Skip to main content

Cybersecurity Experts Discuss International Cybersecurity Norms

October 20, 2015


Jessica L. Beyer

International Policy Institute Conference

The third conference panel of JSIS’s New Frontiers in International Affairs: A Conversation on the Arctic, Space, and Cybersecurity – Views from the Puget Sound and the Potomac, addressed the following questions: What are the current international cybersecurity norms? How can they be improved? What is the potential for public-private collaboration in developing and maintaining good cybersecurity norms? Cybersecurity is a diverse and broad field and the panel reflected that span.

Professor Sara Curran moderated the panel and the speakers included:

  • Jessica Beyer, cybersecurity postdoc, Jackson School of International Studies
  • Scott Godwin, General Manager in the National Security Directorate, Pacific Northwest National Laboratory Center
  • David C. Gompert, Senior Fellow, the RAND Corporation; former Principal Deputy Director of National Intelligence
  • Paul Nicholas, Senior Director, Trustworthy Computing, Microsoft Corporation

The emergence of cybersecurity as an issue area coincides with the growing role of the Internet in every aspect of our daily lives. Our dependence on the Internet and computers means that it can be weaponized, as the Stuxnet virus illustrates. Attacks could occur on key infrastructure with the potential to cripple economies or even cause physical harm to individuals. Tensions between major actors in the international system, such as China and the US, combined with the fuzzy lines between cyber-warfare, cyber-espionage, and cyber-crime make the development of positive cybersecurity norms critical.

Cybersecurity does not just matter at the state-to-state level, but state-to-state tensions illustrate the need to protect critical infrastructure from cyber-war (or even cyber-crime). At this level, many successful industry-government partnerships and entities work to ensure the safety of the population. However, much work needs to be done in this area.

One of the major cybersecurity challenges facing the world is that even though there is a focus on state-to-state cyber-warfare, most of the devices people use to access the Internet and engage in most normal economic activity are created and maintained by businesses such as Microsoft. Therefore, industry must be part of the conversation—particularly as we move into the age of the Internet of Things.

Finally, the complexity of cybersecurity issues is reflected in the difficulty of creating shared cybersecurity norms at the international level. Countries do not agree about what the Internet should be domestically, something largely generated by concerns (or lack of concern) around the free flow of information. This then leads to difficulties in deciding the form of formal institutions for international Internet governance.

Three major themes emerged from the panel.

First, state-to-state negotiation will be key in establishing the rules that govern cyber-warfare and other particularly heinous uses of information and communication technology. There appears to be promise that positive steps will occur in this direction.

Second, there are considerable barriers to creating and maintaining international agreements around cybersecurity.

Third, the best way to generate positive cybersecurity norms is a multi-stakeholder model that involves government, industry, and academia—as well as other relevant actors.

The panel was the first step in a year-long effort to generate shared solutions and thinking around cybersecurity challenges through conversations between government, industry, and academia.

The IPI’s focus on cybersecurity is in line with JSIS’s commitment to the study of cybersecurity. For the past three years, JSIS has worked with Microsoft around cybersecurity issues through the applied research projects. For more information about this collaborative effort, please see here:

This event and publication were made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.