The Republic of Agora

Responsible Cyber Behaviour


Global Compendium on Responsible Cyber Behaviour

Louise Marie Hurel, et al. | 2025.03.06

This compendium seeks to expand the discourse on responsible cyber behaviour by examining perspectives that have been under-represented in global debates.

Cyberspace has become a pivotal domain for geopolitical competition and statecraft, where vulnerabilities are systematically exploited and weaponised to advance state power. While certain sub-threshold activities, such as espionage, are tacitly regarded as “acceptable”, other behaviours remain ambiguously defined along the spectrum of responsible and irresponsible state conduct. This lack of clarity has significant implications for the present and future of the stability and security of the global digital ecosystem.

Over the past two decades, states have engaged in extensive multilateral discussions to delineate the “rules of the road” for cyberspace. These efforts, primarily undertaken within UN forums on international peace and security, have culminated in the development of a framework for responsible state behaviour in cyberspace. Anchored in four pillars – international law, norms, cyber capacity-building, and confidence-building measures – this framework represents a consensus-based approach to reducing ambiguity. However, its negotiation reflects a narrow focus, constrained by geopolitical tensions and divergent state priorities. The resulting diplomatic deadlocks and ongoing cyber confrontations between key actors – the US, China, Russia and others – highlight the challenges of operationalising the framework in practice.

This compendium seeks to expand the discourse on responsible cyber behaviour (RCB) by examining perspectives that have been under-represented in global debates. Moving beyond the confines of the UN framework and the perspectives of a select group of “capable” countries, this publication draws on region-specific case studies from North America, Latin America and the Caribbean, Europe, the Indo-Pacific, and the Middle East and Africa. These studies offer a critical lens on how states interpret and enact RCB, with approaches often shaped by unique regional dynamics such as developmental priorities, geopolitical pressures and climate concerns.

By exploring these diverse approaches, the compendium not only enriches understanding of RCB but also underscores the importance of contextualising global norms within local and regional realities. The compendium is the outcome of 11 workshops, as well as interviews and literature reviews conducted by the authors, undertaken under the aegis of the Global Partnership for Responsible Cyber Behaviour, a RUSI-led initiative with over 80 researchers dedicated to advancing regional research on RCB.

The case studies illuminate how responsibility is articulated and operationalised through institutional development, legal and regulatory frameworks, cooperative agreements, and responses to major cyber incidents. Collectively, they contribute to a more nuanced understanding of the interplay between global principles and localised practices, offering an essential foundation for advancing both scholarly enquiry and policy formulation on RCB.

Introduction

Louise Marie Hurel

Throughout the past two decades, most of the discussions concerning state responsibility in cyberspace have revolved around two specific processes in the UN: the Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG) on the Security of and in the Use of Information and Communications Technologies. Taken together, these two processes have resulted in a series of UN resolutions that have sought to determine the “rules of the road” for state conduct in cyberspace. This aggregate set of resolutions has also been referred to as the “framework of responsible state behaviour” in cyberspace, which is made up of four key areas (see Figure 1).

Figure 1: Four Key Areas of RCB

Notwithstanding the importance of the “framework” in setting an international benchmark for how states are expected to conduct themselves in cyberspace, defining “responsible” and “irresponsible” behaviour remains a highly subjective endeavour, for several reasons.

  1. Notions of responsibility are deeply engrained in institutional, political, economic and/or legal cultures at the domestic level, which provide international discussions with a broadly interpretable language.

  2. The nature of cyberspace makes it particularly challenging to attribute malicious activities as well as to determine intent, and thus it is difficult to establish the actor (state or non-state) behind a cyber incident.

  3. The sub-threshold nature of most cyber operations and malicious activities allows state-affiliated or state-sponsored groups to make use of ambiguity and obfuscation to conduct activities that are disruptive, but not entirely unacceptable or unlawful.

  4. Only 32 states to date have published their views on how international law applies to cyberspace, which means that there is still limited understanding of how key concepts such as sovereignty, non-intervention and due diligence are interpreted by states.

  5. Defining responsible state behaviour in cyberspace is a political act and, as such, there are incentives and disincentives. In being clearer about certain types of conduct, a state is also “drawing a line” as to what it should and should not do, which is not always politically or strategically desirable.

  6. As cyberspace involves the activities of many stakeholders beyond states, the diverse interests and perspectives of non-state actors have a significant role in shaping collective expectations on behaviour.

Taken together, these factors show that despite there being a basis for the understanding of responsible state behaviour, there are still ongoing challenges in taking the debate beyond general agreements.

With this in mind, and to respond to the challenge of recognising discussions beyond the UN framework, as well as the interdependence of states with other stakeholders in enhancing cybersecurity, this compendium uses the term “responsible cyber behaviour” (RCB), rather than “responsible state behaviour”. This is not to negate the state as a key actor, nor the UN framework; rather, it is to recognise that such a concept might provide a useful analytical tool for exploring responsibility in cyberspace. In this regard, “responsible” refers to the responsibility of a range of actors within the global cyber-security governance regimes, while “cyber” indicates the realm of that responsibility – that is, in or through cyberspace. “Behaviour” purposely focuses on practices and conduct that are seen as responsible or irresponsible, acceptable or unacceptable, lawful or unlawful, in cyberspace.

Even when assessing state responsibility, this compendium still places it under the broader conceptual umbrella of RCB, as there are many other stakeholders that interact with, support and/or hold significant prominence in global cybersecurity politics (for example, large technology companies providing critical software and cybersecurity services). Moreover, and as this compendium argues, even though responsibility in cyberspace has been perceived as being directly linked to the “framework”, it is not solely defined by it. As the compendium shows, there are other factors at the regional and domestic levels that need to be considered, including:

  • The association between responsibility and content control.

  • How specific understandings of responsibility are encoded through laws, strategies and institutional settings.

  • How regional threat landscapes impact how some states perceive what is appropriate and necessary, both in demonstrating responsibility and in defining irresponsible cyber behaviour.

Towards a More Culturally Sensitive View of Responsible Behaviour in Cyberspace

Notions of responsibility in cyberspace are negotiated via a series of concurrent (and at times, competing) forums – these can be multilateral, regional, theme-specific or multistakeholder. These forums may not use exactly the same term, but they nevertheless play a role in shaping auxiliary and synonymous references to responsible behaviour in cyberspace. A multisited view of RCB shows how norms and expectations of responsibility in cyberspace can and have been shaped beyond the UN and via other forums, as well as triggered by institutional developments and, in some cases, by cyber incidents.

The challenge is that these discussions happen in siloes and are disconnected from or not well accounted for in current policy and scholarly literature. This is why this compendium seeks to provide an integrated view of RCB across the international, domestic and operational spheres.

It is critical to understand that the UN framework is a product of the time and place in which it has been negotiated. As consensus arrangements negotiated within UN structures, the UN frameworks often conceal responsible state behaviour beyond “agreement” and like-mindedness. It can be argued that there are other components, such as national legislation (for example, cybercrime laws that define unlawful behaviour) and industry standards that equally shape RCB. The UN will likely continue to be the place for these discussions for the foreseeable future. However, because of the specific nature of where the discussions take place, there has often been a narrow view of where one should look to understand emerging state practice and collective views on RCB.

Therefore, equating RCB solely with the UN framework can lead to some analytical shortcomings in at least the following ways:

  • The multilateral nature of the debate: The fact that these key discussions take place in a multilateral space means that the agreement and decision-making power over such processes ultimately sits in the hands of UN member states. This also means that non-state actors have a limited role to play in discussions about RCB – including the private sector, which owns most of the software development and infrastructure used to support governments; and civil society and academia, which are not only users of the technologies but also targets or receivers of the disproportionate effects of cyber incidents.

  • The structure and politics of multilateral debates: While the previous point has been consistently recognised by both governmental and non-governmental stakeholders in the context of the OEWG, much less has been said about how the specific processes at the UN and the ways they operate also condition how these discussions take place. There are specific mandates for different “committees” within the UN. The state behaviour dialogues happen in the First Committee on Disarmament and International Security. This committee ultimately deals with the highest level of security concerns. The “framework” of voluntary commitments is crystallised through a years-long series of consensus-driven resolutions – but these still do not represent a legally binding commitment to those norms of expected behaviour. Such structures, processes and mandates have direct implications for what is considered to be within and outside the scope of the UN framework; for example, questions concerning the relationship between sustainable development and cybersecurity might not apply to the OEWG. Arguably, more development-leaning agendas would be considered if – and only if – they were framed as capacity-building concerns that are directly linked to the application of specific parts of the framework.

  • Limited data and access: In terms of data, public information is restricted to transcripts, video recordings, resolutions and expert discussions with diplomats and legal experts who have, over the years, taken a seat at the table in these UN meetings. This poses practical and analytical challenges for the study of how norms and other parts of the framework have come to be accepted and mainstreamed via UN resolutions. Even though the framework builds on non-cyber references that already provide a foundation for many of the notions of responsibility socialised among member states in the context of the GGE and OEWG – such as international humanitarian law, the Articles on the Responsibility of States for Internationally Wrongful Acts, and the UN Charter – how international law applies to cyberspace, and how other dimensions of the framework reflect specific notions of responsibility, need to be further investigated.

  • A diplomatic sphere: The UN-centrality of the debate on state responsibility in cyberspace means that the debates take place in a space that is often dominated by diplomats, rather than between those who possess the relevant expertise in cybersecurity. It is not often that domestic legislation or national cybersecurity strategies refer back to the “framework” – which is most familiar to diplomats and ministries of foreign affairs, and perhaps to other individual experts who have supported UN delegations from their respective capitals.

This compendium invites readers to reflect on how other examples, expressions and interpretations of responsibility are found beyond the international UN framework. It does so in at least three ways:

  1. Going beyond norms implementation: The UN framework (and the 11 norms therein) is taken as a point of departure, but not as the entire framing or understanding of RCB. So, rather than concentrating on how these norms have been implemented – as other researchers already have – the following chapters consider how other processes can also help illustrate how notions of RCB are deeply engrained, both socially and institutionally.

  2. Recognising that “responsibility” can look quite different from what has been agreed at the international level: Economic, social, regional, geopolitical and even environmental dynamics influence both directly and indirectly the priorities of national governments, including their views on RCB. As each chapter shows, while there can be some consistency in terms of the commitment to the UN norms and framework, there are quite a few other state views that might extend the scope delineated internationally.

  3. Exploring case studies with the aim of providing a practice-based view of how states perceive responsible or irresponsible behaviour: Norms are what states have agreed to “say” that is acceptable or expected in terms of state behaviour, but when faced with a large-scale incident, further insights on what constitutes RCB emerge. This is illustrated in the chapters on Europe and Latin America and the Caribbean (LAC).

About the Compendium

In response to the challenges outlined above, the compendium offers a cross-regional set of views on the narratives underpinning notions of “responsibility” advocated at the national level. The compendium is the outcome of a year-long set of workshops undertaken within the context of the Global Partnership for Responsible Cyber Behaviour (GP-RCB), a RUSI-led initiative founded in 2023, involving more than 70 scholars from different regions, with the purpose of creating a platform for researchers to engage in regionally based and sensitive discussions of what RCB means from their cultural, social and economic perspectives. These discussions have informed the questions, cases and reflections explored in each of the chapters of this compendium. Chapters cover the following regions: Europe, the Indo-Pacific, LAC, the Middle East and Africa, and North America. The compendium reflects a regional breakdown in accordance with the five regions of the GP-RCB. Because of this, the regions covered are far from being exhaustive or indicative of a detailed regional breakdown. Recognising the limitations that this might present for subregional analyses, the compendium nonetheless provides a unique contribution of cross-regional case studies on RCB, with the aim of encouraging more research on regional and contextual interpretations of responsibility in cyberspace.

“Regional”, for the purposes of this project, does not refer to or presume regional cohesiveness, or refer to a “regional” position on RCB per se: rather, it should be seen as an aggregate set of national views (and cases) within a particular geographic region – even though there are case studies covering regional mechanisms in the Indo-Pacific chapter and the Middle East and Africa chapter. As noted by previous researchers, regions are, in and of themselves, highly contested units of analysis, some drawn by linguistic identity and history, others by political agendas.

In aiming to understand debates and factors that might have otherwise been overlooked in international discussions, the compendium makes three important contributions to advancing the study of RCB.

  • It offers a space for reflection about the cultural drivers and gaps in the interpretation of “responsibility” in cyberspace.

  • It offers an analysis of specific cases that provide a practice-driven discussion of behaviours that are perceived as responsible or irresponsible, acceptable or unacceptable, by different governments.

  • It lays out reflections for future research and policy agendas.

Methodology

The research design for the compendium balances inductive and deductive approaches to the study of RCB. In practice, this means that rather than predefining RCB as a concept, researchers spoke to regional experts, organised workshops and reviewed existing literature to identify under-represented cases and perspectives on RCB in the current policy and academic literature.

The chapters address the following guiding questions:

  • Contextual analysis: What are the key elements shaping RCB discourse and practice (for example, values, institutional frameworks, legislative developments, operational considerations)?

  • Case studies: What are some examples of how the country or region in question has grappled with defining RCB? The cases outlined in this compendium include analyses of institutional arrangements, incidents and national cyber crisis responses, which illustrate different interpretations of what responsibility means in practice (for example, means to respond, capacity to recover and institutional accountability).

  • Gaps and learnings: What are the gaps in the discussion that have emerged from research into this topic that merit further investigation?

While the authors vary in the ways that they seek to analyse each of these elements, they all draw on two or three data-gathering methods:

  • Literature review: All chapters draw from official documents, legislation, policies, speeches, and academic and policy papers.

  • Workshops: All chapters are the outcome of 11 workshops (two to three per region) conducted between December 2023 and May 2024. The first regional workshop gathered GP-RCB researchers with the purpose of scoping the key elements associated with RCB for a particular region, and identifying potential case studies. For the second regional workshop, authors invited practitioners to join GP-RCB members in exploring the case studies identified in the first workshop.

  • Unstructured/semi-structured interviews: Some authors used interviews to collect additional views from experts and policymakers from the region who may not have been able to attend the workshops.

Chapters Overview

In Chapter I, Patryk Pawlak focuses on the different pillars that support the views of European countries on RCB – as well as blockers and barriers. The chapter argues that, notwithstanding the diversity of countries in the region, if there is to be a “European approach to RCB”, this must revolve around strengthening the responsibility of different stakeholders within the cyber community, on the one hand, and strengthening the responsibility of external actors in relation to irresponsible behaviour, on the other. Most importantly, the chapter draws on the international relations literature on Responsibility to Protect to propose a typology for Europe’s “common but distributed responsibility”.

In Chapter II, Gatra Priyandita reflects on how countries in the Indo-Pacific view RCB. There are common perspectives in the ways in which Indo-Pacific states perceive “responsible” state behaviour in cyberspace, chief among which are the importance of sovereignty and non-interference. Yet states differ on how these principles apply, with most choosing to adopt a policy of ambiguity and/or silence. The chapter focuses on ASEAN and Pacific Island countries as two key case studies on the differing views and approaches in the region, the former having concentrated on the development of cyber confidence-building measures and the latter on an approach to RCB that is influenced by the region’s specific climate security threats and how these relate to critical infrastructure protection and resilience concerns.

In Chapter III, Mariana Salazar Albornoz analyses the LAC region. The chapter looks at the views of LAC states on RCB through a combination of contextual, legal and case-based analysis. The first part of the chapter focuses on the disparate levels of development and capacities in these states, while the second part reflects on their still-evolving positions on how international law applies to cyberspace. The third part reflects on the lessons learned from large-scale incidents in Costa Rica and Colombia, and how these inform RCB in the region.

Chapter IV looks at cases in the Middle East and Africa. Noran Fouad argues that, despite regional differences, RCB here is driven by several institutions, policies and intra-regional, rather than cross-regional, agreements that focus more on cyber governance than on “norms” per se. The chapter reflects on the AU’s push towards a common position on international law, among other efforts, as an indicator of commitment to RCB. It goes on to analyse an often under-explored case in the Middle East: the Gulf Cooperation Council and its institutional efforts to promote cyber dialogues among members in a region that is fraught with armed conflict and highly skilled cyberthreat actors.

Despite being the “smallest” region, North America encompasses two prominent “cyber powers”: the US and Canada. In Chapter V, Gavin Wilde examines how Canada and the US conceive their own responsible behaviour in cyberspace, rather than how they define it for others (for example, through attribution, sanctions and other “sticks” used to deter malicious cyber activity). The chapter reviews key legislation and institutional developments that have been signalled by both the US and Canada as key competencies for them to be able to “act responsibly”. Given the disproportionate presence of large cybersecurity and big-tech companies in the US, the chapter also gives some consideration to how state responsibility is interdependent with private responsibility.

While this compendium highlights the diversity of approaches, views and experiences of countries regarding what constitutes RCB, it does not seek to be either exhaustive or comparative. Each chapter offers reflections on whether countries in the region have engaged with the concept of RCB and, if not, how they have sought to define it, and provides case studies that can shine a light on often-underexplored countries, sub-regional groupings and incidents.

I. Europe

Patryk Pawlak

Through investigation of different European methods of forging cyber responsibility – regulation, standardisation, deterrence and assistance – this chapter advances the notion that European countries practise a common but distributed responsibility that assigns specific roles within the cyber ecosystem while clearly recognising the importance of all stakeholders. It extends responsibility from states to other actors, making them explicitly part of the solution. Rather than looking at legal interpretations of responsible cyber behaviour (RCB), this contribution investigates various cyber-driven discourses and practices of different stakeholder groups. It identifies five key pillars of RCB, seeing it in terms of a responsibility to shield, refrain, constrain, assist and uphold. In that sense, this chapter also contributes to the existing scholarship on responsibility.

Introduction: Decoding Cyber Responsibility

The European approach to RCB is characterised by a strong focus on the role played by various stakeholder groups – government agencies, the private sector and industry operators – in shaping the overall cyber resilience of a state, society or community. This is usually referred to as a “whole-of-society” and “whole-of-government” approach in developing cyber policies and strategies. Although crucial for effective and inclusive cyber policymaking, such diffused responsibility – in the absence of clearly defined duties and accountability mechanisms among different stakeholders – may lead to a lack of clarity over who is ultimately responsible for successes and failures. The specific rights and obligations of individual stakeholders are often, but not always, clearly defined in laws and regulations. This lack of clarity contributes to accountability gaps that need to be addressed at various levels beyond the state.

The analysis of diverse European responses to cyber incidents confirmed that cyber responsibility is a multidimensional concept that relies on direct and indirect causal links between an actor’s actions and the effects of those actions to better capture the complexities of causality-driven approaches to responsibility. “Material responsibility” explains responsibility by examining the direct causal link between actions and effects. For example, several European governments have assigned responsibility for malicious cyber operations against their critical national infrastructure (CNI) or democratic processes to Russia or China. Another approach is “political responsibility”, whereby actors may be responsible for specific outcomes by belonging to specific cultural or political communities in which they shape the worldview of what is and is not permissible. National public attribution of cyber operations that violate the UN framework of responsible state behaviour and national positions on the application of international law are examples of states signalling what is and is not acceptable in cyberspace. Their decisions to publicly call out behaviour that violates agreed norms – even without pointing a finger at the perpetrator – establish the parameters for what RCB means.

