[Maarten Van Horenbeeck] [International Relations and Political Science]
Norms development in regional political associations
Maarten Van Horenbeeck
maarten@daemon.be
This work is a portion of my Masters Thesis at the Freie Universitat Berlin. It does not cover the research portion of the thesis (which I may publish at a later point in time), but consists of the majority of the literature review.
Introduction
Cyber security is a complex domain for the development of international law. Technology, and its acceptable uses change both quickly and dramatically. The Budapest cybercrime convention took over five years to negotiate, after eight years of preparatory work. As a result, norms are emerging in international forums as alternatives to formal treaties and laws.
Norms consist of standards of appropriate behavior which are developed through a competition of existing behaviors (Finnemore and Sikking, 1998). This research will identify whether norms between states are most likely to develop when states participate in international formal treaty making or when they are most active participating in a regional community. In particular, this investigation will review the situation of norms development arising as part of a state's participation in the Association of Southeast Asian Nations (ASEAN).
Keywords: cyber norms, security, regional institutions
Cyber security and international law
Cyber security has become an increasingly important topic in political affairs. In itself, it consists of a very wide area of topics which vary from the enforcement of domestic security concerns online (for instance in the case of The People's Republic of China and other more authoritarian countries which regularly block content for domestic use), protection of the economic capability of a state by enabling businesses to protect themselves from industrial espionage or disruption and the self-protection of a government from espionage and meddling by foreign states.
While in this sense very much a security question, there are a few elements which make cyber security threats special, and different from traditional security threats which countries have faced. These include:
- A lack of accurate attribution: Reich, Weinstein, Wild and Cabanlong (2010) identified that anonymity on the internet poses significant issues to cyber security. They quote David Wheeler at the Institute for Defense Analyses as stating that "prepositioning is necessary for many attribution techniques" and that "attribution is difficult and inherently limited". As a result, defensive techniques which are built on top of attribution, such as deterrence are less effective in the cyber security domain.
- The concept of a "class break": this term, coined by security technologist Bruce Schneier (2007) implies that the internet permits for attacks "which can break every instance of some feature in a security system". Due to the limited resource buildup that is required, an attacker who identifies a new vulnerability in software can uniformly exploit it in all affected systems, rather than having to engage in physical effort, delaying his attack. This implies that a new attack can be universally known and utilized immediately, not permitting the deployment of traditional defenses that build up over time. For instance, when one realizes a lock is broken, one may decide to post a security guard at every door. The attacker can only break into a few doors before the guards are posted, limiting the impact of the vulnerability. When an electronic lock is broken, the attacker can immediately break all identical locks within minutes - defenses must be designed to ramp up at equal speed.
- Transitive effects: as the network is a shared resource, an effect generated by one state may impact other states, and be outside of their direct control. In 2008, the government of Pakistan decided that online video web site YouTube, owned by Google, should no longer be permitted to operate within the country. In order to do so, they applied a configuration change on the national internet routers to redirect traffic to YouTube to a temporary "black hole". Due to an error, one of the internet providers to the country copied the configuration change, and traffic to YouTube was diverted internationally, not just in Pakistan, leading to an outage for the US-based firm (Hunter, 2008). In another example, in 2012, software vendor Microsoft, faced with malware being hosted under a domain name owned by a Chinese corporation, enforced a right to protect its customers through a US-based court, stripping the company of its electronic assets and assigning them to Microsoft (Krebs, 2012)
In addition, finding areas of international agreement on cyber security tends to be very difficult. Due to the interconnectedness the internet offers, values and beliefs of a single country cannot be easily enforced, and using certain technologies, states do have some ability to enforce their own values and beliefs internationally
This makes for a very difficult situation for lawmakers and regulators. The development of international cyber security law is difficult, and tends to take significant amounts of time. The Budapest Convention on Cybercrime is the "first international treaty on crimes committed via the Internet and other computer networks" and deals with "infringements of copyright, computer related fraud, child pornography and violations of network security". It was opened for signature on November 23rd, 2011 (Council of Europe, 2001) and is still not universally ratified today. For instance, Canada, while signing the treaty in 2001, only ratified it in 2015, and other dominant technology players such as Israel have not signed the treaty at all. The development of international law is often slow, and is not always in line with technological developments. The concerns around "cyber bullying" for instance, only arose when consumer use of the internet became dominant, in most countries after the treaty's development in 2001.
