To some fanfare, the White House announced a national cyber strategy last week. It breaks little new ground but still sends an important message that cyber continues to be a priority. Now action is needed to ensure it doesn’t become shelf-ware.

The Trump administration claimed this was the first such strategy since 2003 when President George W. Bush issued the National Strategy to Secure Cyberspace. That’s a little misleading. Though it wasn’t styled as a ‘strategy’ President Barack Obama issued a detailed cyberspace policy review within four months of taking office. He released the first international cyberspace strategy in 2011 and issued multiple cyber-focused executive orders and a cybersecurity action plan in 2016.

And my old office at the State Department, pursuant to a Congressional mandate, produced a wide ranging cyber strategy in 2015 that was far more detailed than this one. But every administration wants to claim it’s doing something new and different with little credit to what’s come before, so the branding here is hardly surprising. The new document is still very important because threats in cyberspace are increasing and it clearly defines this administration’s cyber policy. It doesn’t discard work and policy but builds on it.

The strategy comes almost two years into this administration, and a full year after a myriad of detailed reports were due from a host of federal agencies pursuant to the president’s executive order on strengthening cybersecurity last May. Those reports spanned the gamut from enhancing the cyber workforce to international engagement and deterrence in cyberspace.

Given the scope of those reports, one might assume that a strategy composed of their findings would be detailed and groundbreaking. With few exceptions however, it’s not. Instead it’s very high level, lacks detail and often restates past policies. In some areas, like articulating roles and responsibilities for federal agencies, it punts the hard issues, saying instead that these will be worked out in the future.

Hard as it is, defining roles and responsibilities, and who’s in charge of what, is central to an effective strategy. I expect that, as in the past, internecine turf wars (certainly not unique to cyber) made this too difficult. Still, if the National Security Council has a unique strength, it’s in resolving interagency battles. That’s become, I expect, a more difficult task given the abolition of the White House cyber coordinator role, and it’s disappointing that this could not be achieved with this document.

But, there’s a lot to like in this strategy even if it lacks real detail and often resorts to vague platitudes. It restates much of the US cyber canon, including the importance of internet freedom and the central role of multi stakeholder internet governance, welcome pronouncements to our allies and partners. That’s even more important now when attacks on the press and claims of ‘fake news’ often dominate the headlines and call into question our commitment to these ideals and when countries including China and Russia advance a contrary agenda of absolute internet sovereignty.

The strategy also sounds familiar themes on issues including the importance of battling cybercrime, concern about supply chain vulnerability, the need to strengthen cyber defences and the importance of public-private partnerships—all motherhood concepts of cyber doctrine. Condemnation of attempts by bad state actors to undermine our democracy is also welcome in the light of the president’s second guessing of Russia’s involvement.

Consistency with past practice shows we’re building on accomplishments and sends a strong message of continuity to our public and our partners. The very fact that the strategy’ been released sends a message that cyber continues to be a national priority. That’s especially helpful in light of the revelation in Bob Woodward’s book that the president characterised this area as ‘cyber sh*t’. Perhaps my favourite line in the strategy is ‘[c]yberspace will no longer be treated as a separate category of policy or activity disjointed from other elements of national power’.

One of the critical shortcomings of past cyber policy is that senior decision-makers treat it as a bright shiny object that’s the purview of the technical rather than the policy community. I’ve long argued that integrating cyber as a core issue of national and economic security is fundamental to making real progress. Pretty words are one thing and action another. If the president doesn’t prioritise this area with resources and actions, or if he continues to undercut the messaging on Russian malign activity, all the words in the world will have little effect.

Some new points are noteworthy, but perhaps in tension. For one, the strategy includes the launch of an international cyber deterrence initiative and on the other, a relaxation of the rules governing retaliation, referenced in the strategy but largely articulated in National Security Advisor John Bolton’s ‘cyber-rattling’ comments at its launch.

