The evolution of global cybersecurity norms in the digital age: A longitudinal study of the cybersecurity norm development process

Developing cybersecurity norms and global normative cybersecurity behaviors play an increasingly critical role in global cybersecurity governance. This paper takes a longitudinal approach to analyze cybersecurity norms development activities during the period 1997–2020. A total of 206 individual cases were collected, and 233 individual cybersecurity norms were identified and compiled into 25 subject categories. Categorizing the norm subjects alongside the frequency of cases and norms identified each year allowed for a longitudinal view of cyber norm activities and the evolution in developments over these years. This examination enables us to categorize cybersecurity norms, including their dynamic focus and evolution patterns. By studying those viewed as “successful,” we gain guidance regarding the construction of global cybersecurity governance in the digital age.


Introduction
Wherever there is digital innovation, there are cybersecurity risks. These risks can result in significant societal impacts. One typical, although inconclusive example, is the 2016 Presidential Election in the United States of America. It demonstrates that technologies can be used to disrupt, hack, and/or potentially affect the outcome of political processes, such as elections (Persily, 2017). It further raises a series of allegations and/or legal cases surrounding members of the Russian Federation, or individuals acting on the Russian Federation's behest, influencing the U.S. Presidential Election and ultimately affecting the outcome. The outcome of these allegations and subsequent investigation(s) results in a profound loss of faith in the democratic process for the U.S. public, as well as seemingly profound anger at the Russian Federation and the U.S. government alike (in response to its apparent failed security and integrity measures). Should there be codified laws that prohibit governments or non-governmental organizations (NGOs) from utilizing technology to disrupt such essential democratic infrastructures? Can we achieve a consensus among international multilateral and multi-stakeholder organizations that such actions should not be allowed? Such an agreement regarding action or non-action within the realm of cyber security, cyberspace, and the use of information and communications technologies (ICTs) can be considered as the agreement of normative behavior, resulting in a cybersecurity norm in the digital age. While developing such a cybersecurity norm itself cannot reduce the cybersecurity risks for the whole society, it is the very first step for the journey of thousands of miles.
"Norms establish expectations about who the actors will be in a particular environment and about how these particular actors will behave" (Katzenstein Peter, 1996). A "norm" can be defined as a principle of right action, binding members of a group and serving to guide, control, or regulate behavior deemed proper and acceptable (Merriam-Webster, 2021). The literature on norms within the realms of political science and international relations (IR) has sought to understand how individual perceptions of right and wrong may grow into and/ or influence a population's collective behavior or expectation(s) of a particular behavior (Hurel & Lobato, 2018;Risse & Sikkink, 1999). As related to cyber security, cyberspace, and ICTs, the absence of normative behavior has become a growing concern to governments and private organizations alike. This significantly reduces the trust in digital products, evidenced by the increasing restrictions on digital trade over the years (Huang & Madnick, 2020). Consequently, this reduces the resilience of the global digital supply chain. Calls for "cyber norms" to secure and govern cyberspace (e.g., agreeing not to conduct ICT operations intended to disrupt the essential infrastructure of political processes, such as election processes), have become increasingly stronger as concern for regulation rises (Finnemore & Hollis, 2016). It is essential to understand that norms may provide shared understandings between states that allow them to work together on shared interests, while also managing relations where any interests may clash.
Several regional organizations such as the North Atlantic Treaty Organization (NATO), the Association of Southeast Asian Nations (ASEAN), and the European Union (EU) have heeded this call by attempting to push for the formation, implementation, and codification of normative behaviors in cyberspace among their members and their territories (Ang, 2018;Ruhl et al., 2020;Schmitt & Vihul, 2014). Other multi-stakeholder norm processes, such as the United Nations' Group of Governmental Experts (UN GGE) and the Internet Governance Forum ("London Process") have pushed for universal cyber norms for all nations (Finnemore & Hollis, 2016;Ruhl et al., 2020). Other cybersecurity efforts target norm development for a limited range of actors. This can be seen through discourse among major world powers such as China, Russia, and the United States (Finnemore & Hollis, 2016;White House Press Release, 2015). Additionally, some cybersecurity norm efforts have been made within specific interest areas, such as export control and data protection between nations and private sector organizations (Finnemore & Hollis, 2016).
However, given all the discourse and efforts made to develop and implement normative behaviors in cyberspace, the results are not looking fruitful. Some proposed norms (i.e., allowing life and death decisions to be delegated to machines) have failed early on, although a few (i.e., states should participate and cooperate in multilateral forums) have taken on popularity and continue to exist. Because of this inconsistency, it is crucial to develop a systematic and longitudinal view of cyber norms and analyze the differences between those that failed and those which remained consistent over time. Additionally, as many cybersecurity norms development efforts failed over years, some debate whether developing cybersecurity norms is meaningless (Grigsby, 2017;Hurel & Lobato, 2018). This also raises an essential question we intent to investigate regarding global cybersecurity governance: are we making progress in cybersecurity norm development and getting closer to reaching a consensus?
Hence, this project aims to identify possible trends in cyber norms development, focusing on identifying those norms that "worked" (remained consistently in effect) and those which did not. More specifically, by collecting 206 cases related to cyber norm construction since 1997, this study identified 233 cyber norms, and organized them into 25 subject-specific groups and five overarching high-level categories. The analysis demonstrates a three-phase evolution model for cyber norm construction: the international cyber norm activities rose steadily until 2010, and then activities seemed to gain momentum -until the total number of cases peaked in 2016, after which the total number of norms peaked in 2017. The sharp decline in the quantities of both cases and norms alike as the dataset reached 2020 demonstrated an overall lack of maintaining international collaborative efforts.
This three-phase evolution model enables us to further discuss the dynamic focus of cybersecurity norm development, demonstrating that the cyber norm development process is moving consistently toward more activity-oriented and law-oriented subjects. This indicates a progress in the construction of a global cybersecurity governance schema. However, during this process, more practices hindering the resilience of cyberspace and interest conflicts are emerging. Additionally, we are able to distinguish seven evolution patterns for cybersecurity norms. This includes not only those remained consistently in effect or being discarded but also those being able to early-and late-term breakthrough, being struggling, afflicted, or occasionally discussed. It shows that the global community is developing some consensus and building some ground rules for a future global cybersecurity governance schema, although there is still a long way to go.
The rest of this paper is organized as follows. Section 2 will discuss the literature surrounding cybersecurity, ICTs, and normative behaviors within cyberspace. Section 3 contains the methodology of our project. Section 4 will analyze the identified cases and norms to visually demonstrate our findings, leading us to discuss what an ideal cybersecurity environment would look like. Finally, this paper will conclude with insights regarding the data produced, as well as suggestions for future research.