As a result, in order for countries to successfully work together on cyber security, international law may not be the final answer. While major requirements will most likely still be negotiated in the legal arena, countries also must find ways to respond more quickly to emerging security challenges.
Norms and norms development
What are norms?
Axelrod (1986) described norms as a mechanism of conflict regulation, even in the lack of a central authority. This definition makes norms very relevant to contemporary political life. While within regions, there may be varying levels of governance above the concept of the nation state, in particular related to human rights, the general idea of national sovereignty has not changed, and is still reflected in the United Nations Charter (UN, 1945). While originally a social science concept developed outside of the realm of politics, it has recently been leveraged more to help drive conversation and change outside of rigid legal frameworks, or in places where legal authority is challenged or contested.
As a more formal definition, Axelrod stated "a norm exists in a given social setting to the extent that individuals usually act in a certain way and are often punished when seen not to be acting in this way". Noteworthy, in human behavior, Axelrod, in his study on norms, decided not to rely on an assumption of rationality, as in human behavior he saw "trial and error" be more common than "detailed calculations based on accurate beliefs about the future". While this assessment was based on actual human behavior, this thesis will implicitly provide some pointers on whether state behavior is different.
In the political science realm, Katzenstein (1996) has defined norms as "collective expectations for the proper behavior of actors with a given identity". Kelley (2002) expands on this by stating that new norms can "enable actors and create interests or categories of actions that otherwise would be impossible", and states election monitoring as a prime example. While under international law it seems implausible that states would invite other states to monitor the legitimacy of their election process, as states originally started doing so, more and more sought the international and domestic validity and confirmation that these states obtained, and the invitation of outside election monitors, in particular when the validity of the election outcome would otherwise be in doubt, became a norm.
How do norms get established?
Finnemore (1996) argues that new norms are developed when old norms are contested. However, for a norm to develop, the first requirement is to have a norms entrepreneur who strongly feels a particular value or belief should be upheld, and advocates it within the norms community, which may consist of both state and non-state actors. When it starts seeing some adoption, the acceptance of a norm can start to be distinguished.
Kelley (2002) quotes Kingdon (1984) as stating that "we should expect states to endorse international norms during periods of domestic turmoil in which the legitimacy of the elites is threatened". She describes "policy windows" as opportunities in which emerging norms are developed and actors arise which are willing to advocate these norms.
When a norm undergoes development, if it proves viable, it will reach a "tipping point" (Finnemore and Sikkink, 1998) at which norms cascade through the international system at a faster pace. Both authors identify three different reasons for a norms cascade to take place:
- "Pressure for conformity";
- "Desire to enhance international legitimation";
- "Desire of state leaders to enhance their self-esteem".
Upon a cascade, the final stage of the establishment of a norm is referred to as Internalization. At this point, the norm is so well established that it is considered to be the new normal, and adherence is easy and the preferred way of doing things.
Finnemore and Sikkink identify that each stage of the development of a new norm is characterized by a different set of actors: norm emergency is driven by "norm entrepreneurs with organizational platforms", they are cascaded by states and international organizations, and finally internalized through domestic law and bureaucracy.
Norms development: the external incentives model
The external incentives model, developed by Schimmelfennig and Sedelmeier (2004), is a way the European Union engages with the Central and East European Coalition countries. They describe it as a "rationalist bargaining model", in which actors maximize their power.
Information, threats and promises are made in hard negotiations, which lead to outcomes based on the relative bargaining power of both peers. They note as potential outcomes agreements or "rewards", in their proposed case leading up to an ultimate rewards, being granting of full EU membership. In this sense, the external incentives model is very much driven by realist thoughts, in the words of K.N. Waltz, seeing power both "as a means and an end" (1995).
Regarding norms transference, this thesis considers the external incentives model as an approach of developing norms, which mainly consists of hard negotiation and debate between state actors.
Norms development the social learning model
The external incentives model, developed by Schimmelfennig and Sedelmeier (2004), is a way the European Union engages with the Central and East European Coalition countries. They describe it as a "rationalist bargaining model", in which actors maximize their power.
