Bridging the Geopolitical Divide in Cyber Governance: The Role of Middle Power Cyber Diplomacy in Advancing Global Norms for Responsible State Behavior in Cyberspace

Abstract: Great powers are actively trying to impose their views on responsible state behavior in cyberspace in an attempt to obtain a strategic advantage. Lack of convergence has fomented an increasingly fragile global arena where mistrust prevails. Although middle powers’ influence may face significant domestic and international constraints, they can play a stabilizing and constructive role in finding common ground among great powers, promoting norms, and building coalitions on responsible state behavior in cyberspace with the aim of contributing to a more peaceful, secure and stable digital environment for all.

Introduction

As the internet continues to exert growing influence in multiple aspects of our existence, conflicting visions about what constitutes responsible state behavior in cyberspace have become a key component of strategic competition. Great powers are actively trying to impose their views to obtain a strategic advantage that will help them consolidate their power in an international environment characterized by a zero-sum approach. Multiple efforts to establish consensus among governments are facing an impasse as great powers find it difficult to adopt compromises that may imperil their vital interests. Lack of convergence has fomented an increasingly fragile global arena where mistrust prevails, jeopardizing international security and stability, and evidencing the need to find innovative ways to advance agreements. This article argues that, given this complex global context, middle power cyber diplomacy can contribute to a more peaceful, secure and stable digital global environment by finding common ground among great powers, promoting norms, and building coalitions on responsible state behavior in cyberspace.

The Global Cyber Security Landscape

Over the past two decades, relevant stakeholders have been working towards the development of cyber norms that can reduce the risks posed to the international order by cyber threats. The most significant results to date have been produced by the United Nations Group of Governmental Experts (UN GGE), comprised of 25 members, including the 5 permanent members of the UN Security Council. Between 2004 and 2021, the UN GGE produced important milestones: it confirmed that international law applies to cyberspace and is essential for maintaining peace and stability, and listed 11 voluntary non-binding norms on responsible state behavior in cyberspace.

In 2017, the UN GGE failed to reach an agreement. Topics that apply only in situations of armed conflict, such as the implementation of international humanitarian law, countermeasures, and the right to self-defense in cyberspace, were the main issues of disagreements. As a result, in 2019 the UN General Assembly supported Russia’s proposal to create an Open-Ended Working Group (OEWG) aimed at “making the United Nations negotiation process on security in the use of information and communications technologies more democratic, inclusive and transparent”. In 2021, both groups issued their final reports. “The establishment of dual tracks and the slow progress reflect the competing visions that states have in the development of cyber governance”.

States’ efforts to define the rules of the road in cyberspace outside of the UN have also taken place. The 2018 Paris Call for Trust and Security in Cyberspace defined nine common principles that addressed key issues, including the protection of the public core of the internet, the defense of electoral processes, the prohibition of hacking back operations by non-state actors, and the acceptance and implementation of international norms of responsible behavior. The Global Commission on the Stability of Cyberspace (GCSC) proposed in 2019 eight norms that supported cyber stability, “a condition in which individuals and institutions can be reasonably confident in their ability to use cyber services safely and securely, change is managed in relative peace, and tensions are resolved without escalation”.

Additionally, proposals have emanated from the private sector and civil society. The Tallinn Manual process, initiated in 2009, provides guidance on how existing international law applies to cyberoperations in and out of armed conflict. The 2017 Digital Geneva Convention by Microsoft calls on states to exercise restraint in developing cyber weapons, to commit to nonproliferation activities, and to avoid a mass event. Similarly, the Oxford Process builds consensus among scholars around “both positive and negative obligations of States in their foreign and domestic behavior pursuant to key principles and rules of international law – such as sovereignty, non-intervention, international human rights law and international humanitarian law”.

This non-exhaustive overview of the cybersecurity landscape demonstrates that cyberspace has become a major and favorable battleground for strategic competition. By trying to influence internet governance, great powers seek to gain an advantage in their contests with each other and consolidate their power in the fifth domain. Norms of responsible state behavior follow the same logic, since they are an integral part of global governance.

