’s Side in Privacy War, N.Y. Times, Apr. 23, 2016, at A1; Cassidy, John, Lessons from Apple vs. the F.B.I., New Yorker (Mar. 29, 2016), at . Use of the term ICT is widespread in global cybersecurity. Thus, we use it here notwithstanding that it is often used to refer to international courts and tribunals.

6 See Institute for Security & Safety, Brandenburg University of Applied Sciences, Cyber Security at Nuclear Facilities: National Approaches 2 (June 2015); David Evans, Introducing the Wireless Cow, Politico (June 29, 2015), at

7 Norms are expectations of proper behavior by actors with a given identity. See infra note 85 and accompanying text. As for cyberspace, notwithstanding theoretical debates, we understand the concept as the U.S. government does. White House, Cyberspace Policy Review: Assuring A Trusted and Resilient Information and Communications Infrastructure 1 (May 29, 2009), at (cyberspace refers to the “interdependent network of information technology infrastructures, and includes the Internet, telecommunication networks, computer systems,” processors, and controllers embedded in critical industries, as well as to “the virtual environment relating to information and interactions among people”).

8 Hoped for improvements include (1) deterring unwanted behavior, (2) catalyzing greater cooperation, and (3) improving ICT functionality. See Henry Farrell, Promoting Norms for Cyberspace 2–3 (Apr. 2015) (Council on Foreign Relations Cyber Brief), at; Lewis, James A., Liberty, Equality, Connectivity—Transatlantic Cooperation on Cybersecurity Norms, in Strategic Technology & Europe Programs, Center for Strategic & International Studies, Liberty, Equality, Connectivity: Transatlantic Cybersecurity Norms 7, 8–14 (2014), at ; Hurwitz, Roger, A New Normal? The Cultivation of Global Norms as Part of a Cyber Security Strategy, in Conflict and Cooperation in Cyberspace: The Challenge to National Security 213 (Yannakogeorgos, Panayotis A. & Lowther, Adam B. eds., 2013).

9 Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, paras. 9–15, UN Doc. A/70/174 (July 22, 2015) [hereinafter 2015 GGE Report].

10 Formally, the Global Conference on CyberSpace. See

11 By way of examples, (1) the Shanghai Cooperation Organization has produced two international codes of conduct for information security, (2) the Council of Europe sponsored the Budapest Convention on Cybercrime, and (3) NATO funded an independent group of experts to author the Tallinn Manual on the international law applicable to cyberwar. See, e.g., International Code of Conduct for Information Security, in Letter Dated 9 January 2015 from the Permanent Representatives of China, Kazakhstan, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan to the United Nations Addressed to the Secretary-General, UN Doc. A/69/723, annex (Jan. 9, 2015) [hereinafter Revised SCO Code of Conduct]; Council of Europe Convention on Cybercrime, Nov. 23, 2001, ETS No. 185 [hereinafter Budapest Convention]; Tallinn Manual on the International Law Applicable to Cyber Warfare (Michael N. Schmitt ed., 2013) [hereinafter Tallinn Manual].

12 See, e.g., White House Press Release, Fact Sheet: President Xi Jinping’s State Visit to the United States (Sept. 25, 2015), at (U.S.-China deal on commercial cyber espionage); Agreement Between the Government of the Russian Federation and the Government of the People’s Republic of China on Cooperation in Ensuring International Information Security, May 8, 2015 [hereinafter Russia-China Agreement] (unofficial English translation available at InofficialTranslation.pdf).

13 See, e.g., Wassenaar Arrangement, at (export controls regarding intrusion software and IP network surveillance systems); European Commission Press Release, Agreement on Commission’s EU Data Protection Reform Will Boost Digital Single Market (Dec. 15, 2015), at

14 For notable exceptions, see, for example, Microsoft Corp., Five Principles for Shaping Cybersecurity Norms 8–10 (2013), at http:/ + Principles + for+Shaping+Cyber-security+Norms&form=dlc; Austin, Greg, McConnell, Bruce & Neutze, Jan, EastWest Institute, Promoting International Cyber Norms: A New Advocacy Forum 49 (2015), at ; Eichensehr, Kristen E., The Cyber-law of Nations, 103 GEO. L. J. 317, 361–64 (2015).

15 For example, even if U.S. courts or Congress requires companies like Apple to include back-door capacities to decrypt in response to a warrant, the United States remains just one state, and Apple—like other ICTs—operates globally. See Peterson, Andrea, The Debate over Government ‘Backdoors’ into Encryption Isn’t Just Happening in the U.S., Wash. Post: The Switch (Jan. 11, 2016), at .

16 Erskine, Toni & Carr, Madeline, Beyond ‘Quasi-Norms’: The Challenges and Potential of Engaging with Norms in Cyberspace, in International Cyber Norms: Legal, Policy & Industry Perspectives 87, 88 (Osula, Anna-Maria & Roigas, Henry eds., 2016) (calling for analysis of existing context and distinguishing proposed—or “quasi”—norms from those with prescriptive force).

17 See Wassenaar Arrangement, supra note 13; NETmundial Multistakeholder Statement (Apr. 24, 2014), at

18 See Finnemore, Martha & Sikkink, Kathryn, International Norm Dynamics and Political Change, 52 Int’l Org. 887, 909–15 (1998).

19 See Pagliery, Jose, The Inside Story of the Biggest Hack in History, CNN Money (Aug. 5, 2015), at ; Rashid, Fahmida Y., Inside the Aftermath of the Saudi Aramco Breach, Dark Reading (Aug. 8, 2015), at .

20 Rashid, supra note 19.

21 The Shamoon Attacks, Symantec Official Blog (Aug. 16, 2012), at

22 Pagliery, supra note 19.

23 Perlroth, Nicole, Cyberattack on Saudi Firm Disquiets U.S., N.Y. Times, Oct. 24, 2012, at A1; Zetter, Kim, The NSA Acknowledges What We All Feared: Iran Learns from US Cyberattacks, Wired (Feb. 10, 2015), at . Stuxnet is widely assumed to be a state-sponsored form of malware. Discovered in 2010, it infected similar systems worldwide but executed only on Iran’s Natanz facility, leaving other systems unharmed (although still requiring a patch once the virus became known). Zetter, Kim, Countdown to Zero Day: Stuxnet and The Launch of The World’s First Digital Weapon 354-58 (2014); Deibert, Ronald J., Black Code: Surveillance, Privacy, And The Dark Side Of The Internet 176–80 (2013); Langner, Ralph, Stuxnet: Dissecting a Cyberwarfare Weapon, 9 IEEE Security & Privacy 49, 49–50 (2011).

24 Rashid, supra note 19; see Bronk, Christopher & Tikk-Ringas, Eneken, The Cyber Attack on Saudi Aramco, 55 Survival 81, 85–88 (2013).

25 A flood in Thailand may also have contributed to demand. Goldman, David, Thailand Floods Could Create Laptop Shortage, CNN Money (Nov. 1, 2011), at .

26 Rashid, supra note 19; Pagliery, supra note 19.

27 Center for Strategic & International Studies, Net Losses: Estimating The Global Cost of Cybercrime 6 (June 2014), at

28 See, e.g., Gemalto Releases Findings of 2015 Breach Level Index (Feb. 23, 2016), at press/Pages/Gemalto-releases-findings-of-2015-Breach-Level-Index.aspx.

29 Hackett, Robert, What to Know About the Ashley Madison Hack, Fortune (Aug. 26, 2015), at .

30 See U.S. Office of Personnel Management, Cybersecurity Resource Center, at The OPM compromise included security-clearance and background-check information for 21.5 million former and current federal employees and contractors, including data such as drug and alcohol habits, criminal history, and marital troubles. Id.; Michael Adams, Why the OPM Hack Is Far Worse Than You Imagine, Lawfare (Mar. 11, 2016), at; Ex-NSA Officer: OPM Hack Is Serious Breach of Worker Trust, NPR (June 13, 2015), at

31 Pepitone, Julianne, China Is ‘Leading Suspect’ in OPM Hacks, Says Intelligence Chief James Clapper, NBC News (June 25, 2015), at .

32 See, e.g., Peterson, Andrea, The Sony Pictures Hack, Explained, Wash. Post: The Switch (Dec. 18, 2014), at .

33 Stuxnet interfered with industrial control systems at Natanz by instructing centrifuges to run at various—and unsustainable—speeds. Zetter, supra note 23, at 341–42; Langner, supra note 23, at 50.