I’m pleased that the strategy continues to emphasise the need for a cyber stability framework built, among other things, on voluntary norms of state behaviour, and for international engagement and capacity building. These have been staples of the US international program and leadership for many years. I was also happy to see an emphasis on deterrence, including aspiring to impose ‘swift, costly and transparent consequences when malicious adversaries harm the US or its partners’. That’s something, as I have written before, that we’re still not very good at.

While we’re getting better at naming and shaming some of those responsible for cyber events, that’s not sufficient to deter actors like Russia or North Korea. Real consequences for bad state behaviour that will affect their decision making is still desperately lacking. That creates the ‘norm’ that such bad behaviour is acceptable–or at least cost free.

The strategy seeks to address this, in part, through a new international cyber deterrence initiative that recognises that: ‘[t]he imposition of consequences will be more impactful and send a stronger message if it is carried out with a broader coalition of like-minded states.’ It seeks to build a coalition to collectively respond to shared threats by, among other things, coordinating responses, sharing intelligence, buttressing attribution, supporting each other’s responses and, most significantly, engaging in ‘joint imposition of costs against malign actors’. This emphasis on collective action and partnerships is a welcome counter to the prevailing narrative of ‘America alone’.

None of this is easy. Sharing information and coordinating action among disparate bureaucracies is difficult in the best of times but the building of this coalition was underway long before I left the State Department. This strategy gives it a welcome boost at a critical time. As the document was released, a large, multi-agency US delegation, and the delegations of numerous allies and partners, attended the Singapore International Cyber Week conference. It was a timely opportunity to progress this important initiative.

The other major development, that often overshadowed the strategy itself in media coverage, was Bolton’s statement that the rules governing the use of offensive cyber tools had been relaxed and that the White House ‘has authorised offensive cyber operations’ against US adversaries. The extent to which the rules have been relaxed and the nature of such operations remain unclear.

Like the 2011 International Strategy for Cyberspace, the new strategy says that all tools of national power, diplomatic, law enforcement, economic, cyber and military, can be used to respond to a cyber incident. Offensive cyber operations are an important part of this arsenal and their use in the right circumstances, consistent with international law, makes sense.

However, there are many unanswered questions, and some answers may have a negative impact on the international cyber deterrence initiative. Presumably this move does not mean that offensive cyber operations will be a tool of first resort. They should be reserved for when they are most effective. It’s widely accepted that the best response to a cyberattack is often not a cyber one. Cyber tools must be integrated into all our capabilities and not seen as some sort of magic button, particularly given that their use involves a fair amount of pre-planning. And despite the borderless nature of cyberspace, there’s a difference if such tools are used in adversary space or if they’re used to disrupt an adversary’s activities in neutral or friendly territory.

In an adversary’s space, the primary issue is escalation and that can be overcome with direct messaging. In third party space, unilateral cyber actions run the risk of damaging the alliances needed to take collective action against cyber and other threats, essentially making an international cyber deterrence initiative more difficult.

There may be times when the US needs to take unilateral action but in other cases it may be better to ask allies to employ their capabilities. How these diplomatic and partnership issues will be weighted and resolved in the new structure Bolton described is unclear, particularly when it’s reported that interagency consideration of these operations has been significantly curtailed. But failure to properly assess these issues risks the loss of the ability to respond collectively to incidents in the long term.

Inadvertent consequences, potential collateral damage, possible loss of control and retaliation and escalation must all be considered. Again, it’s not clear how the new structure will consider these issues. We need to develop and use these capabilities as part of an overall deterrence regime—but it’s important that they be integrated and balanced as one of many strategic responses.

The 2003 National Strategy to Secure Cyberspace was a generally good document and groundbreaking in its time. Yet, it was soon largely treated as shelf-ware, in part because folks were not ready to treat cyber as a priority and in part because there wasn’t consistent high-level implementation or emphasis. The new White House cyber strategy bears a lot of similarities to that document and, while cyber is now clearly in the mainstream, I fear it too will become little more than a collection of good words unless there’s a robust implementation plan, adequate resources and cybersecurity is made a real priority by the president himself.

