Embed Size (px)
Citation preview
International Cyber Norms in The Cyber and Information Security
Strategies of The Russian Federation and The Netherlands
Written by: Benno Elderkamp
Student number: 1227386
Supervised by: Prof. dr. B. Van den Berg // Liisi Adamson
Second Reader: Prof. dr. A.L.Dimitrova
Leiden University
Faculty of Governance and Global Affairs
Msc Crisis and Security Management
2
Index Introduction .......................................................................................................................................... 4
Research Question ............................................................................................................................ 6
Sub-Questions ................................................................................................................................... 6
Academic and Societal Relevance .................................................................................................... 6
Reading Guide .................................................................................................................................. 8
Theoretical Framework ......................................................................................................................... 9
(Cyber) Norms .................................................................................................................................. 9
Cyberspace, Cyber-Security, Information Security, Cyber-Attack, and Cyber Conflict ................. 11
Securitization .................................................................................................................................. 12
Methodology ....................................................................................................................................... 15
Research Design ............................................................................................................................. 15
Case Selection ................................................................................................................................. 15
Research Method ............................................................................................................................ 16
Limitations ...................................................................................................................................... 17
Data Collection and Analysis .............................................................................................................. 18
Documents Used ............................................................................................................................. 18
Operationalization ........................................................................................................................... 19
Validity and Reliability ................................................................................................................... 21
United Nations Group of Governmental Experts and Cyber Norms ................................................... 22
Norm Emergence ............................................................................................................................ 22
Norm Cascade ................................................................................................................................. 26
International Law and Human Rights ......................................................................................... 26
Infrastructure ............................................................................................................................... 27
Prevention, Deterrence, Attribution. ........................................................................................... 30
Norm Internalization ....................................................................................................................... 32
The Russian Federation and Cyber Norms .......................................................................................... 34
International law and Human Rights ............................................................................................... 34
3
Infrastructure................................................................................................................................... 37
Prevention, Deterrence, and Attribution .......................................................................................... 38
The Netherlands and Cyber Norms ..................................................................................................... 41
International Law and Human Rights ............................................................................................. 41
Infrastructure................................................................................................................................... 44
Prevention, Deterrence, and Attribution. ......................................................................................... 45
Comparison ......................................................................................................................................... 48
International Law and Human Rights ............................................................................................. 48
Infrastructure................................................................................................................................... 50
Prevention, Deterrence, and Attribution .......................................................................................... 51
Future of the UNGGE ..................................................................................................................... 53
Cyber Securitization ........................................................................................................................... 56
Securitizing Actors ......................................................................................................................... 56
Referent Objects ............................................................................................................................. 57
Existential Threat ............................................................................................................................ 59
Functional Actors ............................................................................................................................ 59
Speech Act ...................................................................................................................................... 61
Conclusion .......................................................................................................................................... 63
Cited Sources ...................................................................................................................................... 65
4
Introduction The world has experienced a rising number of cyber-attacks. A particular watershed moment
in cyber-attacks were the 2007 cyber-attacks against Estonia (Tamkin, 2017). It was the first
instance a state allegedly used state-sanctioned cyber-attacks to advance its own foreign policy
objectives. A second important cyber-attack was the 2010 Stuxnet malware attack against
Iranian nuclear power plants (Finkle, 2013). Both attacks showed many states that they were
unprepared to deal with such attacks. These attacks were an unforeseen phenomenon in the
world. Many states scrambled to establish their own cyber-security strategies in order to deal
with these issues stemming from cyberspace. States recognized that the insecurities derived
from cyberspace would have to be dealt with through collaboration on an international level.
These collaborative efforts continue to be undermined by several inherent issues.
One of these issues is a lack of a global mechanism to address cyber-attacks and
cybercrime, limiting the ability of states to attribute and assign appropriate punishment. This
issue is further problematised by a lack of universally accepted definitions and understandings
on many cyberspace related terms (Radunovic, 2017). Each individual public and private actor
tends to use a different set of terms and approach in dealing with the insecurities in cyberspace.
A lack of common language is a fundamental issue as it problematizes any collaborative effort
on cooperation and negotiations (Radunovic, 2017). In recent years, these collaborative and
cooperative efforts have come together within the United Nations Group of Governmental
Experts in the Field of Information and Telecommunications in the Context of International
Security (UNGGE).
The meetings within the UNGGE were initially promising. Although the initial
meetings did not deliver any significant progress, a landmark report was issued in 2013
(A/68/98, 2013). The report constructed a set of norms and concluded that international law
was applicable to cyberspace. Both norms and international law were deemed necessary for a
secure “open, secure, peaceful and accessible ICT environment” (A/68/98, 2013, p. 2). The
2015 report emphasised and expanded the progress made in the 2013 report. However, with
the 2016-2017 UNGGE, a roadblock was hit.
The purpose of the 2016-2017 meetings was to provide recommendations on how
international law would apply in cyberspace. The group of governmental experts failed to reach
a consensus and talks collapsed as a fundamental divide had arisen (Markoff, 2017). The divide
was between the United-States and like-minded states which include the Netherlands, and the
Russian Federation and their respective allies. The Russian Federation and its allies disagreed
5
on the application of international law to an online conflict. The like-minded states sought ways
for international law to be used during or as a means to respond to an online conflict (Grigsby,
2017). The Russian Federation and its allies argued for the creation of a new set of laws to
prevent a conflict which they felt should not occur at all (MODRF, 2011; A/69/723, 2015).
A second divide was on the meaning and nature of cyber conflict and cyberspace. The
different approach dictates the way each side views the construction of the problem and the
solution. Whereas the Netherlands speaks of cyberspace, the Russian Federation approaches it
as information space. Cyberspace by the Netherlands is “understood to cover all entities that
are or may potentially be connected digitally” (MODNL, 2012, p. 4). Information space is
defined by the Russian Federation as the “formation, creation, transformation, transmission,
use, and storage” of information which affects amongst other things “the individual and social
consciousness, information infrastructure and the information” itself (MODRF, 2011, p. 5).
These two different ideological approaches led to the collapse of talks at the 2017 UNGGE.
The future of the UNGGE remains uncertain, as no new meeting has been planned for the
future.
Nonetheless, the Russian Federation remains fixed on its primary objective to promote
a new set of international laws; presented as codes of conduct. These laws are to prevent states
from developing cyber weapons as a means to interfere in the internal affairs of states
(A/66/359, 2011; A/69/723, 2015). In contrast, the Netherlands continues to argue that such
laws already exist. The Netherlands firmly believes in approaching international matters
consistently and in line with its previous obligations (MFAICSNL, 2017). Meaning, the
Netherlands is reluctant to deviate from already established rules and regulations and wishes
establish the cyber norms in adherence of said framework. This reluctance to deviate is part of
the like-minded camps concern for the protection of human rights online and offline. They are
concerned about the growing number of states who violate these rights and seek to offset this
through the UNGGE (MFAICSNL, 2017). Despite these differences, both camps share a
common interest in seeking to improve the stability in cyberspace and to eliminate the
incentives which motivate states to take risk.
This thesis will look at how the cyber (information) security strategies of both states
have evolved between 2007 and 2017. These evolving strategies will be analysed to determine
whether they can explain their divergent ideological approaches towards the cyber norms
debate. The theory of securitization will be used to determine to what extent both states have
securitized their cyber (information) security strategies. The theory will further be used as a
6
means to determine the potential for reconciliation between both ideologies and the future of
the international cyber norms debate.
Research Question The purpose of the thesis is to answer the following main research question and sub-questions:
Research question: How have the cyber security strategies of the Netherlands and Russia
developed between 2007 and 2017, and to what extent can the development of their cyber
security strategies explain their (different) ideological approaches towards the cyber norms
debate?
Sub-Questions (1) What are (cyber) norms?
(2) What does the concept of securitization entail?
(3) How has the discussion on cyber norms evolved within the UNGGE working group?
(4) How is the development of international cyber norms framed within Russia’s approach
to cyber security?
(5) How is the development of international cyber norms framed within the Netherlands
approach to cyber security?
(6) What do these developments have in common, and to what extent do they differ?
(7) Is cyberspace securitized?
Academic and Societal Relevance The research has both academic and societal relevance. The academic relevance lies in the
research effort to examine a current development within the world and add to a growing body
of research. Research which debates whether cyberspace and cyber-security have been
securitized, and if so, to what extent. The research will investigate the motivations behind the
two dominant perspectives on cyberspace. These perspectives will be framed within the
UNGGE debate on cyber norms. Together, the research would add to the growing body of
academic literature which seeks to apply traditional theories like realism, deterrence, attribution
and onto the field of cyber-security. These theories are applied to test their applicability and
suitability, and as a means to gain understanding in an otherwise complex issue.
7
The societal relevance of the study would be to gain understanding in the Russian
Federations approach into its information security strategies. The Russian Federations position
is interesting as it is one of the major actors within cyberspace whose position is contradictory.
They have been noted to seek limits on states behaviour with respect to cyber-attacks to prevent
cyber conflicts. At the same time, the Russian Federation has repeatedly been accused of
conducting the same type of cyber-attacks it wishes to prevent. The 10-year (2007-2017)
approach could shine light into this duality of thinking.
The Netherlands plays a significant role within the cyber community. The Netherlands
is one of the most digitalised states in the world. Nonetheless, it has yet to experience a cyber-
attack on the same level as Estonia, Germany, the United Kingdom, and the United States. This
despite the Netherlands containing the largest internet exchange point in the Amsterdam
Internet Exchange (AMS-IX). In 2018, the ABN AMRO, ING, and Rabobank were hit by a
DDos attack which lasted for several hours before being resolved (Zwienen, 2018). In 2016 it
came to light that the Dutch-German company Rheinmetall Defence had been hacked since
2012, leading to a loss of information. It serves as one of the rare occasions that an act of digital
espionage could potentially be attributed to a specific Chinese hacker group; although this is
unconfirmed (Modderkolk, 2018). However, the arguably most impactful and known cyber-
attack was the 2011 attack on DigiNotar. The Iranian secret service allegedly used the
vulnerabilities in the digital certification of DigiNotar to spy on Iranian citizens, although some
suspect US involvement (Hijink, 2013). However, these cyber-attacks do not compare to those
experienced by other states; placing the Netherlands in a rather unique position.
With its relatively small size, the Netherlands is forced to rely on diplomacy and has
historically emphasised a firm belief in international law. Examining the Dutch approach could
provide valuable, more nuanced information. Similar results would not be present when
examining the United States (US), whose foreign policy does not rely entirely on its soft-power
capabilities. As one of the largest actors in cyberspace, its relation and approach to the UNGGE
norms debate would be influenced by its relationship with the Russian Federation and China.
This would effectively resort to a great power struggle; whereby objective comparison would
be clouded by the history of both states. Lessons learned from the Netherlands could be applied
to states who are within a similar “disadvantaged” position, either side of the ideological debate.
By contrasting and comparing Russia and the Netherlands, lessons can be learned from
both perspectives. The research could discover areas within which there is potential for
conciliation and convergence on cyber norms. Finally, the research may discover the path
forward for the establishment of international cyber norms.
8
Reading Guide
The path of the research shall be as followed. The focus and relevance of the thesis are
explained in the introduction. Following the introduction, the theoretical framework within
which the study will operate is discussed in chapter two. The thesis will discuss the
methodology in chapter three. The development and analysis of the UNGGE cyber norms
debate in chapter four. In chapter five the study will provide an analysis of the Russian
development of cyber norms and do the same for the Netherlands in chapter six. The results of
all two previous chapters will be analysed to compare and contrast the similarities and
differences in chapter seven. Chapter eight will analyse and determine to what extent cyber has
been securitized. Finally, chapter nine will conclude the thesis, followed by the cited sources.
9
Theoretical Framework A brief examination of the academic literature highlights the lack of commonly accepted
definitions for any cyber or information security related term. This is in part due to the inability
of states to agree on the meaning and means on how to solve many issues in cyberspace. This
chapter will elaborate on the theoretical framework which serves as the foundation of the
research. The first section will explore the concept of (cyber) norms and answer the sub-
question: “What are (cyber) norms?”. The second section will define cyber-space, cyber
conflict, cyber-attack, cyber-security, and information security. These definitions are important
for the continuation and influence the analysis within the thesis. The third section will explore
the theory of securitization and answer the sub-question: “What does the concept of and move
to securitization entail?”.
(Cyber) Norms
Finnemore and Sikkink (1998) define norms as “a standard of appropriate behavior for actors
with a given identity” (Finnemore & Sikkink, 1998, p. 891). Norms in this sense are approached
form a constructivist perspective, whereas a sociologist speaks of institutions when referring
to the same behavioural rules. March and Olsen (1998) define an institution as “a relatively
stable collection of practices and rules defining appropriate behavior for specific groups of
actors in specific situations” (March & Olsen, 1998, p. 948). A difference between norms and
institutions is that norms isolate single standards of behaviours. Institutions on the other hands
focus on a collection of rules and practices and how these are structured together and
interrelated (Finnemore & Sikkink, 1998) . The danger herein is that norms are often discussed
as if they are institutions. Sovereignty, for example, is often discussed as if it is a singular entity,
whereas, in reality, it is a collection of norms whose rules and practices changes over time
(Finnemore & Sikkink, 1998). Cyber norms in this context are thus standards of appropriate
behaviour for actors with a given identity in cyberspace. Cyber-security or information security,
on the other hand, are not singular entities. They are a collection of norms in the form of
practices and rules which change over time and attract new meaning as the norms evolve.
Norms are commonly categorised as either constitutive or regulative norms.
Constitutive norms “create new actors, interests, or categories of action (roles)” and regulative
norms “order and constrain behavior” (Finnemore & Sikkink, 1998, p. 891). Constitutive
norms create or define an activity. Regulative norms establish a set of duties or permissions
(Finnemore & Sikkink, 1998). Mazanec (2015) further distinguishes within the regulative
10
norms between constraining and permissive regulative norms. Constraining norms limit the
behaviour of states, whereas permissive norms suggest that certain behaviour is acceptable and
expected (Mazanec, 2015).
Finnemore and Sikkink go on to suggest a model of the life cycle of norms. The life
cycle suggests when and which norms are likely to reach a tipping point to be accepted. The
life cycle consists of three stages: norm emergence, norm cascade, and norm internalization. In
the first stage, norms entrepreneurs arise who are convinced something has to change
(Finnemore & Sikkink, 1998). These norm entrepreneurs use existing organizations and norms
to ensure the norms are adopted. When a norm has been adopted, it moves on to the second
stage: norm cascade. In the second stage states adopt new norms either in response to
international pressure, to enhance their domestic legitimacy, out of conformity, or for the sake
of their self-esteem (Finnemore & Sikkink, 1998). In the third stage, the norms become
internalized and professionals press for their codification. Over time, these norms are
internalized to an extent that they seize to be seen as norms.
The likelihood of norms reaching the tipping point in the third stage depends on the
timing. The timing is determined by legitimation, prominence, intrinsic qualities, adjacency
claims or path dependence, and world time context. States may adopt certain norms for the
sake of legitimacy or international status (Finnemore & Sikkink, 1998). When their domestic
legitimacy and power wavers, norms are adopted to perpetuate a state’s own ideology. Norms
are also more likely to be adopted when they are held by prominent and powerful states, or
when their intrinsic qualities make adopting said norms more likely. Norms that seek to end
human suffering or promote equality tend to be valued more and are more appealing to many
other states (Finnemore & Sikkink, 1998). Furthermore, norms are more likely to be adopted
when they resemble existing norms or can be derived from it. Norms also tend to arise as a
result of world events like as economic shocks or wars. Such events tend to lead to the search
of new norms and ideas to prevent a reoccurrence of said events (Finnemore & Sikkink, 1998).
Within cyberspace, norms primarily seek “to improve the stability of cyberspace and
remove the incentives inherent to cyberspace that encourage risk taking” (Grigsby, 2017, p.
111). Constraining these incentives should improve the stability of cyberspace and decrease
the risk of a cyber-attack or conflict (Grigsby, 2017).
11
Cyberspace, Cyber-Security, Information Security, Cyber-Attack, and Cyber Conflict In order to discuss the UNGGE norms and the security strategies of the Russian Federation and
the Netherlands, it is important to clarify what is meant by the concepts which are to be used
in this research. These concepts are cyberspace, cyber-security, information security, cyber-
attack, and cyber conflict. This clarification is particularly necessary considering the lack of
generally accepted definitions on any of these concepts.
There are many different approaches to defining cyberspace. However, for the purpose
of the research Kuehl’s (2009) definition of cyberspace will be used. Kuehl definiens
cyberspace as: “a global domain within the information environment whose distinctive and
unique character is framed by the use of electronics and the electromagnetic spectrum to create,
store, modify, exchange, and exploit information via interdependent and interconnected
networks using information-communication technologies” (Kuehl, 2009, p. 28).
Cyber-security, as defined by the Netherlands, is “the state of being free of danger or
damage caused by a disruption or failure of IT or through the abuse of IT. The danger or
damage caused by abuse, disruption or failure may comprise a limitation of the availability and
reliability of the IT, violation of the confidentiality of information stored in IT environments
or damage to the integrity of that information” (NCTV, 2017, p. 59).
Information security as defined by the Russian Federation is “the state of protection of
the individual, society and the State against internal and external information threats, allowing
to ensure the constitutional human and civil rights and freedoms, the decent quality and
standard of living for citizens, the sovereignty, the territorial integrity and sustainable socio-
economic development of the Russian Federation, as well as defence and security of the State”
(MFARFIS, 2016, p. 3).