34 For more cybersecurity definitions, see Cyber Security Initiative, Global Cyber Definitions Database, New America, at

35 This definition tracks loosely one that the U.S. government previously used. See U.S. Department of Defense, Instruction No. 5205.13: Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Activities 10 (Jan. 29, 2010), at More recent U.S. definitions have become unwieldy. See “cybersecurity,” Department of Homeland Security, National Initiative for Cybersecurity Careers and Studies, A Glossary of Common Cybersecurity Terminology, at files/documents/Common%20Cyber%20Language_S508C.pdf.

36 Accord Singer, P.W. & Friedman, Allan, Cybersecurity and Cyberwar: What Everyone Needs to Know 34 (2014); National Institute of Standards & Technology, U.S. Department of Commerce, Glossary of Key Information Security Terms 57–58 (Richard Kissel ed., 2013), at

37 See, e.g., Popper, Nathaniel, The Bell Rings, Computers Fail, Wall St. Cringes, N.Y. Times, July 9, 2015, at A1; Drew, Christopher, United Halts Flights for 2 Hours, Blaming Faulty Network Equipment, N.Y. Times, July 9, 2015, at B2. For online speech controls, China is the paradigmatic example. Bill Marczak, Nicholas Weaver, Jakub Dalek, Roya Ensafi, David Fifield, Sarah McKune, Arn Rey, John Scott-Railton, Ronald Deibert & Vern Paxson, China’s Great Cannon, Citizen Lab (Apr. 10, 2015), at

38 Lin, Herbert S., Offensive Cyber Operations and the Use of Force, 4 J. Nat’l Security L. & Pol’y 63, 64 (2010).

39 ICT functions fall broadly into four layers. A bottom “link” layer includes the physical media allowing transmission of data packets. Next are the “network” and “transport” layers; the “network” layer breaks data into packets with their source and destination identified via an addressing system of “headers.” The “transport” layer ensures reliable transmission of data packets, routing them from one network to another. At the top of the stack, the “applications” layer converts data into useful things like Web pages or files. Each layer functions independently; Google Chrome works regardless of whether the link layer employs DSL or wi-fi. For a further—and more precise—account, see The OSI Model’s Seven Layers Defined and Functions Explained, Microsoft Corp. (2014), at

40 See National Institute of Standards & Technology, National Vulnerability Database, at Because many users fail to patch their systems, these vulnerabilities still constitute serious security risks.

41 Greenberg, Andy, New Dark-Web Market Is Selling Zero-Day Exploits to Hackers, Wired (Apr. 17, 2015), at .

42 The Federal Bureau of Investigation, for example, used a zero-day vulnerability to catch people using online child pornography sites. Nakashima, Ellen, In War on Child Porn, FBI Borrows Hackers’ Techniques, Wash. Post, Jan. 22, 2016, at A3.

43 DDoS attacks often occur via “botnets,” networks of compromised computers culled together to do the bidding of an unauthorized remote user, often without the owner’s knowledge. Singer & Friedman, supra note 36, at 44.

44 In spearphishing, an adversary poses as a trusted party to induce the victim to introduce malware into his or her network (such as by opening an email attachment). The Shamoon virus accessed Saudi Aramco’s networks via spearphishing. Wueest, Candid, Security Response: Targeted Attacks Against the Energy Sector 12–14, Symantec (2014), at attacks_against_the_energy_sector.pdf ; Rashid, supra note 19.

45 Viruses spread by attaching themselves to programs or files and cannot infect a computer unless users open the program or file. Worms self-replicate, spreading without human interaction. Trojan horses are seemingly innocent programs containing malware. Rootkit programs allow hackers access to computer functions as administrators while remaining hidden from operating systems and antivirus software. Mohamed Chawki, Ashraf Darwish, Mohammad Ayoub Khan & Sapna Tyagi, Cybercrime, Digital Forensics and Jurisdiction 39–51 (2015); A Glossary of Common Cybersecurity Terminology, supra note 35 (defining “rootkit”).

46 See Steinberg, Joseph, Massive Internet Security Vulnerability—Here’s What You Need to Do, Forbes (Apr. 10, 2014), at .

47 Alam, Mohammad Nazmul, Paul, Subhra Prosun & Chowdhury, Shahrin, Security Engineering Towards Building a Secure Software, 81 Int’l J. Computer Applications 32, 33–34 (2013).

48 Lin, supra note 38, at 67–68.

49 See Kosner, Anthony Wing, Actually Two Attacks in One, Target Breach Affected 70 to 110 Million Customers, Forbes (Jan. 17, 2014), at ; supra note 30 and accompanying text (re: OPM).

50 See, e.g., Landler, Mark & Markoff, John, After Computer Siege in Estonia, War Fears Turn to Cyberspace, N.Y. Times, May 29, 2007, at C7; Myers, Steven Lee, Estonia Computers Blitzed, Possibly by the Russians, N.Y. Times, May 19, 2007, at A8.

51 See Simone, Alina, How My Mom Got Hacked, N.Y. Times, Jan. 4, 2015, at SR1, at ; Fox-Brewster, Thomas, How Hackers Breached Two Gambling Payment Providers to Harvest ‘Millions’ of Records, Forbes (Nov. 5, 2015), at . Recently, ransomware has targeted entire hospital networks. Zetter, Kim, Why Hospitals Are the Perfect Targets for Ransomware, Wired (Mar. 30, 2016), at .

52 Zetter, supra note 23, at 341–42, 363.

53 Greenberg, Andy, Hackers Remotely Kill a Jeep on the Highway—with Me in It, Wired (July 21, 2015), at .

54 See Zetter, Kim, Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid, Wired (Mar. 3, 2016), at .

55 Logic bombs are programs hidden within seemingly innocuous programs that execute their payloads at a specified time or when certain conditions are met.

56 The exploit “Titan Rain” persisted for at least three years. Lewis, James A., Computer Espionage, Titan Rain and China, Center for Strategic & International Studies (Dec. 2005), at ; Graham, Bradley, Hackers Attack via Chinese Web Sites, U.S. Agencies’ Networks Are Among Targets, Wash. Post, Aug. 25, 2005, at A1.

57 Mandiant Threat Report: M-Trends 2015: A View from The Front Lines 3 (2015), at This figure represents an improvement from earlier years. See id.

58 Lin, supra note 38, at 82.

59 But see Boyle, Darren, British Teenager Was Part of Team of Hackers Who Caused Government Websites in The UK and USA to Crash, Daily Mail (Aug. 19, 2015), at .

60 See Zetter, Kim, Feds Say That Banned Researcher Commandeered a Plane, Wired (May 15, 2015), at .

61 Myers, supra note 50. The DDoS began after Estonia relocated a World War II memorial to Russian war dead. Id.

62 See, e.g., Fantz, Ashley, As ISIS Threats Online Persist, Military Families Rethink Online Lives, CNN (Mar. 23, 2015), at ; Reisinger, Don, Anonymous Declares Cyber War on ISIS. Why It Matters, Fortune (Nov. 16, 2015), at .

63 See Waddell, Kaveh, FBI’s Most Wanted Cybercriminals, Atlantic (Apr. 27, 2016), at .

64 Nakashima, Ellen, China: Hackers’ Arrested, Wash. Post, Dec. 3, 2015, at A3.

65 See NSA Targets World Leaders for US Geopolitical Interests, Wikileaks (Feb. 23, 2016), at

66 Andrues, Wesley R., What U.S. Cyber Command Must Do, 59 Joint Forces Q. 115 (2010); Deibert, supra note 23, at 183; Valentino-Devries, Jennifer & Yadron, Danny, Cataloging the World’s Cyberforces, Wall St. J. (Oct. 11, 2015), at .

67 See Markoff, John, Before the Gunfire, Cyberattacks, N.Y. Times, Aug. 13, 2008, at A1.

68 See Zetter, supra note 54.

69 See Greenemeier, Larry, Seeking Address: Why Cyber Attacks Are So Difficult to Trace Back to Hackers, Sci. Am. (June 11, 2011), at ; Lipson, Howard F., Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues 13–15 (Nov. 2002), at . Technical attribution is not impossible but takes time and skill. Attribution may also come from secondary intelligence, mistakes, or luck. Hollis, Duncan B., An e-SOS for Cyberspace, 52 Harv. Int’l. L.J. 373, 397–401 (2011); see also infra notes 196–203 and accompanying text.

70 Martin C. Libicki, Cyberdeterrence and Cyber War 44 (2009). Nor have assumptions about authors based on the type of attack proved reliable. See Zetter, Kim, Israeli Hacker ‘The Analyzer’ Indicted in New York—Update, Wired (Oct. 29, 2008), at (noting three teenagers perpetrated “Solar Sunrise” exploit, which the United States had mistakenly assumed was state organized).