This chapter defines the Europe region rather broadly, including member states of the EU and the European Economic Area (EEA), the UK, and the countries in the Western Balkans, as well as Georgia, Moldova and Ukraine. It does not focus on any specific case study but rather offers signposts for navigating commonalities and differences in European approaches to RCB. Nonetheless, as this chapter demonstrates, much reflection in Europe is shaped by the approaches developed in the EU, through which a web of collaborative frameworks shapes the regulatory and institutional landscape beyond its member states. Given clear differences over what RCB means and the antagonistic relations between Russia and other European countries, this chapter does not reflect the Russian perspective on cyber responsibility. The analysis presented in this chapter builds on the conclusions of two workshops organised as part of the Global Partnership for Responsible Cyber Behaviour – one with researchers and another with policymakers – and policy documents, regulations and statements issued by national governments and EU institutions. The chapter begins by presenting the context that shapes European approaches to RCB. It then discusses different practices of RCB in Europe, and finally, building on this analysis, the chapter concludes with a presentation of pillars of common but distributed responsibility in the European context.

Contextualising European Perspectives

The discussion about RCB in Europe is shaped by several factors that impact the narratives and policies on what it means to “behave responsibly” or “be responsible” in cyberspace. Five elements are particularly relevant in shaping the European context: high levels of connectivity, strong regulatory culture, a significant cyberspace governance footprint, a high level of regional integration, and pressures on the overall security architecture.

High Levels of Connectivity

Countries in Europe are among the best connected in the world. While this makes their digital economies more competitive in global markets, it also creates vulnerabilities and demands for addressing digital risks. Europe’s dependence on internet connectivity and much higher levels of cybersecurity vulnerability compared with countries in Africa or Asia create specific obligations and duties on different categories of stakeholders. Governments are expected to protect their citizens and businesses, and industry is responsible for ensuring the uninterrupted and safe operation of digital services and CNI. Although similar expectations may also apply in other parts of the world, the high level of dependence on connectivity and associated vulnerabilities in Europe have significantly influenced European perspectives on RCB and have fed into regulatory and institutional frameworks.

Strong Regulatory Culture

Many of the commitments and obligations of different stakeholder groups are enshrined in specific regulatory acts and legislation adopted and implemented in the region. The region is characterised by a strong regulatory presence in cyberspace, primarily due to measures adopted by the EU and spread across the region through the EEA and the accession negotiations, as well as through the Council of Europe’s treaty-making activities. Two additional aspects are particularly important in this respect. First, laws and regulations adopted in the EU provide for robust accountability and enforcement mechanisms through the Court of Justice of the EU, the European Commission and the Council of Europe’s European Court of Human Rights. Second, obligations and duties created by EU legislation often apply to foreign entities operating in EU markets, creating an additional layer of responsibility (for example, the Cyber Resilience Act and the Network Information Security (NIS2) Directive).

Significant Cyberspace Governance Footprint

Another important aspect of the European approaches to RCB is that these countries were at the core of the decisions that resulted in the emergence of a complex governance system whereby cyber-related issues are discussed concurrently across different international organisations and institutions. This has occurred primarily through international and regional organisations such as the OECD, the Council of Europe and the EU. This means that European countries were involved in setting the parameters for the current understanding of what constitutes RCB. Consequently, any attempts to revisit the existing legal and policy frameworks are considered as challenging the status quo. In terms of institutions, regional organisations such as the EU, the Council of Europe, the OSCE and – to some extent – NATO are considered cornerstones of regional cooperation. Proposals for new institutions or attempts to concentrate decision-making on cyberspace in other organisations within the UN system can also be interpreted as attempts to shift power structures within the international system.

High Level of Regional Integration

The European region is also one of the most integrated regions of the world, with numerous regional organisations and platforms playing important roles in setting the rules for cyberspace governance. The EU is at the core of this institutional ecosystem. It drives legal and institutional processes among the 27 member states, as well as in other countries through a network of digital and cyber partnerships, such as the EEA, and through the accession process for the countries of the Western Balkans and Eastern Europe. In that sense, the process of European integration has served as a harmonising force. In addition, the Council of Europe, with the European Court of Human Rights, has served as the cornerstone for strengthening the rule of law and protection of human rights online, with several critical judgments setting the standard for the legal framework applicable in cyberspace. The OSCE has set the framework for international security cooperation, particularly by strengthening conflict-prevention mechanisms such as confidence-building measures in cyberspace.

Pressures on Security Architecture

Most recently, the European debate about responsibility has been influenced by the Russian war against Ukraine, which has tested not only the capabilities of European states to defend themselves in the cyber domain but also what they consider to be critical capabilities for strengthening resilience and defence. It has influenced their understanding of the norms of responsible state behaviour in cyberspace and how they should cooperate at the regional and international levels to deter malicious attacks and strengthen the accountability of perpetrators. At the same time, Russia’s invasion of Ukraine and its behaviour in cyberspace have significantly reshaped the existing institutional cooperation structures in Europe. While NATO has accelerated cooperation on cyber defence issues by adopting new doctrines and approaches, cooperation within the OSCE that focused primarily on confidence-building measures and strengthening member states’ capabilities in this respect has suffered a significant blow.

In summary, decades of cooperation among European countries translate into a relatively high level of trust and a strong culture of collaboration, which, despite national differences, often leads to the emergence of common approaches to defining RCB. At the same time, any legal, institutional or political challenges to this common understanding of RCB and the existing institutional and legal order (for example, the proposal for a new UN cybercrime convention) are interpreted by European governments and analysts as contestation that undermines the rules-based international order in cyberspace.

Practising Responsible Cyber Behaviour

The European experience allows us to distinguish at least four major dimensions through which RCB is defined and promoted: regulation, standards, deterrence and assistance.

Regulation

Although not coherently approached across Europe, regulation has become one of the key mechanisms for defining and promoting norms, rules and principles of RCB. Through legislative processes, treaty-making, self-regulation or voluntary norm-making processes, states create concrete duties or incentives for different categories of actors to behave responsibly in cyberspace. This is particularly important in countering arguments about cyberspace as a “wild west” without clearly prescribed rules. Even in the absence of a universal cyber treaty to govern state use of information and communications technologies and the discussions about the application of the existing international law to cyberspace, it can be argued that cyber behaviour is regulated through consumer laws, data protection laws and penal codes. Understanding the impact of regulation is critical. Legally defined responsibilities create specific duties and obligations that impact power relations between actors within the cyber ecosystem: governments over private companies and private companies over their users, among others.

The EU’s role in this respect has been critical, given the size of its market and the fact that many countries in the Eastern Neighbourhood and the Western Balkans are connected to the EU through various institutional mechanisms, with EU membership negotiations the most obvious example. Such regulation often carries extraterritorial implications and therefore reaches beyond the EU’s jurisdiction (for example, the General Data Protection Regulation, GDPR), significantly reducing the risk of regulatory evasion and making the content of the regulation even more significant from an international perspective. Regulation has also become a key instrument for managing the behaviour of multinational corporations and tech companies. The EU has adopted several pieces of legislation addressing different dimensions of behaviour in cyberspace, including the fight against disinformation (Digital Services Act), market concentration and competition (Digital Markets Act), and specific obligations for digital operators of financial services (Digital Operational Resilience Act, DORA).

Standardisation

Another approach adopted across Europe to ensure that actors behave responsibly in cyberspace is through setting standards, which provide the baseline for products and services in cyberspace. Standards offer a benchmark for governments regarding the minimum requirements needed for cyber resilience, ensure that the private sector provides adequate quality products and services, and offer guidance to industry operators in performing their tasks when delivering critical services. European lawmakers, regulators and standardisation bodies such as CEN-CENELEC and the European Telecommunications Standards Institute play a central role in this respect.

Numerous legislative acts adopted by the EU set clear standards for RCB by harmonising different approaches in the 27 member states and candidate countries. The NIS2 Directive sets out common standards for cybersecurity risk-management measures and reporting obligations, adoption of national cybersecurity frameworks, and establishment of competent authorities and single points of contact, among others. The Cyber Resilience Act aims to address the low level of cybersecurity of digital products and services and the insufficient understanding and information for users about the cybersecurity properties of products and services. Guidance on specific topics, such as the cybersecurity of 5G, complements the existing work undertaken by standards bodies, notably within the Service and System Aspects 3 workgroup of the 3rd Generation Partnership Project. Standards of behaviour in cyberspace are also set through regulation and self-regulatory frameworks concerning content moderation by online platforms. Further, the research community has played an important role in providing guidance on implementing the framework of responsible state behaviour, particularly by promoting the development of a common terminology and monitoring of cyber incidents, clarifying principles for implementing the framework of responsible state behaviour, and promoting results-based approaches to cyber capacity-building.

Deterrence

States practise RCB by strengthening their deterrence postures, both in terms of “deterrence by denial” (in other words, strengthening their own cyber resilience) and “deterrence by punishment” (in other words, imposing consequences on states engaging in malicious cyber operations).

In terms of deterrence by denial, being responsible in cyberspace implies putting in place high levels of cybersecurity. Overall, European countries have invested significant resources into strengthening their capabilities to increase the cost (in other words, make it more resource-intensive and expensive) for attackers. This has been achieved through enhancing institutional and human capacities as well as the enabling environment. For instance, legislative acts such as the EU’s Cyber Solidarity Act aim to improve preparedness and response to cybersecurity incidents by testing entities in crucial sectors such as finance, energy and healthcare for potential weaknesses, creating an EU Cybersecurity Reserve consisting of incident response services from private service providers (“trusted providers”), and ensuring mutual assistance during a cybersecurity incident. Despite differences in cybersecurity maturity levels, European countries generally score highly across various cybersecurity indices and have relatively advanced cybercrime legislation, primarily due to the implementation of the Budapest Convention on Cybercrime, to which most European countries are signatories. Advanced cooperation among law enforcement agencies, including through Europol, has also contributed to strengthening deterrence by denial, with several high-profile arrests, botnet takedowns and destruction of dark web markets.

Deterrence by punishment is geared primarily towards influencing the calculus of perpetrators of malicious cyber activities by clearly defining potential consequences. The growing intensity and complexity of malicious cyber activities have strengthened international cooperation in this domain. EU countries have adopted a joint framework for diplomatic response known as the Cyber Diplomacy Toolbox (CDT). The most significant aspect of the CDT’s implementation was the introduction of the horizontal cyber sanctions regime, with targeted sanctions (travel bans and asset freezes) against individuals and entities linked to specific malicious cyber activities. The CDT does not define what constitutes RCB but clearly links potential responses to violations of the UN framework of responsible state behaviour. Statements are also used to signal how states see their own responsibility. In the statement issued following the attacks on Albania, the EU stressed its determination to prevent cyber attacks through enhanced resilience and its commitment to assisting in building up cybersecurity resilience in candidate and other countries, using all available EU tools (see Table 1).

▲ Table 1: References to RCB in Selected Government Statements

Box 1: Examples of Actions Focused on RCB

The Pall Mall Process

In addition to regulation, states have engaged in norms development processes. One example is the Pall Mall Process launched by the UK and France to set the guiding principles and highlight policy options for states, industry and civil society in relation to the development, facilitation, purchase and use of commercially available cyber-intrusion capabilities. Although the signatories recognise that states may have interests in legitimate and responsible development and use of such capabilities, the Pall Mall Process aims to address the challenge of access to commercially available cyber-intrusion capabilities that increases the opportunity for their malicious and irresponsible use.

The 2022 UK National Cyber Strategy

The UK’s 2022 National Cyber Strategy explicitly refers to “responsible cyber power” and clearly prescribes the elements of RCB. The vision expressed in the strategy commits the UK to being “a leading, responsible and democratic cyber power, able to protect and promote its interests in and through cyberspace in support of national goals”. These goals are to:

  • Protect military deployments overseas.

  • Disrupt terrorist groups.

  • Counter sophisticated, stealthy and continuous cyberthreats.

  • Counter state disinformation campaigns.

  • Reduce the threat of external interference in democratic elections.

  • Remove child sexual abuse material from public spaces online.

As a responsible democratic cyber power, the UK is expected to operate in a legal, ethical and responsible way. With that in mind, the National Cyber Force designs its operations in accordance with three core principles: accountability, precision and calibration. Key factors that ensure RCB operations include strict adherence to legal and ethical frameworks, robust oversight and accountability, thorough and established processes for governing operations (including authorisations), and cyber capabilities that can be controlled effectively and that are predictable.

Charter of Trust

Launched by Siemens, the Charter of Trust is a set of 10 principles signed by private sector actors to promote cybersecurity as a critical factor to the success of the digital economy. The Charter includes specific references to responsibility across different stakeholder groups; these include anchoring the responsibility for cybersecurity at the highest governmental and business levels by designating specific ministries and chief information security officers, as well as promoting responsibility throughout the digital supply chain.

As an element of “responsibilising” other states, European governments now issue statements on selected cyber activities – a practice that has gained importance in recent years (see Table 1). These statements are particularly useful for understanding the parameters of RCB. Even when they do not attribute an attack to a specific actor, they usually indicate what the authors consider to be responsible or irresponsible behaviour. The language of these statements has evolved significantly, from vaguer terms in the early days to more specific language in recent years. Their scope has also varied, ranging from calling out attacks aimed at degrading CNI, influencing democratic processes or undermining integrity, security and economic competitiveness, to increasing acts of cyber-enabled theft of intellectual property.

An important and under-analysed aspect is the dilemma that governments face when applying the UN framework of responsible state behaviour not in peacetime but in conflict. The EU did not reference the UN framework in its January 2022 statement on cyber attacks against Ukraine, but, as highlighted in Table 1, it has done so with regard to various peacetime cyber incidents. This suggests that governments struggle to apply the commitments in the UN framework to instances of interstate conflict. States in the region have also become more direct in attributing specific attacks. In a recent case, the UK, supported by allies, identified China and Chinese state-affiliated organisations and individuals as responsible for two malicious cyber campaigns targeting democratic institutions and parliamentarians. Such attributions are an important element in strengthening accountability in cyberspace in peacetime. More importantly, these statements and attributions often demarcate how states collectively signal and refer to “irresponsible behaviour” and “destabilising behaviour” and how they seek to reaffirm the importance of their commitments to the framework.

Assistance

European states also understand their responsibility as providing assistance to strengthen cyber resilience, combat cybercrime and enhance cyber-defence capabilities. Over the years, the EU, the UK, Norway and Switzerland have invested significant resources in cyber capacity-building. These efforts express a collective responsibility for strengthening the overall cyber ecosystem. EU states have led some of the most successful global projects (for example, the Global Action on Cybercrime Extended programme and its later iterations) and launched major initiatives such as the Global Forum on Cyber Expertise.

This approach is reflected in statements issued by the EU. In the case of Albania, the EU committed to “assisting in building up cybersecurity resilience in candidate and other countries, using all available EU tools”. In Ukraine, the EU committed to providing technical assistance to further build Ukraine’s resilience against cyberthreats and hybrid threats. In addition, there has been significant effort to strengthen operational support to partner countries. The EU, for example, has completed two Cyber Rapid Response Teams missions to support Moldova during the country’s presidential election and referendum.

The need for assistance highlights the different roles and responsibilities of the multistakeholder community, particularly the tech companies, industry operators, technical community and civil society. Each has different missions and duties, which they pursue with available tools and resources. For example, companies providing services to governments – such as Microsoft’s support to Albania – have a particular responsibility to ensure that their support empowers and enhances the capacities of their clients in the long term, rather than creating dependencies that might become too costly. They also have the obligation to ensure that the products and services they provide are safe.

Pillars of the Common but Distributed Responsibility in Europe

RCB can be approached as either a past-oriented concept (mostly in the context of legal responsibility and interpretations of state practice) or a future-oriented concept (when certain expectations of behaviour emerge from agreed norms and laws). The latter has been described by some as a new responsibility-based instrument that serves to govern transnational relationships. This understanding of responsibility is suitable in the context of cyber behaviour, where decisions about the content of global obligations, their allocations and potential sanctions are based on constant dialogue and their articulation with multiple stakeholders, especially the private sector.

The dynamic nature of RCB also implies varied understandings of main concepts such as rights-holders (individuals and social groups with particular entitlements) and duty-bearers (state or non-state actors obligated to respect, protect, promote and fulfil the human rights of rights-holders). This dynamism results in multilayered responsibility whereby state and non-state actors bear responsibility for specific aspects of cyber behaviour. The analysis of existing practices and approaches described earlier allows for the differentiation of five key pillars of RCB in Europe.

Responsibility to Shield

Governmental and non-governmental actors within the cyber ecosystem are responsible for providing adequate levels of cybersecurity protection for their citizens, clients, end users and key stakeholders. These responsibilities are inscribed in laws, regulations, contracts and normative frameworks such as those mentioned earlier (for example DSA/DMA, NIS2, GDPR, DORA and the Cyber Resilience Act). They are responsible for the cybersecurity of those who have entrusted them with specific tasks. Therefore, all duty-bearers must take steps and measures that actively protect rights-holders from any adverse effects of cybersecurity incidents.

Responsibility to Refrain

Governmental and non-governmental actors have a responsibility not to undertake any malicious or illegal activity that may cause damage and harm to another country and its citizens. This responsibility is clearly spelled out in the UN framework of responsible state behaviour. Similarly, the private sector has a responsibility to refrain from releasing products and services to the market that have not been adequately tested. Numerous statements issued by the EU and individual states, as well as the self-regulatory approaches by the private sector mentioned earlier, illustrate this principle.

Responsibility to Constrain

When governments decide to use cyber operations against other actors (state or non-state), they have a responsibility to conduct such activities within the limits of existing domestic and international law, as well as norms of responsible state behaviour. Their actions should be guided by principles of proportionality and necessity. This means that states should abstain from cyber activities whose outcomes they cannot anticipate, or which might have a disproportionate impact on their targets. The UK’s definition of responsible cyber power and what it means in practice illustrates this point.

▲ Figure 1: Responsible Cyber Behaviour – Material Responsibility

Responsibility to Assist

European governments have emphasised the importance of technical assistance and cyber capacity-building as a means to support partner countries in strengthening their cyber resilience, fighting cybercrime and developing competence in cyber diplomacy. This commitment is not only expressed through declarations and policy documents such as the ones mentioned earlier but also translates into significant funding for cyber capacity-building initiatives from the EU, the UK, Switzerland, Norway, the Netherlands, France and Germany.

Responsibility to Uphold

Governments also define their responsibility as upholding the rules-based order in cyberspace, particularly the UN framework of responsible state behaviour. This aspect of political responsibility stems from their membership in international organisations and their contribution to shaping the existing international order. European states have confirmed this principle through numerous declarations, such as those mentioned in Table 1.

▲ Figure 2: Responsible Cyber Behaviour – Political Responsibility

Conclusions and Outlook

The analysis of different European policy approaches and practices on RCB leads to several additional observations that will impact the future of these debates.

First, there is a strong focus in Europe on political responsibility, with strong support for the UN framework of responsible state behaviour. Although there is overall agreement on the goals of the framework and a strong sense of responsibility to uphold it, decisions on implementation and choice of instruments are left to each state. This also explains the substantial focus on implementing the framework as part of the responsibility to assist identified by European governments.

