The Republic of Agora

Responsible Cyber Behaviour


New Ways to Frame Responsible Cyber Behaviour Beyond the UN

Louise Marie Hurel | 2025.05.13

Understanding responsible cyber behaviour requires consideration of cultural values, regional alliances and domestic factors. This paper provides a wider conceptual lens, looking beyond the UN debate and, to some degree, Western perspectives.

Responsible cyber behaviour (RCB) refers to the collective expectations of state and non-state actors about how they should behave in cyberspace. “Behaviour” in this context comprises the values, norms, policies, practices and technologies that are meant to protect and secure cyberspace. These expectations are highly contested and vary across regions.

Within cybersecurity debates – and specifically in the context of the UN’s Open-Ended Working Group on the security of and in cyberspace (OEWG) and Group of Governmental Experts (GGE) – “responsibility” has often been associated with “responsible state behaviour”. Within this context, the term “responsible state behaviour” mainly concerns the collective expectations of UN member states in meeting and observing their international commitments to norms and international law. The debate largely concentrates on how states should behave towards each other, rather than how they ought to act domestically. As these discussions are held at the UN First Committee responsible for international peace and security, dialogue on responsibility in cyberspace is restricted to those parameters.

RUSI’s research, and this paper, takes a wider view, based on the premise that understanding RCB requires consideration of cultural values, regional alliances and domestic factors such as institutional or legislative setup. The objective of this paper is to provide a wider conceptual lens on RCB, looking beyond the UN debate and, to some degree, beyond Western perspectives.

The paper investigates two areas: states’ perceptions of what international responsibility entails; and how other multilateral bodies and initiatives have sought to frame responsibility. The research evidence, gathered via a series of semi-structured interviews and workshops, shows that:

  • There is widespread recognition that the UN framework alone does not enable a sufficient understanding of RCB: elements of a state’s strategic preferences (such as regional dynamics, foreign policy, economic status and domestic regimes) are equally critical to a state’s view of RCB.

  • Beyond the UN framework, states view RCB in at least three ways: as an economic driver; as a set of tools that help them define and signal unacceptable behaviour; and as a multi-sited diplomatic strategy to advance a national interest.

  • Most states emphasise a positive interpretation of responsibility, linking RCB to economic development and prosperity.

  • Cyber capacity building is the most consistent theme associated with RCB, as it provides states with mechanisms and resources that help them act responsibly in cyberspace.

  • Some states emphasise the usefulness of negative responsibility measures, such as “naming and shaming” tactics, but most states avoid publicly identifying bad actors, concentrating instead on condemning behaviour generically and responding with discreet diplomatic and technical measures.

  • Given increasingly fragmented multilateral governance and growing geopolitical divides, states have progressively used non-UN forums to develop norms and shared views on irresponsible behaviour.

Recommendations include:

  • Encourage diplomatic engagement with non-Western attribution narratives: As non-Western states become more vocal in attributing behaviour, Western states should develop strategies to address emerging public attribution practices – especially by countries such as China and Russia – including by clarifying evidentiary standards and proactively communicating their own thresholds for public attribution. This can help manage the reputational risks of being named by adversarial states.

  • Clarify expectations for private sector actors in cyber diplomacy and capacity building: International organisations and donors should define clearer expectations around the involvement of private companies in cyber capacity building, particularly regarding transparency, conflict of interest and alignment with international standards of responsible behaviour.

  • Support the development of national legal and policy frameworks that define operational cyber responsibility: States, particularly in the Global South, should be supported in developing national policies that articulate their approach to cyber operations or the acquisition of cyber capabilities – including doctrines, thresholds for response and mechanisms for oversight – in line with international commitments.

  • Integrate incident response practices into ongoing cyber norms discussions: Multilateral and regional cyber forums should seek to leverage more insights from national computer emergency response teams and technical agencies in discussions on cyber norms, with a focus on how real-time responses to incidents reflect or challenge evolving expectations of responsible behaviour.

  • Map how existing multilateral forums interpret and apply RCB principles: Researchers and policymakers should continue to collaborate to further develop a comparative analysis on how different multilateral organisations or groupings seek to shape and/or operationalise RCB (for example, the Shanghai Cooperation Organisation, the BRICS, the International Telecommunications Union, ASEAN, and the OECD), even where the term “RCB” is not explicitly used. This will help identify overlapping expectations and areas of normative divergence.

Introduction

In 2015, UN member states agreed on 11 international norms to guide their behaviour in cyberspace. The norms establish general expectations for interstate interaction in cyberspace on topics such as cooperation, information sharing, respect for human rights, assistance with major cyber incident recovery, and the reporting of vulnerabilities. These norms are part of a two-decade set of dialogues conducted by the UN Group of Governmental Experts (GGE) and the UN Open-Ended Working Group on the security of and in cyberspace (OEWG), respectively. Successive resolutions from these processes have established what has come to be known as the UN framework for responsible state behaviour, comprising four main pillars that encompass the 11 norms (Figure 1): international law, cyber norms, confidence building measures (CBMs), and cyber capacity building (CCB).

Figure 1: UN Norms of Responsible State Behaviour in Cyberspace. Source: Bart Hogeveen, “The UN Norms of Responsible State Behaviour in Cyberspace”, Australian Strategic Policy Institute, 22 March 2022, p. 14. Edited by RUSI.

Despite geopolitical tensions between the US and China, the ongoing war in Ukraine, the crisis in Gaza and critiques concerning the erosion of the multilateral system, cyber has remained a slow but steady area of debate at the UN. Elements of the framework have been implemented regionally and domestically: since 2012, 32 countries have outlined their interpretations of international law’s application to cyberspace; public attribution of cyber incidents has become more frequent (albeit still limited to only a few states), CCB has gained prominence as a strategic investment area, and regional bodies have expanded their lists of cyber CBMs.

However, viewing responsibility in cyberspace solely through a UN lens is insufficient for understanding how responsible cyber behaviour (RCB) is perceived across different regions, and for identifying emerging state practices in this field, for a number of reasons:

  1. The UN framework provides only a partial picture of debates on responsible behaviour in cyberspace and can create a limited view of international expectations of state/non-state actors’ observance of emerging standards of responsibility, leaving out a much broader field of initiatives, practices and dialogues.

