# Cyber Norms and International Law
## Definition and Overview
Cyber norms are the agreed standards of responsible state behavior in cyberspace. International law as applied to cyber operations refers to the body of treaties, customary international law, and judicial decisions that govern what states may and may not do when they use cyber tools as instruments of policy. Together, these two bodies of guidance represent the closest thing the international community has to a rulebook for state conduct in the digital domain.
The critical practical distinction is between norms, which are voluntary standards of expected behavior, and binding international law, which carries the force of legal obligation. In cyberspace, the boundary between these two categories is frequently blurred. States have reached broad consensus that existing international law applies to cyberspace, but persistent disagreements over how specific rules apply to specific cyber operations mean that the practical legal constraints on state behavior remain deeply contested.
For organizations operating critical infrastructure, conducting cross-border business, or serving government sector clients, understanding this normative and legal environment is not academic. The evolving framework shapes national cybersecurity law, the regulatory requirements imposed on operators of essential services, and the diplomatic and legal tools available when state-sponsored attacks occur. Within the Planetary Defense Model, the Risk Governance and Assurance (RGA) domain tracks this evolving environment because it directly determines what compliance obligations clients face and what legal remedies exist when those clients are targeted.
## Background
The modern effort to establish cyber norms through multilateral diplomacy began in earnest at the United Nations in the early 2000s. The central venue was the UN Group of Governmental Experts (GGE), a deliberative body composed of representatives from a rotating set of member states, typically fifteen to twenty-five countries, tasked with studying threats from the use of information and communications technologies (ICTs) and recommending cooperative measures. The first group, convened in 2004, could not agree on a report; the second produced a short consensus report in 2010 that set the agenda for the groups that followed.
Three of the GGE's consensus reports are landmarks (a further group, convened in 2016, failed to reach consensus at all). The 2013 report (A/68/98) established the foundational consensus that international law, and in particular the UN Charter, applies to state conduct in cyberspace. This was not self-evident at the time: some states had argued that cyberspace was a new domain requiring entirely new legal instruments, while others contended that existing law already applied in full. The 2013 report came down on the side of existing law, but left the application of specific rules to specific operations undefined.
The 2015 GGE report (A/70/174) went further by recommending eleven voluntary, non-binding norms of responsible state behavior. Among them: states should not conduct or knowingly support ICT activity that intentionally damages critical infrastructure or otherwise impairs its ability to provide services to the public (power grids, financial systems and water treatment plants being the usual examples); states should respond to appropriate requests for assistance from a state whose critical infrastructure is subject to malicious ICT acts; states should not harm authorized computer security incident response teams (CSIRTs) or use their own CSIRTs for malicious activity; states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs; and states should take reasonable steps to ensure the integrity of the ICT supply chain and encourage responsible reporting of vulnerabilities. The 2015 norms became the de facto baseline for diplomatic discussion of responsible state behavior; the General Assembly welcomed the report by consensus later that year and called on all member states to be guided by it, and subsequent bilateral and multilateral agreements routinely invoke it.
The 2021 GGE report (A/76/135) reaffirmed the 2015 norms, added a layer of implementation guidance describing how states could operationalize each norm domestically, and expanded on norms that had received little elaboration in 2015, including the integrity of the ICT supply chain. It also contained the GGE's most detailed treatment of how international law applies, and was accompanied by a compendium of voluntary national positions on that question. The 2021 report also acknowledged the Open-Ended Working Group, a parallel track that opened participation beyond the invitation-only GGE model.
The UN Open-Ended Working Group (OEWG), established by General Assembly resolution 73/27 in December 2018, broadened participation to all UN member states and opened limited consultative roles to civil society and industry; its first consensus report was adopted in March 2021. Universal inclusion has both strengthened the legitimacy of the OEWG's outputs and complicated consensus, since states with fundamentally incompatible interests in cyberspace must formally agree on every line of text. A second OEWG, established by resolution 75/240 at the end of 2020 with a mandate running from 2021 through 2025, is focused on translating the agreed normative framework into practical implementation capacity.
## Why It Matters
The relevance of cyber norms and international law to practitioners is not always obvious. Norms are voluntary. State actors routinely violate them. The enforcement mechanisms are diplomatic rather than coercive. So why should a security program manager or a risk governance professional pay attention?
The answer operates on three levels.
First, the normative framework shapes national law. When states commit to cyber norms at the international level, they create domestic political and legal pressure to codify those commitments in national legislation. The European Union's Directive on security of network and information systems (NIS, 2016) and its successor NIS2 (2022), the U.S. incident reporting regime that CISA is implementing under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), and sector-specific cyber regulations for critical infrastructure all reflect, in part, commitments governments have made at the international level. Organizations subject to these regimes are indirectly subject to the normative framework whether they know it or not.