Second, the attribution of responsibility remains one of the major issues in the practice of responsibility. Legal attribution is critical in assigning responsibility to states in line with existing international law and state practice. Actions by non-state actors may also be legally attributed to a state if the latter acknowledges and adopts the conduct as its own. However, political responsibility (and political attribution) does not necessarily require direct causation of harms, and decisions about attribution are usually taken based on nationally defined procedures. In the future, it will be important to further clarify and align such criteria at the international level. The multifaceted nature of attribution also raises questions about corresponding types of responsibility; for example, while legal attribution may trigger responsibility rooted in international law, technical attribution prescribes technical responsibility for providing infrastructure to enable malicious actors to conduct cyber operations. Similarly, a state from whose territory attacks originate does not necessarily carry technical or legal responsibility but has political responsibility to act.

Third, while European governments have attached significant attention to the question of attribution, there has been limited discussion about the question of “knowing”, which is central to several norms of responsible state behaviour. This gap needs to be addressed through further research and policy discussions. For example, the norms talk about states not “knowingly” allowing attacks to originate from their territories, but the parameters of “knowing” remain largely undefined. This opens the discussion about the responsibility of individual states to put in place institutions, tools and processes that increase overall situational awareness and contribute to improving the knowledge of states about what happens in their respective networks. This carries concrete implications for other adjacent debates, especially on cyber capacity-building needs and priorities.

Finally, the research and policy community needs to address the challenges of diffused responsibility. While it is true that effective cyber policies require cooperation and involvement of different stakeholder groups (“cyber is a team sport”), additional work is needed to better understand how specific responsibilities are delineated and understood within the multistakeholder community. The lack of clarity on this issue makes drawing the borders of responsibility difficult and ultimately undermines efforts to strengthen accountability in cyberspace.

II. Indo-Pacific

Gatra Priyandita

This chapter explains the similarities and differences between how Indo-Pacific states perceive the concept of “responsible cyber behaviour” (RCB). While RCB is not featured within the cybersecurity lexicon of the Indo-Pacific, regional governments, civil society and industry have articulated their expectations of what it means to be a “responsible” actor. Indo-Pacific states’ cybersecurity strategies and national position papers within the UN and regional architectural processes maintain their commitment to the global framework of responsible state behaviour in cyberspace. Their approach recognises the applicability of customary international law in cyberspace and voluntary commitment to the UN’s 11 norms of responsible state behaviour. But despite common views on the importance of sovereignty as a basis of international relations in cyberspace, Indo-Pacific states have different perceptions of what RCB looks like, including different attitudes on how to respond to irresponsible behaviour.

Introduction

It is unsurprising that Indo-Pacific governments and societies have different ideas of what constitutes RCB. The region comprises over 40 states, including major markets such as India and China, as well as smaller Pacific Island states. The region accounts for nearly half the world’s population and drives about $50 trillion in economic activity. It is also a key arena for US–China strategic competition, with both powers pursuing sometimes-competing goals in multiple domains, including cyber. But the region is also home to regional powers – such as Australia, India, Indonesia, Japan and South Korea – that are actively attempting to assert their own visions for the international order. Meanwhile, state-sponsored cyber actors, such as those in China and North Korea, engage in espionage, intellectual property theft, infrastructure disruption and financial crime. These activities often mirror geopolitical rivalries, as in the India–Pakistan cyber conflict, where Pakistan-based threat actor APT36 targets Indian entities and India’s Patchwork APT conducts espionage in Pakistan. Geopolitical tensions shape cybersecurity dynamics, impacting how states perceive threats and choose to cooperate. For instance, cybersecurity has emerged as an area of cooperation in some minilateral groupings, such as the Quad (Australia, India, Japan and the US) and AUKUS (Australia, the UK and the US), where states move to share information and intelligence regarding state-sponsored cyber operations.

This chapter examines the diverse perspectives from across the Indo-Pacific region on what it means for states to demonstrate RCB. The analysis attempts to capture perspectives from four subregions: Northeast Asia, South Asia, Southeast Asia and Oceania. Given the wide range of states involved, some will inevitably receive more attention than others. Furthermore, there is the additional risk that more “cyber mature” states (for example, Australia, China and Japan) will receive far more attention, given just how developed and well-articulated their positions on responsibility in cyberspace may be. To mitigate this risk, the Australian Strategic Policy Institute (ASPI) organised virtual discussions with experts from across the Indo-Pacific to test regional perspectives on RCB as part of the Global Partnership for Responsible Cyber Behaviour (GP-RCB) regional workstream – also ensuring the participation of experts from a wide range of states. The research for this chapter also specifically engaged with researchers from several jurisdictions – often less represented in discussions on RCB – in order to do an additional deep dive into how their countries of study perceive RCB. Insights from these virtual discussions and additional analyses further inform this chapter, allowing the articulation of perspectives from a wider range of states, rather than those that have been more vocal on these topics, such as Australia, China and Japan.

This chapter argues that a state’s expectations of “responsibility” in cyberspace are shaped by international experiences and the unique national characteristics of individual states, the latter of which are affected by historical experiences, political systems and sources of insecurity. Variation in national experiences shapes how states develop approaches to international security in cyberspace, including over questions concerning attribution, countermeasures and the use of multilateral and minilateral platforms. States also have different experiences in how these rules are enforced domestically; imposing stricter guidelines on the use of information and communications technologies (ICTs) internally may be complicated by inter-service rivalries, poor civilian control over the security and defence apparatus, and/or weak oversight mechanisms.

Across the Indo-Pacific, many states are particularly cautious about the principles of sovereignty and non-interference, shaped by recent experiences in nation- and state-building, especially in South Asia, Southeast Asia and the Pacific Island states. These experiences have created an environment where governments prioritise preventing the misuse of cyberspace by criminals, insurgents and terrorist organisations. In international affairs, these shared experiences have reinforced the importance of multilateralism for addressing issues of peace, security, capacity-building and information sharing. States in these regions are generally more cautious about developing (or even declaring) offensive cyber capabilities (including for countermeasures) – which can be seen as a violation of sovereignty – and publicly or politically attributing cyber attacks to state actors.

In contrast, Australia, Japan, South Korea and New Zealand – cyber-mature states with clearly defined state-based threats to their cyberspace – have articulated national positions which suggest that they are willing to be more assertive in cyberspace, including by publicly attributing attacks. While Japan and South Korea have traditionally been cautious about attributing cyber attacks, particularly due to diplomatic sensitivities, recent shifts indicate a growing recognition of the need for stronger attribution measures, especially in the face of increased threats from state actors such as North Korea and China. Both states are exploring more proactive measures in deterrence and response, demonstrating a different approach from their counterparts in the broader Indo-Pacific region.

The analysis presented in this chapter is informed by content analysis of primary documents (such as cybersecurity strategies and national positions in the UN), as well as virtual discussions and interviews with government officials and the expert community. The chapter has two main sections. The first examines areas of convergence and divergence in national attitudes to the different features that make up how states perceive the international and internal dimensions of responsibility in cyberspace. The second examines two case studies – ASEAN’s adoption of the 11 UN norms of responsible behaviour in cyberspace, and cyber capacity-building in Pacific Island states – to highlight how unique international and domestic considerations inform national attitudes to cyberspace.

Interpreting Responsible Cyber Behaviour

Unpacking the International Dimensions of RCB

This section examines how Indo-Pacific states converge and diverge when interpreting the international dimensions of RCB. This interpretation can be uncovered by examining how states have expressed their preferences and concerns on how states interact with one another in cyberspace. In looking into these debates, this section examines how attitudes towards international law and norms compare between Indo-Pacific states, including the rule of law, multilateralism, sovereignty and cyber capacity-building.

International Law and Norms

As members of the UN General Assembly, all Indo-Pacific states have agreed to the framework of responsible state behaviour in cyberspace. Such frameworks themselves rely on the UN Charter and the associated rules of customary international law, both of which apply to activities in cyberspace. Indo-Pacific states also agree on the application of the 11 UN norms of responsible state behaviour, which guide what states principally can and cannot do in cyberspace. In agreeing to this collective framework, Indo-Pacific states commit to broad sets of actions that constitute state responsibility in cyberspace, including to not use ICTs for malign purposes (such as attacking critical national infrastructure (CNI) during peacetime) and to commit to ensuring secure cyberspace by responding to the misuse of cyberspace domestically by criminals. In 2018, ASEAN became the first (and, thus far, only) regional organisation in the world to formally adopt the 11 UN norms, an initiative that will be further explored in one of this chapter’s case studies. ASEAN also works with regional partners to identify how these norms can be operationalised.

Despite the global consensus on the collective framework in principle, states have different understandings of how international law applies to cyberspace. Among states in the region, only a few – most notably Australia, China, Japan and Singapore – have managed to articulate how it applies in cyberspace. Those that have articulated national positions have done so as a means of either defining the debate or encouraging transparency. For example, Australia has explicitly stated that it has published its views in order to “deepen understandings and set clear expectations”, given that “activities conducted in cyberspace raise new challenges for the application of international law”. Through this effort, states that have articulated their interpretations have gone beyond recommitting to the UN framework by, among other actions, providing technical definitions of key terms (for example, “coercion”, “sovereignty” and “cyber operations”) and/or further articulating positions and/or policies on elements of how international law can be applied to cyberspace, including subjects such as countermeasures, attribution and international humanitarian law.

However, most Indo-Pacific states have not been explicit in articulating how international law should apply. This includes larger states, such as India, Indonesia, South Korea and Vietnam. While reasons for not producing national positions vary, some states may lack the technical capacity (and/or a sense of urgency) to establish positions, an exercise that requires high expertise in the intersections of digital affairs and international law. Ambiguity on national positions can also be strategic, as it allows states to flexibly navigate an international legal environment that is increasingly becoming polarised by strategic competition. In particular, this allows non-aligned states to avoid the impression of leaning too closely towards one state. For example, some states may seek to exploit this ambiguity to prevent spillover into other issues, which may have an impact on their economic and technological relationships with other states.

An ongoing diplomatic issue is the question of whether a distinct international treaty on international security in cyberspace is necessary. While the UN General Assembly has accepted that the existing body of international law can be sufficiently applied to cyberspace in principle, some states have questioned its value in practice and have instead advocated for new rules. The Shanghai Cooperation Organization – whose member states are predominantly Indo-Pacific states – first proposed the creation of an International Code of Conduct for Information Security in 2011 (with a revised draft in 2015). More recently, many Indo-Pacific states supported the creation of an international cybercrime treaty that would consider content-related crimes, including disinformation and copyright infringement (issues that the Budapest Convention on Cybercrime does not specifically cover), and offer more precision in concepts surrounding ICT. Initial discussions that led to the Convention Against Cybercrime received support from many Indo-Pacific states, including China, Cambodia, Indonesia, Malaysia, Pakistan, Thailand and Vietnam, none of which have acceded to the Budapest Convention. Reasons for extending this support likely vary, but some states did so to ensure that the international treaty would be inclusive of the varied perspectives on what constitutes cybercrime and how international cooperation should function. Others saw a distinct international cybercrime treaty as useful to help to harmonise technical definitions and cooperation mechanisms.

Another ongoing diplomatic issue is content security. Internal security concerns shape national approaches to cybersecurity and help to explain why many Indo-Pacific states prefer a cybersecurity policy – or a system of international law – that covers content-related crimes, such as disinformation and online hate. In this chapter’s examination of India, Indonesia and Pakistan, it was found that attitudes towards content security are in part driven by concerns about terrorism. In key policy documents, each of these states has expressed a desire to see strengthened law enforcement and government cooperation to prevent the misuse of cyberspace by terrorist groups. For example, India’s contribution to the 2022 Open-Ended Working Group (OEWG) annual progress report explicitly called for “strengthen[ed] law enforcement cooperation to prevent the use of cyberspace for terrorist purposes”. In other states, such as Cambodia and China, the preference for addressing content-related crimes may also be attributed to regime security. Internal security concerns prompted a preference in several states to see an international cybercrime treaty that covers content-related crimes. However, such attitudes run counter to the preferences of liberal democracies, such as Australia and New Zealand, which fear that the criminalisation of such activities might have a negative effect on the freedom of expression online.

Responding to Cyber-Enabled Threats

Indo-Pacific states adopt varied approaches in reinforcing the principles of international law and the 11 UN norms. Most states opt to use multilateral and bilateral mechanisms to reiterate key principles. This includes incorporating principled commitments (such as those concerning the application of the UN Charter and commitment to providing cyber capacity-building) in cyber agreements. For example, ASEAN member states have responded to cyber-enabled threats by working to operationalise the norms of RCB, including through the publication of a checklist.

Many states also respond to cyber-enabled threats by focusing inward and dedicating resources to building internal resilience against cyber attacks. This means building the capacity to respond to cyber incidents, establishing baseline cybersecurity standards for key entities, and establishing the legal, institutional and regulatory framework for cyber governance. For example, recognising that the country is vulnerable to being exploited by domestic and foreign hackers, the Indonesian government has worked with experts, industry and other stakeholders to improve its capacity to map out the cyberthreat landscape, improve incident response, and introduce needed legislation to protect critical information infrastructure and improve incident reporting requirements.

Diplomacy is also used to fulfil domestic resilience-building needs through advocating for international support and assistance for cyber capacity-building and/or using multilateral, bilateral or minilateral mechanisms for information and intelligence sharing. Cyber capacity-building has emerged as a key priority in diplomatic agendas across the region. For example, the Pacific Island states’ cyber engagement with Australia, New Zealand and European states involves support for capacity-building in operational, legal and policy matters. Australia also supports Pacific Island states by deploying cybersecurity experts to the region to support incident response and cyber resilience-building.

For some states, however, cyber resilience-building is seen as not enough. Australia, Japan, New Zealand and Singapore have explicitly confirmed the applicability of the law of countermeasures to cyber operations to protect CNI. They agree that states may take proportionate action to retaliate against a malign cyber actor, should it induce the actor to comply. Several states have adopted measures such as active cyber defence and/or have adopted offensive cyber capabilities to respond to potential cyberthreats. For example, Australia has adopted a policy of retaliating against malign cyber forces by disrupting and degrading their computer systems. However, some other states, such as Indonesia and Pakistan, have cautioned against countermeasures due to the fear that such efforts might trigger a cyber arms race and risk the further militarisation of cyberspace.

Another means of responding to cyber attacks is through attribution, where states “name and shame” actors (particularly states) that behave irresponsibly in cyberspace. In the Indo-Pacific, several states – including Australia, Japan, South Korea, Malaysia and China – have either technically or politically attributed cyber operations to a state. The majority of Indo-Pacific states have not made any public attributions against states (and even fewer have committed to policies on cyber attribution). There may be several reasons for this. First, cyber attribution requires certain technical capabilities – ranging from digital forensics to language skills – that may not necessarily be available to most states. Second, many states choose not to attribute cyber attacks in order to prevent direct confrontation with other states, especially if they lack the capacity to conduct the necessary forensics to formally attribute. Third, cyber attribution may compel states to respond either with reciprocal cyber measures or through alternative non-cyber actions – steps that some states might be reluctant or unwilling to take.

Multilateralism

Across the Indo-Pacific, states agree on the importance of international cooperation to ensure peace, security and stability. Multilateralism stands as the preferred form of cyber diplomacy for many Indo-Pacific states. Through these channels, states aim to develop common understandings on issues such as cybercrime, data privacy, cybersecurity and the use of cyber capabilities in conflicts. Regional discussions on cyber, such as those that centre on ASEAN, facilitate exchanges of best practices, promote transparency and build trust, thereby ideally contributing to a more stable and secure cyberspace.

There is, however, a shift in turning to other kinds of mechanisms beyond multilateral forums to affirm the global framework on RCB. Increasingly, states are acting in coordination with other states to respond to malicious state cyber attacks, invoking international law. Through the Five Eyes intelligence arrangement, Australia and New Zealand have attributed cyber attacks with the US, the UK and Canada. Japan and South Korea have also issued several joint cyber attributions with other states. In a recent development, some states have jointly presented public statements warning of certain malign state actors in cyberspace; for example, the intelligence chiefs of Australia and New Zealand – again, through the Five Eyes network – have made public statements warning of China’s use of cyber capabilities to irresponsibly secure economic goals. The emergence of smaller groupings as a platform for voicing concerns about issues in cyberspace may stem from growing disillusionment in some states over the limitations of multilateral mechanisms in terms of asserting international law and norms. This has prompted like-minded states to band together over shared security concerns. For example, the Quad arrangement’s growing focus on cybersecurity is, in part, driven by shared concerns about Chinese cyber operations and a desire to strengthen ICT and technological supply chain security. The Five Eyes intelligence network’s decision to call out China’s irresponsible use of cyber capabilities is also an example of more transparent collaboration in response to a shared security concern.

Sovereignty

The political character of the Indo-Pacific region stands as uniquely “Westphalian”, given recent experiences of colonisation and nation- and state-building. Insecurity about internal security challenges has led to a situation whereby governments tend to be more concerned about misuses of cyberspace by criminals, insurgents, terrorist organisations and even opposition groups. As a result, there are strong domestic sensitivities about foreign interference, including in the cyber domain, especially if foreign states are suspected of sponsoring or supporting certain domestic groups.

In light of this, the principle of sovereignty plays a crucial role in shaping attitudes in cyberspace, including how states articulate national positions on what constitutes “responsible” cyber behaviour. For example, Indonesia’s concerns about the global proliferation of offensive cyber capabilities are partly driven by the potential use of these tools for espionage, which can undermine a country’s sovereignty. There is a principled belief across the region that states shall not use cyber tools to violate another country’s sovereignty by intervening in their domestic affairs or using force to undermine physical infrastructure. However, this belief is often not set out clearly in national policy documents; most often, it is only communicated and understood during private correspondence with officials. As such, how exactly the principle of sovereignty applies to cyberspace remains a matter of debate, as few states have clearly articulated their views on what it means not to “violate” another country’s sovereignty.

Table 1: Select Views on Sovereignty. Sources: Australian Government, DFAT, “Annex B: Australian Implementation of Norms of Responsible State Behaviour in Cyberspace”, 2019; Indonesian Ministry of Foreign Affairs, “Statement at the First Substantive Session of the Open-ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security”, 2021; Government of Singapore, “How International Law Applies to the Use of Information and Communications Technologies by States”, OEWG Fourth Substantive Session, 6–10 March 2023; Government of China, “China’s Views on the Application of the Principle of Sovereignty in Cyberspace”, 2021.

In the Indo-Pacific, the debate over sovereignty in cyberspace is most prominently shaped by discussions on “data sovereignty”. For many states in the region, data sovereignty is increasingly intertwined with broader national interests, given the central role of cyberspace in national security, economic stability and societal wellbeing. As a result, Indo-Pacific states tend to adopt a cautious and protective approach towards cyberspace, treating it as an extension of their sovereign territory that requires robust safeguards against external threats. This protective stance manifests in policies designed to assert greater control over digital infrastructure, data flows and digital governance. For example, India, Indonesia and Thailand have pursued data localisation laws and stringent cybersecurity regulations aimed at preventing foreign access to critical data and digital assets. These measures reflect broader concerns about cyber espionage and foreign interference, reinforcing the perception that cyberspace must be governed as a critical domain of state sovereignty.