  2. Both policy and scholarly debates on responsibility and accountability in cyberspace have been led by a narrow interest in the international security dimension advanced by the UN, which has focused on questions about attribution and the consequences (or lack thereof) of non-observance of agreed norms and international law.

  3. While the UN framework is the outcome of consensus-based processes, the diplomatic power to shape the international agenda is concentrated in the hands of a few states. As a result, the consensus has, at times, been tabled and drafted by many, but meaningfully negotiated by only a select few.

  4. States have struggled to track how the UN framework is implemented and referenced domestically (beyond, that is, general acknowledgements from ministries of foreign affairs or other departments that might be more attuned to international security dimensions of responsibility in cyberspace).

These challenges raise important policy questions: how (and whether) the UN framework is socialised beyond diplomatic circles, and how states have sought to demonstrate their commitments to it domestically. The challenges also underscore the limitations of a UN-centric perspective, which conceals an equally important policy question: how have different views of responsibility so far emerged via other international dialogues and across regions and countries?

Drawing on interviews, workshops, participant observation and a literature review, this paper responds to these and other challenges by taking stock of how notions of responsibility are socialised beyond the UN discussion in two ways:

  1. Investigating states’ perceptions of how to exercise international responsibility: The paper provides an analysis of emerging state practices in response to the different components of the UN framework. It reflects on practical examples of how states have enacted international responsibility in terms of both positive responsibility (observance of rights, obligations and voluntary commitments) and negative responsibility (identifying or acting on lack of observance).

  2. Identifying how other multilateral or multistakeholder forums define RCB beyond the UN: The paper offers a reflection of how RCB has been defined beyond the UN First Committee terminology, and provides a multi-sited perspective of international responsibility by analysing documents from other international organisations, multilateral groupings and regional bodies.

If left unaddressed, these challenges could erode confidence in and observance of accountability measures by states. For Western governments, understanding the limitations as well as the perceived biases of a UN-centric approach can help them to identify blind spots and opportunities for engaging in constructive dialogue with developing and Global South countries in multilateral negotiations. For most states, and for those in the Global South in particular, having a clear grasp of the evolving state practices at the domestic, operational and international levels, and how they already connect to international commitments, can help them to identify areas of existing and potential implementation.

Most crucially, and as this paper shows, although states might not explicitly use the terms “responsible state behaviour” or “responsible cyber behaviour”, this does not mean that expectations of responsible behaviour in cyberspace are not being shaped in other multilateral, thematic or bilateral forums. Understanding and tracking forums beyond the UN can help states identify values, motivations and emerging interpretations of RCB – including those that might not always be aligned with the UN framework.

Methodology

The structure and content of this paper were developed and collected throughout the duration of RUSI’s Responsible Cyber Behaviour project. The findings are based on a combination of different data collection methods that were used to map states’ views on RCB and the implementation of the UN framework (albeit not restricted to the latter). Data collection took place from July 2023 to October 2024, during which the author engaged with approximately 70 governments and other non-governmental experts.

The methodology used for data collection and analysis in this project drew on primary sources (workshops, participant observation, interviews) and secondary sources (a literature review). Together, these sources cover the UN, other multilateral forums, national policies and scholarly analyses of the RCB-related topics covered in this paper:

  • Literature review: A review of literature from the past decade including (but not restricted to) academic papers, policy documents, official statements, resolutions and news pieces.

  • Interviews: Semi-structured interviews with 15 government representatives from different regions. These interviews took place either as follow-ups to workshops or alongside participant observation. Their primary purpose was to fill gaps in information. Interviewees 1–7 were from the Indo-Pacific, interviewees 8–10 from Europe, interviewees 11–12 from the Middle East and Africa and interviewees 13–15 from Latin America and the Caribbean.

  • Participant observation: The research team participated in cross-regional events held in London, New York, Accra, Santiago, Singapore and Kyoto. Participant observation included workshops in each of these locations, RUSI’s inaugural Securing Cyberspace Conference, and attendance at multilateral negotiations within the UN OEWG process and region-specific meetings. Data collection involved field notes documenting interactions and conversations at these events. Combining international and regional dialogues allowed the research team to engage with a broader range of stakeholders and identify emerging areas of RCB beyond the UN framework.

  • Workshops: Research involved organising seven workshops, primarily for data collection. Two workshops addressed cross-regional topics, while five focused on gathering national perspectives on RCB within specific regions. Each workshop hosted 30–40 government representatives, along with 3–5 non-governmental participants on average. Given that states do not always publicise their positions or interpretations of cyber norms implementation, the workshops were designed to focus on specific cases and practices (for example, incident response, regional norms guidance, principles for responsible cyber operations and ransomware) to facilitate information sharing.

I. Defining Responsible Behaviour Beyond the UN Framework

As “responsibility” is a multifaceted term that conveys notions of morality, values, ethics and legal obligations, cybersecurity debates have incorporated both the ambiguity and challenges that accompany it. Some researchers have opted for alternative concepts, such as “accountability”, shying away from responsibility for a number of reasons. First, “responsibility” evokes strict notions of legal obligations – complying with regulations or international law, for example. Second, both binding and non-binding obligations are often framed as a negative responsibility, that is, focusing on ensuring that actors are held responsible for inaction/non-observance or violation of international commitments, rather than addressing the structure of incentives for them to engage in positive observance in the first place. The over-emphasis on a negative view of responsibility, combined with the absence of an international, legally binding instrument specifically dedicated to cybersecurity, often leads to a third challenge: the view that responsibility is values-driven and thus deemed less objective in calling out or defining “bad” or “irresponsible” behaviour.

