The digital world needs new rules. The absence of common norms is leading to instability and conflict. Commercially, large US based Internet companies are under pressure in Europe to comply with the continent’s tax policies. They are under pressure in the rest of the world to comply with stringent conditions restraining the freedom of expression. Strategically, the absence of a shared understanding on cyber security and cyber warfare has fostered insecurity with ever growing evidence of cyber attacks against key targets including banks, hospitals and the electricity grid.
Global norm making in other areas of the public commons has had an amorphous trajectory combining universalism, multilateralism, regionalism and bilateralism. In trade for instance, from the beginning a multilateral approach was adopted with the establishment of the General Agreement on Trade and Tariffs in the early days of the post war era. Yet regionalism has seconded the multilateral track with the proliferation of regional trade agreements that were viewed as the building blocks of the normative framework for global trade. In the field of disarmament related to weapons of mass destruction, the goal has been universalism. The Non Proliferation Treaty binds almost all nations with the exception of Israel, Pakistan, North Korea and India. A similar degree of universalism has been achieved for the global regimes for the prohibition of chemical and biological weapons. In climate change however, regionalism was more effective with the EU taking the lead in establishing an internal system of carbon commitments which was then extended eventually to the global sphere.
Norm making for cyber space is likely to follow a path reflecting the diversity of strategic options. There will be policy areas where from the outset a multilateral approach would be needed. That is particularly the case for the governance of the Internet where not only multilateralism but also multistakeholderism has been implemented with ICANN. Similarly for the taxation of e-commerce a global set of rules would need to be established. The World Trade Organisation stands as the most appropriate venue for this task. But a more selective approach will be required to establish norms in other key areas of the cyber universe.
There are few rules at present guiding the cross boundary behavior of state actors in relation to cyber security for instance. Many countries have therefore developed capabilities to explore and capitalize on the cyber deficiencies of their rivals. China, in particular, has been framed as an aggressive actor with its reliance on state linked groups of hackers. Chinese hackers have been linked to data breaches from large retailers to government entities like the US Office of Personnel Management. The building blocks for the development of normative code of conducts as well as binding cyber security rules are set to be a network of bilateral agreements. The US-China Agreement of October last year paved the way to the G20 Summit Declaration of November which included for the first time a shared commitment by G20 governments of restraint in cyber space.
But more generally, the chronology of global norm making has amply demonstrated the unique value of a well-functioning transatlantic partnership. It was indeed with a sense of joint leadership that America and Europe have fostered an international policy environment conducive to rule making. The cyber policy domain remains an exception. The lack of an effective transatlanticism in cyber rule making is due to the corrosive impact of the US electronic surveillance as disclosed by the whistle blower Snowden. These activities have bedeviled the relationship between Brussels and Washington as witnessed by difficulties over the establishment of common and binding standards for protecting online privacy.
That is also why the current US-EU negotiations on data privacy are of essence. An agreement will not only eliminate current uncertainties over cross border data transfers but it will help to re-establish a cooperative transatlantic dialogue on cyber policy that can and should be leveraged to advance global efforts of norm making for an open, free and secure cyber world.