While I’m heartened by innovations like the cyber deterrence initiative, actions like the slashing of funding undermines strong language in the strategy that capacity-building is vital. The cyber coordinator role in the White House has been abolished when the strategy suggests we need it most. And, 14 months after I left the State Department, it still hasn’t reestablished a high level cyber position despite the evident need for it made clear by the strategy. I want us to be effective. I want us to better deter cyber threats using all the tools at our disposal. We cannot afford to ignore this issue or be complacent and while a new strategy is an important milestone, it must be followed by concerted action and a real implementation plan.

Late last week, the US Department of Justice filed a criminal complaint against a North Korean hacker—who allegedly acted on behalf of the North Korean government—in connection with a series of cyberattacks, including the cyber intrusion and attack against Sony Pictures in 2014. Among other things, this individual, along with other unidentified hackers, is alleged to be part of the Lazarus Group, which has been implicated in a wide range of malicious cyber activities—including the destructive WannaCry 2.0 worm that affected computers around the world in 2017 and the attempt to steal hundreds of millions from the Bangladesh Bank in 2016.

This is the first time that the US has criminally charged a North Korean government hacker and, like the indictment of five PLA officers for intellectual property theft a few years ago, it’s extremely unlikely that the charged individual (who apparently is in North Korea) will ever see the inside of a US courtroom. The charges are also unlikely to have any real effect on the malign cyber behaviour of North Korea. Unless other measures are brought to bear, North Korea isn’t really susceptible to being ‘shamed’, even when called out in such detail.

Nevertheless, the criminal complaint and supporting affidavit serve an important purpose. They demonstrate that, although it may take time, the US will expose malicious nation-state activity, including the individuals responsible and their tradecraft, for the world to see. Though more is required to achieve effective deterrence, this development sends an important foundational message, particularly when many doubt that effective attribution is possible.

I was part of the US government when we were dealing with the Sony attack in 2014. In one of the first instances of US government attribution of cyber conduct to a nation-state, President Barack Obama called a news conference and announced that North Korea was responsible. Shortly thereafter, he imposed sanctions on North Korea because of that and other activity. It was a watershed moment— to make public attribution at the highest level of our government sent a strong message that malicious state cyber activity would not be tolerated.

The move was coupled with extensive diplomatic outreach to allies and partners around the world to share our views and build support. Indeed that, and our outreach to partners in response to the Iranian distributed denial-of-service attacks against many of our financial institutions, served as the basis for our work to build a collective response by countries against shared cyber threats that continues today.

Still, the experience was also somewhat frustrating. Although nearly every commentator and researcher had said that North Korea was behind the Sony attack before Obama’s landmark press conference, many voiced doubts once the president and the US government went on the record. They challenged the evidence we put forth publicly as incomplete and instead offered a variety of alternative, often conspiratorial, theories.

The US government released far more corroborating information than it normally would, particularly when, as was the case then, no public criminal charges were brought. But it’s unreasonable to expect the US, or any government, to release all the information it has that led to attribution, especially when that information is particularly sensitive or could compromise sources and methods that are important in tracking and preventing future activity. This practice is no different from how attribution is handled for physical-world incidents. At the end of the day, in cyberspace or the physical world, attribution is a political (small p) decision based on all the information available. Countries nevertheless want to be highly confident that they’re right, because being wrong undermines future credibility and action.

Russian government representatives also tried to cast doubt on the attribution of North Korea, making the self-serving claim (especially in light of all the malicious cyber and physical activity they’re responsible for) that if one country is going to accuse another, the attribution must be essentially 100% ironclad based on publicly released evidence.

The Russian position fits in with Moscow’s practice of denying its involvement in everything from election interference to NotPetya in the cyber world, and from the UK poisonings to the Ukraine incursions in the physical one. Even when I was a federal prosecutor, the standard of proof when an individual’s liberty was at stake was never absolute but was instead beyond a reasonable doubt. Demanding absolute proof is a convenient way to deny malicious actions even when it’s clear who the perpetrator is. It’s also used as a subterfuge for getting insights into the information held by other countries to evade detection in the future.