However, responsibility is shaped by other factors beyond the UN framework and a state’s culture – that is, the ideas (shared beliefs and assumptions), norms, historical experiences and behaviours that inform a state’s approach to strategy, security, military affairs and cybersecurity. This paper seeks to better understand how cultural values shape and signify RCB – even if they are not aligned with or are broader than the UN framework. And while the UN framework has narrowed the scope of what analysts look for when seeking to understand views of responsibility, nonetheless it cannot and should not be neglected. This is why this paper assesses state practice in implementing the UN framework while simultaneously incorporating the views of responsibility articulated in other multilateral, regional and theme-specific forums. In so doing, this paper provides state and non-state actors with a clearer analytical lens through which to view the UN framework in a broader landscape of RCB, providing a practical means by which to identify interests, possibilities for convergence/divergence, and strategies for engaging in bilateral and multilateral cooperation – UN or otherwise.

The Concept of Responsible Cyber Behaviour

In contrast to the narrow nature of the concept of responsible state behaviour as it relates to the UN framework, this paper proposes an auxiliary concept to support present and future research on state practice and strategic preferences: responsible cyber behaviour. Countries such as the US, Australia and Canada have referred to “responsible state behaviour” as part of their cyber strategies. Other countries, such as the UK and Greece, have used the term “responsible cyber behaviour” in some of their national documents; the latter term does not restrict responsibility to state actors only. As research by RUSI and the Australian Strategic Policy Institute has shown, policy terminology varies across regions, but nevertheless the concept of RCB can enable a better understanding and tracing of state practice and strategic culture.

The word “responsible”, in this case, invites a reflection on the responsibilities of a range of actors (state and non-state) within the global cybersecurity governance regimes, as well as on the positive (incentives) and negative (obligations and expectations from the international community) responsibilities that they bear. The word “cyber” indicates the realm of that responsibility – that is, in or through cyberspace. Finally, “behaviour” deliberately focuses on practices and conduct that are seen as responsible/irresponsible, acceptable/unacceptable or lawful/unlawful in cyberspace.

A summary of this paper’s working definition of RCB is therefore:

RCB refers to the collective expectations of how actors should or should not behave in cyberspace. It is composed of the values, norms, policies, practices and technologies that inform/are articulated by stakeholders, including with the purpose of protecting and securing cyberspace.

It is not assumed here that countries have explicitly used the term “responsible cyber behaviour”, nor that they necessarily need to have done so for their cyber behaviour to be considered “responsible”. In this regard, this paper represents a multi-sited approach to international responsibility: that is, it investigates how other multilateral and thematic forums (as well as middle-ground and non-Western governments) have framed the idea of “responsibility” in this context.

Responsible Cyber Behaviour Beyond the UN

Since the start of 2022, the RCB project has mapped 12 case studies of how RCB is regionally and nationally defined and/or influenced by a country’s culture. These examples, in conjunction with the present research data, have highlighted that there are numerous themes associated with states practising responsibility that transcend the UN framework. This is the case, for example, with the association between RCB and government control over media content or free speech (due to government concerns about political and social instability), or RCB and the existence of tools and legal frameworks to effectively combat cybercrime (regardless of whether it remains unclear how intrusive cyber-intrusive tools might be and what their “legitimate use” means in practice).

Outside the UN framework and the realm of the First Committee on disarmament and international security, there is a vast patchwork of views on what defines RCB. As noted by one of the interviewees, “We try to follow the UN cyber norms and framework, but like any other international issues [sic], it’s quite complicated. We cannot outright say that [we agree with the consensus document and that is] what we want. We can only say that there are no objections”. Another interviewee said, “We are adamant that responsible state conduct starts with the eleven norms, but also recognise that the norms and framework don’t cover everything that everyone might consider as responsible behaviour. These are negotiated outcomes – and there are norms that we feel more strongly about than others”.

For all the states’ representatives interviewed and for most of those present in the workshops, RCB is primarily about having policies (for example, national cybersecurity strategies, cybercrime legislation and data protection legislation) and institutions (for example, national computer emergency response teams (CERTs) and cybersecurity agencies or centres) to enable the country to respond to and/or prevent incidents in accordance with their international commitments.

This chapter presents three snapshots of interpretations concerning RCB beyond the UN: RCB as an economic driver; RCB as an evolving set of practices to determine unacceptable behaviour; and RCB as a multi-sited diplomatic strategy to advance national interest. In so doing, it reflects on states’ responsibilities to develop their own capacities, in the context of different perceptions about economic development as it relates to cybersecurity; looks at how states have sought to identify malicious cyber activity without necessarily having to name and shame state-based/-affiliated/-sponsored cyber actors; and examines how the UN First Committee, rather than being an initiator, is only one of many sites through which a proposal for a legally binding instrument has been advocated for.

RCB as an Economic Driver: The Responsibility to Develop Capacities

Contrary to the predominantly negative view of responsibility being focused on calling out bad behaviour and deploying other “sticks” to deter malicious cyber activity, most developing countries favour a positive view of responsibility: one that is centred around the development of economic capacities.

The question of developing economic capacities has only been tangentially covered in discussions in the GGE and OEWG, and through CCB. In 2021, states agreed, within the context of the UN OEWG, on principles that should guide CCB. These principles are: process and purpose, partnerships, and people. However, as one of the interviewees noted, for a minister or a decision-maker in a state capital, RCB is as much about the “ability to have and establish the proper mechanisms to act responsibly” and assess how to effectively spend money as it is about the UN framework, adding, “responsible state behaviour [as postulated by the UN framework] should not be seen in a vacuum [given that] CCB is a fabric for [a state’s] development”. As this suggests, not only does the relationship between RCB and CCB extend well beyond the remit of the UN First Committee within the UN, it also takes different shapes and forms in other multilateral groupings, raising the questions: what are states’ responsibilities to develop capacities to tackle cyber threats and how do they perceive them? The following points describe some of the ways in which RCB relates to CCB and cyber capacity development within and beyond the UN.

  • Capacity building enabling observance of international commitments: First, states have committed to implementing the UN framework. In this context, “capacity building” refers to the enablers and constraints for state observance of their collective commitments to the framework. Examples include initiatives that seek to enable states to develop their national position on how international law applies to cyberspace. Global Affairs Canada (GAC), for example, supported the AU with capacity building sessions to enable the development of a common African position, which led to the AU being the first regional body to publish a joint position of this kind.