Background and literature review
The normative behaviors within cyberspace, ICTs, and cyber security are fairly new concepts compared to generationally accepted academic and professional pursuits. That being said, relevant literature is slowly increasing due to the growing understanding that these subjects are already at the forefront of international, national, and individual security and will be even more so in the future. As this paper focuses on the global cybersecurity norm development activities, we briefly discuss the concepts from social norm entrepreneurship theory and then apply them to the creation and implementation of cybersecurity norms.

Norm entrepreneurs
Alongside the theoretical frame(s) from where a [social] norm derives (i.e., the "origin"), norms must be introduced and ultimately promoted by one or more entities to remain subjects of discourse. In international relations (IR) theories, these actors are norm entrepreneurs (Finnemore & Sikkink, 1998;Benner, 2015CZina, 2021Iancu, 2019;Kleibrink, 2011;Kurusu, 2018;Lanteigne, 2017;Louw-Vaudran, 2016;Olsen, 2016;Rosales, 2020;Souaré, 2014;Stoeckl, 2015). Sikkink (2017) notes that the term entrepreneur may possess connotations of rationality, so another term that may be used is "norm protagonist." As described by Zwolski and Kaunert (2011), these "norm entrepreneurs" are credited with using various methods of persuasion to convince a population to embrace a specific norm or set of norms. The authors further describe norm entrepreneurs as being vital to a norm's success, stating that new norms are often introduced into a space where they must compete with other new norms, as well as existing ones.
These entrepreneurs may be considered more or less successful depending on the greater region within which they operate. The willingness of some geographic areas to accept or refute certain normative behaviors (as introduced by norm entrepreneurs) may be in part due to local or regional actors surrounding the importance of the norm(s) in question -but as they relate to the local context. In other words, certain types of norms -or their entrepreneurs -may not be successful in a normlocalization until more relevant stakeholders join the discussion(s). Because of this, local and regional actors have a large part to play in norm entrepreneurship -and should not be considered as passive targets as many transnational actors (Acharya, 2004). In regard to cyber norms, of course, this can be difficult -especially in the public-sphere, when local actors come in the form of national governments or specific government entities/agencies, and other regional or transnational actors come in the form of [generally political or very politically motivated] multilateral organizations. Acharya (2011) supplements the theory of norm localization with "norm subsidiarity" and relates this theory to states that are a part of what they refer to as the "third world." Although this specific label is one that could be up for debate -what the author makes clear is that in norm localization, the local actors may be considered as the "norm takers." In norm subsidiarity, local actors may have an elevated importance, and act as either "norm refectors and/or norm makers." This outward-looking concept of subsidiarity is poised neatly in opposition of the inward-looking theory of localization (Acharya, 2011). The author refers to it having stemmed from the local actors' fear of being dominated (e.g., colonization) by larger actors, and that by turning this fear into selfdetermination, smaller more local actors are able to interact on an even-playing-field with more powerful actors (Acharya, 2011). It is important to note, however, that the author states that norm subsidiarity is not solely useful for smaller actors (states) -and that, in fact, it is something that could be utilized by both big and small stakeholders, however, it may be most useful to those actors that come from a generally greater disadvantage when compared to their external counterparts -hence this author's usage of the term "third world." Whether it is socio-economic difficulties or political instability, there are various circumstances that could lead a state (of any size) to utilize subsidiarity in its dealings with more powerful (and generally larger) actors.
In the context of social change, Tankard and Paluck (2016) discuss various entrepreneurial features of norm interventions, such as the role model and the institution. The "role model" feature incorporates individual communication regarding a desired norm. In the context of social change, this may come in the form of a celebrity or politician acting as a spokesperson. An example of this could be seen by the role that Princess Diana had in advocating for the banning of landmines in military conflict(s) (MAG International, 2021). In contrast, the "institution" feature of norm intervention requires a third-party entity (i.e., an "overhead organization") to communicate the desired message in favor of or against the normative behavior in question. An example of this could be hearing a statement that was released directly from a company or government as opposed to hearing individualized statements from various employees. Payne (2001) warns us, however, that norms that do not reflect a genuinely voluntary consensus could be viewed as illegitimate.

