India has assumed a stance of strategic ambiguity on the proliferation of norms for responsible state behaviour in cyberspace, positioning itself as a
‘bridge builder’ between the two camps that have emerged during multilateral cyber norm negotiations.
Its insistence on an enhanced role for intergovernmental institutions (such as the ITU) and its oscillating allegiance to the two polarised factions largely reflect the country’s long-standing focus on Westphalian sovereignty and the consequent belief in the primacy of the state as an actor in international affairs. This brings India to a certain degree of alignment with sovereignty-focused countries like China and Russia in the context of norm-building debates.
At the second substantive session of the Open-Ended Working Group (OEWG), India
argued that voluntary norms do not necessarily increase the predictability of state behaviour within the ICT environment, but was not openly against the adoption of new voluntary norms; for instance, the country
proposed the adoption of a new norm on refraining from weaponisation and offensive uses of ICTs along with countries like Iran, Cuba, and Nigeria.
Brazilian diplomats portray Brazil’s role in the often polarised debates on norms of responsible state behaviour as that of a
broker or strategic bridge-builder between the different camps rather than a mere ‘swing state’ and highlight that balancing between both camps serves to maintain an independent foreign policy. Brazil
sought to focus its chairmanship of UN GGE’s third and fourth iterations on three issues: the role of civilians in cyber conflict, the right to respond, and attribution. Since the 2013 Snowden revelations, the country has been a stark champion of data protection, showcasing
exceptional norm entrepreneurship
in relation to cyber-surveillance norms. Brazil has also
expressed support for the proposal of adopting a legally binding instrument in the medium to long-term to prevent the militarisation of cyberspace.
Peru stresses the need to make a
distinction between 'cyber attacks' (which involve 'damage being caused to a militarily relevant target, which may be totally or partially destroyed, even captured or neutralised') and an 'abrupt disruption of communications in cyberspace', i.e. cyber operations that cause inconvenience, even extreme inconvenience, but not direct injury or death, or destruction of property. Accordingly, Peru emphasises the determination of the legality of cyber operations in the context of the use of force by taking into account whether they may result in death or injury to persons or property.
Peru has noted the difficulty of attribution in cyberspace. Coinciding with other American states, Peru has focused on the state's duty to ensure that its territory is not used by non-state actors to launch attacks. In this regard, Peru
states that the inertia of a state towards a non-state actor that could unleash a cyber-attack on another state and that it was in a position to control could make its behaviour attributable to the state.
In any case, Peru
highlights the validity of various human rights in cyberspace, including 'the right to privacy and intimacy, freedom of information, freedom of expression, free and equal access to information, bridging the digital divide, intellectual property rights, free flow of information, the right to secrecy of communications'.