The complaint and 179-page supporting affidavit in this case should help lay to rest a lot of the groundless claims that there wasn’t a strong factual basis for accusing North Korea. The affidavit is remarkable in its thoroughness and detail. I agree with those who have said that it reads like a thorough threat intelligence report with a criminal charging overlay. My former Justice and law enforcement colleagues deserve a lot of credit for all the work that went into the investigation. In any event, it tells a compelling story of the scope and scale of North Korean cyber activity. The fact that it fingers individuals (one by name) and organisations, and that it lays bare at least some of North Korea’s tradecraft in detail, alone make the document important.

The targeted sanctions imposed concurrently on the defendant and on a Chinese firm that employed him are also helpful. Though China and the US differ on many things, and we rightly remain concerned about Chinese malicious cyber activity, I think there’s some opportunity for common ground with China, assuming that it wouldn’t want rogue actors from other countries operating from its soil and, potentially, causing instability or exposing it to blame.

The criminal complaint and sanctions, though good, are still unlikely to deter North Korean actions in the future. For that to happen, they need to be part of a comprehensive plan that, among other things, includes putting pressure on the North Korean regime. Like with Russia, or any state adversary, that will require consistent, high-level messaging from the top. Sadly, that is lacking.

I’ve written before that, regardless the activities the US takes to hold Russia accountable for its malicious cyber activity, those efforts are undermined when the president himself not only refuses to publicly endorse them but undercuts those actions by casting doubt on Russia’s involvement. With North Korea, I fully understood why cyber issues wouldn’t be prominently raised during the first US–North Korea summit given the importance of denuclearisation, but thought it needed to be embedded in future dialogue with North Korea. Of course, the talks with North Korea seem largely on the rocks, but whatever their fate, it doesn’t seem likely that cyber matters will be raised despite last week’s charges. Worse yet, on the very morning that the criminal charges were announced, President Donald Trump tweeted about how well he and Kim Jong-un get along — hardly the messaging, on at least this topic, that’s likely to provoke North Korea to stop its activity.

Until we can do a better and more comprehensive job of pushing back on North Korea’s and other nation-states’ cyber activities, the use of criminal charges and other tools can only help lay an important foundation. But they will not, without more, deter our adversaries.

Open-source data is built on the foundation of long-term useability, authenticity and reliability. Its public nature means that it can be accessible anywhere with an internet connection.

Yet when we talk about the government data that needs to be protected for national security reasons, classified information—related to defence and intelligence services—often takes precedence. But what about the protection of unclassified, open-source government data?

Websites like data.gov.au, Trove and Parl Info Search host a broad range of data that collectively documents the political, social and cultural history of Australia. Over time, this data accumulates to paint a detailed picture of our country. It’s a high-value dataset given the trends big data analytics can reveal.

The Department of Communications and the Arts has estimated that the value of open government data is $25 billion per year—which represents 1.5% of Australia’s GDP. To give that some context, Australia is budgeting to spend 1.91% of its GDP on defence in 2018–19.

As outlined in the Attorney-General’s Department’s Protective Security Policy Framework, simply increasing the classification level of data isn’t enough to ensure its protection. The department recommends that agencies consider the potential business impact if something were to happen to their data. The policy framework outlines risks to aggregate data, including unauthorised disclosure and inconspicuous copying, modification or dissemination of information. And it warns of possible operational, reputational or monetary impacts for an individual agency or the government as a whole.

In an era of technological disruption, all it takes is the dissemination of disinformation to undermine national security.

Governments and private companies around the world are already starting to implement technologies and software to address data security. We’re now seeing the powerful combination of traditional information security, relating to controlled access to information and security of ICT systems, with the application of principles of long-term data preservation.

One example is Preservica, a software platform that incorporates the key data-preservation principles of useability, accessibility, security and authenticity. Once digital data has been created and stored, it is continually checked not only to prevent the obsolescence of file formats, but also to confirm the integrity of the data and metadata and ensure it hasn’t been manipulated. Preservica is being used by the UK National Archives, the European Commission and the Provincial Archives of New Brunswick in Canada.

