One of the early efforts to develop cyber norms and confidence-building measures was the 2015 Report of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. This report established some consensus around the applicability of international law to state behavior in cyberspace. It affirmed that states should not conduct or knowingly support cyber operations that intentionally damage critical infrastructure or otherwise harm civilians. The report helped lay the groundwork for further international discussions on expanding norms of responsible state behavior in cyberspace.
Since that initial 2015 report, there have been ongoing multilateral efforts through forums like the UN Open-Ended Working Group, the Organization for Security and Cooperation in Europe, and other bodies to develop new cyber norms and strengthen existing ones. Some of the cyber norms that have emerged through these discussions and begun to gain widespread acceptance include calls for states to: refrain from cyber operations that intentionally damage critical infrastructure or disrupt public emergency response; protect electoral and political processes from cyber interference; uphold principles of non-intervention in the internal affairs of other states; and consider the likelihood of collateral damage when conducting cyber operations.
In addition to norms, states have also sought to establish confidence-building measures (CBMs) that can reduce risks and misperceptions between states regarding cyber threats and state-sponsored activity. An early cyber CBM proposal came from the US and Russia in 2013; it suggested measures like inviting foreign experts to observe national cyber defense exercises, notifying other states of impending tests or network scans, and establishing communication channels for managing incidents or addressing vulnerabilities. While that initial US-Russia CBM proposal did not gain traction, the ideas have influenced subsequent discussions.
One notable confidence-building effort has been an ongoing series of cyber talks between the US and China since 2013. Through these discussions, the two powers have implemented practical CBMs like establishing a cybersecurity working group and hotline for managing crises, notifying each other of major cyber incidents, and hosting annual roundtables to increase transparency and discuss their national cyber policies. Observers see these US-China talks as helping to limit further escalation between the two countries in cyberspace, even as tensions remain high over other geostrategic issues.
On a broader scale, the UN has worked to develop a consensus set of global CBMs through the Open-Ended Working Group (OEWG) process. In 2021, the OEWG finalized 11 non-binding UN CBMs for countries to voluntarily adopt, covering areas like information exchanges on national cyber policies, building partnerships on cybercrime, cooperating on tracking and attributing cyber operations, establishing contacts for managing crises, and participating in international capacity-building efforts. While these CBMs lack an enforcement mechanism, supporters argue they can promote stability if adopted widely.
Meanwhile, some regional blocs have also attempted tailored CBM frameworks. For instance, the Organization for Security and Cooperation in Europe (OSCE) established a comprehensive set of cybersecurity CBMs in 2016 that 55 OSCE participating states can implement on a voluntary basis. These CBMs include transparency measures like exchanging details on national cyber strategies, creating points of contact, and hosting consultations to reduce tensions. The ASEAN Regional Forum has also floated some modest CBM proposals focused more on norms of state behavior and cooperation on cybercrime.
While significant challenges remain, there has been progress in developing a basic framework of cyber norms and confidence-building measures through multilateral forums. Widespread adoption of existing CBM proposals could help improve stability between states by increasing transparency, managing risks, and lowering the probability of escalation from misunderstandings in cyberspace. As malicious cyber activities continue rising globally, further strengthening international consensus on responsible state behavior and trust-building will remain a high priority.