71 Landler & Markoff, supra note 50 (re: Russia); Kim, Jack & Holland, Steve, North Korea Denies Hacking Sony, U.S. Stands by Its Assertion, Reuters (Dec. 20, 2014), at .

72 See supra note 64 and accompanying text.

73 White House, International Strategy for Cyberspace 10 (May 2011), at; see also Lyngaas, Sean, NSA’s Rogers Makes the Case for Cyber Norms, FCW (Feb. 23, 2015), at ; Lyngaas, Sean, State Department Presents Cyber Norms to Congress, FCW (May 18, 2015), at ; Lotrionte, Catherine, A Better Defense: Examining the United States’ New Norms-Based Approach to Cyber Deterrence, Geo. J. Int’l Aff. 71, 73 (2013); Panayotis A. Yannakogeorgos & Adam Lowther, The Prospects for Cyber Deterrence: American Sponsorship of Global Norms, in Conflict and Cooperation in Cyberspace, supra note 8.

74 International Code of Conduct for Information Security, in Letter Dated 12 September 2011 from the Permanent Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the United Nations Addressed to the Secretary-General, UN Doc. A/66/359, annex (Sept. 14, 2011). The Shanghai Cooperation Organization member states subsequently offered a revised version. Revised SCO Code of Conduct, supra note 11.

75 See Julie Bishop’s Statement for Plenary Session on International Peace and Security, Global Conference on Cyberspace (Apr. 17, 2015), at; Bert Koenders, Opening Speech, Global Conference on CyberSpace 2015 (Apr. 16, 2015), at

76 See Five Principles for Shaping Cybersecurity Norms, supra note 14, at 5–10; Nicholas, Paul, Proposed Cybersecurity Norms to Reduce Conflict in an Internet-Dependent World, Microsoft: Cyber Trustblog (Dec. 3, 2014), at .

77 See, e.g., A Call to Cyber Norms: Discussions at The Harvard–MIT–University of Toronto Cyber Norms Workshops, 2011 and 2012 (2015); International Cyber Norms, supra note 16; Broeders, Dennis, The Public Core of The Internet: An International Agenda for Internet Governance 2 (2014), at internet_Web.pdf ; Carnegie Endowment for International Peace, Cyber Policy Initiative (2016), at

78 See, e.g., Eichensehr, supra note 14, at 361–64. Alternatively, this treaty hostility might be part of a larger trend. See Agora, The End of Treaties, AJIL Unbound (May 2014).

79 See GA Res. 53/70 (Jan. 4, 1999); Report of the Secretary-General on Developments in the Field of Information and Telecommunications in the Context of Information Security, UN Doc. A/54/213 (Aug. 10, 1999); Letter Dated 23 September 1998 from the Permanent Representative of the Russian Federation Addressed to the Secretary-General, UN Doc. A/C.1/53/3 (Sept. 30, 1998); Tim Maurer, Cyber Norm Emergence at the United Nations—an Analysis of the UN’s Activities Regarding Cyber-security 17 (Belfer Center for Science and International Affairs Discussion Paper 2011-11, 2011), at

80 See Budapest Convention, supra note 11; Grigsby, Alex, Coming Soon: Another Country to Ratify the Budapest Convention, Council on Foreign Relations: Net Politics (Dec. 11, 2014), at 2014/12/11/coming-soon-another-country-to-ratify-to-the-budapest-convention/ .

81 See International Telecommunications Union, Final Acts of the World Conference on International Telecommunications, Dubai, Dec. 3–14, 2012, at; Maurer, Tim & Morguss, Robert, Tipping The Scale: An analysis of Global Swing States in The Internet Governance Debate 2–3 (2014), at ; Klimburg, Alexander, Commentary: The Internet Yalta 3 (Feb. 5, 2013), at .

82 Nicholson, Brendan, Bishop: We Don’t Support a New Cyber Crime Treaty, Australian (Apr. 17, 2015), at .

83 See supra note 73; White House, Foreign Policy: Cybersecurity, at

84 See 2015 GGE Report, supra note 9, para. 13; Tallinn Manual, supra note 11.

85 Katzenstein, Peter J., Introduction: Alternative Perspectives on National Security, in The Culture of National Security: Norms and Identity in World Politics 1, 5 (Katzenstein, Peter J. ed., 1996). The older, international regimes literature defined norms as “standards of behavior defined in terms of rights and obligations.” Krasner, Stephen D., Structural Causes and Regime Consequences: Regimes as Intervening Variables, in International Regimes 1, 2 (Krasner, Stephen D. ed., 1983). This definition was not well connected to the sociological literature, however, and ignores identity issues and vast swathes of normativity beyond “rights and obligations” that have proven central to more recent norms research.

86 See 2015 GGE Report, supra note 9; Revised SCO Code of Conduct, supra note 11. The Shanghai Cooperation Organization’s efforts, in particular, have proven controversial for many states, making their norm products as much an example of a like-minded grouping as of a universal one.

87 European Commission Press Release, supra note 13 (re: Data Protection Directive). In 2014, the African Union adopted a cybersecurity treaty that requires fifteen ratifications to enter into force. African Union Convention on Cyber Security and Personal Data Protection, June 27, 2014, AU Doc. EX.CL/846(XXV).

88 North Atlantic Treaty Organization, Cyber Defence (June 23, 2016), at .

89 See White House Press Release, Fact Sheet: President Xi Jinping’s State Visit to the United States, supra note 12; Mason, Rowena, Xi Jinping State Visit: UK and China Sign Cybersecurity Pact, Guardian (Oct. 21, 2015), at ; see generally Lotrionte, Catherine, Countering State-Sponsored Cyber Economic Espionage Under International Law, 40 N.C. J. Int’l & Com. Reg. 443 (2015). For a discussion of norms as a “bilaterally-focused activity,” see Hathaway, Melissa E. & Klimburg, Alexander, Preliminary Considerations: On National Cyber Security, in National Cyber Security Framework Manual 33–34 (Klimburg, Alexander ed. 3, 2012), at .

90 Anne-Marie Slaughter, A New World Order (2004) (see pp. 1–35 for an overview of the argument). On the relative effectiveness of transnational network communities, see Verdier, Pierre-Hugues, Transnational Regulatory Networks and Their Limits, 34 Yale J. Int’l L. 113, 130–63 (2009).

91 See Tallinn Manual, supra note 11; Budapest Convention, supra note 11.

92 Budapest Convention, supra note 11, Arts. 2–12.

93 The National Institute of Standards and Technology, for example, has a “Voluntary Framework” for critical infrastructure cybersecurity. Cybersecurity Framework: Background: Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology (June 9, 2016), at

94 The Forum of Incident Response and Security Teams, or First, is an association of computer security incident response teams (CSIRTs) that, inter alia, offers members a “Best Practice Guide Library.” FIRST Best Practice Guide Library, First (2016), at

95 See Kushner, David, The Masked Avengers: How Anonymous Incited Online Vigilantism from Tunisia to Ferguson, New Yorker, Sept. 8, 2014, at 48, 50–59.

96 U.S. Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2: Cybersecurity (Oct. 13, 2011), at

97 NETmundial Multistakeholder Statement, supra note 17, pt. 1. For an alternative survey of cybersecurity processes, see Joe Nye’s “regime complexes” approach. Joseph S. Nye Jr., The Regime Complex for Managing Global Cyber Activities 7–13 (May 20, 2014), at

98 Michael Barnett & Martha Finnemore, Rules for The World: International Organizations In Global Politics 18 (2004); Barnett, Michael N. & Finnemore, Martha, The Politics, Power, and Pathologies of International Organizations, 53 Int’l Org. 699, 710–15 (1999); Ronald L. Jepperson, Alexander Wendt & Peter J. Katzenstein, Norms, Identity, and Culture in National Security, in The Culture of National Security: Norms and Identity in World Politics, supra note 85, at 33, 54.

99 The Transmission Control Protocol/Internet Protocol (TCP/IP) refers to the protocols permitting end-to-end connectivity for users following a set of norms on addressing, transmitting, routing, and receiving data packets. No one is required, however, to use TCP/IP; its use is voluntary for those seeking to join the Internet. See 2 W. Richard Stevens, TCP/IP Illustrated: The Protocols 1–20 (1994).