Information, threats and promises are made in hard negotiations, which lead to outcomes based on the relative bargaining power of both peers. They note as potential outcomes agreements or "rewards", in their proposed case leading up to an ultimate rewards, being granting of full EU membership. In this sense, the external incentives model is very much driven by realist thoughts, in the words of K.N. Waltz, seeing power both "as a means and an end" (1995).
Regarding norms transference, this thesis considers the external incentives model as an approach of developing norms, which mainly consists of hard negotiation and debate between state actors.
How can norms be identified?
Bjorkdahl (2002) notes that "a central problem with the conceptualization of international norms is how it is empirically possible to recognize a norm". She states that evidence of existence of a norm is often indirect, and it can only be revealed by identifying patterns of behavior that would be consistent with that norm, or through the study of rhetoric that expresses the ideas behind the norm.
Nadelmann (1990) performed a comprehensive study of how specific norms evolved in society- including the norm against "whaling", as well as the "war on drugs" and piracy. However, he had the benefit of dealing with issues that were long established, and had time to develop. Within cyber security, they're no general agreements on what is acceptable, and what is not. While there are clear areas of agreement on what constitutes certain crimes, such as child pornography, the law is much more blurry in other situations, such as adware, a form of malicious code which publishes unexpected advertisements.
As such, this study will need to make certain assumptions on what constitutes a norm, and what does not. Operationalizing this variable, a 'nascent norm' will be considered to be an area of agreement on what is acceptable, or not acceptable behavior between multiple states.
Cyber security norms enterpreneurship in government
Maurer (2011) evaluated the current cyber norms landscape within the United Nations. He distinguishes between two forms of law under the mechanism: hard, binding law developed by the United Nations Security Council (UNSC) and 'soft law' which is written, for instance by the UN General Assembly, and is intended to influence the behavior of states, while not offering the type of redress a UNSC resolution would. In his view, norms are developed for quickly changing situations, and can in the end lead to inform 'soft law' over time.
Within the United Nations, Maurer sees the development of cyber security norms development as focused on two areas: 'politico-military' issues focusing on national and international stability, and 'economic' affecting online crimes. Different UN bodies are responsible for guiding the conversation in either area- for instance, the International Telecommunications Union (ITU) and United Nations Institution for Disarmament Research (UNIDIR) focus on the first, while the United Nations Office on Drugs and Crime and United Nations Interregional Crime and Justice Research Institute offer platforms to debate the other.
Maurer also flags one other venue for norms entrepreneurship within the United Nations, which is the Internet Governance Forum (IGF). The IGF was convened through the Tunis Agenda, and serves as a meeting for multi-stakeholder policy dialogue, to allow the main constituencies of government, civil society, technical community and private sector to work together on pressing Internet governance issues. This forum is unusual for the United Nations, but was needed in the Internet space due to the lack of a central governance authority. As flagged earlier, on the Internet countries domestic decisions (such as blocking YouTube) can have significant impact on other countries. In addition, the majority of interest infrastructure is operated by private sector organizations, rather than by governments. The IGF, which explicitly does not have any decision-making authority, allows for the grassroots development and discussion of ideas, which can then be picked up by each of the respective governing parties (whether end users, government policy makers or private sector network operators) for consideration and implementation. The IGF convenes once annually, and in 2014 initiated a specific working group on cyber security, in which the author participates as a lead expert. The goal of this working group is to identify organizational "best practices" on how to deal with security incidents. These consist of very high-level guidance, such as which government departments are best placed to be involved in the handling of security incidents, identifying subtle differences in effectiveness between country implementations.
Maurer concludes that there are "clear signs of nascent cyber norms slowly emerging" within the United Nations community. He cites as evidence the increase in General Assembly resolutions and the requests of bureaucracies for technical assistance, particularly after 2005.
Following up to Maurer's work, the UN convened a Group of Governmental Experts (GGE) to examine threats from cyberspace, and identify cooperative measures to address them. This work was initiated in 2010, and by 2015 delivered an initial report which recommended and documented several norms for consideration by the General Assembly:
- "Nations should not intentionally damage each other's infrastructure with cyber attacks";
- "Nations should not target each other's emergency responders";
- "Nations should assist other nations with investigating cyber attacks and cyber crime launched from their territories". (Marks, 2015).