Capacity-Building

Across the Indo-Pacific, states agree that cyber capacity-building – both receiving and giving support – is a fundamental component of international cooperation in cyberspace. Among more cyber-mature states, such as Japan and Australia, there is a proactive effort to provide support to less cyber-mature states, including by helping local incident response units and collaborating on developing the capabilities of security operations centres. Meanwhile, less cyber-mature states have openly demonstrated the desire to receive cyber capacity-building support as a means of overcoming challenges in cyber governance, incident response and technical understanding. Some states also actively use regional organisations for this purpose: for example, ASEAN member states have underlined the importance of international cooperation and capacity-building to support the implementation of the 11 norms of RCB in the use of ICTs. ASEAN member states can also receive support for cyber capacity-building from one another or from donor states. Such support can be obtained through ASEAN’s immediate dialogue partners and/or by using its extensive network of cyber capacity-building programmes and initiatives, such as the ASEAN Cyber Capacity Program, ADMM (ASEAN Defence Ministers Meeting) Cybersecurity and Information Centre of Excellence, and ASEAN–Japan Cybersecurity Capacity-building Centre.

Some states have called for states to provide cyber capacity-building without political conditions. For example, the research for this chapter revealed that the Cambodian government is against the provision of support for cyber capacity-building that is conditional on changes to the domestic political systems of states. This perspective is based on concerns that Cambodia has been sidelined from receiving certain support due to its authoritarian political system. Meanwhile, Pacific Island states have advocated for more sustainable forms of cyber capacity-building, as such efforts would not only have a positive effect in building local capacity to respond to cyber challenges but would also be potentially more climate-friendly, given that less air travel is needed by experts from donor states.

Unpacking the Internal Dimensions of RCB

Beyond looking into the international dimensions of RCB, this chapter provides a snapshot of how states try to demonstrate responsibility domestically. This exercise involves looking into the kinds of regulations, standards and oversight mechanisms available to states to ensure that they do not irresponsibly use ICTs. Across the Indo-Pacific, many governments have the capability to conduct domestic surveillance. However, in a highly diverse region with a complex make-up of democratic and authoritarian political systems, how states try to demonstrate responsibility is not always clear or straightforward. For example, national intelligence agencies do not always make guidelines on the use of ICTs for domestic or international surveillance publicly available. Moreover, given the expertise required to oversee the use of ICTs by governments, not all parliaments are well equipped to hold the national security apparatus to account on its use of these technologies. In the states examined for this compendium, the laws and specific guidelines governing the state use of ICTs for national security reasons remain under-developed or under-explored. For example, neither Pakistan nor Cambodia maintains specific controls or transparency requirements for purchasing and selling cyber-enabled technologies. While Indonesia has legal and regulatory requirements for procuring surveillance technologies, their enforcement remains unclear. Even Japan, as a cyber-mature country, does not publicly detail how its authorities are restricted in using cyber tools. As a means of committing to certain international commitments, some states abide by clearer sets of guidelines for the sale and use of cyber tools. For example, the Wassenaar Arrangement for conventional weapons commits some Indo-Pacific states – including Australia, India, Japan, South Korea and New Zealand – to limiting the export of technologies that can be used for cyber-enabled attacks. 
Japan also maintains a general principle on the export of weapons and military technology, which limits such exports to friendly states.

More broadly, governments across the Indo-Pacific have attempted to demonstrate RCB by establishing the necessary cybersecurity standards domestically to ensure compliance from various organisations – from industry and universities to government entities. Pacific Island states have looked to the Budapest Convention on Cybercrime as offering the gold standard for cybercrime law. Other states may be inspired by the Convention but have not opted to directly adopt these standards; rather, they have chosen to design domestic cybersecurity standards with local considerations in mind. In some states, such as Japan and Taiwan, industries that produce more technologically advanced products and items of higher intellectual property value are subjected to more stringent cybersecurity measures.

Case Studies

Case Study 1: ASEAN Norms and Institutions

In April 2018, ASEAN leaders met in Singapore and released the ASEAN Leaders’ Statement on Cybersecurity Cooperation. In essence, the statement saw the adoption of the 11 UN norms of responsible state behaviour in cyberspace, as it “recognised” the need for all member states to adopt a “set of common, voluntary and non-binding norms” in order “to enhance trust and confidence in the use of cyberspace”. The Leaders’ Statement also called for further identification of a concrete list of voluntary, practical norms of state behaviour in cyberspace that ASEAN can work towards adopting, taking reference from the 11 UN norms. This agreement further attempts to provide the initial normative foundations for regional cooperation in cyberspace. The decision to adopt the norms undoubtedly reflects the deep economic interests in the value of cyberspace and the security-related concerns held by the mostly emerging cyber powers about the misuse of ICTs by state actors.

First, the Leaders’ Statement reflects the economic lens through which ASEAN member states perceive cyberspace. Despite serious concerns about the threats online, member states recognise the transformative powers of digital technology as a means of bolstering economic growth, addressing economic and social ills, and facilitating speedier public services. Yet, to safeguard peaceful coexistence in cyberspace, officials agreed (at least in principle) that there has to be coordination to share best practices and information on cybersecurity policy, coordinate on incident response, and work to build capacity in less cyber-mature states. On this basis, and with strong advocacy from Singapore, member states agreed that an international normative framework was necessary for guiding state conduct in cyberspace.

Second, the adoption of these norms may also be credited to ASEAN’s desire to play a meaningful role in international discussions on cyber norms. Given that ASEAN provides a major platform for international engagement on security issues and confidence-building measures through both the ASEAN Regional Forum and the East Asia Summit, adopting these norms is meant to be a way to offer ASEAN member states the collective opportunity to highlight how the norms can be operationalised and understood widely, as well as perhaps exported to other parts of the Indo-Pacific region, particularly great powers such as China. The opportunity to articulate what the norms mean operationally would (ideally) allow ASEAN to play a more proactive role in shaping international attitudes in cyberspace. As such, the adoption of these norms is part of ASEAN’s long-standing pursuit of “socialising” major powers in the Indo-Pacific region – this time, by attempting to localise an internationally agreed set of norms.

Given that non-interference is a nearly sacrosanct principle in ASEAN, it is also fundamental to highlight that the voluntary nature of these norms allows member states to commit with some flexibility. It allows states, at the very least, to first rhetorically commit to the norms and eventually work towards internal operationalisation. The principle of non-interference will, nonetheless, be a further hurdle for ASEAN’s capacity to both internationally socialise other states and domestically enforce the norms, adding to structural impediments that include a lack of common legal understanding and an absence of enforcement mechanisms.

Case Study 2: Pacific Island States and “Climate-Friendly” Cyber Capacity-Building

For the purposes of this chapter, the Pacific Island states refer to the 12 independent smaller island states that are wholly located in Melanesia, Polynesia and Micronesia. This subregion – which has an overall population of roughly 12 million – shares common perspectives on how states should behave in cyberspace. Among others, states abide by the application of international law and norms in cyberspace, meet basic cybersecurity standards as outlined by the Budapest Convention on Cybercrime and accept that cyber capacity-building support is necessary to build cyber resilience. There are also distinct threats to the subregion’s cyber ecosystem, in the form of natural disaster-related challenges and the social problems emanating from cyber-enabled crimes. While the latter is not unique to the Pacific, it is a primary source of cyber-enabled threat. Pacific Island governments are increasingly concerned about the social and economic effects of malign cyber activities on their citizens. In this respect, the 2018 Boe Declaration has placed cybersecurity resilience as a priority. In responding to cyber-enabled challenges amid problems with under-resourcing, many Pacific Island states require financial and technical assistance from donor states in combating threats in cyberspace. Because of the existential threat of climate change, Pacific Island states have uniquely stood out in advocating to ensure that all forms of cyber support pay attention to the effects of climate change.

Pacific Island states see an abundance of cyber capacity-building support from donor states (particularly Australia and New Zealand) and through formal multilateral groupings, such as Partners in the Blue Pacific. Despite the abundance of support, concerns over the effects of climate change are influencing attitudes towards cyber policy in several ways. First, they have led to an increasing call for cyber capacity-building support to be sustainable, not only to allow local Pacific Islanders to domestically build cyber capacity but also to ensure that any form of support does not have a further effect on increasing carbon emissions (such as through flights or uses of energy-inefficient technologies). Second, there has also been a call for states to be inclusive when delivering technological or cyber capacity-building support. This particular preference is rooted in growing concerns over the implications of strategic competition in the ICT space, as well as the continuing need to invest in (or receive) ICT infrastructure that is not only inexpensive but also climate-resilient and energy-efficient. Existential concerns over the effects of climate change and the need to meet development goals mean that Pacific Island states perceive RCB in other states to lie in the provision of support that is highly empathetic of their development and security needs.

Conclusion

While no Indo-Pacific state has employed the term “responsible cyber behaviour” as a distinct concept within its diplomatic lexicon, these states do maintain interpretations of what it means for states to be responsible actors in cyberspace. States have committed to the global framework for RCB as a means of demonstrating that they are themselves responsible actors. These international commitments inform Indo-Pacific states of how they expect other states to behave. But underpinning national interpretations of RCB are the unique historical, security and economic contexts of individual states. Attitudes toward sovereignty, multilateralism and capacity-building converge and diverge because of these national differences. How states demonstrate their own “responsibility” domestically also demonstrates these national differences.

Across the Indo-Pacific, national attitudes towards cyberspace are strongly influenced by principles of sovereignty and non-interference, reflecting historical experiences in nation- and state-building, particularly in South Asia, Southeast Asia and the Pacific Island states. These states prioritise protecting their cyberspace from misuse by criminals, insurgents and terrorists, leading to a cautious approach that includes a reluctance to develop or declare offensive cyber capabilities or attribute cyber attacks to state actors. Multilateralism is seen as essential for advancing peace, security, capacity-building and information sharing. In contrast, Australia, Japan, South Korea and New Zealand, driven by clearly identified state-based threats, have adopted more assertive cyber policies. These states are increasingly open to attributing cyber attacks and exploring proactive deterrence measures.

There is also a seeming trend in which more cyber-mature states (such as Australia, China, Japan and Singapore) tend to have more articulated interpretations of RCB. While it is possible to assume that states would articulate their positions more clearly as time goes by, it is also possible that strategic competition in the Indo-Pacific encourages more states to adopt a policy of ambiguity and silence on cyber diplomacy. With the UN OEWG process becoming increasingly polarised into identifiable camps between different forms of “like-minded” states, a community of states seeking to avoid entanglement may choose to continue to avoid articulating clear positions. While this may seem unavoidable, it is possible to focus international cooperation and capacity-building on improving national capabilities to instead defend against cyberthreats. Encouraging states to behave responsibly internally is fundamental to ensuring that they genuinely behave responsibly internationally.

Table 2: Select Indo-Pacific Perspectives on RCB

III. Latin America and the Caribbean

Mariana Salazar Albornoz

States from the Latin America and the Caribbean (LAC) region have actively participated in debates in the UN and other forums on responsible cyber behaviour (RCB) since these debates began more than two decades ago. Nevertheless, the LAC region still lags behind others on developing a common understanding of what constitutes RCB. There are two reasons for this.

First, there is an enormous disparity among LAC states regarding cyber capabilities, readiness and response, a disparity that is inextricably linked to unequal levels of development. The International Telecommunication Union’s (ITU) Global Cybersecurity Index 2024, which compares the legal, technical, organisational, capacity-development and cooperation measures in relation to cybersecurity of 194 states across five tiers, includes only one LAC state (Brazil) in the highest tier (“Role-modelling”) and three LAC states (Ecuador, Mexico and Uruguay) in the second-highest (“Advancing”), while the rest are widely distributed among the third (“Establishing”) and fourth (“Evolving”) tiers, and one (Antigua and Barbuda) is in the fifth and last tier (“Building”).

Second, amid the particular challenges faced by the region, cybersecurity – understood in its broad sense to include cybersecurity, cyber defence and cybercrime, all three of which require state involvement, albeit at different levels – does not yet seem to be among the priorities of many LAC states. The LAC region represents approximately 8% of the world’s population and 7.3% of global gross domestic product, yet figures from 2023 show 27.3% of LAC’s population (172 million people) living in poverty. Added to these inequalities, LAC “is the most violent region of the world, and violence keeps rising”, with “the number of homicides per person … five times higher than North America, and 10 times [higher] than in Asia”, accounting for “one-third of the world’s total deaths by homicide”. Besides social, domestic and political violence, organised crime has been the primary source of violence in LAC since the early 2000s. High levels of inflation, human rights abuses, political instability, insecurity, corruption and ineffective judicial systems are widespread, with many LAC states ranking among the lowest in the World Justice Project’s Rule of Law Index. At the interstate regional level, while LAC does not face the same kinds of geopolitical battles and armed conflicts as other regions of the world, political and diplomatic tensions and ruptures among LAC states have increased significantly in the past few years. Considering these challenges, while LAC countries cite a “thirst for development and sustainability … they are often slow to understand the importance of cybersecurity as a pillar for achieving the sustainable and resilient kind of development they seek amid more pressing agendas”.

This context has meant that many LAC states have not adopted a proactive or preventive approach to cybersecurity. Rather, as signalled by Belisario Contreras, the “key trend” in LAC has been “a reactive approach, where countries strengthen their defences after experiencing attacks”. According to Louise Marie Hurel and Joe Devanny, “it is neither new nor rare for Latin America’s governmental and other sectors to be targeted in cyberspace”, and in fact, “the region faces many of the same cyberthreats as others, ranging from apparently global hackers-for-hire to groups more ostensibly aligned to the interests of specific states with strategic interests in the region”.

In recent years, highly disruptive cyber incidents have significantly affected government information and interests in the LAC region. For example, in 2021 the Guacamaya hacker group extracted 6 TB of confidential military information from the Mexican Secretariat of National Defense, the largest attack of its kind in Mexico’s history, which had the potential to “cause a collapse of institutions”. In 2022, the Conti group carried out a ransomware campaign against several Costa Rican government entities, stealing and leaking over 600 GB of data, leading Costa Rica to declare a state of emergency. Also in 2022, the BlackCat group carried out a ransomware attack against the Colombian government-owned Empresas Públicas de Medellín (EPM), one of the largest public energy, water and gas providers in the country, paralysing its operations and online services. These recent incidents have led some LAC states to significantly strengthen their cybersecurity institutions, policies, legislation and technical capabilities.

The purpose of this chapter is to identify, from emerging LAC states’ narratives and practical experience in recent years, a clearer and more concrete understanding of what constitutes RCB for LAC states. More than interpretations, the chapter seeks to provide tangible examples from which to draw lessons for the understanding of RCB. The analysis presented in this chapter is the result of academic research and two workshops held in early 2024 with the participation of leading academics and practitioners from the LAC region.

The chapter begins with a focus on the participation in and narrative of LAC states in multilateral forums regarding RCB, particularly in the realms of international law and norms. It then focuses on the recent cyber incident response practice of LAC states, with a particular emphasis on the case study countries of Costa Rica and Colombia. The chapter concludes by identifying, from the emerging narrative and practice, 10 lessons learned that form part of the understanding of RCB in LAC. These cover: confidence-building; institutional and legal frameworks; inter-agency collaboration; collaboration with the private sector; international cooperation; communications strategies; the alignment between states’ national measures and positions in multilateral forums; training and capacity-building for government officials; preventive security measures; and digital literacy and human capital development.

Discussions on International Law and Norms in Responsible Cyber Behaviour

Since the addition of information security to the agenda in 1998, UN multilateral discussions on RCB have been carried out through the following:

  • Six Groups of Governmental Experts (GGEs) on Developments in the Field of Information and Telecommunications in the Context of International Security, which convened between 2004 and 2021.

  • One Open-Ended Working Group (OEWG) on Developments in the Field of Information and Telecommunications in the Context of International Security, which convened from 2019 to 2021.

  • One OEWG on the security and use of information and communications technologies (ICTs) created for the period 2021 to 2025, the deliberations of which are currently ongoing.

As noted above, various LAC states have participated actively in these discussions. The 2009–10 GGE’s 15 members included a government expert from Brazil, the 2012–13 GGE’s 15 members included one from Argentina, the 2014–15 GGE’s 20 members were chaired by the Brazilian expert and included experts from Colombia and Mexico, and the 2019–21 GGE, composed of 25 members, was chaired by the Brazilian expert and included two additional experts from Uruguay and Mexico. Various LAC states were also active participants in the discussions of the 2019–21 OEWG and continue to be so in the ongoing discussions of the 2021–25 OEWG.

LAC states have joined the consensus reports recognising that international law is applicable and essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful ICT environment. This was recognised in the 2013, 2015 and 2021 UN GGE reports and in the 2021 OEWG report, and was reaffirmed by the UN General Assembly. These reports called on states to refrain from taking any measures not in accordance with international law. They also concluded that further common understandings needed to be developed on how international law applies to state use of ICTs, which remains the subject of ongoing debates in the UN.

To further elicit discussion on the issue of the extent to which international law is applicable in cyberspace, besides its report, the 2019–21 GGE produced an official compendium of voluntary national contributions from state experts participating in the GGE, focused specifically on the question of how international law applies to the use of ICTs. Despite the fact that experts from three LAC states participated in that GGE, only Brazil submitted its national contribution to the compendium in 2021, becoming the first LAC state to publish its views on the applicability of international law in cyberspace. This submission was coherent with Brazil’s role as chair of the GGE and was included among a wider set of measures adopted by Brazil to consolidate its cyber diplomacy and strengthen its internal cybersecurity governance structures.

The discussion continues in the ongoing 2021–25 OEWG, which has called on states to publish official, comprehensive national positions presenting their interpretation as to how, or the extent to which, international law applies in cyberspace, and two regional organisations, the EU (composed of 27 states) and the AU (composed of 55 states), have done so. Among the 193 UN member states, the number is advancing slowly but steadily, yet many states have still to publish their positions. The number of published comprehensive national positions currently includes only three from the LAC region – Brazil, with the above-mentioned submission of 2021; Costa Rica, which published its national position in 2023, likely as part of the measures adopted to strengthen its cyber capabilities and to enter into international cooperation agreements following the Conti attacks; and Cuba, whose comprehensive national position, published in 2024, was built on frequent verbal statements over the years in the OEWG.

In general terms, and notwithstanding a few differences on specific issues, the positions of Costa Rica and Brazil follow broadly similar lines in their interpretation of the extent to which international law applies in cyberspace. The same may be said for the verbal statements issued by most of the other LAC states, except for Cuba, which seems to stand well apart from the rest of the region on this matter. Table 1 provides a general thematic comparison of the issues contained in the comprehensive national positions published by Brazil, Costa Rica and Cuba.

▲ Table 1: General Thematic Comparison of the National Comprehensive Positions on International Law in Cyberspace of Brazil, Costa Rica and Cuba

As noted above, the reasons for the caution of LAC states about issuing comprehensive national positions have likely been the disparities in cyber capabilities and legal understandings of the topic in the region, added to the low priority given to proactive adoption of cybersecurity frameworks, among other challenges. It may also be the case that this conservative approach represents a strategic political decision by those LAC states to wait and analyse the positions taken by other states, and thus to avoid taking sides unnecessarily in the geopolitical cyber battles of other states in which they are not involved.