    Moreover, according to international law, states need to have the capacity to observe, respect and enact – whenever appropriate – their international commitments. CCB is not only an enabling element of the implementation of the framework but also an integral part of the state’s capacity to observe international law. Due diligence refers to a state’s obligation to not knowingly allow its territory to be used for acts contrary to the rights of other states. It constitutes an obligation of conduct where states commit to pursuing their best possible efforts to prevent, respond to or terminate malicious cyber activities. However, if a state is unable to determine who is responsible for a malicious cyber activity because, for example, it does not have the capacity to identify, mitigate or discern from where such activity emanates (jurisdictionally speaking), then it cannot attribute and affix responsibility to another state, making it inviable for them to undertake countermeasures – thus illustrating the critical relevance of CCB in mitigating existing observance shortfalls and in elevating attribution.

  • Capacity building as state building: Interviews and workshop discussions showed that even though states might observe the UN framework, this does not guide the domestic RCB discussion. Rather, it is primarily led by development-related concerns such as CCB, economic prosperity and/or resilience, regardless of whether they are directly linked to the framework or not.

    Policymakers and ministers at the national level are much less concerned with the international law and norms dimensions of CCB. Capacity building is, first and foremost, an economic and development agenda directed at helping states respond to and/or prepare for a more digitally connected society. As one of the interviewees highlighted: “In the end, our cybersecurity agency’s focus is not cybersecurity but prosperity. To have that, you need to take risks – and we want to make sure we can manage those risks. Security is not the only thing that our nation needs, but the growth of [the] economy and safe and secure cyberspace are the main things”. It becomes clear that the economic prosperity narrative guides cybersecurity investment and not necessarily national security.

    Additionally, most states that engaged in this research associated RCB with developing core state functions for a more digitally-connected government – that is, with how capacity building enables the state to respond more effectively and proactively, and with the adequate legal and institutional resources. Unless a project explicitly relates to the OEWG (as is the case with the above-mentioned AU–GAC partnership, or with the Women in International Security and Cyberspace Fellowship), the connection with international commitments is often made ex-post in an attempt by the ministry of foreign affairs to translate existing initiatives into the OEWG agenda.

    As highlighted in the different workshops and interviews, the development of a national cybersecurity strategy, a national CERT and/or a cybersecurity agency can provide more transparency and predictability about a government’s action and mandate to act in cybersecurity-related areas. Such predictability is essential for creating an environment of stable development within which donor organisations such as international development banks know what they can expect in terms of implementation and returns.

    However, workshop participants from some states also noted that while organisational, institutional and policy measures that demonstrate RCB are important economic enablers, in the final analysis, one of the biggest challenges for them is ensuring they have sufficient budgetary resources to adequately purchase and renew licences for specific incident response and vulnerability management tools (as well as the skills to effectively implement them).

  • Regional bodies as catalysts for RCB: In recent years, regional organisations have started to play a key role in the implementation of the UN framework and beyond. Participants in the workshops highlighted how such organisations can: help track the implementation of international agreements; support the development of common positions on the applicability of international law in cyberspace; develop further confidence building measures to enhance regional collaboration; and play a role as hubs for CCB.

    Both the AU and the EU have now published their respective common regional positions on how international law applies to cyberspace, boosting expectations that regional bodies can help strengthen RCB. During one of the workshops, participants discussed this matter and highlighted that:

    • Not all regional organisations should be expected to support the development of a common position. On the one hand, organisations such as the OSCE might not be well placed to advance a common position (due to geopolitical tensions regarding Russia’s membership), but will continue to work on CBMs and other forms of capacity building. On the other hand, the Organization of American States (OAS), under the auspices of the Inter-American Judicial Committee, facilitated a multi-year project from 2018 to 2022 which included a survey to identify areas of convergence and divergence on how international law applies to cyberspace. Even though the OAS produced five reports on the topic, this has not produced a common position, due to varying degrees of political appetite and maturity to engage in the discussion. The level of political appetite is also influenced by a degree of historical and institutional unease among Latin American countries with the OAS as a regional organisation. This is partly because rather than focusing on specific subregions such as Latin America, South America or even Latin America and the Caribbean, it includes the US and Canada under the broader umbrella of “the Americas”. However, such dynamics have not stopped countries in the region from progressively publishing their views, as in the cases of Brazil (2021), Costa Rica (2023), Cuba (2024) and Colombia (2025).

    • Regional approaches to RCB, such as the common positions on international law, do not supplant individual national action, and can occasionally provide a stepping stone for states to develop the capacity and confidence to establish their own national positions. Diplomats in the workshops noted that common positions provide them with a reference document that they can use to articulate the importance of their national position within their respective government departments/ministries. The risk, however, is that governments with less capacity might settle for the common position and, in so doing, not progress with developing their own understanding – and consequently fall short of a progressive development and codification of international law.

RCB as Identifying Unacceptable Behaviour Beyond Public Cyber Attribution

Most of the discussion on unacceptable behaviour in cyberspace has revolved around a negative view of responsibility: that is, the ability of states to call out bad behaviour whenever necessary. The UK, the US, Canada, Japan, the EU and others have increasingly used sanctions, indictments (in the US), joint attributions and démarches to put pressure on state-sponsored groups from China, Iran, Russia and North Korea. The challenge, however, is that most countries do not publicly and politically attribute cyberattacks to other states, begging the question of how states can draw the lines of unacceptability if they are not inclined to politically and publicly attribute responsibility for perceived misdemeanours.

The research for this paper has identified at least three ways that states can signal (and have signalled) unacceptable behaviour, beyond public attribution:

  1. Technical attribution and/or indirect endorsements/references to other technical reports.

  2. Via other non-UN forums that seek to facilitate state convergence around a new norm targeting a specific unacceptable behaviour.

  3. Through thematic initiatives that seek to better understand the problem and the non-state actors’ stake in it so as to devise norms for the group.