Cyber security norms enterpreneurship in private sector
In conjunction with government efforts, private sector organizations have also been driving norms entrepreneurship. Perhaps the most vocal of these has been Microsoft Corporation, a large software and online services vendor, which in December of 2014 published a white paper with proposed cyber security norms.
In the paper, Microsoft focused particularly on enabling the globally connected society to grow unimpeded. As Matt Thomlinson of Microsoft (2014) writes, "norms should define acceptable and unacceptable state behaviors, with the aim of reducing risks, fostering great predictability, and limiting the potential for the most problematic impacts, including impacts which could result from government activity below the threshold of war".
Microsoft defined norms in two different categories:
- "Improving defenses", such as requiring states to have a clear policy on how to deal with software and service vulnerabilities;
- "Limiting conflict or offensive operations", such as exercising, caution when developing cyber weapons.
There is evidence of other norms emerging, for instance in the private sector community of exploit developers. These organizations develop and 'weaponize' exploits, which is attack code to abuse software vulnerabilities, and sell them, mainly to law enforcement and governments. Several organizations in this community have recently published a policy stating whom they offer their services too (mostly limiting themselves to governments that are members of NATO, ANZUS or ASEAN) (Vupen, 2014 and HackingTeam, 2014). While the adherence to these policies is under dispute, it appears to be becoming a de facto standard or "norm" within this special community of software vendors.
GoodHarbor, a private sector corporation chaired by former US National Security Advisor Richard Clarke, also published guidance on the development of international norms to secure cyberspace. He classified norms according to the main areas of Internet governance, Internet freedom, online privacy, cyber espionage, cyber crime and cyber war. Clarke (2014) notes that norms can exist as formal treaties, executive agreements, or other formal or informal agreements. He roots the need for security norms in history, noting that both maritime and air transportation are to a great degree based on norms rather than regulation. A relevant example is the original "duty to assist" which applied to vessels on the open seas, which was originally an unofficial agreement between boats men to allow them to "count on each other" and later become enshrined in the UN Convention on the Law of the Sea.
Cyber security norms enterpreneurship in civil society
While not necessarily pushing its own proposed norms, there have been a number of different civil society declarations on what a "norm set" for cyber security should look like.
Lewis (2014) of the Center for Strategic International Studies noted how the Internet "redefines legitimacy in international politics" and stresses persuasion and openness as new tools of influence. His organization proposes a framework for state behavior that clarifies the opportunity of norms to stigmatize specific disruptive cyber weapons and should include commitments to ensure an open Internet mostly operated by the private sector. In addition, such framework could extend dominant political rights onto online services platforms, limited only to a slight degree by government intervention. It should also enable operators to quickly and with limited limitations deploy additional network access.
As one of eight core principles, CSIS noted specifically that state actions should not threaten the stability of the global shared resource that is the Internet.
Regional political associations and their approach to security
Keohane roots international regimes in a closer analysis of how countries cooperate. He identified that whilst in a world of sovereign states, the idea of international institutions did not make sense, they did if they were seen as "devices to help states accomplish their objectives". In his view, institutions enable states to enter into agreements, and enforcing them- building transaction costs into collaboration mechanisms. (Keohane, 1998)
One institution is not like the others, though. While some have clear realist roots, such as the collective security design behind NATO, others seemed to have failed at their primary objective - such as the League of Nations in the onset of World War II.
This thesis reviews the ability of an institution to help drive the development of international norms. As not every institution is equal, it will review in particular the behavior of norms around ASEAN.
The Association of South East Asian Nations
In 1967, Indonesia, Malaysia, the Philippines, Singapore and Thailand initiated a pan-Southeast Asian project called ASEAN - the Association of South East Asian Nations (Narino, 2008).
Narino notes how the original development of ASEAN had three goals:
- "alleviate intra-ASEAN tension";
- "reduce the regional influence of external actors";
- "promote socio-economic development of its members".
Other states in the region joined later- leading to a total of 10 member states today. ASEAN operates based on a charter that provides its legal status and framework and sets it goals. Those goals today are mainly focused on peace and security, regional resilience, the maintenance of Southeast Asia as a nuclear weapons free zone, peace, poverty reduction, building the region's capability to deal with crime and illicit drugs and maintain ASEAN as a competent actor in its relationships with external partners (ASEAN, 2015b).