100 For decades, the Department of Commerce stewarded the authoritative root zone file, which contains names and addresses for top-level domains—.com,.org, and so on—via contracts with ICANN to carry out the Internet Assigned Numbers Authority and Verisign for root zone management. On March 14, 2014, the United States indicated it would transition authority over the Internet Assigned Numbers Authority to a new, multistakeholder process, which remains under negotiation. See NTIA IANA Functions’ Stewardship Transition, at; Milton L. Mueller, Ruling The Root: Internet Governance and The Taming of Cyberspace 156–84 (2002).

101 See, e.g., Bodansky, Daniel, Rules vs. Standards in International Environmental Law, 98 ASIL Proc. 275, 276–80 (2004); Sullivan, Kathleen M., Foreword: The Justices of Rules and Standards, 106 Harv. L. Rev. 22, 57–59 (1992); Schlag, Pierre J., Rules and Standards, 33 UCLA L. Rev. 379, 381–90 (1985). Although scholarship usually focuses on the rules/standards or rules/principles distinctions, we regard all three regulatory forms as related.

102 See Choosing & Applying a Character Encoding, W3C (Mar. 31, 2014), at (directing use of Unicode).

103 See Fed. Trade Comm’n v. Wyndham Worldwide Corp., 799 F.3d 236, 240–41 (3d Cir. 2015). Later, Wyndham settled with the Federal Trade Commission, agreeing to establish a consumer data-protection program. See Fair, Lesley, Wyndham’s Settlement with the FTC: What It Means for Businesses—and Consumers, Federal Trade Commission (Dec. 9, 2015), at .

104 This principle directs that, when coding, application-specific functions should occur in end hosts of networks rather than intermediary nodes. Saltzer, Jerome H., Reed, David P. & Clark, David D., End-to-End Arguments in System Design, 2 ACM Transactions on Computer Systems 277, 278–80 (1984).

105 See, e.g., 2015 GGE Report, supra note 9, para. 9; supra notes 82–83 and accompanying text.

106 See generally Abram Chayes & Antonia Chayes, The New Sovereignty: Compliance with International Regulatory Agreements (1995).

107 Lessig, Lawrence, The Regulation of Social Meaning, 62 U. Chi. L. Rev. 943, 1008–16 (1995); see also McAdams, Richard H., The Origin, Development, and Regulation of Norms, 96 Mich. L. Rev. 338 (1997).

108 Vienna Convention on the Law of Treaties, Art. 26, May 23, 1969, 1155 UNTS 331.

109 See Anderson, Kenneth, The Ottawa Convention Banning Landmines, the Role of International Non-governmental Organizations and the Idea of International Civil Society, 11 Eur. J. Int’l L. 91, 104–09 (2000); Maslen, Stuart & Herby, Peter, An International Ban on Anti-personnel Mines: History and Negotiation of the “Ottawa Treaty,” 38 Int’l Rev. Red Cross 693 (1998).

110 See, e.g., Computer Fraud and Abuse Act, 18 U.S.C.A. §1030 (2012) (United States); Computer Misuse Act 1990, ch. 18, §§5(2)(b), (3)(b) (United Kingdom); Criminal Law of the People’s Republic of China, Art. 286 (Mar. 14, 1997) (China); Penal Code §202a(1) (Germany); Information Technology Act 2008 §43(a) (India).

111 Tallinn Manual, supra note 11; Information and Communications Technology for Development, GA Res. 68/198 (Dec. 20, 2013).

112 Svensson, Måns & Larsson, Stefan, Intellectual Property Law Compliance in Europe: Illegal File Sharing and the Role of Social Norms, 14 New Media & Soc. 1147, 1157–60 (2012).

113 See G-20 Leaders’ Communiqué, Antalya Summit, November 15–16, 2015, para. 26, at http://www.; Organization for Security & Co-operation in Europe, 2013 Istanbul Final Declaration and Resolution on Cyber Security, at; Revised SCO Code of Conduct, supra note 11.

114 NETmundial Multistakeholder Statement, supra note 17; Montevideo Statement on the Future of Internet Cooperation, ICANN (Oct. 7, 2013), at

115 Katzenstein, supra note 85, at 6 (“Culture refers to both a set of evaluative standards (such as norms and values) and a set of cognitive standards (such as rules and models) that define what social actors exist in a system, how they operate, and how they relate to one another.”).

116 See supra notes 1–5 and accompanying text.

117 See, e.g., CISO Executive Forum, Information Systems Security Association (2016), at

118 See, e.g., Lawrence Lessig, Code and Other Laws of Cyberspace 190 (1999); Greenstein, Shane, Commercialization of the Internet: The Interaction of Public Policy and Private Choices or Why Introducing the Market Worked So Well, in 1 Innovation Policy and The Economy 151, 154 (Jaffe, Adam B., Lerner, Josh & Stern, Scott eds., 2001), at .

119 See supra notes 1–5, 15, 116, and accompanying text (re: encryption); Baker, Stewart, Making Hackback Humdrum, Wash. Post: Volokh Conspiracy (Nov. 22, 2015), at ; Lin, Patrick & Roff, Heather, Should Washington Allow Companies to Strike Back Against Hackers? Wall St. J., May 10, 2015, at R5.

120 Compare Iasiello, Emilio, Ramping Down Chinese Commercial Cyber Espionage, Foreign Pol’y J. (Dec. 9, 2015), at , with Gady, Franz-Stefan, Top US Spy Chief China Still Successful in Cyber Espionage Against US, Diplomat (Feb. 16, 2016), at .

121 The Helsinki Accords set up an organizational forum—which today has become the Organization for Security and Co-operation in Europe—to host dialogues on issues ranging from human rights to security. See Conference on Security and Co-operation in Europe: Final Act, 14 ILM 1292 (1975), available at

122 See generally Daniel C. Thomas, The Helsinki Effect: International Norms, Human Rights, and The Demise of Communism (2001). Risse, Ropp, and Sikkink’s “spiral model” of human rights change provides a more detailed theorization of this process. See Risse, Thomas & Sikkink, Kathryn, The Socialization of International Human Rights Norms into Domestic Practices: Introduction, in The Power of Human Rights: International Norms and Domestic Change 1, 17–35 (Risse, Thomas, Ropp, Stephen C. & Sikkink, Kathryn eds., 1999).

123 Sunstein, Cass R., Incompletely Theorized Agreements in Constitutional Law, 74 Soc. Res. 1 (2007). Sunstein’s idea shares some similarities with John Rawls’s ideas of overlapping consensus. See Rawls, John, The Idea of an Overlapping Consensus, 7 Oxford J. Legal Stud. 1 (1987).

124 Sunstein, supra note 123, at 1–3.

125 See Ryan Ellis, The Vulnerability Economy: Zero-Days, Cybersecurity, and Public Policy 3–6 (Feb. 4, 2015), at; Vulnerability Disclosure Policy (2016), CERT, at

126 See Sugden, Robert, Spontaneous Order, 3 J. Econ. Persp. 85, 87–97 (1989).

127 See David, Paul A., Clio and the Economics of QWERTY, 75 Am. Econ. Rev. 332 (1985). The QWERTY configuration on contemporary keyboards was designed for inefficiency—to slow typists and keep manual keys from jamming. Today, we remain locked into this suboptimal social norm for keyboard construction because switching to a more efficient alternative is too costly. Id. at 333–36.

128 When and how to distinguish mere repeated practices of states from those accepted as law remains subject to debate. See, e.g., Kammerhofer, Jörg, Uncertainty in the Formal Sources of International Law: Customary International Law and Some of Its Problems, 15 Eur. J. Int’l L. 523, 525–26 (2004); Roberts, Anthea Elizabeth, Traditional and Modern Approaches to Customary International Law: A Reconciliation, 95 AJIL 757, 757–60 (2001).

129 See Leiner, Barry M., Cerf, Vinton G., Clark, David D., Kahn, Robert E., Kleinrock, Leonard, Lynch, Daniel C., Postel, Jon, Roberts, Larry G. & Wolff, Stephen, A Brief History of the Internet 13 (2003), at .

130 U.S. Department of Justice Press Release, U.S. Charges Five Chinese Military Hackers with Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage (May 19, 2014), at; Schmitt, Michael S. & Sanger, David, 5 in China Army Face U.S. Charges of Cyberattacks, N.Y. Times, May 20, 2014, at A1.

131 See Tiezzi, Shannon, China’s Response to the US Cyber Espionage Charges, Diplomat (May 21, 2014), at ; Ferranti, Marc, Reports: NSA Hacked into Servers at Huawei Headquarters, Reports Say, PC World (Mar. 23, 2014), at .

132 Although the United States never formally admitted a role in Stuxnet, media reports have made that claim. See Sanger, David E., Obama Order Sped Up Wave of Cyberattacks Against Iran, N.Y. Times, June 1, 2012, at A1; Deibert, supra note 23, at 177.

