The year 2021 has seen new momentum in the global debate about cyber norms, that is, rules for appropriate and inappropriate state conduct related to the use of information and communication technologies (ICTs). Commonly, academic and policy debates focus on the diplomatic forums where these norms are negotiated. However, states also shape cyber norms through their actions. This means that states that want to promote cyber norms should also act accordingly. Germany figures among the avid supporters of cyber norms. Yet, does the German government practice what it preaches?
The year 2021 has seen new momentum in the global debate about cyber norms, that is, rules for appropriate and inappropriate state conduct related to the use of information and communication technologies (ICTs). Commonly, academic and policy debates focus on the diplomatic forums where these norms are negotiated. However, states also shape cyber norms through their actions. This means that states that want to promote cyber norms should also act accordingly. Germany figures among the avid supporters of cyber norms. Yet, does the German government practice what it preaches? To answer this question, I focus on a cyber norm according to which it is desirable for states to establish a vulnerabilities equities process (VEP), also known as government disclosure decision process (GDDP).
Cyber Norms: An Instrument for Mitigating International Cybersecurity Challenges
Cyber operations may serve political, intelligence, military, law enforcement, or criminal purposes. They pose a threat to international peace and security because the technical tools for such diverse cyber operations in part converge, and the technical attribution of these operations to their perpetrators remains a challenge. Therefore, cyber operations may result in increased insecurity, misperceptions, and conflict escalation on a global scale.
Cyber norms provide a way for addressing these threats to international peace and security. They are defined as "standards of appropriate behavior with respect to the use of ICT inconsistent with the objectives of maintaining international stability and security." In other words, cyber norms constitute shared expectations about (in)appropriate international state conduct while remaining voluntary and non-binding. Norms may specify desirable activities and positive duties, or prohibit specific actions.
Several characteristics explain why cyber norms are uniquely well-suited for addressing cybersecurity challenges compared to other policy instruments: First, they increase the predictability of ICT-related international state conduct and contribute to a shared understanding of appropriate behavior because they allow for criticism in cases of norm violations. Second, they can be negotiated relatively swiftly because they do not need to be ratified by parliaments (since they are non-binding). Third, they can be adapted to technological developments, which is crucial in the case of fast-moving technologies like ICTs.
In addition, other established international security instruments cannot readily be applied to ICTs: Both arms control approaches and export controls for software are difficult to design for ICTs because many software components can be used for offensive and defensive purposes. The nature of software would also make such agreements challenging to monitor and verify. Binding cybersecurity treaties, which could include sanctions provisions, are politically improbable given the polarization of the debate and would also take years, if not decades to negotiate and ratify. These limitations stress the importance of cyber norms.
The past decade has seen a variety of cyber norm proposals from both state and non-state actors. At the United Nations (UN), cyber norm debates began in 1998. Still, they only gained momentum when the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) was established. The first GGE was established in 2003 and five more followed. The groups bring together representatives from between 15 and 25 UN member states, including the five permanent members of the UN Security Council and members of all UN regional groups. They meet behind closed doors and only publish a substantial report if they reach a consensus, which the UN General Assembly endorses.
Out of the four substantial reports published through this process, two are particularly relevant to the global cyber norms debate: In 2015, the fourth GGE published a report that contained a set of eleven voluntary, non-binding cyber norms. When the entire UN General Assembly "welcomed" this report and "[c]all[ed] upon Member States [...] [t]o be guided in their use of information and communications technologies" by the report, this marked the first time the entire international community endorsed a cyber norm proposal. However, this report remained vague and left the concrete content of the norms open to interpretation. Although such ambiguity and openness is often a characteristic of norms, it was a significant step when, in 2021, the sixth GGE reached a consensus, after the fifth GGE had not done so in 2017. The 2021 report offers "an additional layer of understanding to [the 2015] norms" by explaining their relevance and suggesting ways for implementing them.
Whether States Practice What They Preach Matters for Cyber Norms Development
If states want to promote certain state conduct through cyber norms, they should also act accordingly, because state actions shape norms and states that aim at strengthening international norms are only credible if they abide by them.