Narino identified how ASEAN is notable for its lack of direct outcomes. While the organization participates in several treaty-building exercises, it does not drive many of them itself, and has relatively few measurable outcomes for the regional community. From this point of view, he believes the organization to be difficult to explain from a liberal or institutionalist theoretical lens. However, he does note that from a socio-constructivist lens, the organization promotes key norms and practices within the region - and convincing other states in the region to adopt the behaviors it proposes.
The most meaningful reason for this is the mechanism ASEAN developed to deal with contentious issues - the development of a set of guidelines called the "ASEAN Way". These guidelines allow its members to discuss even the most contentious of issues without closing the door for debate. Goh (2014) lists these principles as "seeking agreement and harmony, the principle of sensitivity, politeness, non-confrontation and agreeability, the principle of quiet, private and elitist diplomacy versus public washing of dirty linen, and the principle of being non-Cartesian, non-legalistic". Go notes that in recent years, these principles have received addition of four more formal ones: territorial integrity, non-interference in internal affairs, peaceful settlement of disputes, and "renunciation of the threat or use of force".
In order to deal with the security issues afforded to it, and enlarge the group of states that could be involved in the ASEAN Way approach to security issues, in 1993, the 26th ASEAN Ministerial Meeting developed the ASEAN Regional Forum (ARF).
The ASEAN Regional Forum as a guarantor of security and stability
One of the unique things about the South East Asia region is that it does not have a traditional "balance of power" (Chanto, 2003). While the Soviet Union had an inordinate amount of impact, there are no regional hegemons amongst its membership, and each member of the region maintained its own, independent relationships with countries such as the People's Republic of China, or the United States. After the cold war, Chanto notes, though, the countries were much more free to act due to the lack of a formal agreement with their major neighbor to the North, different from the Eastern European countries and the Warsaw Pact. However, there was clear benefit from involving middle powers such as Australia, South Korea and India and engage larger powers such as the People's Republic of China and the United States, as a group.
Johnston (1998) notes how it is in this context that ASEAN developed the ASEAN Regional Forum as a multilateral security institution. However, he distinguishes how it is a non-formal association where anyone who joins is a "participant" rather than a member. In his view, this lack of institutionalization was built on the fact that it was unclear to what degree a risk of instability existed in the region and the vast differences in material power between the participants. He notes that the ARF is a great example of an institution developing over time based on its needs, rather than along a pre-planned trajectory where an outcome was all but uncertain. The organization maintains the ability to organize intercessional governmental and non-governmental working groups on topics that are of concern to several of its members, with specific attention to defense, nuclear weapons and peacekeeping.
Perhaps it is this lack of non-conformity to standard institutionalism theory that makes the ARF a potential suitable candidate for norms development. Katsumata (2006) assessed the organization based on its conventional theory of establishment, as noted by Chanto. He found there are several reasons why this explanation is insufficient. One of the more compelling ones is the nature of confidence building measures (CBM) in Asia as being normative, rather than strategic. Compared to other regional security mechanisms such as the Organization for Security Cooperation in Europe, he finds they are more based on dialogue and enhancing contacts within the region. Based on interviews with ARF participants, Katsumata notes the ARF drives them to a "logic of appropriateness" and thus setting norms on intra-region collaboration. He goes as far as to call the ARF a "norms brewery" for the region.
Reference list
ARF (2014a). Co-Chair's Summary Report of the ARF Workshop on Measures to Enhance Cyber Security - Legal and Cultural Aspects. Retrieved, July 18th 2015 from http://aseanregionalforum.asean.org/files/library/ARF%20Chairman's%20Statements%20and%20Reports/The%20Twentyfirst%20ASEAN%20Regional%20Forum,%202013-2014/22%20-%20Co-Chairs'%20Summary%20Report%20-%20ARF%20Workshop%20on%20Measures%20to%20Enhance%20Cyber%20Security,%20Beijing.pdf.
