Ilina Georgieva
By implementing novel intelligence techniques in cyberspace, security and intelligence agencies have become major actors in the cybersecurity landscape. As they no longer just passively gather information for their governments but conduct both defense and offense operations in cyberspace, they signal international actors that their conduct is at least tolerable, even if not officially acceptable. Thereby, the intelligence agencies generate norms for the rest of the international community. Yet, they remain under the international regulation radar for being sub-state entities. Consequently, the main argument of this article is the following: To prevent the hollowing-out of cyber regulation efforts, the norm-setting role of intelligence actors should be taken into account when designing cyber norms.
International cybersecurity regulation is still in its infancy due to ongoing debates on how international law applies to the cyber domain. Cyber norms processes–designed to create some general rules of the road in the meantime–have also not come to fruition yet. This is partially due to the inherently slow nature of creating international regulations, where agreements even among friends are laborious. A further reason is the general preference of international actors for strategic ambiguity (Broeders, Boeke, & Georgieva, 2019Broeders, D., Boeke, S., & Georgieva, I. (2019). Foreign intelligence in the digital age. Navigating a state of ‘unpeace’. The Hague Program For Cyber Norms Policy Brief. September 2019. [Google Scholar], p. 3) when dealing with quickly evolving cyber threats and capabilities. Not committing to a regulatory framework helps them buy time, while exploring and stretching both technological and normative boundaries.
/arc-anglerfish-arc2-prod-mco.s3.amazonaws.com/public/6KK3K4IJPND2LLWWQQHAOZKA2I.jpg)
