There were a lot of congratulatory, positive vibes surrounding the recent conclusion of the final meeting of the UN’s second and final open-ended working group (OEWG) on responsible state behavior in cyberspace. This is natural after a protracted (2021–25) period of discussion. And the positivity reverberated partly because the process was able to reach any agreement, at a time when multilateral agreement is difficult to achieve. Specifically, the process agreed to modalities for a new, permanent standing body—the Global Mechanism—providing a forum for future structured discussion of the global cyber diplomacy agenda.
These outcomes were, however, more modest than the level of congratulation suggested. Looking back at twenty years of cyber diplomacy, the record of achievement is arguably unimpressive. There are undoubtedly areas of genuine achievement, such as cyber capacity building. Capacity building’s significant place in the OEWG’s final draft is unsurprising, given that it is arguably cyber diplomacy’s greatest tangible achievement. It should also be noted that cyber diplomats work extremely hard, patiently arguing over each line of text, and sometimes laboring over issues as esoteric as how to ensure stakeholder participation in multilateral meetings while finessing every state’s right to veto such participation.
However, storm clouds are on the horizon, even regarding capacity building. Two of the biggest and most mature cyber diplomacy actors—the United States and United Kingdom—are cutting their assistance programs and diplomatic workforces over the next five years. With aid budget cuts across a wider range of donor states, it is an open question whether cyber capacity building—the star performer of the past decade of cyber diplomacy—will be in a worse position in 2031 (the proposed review date for the UN Global Mechanism) than it is now.
There are prudential strategic reasons for states to maintain their commitment to capacity building, not least that “digital solidarity” benefits everyone and that reducing these efforts risks competitors filling the resultant gap. But it remains to be seen to what extent capacity building is shielded from the impact of wider aid cuts in several like-minded states. The utility of the Global Mechanism’s machinery would be undermined significantly if states reduce these capacity building commitments.
Beyond capacity building, the record of cyber diplomacy is less impressive. The much-celebrated eleven norms agreed in 2015 read like a list of perfunctory, self-evident truths. At best, they are simply obvious statements of prudential state behavior. At worst, they can appear so routinely flouted as to undermine confidence in the normative process itself. This is particularly the case with the three prohibitive norms—against permitting malicious cyber activity in a state’s jurisdiction, and against maliciously targeting critical infrastructure, or computer emergency response teams, in another state. Cyber crime has only become more of a global menace in the decade since states notionally agreed not to permit malicious cyber activity in their jurisdictions, and infrastructure pre-positioning also appears to be a worse problem in 2025 than it was when the norm against targeting infrastructure was first elaborated.
In truth, no one should have expected the normative process to be a panacea. International relations scholar Martha Finnemore wrote in 2011 that a normative approach was more akin to managing a chronic problem than it was to quickly treating a curable condition. Even earlier, information security scholar Dorothy Denning pointed out in 2001 that global agreement to counter cyber crime (now visible in the effort to ratify the global cyber crime treaty) was always likely to be easier to reach than expecting states to agree about how they themselves should behave in cyberspace. The normative approach to responsible state behavior was embraced precisely because a treaty-based alternative was discounted.
The clue to the problem with the norms is the lack of enforceability or meaningful accountability: The UN’s norms, rules, and principles of responsible state behavior in cyberspace are entirely voluntary and nonbinding. Beyond notional embarrassment at being the culprit whose operations are the subject of public attribution—which does not seem to be a particularly effective curb on the operations of those attributed culprits—there is nothing to hold states to account for failing to uphold the normative commitments they have made. Some states, such as Russia, curiously appear to have suffered little reputational damage globally for harboring cyber criminals.
Moreover, as the cybersecurity researcher and executive Dave Aitel noted in 2017, the “painful truth” about efforts to foster global agreement on constraining offensive cyber operations “is not that the world’s governments disagree with each other, but that every government disagrees internally.” While the diplomatic community and external stakeholders labor patiently to develop consensus statements on the UN norms, other parts of many governmental systems—both military and intelligence institutional actors—will be defending their equities in intragovernmental discussions. Or, in states where the interagency mechanics are less elaborated bureaucratically, they will simply be doing their own thing, whatever the diplomats say. Put differently, Bart Hogeveen—a senior fellow at the Australian Strategic Policy Institute—suggested in 2022 that the UN norms represent what states believe is acceptable and unacceptable in cyberspace, but it might be closer to the truth to say that it is what their diplomats say about acceptability and unacceptability, not necessarily what they (or parts thereof) actually believe and how they behave. This is problematic for the integrity of the multilateral normative process as an exercise in confidence building. The bad faith of some undermines the whole process for everyone.
This is not to say that diplomacy is a negligible instrument of cyber statecraft. But it does suggest sharp limits to the efficacy of multilateral normative diplomacy. Much has been done constructively at bilateral and regional levels, particularly in the field of capacity building. Where diplomats are empowered and resourced to support these efforts, there are real gains to be had in improving the global baseline in cybersecurity and its necessary underlying enablers. But it isn’t immediately obvious that a dedicated line of standing multilateral dialogue about cyber capacity building, which is part of the Global Mechanism’s offering, is what this process most needs over the next five years. There are other forums and organizations that could continue to be used to good effect. In some cases, the OEWG is proposing initiatives at the UN level that might unnecessarily duplicate existing non-UN initiatives.
In part, this can be seen as a cyber-specific manifestation of a wider trend in how certain states interpret what it means to prioritize multilateralism. For some states, it does not matter whether an initiative is well-meaning—for example, the tech pillar of the previous U.S. administration’s Summit for Democracy or the U.K.-France initiative (the unfortunately named Pall Mall Process, which has nothing to do with the U.K. version of the Monopoly board) to mitigate the harms of the global commercial cyber capabilities market. If such initiatives are pursued outside the auspices of the UN, then they will struggle to gain approval. Conversely, on this logic, the pursuit of something under UN auspices is, inherently, superior to trying to improve existing efforts outside of the UN, notwithstanding the fact that achieving progress at this level is harder because of the variety of disagreements that exist between states. Managing the consequences of this conjuncture will be a significant part of the Global Mechanism’s business. Progress is more likely in smaller, less internally divided forums.
If the current state of global cyber diplomacy is truly historic, it is not because of the magnitude of its achievement, but due to what it says about the limits of twenty years of painstaking diplomatic effort. The debate about whether the Global Mechanism should embed existing norms, or should elaborate new norms, rather misses the point. Norms don’t get anyone very far.
The early period of cyber diplomacy occurred when cyber operations had little salience in the global public mind. This is less true today. The proliferation of cyber threats, particularly the experience of cyber crime, is felt around the world. But there is no evidence that this rising salience has made diplomatic efforts to curb these threats more likely to succeed. It is true that the Global Mechanism is likely to begin its work next year, and that the global cyber crime treaty will enter into force in subsequent years, but it would be wrong to expect either of these multilateral developments to make a significant impact on the proliferation of cyber threats. More can reasonably be expected from efforts at bilateral, minilateral, and regional levels to materially improve cyber capacity and resilience, and to coordinate operational efforts to counter cyber threats.
For the foreseeable future, states should arguably give compellence a chance, intensifying existing efforts to reshape the systemic factors that currently facilitate state-originated or state-tolerated cyber threats. It is likely that coordination and collaboration in the operational field is a more effective vector for states’ collective efforts. Cyber norms are fine as far as they go. But recalcitrant states need to be made to understand that it is in their interests to behave more responsibly. To date, that effort has failed.