Norms do not simply come into being because diplomats formulate them on paper at the UN or other forums. Instead, cyber norms evolve through long processes of negotiation. At the same time, actors constantly contest norms, that is, they question whether they should apply in given situations or how they should be applied. State practice – what states do in domestic policies and on the global stage – also plays a vital role in these processes: States shape cyber norms not only in diplomatic forums but through their actions. For example, when states observe the behavior of other states, the former infer which activities the latter consider appropriate or inappropriate. Furthermore, such behavior may lead to dialogue among states about the (in)appropriateness of the behavior, for instance in the form of praising, clarifying, or naming and shaming. This has implications for the development of cyber norms, particularly if there is a discrepancy between state practice and cyber norms formulated on paper.
Considering the importance of state practice to cyber norm development, in principle, all states interested in establishing robust cyber norms should practice the cyber norms they preach. This is even more applicable to states that portray themselves as “normative powers,” like Germany. These states seek to enhance their international profile by playing an active role in constructing international norms. Accordingly, their foreign policy credibility is at stake if they do not abide by the rules they seek to promote abroad. This foreign policy aspiration explains why the German government can be held to a higher standard than other states, and why it is especially pertinent to analyze to what extent the German government acts by internationally agreed cyber norms.
At the same time, to analyze how words and deeds relate, information about state behavior needs to be available. This is often a challenge for cyber norms because of the characteristics of ICTs, which facilitate anonymity and complicate attributing cyber operations to their perpetrators. Also, details about cyber operations tend to remain classified as they are often the responsibility of intelligence agencies. Against this backdrop, state conduct that is, at least in part, public, gains even more relevance for cyber norms debates. Therefore, I will analyze the case of establishing a vulnerabilities equities process.
The Cyber Norm: It is Desirable that States Establish a Vulnerabilities Equities Process
One topic that has received surprisingly little attention in cyber norms debates is the question of what governments do when they encounter software vulnerabilities. Such vulnerabilities are a cybersecurity concern because they can be leveraged through exploits (codes that exploit software vulnerabilities or security flaws), which in turn may be deployed in cyber operations. If the vendor of a particular software learns of a vulnerability, it can provide a patch or mitigation measure, which software users can then roll out on their device. If all these steps are carried out, the vulnerability can no longer be exploited on that device. Therefore, for the perpetrators of cyber operations, vulnerabilities known to the vendor may be less interesting than “previously unknown flaws or bugs that can sometimes be exploited to gain access to servers that house information or control networks and infrastructure.” These are called zero-day vulnerabilities because the vendor has had ‘zero days’ to address them.
If government entities discover or procure zero-day vulnerabilities, the government faces the choice of temporarily retaining or immediately disclosing these to the vendor. This often produces a conflict of interest between different governmental entities: On the one hand, the intelligence, law enforcement, or military entities that might deploy a cyber operation that leverages exploits based on the zero-day vulnerabilities in question will presumably argue for temporarily retaining them. On the other hand, entities responsible for cybersecurity, safeguarding digital rights, and consumer protection will presumably argue for immediately disclosing the vulnerability to the vendor.
Faced with this conflict of interests, governments may establish a vulnerabilities equities process (VEP). In the VEP established in the US, after a government agency submits a zero-day vulnerability to process, all involved governmental stakeholders consider their respective equities. These include the likelihood that others may discover the vulnerability, the harm it may cause to the US population if discovered and deployed by an adverse actor, and the national security benefit it may provide. Based on this composite picture, the government decides whether the zero-day vulnerabilities in question should be retained temporarily or disclosed immediately to the vendor. In other words, a VEP does not solve the conflict of interests but provides a structured path that considers the equities of all parties involved (compared to a status quo in which defensive cybersecurity agencies, for example, may not have a say in this decision).