ARF (2014b). Co-chair's Summary Report of the ARF Workshop on Proxy Actors in Cyberspace. Hoi An City, Quang Nam Province, Viet Nam. Retrieved, July 18th 2015 from http://aseanregionalforum.asean.org/files/Archive/19th/19th%20ARF,%20Phnom%20Penh,%2012July2012/Co-Chairs%20Summary%20Report%20-%20ARF%20Workshop%20on%20Proxy%20Actors%20in%20Cyberspace.pdf
ARF (2014c). Co-chair's Summary Report of the ASEAN Regional Forum Cyber Incident Response Workshop. Retrieved, July 18th 2015 from http://aseanregionalforum.asean.org/files/library/ARF%20Chairman's%20Statements%20and%20Reports/The%20Twentieth%20ASEAN%20Regional%20Forum,%202012-2013/21%20-%20Co-Chairs%20Summary%20Report%20-%20ARF%20Workshop%20on%20Cyber%20Incident%20Response,%20Singapore.pdf.
ARF (2014d). Co-Chair's Summary Report of the ARF Seminar on Confidence Building Measures in Cyberspace. Seoul, Republic of Korea, 11th-12th of September 2012. Retrieved, July 18th 2015 from http://aseanregionalforum.asean.org/files/library/ARF%20Chairman's%20Statements%20and%20Reports/The%20Twentieth%20ASEAN%20Regional%20Forum,%202012-2013/20%20-%20Co-Chairs%20Summary%20Report%20-%20ARF%20Seminar%20on%20CBMs%20in%20Cyberspace,%20Seoul.pdf.
ASEAN (2015). About the ASEAN Regional Forum. Retrieved, May 27th 2015 from http://aseanregionalforum.asean.org/about.html
ASEAN (2015b). The ASEAN Charter. Retrieved, May 27th 1015 from http://www.asean.org/archive/publications/ASEAN-Charter.pdf.
Axelrod, Robert (1986). An evolutionary approach to norms. American Political Science Review. Vol. 80, Issue 4, pp. 1095-1011.
Berg, Bruce (2008). An introduction to content analysis. Qualitative Research Methods for the Social Sciences: International Edition. New York City: Pearson.
Bjorkdahl, Annika (2002). Norms in International Relations: Some Conceptual and Methodological Reflections. Cambridge Review of International Affairs. Vol. 15, Issue 1, pp. 9-23.
Chanto, Sisowath Doung (2003). The ASEAN Regional Forum - the emergence of "soft security". Dialogue and Cooperation. Vol 3, pp. 41-47.
CA/Browser Forum (2015). CA/Browser Forum members. Retrieved, July 8th from https://cabforum.org/members/.
Checkel, Jeffrey T., 1998, "The Constructive Turn in International Relations Theory", World Politics, Vol. 50 , Issue 2, January 1998, pp. 324-348
Checkel, Jeffrey T. (1999). Norms, Institutions, and National Identity in Contemporary Europe. International Studies Quarterly, Vol. 43, No. 1, pp. 83-114
Clarke, Richard A. (2014). Securing Cyberspace Through International Norms. Retrieved, June 27th from http://www.goodharbor.net/media/pdfs/SecuringCyberspace_web.pdf.
CCDCOE (2011). Korea's National Cyber Security Masterplan. Retrieved, July 3rd 2015 from https://ccdcoe.org/sites/default/files/strategy/KOR_NCSS_2011.pdf.
CoE (2015). Convention on Cybercrime (CETS No. 185). Treaty Status. Retrieved, July 15th 2015 from http://www.conventions.coe.int.
CoE (2010). Convention on Cybercrime: a framework for comprehensive legislation and joint action against cybercrime. Regional workshop on cybercrime. Tbilisi, Georgia, May 13th 2010. Retrieved July 25th 2015 from http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/cy_project_in_georgia/Presentations/Regional%20Ws%20on%20Cybercrime_13May10/2215_ConventionCybercrime_CSchulman.pdf.
CoE (2013). The cybercrime legislation of Commonwealth States: Use of the Budapest Convention and Commonwealth Model Law. Retrieved, July 20th 2015 from http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/Reports-Presentations/2571_Commonwealth_cy_leg_v21_27Feb%20rev_final_CoE.pdf.
DHS (2014). Critical Infrastructure Sectors. Retrieved, July 10th from http://www.dhs.gov/critical-infrastructure-sectors.