Swedish company Enigio Time is based on similar principles. Its aim is to ‘provide proof of the truth’ and digital data integrity in what it calls a ‘#PostTruth era’. Enigio Time software generates a timestamp on a digital document, leaving unchangeable proof of the content of the document when it was created.

Another technology that could also contribute to data integrity is blockchain. Blockchain is commonly associated with Bitcoin and cryptocurrencies, but it could also contribute to data integrity. It creates a record of data that is stored permanently in multiple locations. Despite some scepticism about it, governments around the world have already begun testing and implementing blockchain technology.

The Netherlands, Georgia, Sweden, the UAE, Canada and Estonia either use blockchain or have piloted blockchain projects for a variety of government services.

One example that stands out is the Chilean government’s use of blockchain for the preservation and security of its environmental data.

Earlier this year, the Chilean National Energy Commission launched a project called Energia Abierta (Open Energy). It aims to increase the security, integrity and traceability of energy information by storing publicly available data, such as national electric capacity, energy prices and emission levels, on the Ethereum blockchain technology. The commission says that public information, particularly related to energy, is critical for investment decisions and shaping policies.

Chile’s emissions data could, for example, be manipulated by foreign actors who could then criticise the government for not meeting its commitment to the Paris climate agreement, which Chile has ratified. A discrepancy in the information held by energy providers, the energy commission and other national agencies could severely undermine trust in Chile’s governance.

In Australia, blockchain is starting to appear on the government’s agenda. Last year CSIRO’s Data61 conducted research into blockchain and its potential applications in the government and business sectors. Its report Distributed ledgers: scenarios for the Australian economy over the coming decades, concluded that blockchain technology can enhance the trust, accountability and auditability of data storage.

In the 2018–19 budget, the Australian government allocated $700,000 to the Digital Transformation Agency to research how blockchain could be used to support government services. And only last week the government signed a five-year agreement with technology company IBM to help further its digital transformation agenda.

Data accessibility is also on the government’s agenda, as seen by the Productivity Commission’s 2017 report into data availability and use, the data sharing for innovation agenda, and the 2015 public data policy statement.

The value of accurate, reliable and verifiable open-source information shouldn’t be underestimated. Australia needs to take advantage of new technologies as they emerge and reframe its approach to the security and preservation of open-source data.

‘Indonesia is one of the most dynamic economies in the region and is poised to become one of the region’s largest and most vibrant digital economies.’ That was Prime Minister Malcolm Turnbull’s message to the Indonesia–Australia Digital Forum (IADF), held in Jakarta on 31 January and 1 February. At the same event, President Joko ‘Jokowi’ Widodo said that ‘the digital age increasingly present[s] challenges for [Indonesia] from a social, economic and governance perspective. This era demands that everything be digitalised with increased speed and efficiency.’

This was one reason that Jokowi ordered the establishment of the National Cyber and Encryption Agency (Bandan Siber dan Sandi Negara, or BSSN) last May. Its nearest Australian counterpart might be the Australian Signals Directorate (ASD). The BSSN combines the former national encryption agency, the Indonesia Security Incident Response Team on Internet Infrastructure and some resources from the Ministry of Communications and Informatics (KOMINFO). The BSSN is set to become the central authority for coordinating and driving improved cybersecurity in Indonesia.

Like Australia, Indonesia is reshuffling its bureaucratic machinery that deals with cyber issues. Three years ago, a presidential decree mandated that the Coordinating Ministry for Political, Legal and Security Affairs (POLHUKAM) would lead on cyber issues. Over the last few years, Australia and other nations have been working intensively with the Cyberdesk at POLHUKAM to develop a national cybersecurity strategy for Indonesia.

The new division of responsibilities and reporting lines are still being fleshed out. But the move raises some fundamental questions. For example, will policy development and executive functions be separated? Will cybersecurity be organised in a decentralised way or pushed down from the president’s office? Will the necessarily secretive culture of cryptographers be opened up so that BSSN serves as a cybersecurity centre for government, industry and Indonesian citizens?

