Strategically normative. Norms and principles in national cybersecurity strategies



It is hard to overestimate the role of a national cybersecurity or information security strategy. Balancing between infinite ambitions and finite resources, these instruments legitimise demands, level expectations and reinforce rights and freedoms. Strategies constitute effective administrative tools to create a division of responsibility and labour between governmental agencies and between the public and private sector. This paper applies a normative reading to 106 national cybersecurity strategies, most of them adopted after the cyberattacks against Estonia in 2007, an event that marked a strong shift toward securitisation of the use of information and communication technologies (ICTs). The paper identifies and discusses countries’ qualifications of afforded and expected standards of behaviour in the context of both national and international cybersecurity. The analysis is intended to contribute to the international debate around cybernorms and responsible behaviour in state use of ICTs.

Key points

  • National strategies inform domestic and global audiences of the normative foundations and goals of governmental policies.
  • Such information is essential for developing understanding of mutual expectations of responsible behavior, formulating positions for regional and global negotiations and calibrating capacity building in the field.
  • Countries need to study what other governments are doing and why. Such mutual learning, supported by regional organisations and academic communities, improves the overall awareness of similar challenges and issues that states have to address amid contingent ambitions and resources.
  • Better awareness and understanding may lead to better appreciation of differing approaches and ultimately contribute to international peace, security and stability.



Join the EU Cyber Direct Network

Subscribe to the EU Cyber Direct newsletter and receive updates on our latest research, news, and events