133 See, e.g., Finnemore & Sikkink, supra note 18, at 895–99; Goddard, Stacie E., Brokering Change: Networks and Entrepreneurs in International Politics, 1 Int’l Theory 249 (2009); Acharya, Amitav, How Ideas Spread: Whose Norms Matter? Norm Localization and Institutional Change in Asian Regionalism, 58 Int’l Org 239 (2004); Koh, Harold Hongju, Why Do Nations Obey International Law, 106 Yale L.J. 2599, 2630–34, 2648 (1997); Sunstein, Cass R., Social Norms and Social Rules, 96 Colum. L. Rev 903, 929 (1996).

134 See, e.g., Martha Finnemore, National Interests in International Society 69–88 (1996); Sikkink, Kathryn, Transnational Politics, International Relations Theory, and Human Rights, 31 Pol. Sci. & Pol. 517, 518–19 (1998).

135 See Abbott, Kenneth W. & Snidal, Duncan, Values and Interests: International Legalization in the Fight Against Corruption, 31 J. Legal Stud. S 141, S154–71 (2002); Wang, Hongying & Rosenau, James N., Transparency International and Corruption as an Issue of Global Governance, 7 Global Governance 25, 30–38 (2001).

136 See Price, Richard, Reversing the Gun Sights: Transnational Civil Society Targets Land Mines, 52 Int’l Org. 613, 620–39 (1998).

137 See Bellamy, Alex J., The Responsibility to Protect—Five Years On, 24 Ethics & Int’l Aff. 143, 143 (2010). Before R2P garnered UN support, Gareth Evans first articulated it as chair of a Canada-sponsored international commission. International Commission on Intervention and State Sovereignty, The Responsibility to Protect, at vii (2001), at

138 See supra notes 12, 130–31, and accompanying text.

139 On frames and “frame alignment,” see generally Benford, Robert D. & Snow, David A., Framing Processes and Social Movements: An Overview and Assessment, 26 Ann. Rev. Soc. 611 (2000); Snow, David A., Rochford, E. Burke Jr., Worden, Steven K. & Benford, Robert D., Frame Alignment Processes, Micromobilization, and Movement Participation, 51 Am. Soc. Rev. 464 (1986).

140 As a result, framing is a lively research topic in sociology, political science, and other fields. See, e.g., Chong, Dennis & Druckman, James N., A Theory of Framing and Opinion Formation in Competitive Elite Environments, 57 J. Comm. 99 (2007); Benford, Robert D., An Insider’s Critique of the Social Movement Framing Perspective, 67 Soc. Inquiry 409 (1997). Lessig uses the term meaning managers to describe this kind of agency in shaping norms and social context. Lessig, Lawrence, Social Meaning and Social Norms, 144 U. Pa. L. Rev. 2181, 2189 (1996).

141 See generally Price, supra note 136.

142 See supra notes 1–3, 15, 116, and accompanying text.

143 See, e.g., Vance, Cyrus R. Jr., Molins, François, Leppard, Adrian & Zaragoza, Javier, When Phone Encryption Blocks Justice, Int’l N.Y. Times, Aug. 12, 2015, at 8.

144 See David Kaye (Special Rapporteur), Report on the Promotion and Protection of the Right to Freedom of Opinion and Expression, paras. 13, 42, UN Doc. A/HRC/29/32 (May 22, 2015).

145 Finnemore & Sikkink, supra note 18, at 896–901.

146 See Acharya, supra note 133, at 243–45; Price, supra note 136, at 617.

147 The 2015 GGE Report called on states to support various peacetime cybernorms, including the following: not conducting or knowingly supporting ICT activity that intentionally damages critical infrastructure; not knowingly targeting another state’s CSIRTs; and not using their own CSIRTs for malicious activity. 2015 GGE Report, supra note 9, para. 13.

148 Grigsby, Alex, The 2015 GGE Report: Breaking New Ground, Ever So Slowly, Net Politics (Sept. 8, 2015), at ; Korzak, Elaine, The 2015 GGE Report: What Next for Norms in Cyberspace?, Lawfare (Sept. 23, 2015), at .

149 Sunstein, Cass R., Free Markets and Social Justice 38 (1999).

150 See Kathryn Sikkink, The Justice Cascade: How Human Rights Prosecutions are Changing World Politics 11 (2011); Sommer, Udi & Asal, Victor, A Cross-national Analysis of the Guarantees of Rights, 35 Int’l Pol. Sci. Rev. 463 (2014). “World polity” theorists (sometimes called “sociological institutionalists,” or “the Stanford School”) would argue that these cascades are part of a powerful world culture that has spread and thickened over the past century as many norms and organizational forms have “gone global.” The spread of cybernorms would very much fit with their arguments. See George M. Thomas, Institutional Structure: Constituting State, Society, and The Individual (1987); John Boli & George M. Thomas, Introduction to Constructing World Culture: International Nongovernmental Organizations Since 1875, at 1 (John Boli & George M. Thomas eds., 1999); Meyer, John W., Boli, John, Thomas, George M. & Ramirez, Francisco O., World Society and the Nation-State, 103 Am. J. Soc. 144 (1997).

151 See supra notes 12, 89, 113, and accompanying text.

152 See generally Wayne Sandholtz & Kendall Stiles, International Norms and Cycles of Change (2009); Wayne Sandholtz, Prohibiting Plunder: How Norms Change (2008).

153 See Tallinn Manual, supra note 11; Hollis, Duncan B., Re-thinking the Boundaries of Law in Cyberspace: A Duty to Hack?, in Cyberwar: Law & Ethics for Virtual Conflicts 129 (Ohlin, Jens, Govern, Kevin & Finkelstein, Claire eds., 2015).

154 This is true for law as well as for norms more generally. See Jutta Brunnée & Stephen J. Toope, Legitimacy and Legality in International Law: An Interactional Account 8 (2010).

155 These processes are deeply intertwined, and scholars employ varying nomenclature and categorizations. Goodman and Jinks focus on material inducement, persuasion, and acculturation. Ryan Goodman & Derek Jinks, Socializing States: Promoting Human Rights Through International Law 4 (2013). Johnston condenses the mechanisms to two: persuasion and social influence. Johnston, Alastair Iain, Treating International Institutions as Social Environments, 45 Int’l Stud. Q. 487, 487 (2001). Checkel emphasizes strategic calculations, role playing, and normative suasion. Checkel, Jeffrey T., International Institutions and Socialization in Europe: Introduction and Framework, 59 Int’l Org. 801 (2005).

156 Our analysis assumes that incentives (and persuasion and socialization) are felt by states and other institutions via human agents who represent them. There is therefore no need to anthropomorphize states in order to rely on the sociological literature to assess behavior and beliefs. Accord Goodman & Jinks, supra note 155, at 40–41.

157 See, e.g., 2015 Heroes and Villains of Human Rights and Communication Surveillance, Access Now (2016), at The international relations literature often focuses on nongovernmental organizations and otherwise weak actors since these norm entrepreneurs challenge various theoretical assumptions about international relations—most notably, the realist view. But we should still remain attentive to the pervasive role of the strong in creating norms.

158 See, e.g., European Commission Press Release, supra note 13; Ashford, Warwick, EU Data Protection Rules Affect Everyone, Say Legal Experts, Computer Weekly (Jan. 11, 2016), at .

159 For more on norm internalization, including the idea of “obedience,” see Koh, supra note 133.

160 See supra notes 126–32 and accompanying text (re: habit).

161 For an interdisciplinary assessment of persuasion, see Ratner, Steven R., Law Promotion Beyond Law Talk: The Red Cross, Persuasion, and the Laws of War, 22 Eur. J. Int’l L. 459 (2011). Johnston and Goodman/Jinks differentiate persuasion, which is cognitive, from social influences and socialization, which are rooted in relationships. They recognize, moreover, that ideal-type distinctions break down in empirical situations since most real-world interactions involve both cognition and social relations. Johnston, supra note 155, at 496; Goodman & Jinks, supra note 155, at 29–30. Jürgen Habermas’s work on “communicative action” is central to much persuasion research. 1 Jürgen Habermas, Theory of Communicative Action (1984). For international relations applications, see Risse, Thomas, “Let’s Argue!”: Communicative Action in World Politics, 54 Int’l Org. 1 (2000).