Both definitions are heavily influenced by their specific interpretation and construction
of threats. These definitions lack a more generalized and objective approach which provides a
clearer distinction between the two definitions. A subjective approach would also influence the
meaning of a cyber-attack and cyber-conflict. Thus, for the purpose of this thesis cyber-security
will be defined as the protection or defence of ICTs in cyberspace, and the protection of those
who function in cyberspace and their assets. These include non-information-based and
vulnerable assets to threats using ICTs (Von Solms & Van Niekerk, 2013).
Information security is defined as the protection of information (data) itself. This
includes information beyond ICTs; meaning both online and offline information and
information which is stored or transmitted not using ICTs (Von Solms & Van Niekerk, 2013).
12
The Netherlands defines a cyber-attack as “a series of actions targeted at information systems,
where the availability, integrity or confidentiality of the information is affected” (NCTV, 2017,
p. 28). The Russian Federation defines a cyber-attack as “an offensive use of a cyber weapon
intended to harm a designated target” (Godwin et al., 2014, p. 44). Both definitions are not
satisfactory in their very specific construction of the target and construction of the “tool” with
which the attack is to be committed. Thus, for the purpose of this thesis a cyber-attack will be
defined as an action or actions within cyberspace targeted at ICTs or those who function within
it, where the availability or integrity of ICTs or ICT dependent systems and information is
damaged or disrupted.
Cyber conflict of this thesis is defined as “a tense situation between and/or among
nation-states and/or organized groups where unwelcome cyber-attacks result in retaliation”
(Godwin et al., 2014, p. 44).
Securitization The potential for retaliation or cyber conflict depends to a degree, whether or cyberspace has
been securitized. This section will conceptualize the Copenhagen Schools theory of
securitization. This conceptualization will be used as a guide the research and used to answer
the sub-questions, including: “Is cyberspace securitized?”.
The Copenhagen Schools securitization theory emphasises the danger of framing a
societal issue as a security issue. As a security issue, extraordinary measures are allowed to be
taken to resolve the issue. The securitizing actor transforms the issue into an existential threat
(Buzan, Wæver, & Wilde, 1998). This is not because an actual objective threat exits but rather
because the actor presents the issue as such. The threat does not have to be real but can be
imaged as well. The weight of a threat depends thus on the perspective of the actor who
perceives the threat. However, for extraordinary measures to be taken, the threat must be
threatening enough (Buzan et al., 1998).
A successful securitization process has several requirements. The first requirement is
to have a securitizing actor; the actor who securitises an issue by declaring it is existentially
threatened. The second requirement is to have a referent object; that which is seen as being
existentially threatened and needs to be protected (Buzan et al., 1998). A third requirement is
an existential threat; that which threatens the referent object. A fourth requirement is functional
actors. Functional actors are “actors who affect the dynamics of a sector, without being the
13
referent object or the actor calling for security on behalf of the referent object, this is an actor
who significantly influences decisions in the field of security” (Buzan et al., 1998, p. 36).
Beyond the securitizing actor, referent object, existential threat, and functional actors
the theory requires an audience to be successful. An audience who accepts the securitizing
actors move to securitize an issue in order for extraordinary measures to be taken (Buzan et al.,
1998). The securitizing actor needs to convince the audience via a speech act that normal rules
are insufficient and need to be changed. If the audience is unconvinced, the securitization
attempt has failed (Buzan et al., 1998).
The success of the speech act is dependent on two conditions: internal and external
conditions. The internal conditions are the linguistic-grammatical construction of the referent
object; meaning the speech act must refer to an existential threat, a point of no return, a solution,
and follow the dialects that are part of the sector (Buzan et al., 1998). An example of such a
dialect is sovereignty for politics. The speech act has a high chance of succeeding when above-
mentioned conditions are met. The external conditions refer to the securitizing actors social
and contextual standing. The securitizing actor needs to be in a position of authority in relation
to its audience. It is also easier for the securitizing actor to construct a security threat if it is
generally perceived to be threatening; such as guns or a tornado (Buzan et al., 1998).
However, Huysmans (2004) argues that this securitization process tends to narrow
democratic elements within a society in order to fight what is perceived as a threat. The law is
replaced with norms which have the same force of the law but not the same form. As a result,
these norms gradually undermine the separation of judicial, legislative, and executive powers
(Huysmans, 2004).
Bigo (2002) argues that through such measures governments have managed to gain
control over the political process by utilizing networks of surveillance and data mining (Bigo,
2002). This is because securitization relies on a set of normative assumptions and not objective
or empirical facts (Buzan & Hansen, 2009).
Trombetta (2008) argues against the negative assumptions made by the Copenhagen
School and as described by Huysmans and Bigo. Trombetta especially argues against the
proposed ‘logic of security’ which suggest the term security evokes and justifies a set of
extraordinary practices (Trombetta, 2008). The logic of security is that of war which follows
a zero-sum understanding of security. The logic of security could supposedly lead to the
depoliticization and marginalization of otherwise serious issues (Trombetta, 2008).
In discussing environmental security, Trombetta argues that the logic of security instead
is more flexible and not as rigid as the Copenhagen School argues. The securitization of
14
environmental issues has reframed the logic of security and the practices with it. As an
antagonistic approach to these environmental threats was not the best way to deal with such
issues (Trombetta, 2008). Preventive measures proved to be more effective. Within
environmental security, the appeal to security has “emphasized the relevance of preventive,
nonconfrontational measures and the importance of other actors than states in providing
security” (Trombetta, 2008, p. 600). Thus, securitization does not have to lead to the adoption
of extraordinary measures. It can also lead to cooperation. In respect to cyber norms, the
securitization of cyberspace thus does not have to lead to states adopting extraordinary
measures. It can lead to the diffusion of an issue and to cooperation.
15
Methodology
Research Design The main focus of this thesis is to examine how the cyber and information security strategies
of the Russian Federation and the Netherlands have developed, and to what extent this can
explain the different ideological approaches toward the UNGGE cyber norms debate. In order
to achieve this purpose, the study will follow a qualitative multiple case study design. The
multiple case study design is chosen as it allows for a more in-depth look at how both cyber
and information security strategies have been constructed over time, and how this has
influenced the international debate on cyber norms. The assumption herein being that their
ideological position towards the cyber norms debate should align with their cyber and
information security strategies.
Case Selection
The Russian Federation and the Netherlands were both chosen as representatives of the two
different ideological sides in the norms debate. The Russian Federation representing the
information security side, and the Netherlands the cyber-security side.
The Russian Federation is a global power in cyberspace and plays a significant role in
the UNGGE discussions. The Russian Federation has also on numerous occasions been accused
of carrying the type of cyber-attacks the UNGGE seeks to limit. The Russian Federation was
chosen instead of the China which tends to focus its efforts in Asia. China has furthermore (so
far) not actively used cyber-attacks as a means to further its foreign policy objectives. The
Russian Federation was also chosen for the sake of convenience and availability of documents
that could be used for this thesis. The Russian Federation simply had more sources available
in English than China.
The Netherlands was chosen over the United States as its position on cyberspace is well
documented within the academic literature and media. A comparison between the United States
and the Russian Federation would result in a battle of great powers and revolve around the
extremes of both ideological positions. The Netherlands allows for a more nuanced comparison
as it does not possess the hard-power of the United States. The Netherlands is forced to rely on
soft-power measures such as diplomacy to further its foreign policy objectives. Latvia, Estonia,
Lithuania, Belarus, Ukraine, and the rest of the East-European states all have a certain bias
against the Russian Federation as their major adversary. Their security strategies would be
influenced by their contentious history.
16
The decision to look at only two states is the result of time constraints. The scope of the
research would become too broad. There are also only two sides to the debate, which would
have meant two more states would have to be added to keep the balance. As stated, the Russian
Federation remains one of the few states of which there enough data available and in English.
A discourse analysis requires a small data set to analyse. Comparing over ten documents of
approximately fifteen UNGGE members would be impossible to do considering the time frame
of the research (+/- 8 weeks).
Research Method The research will use critical discourse analysis to analyse the security strategies of the Russian
Federation and the Netherlands. Discourse analysis allows for the study in the ways language
is used in texts and contexts. It considers the social and historical context which is important
for the study of cyber norms and the ideological positions of states. Through a longitudinal
approach, it becomes possible to see how the norms have changed over time and how the
position of states has changed with respect to the issue. Discourse analysis looks at the overall
strategy and impact of words. It looks at what is written, what is implied, and what is or is
unsaid in a text. As a result, discourse analysis only allows for a small number of text to be
examined. An advantage of discourse analysis is that it is context specific and relevant at any
given moment. It can reveal hidden motives and interpret them if necessary. Meaning in
cyberspace and cyber norms are never fixed and require a certain level of interpretation to be
understood.
To guide the discourse analysis, the study will use Buzan, Waever, and de Wilde’s
(1998) securitization theory. The theory focuses on the framing of speech acts and as such fits
the purpose of this study. The theory can help establish emerging patterns, their presentation,
and evolution of cyber norms by identifying the relevant actors and determine to what extent
the cyber norms and cyber and information security strategies are framed as an existential threat.
The study will primarily use both primary and secondary sources. Primary sources will be in
the form of the Russian Federation and the Netherlands (cyber and information) security
strategies and policies. Secondary sources will be the academic literature. The primary sources
are used as they can provide a historical account of the cyber and information security strategies.
The secondary sources will help to ground the information extracted from the primary sources
into reality and contextualise them.
17
Limitations Discourse analysis does not provide absolute answers. The meaning of a text is never fixed and
open to interpretation and negotiation. This can be problematic when discussing the definitions
of cyber related terms, whose meaning tends to change over time and perspective. However,
as it is the purpose of this study to analyse these changes, discourse analysis remains the most
suitable.
A limitation of using the theory of securitization is that it frames the issue in a certain
way. It is possible that certain frames or angles are missed due to this narrowing process. The
documents which will be analysed are governmental and thus contain a certain type of language.
It is unlikely that the entire truth will be revealed in said documents. Yet, they can still serve
as a good indicator as to the direction both states think in. A final limitation is that the study is
forced to rely on translations when analysing the Russian Federations information security
strategies.
The research also has to take into consideration the fact that there is no consensus on
the definition of any cyber related terms. The security strategies of both the Netherlands and
the Russian Federation tend to use various definitions inconsistently. Thus, although the
researched provides working definitions in the theoretical framework, this reality has to be
taken into account.
18
Data Collection and Analysis The research will focus on the cyber and information security strategies between 2007 and
2017. This 10-year time period is chosen as in 2007 Estonia was the subject of a cyber-attack.
It was the first time a state used cyberspace to advance its own foreign policy objectives. The
attack and rising amount of cyber-attacks subsequently initiated the wider policy discussion on
cyber-security and the necessity of developing norms to govern it (Tamkin, 2017). 2017 was
chosen as this was the year where the negotiations within the UNGGE came to a halt, and the
pursuit towards cyber norms was ceased until further notice.
Documents Used United Nations Group of Governmental Experts
1. Resolution Adopted by the General Assembly A/RES/53/70: Developments in the field
of information and telecommunications in the context of international security (1998)
2. Resolution Adopted by the General Assembly on 8 December 2003 A/RES/58/32
Developments in the field of information and telecommunications in the context of
international security (2003)
3. Report of the Group of Governmental Experts on Developments in the Field of
Information and Telecommunications in the Context of International Security (2010)
4. Report of the Group of Governmental Experts on Developments in the Field of
Information and Telecommunications in the Context of International Security (2013)
5. Report of the Group of Governmental Experts on Developments in the Field of
Information and Telecommunications in the Context of International Security (2015)
6. Report of the International Security Cyber Issues Workshop Series (2016)
Russian Federation
1. Russia’s National Security Strategy to 2020 (2009)
2. Military Doctrine of the Russian Federation (2010)
3. Conceptual Views Regarding the Activities of the Armed Forces of the Russian
Federation in the Information space (2011)
4. Basic Principles for State Policy of the Russian Federation in the Field of International
Information Security to 2020 (2013)
5. Military Doctrine of the Russian Federation (2014)
6. Russian National Security Strategy (2015)
19
7. Doctrine of Information Security of the Russian Federation (2016)
8. Foreign Policy Concept of the Russian Federation (2016)
9. Letter dated 12 September 2011 from the Permanent Representatives of China, the
Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the
Secretary-Genera (2011)
10. Letter dated 9 January 2015 from the Permanent Representatives of China, Kazakhstan,
Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan to the United Nations
addressed to the Secretary-General (2015)
The Netherlands
1. The National Cyber Security Strategy (NCSS) (2011)
2. The Defence Cyber Strategy (2012).
3. International Security Strategy: A secure Netherlands in a Secure World (2013)
4. Netherlands Defence Doctrine (2013).
5. The National Cyber Security Strategy 2 (NCSS) (2013).
6. International Cyber Strategy – Building Digital Bridges – Towards an Integrated
International Cyber Policy (2017).
7. Wereldwijd voor een veiling Nederland – Geïntegreerde Buitenland-en-
Veiligheidsstrategie 2018-2022 (2017).
8. Developments in the field of information and telecommunications in the context of
international security A/66/152 Report of the Secretary-General (2011).
9. Developments in the field of information and telecommunications in the context of
international security A/68/156/Add.1 (2013).
10. Developments in the field of information and telecommunications in the context of
international security- Resolution 69/28 (2015).
11. Developments in the field of information and telecommunications in the context of
international security- Resolution 71/28 (2017).
Operationalization
The following concepts are operationalized as a means to guide the research into indicators
along which the discourse analysis can be codified and the data be analysed.
20
Theory Concept Definition Indicators Securitization (Buzan, Waever, and Wilde, 1998).
Securitization The process in which a security actor frames a societal issue as an existential threatened by declaring a referent object – which justifies the usage of extraordinary measures to resolve the issue. Buzan, Waever, and Wilde identify several conditions Referent objects Securitizing actors Functional actors Speech act
Securitizing actors The actors who securitize an issue by declaring an it being existentially threatened Existential threat The object that is potentially harmful The referent objects Issues that are seen to be existentially threatened and have a claim to survival. Functional actors Actors who are not the referent or securitizing actors, but who significantly influences decisions in the security field. Speech act/Audience The target audience that must be convinced by the securing actors construction of the referent objects perceived threat.
Norms (Finnemore and Sikkink, 1998)
Norms A standard of appropriate behaviour Finnemore and Sikkink differentiate between two different type of norms: Constitutive and Regulative
• Constraining regulative (Mazanec, 2015)
• Permissive regulative (Mazanec, 2015)
Constitutive norms Constitutive norms create new actors, interests, or categories of actions. Regulative Norms Regulative norms order or constrain behaviour and can influence a states behaviour. (1) Constraining regulative norms
Indicate that certain behaviour is not acceptable. (2) Permissive regulative norms Indicates that certain behaviour is acceptable.
Model of the life cycle of norms (Finnemore and Sikkink, 1998)
Life cycle of norms
Suggests when and which norms are likely to reach a tipping point to be accepted. The life cycle has three stages: Norm emergence Norm cascade Norm internalization
Norm emergence Norm entrepreneurs arise that are convinced something much change. Norm cascade States adopt new norms in response to international pressure, conformity, esteem, and to enhance their domestic legitimacy. Norm internalization Norms become internalized as professionals press for the codification and adherence to these norms.
21
Validity and Reliability As the study follows a case study design, it has a limited external validity. The results cannot
necessarily be generalized onto other contexts. A similar study applied to two different states
on both ends of the ideological spectrum should provide similar results. However, there will
naturally be case specific differences.
Although a multiple case study of all UNGGE involved nations would have improved
the reliability, time constraints prevent the possibility. The scope of the research would be too
wide for a master thesis and difficult to control. The vast difference in the available
documentation would make any comparison unbalanced. The fact that the documents used are
institutional documents, which influences the language used in each document. This will
influence the reliability of the data and has to be taken into consideration. This can be resolved
through the use of discourse analysis, where context matters.
By using the theory of securitization through discourse analysis, specific boundaries
are set up which improve the reliability and validity of the research. However, in the case of
the Russian Federation, the language barrier has to be noted, which influences the language
used.
22
United Nations Group of Governmental Experts and Cyber Norms The UNGGE is one of the most important venues for discussing issues on cyberspace and
international security. Reports issued by the UNGGE are important in their ability to shape the
global agenda on cyber-security. Each report adds to the growing progress of creating an
international agreement on responsible state behaviour in cyberspace (Lewis & Vignard, 2016).
The purpose of this chapter is to discuss and discuss the sub-question: “How has the discussion
on cyber norms evolved within the UNGGE working group?”. The chapter has been divided
into three sections: norm emergence, to determine how the UNGGE came into being; norm
cascade, where the norms will be categorised and discussed; and norm internalization, to
discuss the breakdown of the UNGGE and its future. A future which is determined by the norm
entrepreneurs in the first stage of the life cycle of norms.
Norm Emergence
In the first stage of the life cycle of norms, norm emergence, norm entrepreneurs arise who are
convinced something must change (Finnemore & Sikkink, 1998). There are many different
actors within the UNGGE who could be considered norm entrepreneurs. Designating these
norm entrepreneurs is problematized due to the inherent nature of cyberspace. Cyberspace is
an all-encompassing entity which touches upon all aspects of society. This results in an
inexhaustible number of different actors who compete for different threat perceptions (Hansen
& Nissenbaum, 2009). Securitization theory assumes the opposite. Although the theory does
account for multiple actors, the initiation of the process is done, arguably, by a single
securitizing actor (Buzan et al., 1998). The securitizing actor declares an issue as existentially
threatened and by doing so, allows for extraordinary measures to be used to resolve the issue
(Buzan et al., 1998). In contrast, the life cycle of norms suggests that norm entrepreneurs will
respond to the same issue by creating new norms.
What the model and theory have in common is that they both see the state as the most
important actor (Buzan et al., 1998; Finnemore & Sikkink, 1998). Although non-state actors
can be norm entrepreneurs, only states can adopt and press for the internalization of norms.
