Constructing Norms for Global Cybersecurity

In this paper, Finnemore and Hollis agree with the general tendency towards norms, rather than treaties, to ensure global cybersecurity, but contend that choices made in the process of norm development are as important as the substantive nature of the norms themselves. The general thesis of the paper being: cybernorm proponents must pay close attention to the ways in which norms are constructed, promoted, and institutionalized, in order to ensure that the norm is adopted and has the desired effect. They argue this by building upon social science literature in physical/conventional terrain and by arguing that the complex, dynamic nature of cyberspace necessitates close attention to process and strategy in norm development. In cyberspace, the ‘who-does-what-when’ is not clear due to the number of layers and actors involved, so here, process is stressed as a means for adapting to this multifaceted environment. This paper includes particular attention to the choices of norm entrepreneurs— individuals/groups/states who seek to cultivate new cybernorms— and how those choices affect the actors, context, and tools necessary for implementation. They argue that norm entrepreneurs face choices in defining the identity (who the norm applies to), behaviour (how the norm is regulated), propriety (the way the definition of improper behaviour is derived) and collective expectations (“the extent of intersubjectivity and internalization that norms receive”). In addition to these choices, norm entrepreneurs have tools at their disposal to promote adoption of the norm, namely: incentives, persuasion, and socialization. Finnemore and Hollis contend that each of these choices shapes the reception and success of the cybernorm, and thus, should receive due attention from the norm entrepreneur. This in-depth and interdisciplinary analysis is important because it clearly defines the stakes of the choices involved and roadmaps processes for robust norm development. Keywords: norms, cybersecurity, information and communication technologies, norm entrepreneurs, process-centred analysis