Figure 2: State Practices in Signalling Unacceptable Behaviour Without Publicly Attributing Responsibility. Source: The author.

Most of the states that participated in the RUSI/GP-RCB workshops, as well as other government representatives who were interviewed as part of this project, noted that a lack of public political attribution should not be equated with a posture of complacency or absence of political will with regard to calling out unacceptable behaviour. Some interviewees stressed that they are more concerned with rejecting a certain type of behaviour than with discrediting the actor behind it – especially in the case of a state-sponsored or state-affiliated cyber incident where they are unwilling to take the risk of facing a political or economic backlash. While such a strategy arguably seeks to manage the risk of interstate cyber escalation, the actions it produces are insufficient to deter state-linked actors from conducting malicious cyber activity; this is a trade-off of which most states are conscious. Moreover, these actors might also be less inclined to attribute as a consequence of their cultural background, strategic preferences and/or regional dynamics. As one interviewee put it, “I think it is easier for the EU and NATO to take sudden actions against Russia. But for countries in Southeast Asia, it might be harder, or perhaps not so convenient to take certain actions [such as public attribution]. What you fundamentally do is you preserve your space. … Culture is important, and it shapes our way of communicating our grievances. We might not do it publicly, but in the background, there is considerable action”.

In cases such as this, where there is no political will to name and shame state actors, the national cybersecurity agency or CERT often plays a significant (yet tricky) role in navigating between technical and political attribution. For example, Switzerland – the foreign policy of which has been characterised by a posture of neutrality – has not sought to publicly attribute. However, in 2024 the Swiss National Cyber Security Centre (NCSC) mentioned for the first time that a “presumed pro-Russian” group called “NoName” had claimed responsibility for launching a distributed denial of service attack against multiple websites of the Swiss Federal Administration in protest at Ukrainian President Volodymyr Zelensky’s attendance at the World Economic Forum’s annual meeting in Davos. The word “presumed” here is important, as it is an attempt to cautiously restate the self-affiliation of the NoName group to Russia while not explicitly ascribing responsibility to Russia. The Swiss NCSC’s role on this occasion illustrates the fine line between technically and politically attributing an incident.

Other countries might not even come so close to making a technical attribution but would rather use subtler strategies to indicate concern. For example, following the 2022 Russian attack to disrupt satellite communications provider Viasat’s services to Ukraine just a few hours before the full-scale invasion took place, Singapore referenced the cyberattack in a series of public statements from ministers at the end of 2022, and in 2023 the Cyber Security Agency of Singapore included a reference to the operation in its 2022 annual report, explicitly referencing the attribution to Russia made by the US, the UK, Australia and others. Interviewees and workshop participants noted that their governments have used consistent referencing as a tool for articulating unacceptable behaviour, while controlling for risks. Such a practice, which refrains from politically joining a broader coalition to attribute but refers to the attribution, favours signalling over punishing or shaming.

The factors that can prompt states to shift their posture towards making public attribution vary, and many of them have remained focused on the behaviour rather than the perpetrator (if state-sponsored or -affiliated), even after large-scale incidents. After 27 government bodies in Costa Rica were targeted by Russia-affiliated ransomware group Conti in 2022, the government was the first to declare a “national state of emergency” due to a cyberattack but did not go so far as to publicly associate the group with Russia. This example, as also highlighted during our GP-RCB regional workshop, shows that rather than seeing attribution as the ultimate tool to signal unacceptable behaviour, a country’s response to an incident can accelerate its maturity in defining red lines. In Costa Rica’s case, this was manifested through practices such as the government publishing its view on how international law applies to cyberspace, approving its national cybersecurity strategy (2023–27), strengthening the national CERT’s role as national cyber security coordinator, and receiving financial and capacity building assistance from the US to enhance recovery and response.

Estonia provides a contrasting example. The country had been a target for Russian state-sponsored cyber operations for nearly two decades, and yet in that time had decided not to publicly and politically attribute any cyberattacks. This approach changed in 2024, with the country naming, for the first time, Russia’s military intelligence service (the GRU) as responsible for a 2020 cyberattack targeting Estonian ministries. While scale might not have been as decisive a factor as it was for Costa Rica, the Estonian attribution was the outcome of a years-long build-up of their appetite for engaging in such practice. While no single trigger for the change in posture has been confirmed privately (as part of this research), or publicly, a number of factors can be seen to have created the enabling context for the change in posture: the fact that since Russia’s 22-day cyber campaign against Estonia in 2007 the EU had developed a cyber diplomacy toolbox encouraging the practice; more countries having signed up to joint cyber attributions; and the context of Russia’s ongoing war in Ukraine and targeting of neighbouring countries with cyberattacks.

Regional organisations or groups of like-minded countries can progressively enable an environment of trust wherein states that are disinclined to attribute individually can align themselves with existing public attributions without overcommitting. This is the case with the EU’s Cyber Diplomacy Toolbox (CDT). The CDT was established in 2017, and two years later was adopted by the Council of the EU as part of the EU’s Common Foreign and Security Policy, enabling sanctions to be imposed in line with the CDT’s provisions. In 2020, the Council imposed sanctions against cyberattacks for the first time. While it cannot be categorically stated that the CDT directly influenced Estonia’s shift in posture, these developments do illustrate that the existence of shared frameworks embedded in regional bodies can foster an environment of trust wherein member states can build upon and develop their national approach to cyber attribution.

However, there are still multiple reasons why a country might not seek to publicly attribute a cyberattack, including: avoiding exposure to potential retaliation from the state to which the malicious cyber activity is attributed; lacking the capacity to respond to and/or identify the origin of the malicious cyber activity; and/or expecting more information to be shared by countries that are trying to recruit support for specific public attributions. The tendency to use public attribution often shifts only after large-scale incidents: as seen in Albania after the Iranian group HomeLand Justice targeted Albanian government public services and government websites, or in the UK after the 2017 WannaCry ransomware attack attributed to North Korea’s Lazarus Group. Whether such a trend is consistent across regions and cases remains uncertain. As shown in cases such as in Costa Rica, for example, the inclination to publicly attribute after a cyber-enabled national or diplomatic crisis is not a universal pattern. Additionally, countries embroiled in ongoing border disputes or facing persistent threat-actor clusters, such as India and Pakistan, have shown little inclination to publicly attribute cyber incidents.