Similarly, only states can effectively securitize an issue and use extraordinary measures
through the logic of security (Buzan et al., 1998). In the context of the UNGGE, state actors
also serve as the most important actor, even if only non-state actors are not allowed to
participate. However, the cyber norms debate does not only exist within the boundaries of the
23
UNGGE and has been influenced by both state and non-state actors. Each who on their own
called for the creation of an international agreement on cyber norms.
A particular notable non-state effort was the Tallinn Manual 1.0 and 2.0 (M. N. Schmitt,
2013). With the support of the NATO Cooperative Cyber Defence Centre of Excellence
(CCDCOE) the manuals focused on the legal obligations of states in cyberspace (Schmitt, 2013,
2017) . In essence, the 1.0 Manual focused on interpreting how norms apply the conduct of
states in cyberspace. The 2.0 Manual significantly expanded the scope of the first manual,
expanding to include state responsibility, peacetime international law, sovereignty, attribution,
and human rights law (Schmitt, 2017). Much of the work done by the Tallinn manual is
reflected within the UNGGE norm construction. Non-state actors can be considered norm
entrepreneurs and functional actors, as each successive action, to some extent, shaped and
informed the UNGGE reports. Nonetheless, the relationship between state and non-state actors
is, in terms of power and resources, marked by a balance that is clearly in favour of states
(Bannelier & Christakis, 2017).
One of the first state actors to declare the necessity for change at the UN was the
Russian Federation in 1998 (A/RES/53/70, 1998). In resolution 53/70, Russia warns of the
potential misuse of information technologies by criminals and terrorists. The resolution further
suggests something must be done and calls for the development of international principles
(A/RES/53/70, 1998). In doing so, the Russian Federation fulfils the requirement to be
classified as a norm entrepreneur and potentially a securitizing actor. Criminals and terrorists
are both functional actors, in serving as existential threats. Yet, despite this, the resolution fails
to suggest a point of no return or a concrete solution and fails the international conditions of
the speech act. The Russian Federation is in a position of authority as a permanent member of
the UN Security Council. However, there are still issues concerning the audience it has to
convince.
The UN General Assembly should in this instance be the audience, be convinced by the
Russian Federations construction of the threat and solution. However, the resolution was
adopted without a vote first by the First Committee of Disarmament and International Security
and subsequently by the UN General Assembly. Meaning, in both instances there technically
was no audience to convince (A/RES/53/70, 1998). If there was an audience, it would have to
be the members of the First Committee Bureau (Belgium, Kazakhstan, Chile, Belarus, and
Egypt) who made the decision to accept the resolution (UNGAFC, 1998). However, this would
be a stretch as none of the official UN documents indicate any form of discussion on the subject
had taken place (A/RES/53/70, 1998). As such, the Russian Federations 1998 resolution can at
24
best be considered a securitization attempt by a norm entrepreneur, but one that did not meet
all of the required criteria to be successful. Since the 1998 resolution, the issue has become part
of the UN and evolved through multiple resolutions which were equally all adopted without a
vote.
The 2003 58/32 resolution notes an existential threat and functional actors in the
potential misuse of information technologies for criminal and terrorist purposes. The referent
object has evolved from the 1998 resolution and adds beyond international security and
stability the integrity of infrastructure of states, the security of states in the civil and military
field (A/RES/58/32, 2003). It also called for the creation of the UNGGE but did not call for the
creation of cyber norms. This was done in the UNGGEs 2010 report ( A/65/201, 2010).
The 2010 report reaffirmed the existential threat as the malicious use of tools and
technologies by criminals and terrorists. It created a new existential threat in expressing
concern about the potential usage of ICTs by states as instruments for warfare, intelligence, or
political purposes ( A/65/201, 2010). As a result of these concerns, the 2010 report calls onto
states to cooperate in developing a shared understanding on the use and prevention of these
malicious tools. International cooperation and the creation of cyber norms were emphasised as
being the way to reduce and prevent any misconceptions between states and threats to
international peace and security ( A/65/201, 2010). The 2010 report further recognises the role
the private sector and civil society as functional actors in reducing these threats. However, the
dominant role within the cyber norms debate remained assigned to the states themselves
( A/65/201, 2010).
Naming the 2010 report a successful securitization effort, would suggest an end to the
process and lead to the use of extraordinary measures, which clearly has not been the case. It
would also assume that each new state that joined the UNGGE agreed with the construction of
the referent objects and existential threats by the 2010 UNGGE member states and does not
take into account the somewhat arbitrary selection of the UNGGE members.
Members of the UNGGE were selected based on regional and political position and the
level of interest shown by the state to ensure an equitable geographical distribution. Members
of the UN Security Council (UNSC) were added automatically as part of the UN regulations
(Lewis & Vignard, 2016). It is difficult thus determine the direct level of interest of
participating member had shown prior to joining the UNGGE. Table 1 shows that with each
successive round, the interest in the UNGGE and creation of cyber norms has grown (Lewis &
Vignard, 2016).
25
Table 1 Participating Members UNGGE 2004-2005 2009-2010 2012-2013 2014-2015 2016-2017 Belarus Brazil China France Germany India Jordan Malaysia Mali Mexico Republic of Korea Russian Federation South-Africa United Kingdom United States of America
Belarus Brazil China Estonia France Germany India Israel Italy Qatar Republic of Korea Russian Federation United Kingdom United States of America
Argentina Australia Belarus Canada China Egypt Estonia France Germany India Indonesia Japan Russian Federation United Kingdom United States of America
Belarus Brazil China Colombia Egypt Estonia France Germany Ghana Israel Japan Kenya Malaysia Mexico Pakistan Republic of Korea Russian Federation Spain United Kingdom United States of America
Australia Botswana Brazil Canada China Cuba Egypt Estonia Finland France Germany India Japan Kazakhstan Kenya Mexico Netherlands Republic of Korea Russian Federation Senegal Serbia Switzerland United Kingdom United States of America
Source: (Lewis & Vignard, 2016).
It is important to note that due to the UNGGE rules, the Russian Federation as a permanent
member of the UNSC was part of the discussion since the first UNGGE in 2004. In contrast,
the Netherlands had to lobby or wait for its position in the 2016-2017 UNGGE and as such has
arguably been less influential in the debate. However, non-participating states were still able
to submit their official response to the UN General Assembly and vote on the final report and
continuation of each successive UNGGE (Lewis & Vignard, 2016). Within this context, the
non-participating members can be called functional actors in their ability to influence the
decisions made in the security field. They can only tentatively be named norm entrepreneurs
as their willingness to submit official responses indicated an interest and belief that something
must change. However, as their official responses were reactive instead of proactive, it cannot
be said they fully embrace the proactive qualities required of a norm entrepreneur. However,
naming the permanent members as norm entrepreneurs is equally problematic considering the
selection process. What can be said is that irrespective of the existence of securitizing actors
and norm entrepreneurs, the UNGGE discussion moved on from the norm emergence stage,
and onto the second, norm cascade stage. The potential lack of these actors and entrepreneurs
does question whether the norms in the 2013 and 2015 reports can be classified as norms to
begin with.
26
Norm Cascade This may be difficult considering the way both reports discuss the norms. The 2013 report
speaks of “recommendations on norms, rules, and principles of responsible behaviour by states”
(A/68/98, 2013, p. 8). The 2015 report changes this by only speaking “norms, rules, and
principles for the behaviour of States” (A/70/174, p. 7). The paragraphs do not make clear
which are norms, which are rules, and which are principles. However, accepting Finnemore
and Sikkings definition of (cyber) norms, norms are a set of rules and practices which govern
the behaviour of states (Finnemore & Sikkink, 1998). The differentiation between norms, rules,
and principles is minimal. As Shannon (2000) argues, “the more parameters norm possesses,
and the more ambiguous those parameters are, the easier it is for actors to interpret them
favourably” (Shannon, 2000, p. 293). This is beneficial to the UNGGE considering that both
the UNGGE governmental experts and the UN General Assembly have to reach a consensus
to release the final report (Lewis & Vignard, 2016).
A result of this consensus making is that the norms in the 2013 and 2015 reports cover
similar themes from which they do not deviate extensively. The norms can be categorized into
three themes: international law and human rights; infrastructure; and prevention, deterrence,
and attribution (A/68/98, 2013; A/70/174 2015). The themes represent the overarching points
of discussion within the UNGGE and the ideological division between the Russian Federation
and the Netherlands. In essence, international law and human rights determine the prevention,
deterrence, and attribution measures a state can undertake to protect their construction of its
infrastructure. The three themes are thus interrelated and affect the way states approach each
issue and the UNGGE debate overall. The three themes will thus be used in the rest of the thesis
as a means to better structure the research.
International Law and Human Rights
The 2013 UNGGE report was hailed as a landmark report as it concluded that international was
applicable to the use of ICTs by states in the ICT-environment (A/68/98, 2013). However, the
report fails to explain how or to what extent international law is applicable, or what it meant
by ICT-environment. Following Kuehl’s (2009) definition of cyberspace, ICTs are used as a
means to operate and connect with cyberspace. The use of ICT-environment instead may be a
more concrete and specific way for the UNGGE to focus on the use of ICTs by states, instead
of the more abstract nature of cyberspace. Nonetheless, it is still part of cyberspace and will be
27
referred to as such in order to avoid adding unnecessary confusion to the already ambiguous
UNGGE reports.
In their use of ICTs, States must observe, among other principles of international law, State sovereignty, sovereign
equality, the settlement of disputes by peaceful means and non-intervention in the internal affairs of other States.
Existing obligations under international law are applicable to State use of ICTs. States must comply with their
obligations under international law to respect and protect human rights and fundamental freedoms; (A/70/174,
2015, p. 12).
The 2015 UNGGE report adds some clarification by explaining which principles of
international are applicable to the use of ICTs by states as mentioned above (A/70/174, 2015).
However, like the 2013 report, the 2015 report fails to explain how these principles apply to
the behaviour of states. It also fails to explain if and to what extent the respect to protecting
human rights and fundamental freedoms override a state’s rights of sovereignty, non-
intervention, and territorial integrity (A/70/174, 2015). Besides, as Von Heinegg (2015) argues,
there already is a general consensus that the laws, principles, rights, and freedoms as listed
above apply to the behaviour of states in cyberspace. The disagreement is not whether they
apply, but how they apply to cyberspace. As such they can therefore not really be considered
constitutive norms, as they do not extend a state power, create new interests or categories of
action. They are at best constraining regulative norms in that they limit the behaviour of states
instead of permitting certain behaviour through permissive regulative norms.
This lack of permissive regulative norms makes it difficult to argue what states are
allowed to do in cyberspace in relation to international law and the respect of human rights and
fundamental freedoms. This affects the way states approach prevention, deterrence, and
attribution measured by allowing states to interpret to an extent the manner in which they seek
to protect their infrastructure, which in itself has its definitional issues.
Infrastructure
The definitional issues concern the difference between the various ways the UNGGE addresses
the protection infrastructure. In general, the UNGGE reports norms speak of either critical
infrastructure or critical information infrastructure but fail to provide a definitional difference
between them. Lopez, Setola, and Wolthusen (2012) attempt to make a distinction between the
two definitions. They define critical infrastructure as those that are essential for the continued
availability and reliability of services. When these critical infrastructures are disrupted or
28
unavailable, they could cause severe economic damage or a loss of life (Lopez, Setola, &
Wolthusen, 2012). Critical information infrastructure is considered a critical infrastructure in
itself to stress the importance of the ICT sector. However, is also unique in that it provides the
interconnectedness and is a fundamental component to the operating of other critical
infrastructure. (Lopez et al., 2012). The problem with this definition is that the classification is
entirely dependent on the perspectives of states, who do not all agree what is or what is not part
of its critical infrastructure or critical information infrastructure (Mattioli & Levy-Bencheton,
2015).
The lack of explanation within the UNGGE reports is problematic as the report does
make an explicit difference between the two within the norms. The UNGGE norms mainly
address the critical infrastructure of states through permissive regulative norms and frame them
as referent objects. States are asked to protect their critical infrastructures; cooperate with states
whose critical infrastructures are “subject to malicious ICT acts”; and report responsibly on
ICT vulnerabilities as a means to reduce threats to ICT-dependent infrastructure (A/68/98,
2013; A/70/174, 2015, p. 8).
A State should not conduct or knowingly support ICT activity contrary to its obligations under international law
that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical
infrastructure to provide services to the public (A/70/174, 2015, p. 8).
States are asked through a single constraining regulative norm not to damage or impair the use
of critical infrastructure which provide services to the public. The phrasing of the norm does
not make clear whether this indeed means the protection of critical infrastructure which
provides services, or to the ability of a state to provide services to the public. It also does not
explain what may be classified as critical infrastructure which provides services to the public,
as technically all infrastructure provides some services to the public. In its current state, it does
suggest that states are allowed to conduct and knowingly support ICT activity against critical
information infrastructure and is not to be considered a referent object.
The only information infrastructure referent object mentioned is the authorised
emergency response team’s information systems (A/70/174, 2015). This specification is still
problematized by the different criteria used by states in designating what are or what are not
authorised emergency response teams. The report also does not make clear to what extent a
difference will be made between public and private teams. According to the European Union
Agency for Network and Information Security (ENISA), the Russian Federation has 2
29
emergency response teams, whereas the Netherlands has 19 (ENISA, n.d.). The designation of
these teams is therefore somewhat arbitrary and explains how different perspectives by states
can result in different outcomes.
It does however not explain how both critical infrastructure and critical information
infrastructures fit within the framework of international law, human rights, and fundamental
freedoms. It makes it difficult to determine the boundaries of these referent objects. This
especially considering that the most significant threat to states is not damage or disruption of
their infrastructure, but rather cyber espionage or hacktivism.
These activities are largely perpetrated by non-state actors and do not have to damage
or impair the critical infrastructure or critical information infrastructure of a state (Bendovschi,
2015). Instead, states were more likely to be victims of a cyber-attack which granted
unauthorised access to information (Bendovschi, 2015). Espionage has an ambiguous position
in international law and is technically not forbidden by it; although the practice is frowned
upon by other states (Weissbrodt, 2013). States may want to avoid discussing cyber-espionage
in the UNGGE context. It would lead to an entirely separate discussion on the legality of
espionage and states rarely articulate their views on the relationship between espionage
(intelligence activities) and international law (Deeks, 2017). This is because states tend to
refrain from limiting their own flexibility in protecting themselves through means that are not
unlawful (Deeks, 2017).
However, discussing cyber-espionage would arguably fall within the mandate of the
UNGGE. Its mandate as established in resolution 58/32 is to “consider existing and potential
threats in the sphere of information security and possible cooperative measures to address them”
( A/RES/58/32, 2003, p. 2). Cyber-espionage is an existing threat within the sphere of
information security but does not necessarily threaten to damage or disrupt the infrastructure
of states. This argument is however entirely dependent on how the UNGGE defines existing
threats; something which it has not done in any of its reports.
Yet, there is no doubt that the UNGGE has securitized critical infrastructure and critical
information infrastructure. What that means however, is up to the interpretations of states. It
has arguably less to do with their physical structures, but more with their ability to provide
services. It could indicate that it would not matter if a specific infrastructure was damaged, as
long as its overall ability to provide services to the public was not inhibited. This ambiguity
can be problematic when discussing prevention, deterrence, and attribution measures which are
heavily dependent on what is or what is not deemed a referent object, and what is or is not an
existential threat.
30
Prevention, Deterrence, Attribution.
Most of the prevention, deterrence, and attribution measures presented within the norm revolve
around the notion that cooperation and the exchange of information can reduce the threats from
cyberspace (A/68/98, 2013; A/70/174 2015). However, much like the other norms, the norms
on prevention, deterrence, and attribution are limited and ambiguous.
States should cooperate in developing and applying measures to increase stability and security in the use of ICTs
and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace
and security (A/70/174, 2015, p. 7)
The norms on prevention, deterrence, and attribution are mainly framed as permissive
regulative norms and promote cooperation and the exchange of information (A/68/98, 2013;
A/70/174 2015). States are asked to not knowing let their territories be used for international
wrongful acts (A/70/174, 2015). The report fails to mention what international wrongful acts
are or how states are supposed to prevent these acts. In many cases, cyber-attacks are only
discovered as they occur, and others are only discovered after they have run for several months
or even years (Guitton, 2017). An example of this is Stuxnet. Researchers at Symantec believe
that the computer was developed as early as 2005 and deployed in 2007. However, the attack
was only discovered years later in 2010 (Finkle, 2013). As such, it is difficult for states to take
appropriate measures to prevent and protect their infrastructure from these threats.
Yet, states are still asked within the UNGGE norms to take reasonable measures to
ensure the integrity of the ICT supply chain, prevent the proliferation of malicious ICT tools,
techniques, and the use of harmful hidden functions (A/70/174, 2015). Abelson et al (2015)
argue that instead of leading to more security, such preventative measures would lead to less
security (Abelson et al., 2015). It would limit the number of available tools and mean that the
malicious actors would concentrate their efforts on only a small number of targets. Furthermore,
despite these measures, there will always be many different alternatives available for state and
non-state actors to acquire their tools and will not deter them in their activities (Abelson et al.,
2015).
Although the measure has a deterrence quality, the UNGGE norms do not address
issues concerning deterrence directly and they are mainly grouped together with preventative
measures (A/70/174, 2015). The issue is that the constraining regulative norms only limit
behaviour and seek to prevent it, but do not actively seek to deter it as well. This is rather
problematic considering that deterrence can play a significant role in regulating the behaviour
31
of states in cyberspace. Nye (2016) argues that the effectiveness of deterrence measures in
cyberspace depend on who and what measure is taken. They would rely on evoking
humanitarian law and call upon the taboo of using cyber-attacks against civilians (Nye, 2016).
