New Ways to Frame Responsible Cyber Behaviour Beyond the UN

Responsible cyber behaviour (RCB) refers to the collective expectations of state and non-state actors about how they should behave in cyberspace. ‘Behaviour’ in this context comprises the values, norms, policies, practices and technologies that are meant to protect and secure cyberspace. These expectations are highly contested and vary across regions.

Within cybersecurity debates – and specifically in the context of the UN’s Open-Ended Working Group on the security of and in cyberspace (OEWG) and Group of Governmental Experts (GGE) – ‘responsibility’ has often been associated with ‘responsible state behaviour’. Within this context, the term ‘responsible state behaviour’ mainly concerns the collective expectations of UN member states in meeting and observing their international commitments to norms and international law. The debate largely concentrates on how states should behave towards each other, rather than how they ought to act domestically. As these discussions are held at the UN First Committee responsible for international peace and security, dialogue on responsibility in cyberspace is restricted to those parameters.

RUSI’s research, and this paper, takes a wider view, based on the premise that understanding RCB requires consideration of cultural values, regional alliances and domestic factors such as institutional or legislative setup. The objective of this paper is to provide a wider conceptual lens on RCB, looking beyond the UN debate and, to some degree, beyond Western perspectives.

The paper investigates two areas: states’ perceptions of what international responsibility entails; and how other multilateral bodies and initiatives have sought to frame responsibility. The research evidence, gathered via a series of semi-structured interviews and workshops, shows that:

• There is widespread recognition that the UN framework alone does not enable a sufficient understanding of RCB: elements of a state’s strategic preferences (such as regional dynamics, foreign policy, economic status and domestic regimes) are equally critical to a state’s view of RCB.
   
• Beyond the UN framework, states view RCB in at least three ways: as an economic driver; as a set of tools that help them define and signal unacceptable behaviour; and as a multi-sited diplomatic strategy to advance a national interest.
   
• Most states emphasise a positive interpretation of responsibility, linking RCB to economic development and prosperity.
   
• Cyber capacity building is the most consistent theme associated with RCB, as it provides states with mechanisms and resources that help them act responsibly in cyberspace.
   
• Some states emphasise the usefulness of negative responsibility measures, such as ‘naming and shaming’ tactics, but most states avoid publicly identifying bad actors, concentrating instead on condemning behaviour generically and responding with discreet diplomatic and technical measures.
   
• Given increasingly fragmented multilateral governance and growing geopolitical divides, states have progressively used non-UN forums to develop norms and shared views on irresponsible behaviour.

Recommendations include:

• Encourage diplomatic engagement with non-Western attribution narratives: As non-Western states become more vocal in attributing behaviour, Western states should develop strategies to address emerging public attribution practices – especially by countries such as China and Russia – including by clarifying evidentiary standards and proactively communicating their own thresholds for public attribution. This can help manage the reputational risks of being named by adversarial states.
   
• Clarify expectations for private sector actors in cyber diplomacy and capacity building: International organisations and donors should define clearer expectations around the involvement of private companies in cyber capacity building, particularly regarding transparency, conflict of interest and alignment with international standards of responsible behaviour.
   
• Support the development of national legal and policy frameworks that define operational cyber responsibility: States, particularly in the Global South, should be supported in developing national policies that articulate their approach to cyber operations or the acquisition of cyber capabilities –including doctrines, thresholds for response and mechanisms for oversight – in line with international commitments.
   
• Integrate incident response practices into ongoing cyber norms discussions: Multilateral and regional cyber forums should seek to leverage more insights from national computer emergency response teams and technical agencies in discussions on cyber norms, with a focus on how real time responses to incidents reflect or challenge evolving expectations of responsible behaviour.
   
• Map how existing multilateral forums interpret and apply RCB principles: Researchers and policymakers should continue to collaborate to further develop a comparative analysis on how different multilateral organisations or groupings seek to shape and/or operationalise RCB (for example, the Shanghai Cooperation Organisation, the BRICS, the International Telecommunications Union, ASEAN, and the OECD), even where the term ‘RCB’ is not explicitly used. This will help identify overlapping expectations and areas of normative divergence.