162 See supra notes 139–44 and accompanying text.

163 See generally Ronald R. Krebs, Narrative and The Making of US National Security (2015).

164 See Cybersecurity Framework, supra note 93.

165 Stryker, Sheldon & Statham, Anne, Symbolic Interaction and Role Theory, in 1 The Handbook of Social Psychology 311, 325 (Lindzey, Gardner & Aronson, Elliot eds., 1985) (“Socialization is the generic term used to refer to the processes by which the newcomer—the infant, rookie, or trainee, for example—becomes incorporated into organized patterns of interaction.”); Johnston, supra note 155, at 494 (quoting Stryker & Statham, supra). Goodman and Jinks refer to “acculturation”—“the general process by which actors adopt the beliefs and behavioral patterns of the surrounding culture.” Goodman & Jinks, supra note 155, at 4.

166 Johnston, supra note 155, at 500. Socialization often has a strong status element, with lower-status actors seeking to meet expectations (and adopt the norms) of high-status actors. Id.

167 See Meyer, John W., Ramirez, Francisco O. & Soysal, Yasemin Nuhoglu, World Expansion of Mass Education, 1870–1980, 65 Soc. Educ. 128 (1992).

168 Ramirez, Francisco O., Soysal, Yasemin & Shanahan, Suzanne, The Changing Logic of Political Citizenship: Cross-national Acquisition of Women’s Suffrage Rights, 1890 to 1990, 62 Am. Soc. Rev. 735 (1997).

169 See supra note 66 and accompanying text. For more on mimicry, see DiMaggio, Paul & Powell, Walter W., The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in Organizational Fields, 48 Am. Soc. Rev. 147, 151 (1983).

170 Create a CSIRT, CERT (2016), at; Morgus, Robert, Skierka, Isabel, Hohmann, Mirko & Maurer, Tim, National CSIRTs and Their Role in Computer Security Incident Response, New America (Nov. 19, 2015), .

171 United States Telecommunications Training Institute, at On military professionals’ newfound interest in cybersecurity, see Tikk-Ringas, Eneken, Kerttunen, Mika & Spirito, Christopher, Cyber Education as a Field of Military Education and Study, 75 Joint Forces Q. 57 (2014).

172 See Margaret E. Keck & Kathryn Sikkink, Activists Beyond Borders: Advocacy Networks In International Politics (1998); Katzenstein, Suzanne, Reverse-Rhetorical Entrapment: Naming and Shaming as a Two-Way Street, 46 Vand. J. Transnat’l L. 1079 (2013); Murdie, Amanda M. & Davis, David R., Shaming and Blaming: Using Events Data to Assess the Impact of Human Rights INGOs, 56 Int’l Stud. Q. 1 (2012); Hafner-Burton, Emilie M., Sticks and Stones: Naming and Shaming the Human Rights Enforcement Problem, 62 Int’l Org. 689 (2008).

173 See Frank Schimmelfennig, The EU, NATO and The Integration of Europe: Rules and Rhetoric 272 (2003).

174 See Finnemore, Martha, Legitimacy, Hypocrisy, and the Social Structure of Unipolarity: Why Being a Unipole Isn’t All It’s Cracked Up to Be, 61 World Pol. 58, 72 (2009).

175 The growing international relations literature on “practices” speaks to this process. See, e.g., International Practices (Emanuel Adler & Vincent Pouliot eds., 2011). Work on “norm enactment” provides a somewhat different understanding of these processes. See Wiener, Antje & Puetter, Uwe, The Quality of Norms Is What Actors Make of It: Critical Constructivist Research on Norms, 5 J. Int’l L. & Int’l Rel. 1 (2009); Wiener, Antje, Enacting Meaning-in-Use: Qualitative Research on Norms and International Relations, 35 Rev. Int’l Stud. 175 (2009).

176 In humanitarian relief circles, original apolitical “Dunantist” norms are being challenged by more “Wilsonian” norms favoring political transformation. Barnett, Michael, Humanitarianism Transformed, 3 Persp. on Pol. 723, 728 (2005).

177 See Legro, Jeffrey W., Which Norms Matter?: Revisiting the “Failure” of Internationalism, 51 Int’l Org. 31 (1997).

178 See, e.g., Carpenter, R. Charli, Governing the Global Agenda: “Gatekeepers” and “Issue Adoption” in Transnational Advocacy Networks, in Who Governs The Globe? 202 (Avant, Deborah D., Finnemore, Martha & Sell, Susan K. eds., 2010); see also Carpenter, R. Charli, Studying Issue (Non)-adoption in Transnational Advocacy Networks, 61 Int’l Org. 643 (2007).

179 See supra text accompanying note 100.

180 Clifford Bob, The Global Right Wing and The Clash of World Politics 109 (2012).

181 Franklin, Marianne, Championing Human Rights on the Internet—Part Six: Summing Up, Too Much or Not Enough?, Open Democracy (Feb. 5, 2016), at .

182 Susan K. Sell, Cat and Mouse: Industries’, States’ and NGOs’ Forum-Shifting in the Battle over Intellectual Property Enforcement (2009), at

183 Nakashima, Ellen & Mufson, Steven, U.S., China Vow Not to Engage in Economic Cyberespionage, Wash. Post (Sept. 25, 2015); Sheehan, Matt, China Mocks U.S. “Hypocrisy” on Hacking Charges, World Post (May 20, 2014), at .

184 Goodman & Jinks, supra note 155, at 172.

185 See Gneezy, Uri & Rustichini, Aldo, A Fine Is a Price, 29 J. Legal Stud. 1 (2000).

186 Risse, Thomas & Ropp, Stephen C., Introduction and Overview, in The Persistent Power of Human Rights: From Commitment to Compliance 3 (Risse, Thomas, Ropp, Stephen C. & Sikkink, Kathryn eds., 2013); Risse & Sikkink, supra note 122, at 17–35. Risse, Ropp, and Sikkink’s “spiral model” was developed to describe promotion of human rights norms that are often highly contentious, especially when governments view human rights as a threat to regime stability. Some cybernorms may be analogous, like Chinese and Russian definitions of “cybersecurity” as “information security,” which allow (or require) state control of communications’ content. Other cybernorms may be less contentious and more in the nature of a coordination problem; for example, TCP/IP norms derive from a desire for interconnectivity. A more mixed-motive example might be using the Secure Socket Layer to ensure encrypted communications between a server and a client. Promotion and adherence in each of these cases may follow a different trajectory and go through different stages.

187 The “regime complex” literature also addresses issues raised by multiple, often competing configurations of norms. See Alter, Karen J. & Meunier, Sophie, The Politics of International Regime Complexity, 7 Persp. On Pol. 13 (2009); Raustiala, Kal & Victor, David G., The Regime Complex for Plant Genetic Resources, 58 Int’l Org. 277 (2004); Helfer, Laurence R., Regime Shifting: The TRIPs Agreement and New Dynamics of International Intellectual Property Lawmaking, 29 Yale J. Int’l L. 1 (2004).

188 See, e.g., Shackelford, Scott J., Toward Cyberpeace: Managing Cyberattacks Through Polycentric Governance, 62 Am. U. L. Rev. 1273, 1283 (2013) (noting that rate of technological advancement contributes to cyberspace being a “unique space”).

189 Moore, Gordon E., Cramming More Components onto Integrated Circuits, 86 Proc. IEEE 82 (1998), reprinted from Electronics, Apr. 19, 1965, at 114. But see Clark, Don, Moore’s Law Shows Its Age, Wall St. J. (Apr. 17, 2015), at (suggesting that doubling rate is slowing).

190 See supra note 6; J. M. Porup, Malware in the Hospital, Slate (Jan. 25, 2016), at internet_connected.html; LaFrance, Adrienne, When You Give a Tree an Email Address, Atlantic (July 10, 2015), at .

191 As a result, some norms have taken years, if not decades, to form and spread (for example, abolition). See, e.g., Robin Blackburn, The Overthrow of Colonial Slavery, 1776–1848 (1988).

192 Chowell, Geraldo, Viboud, Cécile, Hyman, James M. & Simonsen, Lone, The Western Africa Ebola Virus Disease Epidemic Exhibits Both Global Exponential and Local Polynomial Growth Rates, PLOS Currents: Outbreaks (Jan. 21, 2015), at ; Honner, Patrick, Exponential Outbreaks: The Mathematics of Epidemics, N.Y. Times (Nov. 5, 2014), at .

193 See Maxmen, Amy, How the Fight Against Ebola Tested a Culture’s Traditions, Nat’l Geographic (Jan. 30, 2015), at .

194 Nevertheless, half the world—57 percent, or 4.2 billion people—still lacks regular Internet access. Broadband Commission for Digital Development, The State of Broadband 2015: Broadband as a Foundation for Sustainable Development 8 (2015), at Documents/reports/bb-annualreport2015.pdf.

