The discussion about international norms for state behaviour in cyberspace gained prominence at an international level through the 2015 report of the United Nations Group of Governmental Experts (UNGGE). The motivation to adopt a concept of norms was rather pragmatic as it had proven difficult to engage in discussions on the applicability of international law within the UNGGE. It was considered easier to find consensus on voluntary and non-binding norms, yet neither the UNGGE nor the academic literature clarify what the concept of norms – especially as opposed to law – means. This conceptual ambiguity between law and norms leads to difficulties regarding legal predictability as well as the establishment of responsibility and possible responses to breaches of norms. This paper briefly showcases this ambiguity in the international debate and in literature as they pertain to international norms for state behaviour in cyberspace. Multilateral negotiations and other initiatives can present ways to clarify these two concepts. However, venue choice and the form of cooperation can also influence the legal relevance of negotiation outcomes. Finally, complementary action can help clarify what states consider obligations in cyberspace as well as violations. But what action a state can take in response to a malicious cyber activity depends on the act being categorised as a violation of law or merely a violation of voluntary non-binding norms.
- The creation of the concept of voluntary, non-binding norms – as opposed to law – has led to conceptual ambiguity in the regulation of state behaviour in cyberspace.
- Conceptual ambiguity can lead to legal uncertainty and makes the determination of responsibility more challenging.
- Multilateral meetings and exchanges of ideas and interests play an important role in clarifying those ambiguities. But they can also further blur these two concepts.
- Additionally, complementary action can help clarify what states consider obligations in cyberspace as well as violations. However, the action that a state can take in response to malicious cyber activity highly depends on whether that activity is categorised as violating a law or merely breaching a norm.
- The debate over which norms states should adopt, for all the disagreement and back-and-forth, will prove a necessary part of the process; in the end, it will increase clarity, and therefore security, in cyberspace.