The 2015 GGE report contains a norm stating that “[s]tates should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure”. While this formulation remains unclear and could refer to a VEP or to the promotion of coordinated vulnerability disclosure in the private sector, the 2021 GGE report clarifies that “[a]t the national […] level, States could consider putting in place impartial legal frameworks, policies and programmes to guide decision-making on the handling of ICT vulnerabilities and curb their commercial distribution as a means to protect against any misuse that may pose a risk to international peace and security or human rights and fundamental freedoms." In other words, the two GGE reports in combination formulate the cyber norm that it is desirable that states establish a VEP. It should be noted that this norm is worded more reservedly than other cyber norms, which mention things that states “should” or “should not” do, so it is regarded as a desirable practice rather than a clear, positive duty. Nevertheless, the actors who drafted the norm aimed at regulating state behavior, so the previous argument that states should practice what they preach still holds.
To compare Germany’s cyber norm commitment to practice, it is indicative to review Germany’s role in the drafting of these norms and then analyze whether the country has actually practiced the desirable behavior the norm specifies.
In both GGE groupings, a German governmental expert negotiated the consensus report with international counterparts. Also, Germany supported the 2015 consensus report in the UN General Assembly (the 2021 report has yet to be passed in the UN General Assembly). In other words, in diplomatic forums, Germany supported the idea that states should establish VEPs since 2015. In short, from a cyber diplomacy standpoint, Germany should establish a VEP.
However, despite its diplomatic commitment to the issue, Germany has yet to establish such a process at home. The government has been discussing the issue for several years, a multistakeholder group independent from the government formulated a policy proposal, and members of the Bundestag have repeatedly called for launching such a process. Nevertheless, the government has yet to make good on its plans. This is particularly noteworthy as the German Federal Government passed a set of legal amendments referred to as the Second Law for the Improvement of Security for Information Systems, which specifies the duties of government agencies regarding software vulnerabilities but does not develop a VEP.
Again, the German government mentioned the issue in its 2021 German Cybersecurity Strategy, which formulates the objective of “responsible handling of zero-day vulnerabilities and exploits” and explicitly states that the ministry will establish a “binding process” to this end. However, the strategy fails to outline the path for achieving the objectives it formulates.
Why Germany Should Practice the Cyber Norms it Preaches
To date, Germany’s cyber diplomacy faces the dilemma that the country has yet to put into practice what it has committed to in diplomatic circles. Gaps between words and deeds or struggles between distinct ministries may not be unusual in politics. Still, from a cyber norm development perspective, divergences between diplomatic commitments and domestic policy fundamentally undercut states’ cyber diplomacy efforts. This is because the construction of cyber norms is a social process in which state practice is as important as the words diplomats sign on paper. By failing to establish a functioning VEP at home, the German government effectively signals to other states that the issue is not a priority. This has implications far beyond German policy: If even a country that highly prioritizes cyber norms and portrays itself as a normative power both nationally and at the EU level does not abide by cyber norms it co-drafted, why should other states abide by them? This question is even more pressing for states that were not part of the GGE and therefore did not even have a say in the formulation of these norms.
Unlike treaties, cyber norms are voluntary and non-binding. This means that they do not include legal mechanisms to ensure compliance and sanction norm violations. States have political instruments at their disposal: When others violate cyber norms, states may use cyber norms as a baseline for identifying the violation and then employ complimentary policy instruments to respond, such as joint public attribution statements, sanctions, or other response instruments. Yet, even in the absence of such instruments, cyber norms spread through more subtle mechanisms: socialization, imitation, conviction, and attraction. All of these require, at the very least, strong "norm entrepreneurs" who not only formulate norms, but also promote them among others and, crucially, observe them at home. As it stands, Germany’s domestic cybersecurity policy is effectively countervailing its cyber diplomacy efforts.
It could be argued that Germany is in good company, as most states have failed to establish VEPs. Since VEP processes are usually classified, little is known about the exact number of states that have established them. Among the states that have published information on their VEPs are Australia, Canada, the United Kingdom, and the United States. Others, like the Netherlands, have stated that they have put a process in place without publishing further details. This presumably leaves several other states in the same position as Germany: Co-authors of the 2021 GGE consensus report that have not established a VEP at home. Still, not all co-authors have the same financial and politico-legal capabilities as Germany and, as mentioned above, not all of them aspire to the same normative standard.