195 See Adoption of the Paris Agreement, UN Doc. FCCC/CP/2015/L.9/Rev.1 (Dec. 12, 2015).

196 As the adage goes, “On the Internet, nobody knows you’re a dog.” See,_nobody_knows_you%27re_a_dog#/media/File:Internet_dog.jpg. The original cartoon, by Peter Steiner, was published July 5, 1993, in the New Yorker.

197 See supra notes 69–72 and accompanying text.

198 Tor Project, Users of Tor, at

199 Eichensehr, Kristen, Cyber Attribution Problems—Not Just Who, But What, Just Security (Dec. 11, 2014), at .

200 Rid, Thomas & Buchanan, Ben, Attributing Cyber Attacks, 38 J. Strategic Stud. 4 (2015); Lindsay, Jon R., Stuxnet and the Limits of Cyber Warfare, 22 Security Stud. 365 (2013).

201 53 Admitted False Flag Attacks, Washingtonsblog (Feb. 23, 2015), at

202 If anything, “Big Data” and the “Internet of Things” make it harder to remain anonymous, given how they track and gather data. See supra notes 6, 190; Crawford, Kate & Schultz, Jason, Big Data and Due Process: Toward a Framework to Redress Predictive Privacy Harms, 55 B.C. L. Rev. 93 (2014).

203 See Schneier, Bruce, Hacker or Spy? In Today’s Cyberattacks, Finding the Culprit Is a Troubling Puzzle, Christian Sci. Monitor (Mar. 4, 2015), at .

204 Cohen, Julie E., Cyberspace as/and Space, 107 Colum. L. Rev. 210, 210–11 (2007).

205 See, e.g., John Perry Barlow, A Declaration of the Independence of Cyberspace (Feb. 8, 1996), at; Johnson, David R. & Post, David, Law and Borders—the Rise of Law in Cyberspace, 48 Stan. L. Rev. 1367, 1375–76 (1996).

206 See, e.g., Demchak, Chris C. & Dombrowski, Peter, Rise of a Cybered Westphalian Age, 5 Strategic Stud. Q. 32 (2011); Jack L. Goldsmith & Tim Wu, Who Controls The Internet?, at xii (2006); Kerr, Orin S., The Problem of Perspective in Internet Law, 91 Geo. L. J. 357, 359–61 (2003).

207 See Chander, Anupam & Lê, Uyên P., Data Nationalism, 64 Emory L. J. 677 (2015).

208 Lee, Jyh-An & Liu, Ching-Yi, Forbidden City Enclosed by the Great Firewall: The Law and Power of Internet Filtering in China, 13 Minn. J. L. Sci. & Tech. 125 (2012).

209 See Duncan B. Hollis, Stewardship Versus Sovereignty? International Law and the Apportionment of Cyberspace 6–7 (paper prepared for the Cyber Dialogue forum, Toronto, Canada, March 18–19, 2012) (on file with authors).

210 See generally Klimburg, Alexander, Mobilising Cyber Power, 53 Survival 41 (2011) (noting, in contrast, how Chinese and Russian governments regularly assume that they can control nonstate actors).

211 See, e.g., UN Convention on the Law of the Sea, Dec. 10, 1982, 1833 UNTS 3; Marrakesh Agreement Establishing the World Trade Organization, Apr. 15, 1994, 1867 UNTS 154; Extractive Industries Transparency Initiative, at; see also Haufler, Virginia, Disclosure as Governance: The Extractive Industries Transparency Initiative and Resource Management in the Developing World, 10 Global Envtl. Pol. 53 (2012).

212 Lessig, supra note 118; see also Jonathan Zittrain, The Future of The Internet and How to Stop It (2008); Lawrence Lessig, Code: Version 2.0 (2006); Wu, Tim, When Code Isn’t Law, 89 Va. L. Rev. 679 (2003).

213 See generally Steven Weber, The Success of Open Source (2004).

214 See supra notes 1–5, 15, 116, 142–44, and accompanying text; When Back Doors Backfire, Economist (Jan. 2, 2016), at Lessig also makes this point. Lessig, supra note 118, ch. 5.

215 See, e.g., McBride, Sarah & Richwine, Lisa, Epic Clash: Silicon Valley Blindsides Hollywood on Piracy, Reuters (Jan. 22, 2012), at .

216 See generally, Haas, Peter M., Introduction: Epistemic Communities and International Policy Coordination, 46 Int’l Org. 1 (1992).

217 Tunis Agenda for the Information Society 6, UN Doc. WSIS-05/TUNIS/DOC6 (Rev.1)-E (Nov. 18, 2005), at For more on the multistakeholder definition, see Tim Maurer, Cyber Norm Emergence at The United Nations (2011), at

218 See Laura Denardis, The Global War for Internet Governance, ch. 1 (2014).

219 Jennifer Granick, Changes to Export Control Arrangement Apply to Computer Exploits and More (Jan. 15, 2014), at

220 Raymond, Mark & DeNardis, Laura, Multistakeholderism: Anatomy of an Inchoate Global Institution, 7 Int’l Theory 572 (2015).

221 See supra parts I (contexts) and II (normative elements and tools).

222 Barack Obama, Remarks by the President on Securing Our Nation’s Cyber Infrastructure (May 29, 2009), at

223 The United States, for example, has pushed states at the GGE to agree not to target critical infrastructure, while seeking heightened critical industry cybersecurity at home. See, e.g., Grigsby, supra note 148; Cybersecurity Framework, supra note 93.

224 See supra notes 142–44 and accompanying text.

225 In its 2013 report, the GGE agreed that “International law, and in particular the Charter of the United Nations, is applicable” to the “ICT environment.” Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc. A68/156/Add.1 (Sept. 9, 2013). Attempts to elaborate on that statement in the 2015 report failed. See Fidler, David, The GGE on Cybersecurity: How International Law Applies to Cyberspace, Net Politics (Apr. 14, 2015), at . The Tallinn Manual, by contrast, had more success in elaborating an array of norms based on this first one. Tallinn Manual, supra note 11, at 3, 13.

226 See supra notes 85–125 and accompanying text.

227 See supra note 12 and accompanying text.

228 See supra notes 12, 89, 113, 151, and accompanying text; Nicola, Stefan, China Working to Halt Commercial Cyberwar in Deal with Germany, Bloomberg News (Oct. 29, 2015), at .

229 See Bennett, Cory, Russia, China United with Major Cyber Pact, Hill (May 8, 2015), at ; Russia-China Agreement, supra note 12.

230 Guzman, Andrew T., Why LDCs Sign Treaties That Hurt Them: Explaining the Popularity of Bilateral Investment Treaties, 38 Va. J. Int’l L. 639, 643 (1998).

231 See Freedom Online Coalition, at

232 Depth refers to the extent to which actors depart from what they would have done in the norm’s absence. See Goodman & Jinks, supra note 155, at 97; Guzman, Andrew T., How International Law Works: A Rational Choice Theory 154–56 (2008).

233 As of August 1, 2016, the Budapest Convention, supra note 11, had forty-nine parties, including, most recently, Australia, Canada, and Japan. See Chart of Signatures and Ratifications of Treaty 185: Convention on Cybercrime, at The African Union treaty may also be a concrete example of mimicking, hoping to replicate the Budapest Convention’s success. African Union Convention on Cyber Security and Personal Data Protection, supra note 87.

234 See Freedom Online Coalition, WG-1—an Internet Free and Secure, at (recommending “greater stakeholder-driven and human rights respecting approaches to cybersecurity”); Revised SCO Code of Conduct, supra note 11, para. 2(3) (emphasizing norms against using ICT to “interfere in the internal affairs of other States or with the aim of undermining their political, economic and social stability”).

235 Compare Wassenaar’s attempts to reduce trade in surveillance technology with norms of states like China that have such systems baked into their technological architecture. See Wassenaar Arrangement, supra note 13; Lee & Liu, supra note 208, at 133 (China); Marczak et al., supra note 37 (China).

236 NETmundial Multistakeholder Statement, supra note 17, and accompanying text.

237 2015 GGE Report, supra note 9, annex.

238 See supra notes 79, 147, and accompanying text.

239 See supra note 225 and accompanying text.

240 See supra notes 98–104 and accompanying text.

241 See Abbott, Kenneth W., Keohane, Robert O., Moravcsik, Andrew, Slaughter, Anne-Marie & Snidal, Duncan, The Concept of Legalization, 54 Int’l Org. 401, 412–14 (2000).