As such, these deterrence norms may only be effective against major states and less so against
non-state actors and has to deal with issues of attribution (Nye, 2016).
The UNGGE does not directly discuss attribution or what measures states through
responsibility are supposed to undertake. The norms only mention that states should consider
the relevant information in terms of the larger context of the incident, the challenges of
attribution, and the extent of the consequences of attributing an incident (A/70/174, 2015). As
it stands, states can be held accountable failure to exercise under the principle of due-diligence
(Kulesza, 2009). States are expected to undertake reasonable measures, yet the UNGGE reports
does not explain responsibility to such an extent and neglect to mention it for the most part.
This despite the fact that responsibility is one of the major aspects of the cyber norms debate,
especially considering the legal definitions of aggression, use of force, and cyber-attacks
(Kulesza, 2009). Without a proper mechanism to determine state responsibility, states could
potentially unilaterally interpret the self-defence article (article 51 UN Charter) within
international law and end up in a cyber conflict (Kulesza, 2009; United Nations, 2015).
A further significant issue is however that most of these measures are focused on state-
actors instead of non-state actors. This despite the fact that non-state actors demand much more
attention than state actors and represent the actual dominant threat (Schmitt & Watts, 2016).
However, the state-centric approach of international law in inadequate the address the
challenge made by non-state actors in cyberspace. The added principles associated with
sovereignty and non-intervention further limit the states legally in dealing with or using cyber
operations against non-state actors (Schmitt & Watts, 2016). It makes sense that non-state
actors are not included within the UNGGE cyber norms debate.
Nonetheless, in their current form, the norms premature and require multiple iterations
before they potentially could be considered sufficient enough. In their current frame, the norms
feel more like placeholders; topics which are important and which will be discussed at a later
date. As such, it cannot be said that the norm cascade stage has been successful and is thus
unable to move onto the norm internalization stage.
32
Norm Internalization The unsuccessful move came in part as a result of the 2016-2017 UNGGE. The discussion at
the 2016-2017 UNGGE had, amongst others, moved towards discussing how international law
applied to states in cyberspace. At the centre of the discussion were the international
humanitarian law (IHL), right to self-defence, and state responsibility (Markoff, 2017). The
final report was supposed to address and clarify the application of these issues and move away
from the ambiguity of the previous reports. However, certain states were no longer willing to
apply these international law, rules, and principles onto cyberspace. They believed that they
should be free to act in cyberspace to achieve their political ends without limits or constraints
(Markoff, 2017; Rodrigues, 2017).
The same group of states believed that certain parts of international law were
incompatible with the objective of the UNGGE to seek the peaceful settlement and prevention
of conflicts. This fear was particularly aimed at the inclusion of IHL, state responsibility, and
the right to war (jus ad bellum) (Markoff, 2017; Rodrigues, 2017). It was thought that states
could potentially use international law to justify punitive actions such as sanctions or military
actions in cyberspace. States could do so by claiming to be victims of a malicious cyber-attack
and under the justification of self-defence retaliate (Mačák, 2017; Markoff, 2017; Rodrigues,
2017).
This frame of logic follows the securitization theories logic of security in a rather
conflicting way. In essence, they are securitizing against what they believe is a successfully
securitization process of other states. They believe other states will use extraordinary measures
to resolve their issues. The UNGGE reports naturally do not reflect this sentiment, although its
ambiguous does leave a lot much room for interpretation.
Dependent on this interpretation, it may appear that there is indeed a way in which
states are able to justify their “punitive” response. This is especially true concerning the norms
on prevention, deterrence, and attribution (A/70/174, 2015). The lack of clarity on these norms
may allow states to respond in certain ways which could be deemed to go against the
international law, rules, and principles in cyberspace. States are only asked to take into account
several considerations, but no limit is placed in their response or how this relates to issues of
responsibility.
The logic of security in the argument suggests states could securitize any cyber-attack
and use this frame to justify extraordinary measures. However, the 2013 and 2015 reports do
not discuss the issue of self-defense or the right to war (jus ad bellum) (A/68/98, 2013;
33
A/70/174 2015). The possibility for securitization through this framework is therefore only
possible due to the ambiguities as present in the reports. Instead, the reports securitized for the
most part states critical infrastructure and critical information infrastructures as referent objects
and criminals and terrorists, and extremists as existential threats. States in this instance were
framed as both referent objects and existential threats.
How these ambiguities in framing are understood, depends greatly on the interpretation
of the states that encounter them. The following chapters will delve into the security strategies
of the Russian Federation and the Netherlands, to determine their position towards these
contentious issues by using the three main themes as derived from the 2013 and 2015 reports,
namely: international law and human rights; infrastructure; and prevention, deterrence, and
attribution. The lack of clarity on these issues within the UNGGE invites states such as the
Russian Federation and the Netherlands to take different interpreting positions and lead to
unnecessary complex situations which are difficult to resolve and ensure the application of
international law in cyberspace.
34
The Russian Federation and Cyber Norms The Russian Federations information security development has, much like the UNGGE cyber
norms debate, been shaped by its complex relationship with international law. This approach
will have a significant influence in the way they interpret and approach the cyber norms as
presented in the 2013 and 2015 reports. Therefore, the purpose of this chapter is to answer the
sub-question “How is the development of international cyber norms framed within the Russian
Federations approach to information security?”. The approach of the Russian Federation within
is security strategies is often difficult to parse due to its often ambiguous and contradictory
nature.
International law and Human Rights
The starting position of the Russian Federation towards the UNGGE is that the existing rights,
principles, and obligations as derived from international law are insufficient to protect them in
cyberspace. They believe that current laws are unable to prevent potential malicious actors
from damaging or disruption its information infrastructure (A/66/359, 2011; A/69/723, 2015).
In contrast, the Russian Federation also argues that adherence to international law is in the
national interest and part of its national security objectives (MFARFFP, 2016; SCRF, 2013).
The solution to this contrasting position is for the Russian Federation the creation of a separate
international information security system (IISS) (MFARFIS, 2016; MODRF, 2011).
The overarching purpose of the IISS would be to counter the potential malicious use of
ICTs for activities which run contrary to existing international law, rights, principles, and
obligations (MFARFIS, 2016; MODRF, 2011). To realise this, the Russian Federation seeks
to create new laws or amend existing ones, until they are tailored to the specific interest of the
Russian Federation.
To contribute to the development of regional systems and establishment of a global information security system
based around universally recognized principles and standards of international law (respect for state sovereignty,
non-interference into internal affairs of other states, refraining from the threat or use of force in international
relations, right of individual and collective self-defence, respect for human rights and fundamental freedoms)
(SCRF, 2013, p. 6)
The interest of Russia is to have the IISS exist within the sphere of the UN and be linked to
“generally accepted principles of international law” such as sovereignty, territorial integrity,
and non-intervention (SCRF, 2013). However, beyond this, little is explained about its actual
35
construction and functioning. Nonetheless, some assumptions about its functioning can be
made based on the recommendations of the members of the Shanghai Cooperation (A/66/359,
2011; A/69/723, 2015).
In their 2011 and 2015 letters to the UN General Assembly, the Russian Federation,
amongst others, provided a codes of conduct to the UNGGE debate to provide an alternative
perspective against the UNGGE norms (A/66/359, 2011; A/69/723, 2015). However, despite
their presentation, these codes of conduct do not entirely qualify as norms along the line of the
UNGGE.
Like the UNGGE norms, a code of conduct are non-legal, in that the intent to adhere to
these norms or codes is derived from the context and environment they were created in (Bothe,
1980). The difference is that the UNGGE norms eventually have the potential to become legal
norms whereas the codes of conduct do not. The codes of conduct rely on a voluntary adherence
to the principles of sovereignty, non-intervention, territorial integrity, but do not include a legal
responsibility (A/66/359, 2011; A/69/723, 2015). The UNGGE reports do not discuss
responsibility or legal consequences either but do suggest that international law is applicable
in cyberspace (A/68/98, 2013). Thus, although the UNGGE norms currently do not qualify as
legal norms, it is mainly due to a lack of specification, clarification, and progress.
The purpose of the codes of conduct and the IISS combined is to establish a regime
with a voluntary adherence to universally recognized principles and standards of international
law but without any of its enforcement mechanisms (Von Heinegg, 2015). The issue is that the
UNGGE generally agrees on the inclusion of these principles (A/68/98, 2013; A/70/174 2015).
The difference being the development and interpretive position the Russian Federation has with
respect to these principles. These principles through the IISS are for the most part an effort by
the Russian Federation to extend its control over cyberspace (Von Heinegg, 2015).
This effort is problematized in respect to international law concerning human rights and
fundamental freedoms. The UNGGE takes a strict stance on protecting and ensuring these
rights and freedoms are universally applied in cyberspace (A/68/98, 2013; A/70/174 2015). In
contrast, the Russian state seeks to remain the guarantor of security and the rights of its citizens.
Meaning, the state should be responsible for the protection of these human rights and
effectively determine which rights and freedoms apply and which do not.
For the Russian Federation, the purpose of international law and the UNGGE cyber
norms should not be to limit or regulate the behaviour of states. Instead, the UNGGE norms
should focus on preventing the malicious use of ICTs by states and non-state actors altogether
(MODRF, 2011). The belief is that state and non-state actors could potentially use malicious
36
ICTs to damage or disrupt the Russian Federations information infrastructure for criminal,
terrorist, extremist, or separatist purposes (MOFRF, 2014; MFARFFP, 2016; SCRF, 2009,
2013). Sovereignty in this context is for the Russian Federation absolute. It awards each state
the right to manage its own cyberspace according to its domestic laws and regulations.
Sovereignty therefore also extends to give each state the right to control the flow of incoming
and outgoing information and as a result prevent the malicious use of ICTs (Krutskikh &
Streltsov, 2014).
Yet, despite being a fervent proponent of the sovereignty of states, the Russian
Federation fears said principle in relation to the use of self-defence. This in particular concerns
IHL and the use of force to include a cyber component (Krutskikh & Streltsov, 2014). The fear
is that the inclusion of a cyber component could lead to the legitimization of cyberconflicts
through the right of self-defence as described in article 51 of the UN Charter (UN Charter,
2015). The cyber-attack could be framed as the use of force and potentially lead to states using
extraordinary measures to defend themselves against the attack (Krutskikh & Streltsov, 2014).
An inherent issue in this logic for the Russian Federation is the possibility for wrongful
attribution (Krutskikh & Streltsov, 2014).
Although this may have been the case in the past, most cyber-attacks can and are
identified and attributed accurately (Jensen, 2012). The fear that a cyber-attack could justify a
cyber conflict also remains unsupported. Besides, not every cyber-attack which violates a
state’s sovereignty could convincingly be qualified as a use of force and trigger the self-defence
mechanisms (Von Heinegg, 2015). The UNGGE suggest that states are allowed to undertake
measures consistent with international law and the UN Charter, which would include Article
51. However, the right to self-defence in Article 51 is only permitted in cases of an armed
attack which cyber-attacks currently are not classified as (UN Charter, 2015). However, this
entirely depends on the definition cyber-attacks may obtain in the future. The lack of
clarification in the UNGGE reports can thus be dangerous if left open to the interpretation by
states.
The discussion on this issue during the 2016-2017 UNGGE did however not lead to a
consensus on the matter; indicating that the Russian Federation and its allies were unable to
convince the other participating members of their concerns (Lewis & Vignard, 2016). The push
for control by the Russian Federation is directly linked to the framing and interpretation of its
referent objects, the Russian information infrastructure, whose functioning is linked to its
sovereignty and survival.
37
Infrastructure Infrastructure in the Russian Federation is predominantly approached as information
infrastructure. Information infrastructure refers to the systems and means which use and store
information (SCRF, 2013). Unlike the UNGGE, the Russian Federation does not frequently
mention its critical information infrastructure and fails to explain the definitional difference
adequately. Instead, it focuses more on discussion its information infrastructure and critical
infrastructures separately, although they both fall under the Russian Federations national
security umbrella (MODRF, 2010, 2014). For Russia, the information infrastructure has to
remain a safe environment within which information can be circulated safely, is reliable, and
where damaging and disrupting impacts can be resisted. This resistance is framed as the
protection of human and civil rights, and to sustain the socio-economic development of the
Russian Federation (MFARFIS, 2016).
Enhancing the safe operation of information infrastructure objects, including with a view to ensuring stable
interaction between government bodies, preventing foreign control over these objects, and ensuring the integrity,
smooth operation and safety of the unified telecommunications network of the Russian Federation, as well as
ensuring the security of information transferred through this network and processed within information systems
in the territory of the Russian Federation (MFARFIF, 2016, p. 8)
The fear within the Russian Federation that its infrastructure is at a high risk to be damaged or
disrupted by state and non-state actors. The ultimate goal of protecting these systems is the
creation of a single unified system which is controlled by the state and supports the Russian
Federations national security objectives (SCRF, 2009). The threats from cyberspace are
directly linked to the survival of its information infrastructure. Damage or disruption to these
systems is seen as a violation of the Russian states sovereignty, non-intervention, and territorial
integrity (MODRF, 2010; A/69/723, 2015).
A problem is that the Russian Federation extends its information infrastructure to the
functioning of the organs of state power. Meaning, the Russian states ability to govern is linked
to the continuing of the information infrastructures (MODRF, 2010). Within such a framing, it
becomes difficult to see where the boundary of the Russian information infrastructure begins
and ends. It could encompass all infrastructure within the geographical borders, under the
notion that all critical infrastructure contains a component of information infrastructure (Lopez
et al., 2012). As such, it becomes another means for the Russian Federation to justify its total
38
control over the flow of information that passes through its information infrastructures
(Finnemore & Hollis, 2016; Von Heinegg, 2015).
In terms of human rights and fundamental freedoms, the Russian Federation would not
benefit from the application of international law onto cyberspace. Such a move would interfere
with its understanding of sovereignty in relation to the level of control it wishes to maintain
over its own cyberspace. Thus far, the Russian Federation has been relatively successful in
tightening its control over the flow of information in Russia (Freedom House - NET, 2017;
Freedom House - PRESS, 2017). The creation of the IISS is more of a condition which prevents
the violation of the Russian rights within cyberspace (SCRF, 2013). A separate system would
allow the Russian Federation to add its information infrastructure as a protected entity and
justify its level of control over it. Thus, the Russian Federation has clearly securitized its
information infrastructures as referent objects. Yet, instead of using extraordinary measures,
the Russian Federation instead supposedly seeks to promote its ideals on an international level
through the UNGGE (A/66/359, 2011; A/69/723, 2015). This approach to protecting the
information infrastructure and the information flow within, influences to a considerable degree
the prevention, deterrence, and attribution measures the Russian Federation is willing to
undertake.
Prevention, Deterrence, and Attribution
The objective of the Russian Federation is to prevent the malicious use of ICTs completely. A
significant part of this prevention effort is preventing the spread of information weapons and
the demilitarization of cyberspace (MODRF, 2011). Information weapon is defined only once
in 2011 as the means and methods used for the purpose of waging information war using
information technologies (MODRF, 2011). Information war is defined as:
…confrontation between two or more states in the information space for damaging the information systems,
processes and resources, which are of critical importance, and other structures, to undermining the political,
economic and social system, and massive brainwashing of the population for destabilizing the society and the
state, and also forcing the state to make decisions in the interests of the confronting party (MODRF, 2011, p. 5).
To prevent such an information war or conflict, the Russian Federation wants to create the IISS
as a legal regime for the non-proliferation and arms control of information weapons (SCRF,
2013). The existential threat is linked to the referent objects of international principles of
sovereignty, non-intervention, and territorial integrity and are thus also linked to efforts of
39
control. However, the above-mentioned application of a legal regime does indicate a rather
conflicting IISS if it is to pick and choose the instances where international law is applied.
Finnemore and Hollis (2016) argue that the proposed non-proliferation and arms
control measures have been met with little enthusiasm by other states (Finnemore & Hollis,
2016). Many of the states fear that these measures may not work and is largely dependent on
the definition used for malicious ICTs and information weapons. Furthermore, demilitarizing
cyberspace would be difficult in itself. All armed forces in the world use ICTs to a degree and
make use of both public and private infrastructures to do so (Gottwald, 2009; Von Heinegg,
2015). Even outside of a conflict, ICTs can be used for purposes which may go against the
interests of the Russian Federation. ICTs could facilitate political violence through collective
action and increase the mobilization of people. A particular example of this being the Arab
Spring. A revolution which was to a large extent facilitated by the use of social media and thus
information (Weidmann, 2015). However, ICTs could also be used by states to limit political
speech or for intelligence gathering efforts (Finnemore & Hollis, 2016; Weidmann, 2015). The
Russian Federation wants to protect and deter this possibility and believes it is allowed to take
all necessary measures to do so (MODRF, 2010).
Enhancing the protection of the critical information infrastructure and reliability of it’s functioning, developing
mechanisms of identification and prevention of information security threats and elimination of their effects, as
well as enhancing the protection of citizens and territories from the effects of emergencies caused by information
and technical impacts on the objects of critical information infrastructure (MFARFIS, 2016, p. 7).
These measures include the creation of information weapons and the involvement of the
Russian Armed forces as part of a strategic deterrence effort to prevent armed conflicts
(MODRF, 2010, 2011). No definition for strategic deterrence is provided, although it is
frequently discussed in relation to nuclear deterrence. The purpose of these deterrence
measures in cyberspace is to deter the use of ICTs for military or political aims which can
damage the sovereignty and territorial integrity of the Russian Federation (MFARFFP, 2016).
Following Nye (2016) categories of deterrence, the Russian Federation appears to rely on
entanglement measures. The purpose of the entanglement measures is to ensure that both sides
benefit from the status quo much like nuclear-deterrence (Nye, 2016).