In addition to technical attribution or government reference to private companies’ threat intelligence reports or alerts, some states also signal unacceptable behaviour by leveraging like-minded forums to build consensus on other potential norms for RCB. This is the case with the G20 and G7 advocating for a norm against cyber-enabled theft of intellectual property (IP). This norm has not been explicitly recognised by UN processes, although it would fall broadly under the norm on not knowingly allowing a territory to be used for internationally wrongful acts. The G20 and G7 discussions about the norm emerged after the Obama–Xi agreement in 2015 – following comments from General Keith Alexander, former head of the US Cyber Command, describing China’s IP theft as “the biggest transfer of wealth in history”. The initial 2015 momentum also meant that the norm managed to gain traction in other groupings: the G20 leaders’ communique recognised state-sponsored economic cyber espionage as a risk to long-term economic growth in 2015, and a year later G7 member states also stressed their commitment “that no country should conduct or knowingly support ICT [information and communications technology]-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to its companies or commercial sectors”.

However, not all commitments persist over time. Current US–China relations and the broader geopolitical context could not be more different from those in 2015, amid increasing international tensions involving Russia and between the US and China (especially after the discovery that the Chinese Ministry of State Security and the People’s Liberation Army were conducting cyber espionage and pre-positioning of malicious software in US critical infrastructure). While the G7 has continued and expanded its efforts in the cybersecurity domain, the G20 has become an ever-more contentious forum given the lack of a common position condemning Russia’s full-scale invasion of Ukraine and in the context of the trade war between the US and China – all of which has rocked the prospects for further norms diffusion and implementation across G20 member states.

States also engage in defining unacceptable behaviour by promoting or participating in exploratory discussions and groupings that seek to enable norms emergence. That is the case, for example, with the Pall Mall Process (PMP), an initiative set up by the UK and France in 2024 to discuss the proliferation and irresponsible use of commercial cyber intrusion capabilities, and with similar US-led efforts to control proliferation of commercial spyware via the Summit for Democracy, and the resulting joint statements. The topic of commercial cyber intrusion had not been referenced in UN GGE or OEWG resolutions prior to the PMP or the joint statements. Probably the closest reference to it was the norm that notes that: “States should [seek to] prevent the proliferation of malicious ICT tools, techniques or harmful hidden functions”. Despite the Summit for Democracy focusing exclusively on the most intrusive type of commercial cyber intrusion capability and the PMP focusing on getting less like-minded countries and companies on board to discuss irresponsible use of other tools (while recognising that there are legitimate uses), both initiatives arguably spurred momentum for the topic to be recognised for the first time in the UN OEWG 2021–25 interim annual progress report, in mid-2024. While the report did not add a new norm on the topic, it did recognise the threat that commercial cyber intrusion poses to ensuring state responsibility in cyberspace:

States noted the growing market for commercially-available ICT intrusion capabilities as well as hardware and software vulnerabilities, including on the dark web. States expressed concern that their ready availability to State and non-State actors was increasing the opportunity for their illegitimate and malicious use and making it potentially more difficult to mitigate and defend against the threats they pose, while emphasizing that such capabilities could be used in a manner consistent with international law. States further expressed concern that the dissemination of ICT intrusion capabilities by State and non-State actors could contribute to unintentional escalation and threaten international peace and security.

The cases above highlight a few examples of the practice of RCB beyond the UN, demonstrating: how consensus and signalling concerning irresponsible cyber behaviour need not start at the UN; that successful dissemination of a norm of unacceptability may or may not result in it being incorporated in UN resolutions; that the fact that a norm has not been accepted by UN processes does not mean that other countries might not take it up as a national commitment; that domestic motivations and demonstrations of condemned behaviours vary, yet still signal unacceptability (albeit through different means and practices); and that there is much more to learn about countries’ views of RCB – and consequently the demarcation of irresponsible behaviour – from incident responses.

RCB as a Diplomatic Strategy: The Quest for a Legally Binding Instrument for Cybersecurity

Whether a treaty or convention on cybersecurity is required has been the subject of a long-time contentious debate at the UN – and not without reason. With the exception of the AU’s Malabo Convention, the Budapest Convention on Cybercrime and the UN Cybercrime Convention, there is no “special” law for international security in cyberspace. And, as highlighted by different states, the absence of such lex specialis for cyberspace means that general rules of state responsibility and customary international law apply in the cyber context. While states remain divided into three camps regarding the development of special law – “no need”, “maybe later”, “urgently needed” – in UN OEWG and GGE negotiations Russia has sought to advocate for a treaty (special law) through other multilateral organisations and in bilateral dialogues.

Since 2013, the BRICS (Brazil, China, Egypt, Ethiopia, Iran, India, Russia, South Africa and the UAE) summit declarations have included mentions of espionage, cybercrime and international cybersecurity. The specific topics might have changed slightly over the years, but some notable examples include, in 2014, committing to “the negotiation of a universally legally binding instrument” for combating the criminal use of ICT. Subsequent years have seen the recognition and emphasis of “the importance of an open, secure, peaceful, stable, accessible and non-discriminatory environment for information and communications technologies”, in addition to “the importance of universally agreed norms, rules and principles, under the auspices of the UN, for the responsible behavior of States in the realm of ICTs, and uphold the centrality of the United Nations in their development”.

While some might question how closely summit declarations reflect states’ views, it remains the case that such declarations do illustrate how these states publicly, deliberately and politically endorse a particular narrative about RCB. These kinds of statement have also been accompanied by the establishment of cybersecurity-specific mechanisms under the auspices of the BRICS. This includes the Working Group on Security in the Use of Information and Communication Technologies and the BRICS Roadmap of Practical Cooperation on Ensuring Security in the Use of ICTs. These and other mechanisms provide a specific space for socialisation of norms and understandings of what RCB means within the BRICS, albeit with limited public visibility of the frequency of meetings, activities and outcomes.