242 On grafting, see supra note 146 and accompanying text.

243 See supra notes 9, 225, and accompanying text. On states’ strategic use of international organizations, see Tikk-Ringas, Eneken, The Implications of Mandates in International Cyber Affairs, Geo. J. Int’l Aff. 41 (2012).

244 See Wassenaar Arrangement, supra note 13.

245 See supra note 81 and accompanying text.

246 See Wassenaar Arrangement, supra note 13.

247 See, e.g., Sternstein, Aliya, This Cyber ‘Safeguard’ Is Hurting US Defenses, Defense One (Jan. 13, 2016), at .

248 See, e.g., Freedom Online Coalition, supra note 231; NTIA IANA Functions’ Stewardship Transition, supra note 100; Global Conference on CyberSpace, supra note 10 (London Process); see also Austin et al., supra note 14 (proposing new cybernorms forum).

249 The Stockholm Internet Forum’s chair described 2014 as “the year of infinite meetings,” but the pace has continued unabated. See Anna-Karin Hatt, Minister for Information Technology & Energy, Swedish Ministry of Enterprise, Energy, and Communications, Opening Address at the Stockholm Internet Forum (May 27, 2014), at

250 See, e.g., Hollis, Duncan B. & Newcomer, Joshua J., ‘Political’ Commitments and the Constitution, 49 Va. J. Int’l L. 507 (2009); Raustiala, Kal, Form and Substance in International Agreements, 99 AJIL 581, 613 (2005); Abbott et al., supra note 241; Lipson, Charles, Why Are Some International Agreements Informal?, 45 Int’l Org. 495 (1991). Other scholarship describes the trade-offs via levels of uncertainty, risks of opportunistic behavior, and diversity in interests and preferences. Abbott, Kenneth W. & Snidal, Duncan, Hard and Soft Law in International Governance, 54 Int’l Org. 421 (2000).

251 Lipson, supra note 250, at 511.

252 Setear, John K., Treaties, Custom, Iteration, and Public Choice, 5 Chi. J. Int’l L. 715, 725–27 (2005).

253 International relations scholars have suggested that treaties are thus less flexible than political commitments. Lipson, supra note 250, at 500. Although sometimes true, modern treaties (for example, multilateral environmental agreements) may contain built-in adjustment mechanisms to accommodate new facts, scientific developments, or agreements. See Brunnée, Jutta, Treaty Amendments, in The Oxford Guide to Treaties 347 (Hollis, Duncan B. ed., 2012); Helfer, Laurence R., Nonconsensual International Lawmaking, 2008 U. Ill. L. Rev. 71, 75 (2008).

254 Hollis & Newcomer, supra note 250, at 512, 526.

255 For a domestic analysis, see Gersen, Jacob E. & Posner, Eric A., Soft Law: Lessons from Congressional Practice, 61 Stan. L. Rev. 573 (2008).

256 Hollis & Newcomer, supra note 250, at 526. Treaties do, however, regularly contain exit provisions. Laurence R. Helfer, Terminating Treaties, in The Oxford Guide To Treaties, supra note 253, at 634.

257 Lipson, supra note 250, at 511.

258 See, e.g., Lynch, David J & Dyer, Geoff, Chinese Hacking of US Companies Declines, Financial Times (Apr. 13, 2016), at .

259 Hollis & Newcomer, supra note 250, at 526.

260 See supra notes 196–203 and accompanying text.

261 Raustiala, supra note 250, at 592.

262 See supra note 126 and accompanying text.

263 See supra note 110 and accompanying text.

264 See Consolidated Appropriations Act, 2016, Pub. L. No. 114-113, div. N (2015).

265 Hill, Jonah Force, Problematic Alternatives: MLAT Reform for the Digital Age, Harv. Nat’l Security J. (Jan. 28, 2015), at .

266 See supra notes 142–44 (re: encryption), 171 (re: cybersecurity professionals).

267 Consolidated Appropriations Act, 2016, supra note 264; Grigsby, supra note 148; 2015 GGE Report, supra note 9, para. 13(j).

268 Goodman & Jinks, supra note 155, at 180.

269 Id. at 180–82.

270 This appears to be the Organization for Security and Co-operation in Europe’s strategy. See Organization for Security and Co-operation in Europe, Permanent Council, Decision No. 1106: Initial Set of OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies, PC.DEC/1106 (Dec. 3, 2013), at

271 See supra notes 120–22 (re: insincere conformity), 123–125 (re: incompletely theorized agreements), and accompanying text. Of course, actors could try to pursue both simultaneously.

272 Allott, Philip, The Concept of International Law, 10 Eur. J. Int’l L. 31, 43 (1999).

273 See Iasiello, supra note 120.

274 See Farrell, Henry & Finnemore, Martha, The End of Hypocrisy: American Foreign Policy in the Age of Leaks, Foreign Aff., Nov./Dec. 2013, at 22.

275 See Nakashima, supra note 64; Iasiello, supra note 120. But see Gady, supra note 120.

276 See Goodman & Jinks, supra note 155, at 23.

277 Id. at 167. The tolerability calculus may depend on what Goodman and Jinks call “targeting capacity”— namely, the “capacity to direct pressure against specific actors.” Id. at 183. Incentives do not work well in poor targeting-capacity cases since targeted actors can avoid the coercive costs or pass them off to other actors. The attribution problem often complicates targeting for cybersecurity. Only when the actor’s identity may be determined can incentives lead to norms. The threat of cybersanctions against specific Chinese officials, for example, may explain their adherence to the cyberespionage norm.

278 Id.

279 See supra notes 161–64 and accompanying text.

280 WHO Framework Convention on Tobacco Control, May 21, 2003, 2302 UNTS 166.

281 Kal Raustiala, NGOs in International Treaty-Making, in The Oxford Guide to Treaties, supra note 253, at 150, 168–69.

282 See 2015 GGE Report, supra note 9, para. 13(f); Grigsby, supra note 148.

283 See supra note 172 and accompanying text.

284 This is true whether or not the company intended it. See, e.g., Fox-Brewster, Thomas, Thunderstrike 2: Remote Attacks Can Now Install Super Stealth ‘Firmworm’ Backdoors on Apple Macs, Forbes (Aug. 3, 2015), at ; Seth Rosenblatt, Lenovo’s Superfish Security Snafu Blows Up in Its Face, C/NET (Feb. 20, 2015), at

285 Stryker, Cole, The Problem with Public Shaming, Nation (April 24, 2013), at .

286 Budapest Convention, supra note 11, Art. 35.

287 George C. Marshall European Center for Security Studies, Program on Cyber Security Studies (PCSS), at

288 United States Telecommunications Training Institute, supra note 171; Sacks, Samm, Cybersecurity Won’t Be the Biggest Deal at China’s World Internet Conference, Fortune (Dec. 15, 2015), at .

289 GA Res. 70/237, para. 5 (Dec. 30, 2015). The resolution contemplates the GGE reporting back to the General Assembly in 2017.

290 2015 GGE Report, supra note 9, para. 13. The new GGE will expand its membership from twenty to twenty-five governmental experts.

291 See, e.g., Andrew Guzman & Tim Meyer, Goldilocks Globalism: The Rise of Soft Law in International Governance (2015); Brummer, Chris, Why Soft Law Dominates International Finance—and Not Trade, 13 J. Int’l Econ. L. 623 (2010); Commitment and Compliance: The Role of Non-Binding Norms in The International Legal System (Dinah Shelton ed., 2000).

292 This is not to say that international lawyers have ignored this issue; several have done significant work on international law’s social processes. E.g., Koh, supra note 133; Goodman & Jinks, supra note 155. Moreover, global administrative law has emphasized thinking more about how processes and other administrative tools may improve global governance. See, e.g., Benedict Kingsbury, Nico Krisch & Richard Stewart, The Emergence of Global Administrative Law, Law & Contemp. Prob., Summer 2005, at 15.

* The authors’ research was funded, in part, by a Minerva Grant (No. N00014-13-1-0878) from the U.S. government in cooperation with Massachusetts Institute of Technology’s Computer Science and Artificial Intelligence Laboratory. The authors thank Jeffrey Dunoff, Virginia Haufler, Alexander Klimburg, Tim Maurer, and participants in the fourth Annual DC IR Workshop for helpful comments, as well as Dalila Berry, Rachel Reznick, and Laura Withers for excellent editorial and research assistance. We are particularly indebted to our late colleague, Roger Hurwitz, of MIT, who introduced the two of us and encouraged us to write this article together. The views expressed are those of the authors alone.