As Jokowi noted, cyber presents a multitude of challenges and opportunities for Indonesia. The archipelago has more than 130 million users who access the internet primarily through mobile phones and Facebook. In the region, Indonesia is one of the greatest sources of cyberattacks, as well as the largest target of attacks, as a result of its developing internet infrastructure (it ranked 73rd of 139 countries in the World Economic Forum’s 2016 Network Readiness Index), combined with narrowly applicable regulations and lax cyber hygiene standards. Even so, Indonesia’s IT industry and internet-based start-ups are booming. At the IADF, Indonesian leaders proudly pointed to billion-dollar start-ups GO-JEK (transport), Tokopedia and Bukalapak (online marketplaces), and Traveloka (online bookings).

While there’s an important economic angle to Indonesia’s cyber engagement, the government’s main focus seems to be on threats rather than opportunities. Last January when he was appointed head of the BSSN, Major General Djoko Setiadi emphasised that his priority would be to counter internet hoaxes and fake news. At a capacity-building workshop for Indonesian officials organised by ASPI’s International Cyber Policy Centre in late January, similar online threats were identified as the primary concerns for Indonesian society. Cybercrime, the vulnerability of critical infrastructure and privacy loss remain second-order priorities for the moment.

Like in many other developed and developing states, the government has introduced more robust legislation and giving greater power to security agencies. Indonesia’s well-known, and all too often referred to, Electronic Information and Transactions Law from 2008 was only revised in 2016. It authorises the Ministry for Communications and Informatics  to terminate access to online material—by blocking websites or ordering internet service providers to do so—containing immoral content, hate speech, insults or defamation.

Indonesia will figure prominently in Australia’s international cyber agenda. DFAT’s international cyber engagement strategy, which ‘champions an open, free and secure cyberspace’, targets the entire Indo-Pacific region. The Indonesia–Australia Cyber Dialogue, inaugurated in 2017, serves as a channel to discuss issues of mutual concern. But there’s the bigger question as to how much Australia can support Indonesia in promoting a free, open and secure cyberspace while accommodating Jakarta’s concern about exercising sovereignty.

During the IADF, the head of the Australian Cyber Security Centre (ACSC) welcomed the opportunity to work with BSSN. This is an obvious bond to be cultivated. Both ASD (under which the ACSC sits) and BSSN will face similar challenges in transitioning from running high-secrecy operations to serving as a platform for collaboration between government, industry and civil society.

At the policy level, the situation is blurrier. It’s unclear whether Indonesia’s strategic direction will come from the president’s office or from the agency itself. If it’s the agency, which will also implement the strategy, that would surely affect the checks and balances within the administration and the parliament’s ability to exercise oversight. Alternatively, the remaining skeleton desk at the Coordinating Ministry for Political, Legal and Security Affairs could play a role.

While the roles and responsibilities of Indonesia’s domestic agencies are being debated (and challenged), opportunities are slipping away. As a country that’s forecast to rocket into the world’s top global economies, Indonesia will gain enormous benefits if it can provide conditions that foster a free, open and secure internet. Its tech-savvy population and sizeable e-market are already flourishing, but the growth of its e-economy could dramatically accelerate if the government gets its settings right.

In broader strategic terms, Indonesia is also vital. If it chooses a stifling Chinese approach, it would be hugely damaging to efforts to keep the internet in the region dynamic, open and secure. Handily, as a young, vibrant democracy, an open approach makes much more sense.

When cyber-security professionals were polled recently at their annual Black Hat conference in Las Vegas, 60% said they expected the United States to suffer a successful attack against its critical infrastructure in the next two years. And US politics remains convulsed by the aftermath of Russian cyber interference in the 2016 election. Are cyber-attacks the way of the future, or can norms be developed to control international cyber conflict?

