Global digital growth is continuing to fundamentally transform the lives of people, businesses and institutions, bringing people out of poverty, increasing wider prosperity, welfare and enabling new ways for governments and citizens to engage with each other. It is also creating a more connected world and supporting globalisation with greater access to free markets, democratic systems, prosperity and innovation.

But as we become more reliant on cyberspace, malicious cyber activity has grown in intensity, complexity and severity over recent years, with rising incidents of cybercrime and hostile states targeting critical national infrastructure, democratic institutions, business and media. There is too much at risk to allow cyberspace to become a lawless world and we need to continue to work together to identify the rules of the road in how international law applies to state behaviour in cyberspace just as it does to activities in other domains.

The 11 norms, as part of the UN framework of responsible state behaviour in cyberspace, is a way to help develop those rules of the road and the UK, as part of our outreach, is committed to supporting partners across all continents be better able to both implement the norms but also be better empowered to join in the international debate in the UN.

This ASPI programme has provided an insight into meaningful measures being put in place across ASEAN to deliver the norms, showcasing the region as trailblazing good practice and policies. Sharing and communicating these is in itself a confidence building measure and the examples shared in this report will have an impact across the global debate.

The UK, as a responsible democratic cyber power is proud to have supported this report and we look forward to future activity in the ASEAN region and globally to help shape the future frontiers of an open and stable international order in cyberspace.

- Will Middleton, Foreign, Commonwealth and Development Office, UK

Advances in cyber and critical technology underpin our future prosperity but they also have the potential to harm national and economic security interests and undermine democratic values and principles. The countries that can harness the current wave of innovation while mitigating its risks will gain significant economic, political and security advantages and will be at the forefront of 21st century leadership.

As states increasingly exert power and influence in cyberspace, it is important that there are clear rules in place. In other words, cyberspace is not the Wild West, all countries have agreed that existing international law applies in cyberspace and all countries have endorsed UN norms of responsible state behaviour.

The Plan of Action to Implement the ASEAN Australia Strategic Partnership 2020–2024 details our joint commitment to an open, secure, stable, accessible and peaceful ICT environment. Australia will continue to work closely with our ASEAN partners to deepen understanding and implementation of longstanding agreements of international law and norms in cyberspace.

This report, produced by APSI in partnership with Australia’s Cyber and Critical Technology Cooperation Program and the UK Foreign, Commonwealth and Development Office, is the result of a multi-year cyber-capacity building program focused on supporting the effective implementation of UN norms throughout ASEAN.

These 11 norms lay the groundwork for collective expectations for state behaviour in cyberspace. They are the bedrock on which regional and bilateral agreements around state behaviour in cyberspace are built and create a mutually reinforcing set of agreements and expectations.

Australia is grateful for ASPI’s tireless work on this important cyber-capacity building project helping to kickstart the process of understand and actioning the norms and behaviours which are central to an open, free, safe and secure cyberspace.

- Dr Tobias Feakin, Ambassador for Cyber Affairs and Critical Technology, Australia

This document is the result of a multi-year cyber capacity-building program by ASPI in partnership with the UK Foreign, Commonwealth and Development Office and the Australian Department of Foreign Affairs and Trade (Cyber and Critical Technology Cooperation Program). Through the project, the partners sought to support member states of the Association of Southeast Asian Nations (ASEAN) with the implementation of the United Nations (UN) norms of responsible state behaviour in cyberspace. The content of this publication is primarily based on experiences, inputs and outputs from activities run under this program.

The UN norms were first agreed by a UN group of governmental experts in 2015. The group’s report was subsequently endorsed by consensus at the UN General Assembly in 2015 through resolution 70/237. It called on all member states ‘to be guided in their use of ICTs’ by the 2015 report. The focus on the operationalisation and implementation of the UN norms was also front and centre in the 2019–2021 round of UN First Committee negotiations. The report of the OEWG recommended that states ‘further support the implementation and development of norms’. The 2021 UNGGE report offers an additional layer of understanding to help governments with their implementation.

In 2018, the ASEAN leaders expressed a commitment to operationalise the UN norms as a core element in ASEAN’s approach to promoting regional stability in cyberspace. That same year, the ASEAN ministers responsible for cybersecurity subscribed in principle to the norms. At the 2019 ASEAN Ministerial Conference on Cybersecurity, they agreed to establish a working committee to develop a framework for implementation.