The enforcement of these preventative measures can to some extent be linked to the
Russians deterrence measures. As part of the IISS, the Russian Federation advocates for the
creation of an international mechanism to continuously monitor cyberspace. The purpose of
40
the system would be to prevent the malicious use of ICTs in interfering in the internal affairs
of states and violate its sovereignty (SCRF, 2013). This system could in essence also be used
as a deterrence measure. States may be less likely to use information weapons or malicious
ICTs if their activities are continuously monitored. The implementation of this system may be
difficult. This measure of denial may be effective but does require states to have the resources
to do so (Nye, 2016). However, as Von Heinegg (2015) argues, not many states are capable of
monitoring their data traffic consistently and effectively. It would also require a state-centric
approach and a level of control over their ICT industry which only like the Russian Federation
have and are unlikely to be adopted by democratic states (Von Heinegg, 2015).Yet, this
monitoring system would follow the UNGGE norm recommendation that states should not
knowing allow their territory to be used for international wrongful acts (A/69/723, 2015). It
may be only way for states to be certain that their territory was not knowingly used. However,
according to the International Telecommunications Union (ITU), over 48% of the world’s
population uses the internet (ITUFAF, 2017). Effectively monitoring all this data traffic may
be impossible.
Nonetheless, the Russian Federation has securitized its information infrastructure and
contradictory advocated for both the use of extraordinary measures, but also for the non-
proliferation of these measures (SCRF, 2013). Through the framing of the referent objects and
the existential threats, it appears that the Russian Federation has not necessarily securitized its
information infrastructure, but rather the information it contains and its sovereign right to
control the access to said information within its territory. The development of its security
strategies is guided by this principle, which to a large extent is not compatible with the purpose
and objective of the UNGGE norms. The UNGGE reports recognise that (critical) information
infrastructures are referent objects and the jurisdiction states have over it (A/69/723, 2015).
However, this is in relation to human rights and fundamental freedoms which does not allow
the type of control the Russian Federation wants and advocates for through the UNGGE, and
which differs significantly from the approach of the Netherlands.
41
The Netherlands and Cyber Norms In contrast to the Russian Federations focus on control through sovereignty, the Dutch cyber-
security development has been shaped by its beliefs in the importance of cooperation, self-
regulation, and individual responsibility in a multi-stakeholder model (MODNL, 2012;
MOJNL, 2011; NCTV, 2013). These beliefs significantly influence the approach of the
Netherlands to cybersecurity and will be used to answer the sub-question: “How is the
development of international cyber norms framed within the Netherlands approach to cyber-
security?”.
International Law and Human Rights The Netherlands approach to cyber-security is framed as one which has a strong connection
and belief in the effectiveness and functioning of international law. With its limited
international power and open economy, the realisation of the Netherlands interests is dependent
on an effective and stable international legal. An order which ensures the stability, prosperity,
and security of the Netherlands (MFAISSNL, 2013; NCTV, 2018). It is particularly important
for the Netherlands economic security that other states can be held accountable based on mutual
agreements, transparency, and the objective to settle any dispute peacefully. Adherence to
international law thus protects the Netherlands from the arbitrary actions of other states
(MFAISSNL, 2013).
This belief in international law is transferred to the development of cyber norms, where
the Netherlands advocates for the creation of international agreements and an internet
governance model. This model has to, through the multi-stakeholder approach, take into
account the interests of the various public and private actors in cyberspace (MFAISSNL, 2013;
NCTV, 2018). To that end, the Netherlands wants a more detailed debate on the application of
international law in cyberspace and specifically cyber operations (MFAICSNL, 2017). It
believes, in respect to the UNGGE, that international law does not need to be reinvented. It is
consistency in application what needs to be ensured (MFAGVBNL, 2018; A/68/156/Add.1,
2013). The approach of the Netherlands on the applicability of international law aligns with
that of the UNGGE which similarly does not see a necessity to reinvent current laws (A/70/174,
2015).
However, the self-regulation, self-responsibility, and multi-stakeholder approach of the
Netherlands does not fit within the UNGGE approach. The multi-stakeholder model ascribes
responsibility to the relevant stakeholders whereas the UNGGE primarily sees states as the
42
responsible actor. The 2013 report briefly advises states in the norms to encourage the
participation of the private sector and civil society in improving security in cyberspace
(A/68/98, 2013). However, their role is no longer discussed in the 2015 report. The state
remains the only relevant actor and is responsible not only for its own actions but also that of
non-state actors who use its territory (A/70/174, 2015). As such, the multi-stakeholder model
distorts the process of securitization as the responsibility for resolving the security issue no
longer is the sole responsibility of the state. It goes against the logic of security as extraordinary
measures cannot be taken by design by non-state actors (Buzan et al., 1998).
A problem of the multi-stakeholder model is that it creates many different actors whom
each has a different perspective on what they perceive as existentially threatening. Yet,
Finnemore and Hollis (2016) argue that their inclusion can have benefits. The process of
inclusion can generate a behavioural change in attitudes and makes the spread and acceptance
of norms easier. Through participation, a sense of ownership of the norms is created, which in
return facilitates compliance through institutionalization (Finnemore & Hollis, 2016). For the
Netherlands, international forums such as the UN and NATO as part of the multi-stakeholder
approach serves as a means to achieve a greater security in cyberspace, whilst also raising
awareness on the protection of human rights and fundamental freedoms (MFAICSNL, 2017;
NCTVNCANL, 2018).
To maintain and advocate fundamental rights and freedoms internationally, the government pursues a policy on
human rights that includes an international cyber component. Respect for human rights is the basis for an open,
free and secure society. The protection of personal data and privacy, freedom of expression, the right to seek
information, freedom of association and assembly, and the prohibition on discrimination are under increasing
pressure from some governments, which use national security as a pretext for disproportional intrusions
(MFAICSNL, 2017, p. 14).
It is essential for the Netherlands that human rights and fundamental freedoms are safeguarded
both offline and online. The Netherlands believes these efforts are vital as a means to offset a
negative trend where a growing number of states are putting pressure on internet freedom
(MFAICSNL, 2017). To ensure the protection of these rights and freedoms, the Netherlands
seeks to have international law on human rights include a cyber component, and the protection
of personal data (MFAICSNL, 2017).
In terms of protection, the Netherlands does not believe in the threat or use of force and
respects the principles of sovereignty and prohibition of force in the UN Charter. However, in
recognizing Article 51, the Netherlands recognises the right for individual and collective self-
43
defence (MODNL, 2013). An exception to the prohibition on the use of force for the
Netherlands is in cases of humanitarian intervention. The Netherlands believes that a military
intervention is permissible as a last resort under strict conditions and exceptional cases which
can be justified on political or moral grounds (MODNL, 2013). These limitations are also
applied to the use of cyber operations (MFAICSNL, 2017). This inclusion may be premature
considering that there is still an ongoing debate on the application of human rights in
cyberspace (Schmitt & Vihul, 2014). The issue, according to Schmitt and Vihul concerns
defining what can and cannot be seen as a part of a personal object in cyberspace. This
definition will have an effect on how cyber-attacks can be qualified as violating human rights
and fundamental freedoms and as a result be immensely important to the UNGGE discussion
(Schmitt & Vihul, 2014).
In the current reports, the UNGGE norms do not directly or explicitly seek to guarantee
this level of personal protection. The norms speak of respecting Human Rights Council
Resolutions 20/8 and 26/13 and the UN General Assembly resolution 68/167 and 69/166
(A/HRC/RES/20/8, 2012; A/HRC/RES/26/13, 2014; A/RES/68/167, 2014; A/RES/69/166,
2014). The norms do not explicitly state the direct link between the respect for human rights
and the protection of personal data. However, resolution 69/166 does argue that the “unlawful
or arbitrary surveillance and/or interception of communications, as well as unlawful or arbitrary
collection of personal data…violate the rights to privacy and to freedom of expression”
(A/RES/69/166, 2014, p. 2). To that extent, the UNGGE agrees in principle with the
Netherlands on the importance of data protection although they are not explicit, explained, or
directly mentioned in the UNGGE reports.
There have been regional efforts made by the EU via the General Data Protection
Regulation (GDPR) to address the issue of processing and protecting personal data. The
regulation suggests that an individual’s data is something to be protected and that those who
collect and manage it must prevent its misuse or exploitation (2016/679, 2016).
This EU effort means it has securitized and defined personal data as a referent object.
This will not necessarily bring any changes for the Netherlands and its approach to the UNGGE
considering it already seeks to advocate for such measures. However, now that the GDPR has
gone into effect, its existence may be influential for the continuation of any potential future
UNGGE. It may have major consequences in relation to the application of international law
and human rights, the principles of sovereignty, non-intervention, and territorial integrity, and
in the framing and protection of the infrastructure of the Netherlands.
44
Infrastructure The Netherlands uses many different definitions to describe its infrastructure. It speaks of cyber
infrastructure, digital infrastructure, information infrastructure, critical information
infrastructure, IT infrastructure, ICT infrastructure, strategic infrastructure, essential
infrastructure, vital infrastructure, critical infrastructure, civil infrastructure, global
infrastructure, and on occasion simply refers to infrastructure (MODNL, 2012; MFAISSNL,
2013; MFAICSNL, 2017; MSJNL, 2011; NCTV, 2013). The most mentioned infrastructures
are critical infrastructure and information infrastructure although none of these definitions are
explained within the security strategies. This lack of explanation and cohesion is troubling
when compared to the UNGGE which only discusses critical infrastructure and critical
information infrastructure (A/68/98, 2013; A/70/174 2015).
An effort was made in 2015 and 2016 to create a classification and criteria of the critical
infrastructure in the Netherlands (MSJNL, 2015, 2016). The classification covers both public
and private infrastructure and is divided into two categories dependent on the economic,
physical, and societal consequences damage or disruption to those infrastructures would cause
(MJSNL, 2015). Category A includes energy, drink water, and nuclear infrastructure or
industry (MJSNL, 2015). Category B includes transport, chemical, financial, public
administration and since 2016 telecom and ICT infrastructure (MSJNL, 2015, 2016). In cases
of damage or disruption, category A infrastructure has a higher priority than category B
infrastructure (MJSNL, 2015). In relation to the UNGGE, this would suggest that critical
information infrastructure with respect to telecom and ICT are less important to the Netherlands
than its critical infrastructure. Thus, in terms of securitization, it would suggest that the
Netherlands believes is critical infrastructure is more important referent object.
Cyber security concerns ICT security and the security of information stored in ICT systems. Disruptions to ICT-
based services and processes may have major social consequences, and a disruption to vital services and processes
may even lead to social unrest. Protecting personal information, state secrets and other sensitive information is
vital for ensuring the trust parties have in the digital domain (NCTV, 2013, p. 18).
Nonetheless, in respect to the UNGGE, the Netherlands does mainly focus on its critical
information infrastructure and the economic and social consequences damage or disruption
might cause. Determining the economic cost and effect is more difficult and estimates vary
widely. Even so, Deloitte (2017) estimates that the Dutch economy approximately loses 10
billion euros or 1.5% of its GDP value per year. However, they also argue that the risk are
45
significantly outweighed by the benefits derived from cyberspace (Deloitte, 2017). Together,
this economic and social perspective has certain implications for the way the Netherlands
approaches prevention, deterrence, and attribution, which for the most part is defensively
orientated.
Prevention, Deterrence, and Attribution.
The Netherlands does not believe that a total and all-encompassing cyber defence is possible,
practical, or affordable (MODNL, 2012). Persistent and technological advanced opponents
would still be capable of damaging its infrastructure and cause the feared economic and social
damage or disruption. The objective is therefore to build as much flexibility in the protection
of its infrastructure and in the ability to actively respond to a cyber-attack (MODNL, 2012).
The purpose of this defensive flexibility is to protect data, the exchange of data, and the
infrastructures to a degree that they remain available, accessible, and functional in the aftermath
of a cyber-attack (MODNL, 2012).
To that end, the Netherlands believes that prevention is better and cheaper than a cure.
It believes that effective prevention is only possible if the interest and goals of the relevant
actors in cyberspace are aligned, which in turn allows for a more effective and accurate threat
assessment (MFAISS, 2013). The threat from cyberspace is framed as cyber criminality from
non-state actors, and digital espionage and disruptive attacks from state actors (Kingdom of the
Netherlands, 2015). The Netherlands also believes that certain state-actors are using cyber-
operations for political objectives which include spreading disinformation to influence public
opinion. This foreign influence could potentially lead to economic damage, the erosion of
democratic legitimacy, and a cyber arms race (MFAGBVNL, 2018).
These preventative actions are also supposed to function as deterrence measures. One
of these measures is the ban or the introduction of a mandatory export license on specific
hardware, software, and technology. These goods are supposed to be part of a list of controlled
goods and be incorporated into relevant EU Dual-Use Regulation and the Wassenaar
Agreement (MFAICSNL, 2017). The dual-use regulation includes “software and technology,
which can be used for both civil and military purposes, and shall include all goods which can
be used for both non-explosive uses and assisting in any way the manufacture of nuclear
weapons or other nuclear explosive devices” (428/2009, 2009, p. 3). There is currently an
ongoing debate and proposal to include cyber-surveillance technology to this definition.
46
The Netherlands is to a certain extent in favor of expanding existing controls. Yet, on
the other hand, they are also critical of the EUs proposal to amend the dual-use regulation list
(MFAICSNL, 2017). The fear is that these measures could disrupt the level-playing field on a
global level and disadvantage the EUs industry, seeing as the control list only applies to the
EU (MFAICSNL, 2017). Both regulations however fit within the objectives of the UNGGE
norms, which asks states to prevent the “proliferation of malicious ICT tools and techniques
and the use of harmful hidden functions” (A/70/174, 2015, p. 8). However, a ban or limitations
on these technologies could have implications for the law enforcement and intelligence service
“legal” use of these systems (Bromley, 2017).
Defensive operations in the information domain are designed to counter external influence and internal misuse or
corruption of vital friendly information systems. Offensive operations in the information domain focus on the
acquisition of information and intelligence, and the deliberate release of information in order to influence a
situation in support of the national interest. Activities in this domain are conducted in intelligence, information or
cyber operations or a combination of these (MODNL, 2013, p. 86).
The “legal” use involves the creation of offensive and defensive cyber capabilities (MODNL,
2013). The use of these capabilities is framed as a combination of preventative, deterrence
measures, and retaliatory (MODNL, 2013; MFAGBVNL, 2018). The purpose of these
capabilities is to detect, neutralise, deter, and if necessary retaliate proportionally to cyber-
attacks (MFAGBVNL, 2018). Offensive assets may be deployed for the sake of information
and intelligence gathering efforts. This could be done by infiltrating the relevant information
systems and networks of potential attackers. The gathered information and intelligence will be
used as an early warning sign and to assist counterintelligence activities (MODNL, 2012;
MFAICSNL, 2017). The purpose of defensive capabilities is to protect “friendly” data and the
supply of information (MODNL, 2013). Dutch intelligence services have already used these
information capabilities. They were able to penetrate the computer network of the Russian
hacker group Cozy Bear and monitor their activity, and witness them launch several attacks
against the US Democratic Party during the 2016 US Elections (Modderkolk, 2018). As these
efforts were directed at non-state actors, they are arguably acceptable according to the UNGGE
norms, although discussing their role falls outside of its purpose.
The Netherlands seeks to widen the scope of international legislation to encourage more
cross-border investigations and presses for the further ratification and spread of the Budapest
Convention on Cybercrime; in part to resolve issues of attribution. If the origin, perpetrator, or
objective of an attack cannot be identified, it limits the possible responses the Netherlands can
47
undertake (MFANL, 2017). The Netherlands already cooperates with private actors and
“friendly” states in several investigations to elevate the attribution issues and prosecute
potential suspects (MFANL, 2017). So far, the Netherlands has participated in several cross-
border investigation operations. They cooperated in 2018 with the United Kingdom and
Europol to shut down the DDoS-for-hire website WebStressers (Landelijke Politie, 2018).
They also cooperated with the United States, Germany, and Europol to shut down the dark web
marketplace Hansa (Greenberg, 2018).
However, these intelligence efforts of the Netherlands are ultimately contradictory in
nature, considering the UNGGE and securitization theory. On the one hand, the international
investigative efforts of the Netherlands comply with the requests of the UNGGE to cooperate
and exchange information for the sake of addressing threats and prosecuting terrorist and
criminal use of ICTs (A/68/98, 2013; A/70/174, 2015). Yet, these same efforts go directly
against the UNGGE cyber norms to prevent the use of harmful hidden functions (A/70/174,
2015). The Netherlands cannot both want the non-proliferation of cyber weapons and harmful
hidden functions and at the same time justify using it themselves. It creates a conflict in
securitization as it does and does not allow for the use of extraordinary measures. The UNGGE
has not clarified the “legal” usage of these measures and will be required to do so, especially
considering the opinions of other states like the Russian Federation which is firmly against the
use of these measures as shall be discussed in the next chapter.
48
Comparison This comparison will serve to answer the sub-question: “What do these developments have in
common, and to what extent do they differ?” The comparison will highlight the underlining
similarities and differences between the Russian Federation and the Netherlands and their
approach to the UNGGE cyber norms debate. The comparison will conclude by theorizing
whether the ideological differences can be reconciled and offer a path for the future of the
UNGGE cyber norms debate.
International Law and Human Rights
Despite their differences, both the Russian Federation and the Netherlands agree that
international law is applicable to cyberspace.
The Netherlands believes that existing international law does not need to be amended
and is sufficient to limit the behavior of states in cyberspace. The Russian Federation does not
believe this is the case and seeks to have existing international laws to be amended or replaced
by new laws via the creation of an IISS. The purpose of the system is to ensure adherence to
the principles of sovereignty, non-intervention, and territorial integrity. Through a hardcoded
adherence the Russian Federation wants to ensure its, and other states sovereign right to control
cyberspace according to their national laws and without interference from other states. The
Netherlands is against this system, as it wants to ensure the consistent and equal application of
international law and avoid its arbitrary application as would be the case under the IISS.