The participation of LAC states that have not yet published comprehensive national positions has remained limited to sporadic verbal statements on specific issues in segmented discussions of the OEWG. The frequency of such statements has increased during the past five years. Nonetheless, Maria Pilar Llorens argues that these states face difficulties in adopting a narrative of their own. While, on the one hand, LAC states have called for the development of a distinctly Latin American perspective on the international governance and legal framework of cyberspace, which takes into account, for example, the impact of the cyber capabilities development gap, at the same time, most of their statements rely on narratives and resources produced by states from the Global North and have not brought new, regionally adapted elements to the discussion.

In parallel to the discussions on international law, UN processes have also led, over the decades, to the adoption of 11 voluntary norms for RCB, within the realm of the 2013, 2015 and 2021 GGE reports, with guidance on the interpretation and implementation of the agreed norms. These voluntary, non-binding norms contain general recommendations to states on confidence-building measures, capacity-building and cooperation, with the purpose of reducing risks to international peace and security and contributing to conflict prevention through cyberspace.

At the regional level, efforts within the Organization of American States (OAS) have been undertaken to complement (not duplicate) the UN processes. In 2020, the OAS General Assembly adopted a resolution

reaffirming the applicability of international law to cyberspace and the importance of implementing voluntary, non-binding norms for responsible State behaviour in cyberspace as set forth in the consensus reports of the United Nations Group of Governmental Experts.

The OAS has also contributed to promoting further cybersecurity understanding, transparency and capacity-building in the Americas. The OAS’s Inter-American Committee against Terrorism (Comité Interamericano contra el Terrorismo, or CICTE) has been carrying out its cybersecurity programme for more than 15 years, through which it assists OAS members in the development of cybersecurity capabilities at the technical and public policy levels. Among other endeavours, it assists in the development of national cybersecurity strategies, prepares regional reports and publications, and provides training to public and private officials, as well as students, on cybersecurity and cyber operations. Under this programme, the Network of Government Cyber Incident Response Teams (CSIRTs) of the OAS members, known as the CSIRTAmericas Network, promotes the exchange of information on cybersecurity threats, provides technical assistance to strengthen CSIRT services, and offers training to cybersecurity specialists in the CSIRTs.

Moreover, since 2017, OAS member states have agreed, within CICTE’s Working Group on Cooperation and Confidence-Building Measures in Cyberspace, on 11 confidence-building measures to promote increased cooperation, transparency, predictability and stability among states of the Americas in the use of cyberspace. These include providing information on national cybersecurity policies, identifying a national point of contact at the political level to discuss the implications of hemispheric cyberthreats, strengthening capacity-building and training, exchanging best practices, and fostering multistakeholder dialogue and cooperation.

For its part, the OAS’s Inter-American Juridical Committee (IAJC) started working on international law and cyberspace in 2018, with a view to contributing to further transparency on how American states understand the application of international law to cyberspace. The results of a questionnaire distributed to OAS members were published in an IAJC report in 2020. Among its conclusions, the report reaffirmed the wide disparities among regional states in terms of technical capabilities and legal expertise on the subject, as well as internal institutional challenges, such as a lack of clarity in the assignment of responsibility for cyber issues among the authorities within each state, and a lack of inter-institutional dialogue between internal authorities that could directly or indirectly involve cyber issues. The IAJC organised a training session for OAS member states in 2022 and published another report in that year on the main processes, resources and legal issues involved when discussing the applicability of international law to cyberspace, to serve as a guide to support LAC states in preparing their comprehensive national positions.

These international and regional multilateral discussions on international law and norms are all applicable to cyberspace and are particularly relevant in view of the fact that to date, there is no specific international or regional binding treaty applicable to LAC states that is exclusively dedicated to RCB. Unlike other regions, LAC states are not part of a regional military alliance governed by common, binding norms to respond collectively to cyberthreats. There are only a few specific chapters or clauses on, or related to, cybersecurity in other more general treaties and instruments to which some LAC states are party, such as the examples illustrated in Table 2.

▲ Table 2: Selected Instruments Applicable to LAC States with Sections on Cybersecurity

In light of these examples, a comprehensive normative perspective of what constitutes RCB for LAC must take into account both the dedicated multilateral discussions that are evolving in the UN and the OAS, and the specific provisions on cybersecurity contained in treaties on other issues, such as trade or data protection. As evidenced above, these specific provisions to date focus mainly on strengthening the capabilities of CSIRTs and the international cooperation among them, as well as on adopting security safeguards for data protection.

Recent Cyber Incident Responses by LAC States

Due to the evolving nature of the normative discussions on RCB in the multilateral arena, a correct understanding of what constitutes RCB needs to consider lessons learned from existing state practice. As indicated in previous sections, the LAC region has faced serious challenges in the past few years in relation to cyber incidents. As Hurel notes, “the year 2022 was in many ways a wake-up call for countries in the region and a reminder of both old and emerging threats”. According to Cecilia Tornaghi, the digital transformation in the region following the Covid-19 pandemic, involving considerable innovation in areas such as fintech and e-commerce, “has not been matched by efforts and investments to keep digital systems safe”.

This section examines two serious cyber incidents that affected Costa Rica and Colombia in 2022 and analyses the state responses, as presented by state experts during the workshops held in preparation for this chapter. By incorporating lessons learned from state practice into a normative approach, this section seeks to offer a fuller understanding of what RCB means in practice for the LAC region, as well as how incident responders perceive RCB in moments of large-scale cyber crisis.

Costa Rica

In April 2022, Costa Rica suffered a severe ransomware attack by the Conti and Hive groups, both reportedly based in the Russian Federation. The attack started on 11 April, when the groups gained access to the Ministry of Finance. This soon allowed them to access other government agencies, including the Ministry of Science, Technology and Telecommunications and the National Meteorological Institution. In total, the attack affected 33 institutions in the country. The Conti group demanded $10 million from the Costa Rican government in exchange for not releasing any of the stolen information on the dark web. The government refused to pay, labelling the hackers “terrorist groups”, as a result of which Conti uploaded approximately 672 GB of data from various government agencies to its leak site. The effects of the attack continued for several months until the end of June 2022.

The attack occurred three weeks before the new president of Costa Rica, Rodrigo Chaves, took office. As described in the workshops, this was an institutional challenge in itself for the Costa Rican government, because, as it was the end of an administration, there was no budget left to respond to the attack. On 8 May, the first day of his presidency, Chaves officially declared a state of emergency in Costa Rica, indicating that the attack was unprecedented in the country, had crippled the government’s ability to operate and had affected the national economy, because it disrupted tax collection and exposed citizens’ personal data.

Analysing the government’s response strategy to the attack, as described during the second workshop, the following successes can be identified:

  • Inter-agency cooperation: Incumbent president Carlos Alvarado established a working group in April with the participation of the relevant government agencies.

  • Multistakeholder participation: Contacts were made with the private sector to evaluate, from a multisector perspective, how best to detect and contain the incident. The government received technical assistance from Microsoft.

  • Communications strategy: A communications strategy was adopted: on the first day, political and technical groups were created, and a press release was published; over the next two days, press conferences by ministers were held; on the third day, a message from new Costa Rican president Rodrigo Chaves was issued. From the fourth day, a daily press conference was established, accompanied by a press release and a video from which the media could extract the key messages. A protocol for communications was adopted in order to avoid disinformation.

  • International cooperation: Formal and informal international cooperation with states and computer emergency response teams (CERTs) in other countries was sought. Formal cooperation agreements were signed by Costa Rica with Spain, Estonia and Israel, which proved to be very useful. Israel and Spain, together with the US, helped Costa Rica to restore its services. The country also received donations of money and incident response teams from various countries that were deployed to Costa Rica, in addition to the collaboration of intelligence services (including the FBI and Israeli intelligence). The US has since “announced plans to provide $25 million in assistance to establish a cybersecurity operations centre by 2026”.

  • Sharing best practices: Costa Rica has now shared its best practices with other states to promote the adoption of preventive measures in preparation for a cyber attack.

As a result of these actions, by the second week of the attacks, the detection and containment measures had started to work, and by the third week they were complete. The US State Department offered a $10 million reward for information leading to the identification of persons in a leadership position within Conti. As indicated in the Cyberlaw Toolkit, Hive was eventually shut down in January 2023 following a coordinated effort by Europol and the German, Dutch and US authorities. Multisector communication and cooperation, both among national agencies and internationally, emerge from this case as essential components that shape RCB at the domestic level.

Colombia

In Colombia in December 2022, EPM, one of the largest public energy, water and gas providers in the country, owned by the district of Medellín and providing services to 123 municipalities, suffered a severe BlackCat/ALPHV ransomware attack. The attack also affected AMBITCO, a financial company, and the Universidad Piloto de Colombia, a private university. The attack affected the delivery of water and energy services and electronic payments, and created a loss of confidence in digital environments. For two weeks, these services were totally inoperative, and it took approximately 30 days to recover them. In response to the incident, the Colombian government received assistance from the Spanish multinational private company Indra; however, as stated by a government official during the workshops, help did not arrive until 36 hours after the incident began.

This was not the first serious cyber attack against a state institution in Colombia in 2022. In February, the servers of the Colombian National Food and Drug Surveillance Institute were subject to a cyber attack from BlackByte. The impact of this attack included the blocking of movement of food, medicine and raw materials; logistics cost overruns of 35% to 40%; an increase in food prices; and, as noted by government officials during the workshops, a loss of public confidence in the authorities responsible for vigilance and control.

Despite the seriousness of these cyber incidents, Colombia’s capacity to respond does not seem to have significantly strengthened in their aftermath. A year later, in September 2023, the Ransomhouse hacker group launched a cyber attack against IFX Networks, a cloud service provider, which affected at least 50 Colombian state entities, including the Ministry of Health and Social Protection and the Superior Council of the Judiciary, as well as private entities and the supply chains of technological service providers. The attack also affected authorities in Chile and Panama. In fact, Ransomhouse itself informed Chile’s CSIRT, which in turn informed the relevant Colombian authorities. A total of 300 machines were rendered unusable in the Colombian Ministry of Health, obstructing the provision of critical health services. The attack also affected agricultural services and, as stated by government officials in the workshops, again provoked a loss of confidence in digital environments. The affected systems were completely down for about two weeks, and took around 30 days to recover.

Unlike those of Costa Rica, Colombia’s responses seem to have lacked fluency in terms of inter-agency and international communication and cooperation, and it appears that the country also lacked a wider network of multistakeholder partners to assist the state in ensuring a swifter and more effective response to the incidents.

Lessons Learned

The comparison between the cyber incidents in Costa Rica and Colombia shows the difference that a strengthened and coordinated national response can make in terms of prevention. From the analysis of both cases by the LAC experts who participated in the workshops, the following lessons are drawn:

  1. Confidence-building: Cyber incidents erode society’s trust in institutions. It is essential to continuously implement confidence-building measures in order to counter this effect.

  2. Institutional and legal frameworks: Institutional and legal frameworks for responding to cyber incidents should cover not only public safety threats but also national security threats in the cyber realm, to ensure adequate response against cyber incidents affecting states’ infrastructure.

  3. Inter-agency collaboration mechanisms: Cyber incident responses in the LAC region have evidenced a problem of disarticulation among the various government agencies involved in dealing with cyberthreats within each state, and a lack of formal mechanisms for dialogue and coordination. LAC states should establish long-term inter-agency cooperation and coordination mechanisms for cyber incident response. Participants should include both public safety and national security institutions, as well as national and foreign policy institutions.

  4. Cooperation with the private sector: The private sector is willing and able to help governments in incident response. Collaboration from the tech industry has proven to be key, particularly in view of LAC states’ limited resources. Governments should build and maintain communications channels with the private sector. In turn, companies should ensure that their assistance is provided swiftly and without undue delay.

  5. International cooperation: International cooperation with states and CSIRTs of other countries, particularly from the LAC region, has proven to be highly useful when responding to cyber incidents. As identified by Contreras, a “significant trend is the strength of international collaboration, with Latin American nations actively engaging in global dialogues and partnerships to strengthen cybersecurity measures”. Formal cooperation agreements should be adopted by states to provide a solid framework for the assistance. In addition, informal cooperation channels and personal contacts among cyber authorities and experts of different states are of great help when faced with a cyber incident, and should be encouraged and nurtured through networking meetings, forums and associations.

  6. Communications strategy: Cyber incidents in the region have evidenced that LAC states’ laws and policies lack uniformity on what information must be shared, and with which actors, when responding to a cyber incident. LAC states should put in place strong communications strategies specifically designed to deal with cyber incidents. These strategies should include defining the teams and authorities involved in the response, key messages, an institutional protocol for communications, the ways in which interactions will be carried out with the media, and the spokespersons and measures needed to prevent disinformation. In addition, the strategy should manage public information and statistics, be transparent, and define and show “quick wins” when these are achieved.

  7. Alignment between states’ national measures and positions in multilateral forums: Many LAC states face a dissociation between their discourse at the international level and their incident response at the domestic level. LAC states’ strategies for strengthening their cyber capabilities and frameworks at the domestic level should include positioning their views coherently within UN forums.

  8. Training and capacity-building for government officials: There is a “revolving door” phenomenon whereby the rotation of certain public officers as a result of changes in government administrations results in a loss of knowledge and a lack of continuity of cybersecurity policies. To avoid this, states must ensure continuous training and capacity-building efforts in relation to new teams in charge of cybersecurity policy and cyber incident response.

  9. Preventive security measures: States must always put in place and periodically update security measures in their technological infrastructure in order to control vulnerabilities. Moreover, they should encourage continued investment in cybersecurity infrastructure and technologies, including cloud solutions and security software, to defend against emerging threats.

  10. Digital literacy, human capital development and education: States should continually encourage digital literacy and carry out efforts to bridge the digital divide in their societies. Research shows that “investing in talent and culture around cybersecurity is a foundational step that can drive maturity, resilience and risk reduction over time, benefiting organizations and citizens alike”.

Conclusions

The understanding of what constitutes RCB in the LAC region is complex and evolving. From the normative side, apart from some specific provisions on CSIRT capabilities and international cooperation, and on data protection contained in some trade and data protection treaties to which LAC states are party, there is no international or regional binding treaty specifically devoted to RCB applicable to LAC states. Most LAC states accept the applicability of the voluntary, non-binding norms and measures adopted in multilateral forums for RCB, as well as the applicability of international law in cyberspace. However, only three out of the 33 LAC states have, to date, published national positions on the extent to which international law applies in cyberspace. This low number reflects the wide disparity in technical capabilities and legal preparedness among LAC states.

However, this situation is starting to change. Faced with significant cyber attacks in recent years, LAC states have been forced to shift from a relatively dormant state in terms of cyber incident and response, to an active, hands-on approach in response to specific cyber incidents that have affected them.

The understanding of RCB in LAC is now shaped by important lessons learned. Confidence-building, strong institutional and legal frameworks, effective inter-agency and international collaboration, strong cooperation with the private sector, an effective communications strategy, alignment in national and foreign policy, capacity-building, preventive security measures and digital literacy have emerged as essential components of RCB in the LAC region. While the normative approach advances slowly in the region, the practical approach to RCB seems to be advancing at a much quicker pace. Seen together, both approaches help inform the nascent regional understanding of RCB in the LAC region as a tool for further strengthening cyber capabilities there.

IV. The Middle East and Africa

Noran Fouad

Digitalisation processes have been vastly accelerated in various countries across the Middle East and Africa in recent years. This can be seen in the growing investment in digital infrastructure by governments, telecommunication companies, tech start-ups and world tech giants such as Google, Microsoft and Apple. In several countries in the Middle East, huge investments are being directed to the building of smart cities, growing the digital health market and supporting an expanding e-commerce market that is projected to be worth more than $3.45 billion by 2026.

Similarly, studies show that information and communication technology (ICT) projects in Africa increased from 93 projects worth $3.7 billion in 2003–05 to 464 projects worth $23.5 billion in 2018–20. These developments have largely been accompanied by widening disparities within and across countries, adding a digital layer to socioeconomic inequalities. For instance, most of the growth in mobile internet adoption in the Middle East is in high-income countries (such as the UAE, Kuwait and Saudi Arabia), whereas in lower-income countries, particularly those affected by conflicts (such as Libya, Yemen and Syria), users face low-speed internet and loss of connectivity for long periods. Data also shows that 61% of people living in sub-Saharan Africa live within range of broadband but do not use it, and that Africa as a whole has one of the widest digital gender gaps in the world.

These digitalisation processes have also resulted in a remarkably challenging cyberthreat landscape. For example, according to an IBM report conducted on companies in the UAE and Saudi Arabia, their cost of data breach was the second-highest in the world in 2023, after the US, with an average cost of $8.07 million. African countries are experiencing an alarming increase in the number of cyber incidents, particularly those targeting businesses. For instance, Kenya, one of the leading countries in Africa in terms of access to digital infrastructure, experienced 860 million cyber incidents in 2022 alone, increasing from 7.7 million in 2017. It is thus no surprise that more attention is now being directed towards cyber governance and the need for cooperation to develop regulations, strategies and specialised institutions to address cybersecurity needs in the Middle East and Africa. These efforts have been well documented and analysed by literature and reports in the past few years.

However, one important aspect of cyber governance remains largely under-explored in policy and academic circles: the conceptualisation of, practices relating to, and discussions on “responsibility” in cyberspace in the Middle East and Africa. In most cybersecurity literature, the issue of responsible cyber behaviour (RCB) is discussed in the context of the UN Group of Governmental Experts (GGE) on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security and the Open-Ended Working Group (OEWG) on Developments in the Field of Information and Telecommunications in the Context of International Security. These are platforms in which many countries in the Middle East and Africa are not necessarily active, and they remain primarily dominated by the superpowers. This is not to suggest that there is an absence of discussions on responsibility in these regions; rather, it indicates different prioritisation and conceptualisation of what RCB should entail or address.

Whereas responsibility in Western discourse is more focused on state-launched or state-backed cyber attacks targeting other states, the focus in many countries in the Middle East and Africa is on combating cybercrime by non-state actors as a key challenge facing the digital economy – as shown in this chapter. “State responsibility” may refer to building capacities to detect and mitigate cybercrimes, due diligence or raising awareness. Importantly, in these two regions, many discussions that are relevant to the concept and practice of RCB do not happen on conventional diplomatic platforms, but rather are driven by several institutions, policies and intra-regional (rather than cross-regional) agreements that focus more on cyber governance than on “norms” per se. Further, scrutiny of state behaviour in cyberspace is often pushed forward by civil society organisations, aimed at holding governments accountable as part of a larger framework of respecting human rights and individual freedoms. All such developments take place in challenging geopolitical contexts that may slow progress on reaching agreements on a specific meaning of “responsibility”. The fact that, at the time of writing, more than 45 armed conflicts are taking place in the Middle East and North Africa, while Africa has the second-highest number of armed conflicts of any region in the world, challenges prospects for increasing cooperation within and among countries to develop unified “national” or “regional” perspectives on cybersecurity issues more generally.