In compiling this document, ASPI intends to contribute to the ongoing UN and ASEAN working groups, and offer participants region-specific perspectives based on real and observed examples of good practice. The information was gathered through various regional workshops and training activities that took place between 2019 and 2021, and supplemented with open-source research.

This document consists of two main parts:

1. An explanation of the norms implementation process.
2. Practical guidance on implementation with examples from the ASEAN region.

Each government is responsible for its own pathway to implementation and for informing other states of its efforts. Expectations of national and regional implementation will alter as states start to focus on local implementation and as understanding of the norms’ meaning grows.

This document should help kickstart that process of understanding and actioning. It should be considered a living document that supports a gradually maturing regional approach.

This document will help policymakers and state officials answer questions such as:

• What examples can governments consider to demonstrate their efforts in implementing the UN norms?
• How can a state demonstrate that it is implementing and following the UN norms of responsible state behaviour in cyberspace?
• Where can a state find advice, assistance and support to advance further implementation efforts?

Part A: the implementation process explained

In this first part of the document, the process for implementation of the UN cyber norms is explained. It starts with a clarification of the concept of international norms, how the cyber norms work and what practical steps make up an implementation effort. Examples of mechanisms and tools to demonstrate implementation efforts are also provided. At the end, we elaborate on the reasons why states would want to make an effort to implement the UN norms of responsible state behaviour in cyberspace.

Full text of the UN cyber norms

1. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;
2. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;
3. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
4. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;
5. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;
6. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;
7. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;
8. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;
9. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;
10. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICTdependent infrastructure;
11. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

What are the UN norms of responsible state behaviour in cyberspace?

The UN norms of responsible state behaviour in cyberspace (Figure 1) are 11 voluntary and non-binding rules that describe what states should and should not be doing in cyberspace.

Figure 1: The UN norms of responsible state behaviour in cyberspace

The content of the 11 norms reflects the expectations that the broader international community has of each state and regional organisation.¹ They express a common opinion of what is considered to be responsible behaviour by states. Naturally, this collective opinion of what is responsible and what is irresponsible behaviour develops over time as understanding of cybersecurity deepens, incidents occur, and more governments contribute to the process.

The purposes of the norms as reflected in UNGA Resolution 70/237 are to reduce risks to international peace and security, and to contribute to conflict prevention. They have been crafted to deal with state-to-state actions that could potentially carry the highest risks to international peace and security and the welfare of citizens.

Norms in international affairs are political agreements. They do not infringe on a state’s sovereignty or impose legal obligations on states.³ In fact, the norms provide a common basis for a state to design strategic direction, develop capabilities and execute actions in a responsible manner.

The UN norms process

International efforts to establish norms of responsible state behaviour in cyberspace concentrate around the work of two groups: the UNGGE and the OEWG.

The first UN group of governmental experts convened between 2004 and 2005, and a sixth round of negotiations concluded in 2021. Four rounds concluded with consensus reports, in 2010, 2013, 2015 and 2021. The OEWG was first established in 2019, and a second round has commenced in 2021 for a period of five years.

The UNGGE and OEWG are predominantly intergovernmental negotiation processes with—at times—opportunities for consultations with non-government organisations and civil society. Those consultations have, however, a non-official character.

Member states of ASEAN have been participating in all the meetings of the UNGGE and the OEWG that have convened since 2004. Figure 5 shows ASEAN member states’ participation in the UNGGE and OEWG since 2004. Stars indicate a country’s membership of the UNGGE, and its active participation in the OEWG as determined by written submissions or oral statements.

Figure 5: ASEAN member states’ participation in UN norms processes 2004-2021.

Notes: * Although Brunei has not participated in the UNGGE or the OEWG, it did offer a national views document in 2017; it was the first ASEAN member state to do so. # Although Vietnam did not offer written submissions or made any statements, representatives formally attended OEWG meetings in New York.