The United States has retained a disproportionate influence over the internet’s architecture, a position that other global powers are challenging with alternative models of internet governance. While the United States advocates for a multi-stakeholder approach based on an open, free, global, interoperable, reliable, and secure internet that prioritizes free speech and free market; other great powers, like China, prioritize state sovereignty and place the state over the rights of individuals to facilitate a more controlled and closed digital environment that contributes to social stability and safeguards national political security. As strategic competition and internet governance fragmentation intensify, great powers will be less willing to negotiate the adoption of shared norms.

The absence of binding international norms governing state behavior in cyberspace poses growing risks to global stability and security. As we become more dependent on the digital world, also grows our vulnerability to malicious cyber activities that erode trust. At the global level, trust is at the heart of states’ interactions, it is what enables international cooperation and the sharing of information that will lead to peace and stability. “The lack of norms about appropriate uses of cyber-operations makes it difficult for states to trust that others will use restraint”, perpetuating a cycle of insecurity, aggression, and instability.

The impasse in recent years on negotiations to define rules of responsible state behavior in cyberspace does not mean that norms are irrelevant or unnecessary. “Norms create expectations about behavior that make it possible to hold other states accountable. Norms also help legitimize official actions and help states recruit allies when they decide to respond to a violation.” Mindful about the importance of crafting global rules over time to manage this wicked problem, middle powers have a particular interest in bringing a measure of order to cyberspace given their characteristics and their increasing dependence on the digital domain.

The Stabilizing and Constructive Role of Middle Power Cyber Diplomacy: Strategies, Tools, and Constraints 

Although there is no set definition of middle power, experts generally agree that these countries are willing and able to influence the trajectory of global governance, including the cyber domain. Middle powers lack the military dominance or economic incentives to impose their will on other states; tend to be highly integrated into the global economy to boost their development; are strong advocates of multilateral institutions where they can exercise influence; and are vulnerable to cyberthreats given their high degree of interconnectedness. To exert their strategic activism, middle powers “contribute to building norms that not only influence the trajectory of global cyber governance but also restrain great powers and safeguard their own agency and interests”. Therefore, “middle powers are not solely driven by a sense of altruism”, they are strategic players seeking a more secure, stable and peaceful cyberspace where they can thrive.

History has witnessed successful middle power diplomacy. After the Cuban Missile Crisis in 1962, Mexico launched a campaign to denuclearize the region that culminated with the adoption of the 1967 Treaty for the Prohibition of Nuclear Weapons in Latin America and the Caribbean (Treaty of Tlatelolco). The document prevents the spread and use of nuclear weapons in the area, and its protocols require The Netherlands and the five nuclear powers of the UN Security Council to respect the agreement within the territories under their international responsibility in the zone of application of the Treaty.

As a result of the effective activism of Mexico as a middle power, the Treaty was the first attempt to successfully denuclearize a populous region; allowed the region “to deploy its economic capacity and resources for peaceful economic development rather than expending them on unproductive nuclear arms races”; and inspired similar agreements and initiatives worldwide. Mexico was able to form a powerful coalition of small and mid-size countries with the aim of limiting the ambitions of nuclear powers in the region while protecting the national security interests of the Latin-American and Caribbean countries.

Effective middle power diplomacy in cyberspace

1: Middle powers as reliable neutral partners

As great power competition intensifies, middle powers seek to establish themselves as reliable partners to all sides and to exert an independent, flexible, self-interested activism with a “growing desire… for more control over the shape of the global order and greater influence over specific outcomes”. This is also true in cyberspace, where strategic competition has prevented great powers from reaching an agreement on responsible state behavior. Middle powers are well-positioned to bridge the divide as impartial actors that can effectively and constructively engage with multiple great powers at once to facilitate dialogue, reconcile differences, and uphold global cooperation.

As one of the most digitized countries in the world, The Netherlands sees cyberthreats as a significant menace to its strategic security interests and digital way of life. To address these challenges The Netherlands has committed itself to promoting an international rules-based order, playing an active role in finding common ground between like-minded and non-like-minded countries “on smaller specific topics that could cascade into a wider consensual understanding of regulation that is needed for activities in the realm of cyberspace”, such as the protection of the public core of the internet.