Against this background, this chapter seeks to address the aforementioned gap in research and analysis by developing regionally grounded understandings of RCB in practice. This is achieved in two ways: through desk-based research on regional dynamics and countries’ perspectives and responses to evolving cybersecurity challenges, and through targeted workshops with local and international cybersecurity experts focusing on countries in the Middle East and Africa. The chapter reflects and builds on the viewpoints of academics and practitioners in the Middle East and Africa, which were collated in three online workshops run in December 2023 and January 2024 by RUSI’s Global Partnership for Responsible Cyber Behaviour (GP-RCB). The key question on which the discussions in these workshops were based was: what does RCB mean to this region from a practical perspective?

With a regional composition that reflects the GP-RCB’s regional structure, the chapter aims to outline key themes, research areas and questions that will inform future research on countries in the Middle East and Africa. The chapter acknowledges the complex and extensive political and socioeconomic differences between countries in these regions, and highlights the need for separate analysis in future research.

Additionally, the chapter aims to introduce perspectives that go beyond the obvious “big players” in the Middle East and Africa, be they Israel or Iran, Kenya or Nigeria. Although it acknowledges the prominent roles these countries play in digital spaces and their influence on regional cybersecurity discussions, the chapter addresses gaps in the literature and develops the research on RCB by shifting the analysis beyond the major powers. The aim is to create more space for other significant actors who may be under-represented in research and analysis on RCB. Accordingly, in workshop discussions, two important case studies appeared as relevant starting points for analysis: the Gulf Cooperation Council (GCC) and the AU.

The choice of these two case studies was made inductively following the first workshop, in which both organisations were highlighted as significant players in current cybersecurity governance efforts in their respective regions. There are many big players in the Middle East, making it difficult to offer a comprehensive understanding of the entire region, given scope, research design and space limitations. Added to this is the problematic – and inherently contested – concept of the “Middle East” as a “region” as such, which masks differences among countries. The GCC was chosen as a case study due to the status that its countries enjoy in technology leadership, both in the Middle East and around the world. As James Shires argues, “the Middle East” has a different connotation in the world of cybersecurity from that which it has in general international relations literature, with most of the Middle East events and conferences that tackle cybersecurity centred on the GCC countries. The AU, meanwhile, has been playing a major role in cybersecurity governance and digital policy in Africa since the adoption of the AU Convention on Cybersecurity and Personal Data Protection in 2014. Despite the various persistent challenges to developing a “common” position on, or approach to, responsibility in Africa, as discussed later in the chapter, the AU has managed to institutionalise many of its initiatives, which warrants further investigation.

The aim of this chapter, therefore, is to identify areas where understandings of responsibility or (un)acceptable state behaviour have been prominent in existing cyber governance initiatives or state cyber practices; areas where the development of such understandings at the national, bilateral or regional levels is impeded or challenged; and areas where opportunities for advancing responsibility in governing cybersecurity can be realised. The chapter is divided into three sections. The first analyses the peculiarities of RCB in the Middle East and Africa as a dimension of the efforts to govern cybersecurity and cyberspace within complex political and geopolitical contexts. The second and third sections consider the specificities of the two case studies, the GCC and the AU.

Responsible Cyber Behaviour Through a Regional Lens

One of the main conclusions emerging from workshop discussions was that international debates on RCB mostly assume that the key threats to address are those engendered by states or by the most sophisticated cyber actors targeting other countries – a view that does not necessarily reflect perceptions in the Global South. As noted by participants, in many countries in the Middle East and Africa, the question of RCB is primarily triggered by domestic politics – for example, states’ use of cyber tools against citizens, or the abuse of certain technologies. In such cases, it is mostly civil society organisations that trigger conversations on holding states accountable for any abuse of their cyber power. The cyberthreat landscape is slightly different too, with cybercrimes such as business email compromise, ransomware and phishing being seen as the most important in cybersecurity discussions in these regions. As many studies show, unlike advanced economies, emerging economies must develop novel policies and institutions to address cyberthreats, particularly those targeting the financial sector. This poses various policy challenges, given the limited cyber capacities, human capital and financial resources of many such countries.

Looking specifically at Middle East states’ perspectives, RCB appears to be primarily approached in terms of building state capabilities to detect and mitigate cyberthreats. Many countries have been persistently building their cyber capabilities, passing laws aimed at securing internet communications (for example, around 13 Arab countries have enacted some form of cybercrime or computer crime law), and establishing national cyber incident response protocols. The idea of using such capabilities “responsibly” has been largely tied to protecting national security interests. For example, the UAE was one of the first countries in the region to cooperate with allies, including the US and the UK, in order to establish its National Electronic Security Authority and to develop a national cyber strategy. Such efforts specifically linked building the state’s cyber capabilities and intelligence-gathering with defence against terrorism.

The second aspect of responsibility from states’ perspective, as discussed in the Middle East workshop, can be seen in external engagement with partners on cyber governance initiatives. Although the participation of Middle Eastern countries in UN forums such as the GGE has generally been sporadic, and only four countries from the region are signatories to the Budapest Convention on Cybercrime (Israel, Morocco, Tunisia and Turkey), there have been other notable efforts to solidify external engagement and combat cybercrime. In 2010, for instance, the Arab League issued the Arab Convention on Combating Information Technology Offences, with the aim of strengthening cooperation between states to defend against cybercrimes. Egypt has been particularly active in internet governance initiatives and in the World Summit for Information Society (WSIS). Following resolutions issued at the WSIS, the Arab Internet Governance Forum (Arab IGF) was established in 2012 to monitor developments relating to internet governance in the region; it has since hosted various meetings, including in Kuwait in 2012, Algeria in 2013, Beirut in 2014 and 2015, and Cairo in 2020. Similarly, through negotiations with Oman, Saudi Arabia gave funding to the International Telecommunication Union (ITU) to establish the Arab Region Cybersecurity Centre in 2013 in order to enhance regional cooperation. Most recently, the Arab League announced the formation of the Council of Arab Ministers of Cybersecurity, proposed by Saudi Arabia, with Riyadh approved as the headquarters. The Council will have the mission of developing strategies and initiatives to enhance Arab collective efforts on cybersecurity.

Third, information operations have been integral to cybersecurity approaches in the Middle East region. Several information campaigns to influence public opinion or push forward certain narratives have been repeatedly launched by governments, including in Iran, Israel and Saudi Arabia. Further, cybersecurity infrastructure that enables mass surveillance and solidifies government control over information has been widely adopted as part of states’ responsibility to combat “terrorism” and protect national security. This was particularly heightened during the Arab uprising in 2011, when many governments increased their control over cyberspace and broadened their use of digital surveillance tools. Such policies are widely adopted, particularly for monitoring social media. For example, in 2019, the Turkish government accused voices on social media critical of its military operation in Syria of “terrorism” and subjected them to detention, criminal investigations and travel bans. This approach is reflected in cybercrime laws in the region, as many include provisions that limit free speech online. In 2023, for example, Jordan adopted a new – heavily criticised – cybercrime law that increases government control over online content and criminalises posts that promote “immorality”, demonstrate “contempt for religion” or undermine “national unity”. Such practices create an environment of mistrust in government initiatives and impede prospects for stakeholder engagement in developing a coherent national, bilateral or regional approach to RCB.

Prospects for cooperation on cyber governance are further challenged by the complexities of the geopolitical context. The Middle East has been riddled with various geopolitical conflicts and rifts that are persistently reflected in cyberspace. This is particularly true in the case of Iran and its long-standing rivalry with Israel and many Arab countries. Several attacks have been widely attributed to the Iranian government since the targeting of the Saudi company Aramco in 2012. For example, in 2020, Iran was accused of launching a cyber attack on water utility networks in Israel and the UAE, leading to what the media labelled a retaliatory measure from Israel, which allegedly hacked into the Iranian port of Shahid Rajaee, one of the country’s most important logistics hubs, disrupting its operations. Several other carefully calibrated attacks have been launched against Iran, including those by Predatory Sparrow, a hacking group believed to be linked to Israel. The threat that Iran poses to many countries in the region has historically played a major role in Arab–Israeli rapprochement and was one of the driving forces behind the 2020 Abraham Accords, the bilateral agreements on Arab–Israeli normalisation signed by Israel and several countries in the region, including Bahrain, the UAE, Morocco and Sudan. Intra-state conflicts have similarly been spilling into the cyber world, through non-state groups or militias that repeatedly target governments, including Cyber Hezbollah, the Syrian Electronic Army and the Yemen Cyber Army.

The situation is slightly different in Africa, as it is widely believed that many African countries lack the technical capacity to develop sophisticated tools for offensive cyber operations. This comes with a few exceptions, however, including reports about the Moroccan government hacking the phones of Algerian politicians using Pegasus spyware in 2021. What has been extensively reported is states’ use of cyber espionage to target political dissidents, either abroad, such as in operations conducted by the government of Ethiopia, or domestically, as in the case of Uganda. Matters are complicated by the presence of multiple intra-state armed conflicts in the region, including those in Cameroon, Congo, Ethiopia and Mali. Many countries have pushed for responsibility in relation to preventing advanced economies from using offensive cyber tools to target other states. Nigeria, South Africa and Egypt are among those that have voiced concerns about many countries’ growing militarisation of ICTs and stockpiling of vulnerabilities (keeping software and hardware vulnerabilities that are unknown to vendors for future use), and have demanded more transparency in reporting such vulnerabilities.

There are many disparities in technical capacities, political structures and legislative frameworks in African countries that cast a shadow over their ability to coordinate RCB standards. Some, such as Mauritius and Tanzania, stand out as leaders in cybersecurity, through their engagement in cross-border collaborations, investments in ICT infrastructure and active computer emergency response teams. Other countries, however, either do not have sufficient economic or technical capacities to prioritise cybersecurity, or are crippled by political instability and armed conflicts that hinder cybersecurity initiatives. Such disparities make harmonisation of standards and practices of cyber governance a challenge. Added to this are disparities in approaches to external partners, with some countries aligning with Russia and China, and others leaning towards partners in the West. This warrants further research to see how the positions of Middle Eastern and African countries might differ from other countries playing the same manoeuvring strategy between superpowers, for example India and South Korea.

Despite the challenging nature of developing a harmonised regional approach to cyber governance, subregions and subregional organisations have been making progress in coordinating their efforts. These include the Economic Community of West African States (ECOWAS), the East African Community (EAC), the Southern African Development Community (SADC) and the Economic Community of Central African States (ECCAS). The role played by these communities helps in developing frameworks and directives that address the question of responsibility. One notable example was the ruling by the ECOWAS Community Court of Justice that Togo’s decision to shut down the internet amid protests against the government in 2017 was illegal and a breach of citizens’ freedom of expression. The court also ruled that Nigeria’s seven-month Twitter ban in 2021 was illegal and that the government must amend a controversial section in its cybercrime law that is widely believed to harm freedom of expression.

Similarly, some states have been implementing unilateral or bilateral initiatives on cybersecurity cooperation. One example of this is the collaboration between Togo and the UN Economic Commission for Africa (UNECA) to host the first African heads of state Cybersecurity Summit in 2022, which culminated in the Lomé Declaration on cybersecurity. This declaration signified a commitment from more than 27 countries in the region to foster cybersecurity initiatives. Kenya has also been playing a leading role in East Africa to promote and advance cyber governance. Added to this are other non-state and multistakeholder platforms that have been pushing for responsibility issues, including the Africa Internet Governance Forum (AfIGF).

There are numerous capacity-building projects directed towards Africa that experts believe should be geared towards ensuring implementation, accountability and responsibility, rather than the current focus on training alone. The Council of Europe, for example, on the basis of mutual legal assistance treaties (MLATs), is committed to capacity-building in Nigeria and is working with the Ministry of Justice to revise the cybercrime legal framework that has been questioned by the ECOWAS court. This is a subtle approach to demanding accountability where capacity-building is strategically directed at enhancing RCB rather than at trainings alone, which do not contextualise cyber capacity-building to local needs.

Nevertheless, several constraints were outlined in the Africa workshop discussions that limit progress on issues of responsibility in various ways. First, these constraints impede the development of rules, legislation and institutions to address the question of RCB, domestically and regionally. Second, they challenge the formation of coherent, regional cybersecurity positions that would counter the dominant, often Western-centric narratives on cyber norms and RCB. Third, even within each region, it is often difficult to translate regional, multilateral initiatives into national implementation and priorities. These constraints, as well as potential cooperation enablers, are discussed further in the next two sections, with the GCC and the AU as case studies.

The Gulf Cooperation Council

Discussions on and interest in cyber governance have been growing rapidly in the GCC in recent years. Even during a temporary paralysis of cooperation due to a rift between the UAE and Qatar as part of what is often called the “diplomatic crisis” of 2017–21 – initiated mostly after reports indicated that the UAE government had allegedly hacked into the Qatari state news agency – discussions at technical levels continued. Hence, after a long period of inactivity in UN processes and ad hoc committees, most GCC countries are now developing strong national coherence, statements and positions to articulate their cybersecurity approaches. For example, the national cybersecurity authorities in Saudi Arabia and Qatar have international diplomacy departments that have been vocal on cybersecurity issues. Both institutions have also recently signed a Memorandum of Understanding to enhance joint cooperation. This was followed by Qatar announcing the launch of its National Cybersecurity Strategy 2024–2030. Further, there is a growing projection of national cybersecurity capability on the global stage through multiple platforms, including the Global Cybersecurity Forum held in Riyadh and the GISEC Global Conference held in Dubai, in which various global partners participate to share knowledge and know-how on cybersecurity-related issues.

At an organisational level, there have been multiple efforts to institutionalise cybersecurity initiatives and foster cooperation among countries in the region. This can be seen in the establishment of the Permanent Committee and Ministerial Committee for Cybersecurity in the GCC, aimed at enhancing cooperation and developing joint policies and procedures to address cyberthreats. There are also growing efforts at collaboration with other external allies, including the US, the UK and the EU. This can be seen, for example, in the convening of the GCC–US working group specialising in cybersecurity, whose establishment was endorsed in a security-related ministerial workgroup with both sides. The same goes for negotiations between the GCC and the UK on a free-trade agreement, which would have significant implications for fostering security cooperation between the two parties – especially on cybersecurity, a key area in negotiations thus far. Moreover, a recent high-level forum between the GCC and the EU on regional security and cooperation included cybersecurity as one of five key areas of proposed cooperation. This is part of bigger security cooperation initiatives such as the establishment of the Gulf Academy for Strategic and Security Studies as an affiliate of the GCC, based in the UAE, with the goal of providing cybersecurity training to GCC leaders and developing shared understanding on security issues in the region.

Two key issues have been receiving the most attention from GCC countries. The first is the protection of critical national infrastructure (CNI), a response to multiple cyber attacks that targeted CNI sectors in the region, particularly the oil and gas industries. The second is information sharing on social media and the extent to which it challenges state sovereignty. Since 2011, there have been an increasing number of arbitrary arrests and travel bans imposed on critics and activists in the Gulf region, and a growing crackdown on online expression. Governments’ punitive actions in relation to what they label “fake news” as part of their cybercrime laws are likely to remain a divisive issue. This is further complicated by GCC governments’ increasing engagement with problematic private actors, which diminishes the prospect of civil society involvement in defining government responsibility. For example, numerous reports have been published about the use by the governments of Saudi Arabia, the UAE, Bahrain and Oman of Pegasus spyware, developed by Israeli company NSO Group, to target activists. Another prominent case is that of the UAE company, Dark Matter, which recruited former intelligence operatives from the US and Israel to launch espionage operations targeting other governments and human rights activists. As a response, discussions in both the Middle East and Africa workshops emphasised the importance of civil society initiatives, which have been increasingly active in creating fact-checking pages to target misinformation and disinformation on social media platforms, advocating for women’s rights, campaigning to boycott certain private sector companies, and making a general push for legislation in support of human rights and freedom of speech in cyberspace.

As noted in discussions with experts in the GCC workshop, many GCC governments regulate technology markets and invest heavily in technology companies and incubators. Governments are already pushing entrepreneurs to invest some of those funds in securing their software and hardware products. Therefore, the question of responsibility for governments’ direct investment choices is important to explore, given their powerful role. This could be a potential area of collaboration, particularly when such investments are directed towards or received from foreign companies, whether American, Russian, Chinese or from other countries. Such collaboration must, however, take into consideration the substantial differences among GCC countries in terms of cyber capabilities, readiness, diplomatic efforts and general awareness of cybersecurity issues, which result in continuous competition. As outlined at the Middle East workshop discussions, such disparities can be seen, for instance, in the relationship between the GCC countries and global technology companies. Major cloud and social media companies see the region as a very attractive market, but their offerings in terms of infrastructure and R&D vary across countries.

It is important to note too that the prospect of economic cooperation as a driver for more collaborative cybersecurity governance, whether among GCC countries or between the AU and other countries in the Middle East, is complicated by the geopolitical situation. In June 2023, the UAE’s cybersecurity chief said at the Cyber Week Conference in Tel Aviv, “Thank God for the Abraham Accords”. This signified the willingness of the UAE to maximise its cooperation with Israel on cybersecurity matters, predominantly in combating threats from Iran as a common “enemy”. However, the Abraham Accords have since been challenged by the war in Gaza. For example, Saudi Arabia has declared that it will not establish ties with Israel before the latter ends its war in Gaza, nor before an independent Palestinian state is established – how this would affect the state of cybersecurity in the region is a question that remains. The use of high-tech and automated weapons in Gaza, either for targeting or surveillance, will likely have regional and global implications for the conversation on RCB more generally.

The African Union

In recent years, various AU initiatives have demonstrated the significance of cybersecurity in the region’s policy agenda to foster the digital economy and improve internet access and availability. The Digital Transformation Strategy 2020–2030 is a case in point, in which the AU Commission identified cybersecurity, privacy and personal data protection as some of the cross-cutting themes for digital transformation to achieve prosperity and inclusivity. In addition, cyber governance has been approached as fundamental to economic growth and the eradication of poverty, as part of the African Continental Free Trade Agreement. The Policy and Regulation Initiative for Digital Africa, a joint initiative among the AU, the EU and the ITU, is another important initiative that solidifies cooperation and conversations with international partners on RCB. Most recently, the AU’s Convention on Cybersecurity and Personal Data Protection, also known as the Malabo Convention, entered into force in July 2023, signed by only 16 countries, nine years after it was adopted. Although it remains unratified by most AU countries, the Malabo Convention offers a basis for instigating a discussion on RCB, through its reaffirmation of a commitment to international human rights conventions – fundamental in the UN context.

On the issue of state responsibility, the AU has taken a primarily informal and indirect approach, framed around the application of the international law on cyberspace. For instance, in November 2022, the AU’s Peace and Security Council (PSC) acknowledged for the first time the applicability of international law to cyberspace, noting that “the fundamental principles of international humanitarian law are also applicable to cyberspace”. Most recently, in January 2024, the PSC adopted the Common African Position on the Application of International Law to the Use of ICTs in Cyberspace, which stresses respect for the territorial sovereignty of states, the prohibition of the use of force or intervention in states’ affairs, and the obligation to combat malicious conduct in cyberspace by non-state actors.

