From Cyber Norms to Cyber Rules: Re-engaging States as Law-makers

Abstract

Several indicators point to a crisis at the heart of the emerging area of international cyber security law. First, proposals of internationally binding treaties by the leading stakeholders, including China and Russia, have been met with little enthusiasm by other states, and are generally seen as having limited prospects of success. Second, states are extremely reluctant to commit themselves to specific interpretations of controversial legal questions and thus to express their cyber opinio juris. Third, instead of interpreting or developing rules, state representatives seek refuge in the more ambiguous term ‘norms’. This article argues that the reluctance of states to engage themselves in international law-making has generated a power vacuum, lending credence to claims that international law fails in addressing modern challenges posed by the rapid technological development. In response, several non-state-driven norm-making initiatives have sought to fill the void, including Microsoft’s cyber norms proposals and the Tallinn Manual project. The article then contends that this emerging body of non-binding norms presents states with a critical window of opportunity to reclaim a central law-making position, similarly to historical precedents including the development of legal regimes for Antarctica and nuclear safety. Whether the supposed crisis will lead to the demise of inter-state cyberspace governance or to a recalibration of legal approaches will thus be decided in the near future. States should assume a central role if they want to ensure that the existing power vacuum is not exploited in a way that would upset their ability to achieve their strategic and political goals.