Second, the legal framework determines what governments may lawfully do in response to cyber attacks, and that response calculus affects how threat actors calibrate their operations. If a state concludes that a specific cyber operation crosses the threshold of an armed attack, it may invoke the right of self-defense under Article 51 of the UN Charter. If it concludes that the operation violates its sovereignty or the principle of non-intervention but does not rise to the level of an armed attack, it may respond with countermeasures: measures that would otherwise be unlawful but are permitted, within limits of necessity and proportionality, to induce the responsible state to stop. Either response presupposes that the operation has been attributed to a state. These legal determinations by targeted governments shape the operational environment in which threat actors, including those that target private sector organizations, make their own risk calculations.
Third, for government sector clients and organizations operating in regulated critical infrastructure sectors, the legal environment directly affects incident response strategy. A ransomware payment to a group or individual on OFAC's sanctions lists can violate U.S. sanctions law, which imposes strict liability regardless of whether the payer knew whom it was paying. A cyber attack that crosses certain legal thresholds may trigger government assistance obligations or mandatory incident reporting. Knowing where these thresholds sit requires understanding the underlying legal framework.
## Analysis and Technical Details
### The UN Charter and the Use of Force Threshold
The foundational legal question in cyber operations is whether the UN Charter's prohibition on the use of force, codified in Article 2(4), and the corresponding right of self-defense in Article 51, apply to cyber operations. The current international consensus, established in the 2013 GGE report and affirmed repeatedly since, is yes: the Charter applies to cyberspace.
The practical difficulty lies in determining when a cyber operation rises to the level of an "armed attack" that triggers the right of self-defense. The International Court of Justice's 1986 Nicaragua judgment held that only the most grave forms of the use of force qualify as armed attacks, distinguished from lesser uses of force by their scale and effects. Translating this test to cyber operations means asking whether the consequences of an operation are comparable to those of a conventional armed attack. An operation that destroys physical infrastructure, causes death or injury, or disables critical national systems would likely cross the threshold. An operation that causes temporary disruption, embarrassment, or purely economic loss probably does not, and where exactly the line falls between those cases remains the subject of continuing disagreement among states.
The threshold question has significant practical implications. Below-threshold operations, which account for the vast majority of state-sponsored cyber activity, do not trigger the right of armed self-defense, but they may still be internationally wrongful on other grounds, including the principle of non-intervention (which prohibits coercive interference in matters a state is entitled to decide for itself, such as its political system or the conduct of its elections) and the sovereignty principle.
### Sovereignty and Due Diligence
The sovereignty principle holds that a state has sovereign authority over the ICT infrastructure located in its territory, and the GGE reports of 2013, 2015 and 2021 all affirm that sovereignty applies to state ICT activities. What that affirmation means in practice is far less settled. Tallinn Manual 2.0 (Rule 4) treats sovereignty as a primary rule of international law, so that unauthorized intrusion into another state's government networks or interference with its critical infrastructure can in itself be an internationally wrongful act. Not all states accept this: the United Kingdom has stated publicly that sovereignty is a principle rather than a standalone rule that a cyber operation can breach, and the United States has expressed similar reservations, a caution that is hard to separate from both countries' own offensive cyber activities. Other states, including France and the Netherlands, have endorsed sovereignty as a rule.
The due diligence principle is related but distinct. The 2015 norms state that a state should not knowingly allow its territory to be used for internationally wrongful acts using ICTs, which puts a host state on notice to act against criminal or state-sponsored actors operating from its soil once it is aware of them. Whether this is also a binding obligation, rather than a voluntary norm, is disputed: Tallinn Manual 2.0 (Rules 6 and 7) treats due diligence as a rule of customary international law, while several states have declined to accept that it applies in cyberspace. In practice, Russia has repeatedly allowed ransomware operations to proceed from its territory unimpeded. The norm provides diplomatic and legal vocabulary for calling this out, but no enforcement mechanism to stop it.
### The Tallinn Manual
The Tallinn Manual is a non-binding academic study of how international law applies to cyber operations, produced by international groups of independent legal experts convened by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). Tallinn 1.0 (2013) addressed the law applicable to state-sponsored cyber operations in and around armed conflict, focusing on the jus ad bellum (when a state may resort to force) and the jus in bello (the law governing the conduct of hostilities). Tallinn 2.0 (2017) expanded the analysis to peacetime operations below the armed attack threshold, addressing sovereignty, due diligence, state responsibility, human rights law, diplomatic law, and the law of the sea as applied to cyber operations.