Despite such limitations, two key references to RCB have emerged publicly from the BRICS Summit declarations. The 2023 Johannesburg II Summit Declaration reintroduced a reference to the leading role of the UN in “developing a universal legal framework” on international ICT security after a six-year gap between it and the first time it had been mentioned in a BRICS Summit Declaration. The reference re-emerged at the same time as the UN Ad Hoc Committee on cybercrime was conducting its own negotiations for a global cybercrime treaty and was published less than two months after Russia, Belarus, North Korea, Nicaragua, Syria and Venezuela had submitted a concept document to the OEWG proposing a Convention on Information Security. While Russia was not the main sponsor for the latter – despite having historically been the country tabling the proposal for a convention on the topic – the reference shows that in settings such as the BRICS, there are specific leads pushing for RCB-related proposals such as a legally binding treaty on cybersecurity. Moreover, when this development is considered in the broader context of concomitant negotiation processes, it becomes evident how Russia advocates for similar agenda items across UN and non-UN forums. That is the case, for example, in Russia–Africa summits, where Russia has not only pushed for representatives from African states to “work towards legally binding norms” on the security of ICT but has also referred to it during OEWG negotiations in order to pressure African states.

The announcement of the expansion of the BRICS in August 2023 raised numerous questions as to what BRICS+ negotiations would deliver on cyber-related issues – if anything – given the increasing disparities of views among members.

The Shanghai Cooperation Organisation (SCO) has also been addressing cybersecurity issues. According to the 2023 SCO Deputy Secretary General, cybersecurity has been part of the SCO’s dialogues since 2006, when the group’s foreign trade ministers established the Ad Hoc Working Group on ICTs. In 2009, SCO member states signed an Agreement on Cooperation in Ensuring International Information Security, which provides a list of common threats, terms and concepts, and lists areas for future cooperation in cybersecurity and cybercrime. Notably, the document also includes a list of general principles, agreeing that “[cooperation and the activities in the international information space should meet] the conventional principles and rules of international law, including the principles of peaceful settlement of disputes and conflicts, non-uses of force, non-interference to internal affairs, respect of the rights and fundamental freedoms of the person, and also to the principles of regional cooperation and non-interference to national information resource.”

As the 2022 Joint Communiqué following the 21st Meeting of the SCO Council of Heads of Government (prime ministers) shows, initiatives in this field have continued. The document refers to the Concept of Cooperation of the SCO Member States in the Field of Digitalisation and Information Communication Technology (Bishkek, 14 June 2019 – not publicly available). Also in 2022 the SCO released a statement on the diversification of supply chains, noting:

We emphasise the devastating impact of unilateral economic measures, which run counter to the general principles and rules of the WTO, and of measures regarding the financial systems of the SCO member states on the security and stability of supply chains, as well as on the multilateral trading system and all its participants. We reaffirm our desire to ensure the resilience, reliability and stability of international supply chains, and maintain the openness and transparency of cooperation.

While not cyber-exclusive, the discussion does relate to views on the responsible use and development of technologies. On a similar topic, since 2022 the Samarkand Declaration and the New Delhi Declarations have iteratively stressed SCO states’ categorical opposition to the militarisation of ICT.

SCO member states have also reinforced their support for the “development of universal rules, principles and norms of responsible behaviour of states in this area, and in particular, welcome the development under the auspices of the UN of a comprehensive international convention against the use of ICT for criminal purposes”, while also reiterating the central role of the UN in countering threats in the information space by “creating a safe, fair and open information space, with respect of principles of state sovereignty and non-interference”.

Risks to Enactment of International Responsibility

Notions of responsibility or responsible behaviour are not always explicitly referred to within a UN First Committee but, as this section shows, they are nonetheless portrayed, encoded and exported in documents produced across multiple sites and by many types of actors. It is vital that scholars and policymakers track and reflect on how UN debates unfold not only in New York but also in other multilateral and multistakeholder discussions. This is because states might seek to:

  • Advance and consolidate norms in smaller groupings on specific topics and then resocialise them in key processes such as the UN OEWG and its future regular mechanism for institutional dialogue. Ongoing ad hoc initiatives such as the PMP serve as an example of spaces where states, private sector actors and civil society collaborate to shape emerging norms before bringing them to multilateral forums such as the UN.

  • Ensure complementarity of the different mandates of these organisations and processes whenever possible. This is the case, for example, with cross-referencing or enabling participation of International Telecommunication Union (ITU) representatives in OEWG dialogues with the purpose of understanding broader CCB initiatives.

  • Identify areas of contention around or divergence from evolving international views on RCB. Despite the GGE and OEWG resolutions, as well as the restated commitment to the UN framework, other multilateral groupings or initiatives might share different values or concerns. This directly influences whether they will concentrate in areas such as development rather than deterrence, or on the development of a legally binding instrument rather than customary international law.

Additionally, throughout the interviews, workshops and participant observation in multilateral negotiations, the following challenges to the effective operationalisation of states’ international commitments to RCB – whether the UN framework or others – have been identified and need to be further investigated:

  • Challenges in tracing norm implementation and political will: Despite widespread agreement among member states on voluntary commitments, implementing and monitoring adherence to international norms remains problematic. Efforts such as checklists created by Mexico, Australia and ASEAN have aimed to provide frameworks for assessing cyber norms, yet awareness and practical application are often lacking. This gap underscores the difficulty of translating commitments into measurable actions.

  • Risks of a predominantly negative accountability framework: A negative approach to responsibility often concentrates on the consequences and reparations arising from wrongful or irresponsible actions. This state-centric, punitive view has notable shortcomings:

    • It marginalises non-state actors, despite their significant role in cyberspace.

    • It overlooks non-malicious actions that inadvertently cause harm.

    • It fails to account for variations in understanding and enacting responsibility, even within the context of international agreements.

