US official affirms effectiveness of cyber norms during the Munich Cyber Security Conference

Nearly three years ago, in March 2021, the UN membership agreed to adhere to 11 cyber norms. This milestone marked the culmination of extensive negotiations and aimed to alleviate global concerns regarding the malicious use of information and communications technology (ICTs) in cyberspace.

However, despite the agreement on norms, subsequent international experience has revealed that mere agreement, even when politically binding, is insufficient to ensure compliance or stability in cyberspace. This raises questions about the efficacy of such agreements.

Liesyl Franz, Deputy Assistant Secretary at the US State Department’s Bureau of Cyberspace and Digital Policy, explained during an interview with Recorded Future News at the Munich Cyber Security Conference that the purpose of these norms wasn’t to establish a UN-driven enforcement mechanism against states engaging in online misconduct. Rather, they provide a clear framework defining expected behaviours. When states or entities violate these norms, they can be held accountable based on this established foundation.

Political attributions are often framed within the language of these norms, formalised as a framework for responsible state conduct in cyberspace. For instance, when the UN and its allies accused China of supporting the Microsoft Exchange campaign, they emphasised ‘irresponsible state behavior’. Similarly, while the EU refrained from directly attributing the campaign to a state-sponsored group, its condemnation highlighted actions contradictory to responsible state behaviour norms endorsed by all UN member states.

She also added, ‘The other thing that the normative framework has been very helpful in, is because it has positive norms and capacity building — coming to the aid of other countries — it’s a message if we, as the United States in coordination and partnership with other countries, provide assistance to countries who are a victim of cyber incidents.’