We can learn from the history of the nuclear age. While cyber and nuclear technologies are vastly different, the process by which society learns to cope with a highly disruptive technology shows instructive similarities. It took states about two decades to reach the first cooperative agreements in the nuclear era. If one dates the cyber-security problem not from the beginning of the internet in the 1970s, but from the late 1990s, when burgeoning participation made the internet the substrate for economic and military interdependence (and thus increased our vulnerability), cooperation is now at about the two-decade mark.

The first efforts in the nuclear era were unsuccessful United Nations–centered treaties. In 1946, the US proposed the Baruch plan for UN control of nuclear energy, and the Soviet Union promptly rejected locking itself into a position of technological inferiority. It was not until after the Cuban Missile Crisis in 1962 that a first arms control agreement, the Limited Test Ban Treaty, was signed, in 1963. The Nuclear Non-Proliferation Treaty followed in 1968, and the bilateral US–USSR Strategic Arms Limitation Treaty in 1972.

In the cyber field, Russia proposed a UN treaty to ban electronic and information weapons (including propaganda) in 1999. With China and other members of the Shanghai Cooperation Organisation, it has continued to push for a broad UN-based treaty.

The US resisted what it saw as an effort to limit American capabilities, and continues to regard a broad treaty as unverifiable and deceptive. Instead, the US, Russia, and 13 other states agreed that the UN secretary general should appoint a Group of Governmental Experts (GGE), which first met in 2004.

That group initially produced meagre results; but, by July 2015, it issued a report, endorsed by the G20, that proposed norms for limiting conflict and confidence-building measures. Groups of experts are not uncommon in the UN process, but only rarely does their work rise from the UN’s basement to a summit of the world’s 20 most powerful states. But while the GGE’s success was extraordinary, last month it failed and was unable to issue a consensus report for 2017.

The GGE process has limitations. The participants are technically advisers to the UN secretary general rather than fully empowered national negotiators. Over the years, as the number of GGE member states increased from the original 15 to 20 and then to 25, the group became more unwieldy, and political issues became more intrusive. According to one diplomat who has been central to the process, some 70 countries have expressed interest in participating. But as the numbers expand, the difficulty of reaching agreement increases.

There are a wide range of views about the future of the GGE process. A first draft of a new report existed at the beginning of this year, and the able German chairman argued that the group should not rewrite the 2015 report, but try to say more about the steps that states should take in peacetime.

Some states suggested new norms to address data integrity and maintenance of the internet’s core structures. There was general agreement about confidence-building measures and the need to strengthen capacity. The US and like-minded states pressed for further clarification of the earlier agreement that international laws of armed conflict, including the right of self-defence, apply in cyber space, but China, Russia, and their allies were reluctant to agree. And the deterioration in US–Russian relations soured the political climate.

Moreover, whereas some states hope to revive the GGE process or enlarge it into a broader UN process, others are sceptical, and believe that future progress will be limited to discussions among like-minded states, rather than leading to universal agreements.

Norms that may be ripe for discussion outside the GGE process could include protected status for the core functions of the internet; supply-chain standards and liability for the ‘internet of things’; treatment of election processes as protected infrastructure; and, more broadly, norms for issues such as crime and information warfare. All of these are among the topics that may be considered by the new informal International Commission on Stability in Cyberspace established early this year and chaired by former Estonian Foreign Minister Marina Kaljurand.

Progress on the next steps of norm formation will require simultaneous use of many different formats, both private and governmental. For example, the 2015 agreement between China and the US to limit industrial cyber espionage was a bilateral accord that was later taken up by the G20.

In some cases, the development of norms among like-minded states can attract adherence by others at a later point. In others, such as the internet of things, norms for security standards may benefit from leadership by the private sector or non-profit stakeholders in establishing codes of conduct. And progress in some areas need not wait for others.

A regime of norms may be more robust when linkages are not too tight, and an overarching UN treaty would harm such flexibility at this point. Expansion of participation is important for the acceptance of norms, but progress will require action on many fronts. Given this, the failure of the GGE in July 2017 should not be viewed as the end of the process.