The Tallinn Manual does not represent official state positions and is explicitly non-binding. Its importance lies in the rigor of its legal analysis and its influence on state legal thinking. Many government legal advisors in Western states treat the Tallinn Manual as the most authoritative available analysis of these questions, even when their governments have not formally endorsed its conclusions. For practitioners advising government clients, familiarity with Tallinn Manual concepts is essential for understanding the legal reasoning that will govern incident response discussions at the interagency level.
## CDA Perspective
The Planetary Defense Model addresses international law and cyber norms within two domains: Risk Governance and Assurance (RGA) and Threat Intelligence and Defense (TID). This dual placement reflects the reality that the normative framework operates simultaneously as a governance environment shaping regulatory requirements and as an intelligence context shaping how threat actors behave.
In the RGA domain, CDA's Perpetual Compliance Assurance (PCA) methodology tracks the evolving legal and regulatory environment that directly determines what clients are required to do. The international norms framework is upstream of most domestic regulation affecting critical infrastructure operators. Understanding UN GGE outputs, OEWG developments, and state practice in applying international law allows CDA to anticipate regulatory changes before they are codified and help clients build compliance programs that are durable across regulatory cycles.
In the TID domain, CDA's Predictive Defense Intelligence (PDI) methodology incorporates the norms framework as part of the threat actor context layer. Understanding what states have formally agreed not to do, and observing where their actual operations deviate from those commitments, provides a sharper picture of threat actor intent and risk tolerance. States that systematically violate norms they have formally accepted are not constrained by diplomatic pressure; they are constrained only by technical capability, operational risk, and perceived cost-benefit calculations. PDI analysis incorporates this understanding to produce more accurate threat assessments for clients in targeted sectors.
The practical conclusion CDA draws for government sector and critical infrastructure clients is this: the norms framework has real value as a rhetorical, diplomatic, and legal tool, but it does not function as an operational constraint on sophisticated state actors. Compliance with domestic regulatory regimes is mandatory; the normative framework helps explain where those regimes are headed. Defensively, organizations cannot rely on international law to deter attacks from Russia, China, North Korea, or Iran. They must build technical defenses that function in the absence of effective international enforcement.
## Key Takeaways
- The 2013 UN GGE report established that international law applies to state conduct in cyberspace. The 2015 report recommended eleven voluntary norms of responsible state behavior, including the norm against damaging critical infrastructure that serves the public and the commitment to respond to requests for assistance with incident response.
- The UN Charter's prohibition on the use of force and the right of self-defense both apply to cyber operations, but the threshold for what constitutes an "armed attack" in the cyber domain remains debated and has not been settled by any binding international authority.
- The Tallinn Manual provides the most detailed non-binding analysis of international law applied to cyber operations. While it does not represent official state positions, it is the reference that legal advisors in Western governments most often start from.
- The gap between agreed norms and actual state behavior is large and persistent. Russia, China, North Korea, and Iran all conduct operations that clearly violate norms they have formally accepted at the UN. The framework functions as a diplomatic and rhetorical tool, not as an operational constraint.
- For risk governance practitioners, the norms framework matters because it shapes domestic regulation. For threat intelligence practitioners, it matters because knowing where states have chosen to violate their commitments clarifies threat actor intent and risk tolerance.
- CDA's RGA domain tracks this environment through the PCA methodology, ensuring clients understand the regulatory trajectory driven by international normative commitments. CDA's TID domain incorporates norm violation patterns into PDI threat actor assessments.
## Sources
- United Nations Group of Governmental Experts. "Report on Developments in the Field of Information and Telecommunications in the Context of International Security." A/68/98, 2013. https://undocs.org/A/68/98
- United Nations Group of Governmental Experts. "Report on Developments in the Field of Information and Telecommunications in the Context of International Security." A/70/174, 2015. https://undocs.org/A/70/174
- United Nations Group of Governmental Experts. "Report on Developments in the Field of Information and Telecommunications in the Context of International Security." A/76/135, 2021. https://undocs.org/A/76/135
- United Nations Open-Ended Working Group. "Final Substantive Report." A/AC.290/2021/CRP.2, 2021. https://www.un.org/disarmament/ict-security/
- Schmitt, Michael N., ed. "Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations." Cambridge University Press, 2017.
- Schmitt, Michael N., ed. "Tallinn Manual on the International Law Applicable to Cyber Warfare." Cambridge University Press, 2013.
- International Court of Justice. "Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v. United States of America)." ICJ Reports 1986.
- Criddle, Evan J. and Fox-Decent, Evan. "Sovereignty's Functional Equivalence in Cyberspace." The American Journal of International Law, 2023.
- CDA, LLC. "Risk Governance and Assurance Domain Reference." CDA Canon, 2026.