Securing the digital economy, and particularly fintech, is one of the key areas where common understanding has been developed. For example, 44 countries signed up to the African Continental Free Trade Area in 2018 with the purpose of facilitating digital trade in Africa – including cybersecurity and online safety. Another promising initiative in this regard is the Smart Africa alliance, which includes 39 countries and is aimed at accelerating sustainable development in Africa through the use of ICTs. As noted by participants in the Africa workshop, the alliance has been promoting important projects, including the bulk purchase of wholesale submarine and satellite internet bandwidth, along with several other joint investments. Such initiatives do not reflect a “traditional” UN interpretation of RCB seen through an international peace and security lens, but they are likely to push all governments to engage in reaching a common or shared understanding of how responsibility – when seen through the lens of development in a digital economy that includes security (of data and systems) – can also refer to the responsibility to invest collectively in efforts to secure cross-border connectivity.

In terms of global cooperation, multiple initiatives hold promise, including cooperation with law enforcement agencies in countries of the Global North by sharing information. Initiatives between Interpol and Afripol (the African Union Mechanism for Police Cooperation), which have launched an operation to combat cybercrime in 25 African countries, are an important example. It is important to note here, however, and as highlighted by expert conversations in the workshops, that any cooperation for information sharing with governments in the West should be done within MLATs to make sure that the obligation to share information goes both ways and does not only benefit one side. Such treaties could themselves be used to share best practices among participating states and to foster conversations on RCB.

Experts pointed out a general disconnect between researchers and policymakers in many countries in Africa. This problem is twofold. On one side, there is not enough research-enabling data, particularly regarding government practices, or clear communication of government priorities. On the other, there are not enough calls from governments for researchers to be involved in agenda-setting on cybersecurity issues, due either to a lack of infrastructure or platforms that would help translate research into policymaking processes, or to a lack of desire on the part of governments to listen to researchers on this matter. The participation of civil society in such conversations is also impeded by various issues, including a lack of technical knowledge and funding, and some governments’ perception that any external funding to such organisations could present a national security risk. Many civil society organisations view governments’ reluctance to share information as a form of opposition to stakeholder engagement, which complicates engagement even further.

Importantly, many government practices have set “negative norms” that stifle stakeholder engagement, especially internet shutdowns. Data shows that in 2022 alone, seven African governments shut down their internet nine times, four of which were during political protests. There has also been some targeting of particular social media platforms; this includes Uganda blocking Facebook in advance of a contentious general election, and Nigeria’s ban on Twitter.

Another important challenge to developing shared understanding on RCB is that of the deep disparities among AU countries, whether historical, political or cultural. This is one reason why workshop participants partially believed that it is difficult for the AU to argue that it is speaking on behalf of the entire region or to assume there is a common “African” position on cybersecurity matters. Expert discussions revealed, however, that over the years, some technical and operational teams – for example, CERTs – have managed to foster cooperation through informal information-sharing channels, building elements of trust among themselves even when governments have not been responsive to such efforts. Workshop participants noted that the subregion of Central Africa has an advantage in this regard, as its regulations for digital financial systems, for example, are set by a central regulator. This means that no country can choose not to cooperate.

Conclusion

Drawing general conclusions across two markedly different “regions” is undoubtedly challenging, particularly when attempting to analyse them within a single study. The purpose of this chapter has been to identify key themes and questions for further research that can deepen understanding of how RCB manifests uniquely across regions and countries, rather than to present a definitive overview of RCB in the Middle East and Africa. The approach shifts the focus from “cyber norms”, which are primarily studied within Western-centric frameworks, to looking closely at examples from the Global South, where diverse practices, policies and institutions have been established to enhance cyber governance. Examining such practices provides important insights into how different actors may view (un)acceptable state behaviour in cyberspace, even if the concept of “responsibility” as such is not used. As highlighted in the chapter, regional (and subregional) bodies have an important role to play as enablers for the discussion on RCB – a discussion that they thereby hold on their own terms, focusing on topics such as development, combating cybercrime and protecting CNI, while also addressing important elements of UN commitments, such as international law.

However, as was emphasised in workshop discussions, one reason why many countries in Africa and the Middle East have been reluctant to participate in international norm processes is the institutional perception that the discussion on cyber issues has matured to a degree that any participation in agenda-setting would be considered a late arrival. It is becoming increasingly difficult for many governments to grapple with the speed of innovations and developments in technology, and discussions on responsibility may not, therefore, be seen as a priority. Currently, the political will for cooperation remains primarily focused on issues of peace and stability, rather than on RCB. Although it may seem that lack of resources is a key impediment to achieving progress on cyber governance in relation to responsibility, in many instances, countries have in fact been active on particular platforms on particular issues when such active engagement has been sought, in order to have a bigger impact. This means that at the heart of the problem could be dual issues of political will and of the structure of the incentives to participate.

This chapter has shown that, for many countries in the Middle East, RCB has been approached in terms of building the state’s cyber capabilities to protect national security, combat cybercrime and control the circulation of information online. Prospects for cooperation on cyber governance in the region are challenged by geopolitical rifts and intra-state conflicts. Looking at the GCC as a case study, the protection of CNI and information operations have been of particular importance to states’ cyber governance initiatives. Although the rivalry with Iran was once seen as a potential catalyst for rapprochement between GCC countries and Israel, the ongoing wars in the region complicate this endeavour and raise questions about the legitimacy of using automated weapons for targeting and surveillance as part of military operations – questions that have wider implications for global discussions on cybersecurity and the use of technology in warfare.

Africa has witnessed a particularly active role played by subregional groups, such as ECOWAS, the EAC, the SADC and the ECCAS, in cybercrime legislation and instigating discussions on cyber responsibility. This has been especially focused on fostering the application of international law to cyberspace. Such subregional, rather than continental, forums for cooperation have overcome the challenges of harmonising policies among African countries with deeply rooted disparities, though those disparities have nevertheless impeded the AU’s ability to develop an “African” position on cyber matters.

Future research and analysis should focus on the multiple areas where the roots of cooperation on responsibility in the AU and the GCC can be further developed, bearing in mind the importance of there being sufficient incentives for governments to cooperate. In addition to combating cybercrime and securing the digital economy, workshop discussions concluded that the responsibility of non-state actors is an issue where common understanding among governments could be improved. Several cyber attacks in the Middle East and Africa have been launched by non-state actors. In view of the political and security situation in the two regions, including the wars in Gaza and Lebanon, and military coups against the democratic takeover of governments in Africa, regulating the work of non-state actors and debating their responsibility in cyberspace is a topic that governments are, most likely, open to engaging with. As such, this is an important area for future research.

Disinformation is another area that many governments in the two regions see as a priority in the field of technology governance. There is, therefore, an opportunity to use this topic to engage in multistakeholder conversations on localised approaches to content moderation, for example, that would also get social media companies on board. However, any such discussions should occur through an inclusive policy framework that includes civil society organisations in all state-led cyber governance initiatives, including through regular multistakeholder consultations. This also requires governments to refrain from punishing non-compliance with state-imposed frameworks and conceptualisations of security and privacy, and there must be more inclusion of individual rights in data protection and cybersecurity legislation and strategies.

V. North America

Gavin Wilde

On cyber-related issues, Canada and the US are bound together by a broad range of institutions, values and common practices. Both states are founding members of NATO and part of the Five Eyes intelligence-sharing relationship with the UK, Australia and New Zealand. Forged in the wake of two world wars, these long-standing bonds both underpin and engender overlap in the North American approach to responsible cyber behaviour (RCB). This chapter was written before the start of the second Trump administration and thus does not reflect on policy shifts after December 2024.

However, the two allies diverge somewhat in how they realise RCB, as a product of either moderation or boldness. Fundamentally, Canada perceives responsibility as an extension of self-restraint; the US, by contrast, perceives it as a byproduct of its own positive actions and those of like-minded partners and allies. Bridging this divide and situating these approaches within a broader rubric of UN-agreed principles of RCB will likely require more explicit clarity from North American capitals. Meanwhile, major technology multinationals based in Canada and the US can act both independently of, and in concert with, their home countries, lending them structural and market influence over how “responsibility” is defined.

Diplomatically, the US and Canada have advanced common cause on these issues internationally. Both have had delegations active in past sessions of the UN Group of Governmental Experts and Open-Ended Working Groups, and have worked in concert within the Organization of American States, the OSCE, the G7, ASEAN and others to implement the 11 voluntary, non-binding UN norms agreed by consensus in 2015.

Even among otherwise adversarial states, in times of heightened geopolitical tension, the ability of Canada and the US to make progress towards the establishment of international cyber norms is noteworthy. However, such consensus-based, aspirational documents by design obscure the cultural values, operational considerations and institutional imperatives that tend to prevail at the national level – which sometimes override the aspirational policies and strategies concerning responsibility. In other words, particularly in the ephemeral domain of cyberspace, the so-called “say–do” gap can be wide.

This gap also stems from the tendency to focus on detailing and curbing the objectionable behaviour of other states in cyberspace, while maintaining latitude and ambiguity in one’s own. The US and Canada have historically been vocal in calling out what they see as “unacceptable behaviour” through advisories, public attributions, sanctions, indictments and other punitive measures, although Canada relatively less emphatically. However, this chapter examines how Canada and the US conceive of responsible behaviour beyond an external view of responsibility – that is, the responsibility of “other” states – and reflects on their own part. The disparities between domestic organisational instincts and diplomatic aims abroad are neither new nor exclusive to Canada and the US, but it is through exploring these dynamics that more understanding and progress might be achieved on developing, establishing and implementing RCB norms – both bilaterally and internationally.

Drawing on expert roundtable workshop discussions on both countries held in early 2024, this chapter begins by briefly discussing the evolution of these countries’ strategic cultures on cyber issues, including the pivotal historical inflection points that shaped them. Using journalistic, academic and civil society insights and analyses of these inflection points and major trends in the evolution of North American thinking on cyber writ large, the chapter then characterises the dominant philosophies and entities that manifest each country’s views of RCB. It then briefly touches on the unique and substantial role that the private sector plays in North American concepts of responsibility, and concludes with expert views on how to both clarify and harmonise these concepts with those agreed to under UN auspices.

Canada

Canada broadly conceives of RCB as a byproduct of diplomatic coalition-building and consensus, explicitly grounded in international law and philosophically rooted in states’ restraint. Relative to the US, Canadian officials have only recently adopted a more assertive stance on cyber issues, stemming in part from increasing cyber attacks, as well as from a desire to become more independently capable.

Until well into the previous decade, Canada’s cyber policy focus was primarily defensive – dedicated to protecting government systems from cyber espionage and helping its citizens to avoid becoming victims of cybercrime. From the early to mid-2010s, several events augured a more assertive Canadian stance.

In the aftermath of Edward Snowden’s revelations in 2013, for example, officials concluded that Canada was perhaps too heavily dependent on the US for digital intelligence and should become more independently capable of collecting its own. The following year, for the first time, Canada attributed a major cyber intrusion against its National Research Council to Chinese state-backed actors, elevating the threat of industrial cyber espionage in public discourse. Russian state-linked hack-and-leak operations against the US elections in 2016 and France in 2017 also galvanised policy attention in Canada, and Prime Minister Justin Trudeau’s government later signalled its intent to “assume a more assertive posture in the cyber domain”.

By 2018, the most substantial national security reforms in a generation were working their way through the legislative process. Among the most sweeping changes envisioned were major investments in cybersecurity, and formally empowering the country’s signals intelligence agency, the Communications Security Establishment (CSE), to conduct offensive cyber operations, including “active defence” measures designed “to influence, interfere, degrade or disrupt the capabilities, intentions or activities of an adversary”. The legislation, Bill C-59, also enhanced the CSE’s ability to provide technical support to military and law enforcement agencies. A public-facing arm of the CSE, the Canadian Centre for Cybersecurity, was established to facilitate dialogue and exchange on these issues with businesses and the public. Canadian scholars subsequently explored the implications of this new assertive mandate in an attempt to square it with international law, the correct civil–military balance, and the necessary oversight. Military theorists, meanwhile, worked to develop capabilities and strategy.

In January 2019, Canada created the Rapid Response Mechanism with other G7 countries to exchange insights and threat intelligence in response to cyber attacks. Despite a persistent focus on such multilateral efforts, “Canada appears to have had more success in bilateral and ad hoc initiatives or through working with its traditional security partners” on cyber issues, according to Carleton University professor Stephanie Carvin.

Even where Canada’s “active” cyber operations have been publicly avowed – such as those targeting unspecified foreign extremist or cyber-criminal groups – these more assertive measures are still couched largely in defensive terms. According to a Department of Defence spokesperson, “being assertive doesn’t just mean going on the offensive, but ensuring our networks, systems and applications are well protected. This is where our focus primarily lies”. This has not spared military and national security leaders from periodic criticism, however, to the effect that Canada’s cyber strategy remains “ad hoc”, lagging behind NATO allies, and too reliant on international norm-building to protect Canadian citizens and interests from persistent and growing cyberthreats. As some expert roundtable members and partners also noted, Canada’s strategic culture can be “aggression-averse”, and might reasonably be critiqued as “reactive” to national security threats in cyberspace.

Meanwhile, legislation makes it clear that cyber operations against foreign targets are to be an option of last resort, employed only when alternative tools are insufficient or untimely. In contrast to legislative oversight in the US, such operations fall squarely under the remit of the Cabinet as an executive function. Scholars note that insufficient oversight here may risk violating Canadians’ privacy rights. If conducted by the Canadian Armed Forces, offensive cyber operations are subject to the same strictures as any other use of force, requiring a Cabinet-level decision. Meanwhile, the minister of foreign affairs must accede to foreign cyber operations conducted by the CSE under its recently updated mandate. In strict keeping with international law, these operations cannot cause physical harm or impede traditional government functions such as law enforcement or democratic exercise. However, as Canadian analyst Alex Rudolph writes, “the risk in giving CSE the full capability set and mandate to conduct similar operations, even when tasked by the government, is that much of this will occur with minimal oversight or disclosure to the public”.

Relative to the US, Canada has been more austere in issuing formal attributions for cyber intrusions and attacks, preferring to separate actors from behaviours, in the hope of depoliticising “responsibility”. As some workshop contributors noted, traditional notions of rules and responsibilities (often touted by the US as part of an international order it seeks to lead) are often perceived by smaller, less capable states as jingoistic, absent more content and context. Judging from publicly available insights, Canada’s gradually more assertive posture in cyberspace in recent years has been both austere and cautious, with deference to international law and multilateral progress on building norms.

The US

Driven by both its dominant position as a cyber power and a defence and security culture that prioritises dominance, the US views “responsibility” as a byproduct of state-driven action, rather than of restraint. As it has historically done in other securitised domains, the US considers a preponderance of power to be linked with a duty to define – and enforce – the rules in otherwise ungoverned spaces. In practice, this has largely relegated RCB to diplomatic and theoretical discussions, while a strategy of “persistent engagement” in cyberspace prevails operationally. While concertedly engaged in and supportive of UN and other international frameworks, the US leaves sufficient rhetorical ambiguity in its approach to cyber norms to enable flexibility and assertiveness in cyberspace.

As the birthplace of the internet and arguably the world’s first and foremost “cyber power”, the US has a long track record of theorising about state behaviour in cyberspace, and discussing it in multilateral forums. From the late 1980s through to the late 2000s, the US gradually adopted the view of cyberspace as a domain of competition and conflict, and cybersecurity as a core national security function. The discovery in 2010 of the Stuxnet worm – which the US and Israel had reportedly deployed to disrupt Iran’s nuclear programme – marked an inflection point in how states perceive conflict in cyberspace. It was the first major demonstration that destructive physical effects – rivalling those achievable with kinetic weapons, but with far more deniability – could be delivered digitally in pursuit of geopolitical objectives.

As in other areas of foreign and security policy, the US’s preponderance of technological, economic and military might informed Washington’s approach to governing an ungoverned space. President Barack Obama’s administration issued the country’s first International Strategy for Cyberspace in 2011, considered “the first government document worldwide to focus entirely on the international aspects of cyber issues”. Since then, the US has both engaged and expanded its cyber diplomacy at the UN and elsewhere.

Building on the National Security Agency’s (NSA) already formidable intelligence-gathering capabilities in cyberspace, the world’s first cyber military combatant command, US Cyber Command (USCYBERCOM), was established in 2010. Its preliminary mission was to defend US military networks; beyond that, the command would “respond to cyber attacks under … military authority and would operate under standard rules of engagement. If the command need[ed] to work in a foreign country … it would need the authority of the U.S. combatant commander for that region with approval by the president”.

The ensuing decade proved consequential for how this approach would evolve. Most notably, unauthorised disclosures by Edward Snowden in 2013 sparked global scrutiny of US cyber-enabled espionage. North Korean hackers breached Sony Pictures Studios in California in 2014, prompting a national conversation about the extent to which the American private sector should depend on the US government for protection in cyberspace. In 2015, the White House secured Beijing’s (ultimately brief) restraint from conducting industrial espionage against American companies – including in cyberspace. Russian interference in the 2016 US presidential election gave propaganda and information warfare parity with technical intrusions in terms of cyberthreat perceptions. By that time, Washington had become convinced that a purely defensive posture, centred primarily on military-related networks, would be insufficient. By November 2016, USCYBERCOM had conducted its “most complex offensive cyber operation … to date”, against the Islamic State. As commercial entities and critical infrastructure operators suffered increasingly costly and disruptive cyber attacks in the years that followed, political pressures would grow to increase and enhance these measures.

The shift in philosophy – and thus a more expansive, assertive posture in cyber operations – would be codified in US strategy documents as “persistent engagement” and “defend forward” (PE/DF). These terms encapsulate the notion that the US would aim to neutralise cyberthreats at their source, prior to their manifestation in sensitive networks (publicly or privately operated). Cyber operations would be routinely conducted proactively, in grey, contested or adversary online spaces, “just as the US Navy keeps the peace by sailing the seas, or the US Air Force secures airspace by patrolling the skies”.

Furthermore, operations are not confined to military circles. In recent years, US law enforcement agencies have more aggressively pursued offensive cyber operations – with potential global reach – with an eye to pre-emptively disrupting threats. A range of mature US military, intelligence and criminal investigative authorities are now invoked to conduct offensive cyber operations. However, the mechanisms for deconflicting, formalising and clarifying the exercise of these authorities remain opaque, if not classified. The publicly acknowledged contours of National Security Presidential Memorandum 13 and the Vulnerabilities Equities Process – which broadly outline the inter-agency processes for coordinating military offensive cyber operations and handling the discovery of major software vulnerabilities, respectively – offer some insights. Still, a robust understanding of how officials delineate the limits of US RCB remains elusive. Moreover, some legal scholars have noted that non-military agencies, such as the FBI, have become more assertive in cyberspace – again with potentially global reach – but lack a clear legislative mandate and guidelines for doing so.

Kurt Sanger, former Deputy General Counsel of USCYBERCOM, has been reported as saying that the utility of such capabilities “lies in enabling strategic effect without entitling the adversary to use force in self-defence, coupled with a unique ability to modulate the level of impact in a way that is not possible with kinetic operations”. The operational complexity required to strike this balance is matched by the complexity of doing so while adhering to international law and norms – the principles which the US acknowledges should prevail in cyberspace. Some cyber scholars and military theorists argue that this domain differs from “conventional environments, which poses a challenge to the relevance of these rules”. Indeed, while there is consensus that the law of armed conflict applies in cyberspace in times of war, a patchwork of treaties, case law and customary law leaves room for digital espionage and subversion – some of which, as in the case of elections, states consider escalatory.

