Why international law and norms do little in preventing non-state cyber attacks

Abstract

\n In this article, I investigate why international law and norms have failed to keep cyberspace peaceful. The problem comes mainly from their failure to address what non-state actors, such as individual hackers and technology firms, do in cyberspace. Created by the extensive input of government officials decades ago with heavy focus on states as primary actors of international politics, international law is incoherent with the dominance of non-state actors as de facto operators of cyberspace. The critical problem shared by international law and institutions of having no “teeth” to penalize non-state violence extends to cyberspace. As a result, noncompliance with international law has become practical, and it has even bolstered the private sector, especially major technology firms, to assert themselves in the legal void, leverage their digital products to reshape norms, and become norm entrepreneurs in the business of digital defense. However, the multiplication of norm entrepreneurs has accelerated in an uncoordinated manner, and the way they built their interests does not neatly align with those of the states. While some norms of cyberspace behavior have been accepted, many others remain contested. In the meantime, norm discourse in diplomatic venues, including in multilateral debates at the United Nations, has become highly undemocratic, dominated by a small mix of great powers and active middle powers that are also split over what norms should guide state and nonstate behaviors.