Finnemore, Martha and Sikkink, Kathryn (1998). International Norm Dynamics and Political Change. International Organization, Vol. 52, pp. 887-917.
FBI (2014). Update on Sony investigation. Retrieved, July 18th 2015 from https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation.
Freedom House (2015). Freedom in the world: scores and subscores. Retrieved, July 4th 2015 from https://freedomhouse.org/report/freedom-world-aggregate-and-subcategory-scores#.VbWMNRNVhBc.
FMPRC (2014a). Foreign Ministry Spokesperson Qin Gang's Regular Press Conference on May 28th, 2014. Retrieved, July 2nd 2015 from http://www.fmprc.gov.cn/mfa_eng/xwfw_665399/s2510_665401/t1160500.shtml.
FMPRC (2014b). Foreign Ministry Summons US Ambassador to China Max Baucus over US Justice Department's Announcement of Indictment Against Chinese Military Officers. Retrieved, July 5th 2015 from http://www.fmprc.gov.cn/mfa_eng/wjbxw/t1158146.shtml.
Goh, Gillian (2000). The 'ASEAN Way': Non-intervention and ASEAN's role in conflict management. Stanford Journal of East Asian Affairs. Vol. 3, No. 1. Pp. 113-118.
Greenwald, Glenn (2013). NSA collecting phone records of millions of Verizon customers daily. The Guardian Newspaper. June 6th, 2013.
Holsti, O. R. (1968). Content analysis. The Handbook of Social Psychology. Reading, MA: Addison-Wesley.
Heller (2005). The Relevance of the ASEAN Regional Forum (ARF) for Regional Security in the Asia-Pacific. Contemporary Southeast Asia, Vol. 27, No. 1, pp. 123-145.
Hunter, Philip (2008). Pakistan YouTube block exposes fundamental Internet security weakness: Concern that Pakistani action affected YouTube access elsewhere in world. Computer Fraud & Security. Vol. 2008, Issue 4, pp. 10-11.
IDA (2011) National Cyber Security Masterplan 2018. Retrieved, June 28th 2015 from http://www.ida.gov.sg
<
IGF (2015). About the IGF. Retrieved, July 4th 2015 from http://www.intgovforum.org/cms/aboutigf.
Johnston, Alastair Iain (1999). The Myth of the ASEAN Way? Explaining the Evolution of the ASEAN Regional Forum. Imperfect Unions: Security Institutions over Time and Space. Pp. 287-305.
Katsumata (2006). Establishment of the ASEAN Regional Forum: constructing a 'talking shop' or a 'norm brewery'? The Pacific Review, 19:2, pp. 181-198.
Keohane, Robert O. (1998) International Institutions: Can Interdependence work? Foreign Policy, No. 110, pp. 82-96+194
Kelley, Judith. (2008). Assessing the Complex Evolution of Norms: The Rise of International Election Monitoring. International Organization, Vol. 62, Issue 2, pp. 221-255.
Kingdon, John (1984). Agendas, Alternatives and Public Policies. Boston: Little, Brown.
Krebs, Brian (2012). Malware Dragnet Snags Millions of Infected PCs. Krebs on Security. Retrieved, June 7th 2015 from http://krebsonsecurity.com/2012/09/malware-dragnet-snags-millions-of-infected-pcs/
Lewis (2014). Liberty, Equality, Connectivity: Transatlantic Cybersecurity Norms. Retrieved, June 20th 2015 from http://csis.org/files/publication/140225_Lewis_TransatlanticCybersecurityNorms.pdf.
Marks, Joseph (2015). UN Body agrees to US norms in cyberspace. Politico. Retrieved, July 12th 2015 from http://www.politico.com/story/2015/07/un-body-agrees-to-us-norms-in-cyberspace-119900.html.
Maurer, Tim (2011). Cyber Norm Emergence at the United Nations. Retrieved, June 20th 2015 from http://belfercenter.ksg.harvard.edu/files/maurer-cyber-norm-dp-2011-11-final.pdf
Microsoft (2014). International Cybersecurity Norms: Reducing conflict in an Internet-dependent world. Retrieved, June 25th 2015 from https://blogs.microsoft.com/cybertrust/2014/12/03/proposed-cybersecurity-norms/.