To remain a credible actor in future cyber norms debates, Germany should implement the cyber norms it has supported in diplomatic forums through national policies. This includes the question of a VEP but also other topics like promoting encryption, where cyber norms commitments and Germany's practices similarly diverge. Meanwhile, as long as cyber norms commitments and domestic policies continue to diverge, the government could put in place mechanisms to identify and resolve these tensions. A first step would be a cyber diplomacy strategy, which Germany does not yet have but which the Federal Foreign Office is currently preparing. Hopefully, such a strategy would take into account that international cybersecurity policy challenges cannot be solved by Germany alone but require international cooperation – and to this end, Germany needs to be seen as a reliable and credible partner, not one that applies a double standard, one to others and a different one to itself.
- Ari Schwartz and Rob Knake (2016): “Government’s Role in Vulnerability Disclosure. Creating a Permanent and Accountable Vulnerability Equities Process.” Harvard Kennedy School Belfer Center for Science and International Affairs. https://www.belfercenter.org/sites/default/files/legacy/files/vulnerability-disclosure-web-final3.pdf.
- Centre for European Policy Studies (2018): Software Vulnerability Disclosure in Europe. Technology, Policies and Legal Challenges. Report of a CEPS Task Force. https://www.ceps.eu/wp-content/uploads/2018/06/CEPS%20TFRonSVD%20with%20cover_0.pdf
- Matthias C. Kettemann and Alexandra Paulus (2020): “An Update for the Internet. Reforming Global Digital Cooperation in 2021.” Stiftung Entwicklung und Frieden (Global Governance Spotlight, 4/2020). www.sef-bonn.org/en/publications/global-governance-spotlight/42020.
- Matthias Schulze (2019): “Governance von 0-Day-Schwachstellen in der deutschen Cyber-Sicherheitspolitik.” Stiftung Wissenschaft und Politik, May 2019. https://www.swp-berlin.org/publications/products/studien/2019S10_she.pdf.
- Nicole Perlroth (2021): This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury Publishing. https://www.bloomsbury.com/us/this-is-how-they-tell-me-the-world-ends-9781635576061.
- Sven Herpig (2018): “Governmental Vulnerability Assessment and Management. Weighing Temporary Retention versus Immediate Disclosure of 0-Day Vulnerabilities. A Proposal Supported by the Transatlantic Cyber Forum.” Stiftung Neue Verantwortung, August 2018. https://www.stiftung-nv.de/sites/default/files/vulnerability_management.pdf.
- United Nations General Assembly (2021): Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security (UN Document A/76/135). https://undocs.org/en/A/76/135.
 As explained in greater detail below, a vulnerabilities equities process (VEP) refers to a structured process that considers the equities of all relevant governmental stakeholders to decide whether a governmental agency that has encountered a vulnerability should immediately disclose it to the software vendor, so that the latter can develop a patch or temporarily retain it for the purposes of future cyber operations. Strictly speaking, government disclosure decision process is the generic term, while vulnerabilities equities process refers to the process established in the United States. However, the latter has become a general shorthand, which is why I use the term here.
 There is also no established VEP at the European Union level. While the EU is increasingly developing cybersecurity policies, most notably through the Cyber Diplomacy Toolbox, a fundamental obstacle for a more assertive role of EU institutions is that foreign and security policy remains the responsibility of member states, so EU action in this field is contingent on a consensus among all 27 member states. Neither the Cyber Diplomacy Toolbox nor the 2020 EU Cybersecurity Strategy mention the objective of establishing a VEP.
 These include Brazil, China, Estonia, France, India, Indonesia, Japan, Jordan, Kazakhstan, Kenya, Mauritius, Mexico, Morocco, Norway, Romania, Russia, Singapore, South Africa, Switzerland, and Uruguay.
The opinions expressed in this text are solely that of the author/s and do not necessarily reflect the views of the Heinrich Böll Stiftung Tel Aviv and/or its partners.