It is this uncertainty – and the lack of conceptual clarity around whether cyber operations are an extension of warfare, intelligence or some other mode of statecraft – that raises questions about the degree to which PE/DF theory aligns, in practice, with RCB. However much coherence the concept might lend to Washington’s internal deliberations, it remains hotly debated among cyber conflict scholars whether the approach will actually constrain global competition in cyberspace, rather than intensify it. States may perceive (correctly or not) US PE/DF activities “not as a reasonable response to their own norm-busting behaviour, but as an escalation”, notes cyber scholar Jason Healey. The fact that the pre-eminent US military and intelligence-gathering organisations operating in cyberspace – USCYBERCOM and the NSA – fall under the same “dual-hatted” leadership might also complicate reliable signalling internationally.

Even with the foundation of those rules to which the US has agreed internationally – from the Budapest Convention on Cybercrime in 2001 to the framework of UN-developed cyber norms in 2015 and 2021 – a range of “interpretive questions” likely enable US officials to flexibly pursue PE/DF in a manner they deem responsible. For instance, the US has refrained from concrete stances or definitions on issues such as state sovereignty, countermeasures and non-intervention. The US has (sometimes grudgingly) become more publicly transparent about the policy processes guiding its offensive cyber operations. It is also willing to publicly define adversary behaviours as “irresponsible”. However, this has not translated into a more explicit delineation of what specific types of cyber activity constitute “responsible state behaviour”, and which do not.

Expert contributors at the workshops ultimately assessed that the US has come to both implicitly and explicitly adopt the view that its own responsibility in cyberspace is defined more by commission than by restraint. In other words – with due deference to international law and guided by relevant norms – for those with the capability to act in service of a more secure cyberspace, their foremost responsibility is to do so. As a 2019 joint statement with like-minded states reads, “we will work together on a voluntary basis to hold states accountable when they act contrary to [the UN framework], including by taking measures that are transparent and consistent with international law. There must be consequences for bad behaviour in cyberspace”. In Washington’s view, responsible states must not only refrain from such behaviours, but also work together to punish them. In this regard, US diplomatic signalling on cyber issues has often functioned more as post hoc reprisal than as preventive remedy.

America’s diplomatic focus has, however, grown and progressed rapidly in recent years. In 2022, the US State Department established a standing bureau dedicated to cyberspace and digital policy more broadly – including a Senate-confirmed envoy to lead it, former US Marine Corps officer and technology executive Nathaniel Fick. The bureau’s remit is expansive, from bolstering technological expertise in the ranks to developing and implementing the US’s first International Cyberspace and Digital Policy Strategy. The latter, released in early 2024, sets out an ambitious and expansive agenda to make the digital ecosystem – including the hardware, software and physical infrastructure underpinning it – more secure, trusted and resilient. The strategy explicitly notes that success will be the product of “solidarity” among partnerships and coalitions sharing similar values – an evolution beyond the more “utopian” vision of a singular global internet of previous eras, implicitly acknowledging a more fractured global arena with competing models for development and security. Under this rubric, the Department of State aims to “organize and execute sustained diplomatic pressure campaigns to raise international and public awareness of significant cyberthreats and to increase the costs and risks to malicious cyber actors”, in conjunction with the operational efforts of inter-agency partners.

Insofar as cyberspace remains ill-defined and ungoverned, the US seeks to define by doing, and to govern by superiority. Possessing both significant cyber capabilities and a host of digital dependencies – and with several revisionist adversaries to contend with – the US perceives itself as the pre-eminent cyber power. On the global stage, it considers its role both determinative and indispensable, as much by duty as by licence.

The Role of the Private Sector

In both Canada and the US, there is growing appreciation for the way in which commercial actors are able to shape cyberspace – for good or ill – at a speed, scope and scale that governments acting alone simply cannot match. Since many of the biggest multinational tech companies are based in North America, they enjoy some degree of autonomy in how they perceive and pursue RCB – often as consequentially as states themselves. With the US and Canadian governments and militaries depending on these same companies to develop and maintain technological solutions, both capitals and corporate boardrooms navigate a blurred line between regulatory and voluntary measures.

Particularly since the Sony Pictures hack in 2014 by North Korean state actors, American and Canadian cyber strategists have pondered the degree to which commercial entities should depend on or expect protection from the state in cyberspace. In the interim, new legislative and regulatory initiatives in both countries have been aimed at shifting the onus of security from end users and consumers to developers and suppliers, and to operators of critical national infrastructure (CNI). Where prevention and deterrence have previously been the dominant themes of national strategy documents, these have come instead to emphasise resilience and security, both in supply chains and in the initial design of hardware and software programs.

Particularly in the US – which is among the largest customers for technological goods and services in the world – officials have come to see governmental “purchasing power” as a way to incentivise more robust security in these offerings. As of 2023, both American and Canadian market regulators have cast corporate cybersecurity practices as being somewhat akin to the fiduciary obligations of publicly traded companies toward their shareholders. These steps have come on the heels of a number of recent intrusions into sensitive governmental and corporate systems by Russian and Chinese cyber actors in particular – including some which could be blamed as much on faulty or lax design choices and security protocols as on the sophistication of state-backed hackers. Even so, many commercial stakeholders are quick to point out that increasing concerns about liability and proprietary information can have a chilling effect on proactive tipping and information exchange with government cyber officials (Canada’s C-26 legislation attempts to assuage such confidentiality concerns).

Meanwhile, both North American countries view domestic and international standards-setting organisations as key to enhancing cybersecurity more broadly, and to ensuring open, interoperable internet protocols. These include the US Commerce Department’s National Institute of Standards and Technology, as well as voluntary multilateral entities such as the International Organization for Standardization, the Internet Corporation for Assigned Names and Numbers, the Internet Engineering Task Force, the International Telecommunication Union and the Institute of Electrical and Electronics Engineers.

The North America-based tech sector, in partnership with civil society, has similarly arrayed itself to lead against irresponsible behaviours in cyberspace. This positions these non-governmental, commercial actors to play a substantial role in defining “responsibility” on the international stage, whether through the very initial design of their widely used products, through advocacy and awareness campaigns, or through alignment with the national security interests of their predominantly Western, liberal democratic host states and user bases. For instance, initiatives such as the Charter of Trust, the Paris Call for Trust and Security in Cyberspace, the Cybersecurity Tech Accord and the Global Cyber Alliance aim to forge consensus and galvanise private sector action against cyberthreats – in addition to and beyond that which governments can achieve alone. Many of these same commercial entities have also joined government-led initiatives such as the international Counter Ransomware Initiative of President Joe Biden’s administration, and have joined the US and Canada as signatories to the UK-led Pall Mall Declaration against the proliferation of commercial spyware.

Even so, workshop participants noted that the “private sector” is not a monolith – hence a recognition of the need not just for symbolic declarations about making cyberspace safe for everyone, but also for institutionalising the rubric that “those with the most capability must shoulder the most responsibility”, particularly when it involves CNI and key resources.

This patchwork of voluntary, collaborative and enforced cybersecurity measures is aimed at pushing the boundaries of private and commercial capacity to withstand illicit state activity. Even so, North American leaders have retained a clear monopoly on certain kinds of operations. For instance, commentators and officials have periodically proposed – while legislators have ultimately resisted – calls to relax restrictions on otherwise illegal vigilantism by private citizens or commercial actors. Canada and the US appear to have concluded that such “hack-back” or “deputisation” proposals ultimately entail more escalatory and normative risks than they do benefits to global cybersecurity. Meanwhile, the more recent proliferation of so-called “hacktivists” amid Russia’s war in Ukraine – as well as the influx of Western commercial support to Kyiv – has reinvigorated debates about states’ responsibility for hackers operating in their territory, as well as about what behaviours might qualify an individual citizen or corporation as a “combatant” in cyberspace during wartime.

Clarifying “Responsibility”

Expert roundtable participants broadly agreed that North American leaders are likely to maintain some ambiguity in their definition of “responsibility” in cyberspace. This lack of clarity will limit the efficacy of international norms. In the US in particular, more explicit clarity about how the PE/DF strategy is intended to align with the principles of RCB may be necessary. As operations conducted under this rubric are often cast as norm-building exercises, more can be done to clearly distinguish them from the types of irresponsible – as opposed to merely objectionable – cyber activities of adversaries.

Meanwhile, with the barriers to entry lower than ever for non-state and commercial actors to engage in cyber operations, the margins for third-party contractors and commercial proxies will only widen. Hence more explicit delineation may be needed, as North America is a leading target of state-backed cyber operations. Expert roundtable participants Richard Harknett and John Bruce (American and Canadian scholars, respectively) thus propose that North American leaders draw on a schema of “awful, (un)lawful, and (ir)responsible” when assessing or addressing state behaviours in cyberspace – including their own. These criteria could encompass a broader range of activities conducted using ICTs, including information operations on social media, non-state hacktivism and illicit surveillance.

These are areas where additional research and policy recommendations will be necessary to guide state activities, set public expectations and signal to allies, partners and adversaries, particularly as cloud-based exploitation and pre-positioning – which have gained salience as US officials have addressed the presence of Russian spies moving laterally within cloud services, and the problem of Chinese malware in US critical infrastructure – fit within this rubric. Such specificity will help to solidify international norms, harmonise threat perceptions and justify response measures, even as the threat environment evolves.

Ultimately, the approaches to RCB of the US and Canada are consequential in their own right – the former as the putatively dominant cyber power, the latter as a close ally, and both as part of major transatlantic institutions such as NATO and the Five Eyes. To bridge gaps within and beyond the North American region, workshop participants therefore recommended a more harmonised approach to digital privacy, a focus on anti-trust measures to yield more cybersecurity from market competition, and increased “safe harbour” measures to elicit good-faith efforts from private industry.

Conclusions

Louise Marie Hurel

As this compendium has demonstrated, there is a diversity of approaches, views and experiences that reflect how different states see responsible cyber behaviour (RCB). The compendium does not seek to be exhaustive; rather, it offers region-based reflections on how states have engaged with RCB as a concept. Case studies in this publication offer concrete examples of how incidents, institutions and policies can help us investigate RCB beyond the UN framework. The case studies identify unique characteristics defining RCB contextually, in terms of development, climate, content control, business development and offensive cyber capabilities, among others. Altogether, the compendium provides a complex yet enriching future agenda for research on RCB at the intersection between the international, domestic and operational notions of responsibility. The compendium makes at least two important contributions to the advancement of the study of responsibility in cyberspace:

  1. It explores perspectives that have been overlooked in international discussions, by reflecting on the cultural drivers and gaps in the interpretation of “responsibility” in cyberspace. For example, the Indo-Pacific region emphasises sustainable and inclusive capacity-building, and how cyber capacity-building (CCB) should consider the context of climate change. In the Middle East and Africa, on the other hand, it seems that responsibility is much more closely tied to combating cybercrime by non-state actors, the role of civil society in holding governments accountable, and concerns with development.

  2. The compendium offers a practice-driven discussion of behaviours perceived as responsible or irresponsible, acceptable or unacceptable, by different governments. For example, European states emphasise political responsibility and public attributions to strengthen accountability, while North American countries, particularly the US, adopt a strategy of “persistent engagement” and “defend forward” to neutralise cyberthreats at their source, in addition to public or joint attributions.

Enacting Responsible Cyber Behaviour

As this compendium shows, RCB can be demonstrated in different ways. Despite regional differences, the compendium highlights some key methods through which states have sought to enact, showcase or indicate what RCB is, domestically and regionally:

  • Institutions: It is clear from the case studies that institutional development can be seen as a country’s attempt to confer certain roles and responsibilities regarding cyber security onto a specific body (new or existing). This does not presumptively mean that a state is considered a responsible actor merely by the fact that it has, for example, cyber security authorities or bodies in charge of conducting defensive or offensive cyber operations. Rather, it illustrates that, for some regions, the move to include cyber security as part of a specific institutional design might signal states’ collective commitment to addressing RCB as part of their agenda.

  • Laws and regulations: As a key instrument of statecraft, laws and regulations are the bedrock of RCB enactment. They determine the roles and responsibilities for governmental and non-governmental entities working on cyber issues, and they set standards and requirements for baseline cyber security domestically, among other things. For example, the AU’s Malabo Convention serves as a basis for instigating discussions on RCB, reaffirming commitments to international human rights conventions.

  • Speeches and official statements: States frequently issue statements to signal what they perceive as acceptable and unacceptable behaviour. As the Europe chapter shows most thoroughly (and as is also observable in other chapters), public attribution and joint statements are some of the activities that states undertake to call out malicious cyber activity originating from or associated with another state.

  • Cooperation agreements: RCB is also enacted through bilateral and cross-regional agreements and cooperation on CCB. ASEAN’s adoption of the UN norms to enhance trust and confidence in cyberspace, and the AU’s common position on the applicability of international law in cyberspace, exemplify regional cooperation in establishing common standards and perceptions for RCB, as well as joint commitments.

Drivers of Responsible Cyber Behaviour

There are other factors that might drive a state to use these tools to consolidate and/or project RCB. The compendium touches on the following drivers:

  • Climate change concerns: The Indo-Pacific region’s emphasis on sustainable capacity-building reflects the intersection of cyber security with environmental and climate security priorities. Because of their immediate exposure to climate change, Pacific Island countries have advocated for more sustainable cyber capacity-building efforts, pushing donors to be more empathetic about their development and security needs.

  • Existing geopolitical tensions: Geopolitical rivalries across most of the regions surveyed have been a key driver of the creation of like-minded or minilateral environments for RCB discussions. In the cases of India and Pakistan, cyberspace targeting follows offline tensions – as with many other countries. European countries, the US, Canada and other “allies” have seen joint attributions as a main way of framing who the key threat actors are, and to which countries or regions they are linked. For others, mere proximity to major cyber powers – as in the cases of Indo-Pacific countries in relation to China – can have the opposite effect, with geopolitical tensions making countries more cautious and reluctant to attribute.

  • The capacity to name and shame: European states’ practice of public attributions serves as a mechanism for indicating what states view as irresponsible and unacceptable behaviour, and for shaming malicious cyber actors. It remains an open question whether malicious cyber activity can be deterred through public attributions, but the practice is effective in cases where states are seeking to highlight a lack of accountability from other states. While this compendium features mostly public attributions, the capacity to conduct technical non-public attribution is another key aspect of a state’s domestic responsibility to know about and act on information regarding malicious cyber activity originating in its territory.

  • Pressure to respond to large-scale incidents: Driven by the need to address significant cyberthreats, Latin American and Caribbean states have shifted from a largely reactive to a proactive response to cyber incidents. Cyber incidents in Costa Rica and Colombia have shown how large-scale incidents, especially ransomware, have propelled states in the region to strengthen their posture in relation to domestic and operational responsibility, through passing legislation, developing proposals for national cyber-security agencies, and CCB.

  • Developing and maturing a national position on RCB: The case studies in this compendium show a range of ways in which states have matured their views on RCB. Canada’s evolution from a defensive to a more assertive cyber policy highlights the importance of developing a clear national stance on cyber issues domestically. More traditionally, one of the key ways of signalling RCB is through the publication of national positions or statements on the applicability of international law in cyberspace.

  • Business and sustainable development continuity: Securing the digital economy, particularly in Africa, underscores the role of cyber security in supporting economic stability and growth. This is a much under-represented dimension of RCB, yet a cross-cutting one in relation to countries in regions including the Asia-Pacific, LAC and the Middle East.

  • Controlling the information space: The intersections between RCB and information flows are clear from a variety of state behaviours. These range from Middle Eastern states’ use of cyber-intrusive tools to Indo-Pacific states’ support of content-related crimes such as disinformation and online hate, to European countries seeking to develop standards of behaviour in cyberspace through regulatory approaches to online platforms’ content moderation. On the one hand sits the need to control information, while on the other is the need to ensure that online platforms are more accountable and transparent.

Key Reflections and the Future Agenda for Responsible Cyber Behaviour

  • While all UN member states have agreed to the RCB framework, connecting it to the domestic level remains a challenge. This is particularly the case with the development of national positions on how international law applies to cyberspace.

  • Rather than seeking one definition, the research and debate about RCB can be richly investigated through a more culturally sensitive understanding of the drivers and means through which states seek to consolidate and project notions of responsibility. In some ways, this compendium shows that despite international commitments (and questions concerning their adequate observance), “responsibility” is what states make of it domestically and how they negotiate it, relationally and interdependently, with other states – that is, at the UN or through joint statements (for example, on international law or joint attributions).

  • The compendium underscores the importance of understanding regional perspectives and practices in shaping global norms and expectations. By recognising the unique contexts and priorities of different regions – as well as not taking regions as coherent, cohesive or monolithic units of analysis – it contributes to a more nuanced and comprehensive understanding of RCB on a global scale.

  • The role of silence or non-public statements remains under-studied. Publishing statements can be framed as an accountability and transparency measure for states. However, there are multiple reasons why states decide not to be more public about their views on RCB. These can be linked to a lack of capacity (human or economic) to produce documents such as national cyber-security strategies, a lack of political prioritisation and funding, a less public approach to cyber attribution and deterrence (for example, rapprochement), or a broader political strategy of not publicly disclosing thresholds for certain types of cyber operations or activities.

  • Additionally, while RCB is a term that encompasses responsibility beyond governments, the compendium reflects a cross-regional structure and thus a still somewhat state-centric view of responsibility. Future research on RCB should also consider what the term means for private companies working in cyber security, reflecting on how existing international commitments from these companies concerning corporate social responsibility practices and/or joint statements (from business associations) and initiatives (for example, Tech Accord) illustrate how companies – and non-state actors more broadly – have sought to signal and engage in RCB.


Louise Marie Hurel is a Research Fellow in RUSI’s Cyber and Tech research team. Her research interests include incident response, cyber capacity-building, cyber diplomacy and non-governmental actors’ engagement in cyber security.

Patryk Pawlak is a Part-Time Professor at the Robert Schuman Centre for Advanced Studies at the European University Institute in Florence and a Visiting Scholar at Carnegie Europe. Since December 2023, he has been the Project Director for the Global Initiative on the Future of the Internet (GIFI) – a two-year project funded by the European Union to promote the Open Internet and the Declaration for the Future of the Internet (DFI).

Gatra Priyandita is a Senior Analyst at the Australian Strategic Policy Institute, working on cyber diplomacy and the geopolitics of technology and cyber. He is also currently a Visiting Fellow at the Australian National University’s (ANU) Coral Bell School of Asia-Pacific Affairs. He holds a PhD in Political Science from the ANU.

Mariana Salazar Albornoz is a Professor of International Law, International Humanitarian Law and International Criminal Law at Universidad Iberoamericana in Mexico City.

Noran Fouad is a Senior Lecturer in Digital Politics at Manchester Metropolitan University and an Associate Fellow at RUSI. Her research explores the intersections of technology, security and governance, with a particular focus on cyber security. Her areas of interest include critical approaches to cyber security in international relations, the global politics of cyber security, the inequalities and injustices engendered by cyber policies, and the intersection of cyber security with biosecurity.

Gavin Wilde is a Senior Fellow in the Technology and International Affairs programme at the Carnegie Endowment for International Peace, and an Adjunct Professor at the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University. He previously served as Director for Russia, Baltic and Caucasus Affairs at the US National Security Council, and for more than a decade as a Senior Analyst at the National Security Agency.