Microsoft (2015). Microsoft Active Protections Program. Retrieved, July 9th from https://technet.microsoft.com/en-us/security/dn467918.aspx.
MOSTI (2011). National Cyber Security Policy of Malaysia. Retrieved, June 28th 2015 from http://cnii.cybersecurity.my/main/ncsp/NCSP-Policy2.pdf.
Nadelmann, Ethan A. (1990). Global prohibition regimes: the evolution of norms in international society. International Organization, Vol. 44, Issue 4. Pp. 479-526.
Narino (2008). Forty years of ASEAN: A Historical Review. The Pacific Review, 21:4, pp. 411-429.
Nissenbaum, Helen and Hansen, Lene (2009). Digital Disaster, Cyber Security, and the Copenhagen School. International Studies Quarterly, Vol. 53, pp. 1155-1175.
Reich, P.C, Weinstein, S., Wild, C. and Cabanlong, A.S. (2010). Cyber Warfare: A review of theories, law, policies, actual incidents - and the dilemma of anonymity. European Journal of Law and Technology. Vol. 1, Issue 2.
Ropp, Stephen C. and Sikkink, Kathryn (1999). The Power of Human Rights: International Norms and Domestic Change. Cambridge: Cambridge University Press.
Schimmelfennig, Frank and Sedelmeier, Ulrich (2004). Governance by Conditionality: EU rule transfer to the candidate countries of Central and Eastern Europe, Journal of European Public Policy, 11:4, pp. 661-679.
Schneier, Bruce (2003). Beyond Fear: Thinking sensibly about security in an uncertain world. Gottingen: Copernicus Books.
Shaohui, Tian (2014). Spokeswoman: China opposes cyber attack targeted at third nation. Retrieved, July 20th from http://news.xinhuanet.com/english/china/2014-12/22/c_133871514.htm
UN (1945). Charter of the United Nations. Retrieved, June 24th 2015 from http://www.un.org/en/documents/charter/intro.shtml.
UNODC (2013). Open-ended intergovernmental expert group to conduct a comprehensive study of the problem of cybercrime. Retrieved, July 25th 2015 from http://www.unodc.org/unodc/en/organized-crime/expert-group-to-conduct-study-cybercrime-feb-2013.html.
UNTC (2015a). International Convention for the Suppression of the Traffic in Women and Children. Retrieved, June 26th 2015 2015 from https://treaties.un.org/pages/ViewDetails.aspx?src=TREATY&mtdsg_no=VII-3&chapter=7&lang=en.
UNTC (2015b). International Convention on the Harmonization of Frontier Control of Goods. Retrieved, June 26th 2015 2015 from https://treaties.un.org/Pages/ViewDetails.aspx?src=TREATY&mtdsg_no=XI-A-17&chapter=11&lang=en.
UNTC (2015c). Convention on the prohibition of military or any other hostile use of environmental modification techniques. Retrieved, June 26th 2015 from https://treaties.un.org/Pages/ViewDetails.aspx?src=TREATY&mtdsg_no=XXVI-1&chapter=26&lang=en.
UNTC (2015d). International Opium Convention. Retrieved, June 26th 2015 from https://treaties.un.org/pages/ViewDetailsIV.aspx?src=TREATY&mtdsg_no=VI-2&chapter=6&Temp=mtdsg4&lang=en.
UNTC (2015e). Convention for the Protection of Producers of Phonograms against Unauthorized Duplication of their Phonograms. Retrieved, June 26th 2015 from https://treaties.un.org/pages/ViewDetails.aspx?src=TREATY&mtdsg_no=XIV-4&chapter=14&lang=en.
UNTC (2015f). Protocol to Eliminate Illiciti Trade in Tobacco Products. Retrieved, June 26th 2015 from https://treaties.un.org/pages/ViewDetails.aspx?src=TREATY&mtdsg_no=IX-4-a&chapter=9&lang=en.
UNTC (2015g). Convention relating to the Status of Refugees. Retrieved, June 26th 2015 from https://treaties.un.org/pages/ViewDetailsII.aspx?src=TREATY&mtdsg_no=V-2&chapter=5&Temp=mtdsg2&lang=en.
Waltz (1995). Realist thought and neorealist theory. Journal of International Affairs, Vol. 44, no. 1, pp. 21-37