The Netherlands has participated in the UN GGE, the OEWG, and the Organization for Security and Co-operation in Europe to enhance constructive discussions on the interpretation of international law. It organized the Fourth Global Conference on Cyberspace in 2015, whose Global Forum on Cyber Expertise strengthened cyber-related international cooperation. It launched the GCSC in 2017. Additionally, it supported the development of the Tallinn Manual 2.0 by offering training courses on the applicability of international law in cyberspace; and by leading the Hague Process to “ensure states have a voice in the efforts to set forth the international law that governs their activities in cyberspace”. By relying on new platforms that promote dialogue and capacity-building measures, The Netherlands has positioned itself “as a non-threatening actor with a tradition of honest brokerage” that can facilitate and positively influence the adoption of cyber norms.

2: Middle powers as norm entrepreneurs

Middle powers can also act as norm entrepreneurs to establish new international standards of behavior. Multilateral institutions play a crucial role in achieving this objective because they give middle powers the opportunity to rely on their soft power diplomacy to alter other state’s preferences and patterns of behavior. With a strategic long-term vision, middle powers seek to define a new normal that will not only protect and advance their interests in and through cyberspace but also respond to an international community increasingly affected by cyberthreats, conferring them a certain degree of respectability and good reputation.

Estonia has played a key role as norm entrepreneur by leveraging its expertise and knowledge as a highly reliant state on information and communication technologies, as well as its relatability and reputation among other states to facilitate dialogue and negotiations in multilateral fora. After the 2007 Russian cyberattacks that left Estonians disconnected from the internet for several weeks, Estonia has tried to strike a balance between strong cyber defense capabilities and the need to apply existing international law to cyberspace to promote responsible state behavior.

In 2004 Estonia proposed the NATO Cooperative Cyber Defence Centre of Excellence, which has hosted the Tallinn Manual process since its inception. It has promoted the adoption and implementation of the Council of Europe Convention on Cybercrime, raising awareness about the need for international legal frameworks, confidence building measures to combat cybercrime, and capacity-building programs to help developing nations implement the Treaty and strengthen their digital infrastructure. Its diplomatic efforts were crucial in revitalizing the UN GGE after the “2007 attacks showed that inter-state conflicts could have a cyber dimension”, and in achieving a consensus report in 2015 about 11 voluntary non-binding norms on responsible state behavior in cyberspace. Additionally, it co-chaired the GCSC’s normative work in 2019. By becoming one of the first countries to understand the importance of international cooperation in managing cybersecurity, Estonia has relied on negotiations and dialogue within multilateral institutions to reach agreements on norms, consolidating “itself as a cyber norm entrepreneur if not as a cyber norm pioneer”.

3: Middle powers as coalition builders

In international relations alliances are key to advancing political objectives. In the cyber domain, “coalition-building among middle powers can make a real difference in advancing thematic agendas [by focusing on creating consensus], even if support from one or more great powers is not forthcoming”. Alliances generate awareness on issues of concern, provide initiatives with greater legitimacy, bestow concerted actions with stronger impact, and gather the critical mass necessary to prompt nations to join a desired trend. Middle powers can also use their soft power, such as capacity building initiatives, to build stronger partnerships, adding to their reputation and neutral stance in international negotiations.

Singapore has “always supported a rules-based multilateral system in every domain of the global commons, … keenly aware that the alternative –where might makes right– would be disastrous for a small state like Singapore”. It has mainly relied on the Association of Southeast Asian Nations (ASEAN) to propel initiatives aimed at defining responsible state behavior in cyberspace. Since 2016, it has annually hosted the ASEAN Ministerial Conference on Cybersecurity. Also, it encouraged ASEAN to become the first and only regional organization to subscribe in principle and implement the UN GGE’s 11 voluntary non-binding norms of responsible state behavior in cyberspace, serving as a reference for other countries.

