As international cyber norms take shape at a slow pace, experts consider how individual nations can lead, follow and take matters into their own hands.
The world needs cyber norms, experts say, but the U.S. might not be the nation to lead it there.
Americans have been pushing for cyber norms at the U.N. since President Barack Obama's 2011 International Strategy for Cyberspace, but the going has been painfully slow. A 2013 report from the U.N.'s Group of Governmental Experts presented a substantial -- but voluntary -- list of norms, including applying international law to the cyber realm and holding states responsible for attacks originating inside their own borders. And in September, Obama and Chinese President Xi Jinping announced a common understanding on cyber issues.
"This is a no-kidding presidential priority," said Chris Painter, the State Department's coordinator for cyber issues, at a Dec. 18 panel discussion hosted by the Center for Strategic and International Studies. "This really is something the president feels strongly about."
Norms that prohibit nations from cyberattacking one another's critical infrastructure and promote cooperation in cyber investigations, as the Group of Governmental Experts agreed to this summer, are exactly what the world needs, Painter argued, even if they are not binding.
"The more countries you have, even if [the standards are] voluntary, it really creates what the standard of behavior is," he added. "It really allows countries to rally around those, and if people are outside, it will act against them in the long term."
But real global agreement on cyber norms is a long way off.
"It's going to take years and maybe decades" until the world comes to a more holistic cyber agreement, said Catherine Lotrionte, director of Georgetown University's Institute for Law, Science and Global Security. "We're not going to have a universal treaty signed on all activities in cyberspace."
And even within the talks, "the United States may not be the best country to drive some of those discussions," said Ian Wallace, senior fellow and co-director of New America's Cybersecurity Initiative.
Small nations, such as early e-government-adopter Estonia or the Netherlands, might help lead the way in U.N. discussion groups, panelists said.
In the end, however, "international law develops based on state practice," Lotrionte said.
With that in mind, nations need to be much clearer as they stake out positions on malware development, use of force and, especially, taking down criminal hackers within their own borders, she added.
If the "good" countries don't establish explicit norms through practice, she warned, the bad guys will guide international norms-formation with practices of their own.
NEXT STORY: Audit finds Navy installations still vulnerable