To that end, the Netherlands seeks to include a cyber component into the protection of
human rights and fundamental freedoms. The UNGGE agrees to an extent on the inclusion of
human rights and fundamental freedoms but does not explain how these norms are to be applied
or enforced. Hathaway and Shapiro (2011) argue that such enforcement measures do not have
to involve threats or the use of violence. However, there must be an actor somewhere that is
tasked to ensure compliance; something which currently does not exists within the UNGGE
(Hathaway & Shapiro, 2011). The Russian Federation is adamantly against the inclusion of a
cyber component within human rights (Krutskikh & Streltsov, 2014). It fears that the inclusion
of a cyber component could lead to the legitimization of a cyber conflict by evoking the right
to self-defence as described in Article 51 of the UN Charter. The unlawful use of ICTs would
remove the issue from the sphere of international law and allow for the use of excessive force
and threaten international peace and security (Krutskikh & Streltsov, 2014).
49
However, this fear is unsupported. Not every cyber-attack could convincingly be
classified as a violation of a state’s sovereignty, non-intervention, territorial integrity, human
rights or fundamental freedoms (Von Heinegg, 2015). Furthermore, a violation of these
principles, rights and freedoms, would not count under the right to self-defence as described in
Article 51, which only allows the use of self-defence to occur in cases of an armed attack which
a cyber-attack certainly is not (United Nations, 2015). These measures would also go against
the purpose of the UNGGE norms which seek to limit this behaviour. Instead, the UNGGE
norms encourage cooperation and the exchange of information and call for the settlement of
disputes through these peaceful means.
Yet, the continued ambiguity and lack of explanation or clarification of the UNGGE
norms drives the Russian Federation to create the IISS. A system which effectively becomes a
means for the Russian Federation to ensure its brand of information security in cyberspace. The
fear for the Russian Federation is that state and non-state actors could use ICTs for political
and military purposes and as a result allow for destructive or disrupting information to violate
its sovereignty. Its efforts of control are mainly aimed at regulating these flows of information
in cyberspace, to prevent this from occurring. The issue is that these measures essentially go
against the principles of human rights and fundamental freedoms as advocated by the UNGGE
and the Netherlands. These rights and freedoms seek to protect, amongst others, the right to
privacy and the freedom of expression. The Russian Federation at the same time believes it is
the state’s prerogative through sovereignty to dictate what does and what does not fall under
these rights and freedoms. The irony being that it argues against the application of international
law by referring to another.
This of pick-and-choose and alter mentality must ensure the Russian Federation has full
control and whereby the principles of sovereignty, non-intervention, and territorial integrity are
applied if only to ensure its domestic laws trump that of human rights and fundamental
freedoms and overall ensure the Russian states security policy objectives. An effort which goes
against the UNGGE norm which suggests that states should “comply with their obligations
under international law to respect and protect human rights and freedoms” (A/70/174, 2015, p.
12).
The Netherlands does not seek the same level of control and ensures its domestic laws
are in line with international law instead of the other way around. It is, however, unable to
support the Russian objective to extend the states control over cyberspace. Through its multi-
stakeholder model and mostly privately-owned infrastructure, the Netherlands would be unable
to comply or even entertain the notion. Rather than attract more control, the Netherlands seeks
50
the inclusion of other relevant non-state actors to include, believing their inclusion is essential
for securing cyberspace.
The creation of the IISS would be a monumental effort and span multiple decades due
to the fact that ICTs, cyberspace, touches upon every single aspect of daily life. The
construction of new norms in an international setting would have to go through the entire
catalogue of existing international law from labour, treaties, economics, human rights, trade,
armed conflict, and criminal law. It has already been proven difficult to have all states agree
on more than one viewpoint, application of international law, and the interpretation of said law
within the UNGGE. Ironically, it is far more likely that through the application of existing laws
such an IISS could be set in place to monitor or arbitrate on cyber or information security issues.
In general, the position of the Russian Federation towards the UNGGE norms debate on
international law appears contradictory and lacks a particularly well-presented feasible
direction. The Netherlands, in contrast, offers little resistance. The UNGGE norms debate does
not explicitly reflect the Netherlands entire objective but is does not limit it either and follows,
for the most part, the Netherlands in terms of protecting its infrastructure.
Infrastructure
The UNGGE debate allows for the both the Netherlands and the Russian Federation to frame
their critical infrastructure and critical information infrastructure as a referent object. However,
there is some disparity in the use of different definitions. The UNGGE mainly allows for the
protection of a state’s critical infrastructure and to a lesser extent critical information
infrastructure. The Russian Federation approaches its infrastructure mainly from the critical
infrastructure and information infrastructure perspective. The Netherlands uses many different
definitions of which critical infrastructure and information infrastructure are discussed the most.
There is an obvious overlap concerning the framing of the referent object in all three
approaches. However, the difference lies in the underlining motivations of why these
infrastructures are referent objects.
For the Russian Federation, the national interest is the protection of its information
infrastructure (online and offline) from damage or disruption. The functioning of the
information infrastructure is linked to the functioning and continuation of the Russian state
through adherence to the principles of sovereignty, non-intervention, and territorial integrity.
The purpose of protection is to create a unified system which ensures the survival of the Russian
Federation. It is not made evidently clear whether the protection of the physical information
51
infrastructures stands above the protection of the flow and storage of information. This,
especially considering that the existential threats are framed as terrorists, criminals, extremists,
and separatists. The fear is that these existential threats would be capable of spreading
destructive information and result in social unrest and threaten the survival of the regime.
The Netherlands focuses on a similar protection of the flow of information but does not
include an offline component beyond a respect of human rights and fundamental freedoms
which it believes are universally applicable. It also similarly seeks to infrastructure and
information infrastructure and the storage and transport of information. However, it is arguably
less interested in the information itself. What may be more important is that the infrastructure
remains capable of facilitating and transporting said information for the sake of its economic
objectives. There is a fear that this information can be manipulated, but the Netherlands does
not link said manipulation to the survival of the state.
This does leave the question as to what the Russian Federation and the Netherlands
have effectively securitized beyond their infrastructures. This question primarily revolves
around the framing of data as a referent object and the relation of personal data with respect to
human rights and fundamental freedoms. Both states recognise its value, although it may be a
topic which falls beyond the discussion of the UNGGE. Its lack of inclusion in the UNGGE
norms does indicate that the approach of both states to the UNGGE may appear to be similar
but has significant underlying differences which will need to be addressed. The protection of
data would significantly influence the norms debate. This, in turn, will also influence the
prevention, deterrence, and attribution measures states will be allowed to undertake.
Prevention, Deterrence, and Attribution Both the Russian Federation and the Netherlands believe they, through their sovereignty, have
the right to take necessary measures to defend themselves and prevent cyber-attacks. The
UNGGE reports does not explicitly allow this, but instead ask states to resolve their disputes
through peaceful means; meaning cooperation and the exchange of information.
The Russian Federation has a different perspective and instead seeks to prevent the
spread of information weapons and advocates for the demilitarization of cyberspace. The non-
proliferation and demilitarization efforts are shared by the Netherlands and to an extent also by
the UNGGE which suggests that states should prevent the proliferation of malicious ICT tools
and techniques. In a somewhat different approach, the Netherlands seeks to ban or introduce a
mandatory export license on specific hardware and software and make them part of the list of
52
dual-use goods; meaning goods which can be used for both civil and military purposes.
Together with 42 states, including the Russian Federation, the Netherlands is part of the
Wassenaar Agreement, a voluntary export control regime. The measure is different from that
of the Russian Federation as the Netherlands does not necessarily seek the non-proliferation or
demilitarization. Instead, it primarily wants to prevent the export of these goods and prevent
the import of these goods by potentially malicious actors.
The UNGGE is unclear to what extent it wants states to seek to prevent the proliferation
of malicious ICTs and what is specifically meant with that definition. The dual-use list can be
problematic in relation to ICTs considering that even a personal computer, tablet, or
smartphone could be used for both civil and military purposes. The contradictory position is
that despite arguing for the limitation of hardware and software technology, the Netherland and
the Russian Federation also actively seeks to create offensive and defensive cyber capabilities.
The creation of these capabilities is framed as part of the Netherlands prevention,
deterrence, and retaliatory measures. Offensive operations are focused on acquiring
information and intelligence, and the release of information (including deception) to influence
a situation for the sake of the national interest. Similar to the Netherlands, the Russian
Federation frames the creation of information weapons as part of its prevention and deterrence
efforts, specifically aimed at preventing an armed (cyber) conflict. A secondary purpose of
these weapons is to deter the use of ICTs for military or political purposes which can potentially
damage or disrupt the Russian information infrastructure and result in violations to its
sovereignty, non-intervention, and territorial integrity.
The UNGGEs position towards the creation and usage of these capabilities and
weapons is conflicting. By asking states to take appropriate measures to protect their
infrastructure, the measures by the Netherlands could be considered acceptable. This would
not be the case with the Russian Federation. Although the creation of information weapons is
framed as a preventative and deterrence measure, their usage can only be offensive and would
actively go against the norm to prevent the proliferation of malicious ICTs. A norm under
which the Netherlands offensive and defensive capabilities arguably would not fall under as its
purpose is not to be destructive or disrupting like the Russian weapons are.
In line with its aspirations, the Russian Federation seeks to include these preventive and
deterrence measures in the IISS; those being the non-proliferation and demilitarization efforts.
Part of this effort would be a monitoring function which subsequently holds states responsible
for preventing the malicious use of ICTs against other states. Although the system is somewhat
in line with the UNGGE norms to prevent the knowing use of its territory, it remains unfeasible
53
for most states to realise. Despite its potential effectiveness, it does require states to have the
necessary resources to implement such a system (Nye, 2016). Not many states possess the
resources to monitor their data traffic consistently enough to be effective. Many democratic
states like the Netherlands are unlikely to adopt such a measure due to the inherent violations
of human rights and fundamental freedoms it would involve. Most of these democratic states
currently require a court order before they are able to intercept and monitor suspects (Brown,
2015). Expanding this system would also require a more detailed construction of the referent
object and existential threats.
Instead of a monitoring system, the Netherlands emphasizes the expansion of the
international investigative capabilities by seeking the expansion of international legislation on
cybercrime. Together with the intelligence from the offensive and defensive cyber capabilities,
both efforts would assist in preventing and attributing cybercrimes. These cross-border
investigations would fulfil the UNGGE objective to promote the criminal investigation into the
criminal and terrorist use of ICTs. It is also more in line with the reality of cyber-attacks and
their perpetrators, which are predominantly non-state actors. Yet, the discussion on the role of
non-state actors is not a part of the UNGGE and would require a separate debate. The Russian
Federation is against the expansion of these cross-border investigations, fearing that the
(involuntary) exchange of information and access as part of the investigations attribution
efforts could be an excuse and serve as a means for an adversary to penetrate its information
infrastructure; resulting in a violation of its sovereignty, non-intervention, and territorial
integrity (Krutskikh & Streltsov, 2014).
Future of the UNGGE The position of the Russian Federation and the Netherlands towards the UNGGE can be
explained via their security strategies; but they do not explain the UNGGE reports in its entirety
which for the most part comes as a result of its ambiguous construction and lack of explanation.
The lack of explanation and the inherent confusion may serve well within the context of the
UNGGE, but it does not help the purpose of applying international law to cyberspace by having
state interpret the norms as they wish. This issue is further exasperated by the voluntary and
non-binding nature of the norms, which makes it possible for states to decide whether they to
adhere to them or not. The logic behind the ambiguous UNGGE norms construction could be
explained through the belief that only a few like-minded states will initially accept them, after
which more states will slowly follow (Hurwitz, 2014). However, through the ideological
54
division, the Russian Federation and its allies in the Shanghai Cooperation Organisation should
be counted as well. The problem lies in the additional belief that all states should be subject to
some of these norms and that they will come to accept them in time through incentives,
confidence-building measures, or sanctions employed by the like-minded states (Hurwitz,
2014). It is unlikely that the Russian Federation will alter its position through the above-
mentioned measures. The larger disagreement between both groups is on who should set the
norms, and which states should be subject to them (Hurwitz, 2014).
The disagreement between both states on sovereign control over cyberspace is unlikely
to disappear or be resolved in the immediate future. The Russians top-down model contrast
starkly with the Netherlands bottom-up approach as evident through its multi-stakeholder
model (Eichenseir, 2015). The survival component for the Russian Federation will most likely
be too great a hurdle for it to overcome and side with the Netherlands. The bottom-up model
of the Netherlands would also not be feasible or acceptable from the perspective of the Russian
Federation as an authoritative regime. The IISS directly contradicts this approach and instead
would increase the sovereign control of states to regulate cyberspace. Cyberspace would be
assimilated into the sovereign territory of states and allow for similar protective measures as
awarded to the protection of a state’s physical borders (Eichenseir, 2015).
If a new UNGGE were to be established, it would have to start at the beginning, in order
to re-considering the motivations of those who disagreed. place. The development of the
security documents of the Russian Federation and the Netherlands have not changed
significantly between 2007 and 2017. This means that both ideological different approaches
have existed long before the creation of the 2013 and 2015 UNGGE report; that is, if it can be
called an ideological difference.
The different ideological approach is between the right of states to control its portion
of cyberspace and regulate the flow of information against potential destructive or disruptive
information against the protection of human rights and fundamental freedoms which require
the freedom of expression, right to seek information, the freedom of assembly and association,
and non-discrimination. In essence, the ideological division revolves around the age-old debate
on the freedom of expression against national security; and something which has been seen a
resurgence with the rise of right-winged extremism (Mchangama, 2016).
Although it is a genuine discussion and ideological difference, the interpretation and
motivation for national security has a different meaning for the Russian Federation. Silencing
dissident voices and limiting the flow of information which critiques the regime should not be
considered an ideological position. Instead, the Russian Federation and its allies have
55
appropriated an already existing discussion and linked it to their objections on the use of force
and right to self-defence which overall are not very strong arguments. These objections mask
the more pressing concern the Russian Federation has in the application of international law,
human rights, and fundamental freedoms. This position and the general fears of the Russian
Federation are not reflected within the UNGGE reports. They are entirely assumed based on
their perspective on how the application of international law may turn out; which is only
possible due to the ambiguous construction of the reports. It is understandably an opportunity
for the Russian Federation and its allies to essentially legitimize its control over their corner of
cyberspace. Yet, it will never be acceptable to the like-minded states such as the Netherlands.
It leads to questions on the motivations of states that participated within the UNGGE despite
knowing that this was a likely outcome. This considering that the cyber and information
security strategies of both the Netherland and the Russian Federation have not changed
significantly between 2007 and 2017. Their participation could perhaps then only be explained
as part of a securitization process, whereby the continued belief in an existential threat ensures
their continued strive towards the creation of norms on an international level.
56
Cyber Securitization There are several different ways, in the current research, through which cyberspace could have
been securitized. The UNGGE, Russian Federation, and the Netherlands could all have
successfully securitized cyberspace together or without the other two having done so as well.
The problem is that technically speaking only one state should be able to do so in an
international setting. If cyberspace has been securitized, this would imply a certain degree of
action and should have influenced the UNGGE norms discussion to some degree. It would also
signal the probability that states will remain motivated to resolve the insecurities from
cyberspace, and whether or not they are likely to change their mind. The following chapter will
seek to answer the sub-question: “Has cyber securitized?” The chapter will look at the
developments presented in the previous chapters in order to determine whether cyberspace has
successfully been securitized, and if so, to what extent.
Securitizing Actors In theory, the securitizing actor could be anyone who is able to construct an issue as being
existentially threatened through a speech act. The success of this depends significantly on the
status of the actor and the context within which the actor attempts to securitize an issue (Buzan
et al., 1998). Additionally, the theory also positions a definitive moment in time where the
speech act is accepted by the audience and leads to an issue being successfully securitized or
not. A successful securitization act would imply that the issue has received a disproportional
amount of resources and attention and has legitimized extraordinary measures to resolve the
issue (Buzan et al., 1998). However, the framing and expected results as presented by the theory
present certain problems in determining the potential of a successful securitization within the
UNGGE, the Russian Federation and the Netherlands.
The initial problem exists in the nature of cyberspace; which is a global entity but
cannot be limited within the boundaries of one state. Its global status should allow for multiple
actors, at different points in time, to declare their own portion to be existentially threatened. It
is not clear whether it is possible for a singular securitizing actor to declare cyberspace as
existentially threatened and convince the whole world of it through a speech act; although it
should theoretically be possible. Nonetheless, designating these securitizing actors within the
UNGGE is difficult, in part due to the limitations of the theory.
The 1998 resolution of the Russian Federation fails to meet the required indicators due
to issues in designating the audience who would have accepted its construction of the
57
existential threat and referent objects. The resolution and those that followed were all accepted
without a vote which may suggest no audience was needed for the issue to be successfully
securitized. However, even if the instance is accepted as a successful securitization move, it
hardly led to a diversion of resources, an increase in attention or the use of extraordinary
measures. Instead, following the life cycle of norms, the UNGGE was established to investigate
existing and potential threats in cyberspace; meaning, that the process of determining the
referent objects and existential threats had yet to begin and would continue to evolve over many
years. Although securitization theory does not dictate a specific timeframe between the
securitization effort and the use of extraordinary measures, it does imply a rather faster process
than witnessed within the UNGGE. 14 years is a long time to act upon a potential successful
securitization act.
Furthermore, the theory does not discuss the possibility of other state actors or non-
state actors individually securitizing the issue and only later on joining in on the international
effort. This was the case of the Netherlands and many other states within the UNGGE process.
