The Resurrection of International Cyber Norms? Analyzing Governmental Statements on Cyber Operations Targeting Health Infrastructures during the COVID-19 Pandemic

The COVID-19 pandemic is transforming society’s digital behaviour, aggravating previous cybersecurity challenges and creating new ones. One emerging challenge is the widening attack surface, including of health infrastructures, to malicious cyber operations that leverage people’s fear and concern toward the new virus. The ensuing cyber operations targeting health infrastructures and pandemic response entities have pressured states to take actions to secure their populations. One policy instrument to prevent or mitigate cyber conflict are international cyber norms, or rules for responsible state behavior in cyberspace. Before the outbreak of the pandemic, the cyber norms debate had been characterized as having “reached a dead end” (Henriksen, p. 2), but following the recent widely covered attacks on the health sector, many states and collective entities have published statements in which they negotiate established or nascent cyber norms proposals. Following Gold’s (2020, para 15) hint that “[i]f malicious cyber disruption during a pandemic does not galvanize global action on cybersecurity issues, what will?” (Gold 2020, para 15), in this paper, we analyze whether this constitutes a resurrection of cyber norms. We examine 14 statements, published between April 17, 2020, when the US published the first statement on the issue, and July 20, when Russia made the (at the time of writing) most recent statement. Among them are eight national statements, by Australia, Canada, China, Estonia, New Zealand, UK, US, Russia, and five collective statements, by the EU (High Representative and the President of the Commission), a Joint OEWG Report Proposal from Australia, Czech Republic, Estonia, Japan, Kazakhstan and the US, NATO, the Parliamentary Assembly of the Mediterranean, and World Health Assembly. In our analysis, we focus, firstly, on the content of states’ pronouncements: Which actions do they condemn? Do they make a normative statement? If they make a normative statement, we secondly examine their normative point of reference. The latter can range from existing cyber norms framework like the 2015 United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE), the Paris Call for Trust & Security in Cyberspace, the Tallinn Manuals, or the Shanghai Cooperation Organization's International Code of Conduct for Information Security to new and emerging norms, for instance, those currently being elaborated in the context of the United Nations Open-Ended Working Group (OEWG). And thirdly, which patterns and alignments evolve? We use discourse analysis to identify key nodal points and fixed meanings identifiable in these statements.