  • Over-reliance on public attribution by a select few: Public attribution and practices such as “naming and shaming” remain key tools for signalling unacceptable cyber behaviour. These actions highlight prohibited targets, methods and effects, serving as a deterrent for some states. However, this approach is not universally embraced – most states refrain from public attribution, which in turn hinders the development of more comprehensive and strategic responses beyond a limited coalition of like-minded states.

  • Disparities in national capacities and their impact: The absence of clarity regarding whether states are unwilling or unable to effectively respond to malicious cyber incidents (or adhere to international commitments) complicates the assessment process. This uncertainty can lead to an over-reliance on assumptions, further impeding efforts to accurately evaluate state capabilities and willingness to address emerging cyber threats and norms implementation.

Conclusion: Widening the Lens on Responsible Cyber Behaviour

This paper has demonstrated that RCB extends beyond the parameters established by the UN. While the UN framework continues to play a critical role in shaping international discussions on cyber responsibility, it is only one part of a broader evolving landscape.

The following key insights emerged from this study:

  1. RCB as a multidimensional concept: Responsibility in cyberspace is not confined to legal obligations or diplomatic commitments within UN-led processes. Many states perceive responsibility through the lens of economic development, national resilience and CCB. The UN framework provides a foundation, but state practice indicates that cybersecurity is often framed in terms of economic security and domestic stability rather than purely in terms of international law.

  2. The role of alternative norm-setting bodies: Multilateral organisations such as the G7, the BRICS and ASEAN and regional cybersecurity frameworks play a crucial role in defining and reinforcing cyber norms. These organisations provide alternative venues for states to engage in cyber diplomacy, shape expectations around responsible behaviour and develop cooperative mechanisms outside the UN framework. The diversification of norm-setting spaces reflects both geopolitical realities (in other words renewed minilateralism) and the need for more flexible, context-specific approaches to cyber governance.

  3. Operational responsibility and emerging norms: Beyond the high-level diplomatic discourse, states demonstrate RCB through national policies, incident response practices and engagement with technical communities. While some states prioritise deterrence and attribution, others focus on discreet diplomatic and technical responses to cyber threats. The emergence of new policy discussions – such as pre-positioning cyber capabilities, commercial cyber intrusion and the role of private sector actors – illustrates the evolving nature of challenges facing RCB.

Implications for Policymakers and Researchers

As geopolitical dynamics continue to shift, tracking and analysing RCB beyond the UN will remain an essential task for ensuring diplomats and policymakers are equipped to negotiate diverging views on RCB.

Understanding RCB beyond the UN framework is crucial for both policymakers and scholars. Western governments must recognise the limitations and perceived biases of a UN-centric approach to cybersecurity, which may not fully capture the concerns of developing nations. For non-Western states, especially those in the Global South, acknowledging their own cyber practices and aligning them with broader international commitments can enhance their strategic positioning in global cyber governance.

With that in mind, further research is needed in the following areas:

  1. Non-Western perspectives on cyber responsibility: More studies should explore how different cultural, economic and political contexts shape state approaches to RCB. This includes investigating how regional and national security policies integrate cyber responsibility in ways that differ from dominant Western perspectives in key areas including attribution, institutional setup and incident response. Examining how Global South nations define and implement cyber norms within their own strategic priorities will be key to fostering a more inclusive and representative cyber governance framework. However, there are thornier policy challenges ahead that merit further research: as countries such as China, Russia and others become more comfortable in conducting public cyber attribution against the US, for example, Western governments will need to reflect on how publicly naming and shaming – usually used as a negative accountability measure – can be instrumentalised against them. The emergence of non-Western attribution will put renewed pressure on the expected level of information shared in those attributions and the kinds of behaviours that are deemed unacceptable.

  2. The role of private sector actors: Given their influence on cyber norms, the responsibilities of private companies to ensure international cybersecurity should be further examined. Many global technology firms play a dual role as both enablers and enforcers of cybersecurity measures. Their involvement in CCB, threat intelligence sharing and incident response demands greater scrutiny. Future research should focus on how private entities can be held accountable for their role in cybersecurity governance, shape the political economy of cybersecurity, and contribute to fostering RCB at an international level.

  3. Operational cyber responsibility: A deeper assessment of how states justify and conduct cyber operations, including legal and ethical considerations, will be crucial for shaping how RCB is applicable to the design, conduct, approval and assessment of cyber operations, for example. This includes an exploration of how states define acceptable thresholds for cyber defence and retaliation, the legal frameworks governing cyber operations, and the impact of emerging cyber capabilities on national security. Additionally, research should examine how cyber operations intersect with human rights obligations and the role of oversight mechanisms in ensuring compliance with international law. Moreover, emerging practices such as pre-positioning – increasingly seen on the part of state-affiliated groups linked to China – pose a challenge to RCB, as they explore the fine line between tacitly acceptable practices (espionage) and cyber operations. It remains uncertain whether a norm will develop in this sphere or whether there will be a growing consensus rejecting the practice of pre-positioning. However, developments in this area will continue to present relevant tests to defining operational responsibility as it relates to states’ international commitments.

  4. Incident response and cyber norms as RCB in practice: While much of the existing research focuses on diplomatic and legal frameworks, there is a growing need to investigate how states respond to real world cyber incidents. Understanding how national CERTs, intelligence agencies and law enforcement bodies interact in the wake of cyberattacks will provide valuable insights into how cyber norms are operationalised. Future research should assess how best practices in cyber incident response contribute to broader international expectations of responsible behaviour.

  5. The evolution of cyber norms in multilateral forums: Beyond the UN, various international and regional organisations continue to shape discussions on RCB. Further research should examine how alternative forums – such as the OECD, ITU and regional cybersecurity initiatives – influence cyber governance. Investigating how these organisations establish new norms, enforce existing agreements and facilitate capacity building efforts will be essential for understanding the future trajectory of global cybersecurity cooperation in RCB, even if they do not employ the same terminology.


Louise Marie Hurel is a Research Fellow in RUSI’s Cyber and Tech research team. Her research interests include incident response, cyber capacity-building, cyber diplomacy and non-governmental actors’ engagement in cyber security.