In parallel to the UN-facilitated intergovernmental negotiation processes, various multistakeholder and other government-led initiatives have formed too. Examples include:

• Cyber Tech Accord: a commitment of 150+ companies to work together and follow a set of principles that seeks to protect and empower users and customers
• Paris Call for Trust and Security in Cyberspace: a multistakeholder commitment to work together to reduce risks to the stability of cyberspace and to build up confidence, capacity and trust
• Agreement on Cooperation in the Field of ICTs: a proposal by the Shanghai Cooperation Organisation’s six member countries for an international code of conduct
• World Wide Web Foundation Contract for the Web: an internet community-led initiative to advance principles of accessibility, affordability, availability and rights-based principles of respect for human rights and privacy for all in the operations of the internet.

What do norms do?

Norms typically codify existing state practice. The UN norms, as introduced in UNGA Resolution 70/237, set the standards of what the international community considers responsible on the basis of observed behaviour by state actors in the past and currently. With these agreed norms, activities and intentions of states can be subjected to assessments. States can be complimented on their response to an incident, or national practices can be heralded as global good practice. Also, states can be reprimanded if they haven’t done enough to prevent an incident, or if they have used cyber capabilities in an irresponsible manner.

In practice, governments will use international norms, such the UN norms of responsible state behaviour in cyberspace, in three ways:

1. To serve as a point of reference to reassure other states of their good intentions and to demonstrate that they are constructive members of the international community.
2. To serve as a point of reference to guide national cybersecurity policy and national cybersecurity investments.
3. To serve as a point of reference to hold other actors responsible for behaviour that is not in line with the UN norms for responsible state behaviour.

Governments that embrace the UN norms and can report on their efforts contribute to predictability, trust and confidence in cyberspace.

How do norms work?

The implementation of internationally agreed political agreements is always challenging. As they have been crafted through an intergovernmental negotiation process, their language and terminology can be ambiguous. For that reason and in the absence of an overall blueprint, it is important that states find their own way and form their own view and approach to embracing the UN’s normative framework.

Figure 2: The four components that make up the UN framework of responsible state behaviour in cyberspace.

The 11 norms should be seen in their entirety and not as a ‘pick-and-choose’ menu. It is important that governments review their efforts in a comprehensive manner covering aspects that touch on issues of national (cyber)security, security of ICTs as well as on constructive inter-state relations.

Furthermore, governments need to keep in mind that the 11 norms are part of a broader framework that also includes the recognition that international law applies to state conduct in cyberspace, a set of confidence-building measures and a commitment to coordinated capacity building.⁴ Together, those four components make up the UN framework of responsible state behaviour in cyberspace (Figure 2).

In general, the more states show commitment to the norms and actively engage in their implementation, the more robust the norms become and the more compelling the call for compliance becomes.

What does the implementation of international norms involve?

States can demonstrate their implementation of international norms of behaviour in various ways (see figure 3). Typically, implementation occurs at three different levels: at the level of political endorsement, national laws and policies, and actions on the ground (Figure 3).

1. First, political endorsement can be demonstrated, for example, through voting in favour of relevant resolutions at the UN General Assembly, by subscribing to ASEAN leaders’ statements and by (prime) ministerial statements.
2. Second, states can integrate or internalise norms (explicitly or implicitly) in national legal frameworks, strategies and national policies.
3. Third, a state can demonstrate implementation by referring to its government practices in the form of its institutional capabilities, doctrine and procedures, and actions. Those practices can offer de facto evidence of a state’s effort to follow norms of responsible behaviour, as they demonstrate an ability and willingness to act.

Implementation of international norms of responsible state behaviour

Figure 3: A framework for the implementation of norms.
_{Source: The author.}

Responsibility for the implementation of the UN norms rests with governments. In practice, however, meaningful implementation will rely on individual governments’ ability and willingness to consult and collaborate with industry, civil society organisations, the internet technical community and academia, and on governments’ ability to ensure a whole-of-government approach.

For the purpose of including views, expertise and capabilities of non-government stakeholders, mechanisms such as a national action plan or a national road map are proven methods that help build a national or whole-of-economy approach to cybersecurity.

What’s a trajectory for the implementation of norms?

Building a national approach to cybersecurity let alone the implementation of the UN norms is neither straightforward nor instant. Typically, stakeholders go through a step-by-step process of gradually increasing their understanding, maturity and comfort with the topic (see figure 4).

