Not exactly... a diplomatic norm is a commonly-accepted agreement as to
expected behavior. It’s essentially a step short of a treaty.

The problem here is that the US, Russia, and China all want to preserve their
“right” to conduct offensive cyber operations against anyone they want, any
time they want, without it rising to the level of a diplomatic incident.

Pretty much everyone else (but most actively the Dutch, Singaporeans, and
French) agrees that this is unacceptable behavior. But until diplomats agree on
a definition of what exactly is unacceptable, when it’s unacceptable, in what
context it’s unacceptable, by whom it’s unacceptable, and against whom it’s
unacceptable, there isn’t sufficient consensus to constitute a norm.

Once there’s a norm that’s clear and understandable for governments to agree
to, we can start picking up momentum. When a lot of governments agree to it,
violating it will become more and more diplomatically costly for the few
governments that do.

This is the stick. There has to be an opportunity cost incurred by governments
that attack private sector infrastructure.

That’s what we’re working towards.

-Bill

> On Nov 15, 2017, at 12:33, Mark Blackman <[email protected]> wrote:
>
>
>
>> On 15 Nov 2017, at 12:22, Bill Woodcock <[email protected]> wrote:
>>
>> Uh, none of that is relevant to the discussion. Call it pretty
>> infrastructure or tasty infrastructure or whatever pleases you.
>>
>> The question is what types of private-sector infrastructure you most
>> strongly feel should not be subject to governmental cyber attacks.
>>
>> -Bill
>
> Are the sort of people who would consider attacking private-sector
> infrastructure the sort of people who will pay any attention to any form of
> globally managed legislation, policy or regulation? Maybe you’re proposing
> this would be a mechanism for turning it into state-level legislation, policy
> or regulation?
>
> - Mark
>