The theory does not describe the role of states which have securitized the same issue but are,
through institutional regulations, not allowed to participate directly in the discussion; meaning
the Netherlands until the 2016-2017 meetings. Finally, the theory does not explain the role of
states which took part in the securitizing effort, but who left, only to either return or not return
to the discussion at all. With these many potentially different securitizing actors, the theory
does not facilitate the possibility of different perspectives on the same existentially threatened
issue and does not account for the potential convergence or evolvement of ideas, existential
threats, and referent objects through norms.
Referent Objects The theory of securitization would suggest that the referent objects is fixed before any means
to protect the referent object are discussed. The theory also assumes to a degree that the
securitizing actors frame their referent objects and interpret its existential threat along a similar
line. However, the theory does not take into account the possibility of different states
constructing their own referent objects which may or may not be represented at all within an
international context such as the UNGGE. Each UNGGE could represent a new securitization
round, where the framing of the different indicators evolves with each meeting until the norms
are finalized. Yet, the theory does not allow for such an iterative securitization process.
58
The referent objects described within the UNGGE norms are critical infrastructure,
critical information infrastructure, ICTs, and ICT-dependent infrastructure, and the information
systems of authorized emergency response teams. The reports also frequently mention
international peace and security but do not explain why these objects are referent objects. The
lack of criteria on these subjects allows for different interpretation by both the Russian
Federation and the Netherlands on what they consider and interpret as referent objects. Both
states recognize the status of their own critical infrastructure and critical information
infrastructure and that of their allies. Although it is discussed in general terms within the
UNGGE, the Russian Federation and the Netherlands do clearly make a distinction between
their infrastructure and that of their potential adversaries.
A larger question pertains to what the boundaries of cyberspace are and to what extent
a distinction between critical infrastructure and critical information infrastructure makes sense.
Cyberspace has penetrated every aspect of daily life to a degree that there might not be any
critical infrastructure which is not ICT-dependent or could exist without cyberspace. Almost
every issue being dealt with on a national or international level has a cyber component, from
terrorism to trade, to environmentalism and the rise of extremism. Within in this context,
cyberspace is the one things that connect them all. Considering these issues would be a part of
the UNGGEs mandate to consider existing and potential threats and cooperative measures to
address them.
The UNGGE is supposed to regulate the behaviour of states in cyberspace but neglects
to discuss a larger discussion on what cyberspace is. It neglects to discuss what the role of the
state is and should be in cyberspace, and to what extent the behaviour of states should be
regulated through containing or permissive regulative norms. Meaning, should the UNGGE
norms regulate the behaviour of states in cyberspace concern all behaviour and include
behaviour in regards to things such as agriculture, education, medical and immigration; sectors
which use ICTs and are ICT-dependent. Or should the UNGGE norms only focus on the
behaviour of states in small and selective areas such as crime and terrorism as appears to be
the case with the current UNGGE reports?
Doing so may be preferable for the UNGGE but does neglect the construction of
referent objects of other states such as the Russian Federation and the Netherlands. Underlining
their critical infrastructure and critical information infrastructure lies the deeper question on
the status of data as a referent object. Added to this would be a discussion on the rights of states
to determine what is or what is not destructive or malicious information and data. The
protection of this information or data is linked to either the survival of the state in the Russian
59
case or the economy and society in the case of the Netherlands. Altogether, the framing of the
referent object is important as it can to a large extent determine the type of existential threat
each of these different referent objects may expect.
Existential Threat The frame of existential threats can refer to many different actors within cyberspace and the
UNGGE. The UNGGE constructs these existential threats as criminals, terrorist, extremists,
and (other) states. It is not necessarily the existence of these actors that is considered a threat,
but rather their behavior in relation to using cyberspace to commit their acts. The UNGGE does
not describe or explain what these acts may be beyond describing them as the malicious use of
ICTs.
For the Russian Federation, the existential threat is mainly constructed as criminals,
terrorists, extremists, separatist, and other states using ICTs in a way which would violate the
Russian states sovereignty and principles of non-intervention, and territorial integrity. The
Netherlands frames the threat more generally as state and non-state actors attempting to damage
or disrupt its infrastructure in terms of potential economic loss or social disruption. They pay
little attention to the use of these malicious tools by states against non-state actors, which
should be an important part of the discussion, even if it falls outside the mandate of the UNGGE.
Nonetheless, it is especially important for states like the Netherlands, where a significant part
of its infrastructure is in the hands of (semi) private actors. This refers to a larger debate with
respect to framing the referent object on the distinction that should be made between public
and private property in relation to the functioning of the state and society.
Like most of the other indicators and definitions, it depends entirely on the
interpretation of states and the definitions used. However, the ambiguity may be preferable for
the sake of reaching a consensus on the final report which has to account the opinions of many
different state actors and potentially many different functional actors as well.
Functional Actors Dependent on the context, states can be functional actors. Within the context of the UNGGE
states can be both securitizing actors and functional actor’s dependent on their participating
status. The problem with the UNGGE discussion is that more often then not, states could be
securitizing actors and declare an issue existentially threatened, be referent objects which need
protection, be existential threats and functional actors to other states. Meaning, the participating
60
member states of the UNGGE are effectively securitizing against themselves. Yet,
securitization theory does not allow for the functional actor to also be the securitizing actor or
referent object. The functional actor is supposed to be actors who significantly influence the
decisions in the security field. These are the context of the UNGGE states. Even if they were
not considered functional actors, they would still be referent objects. It may be possible to make
a distinction between directly participating states, attributing states, and non-participating
states. Not all states directly take part in the UNGGE. Only 24 out of 193 UN member states
participated in the 2016-2017 UNGGE, and only 15 states beyond of the participating states
contributed with their official responses (A/72/315, 2017). The problematic part is determining
to what extent the participation of these contributing states could be considered significant.
In general, it is almost impossible to know which who are functional actors unless their
contribution is clearly noted. This is especially true for existential threat actors such as
criminals and terrorists who through their existence and actions influence the decisions made
by states and the UNGGE and therefore could be considered functional actors. The same could
be said about the UN. The UNGGE debate takes place under the umbrella of the UN and its
contextual influence through the rules and regulations as imposed on governmental groups of
experts (Lewis & Vignard, 2016). It is those rules that determine the criteria for which state is
allowed to participate and thus directly influence the direction of the debate. This influence is
also extended to the construction of the norms and the release of the final reports, which
through regulations require a consensus to be released (Lewis & Vignard, 2016).
Determining the functional actors within the Russian Federation and the Netherlands is
somewhat easier. The Netherlands through its multi-stakeholder seeks the inclusion of all
relevant stakeholders in crafting and enacting its cyber-security strategies. Within this
framework, non-state actors are both functional actors, securitizing actors, referent objects, and
in certain cases also existential threats. They provide the government with information on what
they perceive are existential threats and referent objects. It is not a one directional relationship
as is the case with the Russian Federation. In Russia, the state is the directive organ of power
who dictates what is and what is not an existential threat and functional actor. However, the
Russian Federation does work with other states in regional organizations such as the Shanghai
Cooperation Organization. The Netherlands similarly cooperates within the framework of the
EU and NATO. However, unlike the Netherlands, the Russian Federation approaches the
UNGGE debate as a collective, being part of the Shanghai Cooperation Organization. This
would make the organization a securitizing actor in itself and a functional actor to the UNGGE,
further complicating the issue. In general, it can be said that with most of the other indicators,
61
the status of an actor as a functional actor depends greatly on the time, place, level of
cooperation, and perspective; which is carried over in determining the occurrence of a speech
act.
Speech Act It is unlikely that any speech would have convinced a state of the necessity to securitize
cyberspace. The speech act indicator supposes that an audience has to be convinced by the
securitizing actors construction of the threat. As discussed in the previous paragraphs,
determining these actors is difficult or at the very least has many caveats. If we accept that the
Russian Federation securitized cyberspace in 1998 by uttering a speech act then no other state
actor could ever securitize again. Each state would have to adhere to the construction as
ascribed by the Russian Federation. However, as adoption of the resolution has not resulted in
the use of excessive force, it cannot be said that the process was successful in the traditional
sense. Cyberspace could be securitized following Trombetta’s (2008) arguments and not have
resulted in the use of extraordinary force, but instead led to cooperation within the UNGGE.
Even so, as evident by the discussion within this chapter, attempting to locate the
corresponding objects or actors results in a circular discussion. The nature of cyberspace does
not allow for declarative statements to be made. There are too many exceptions and definitions
which need to be accounted for, which move the theory away from its original construction. It
is thus, in its current state it is impossible to declare that cyberspace has successfully been
securitized from the UNGGE perspective.
When viewed from the perspective of the Russian Federation and the Netherlands, then
cyberspace is definitely securitized; albeit very specific parts of it. Part of this securitization
process would have to take into account that the securitizing actor convinced itself of its own
construction of the referent objects and existential threats. Threats, some of which have
arguably already been securitized such as critical infrastructure and criminal and terrorist’s
activities.
For the Russian Federation, information and data would still be securitized even without
cyberspace, and the same can be said for the Dutch economy and society. Nevertheless, all
these different issues have gained a cyber aspect through cyberspace which required a re-
securitization of the issues to include said cyber component. However, none of these acts of
securitization have led to the use of extraordinary measures; especially considering the lack of
a cyberconflict. Thus, to say that cyberspace has been successfully securitized would grossly
62
understate the complexity that is cyberspace. What is required is research to examine each
individual sector/ issue area to determine whether it has been re-securitized with a cyber
component or not. Only then could one definitively state that cyber has been securitized.
However, until then, it is more prudent to say that very specific areas in cyberspace have indeed
been securitized.
63
Conclusion The analysis presented in the thesis of the Russian Federations and the Netherlands cyber and
information security strategies has demonstrated some similarities, but ultimately many
underlining differences in their development and approach towards the UNGGE cyber norms
debate. The development of these cyber and information security strategies has remained
consistent between 2007 and 2017 and explains the Russian and Dutch different ideological
approaches to the UNGGE.
The approach of the Russian Federation to the cyber norms debate has been guided by
its objective to reaffirm the sovereign right of states to govern and control cyberspace according
to their national laws and in the name of national security. To ensure this right, the Russian
Federation requires the UNGGE norms discussion to include a hardcoded adherence to the
principles of sovereignty, non-intervention, and territorial integrity. Adherence to these
principles is to ensure no other states has a right to interfere in the way the Russian Federation
manages its cyberspace. Management of which is linked to the survival of the Russian state,
which is threatened by the spread of destructive or disrupting information by criminals,
terrorists, extremists, and separatists. A point of contention for the Russian Federation is that
this right to control clashes with the UNGGEs inclusion and promotion of human rights and
fundamental freedoms.
The inclusion of these rights and freedoms has been a significant part of the Netherlands
development and approach of its cyber-security strategies. The approach of the Netherlands
has primarily revolved around promoting its multi-stakeholder model and adherence to existing
international laws a means to resolve the insecurities from cyberspace. The Netherlands
requires a consistent application of international law together with a free and open cyberspace
to realise its economic and foreign policy objectives. Thus, instead of control, the Netherlands
believes in cooperating with the relevant stakeholders in cyberspace to combat the threats it
faces. This threat is constructed in economic and social terms. The Netherlands fears that a
cyber-attack could either lead to significant economic loss or social displacement or disruption
of its citizens. It is thus important for the Netherlands to have the UNGGE norms include a
cyber component in order to ensure the protection of human rights and fundamental freedoms
online and offline.
The Russian Federation is against this inclusion as the insurance of human rights and
fundamental freedoms. Its inclusion would undermine the Russian states efforts to control the
flow of damaging and disrupting information. For the Russian Federation, human rights and
64
fundamental freedoms are connected to the sovereign right of the Russian state to protect its
citizens against destructive or disrupting flows of information. In contrast, the Netherlands
especially wants the inclusion of these rights and freedoms because it fears certain states will
use its control and influence over cyberspace to silence dissenting voices and violate human
rights and fundamental freedoms in the process.
The resulting UNGGE reports are an ambiguous mix of these ideological positions;
giving it the appearance that both sides have been taken into account. However, it is never
entirely clear what is precisely meant by the norms, how they to apply, or how and to what
extent they are to be enforced. The norms include references to sovereignty, non-intervention,
and territorial integrity, but also the protection of human rights and fundamental freedoms yet
never explicitly explain which has a higher priority. This is a problem born out of a lack of
explanation and definitions which subsequently limits many of the arguments made within the
thesis. Arguments which are primarily based upon the different perspectives and interpretations
of definitions, weaknesses in the theory of securitization, and as a result often rely on
technicalities to make an argument.
As a result of these many limitations, the UNGGE discussion feels premature as it fails
to address the most pressing concerns in the world appropriately. Part of the initial UNGGE
discussion should have focused on defining and clarifying many of the cyber-related concepts.
Now, the interpretation is left up to the states and allows for wildly different assumption to be
had Russian Federation and the Netherlands. What is needed is clarity and consistency in their
interpretation form an international legal perspective and not necessarily from an academic one.
A significant portion of the academic literature already has devoted a lot of time theorizing on
different cyber-related definitions. An international effort to construct these definitions is
needed, even if it may not fall under the mandate of the UNGGE.
Nevertheless, what appears to be evident is that the UNGGE discussion does not discuss
the most pressing issue both the Russian Federation and the Netherlands are concerned with;
that being the status of information and data in cyberspace as a referent object. It is also the
status of this information and data which connects to the ideological division on control for the
sake of national security versus human rights and fundamental freedoms. It should therefore
be the recommended that future research devotes to resolving this problematic connection
between the topics; especially as discussing these issues does not fall under the mandate of the
UNGGE. Unless the above-mentioned, and the definitional problems are resolved, it may
difficult to see any significant behavior change through the creation and implementation of
international cyber norms.
65
Cited Sources Abelson, H., Anderson, R., Bellovin, S. M., Benaloh, J., Blaze, M., Diffie, W., … Weitzner, D. J. (2015).
Keys under doormats: mandating insecurity by requiring government access to all data and
communications. Journal of Cybersecurity, 69. https://doi.org/10.1093/cybsec/tyv009
Bannelier, K., & Christakis, T. (2017). Cyber-Attacks – Prevention-Reactions: The Role of States and
Private Actors (SSRN Scholarly Paper No. ID 2941988). Rochester, NY: Social Science
Research Network. Retrieved from https://papers.ssrn.com/abstract=2941988
Bendovschi, A. (2015). Cyber-Attacks – Trends, Patterns and Security Countermeasures. Procedia
Economics and Finance, 28, 24–31. https://doi.org/10.1016/S2212-5671(15)01077-1
Bigo, D. (2002). Security and Immigration: Toward a Critique of the Governmentality of Unease.
Alternatives: Global, Local, Political, 27(1_suppl), 63–92.
https://doi.org/10.1177/03043754020270S105
Bothe, M. (1980). Legal and Non-Legal Norms – a meaningful distinction in international relations? *.
Netherlands Yearbook of International Law, 11, 65–95.
https://doi.org/10.1017/S0167676800002725
Bromley, M. (2017). Export controls, human security and cyber-surveillance technology: Examining
the proposed changes to the EU Dual-use Regulation, 1–40.
Brown, C. S. D. (2015). Investigating and Prosecuting Cyber Crime: Forensic Dependencies and
Barriers to Justice. International Journal of Cyber Criminology, 9, 55–119.
https://doi.org/10.5281/zenodo.22387
Buzan, B., & Hansen, L. (2009). The evolution of international security studies. Cambridge, UK ; New
York: Cambridge University Press.
Buzan, B., Wæver, O., & Wilde, J. de. (1998). Security: a new framework for analysis. Boulder CO
[etc.]: Lynne Rienner.
Deeks, A. (2017). Intelligence Communities and International Law: A Comparative Approach (SSRN
Scholarly Paper No. ID 2700900). Rochester, NY: Social Science Research Network. Retrieved
from https://papers.ssrn.com/abstract=2700900
Deloitte. (2017). Cyber Value at Risk in The Netherlands 2017 - Dealing efficiently with cybercrime |
Cyber Risk | Deloitte. Retrieved 27 May 2018, from https://www.sbs.ox.ac.uk/cybersecurity-
capacity/system/files/Deloitte_Cyber%20VaR%20NL%202017.pdf
Eichenseir, K. E. (2015). The cyber-law of nations. Georgetown Law Journal, 103(2), 317–379.
European Council. (2009). Council Regulation (EC) No 428/2009 of 5 May 2009 setting up a
Community regime for the control of exports, transfer, brokering and transit of dual-use
items. Retrieved 1 June 2018, from https://eur-lex.europa.eu/legal-
content/EN/TXT/PDF/?uri=CELEX:32009R0428&from=EN
66
European Parliament, & Council of the European Union. (2016). Regulation (EU) 2016/679 OF The
European Parliament And Of The Council OF 27 APRIL 2016. Retrieved 27 May 2018,
from http://eur-lex.europa.eu/legal-
content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
European Union Agency for Network and Information Security. (n.d.). CSIRTs by Country -ENISA.
Retrieved 29 May 2018, from https://www.enisa.europa.eu/topics/csirts-in-europe/csirt-
inventory/certs-by-country-interactive-map/csirt-inventory.pdf
Finkle, J. (2013, February 26). Researchers say Stuxnet was deployed against Iran in 2007. Reuters.
Retrieved from https://www.reuters.com/article/us-cyberwar-stuxnet/researchers-say-
stuxnet-was-deployed-against-iran-in-2007-idUSBRE91P0PP20130226
Finnemore, M., & Hollis, D. B. (2016). Constructing Norms for Global Cybersecurity. American
Journal of International Law, 110(3), 425–479.
https://doi.org/10.5305/amerjintelaw.110.3.0425
Finnemore, M., & Sikkink, K. (1998). International Norm Dynamics and Political Change.
International Organization, 52(4), 887–917.
