Cyber Norms Index and Timeline

Methodology and Structure

The interactive Cyber Norms Index and Timeline focus on cybersecurity in the context of international peace and security. They include documents released since 2007. The year 2007 was chosen as the cut-off because it presents a turning point in the international discussions about cybersecurity as described here. The documents were selected based on a qualitative analysis of their relevance according to experts in various countries and the related literature. Wherever possible, all documents were uploaded as downloadable PDFs.

This website is a living document and will be revised every three months based on future feedback and developments. Please share any feedback you might have with us by using our Feedback Submission Tool.

Please note that processes related to cybercrime are beyond the scope of this initiative. For more information on international efforts to combat cybercrime, the website dedicated to the Convention on Cybercrime is a useful resource.

The Timeline

The Timeline illustrates how the construction of international cybersecurity norms has developed over time. It is intended to be a resource for both users with existing knowledge of cyber norms processes and for newer users seeking to learn more about the evolution of cyber norms diplomacy since 2007.

The timeline contains over 150 documents in total and is filterable both by document type and by country. If a country is a member of a multilateral organization, and that organization is a party to an agreement included in the timeline, that agreement will still appear on the timeline when the country in question is selected as a filter. For example, the GFCE Delhi Communique appears when selecting Armenia a filter because Armenia is a member of the Council of Europe, which has endorsed the Communique.

Timeline nodes that appear in white contain documents that are searchable in the Cyber Norms Index below. Gray nodes contain documents that are not searchable in the Index.

Certain supplementary document types that can be found in the Document Library at the bottom of the page, such as ‘Statements on International Law Outside of the UN Process’ and ‘Submissions to the UN GGE + OEWG’ are not included in the timeline to ensure it remains easy to navigate and to use.

The Index

The Index compares existing language relating to international cybersecurity norms in multilateral outcome documents. Users can search documents by category of language or by specific keyword.

The most important document reflecting the international community’s views to date is the 2015 UNGGE report developed by governmental experts representing twenty states including the permanent five of the UN Security Council. The underlying database and structure of the Index was therefore designed to emulate the structure of the 2015 UNGGE report first, followed by elements from other relevant texts. Building on the structure of the 2015 UNGGE report, we developed a database for the text comparisons. The initial set of categories therefore reflected the outline and content of the 2015 UNGGE report. Additional categories were added subsequently to incorporate content included in other documents but not reflected in the UNGGE report. The final list of categories was the result of an iterative process revising the initial outline based on the results of comparing text elements.

The Index contains seven categories in total. ‘Process’ captures which institutions and documents cross-reference other regional and global processes in their respective outcome documents. This is a proxy for identifying and assessing the importance of the various nodes of this emerging regime complex. ‘General Framing’ contains references to general objectives and concerns related to the use of ICTs. ‘Threat Perception’ focuses on how documents perceive various ICT-related threats. The ‘Norms and International Law’ category compares the accords based on their references to various principles of international law, norms of behavior, confidence-building measures, and capacity-building efforts. The ‘Confidence Building Measures’ category consists of references to confidence-building measures meant to build trust between states. ‘Capacity Building’ is dedicated to measures states have undertaken to build international cyber capacity. Finally, a ‘Miscellaneous’ category consists of references to notable elements of cyber norms diplomacy not directly related to any of the other categories.

Every text element from the selected accords was coded based on its primary subject matter as it relates to the structure of the 2015 UNGGE report. To reduce complexity, we decided to code every text element only once and to assign it to a single category. The coding was therefore based on a qualitative assessment.

Document Library

The Document Library serves as a comprehensive repository of cyber norms documents released since 2007. It includes multilateral documents, plurilateral and bilateral texts, contributions by nongovernmental actors including NGOs and companies, and multistakeholder statements such as the Paris Call. Related collections of documents, such as statements on the applicability of international law to cyberspace and a comprehensive list of submissions to the UN Group of Governmental Experts and Open-Ended Working Group are also included. (The EU is listed separately considering its supranational status. Some statements on international law are part of official submissions to the UN and listed as such.)

When citing this resource, please use the following format: “Document,” Cyber Norms Index, Carnegie Endowment for International Peace, access date, URL.

For example:“G7 Declaration on Responsible States Behavior in Cyberspace,” Cyber Norms Index, Carnegie Endowment for International Peace, accessed November 6, 2017, http://carnegieendowment.org/publications/interactive/cybernorm