1. A first step is to build awareness across the government of its international responsibilities. This could be achieved through a dedicated training program or awareness campaign on the UN norms.
2. This should lay the foundation for a cross-governmental recognition that the government is committed to the UN’s normative approach and is willing to be guided by it in its national and international cybersecurity activities.
3. What follows could be an assessment of where the country stands in its implementation efforts. Such a baseline assessment could be done by a third party or through a whole-of-government mapping process.
   
   Figure 4: A step-by-step process towards implementation.
4. The outcome of the baseline assessment will inform the government of its strengths and areas for improvement.
5. This could then lead to domestic investments in particular areas of cybersecurity, to requesting assistance from the global cyber capacity-building community, or to offers of expertise to others.
6. At the end of these steps, one can presume a state to be implementing the UN norms commensurate with its own means and capabilities.

The implementation of norms is a dynamic process that evolves as a country’s maturity in cybersecurity grows over time. At the same time, it’s unlikely that any state will ever reach a state of ‘full implementation’, just as no state will ever be 100% cybersecure.

How can governments demonstrate implementation?

For the purpose of the UN norms (to reduce risks to international peace and security, and to contribute to conflict prevention), it is critical that states demonstrate what they’re doing and what they intend to do. Therefore, documenting and reporting are critical in implementation.

There are several ways for states to make their views, achievements and known capacity shortfalls known.

1. Reporting through the UN Secretary-General

On regular occasions, the UN Secretary-General invites member states to share their views and assessments (see figure 6). Governments can share their ‘general appreciation of the issues of information security; efforts taken at the national level to strengthen information security and promote international cooperation in this field; the content of concepts such as the application of international law; and possible measures that could be taken by the international community to strengthen information security at the global level’.

Figure 6: UN member states’ views and assessments

2. Submissions through UN working groups

As part of the ongoing OEWG process, member states are encouraged to provide written submissions or statements to the working group. The statements are shared by the UN Secretariat to other member states, the chair(s) and non-government stakeholders. States are also encouraged to participate in a UN-facilitated survey of their national efforts and experiences.

3. ASEAN Regional Forum

The ARF’s semi-annual Inter-Sessional Meeting on ICT Security offers participants an opportunity to exchange their views on the regional and global ICT landscape and their efforts and initiatives. For the ARF’s annual security outlook, member countries are asked to submit a contribution that includes a section for ‘cyber/ICT security’.

4. Recognition by third party/ies

A state can engage third-party organisations to perform an external assessment and prepare a report. This could be done through a capacity-building relationship, such as ASPI’s national norms implementation reports (see figure 7). ASEAN member states can also make use of their academic and think-tank organisations such as those represented in ASEAN–ISIS and the Council for Security Cooperation in the Asia Pacific (CSCAP).

Figure 7: ASPI national norms implementation reports

Why would states make an effort to implement the UN cyber norms?

There are a few reasons why states would make the effort to implement international norms, such as the UN norms of responsible state behaviour in cyberspace.

1. Cyber resilience. By following the recommendations from the norms and through acts of implementation, States are effectively strengthening their national cybersecurity maturity. Therefore, implementation of the norms is directly contributing to a nation’s ability to protect against malicious cyber activity, reduce exposure to risks and vulnerabilities in ICTs, and respond to malicious ICT activity.
2. International credibility. Most states want to be, and be seen as, responsible members of the international community. Showing demonstrable support for norms of responsible behaviour adds to a country’s international and regional credibility. Domestically, the implementation of international norms helps governments provide direction to their national cybersecurity policy and developments.
3. Contribute to norm-setting. The effective demonstration of implementation allows states to shape the common opinion of what is and what is not considered responsible behaviour of states and ensure that international expectations align with the local and regional context.
4. Reassurance, accountability and transparency. In a situation in which a large enough group of states can show demonstrable implementation of the UN norms, each within its own means and capabilities and within its national and regional context, a global environment is created in which states can be reassured of each other’s willingness and ability to prevent unnecessary tensions and unintended conflict. Altogether, this adds to the accountability and transparency of state activities in cyberspace.

To read part B, please download the full report here.