A few years back, I was lucky enough to be invited by research scientists at MIT’s Computer Science and Artificial Intelligence Lab — especially the late Roger Hurwitz — to participate in a Minerva Grant project studying norms and governance in cyberspace. In the interim, norms have become one of the hot topics in cybersecurity discussions in international fora. Together with Martha Finnemore, I began to think more about the processes by which norms work, including the ways they relate to international law.
I’m pleased to report that after a couple of years of research and thinking, Marty and I have the results of our work forthcoming in the American Journal of International Law: Constructing Norms for Global Cybersecurity. You can get a preview of the article on SSRN here. And, for those looking to learn more about our piece, here is the abstract:
Cybersecurity now stands at the top of the U.S. security agenda. As sources of cyber insecurity have proliferated, States and other stakeholders have increasingly turned to norms as the regulatory tool of choice, hoping to shape the behavior of diverse actors in this space. Proponents of cybernorms have so far focused on what the new norms should say and on what behaviors they should require or prohibit. They have paid little attention to how new norms would actually work—how they could successfully be constructed and the processes by which they would create desired effects. In other words, they have paid a lot of attention to the “cyber” component of cybernorms but very little attention to the “norms” component and the issues of how normativity actually works in the world.
In this Article, we offer an inter-disciplinary analysis of the processes by which cybernorms might be constructed and some of the choices and trade-offs involved in doing so. We first situate the current discourse in the varying contexts surrounding cybersecurity. We define the norm concept and examine the diverse array of norms currently populating the landscape of cyberspace. We next draw on the rich body of work in social science about norm construction in other policy areas to understand how norms can be cultivated successfully and how they create effects, both intended and otherwise. Of course, if cyberspace is unique, lessons from other policy domains might not be applicable but we assess these arguments and find them unconvincing.
Our paper then unpacks some of the strategic choices facing norm promoters in their decisions on which norms are needed, who should conform to them, not to mention where and how they should do so. We do not prescribe a particular path for norm promoters, but rather emphasize the need to recognize and accommodate the consequences and trade-offs these choices involve. Our paper thus offers lessons for States, industry, civil society, and others interested in promoting norms in cyberspace. By situating our work in both international law and international relations, this paper also provides a case study of the strategic social construction of norms that offers both political scientists and international lawyers more information on how non-legal mechanisms could regulate global problems like cybersecurity.
Comments and thoughts on the article are most welcome as Marty and I are continuing to do more research and writing in this space. Next up, is a project that assesses various ways to institutionalize a norm such as the duty to assist idea that I first called for a few years back.