Freedom House - Net. (2017, October 27). Freedom on the Net 2017: Manipulating Social Media to
Undermine Democracy. Retrieved 26 May 2018, from
https://freedomhouse.org/sites/default/files/FOTN_2017_Final.pdf
Godwin, J., Kuplin, A., Frederick Rauscher, K., & Yaschenko, V. (2014). Critical Terminology
Foundations 2: Russia-US Bilateral on Cybersecurity, 1–82.
Gottwald, S. (2009). Study on critical dependencies of energy, finance and transport infrastructures
on ICT infrastructures. Retrieved 25 May 2018, from https://ec.europa.eu/home-
affairs/sites/homeaffairs/files/e-library/docs/pdf/2009_dependencies_en.pdf
Greenberg, A. (2018). How Dutch Police Took Over Hansa, a Top Dark Web Market | WIRED.
Retrieved 27 May 2018, from https://www.wired.com/story/hansa-dutch-police-sting-
operation/
Grigsby, A. (2017). The End of Cyber Norms. Survival, 59(6), 109–122.
https://doi.org/10.1080/00396338.2017.1399730
Guitton, C. (2017). Foiling cyber attacks. In 2017 International Conference on Cyber Security And
Protection Of Digital Services (Cyber Security) (pp. 1–7).
https://doi.org/10.1109/CyberSecPODS.2017.8074853
Hansen, L., & Nissenbaum, H. (2009). Digital Disaster, Cyber Security, and the Copenhagen School.
International Studies Quarterly, 53(4), 1155–1175. https://doi.org/10.1111/j.1468-
2478.2009.00572.x
Hathaway, O., & Shapiro, S., J. (2011). Outcasting: Enforcement in Domestic and International Law.
Yale Law Journal, 121, 252–2405.
67
Hijink, M. (2013). ‘NSA maakte gebruik van hack IT-bedrijf DigiNotar’. Retrieved 5 June 2018, from
https://www.nrc.nl/nieuws/2013/09/14/nsa-maakte-gebruik-van-hack-it-bedrijf-diginotar-
a1431586
Human Rights Council. (2012). 20/8. The promotion, protection and enjoyment of human rights on
the Internet. Retrieved 31 May 2018, from https://documents-dds-
ny.un.org/doc/RESOLUTION/GEN/G12/153/25/PDF/G1215325.pdf?OpenElement
Human Rights Council. (2014). 26/13 The promotion, protection and enjoyment of human rights on
the Internet. Retrieved 31 May 2018, from http://hrlibrary.umn.edu/hrcouncil_res26-13.pdf
Hurwitz, R. (2014). The Play of States: Norms and Security in Cyberspace. American Foreign Policy
Interests, 36(5), 322–331. https://doi.org/10.1080/10803920.2014.969180
Huysmans, J. (2004). Minding Exceptions: The Politics of Insecurity and Liberal Democracy.
Contemporary Political Theory, 3(3), 321–341. https://doi.org/10.1057/palgrave.cpt.9300137
International Telecommunication Union. (2017). ICT Facts and Figures 2017. Retrieved 30
May 2018, from https://www.itu.int/en/ITU-
D/Statistics/Documents/facts/ICTFactsFigures2017.pdf
Jensen, E. T. (2012). Cyber deterrence. Emory International Law Review, 26(2), 773–824.
Kingdom of the Netherlands. (2015). Developments in the field of information and
telecommunications in the context of international security Kingdom of the Netherlands 2015
General appreciation of the issues of information security. Retrieved 1 June 2018, from
https://unoda-web.s3-accelerate.amazonaws.com/wp-
content/uploads/2015/08/NetherlandsISinfull.pdf
Krutskikh, A., & Streltsov, A. (2014). International Law and the Problem of International Information
Security, 1–65.
Kuehl, D. (2009). From Cyberspace to Cyberpower: Defining the Problem. In Cyberpower and
National Security. Washington: Potomac Books.
Kulesza, J. (2009). State Responsibility for Cyber-attacks on International Peace and Security. Polish
Yearbook of International Law, (29), 139–151.
Landelijke Politie. (2018). Operation Power Off – Police close down largest DDoS website. Retrieved
27 May 2018, from https://www.politie.nl/nieuws/2018/april/25/operation-power-
off-%E2%80%93-police-close-down-largest-ddos-website.html
Lewis, J., & Vignard, K. (2016). Report of the International Security Cyber Issues Workshop Series.
United Nations Institute for Disarmament Research (UNIDIR) and Centre for Strategic and
International Studies (CSIS). Retrieved from
http://www.unidir.org/files/publications/pdfs/report-of-the-international-security-cyber-
issues-workshop-series-en-656.pdf
Lopez, J., Setola, R., & Wolthusen, S. D. (2012). Critical infrastructure protection information
infrastructure models, analysis, and defense. Berlin: Springer.
68
Mačák, K. (2017). From Cyber Norms to Cyber Rules: Re-engaging States as Law-makers, 30(4), 877–
899. https://doi.org/10.1017/S0922156517000358
March, J. G., & Olsen, J. P. (1998). The Institutional Dynamics of International Political Orders.
International Organization, 52(4), 943–969. https://doi.org/10.1162/002081898550699
Markoff, M. (2017, June 26). Explanation of Position at the Conclusion of the 2016-2017 UN Group of
Governmental Experts (GGE) on Developments in the Field of Information and
Telecommunications in the Context of International Security. Retrieved 3 March 2018, from
/remarks/7880
Mattioli, R., & Levy-Bencheton, C. (2015). Methodologies for the identification of Critical Information
Infrastructure assets and services — ENISA [Report/Study]. Retrieved 25 May 2018, from
https://www.enisa.europa.eu/publications/methodologies-for-the-identification-of-ciis
Mazanec, B. M. (2015). The evolution of cyber war: international norms for emerging- technology
weapons. Place of publication not identified: Potomac Books.
Mchangama, J. (2016). Freedom of Expression and National Security.(Symposium: The Freedom of
Expression). Society, 53(4), 363–367. https://doi.org/10.1007/s12115-016-0029-1
Ministry of Foreign Affairs of the Russian Federation. (2016). Doctrine of Information Security of the
Russian Federation. Retrieved 3 March 2018, from
http://www.mid.ru/foreign_policy/official_documents/-
/asset_publisher/CptICkB6BZ29/content/id/2563163
Ministry of Defence. (2012). Defence Cyber Strategy - Cyber security - Defensie.nl [onderwerp].
Retrieved 27 May 2018, from
http://www.ccdcoe.org/strategies/Defence_Cyber_Strategy_NDL.pdf
Ministry of Defence. (2013, November 20). Defence Doctrine - Publication - Defensie.nl [publicatie].
Retrieved 27 May 2018, from
https://english.defensie.nl/downloads/publications/2013/11/20/defence-doctrine-en
Ministry of Defence of the Russian Federation. (2010). Military Doctrine of the Russian Federation.
Retrieved 26 May 2018, from http://kremlin.ru/supplement/461
Ministry of Defence of the Russian Federation. (2011). Conceptual Views Regarding the Activities of
the Armed Forces of the Russian Federation in the Information Space. Retrieved 26 May 2018,
from http://www.ccdcoe.org/strategies/Russian_Federation_unofficial_translation.pdf
Ministry of Defence of the Russian Federation. (2014). The Military Doctrine of the Russian Federation.
Retrieved 26 May 2018, from http://rusemb.org.uk/press/2029
Ministry of Foreign Affairs. (2013, June 21). International Security Strategy - Policy note -
Government.nl [beleidsnota]. Retrieved 27 May 2018, from
https://www.government.nl/documents/policy-notes/2013/06/21/international-security-
strategy
69
Ministry of Foreign Affairs. (2017, February 12). International Cyber Strategy - Parliamentary
document - Government.nl [kamerstuk]. Retrieved 27 May 2018, from
https://www.government.nl/documents/parliamentary- documents/2017/02/12/international-
cyber-strategy
Ministry of Foreign Affairs. (2018, March 20). Geïntegreerde Buitenland- en Veiligheidsstrategie
(GBVS) - Rapport - Rijksoverheid.nl [rapport]. Retrieved 27 May 2018, from
https://www.rijksoverheid.nl/documenten/rapporten/2018/03/19/praatplaat-
geintegreerde-buitenland--en-veiligheidsstrategie-gbvs
Ministry of Foreign Affairs of the Russian Federation. (2016a). Doctrine of Information Security of the
Russian Federation. Retrieved 26 May 2018, from
http://www.mid.ru/foreign_policy/official_documents/-
/asset_publisher/CptICkB6BZ29/content/id/2563163
Ministry of Foreign Affairs of the Russian Federation. (2016b). Foreign Policy Concept of the Russian
Federation (approved by President of the Russian Federation Vladimir Putin on November 30,
2016). Retrieved 26 May 2018, from http://www.mid.ru/foreign_policy/official_documents/-
/asset_publisher/CptICkB6BZ29/content/id/2542248
Ministry of Security and Justice. (2011). The National Cyber Security Strategy (NCSS) - Strenght
Through Cooperation. Retrieved from https://english.nctv.nl/binaries/cyber-security-
strategy- uk_tcm32-83648.pdf
Ministry of Security and Justice. (2015). Voortgangsbrief Nationale Veiligheid 12 Mei 2015. Retrieved
31 May 2018, from https://www.nctv.nl/binaries/voortgangsbrief-nationale-veiligheid-12-
mei-2015_tcm31-32518.pdf
Ministry of Security and Justice. (2016, September 16). Nationale Veiligheid; Brief regering;
Voortgangsbrief Nationale Veiligheid [officiële publicatie]. Retrieved 31 May 2018, from
https://zoek.officielebekendmakingen.nl/kst-30821-32.html
Modderkolk, H. (2018). Dutch agencies provide crucial intel about Russia’s interference in US-
elections. Retrieved 27 May 2018, from https://www.volkskrant.nl/g-b4f8111b
National Coordinator for Security and Counterterrorism. (2013, May 14). National Cyber Security
Strategy 2 - From Awareness to Capability [webpagina]. Retrieved 27 May 2018, from
https://english.nctv.nl/binaries/national-cyber-security-strategy-2_tcm32-84265.pdf
National Coordinator For Security and Counterterrorism. (2017, November 23). Cybersecuritybeeld
Nederland 2017: Digitale weerbaarheid Nederland blijft achter op groeiende dreiging | NCSC
[webpagina]. Retrieved 3 March 2018, from
https://www.ncsc.nl/actueel/Cybersecuritybeeld+Nederland/cybersecuritybeeld-nederland-
2017.html
National Coordinator for Security and Counterterrorism. (2018, April 21). Nederlandse Cybersecurity
Agenda: Nederland digitaal veilig - Rapport - Rijksoverheid.nl [rapport]. Retrieved 27 May
70
2018, from https://www.rijksoverheid.nl/documenten/rapporten/2018/04/21/nederlandse-
cybersecurity-agenda-nederland-digitaal-veilig
Nye, J. S. (2016). Deterrence and Dissuasion in Cyberspace. International Security, 41(3), 44–71.
https://doi.org/10.1162/ISEC_a_00266
Radunovic, V. (2017, February 17). Towards a secure cyberspace via regional co-operation. Retrieved
4 March 2018, from https://www.diplomacy.edu/blog/new-study-towards-secure- cyberspace-
regional-co-operation
Rodrigues, M. (2017). Declaration By Miguel Rodríguez, Representative Of Cuba, At The Final Session
Of Group Of Governmental Experts On Developments In The Field Of Information And
Telecommunications In The Context Of International Security. Retrieved 25 May 2018, from
https://www.justsecurity.org/wp-content/uploads/2017/06/Cuban-Expert-Declaration.pdf
Schmitt, M. N. (2013). Tallinn Manual on the International Law Applicable to Cyber Warfare.
Cambridge University Press.
Schmitt, M. N. (2017). Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations.
Retrieved 24 May 2018, from
Schmitt, M., & Vihul, L. (2014). The Nature of International Law Cyber Norms, 1–35.
Schmitt, M., & Watts, S. (2016). Beyond State-Centrism: International Law and Non-state Actors in
Cyberspace. Journal of Conflict and Security Law, 21(3), 595–611.
https://doi.org/10.1093/jcsl/krw019
Security Council of the Russian Federation. (2009). Russia’s National Security Strategy to 2020 -
Rustrans. Retrieved 26 May 2018, from http://rustrans.wikidot.com/russia-s-national-
security-strategy-to-2020
Security Council of the Russian Federation. (2013). Basic principles for State Policy of the Russian
Federation in the field of International Information Security. Retrieved 26 May 2018, from
http://www.scrf.gov.ru/security/information/document114/
Shannon, V. P. (2000). Norms Are What States Make of Them: The Political Psychology of Norm
Violation. International Studies Quarterly, 44(2), 293–316. https://doi.org/10.1111/0020-
8833.00159
Tamkin, E. (2017). 10 Years After the Landmark Attack on Estonia, Is the World Better Prepared for
Cyber Threats? Retrieved 5 June 2018, from https://foreignpolicy.com/2017/04/27/10-years-
after-the-landmark-attack-on-estonia-is-the-world-better-prepared-for-cyber-threats/
Trombetta, M. J. (2008). Environmental security and climate change: analysing the discourse.
Cambridge Review of International Affairs, 21(4), 585–602.
https://doi.org/10.1080/09557570802452920
United Nations. (2015). Charter of the United Nations: Chapter VII — Action with respect to Threats
to the Peace, Breaches of the Peace, and Acts of Aggression - Article 51. Retrieved 31 May
2018, from http://www.un.org/en/sections/un-charter/chapter-vii/index.html
71
United Nations General Assembly. (1998a). A/53/PV.79 - United Nations Official Document - General
Assembly Official Records Fifty-third Session 79th plenary meeting Friday, 4 December 1998,
10 a.m. New York. Retrieved 4 June 2018, from
http://www.un.org/en/ga/search/view_doc.asp?symbol=A/53/PV.79
United Nations General Assembly. (1998b). A/RES/53/70 - Developments in the field of information
and telecommunications in the context of international security. Retrieved 24 May 2018, from
http://undocs.org/A/RES/53/70
United Nations General Assembly. (1998c). First Committee Bureau - Disarmament and International
Security. Retrieved 4 June 2018, from https://www.un.org/ga/53/session/first/bureau1.htm
United Nations General Assembly. (2003). A/RES/58/32 - Resolution adopted by the General Assembly
on 8 December 2003. Retrieved 24 May 2018, from
http://www.un.org/en/ga/search/view_doc.asp?symbol=A/RES/58/32
United Nations General Assembly. (2010). A/65/201 - Report of the Group of Governmental Experts
on Developments in the Field of Information and Telecommunications in the Context of
International Security. Retrieved 24 May 2018, from
http://www.un.org/ga/search/view_doc.asp?symbol=A/65/201
United Nations General Assembly. (2011). Letter dated 12 September 2011 from the Permanent
Representatives of China, the Russian Federation, Tajikistan and Uzbekistan to the United
Nations addressed to the Secretary-General. Retrieved 24 May 2018, from
http://undocs.org/A/66/359
United Nations General Assembly. (2013a). A/68/98 - Report of the Group of Governmental Experts
on Developments in the Field of Information and Telecommunications in the Context of
International Security. Retrieved 24 May 2018, from
http://www.un.org/ga/search/view_doc.asp?symbol=A/68/98
United Nations General Assembly. (2013b). A/68/156/Add.1 - Developments in the field of
information and telecommunications in the context of international security- Report of the
Secretary-Genera- Addendum** A/68/156/Add.1 - E. Retrieved 31 May 2018, from
http://undocs.org/A/68/156/Add.1
United Nations General Assembly. (2014a). A/RES/68/167 - Resolution adopted by the General
Assembly on 18 December 2013 - 68/167. The right to privacy in the digital age. Retrieved 31
May 2018, from https://ccdcoe.org/sites/default/files/documents/UN-131218-
RightToPrivacy.pdf
United Nations General Assembly. (2014b). A/RES/69/166 - Resolution adopted by the General
Assembly on 18 December 2014 - 69/166. The right to privacy in the digital a. Retrieved 31
May 2018, from http://undocs.org/en/A/RES/69/166
United Nations General Assembly. (2015a). A/69/723 - Letter dated 9 January 2015 from the
Permanent Representatives of China, Kazakhstan, Kyrgyzstan, the Russian Federation,
72
Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General.
Retrieved 26 May 2018, from http://undocs.org/A/69/723
United Nations General Assembly. (2015b). A/70/174 - Report of the Group of Governmental Experts
on Developments in the Field of Information and Telecommunications in the Context of
International Security A/70/174. Retrieved 25 May 2018, from
http://www.un.org/ga/search/view_doc.asp?symbol=A/70/174
United Nations General Assembly. (2017). A/72/315 - Developments in the field of information and
telecommunications in the context of international security - Report of the Secretary-General.
Retrieved 4 June 2018, from http://undocs.org/A/72/315
Von Heinegg, W. H. (2015). International Law and International Information Security: A Response to
Krutskikh and Streltsov. International Law and International Information Security, 9, 1–17.
Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers &
Security, 38(C), 97–102. https://doi.org/10.1016/j.cose.2013.04.004
Weidmann, N. B. (2015). Communication, technology, and political conflict: Introduction to the special
issue. Journal of Peace Research, 52(3), 263–268.
https://doi.org/10.1177/0022343314559081
Weissbrodt, D. (2013). Cyber-conflict, cyber-crime, and cyber-espionage. Minnesota Journal of
International Law, 22(2), 347–387.
Zwienen, S. van. (2018, January 29). Na ABN AMRO en ING ook Rabobank getroffen door zware
cyberaanval. Retrieved 5 June 2018, from https://www.ad.nl/binnenland/na-abn-amro-en- ing-
ook-rabobank-getroffen-door-zware-cyberaanval~a0eae3f8/
