In October 2019, a major cyberattack on the Republic of Georgia disrupted thousands of government, media and private websites in the country, highlighting the escalating scope of cyber aggression. The following day, the University of Pennsylvania’s Perry World House and the Carnegie Endowment for International Peace convened key stakeholders from academia, industry and policy for a workshop to assess the state of global cyber norms processes. We’ve compiled the takeaways from the workshop, which was held under Chatham House Rules, in a new report. The discussions indicated that while the splintering of cyber norms processes in recent years raises cause for concern, fragmented initiatives provide reason for optimism that norms will eventually solidify.
Last week, the United States, United Kingdom, Australia and a number of European states publicly condemned Russia for the Oct. 28 cyberattacks against Georgia, reportedly attributed to Russia’s military intelligence service, the GRU. A rare example of collective attribution, the condemnation follows a joint statement signed by the U.S. and 26 other states in September 2019 pledging to hold states accountable for “bad behavior in cyberspace.” While this response is a welcome development, such accusations remain a modest response to increasingly flagrant cyber aggression: Indiscriminate cyberattacks like NotPetya, malware targeting critical infrastructure and large-scale cyber-enabled disinformation campaigns all demonstrate the acute need to solidify rules of the road for cyber operations.