Aware of the importance of international cooperation to set the rules of the road in the digital space, Singapore has also leveraged its soft power to strengthen its alliances. In 2016, it established the ASEAN Cyber Capacity Programme focused on cyber policy, legislation, strategy development and incident response. The ASEAN-Singapore Cybersecurity Centre of Excellence has helped deepen the region’s cyber security capabilities and enhanced its ability to respond to emerging global cyber threats. Furthermore, Singapore supported the launch of the ASEAN Regional CERT in 2024. By leading these initiatives, Singapore has built a reputation as a middle power committed to responsible state behavior in cyberspace, garnering the support of ASEAN countries and hoping that other nations will join these efforts.

Challenges that constrain middle powers’ influence

Although middle powers have the potential to lead an inclusive process aimed at defining norms of responsible state behavior in cyberspace, they face significant constraints. On the international front, “middle-sized nations frequently find themselves in difficult diplomatic circumstances where they have to balance the conflicting interests of more powerful nations”, forcing them to dilute their goals or choose sides when their vital interests are at play. Also, middle powers’ heavy dependence on regional organizations or coalitions can restrict their room for maneuver, reducing their strategic agency. Additionally, relying on non-enforceable norms gives transgressions the power to hinder or revert progress, undermining middle powers’ efforts.

On the national front, lack of specialized talent, dedicated resources, technical capacity, internal coordination, and policy consistency through time can thwart middle power’s efforts, weakening their credibility. Political or social instability, as well as institutional weakness can deviate attention and necessary resources away from international activism. Moreover, “lack of domestic appetite for… middle-power roles and/or an increase in perceived risks of carrying out such roles in the midst of geopolitical tensions could diminish the political will and capital targeted towards shaping global… governance”.

Although some experts believe that the current global structural transition and domestic trends are discouraging middle powers’ activism and pushing them towards extinction, the committed and sustained efforts of The Netherlands, Estonia, and Singapore towards defining a rules-based digital order show that middle powers are steadfast and agile strategic players with a long-term vision focused on achieving a peaceful, secure and stable digital global environment that can safeguard their interests in and through cyberspace.

Recommendations

The following recommendations identify key actions that middle powers can take to elevate their influence in building a more peaceful, secure and stable cyber domain:

1: A professional, well-resourced, objectives-oriented, and committed diplomatic cyber force increases middle power’s credibility and reputation as effective, capable, reliable, and responsible stakeholders in cyberspace. This requires establishing a cyber diplomacy unit within foreign ministries tasked with addressing cyber issues from a crosscutting approach, coordinating interagency efforts before international actors, and training professional cadres on cyber diplomacy to advance middle power’s interests.

2: “In a cyber domain that is largely owned and operated by the private sector, meaningful progress in developing and upholding expectations for responsible behavior will require much closer cooperation between governments and industry, as well as civil society”. By maintaining a constructive and consistent dialogue with the private sector and civil society, middle powers add meaningful and influential voices to their efforts, gradually cement progress, make it incumbent upon states to comply with norms, and avoid potential setbacks.

3: Middle powers must engage with other middle powers from different geographical regions to build the critical mass necessary to detonate changes in states’ preferences and patterns of behavior that will lead to a more secure and stable cyber domain. This will reinforce the neutrality of their approach; balance the influence and concerns of stronger nations; enrich the international standard-setting process with different perspectives and experiences; and create the collective impact required to advance norms of responsible state behavior. Middle powers are more effective and have greater impact when working in concert.

Conclusion

Mired in the zero-sum game of high-level politics, great powers increasingly find it hard to reach significant and lasting agreements in different areas, including responsible state behavior in the digital domain. This context has opened an opportunity for middle powers to assume greater agency in the international system, serving as a stabilizing and constructive force in the cyber domain. Although middle powers’ influence may face significant domestic and international constraints, they possess a unique capacity to foster trust and dialogue through transparency, legal clarity, and multistakeholder engagement. As geopolitical tensions deepen, the world may benefit from increasingly relying on these diplomatically agile states, who can play a meaningful role in finding common ground among great powers, promoting norms, and building coalitions on responsible state behavior in cyberspace to contribute to a more peaceful, secure and stable digital environment for all.