Landmark cybersecurity norm entrepreneurs
Following the social norm entrepreneurship theory, we identify the landmark cybersecurity norm entrepreneurs and their activities in developing cyber norms, including the UN GGE, private sector, small states, and regional organizations.
The UN GGE. The most noteworthy international collaboration regarding cyber norms is the UN GGE. The UN GGE has been at the forefront of advocating for globally accepted norms that apply to all states and non-state actors alike. As seen in our case list later, the UN GGE saw little traction during the years 2004-2005 and 2009-2010. The 2012-2013 UN GGE, however, provided a landmark consensus report (Grigsby, 2017). It is important to note that this was the first time that world powers such as Russia, China, the US, India, the UK, France, and Germany agreed that international law (and specifically the UN Charter) is applicable and essential to maintaining peace and stability in cyberspace.
The UN GGE went on to provide another crucial consensus report in 2015, where new norms were endorsed; this time, the intention was given to guiding state cyber activity during peacetime. Such successes at the international level became crucial in spurring cyber norms dialog with external actors such as foreign governments or NGOs. For example, China and the US agreed that neither government would "conduct or knowingly support cyber-enabled theft of intellectual property" (White House Press Release, 2015). This norm was further agreed upon in bilateral and multilateral meetings among China and Australia, Canada, Germany, the UK, as well as by the G20. Agreeing on cyber norms outside of the scope of the UN GGE illustrates not only the willingness of nations to cooperate and collaborate in less internationalized settings but also the strength and inspiration that the UN GGE's productivity demonstrated to the international community. It has been argued, however, that the agreement between the US and China on cyber-enabled theft of intellectual property has not been fully adhered to, and that is simply paved the way for actors to find different and "less noisy" ways of conducting such activities (Burke, 2021).

The private sector
While the initial UN GGE consensus reports seemed to act as a catalyst for the international community's efforts toward safety and security in cyberspace via cyber norm discussions, the recent failures of the UN GGE to provide any such reports may, in turn, lead to non-governmental organizations taking over such leadership roles in international cyber norm discourse. This theory agrees with some existing literature on the future of norm participation, such as Henriksen's (2019) discussions on the future regulation of cyberspace in a non-UN GGE environment. The author states that a shift away from ambitious global cyberspace regulation initiatives is likely to be seen and that any future agreement will likely be between "likeminded" states. This fragmented international normative structure as likely to include a more central role for nonstate actors as these smaller initiatives aim to bring legal clarity to cyberspace and ICT governance. Hurel and Lobato (2018) argue that while state efforts have sought to promote norms of responsible behavior (e.g., "constitutive" norms, as later discussed), private technology companies are also leading cyber norm activities, specifically in the context of cyberspace stability and security. The authors highlight practices such as corporate diplomacy and lobbying as ways for the private sector to be able to interact with international policymakers.
As is seen in our case list, private companies and multi-stakeholder organizations such as Microsoft and the Munich Security Conference have also released their own cyber norm suggestions. Notably, Microsoft President Brad Smith called for a Digital Geneva Convention in 2017, after the company released its norm suggestions in 2014 and 2016 (Grigsby, 2017;Smith, 2017). This demonstration by non-governmental entities, undertaken either independently or in tandem with governments, serves the notion that various international cyber actors were committed to norm discussions. Differing from typical private sector participation, Microsoft not only demonstrates a focus on changing the behavior of states regarding cybersecurity norms but also seeks to stretch its own legitimacy from technical and economic services to international diplomacy within the realm of cybersecurity, cyberspace governance, and cyber norm discussions (Hurel & Lobato, 2018).

Small states
In contrast to the previously discussed literature on norm entrepreneurs in the private sector, Crandall and Allan (2015) focus on the abilities and actions of small states such as Estonia and Singapore as they act as cybersecurity norm entrepreneurs. While Estonia has joined the ranks of cyber norm entrepreneurs, following Tankard and Paluck's (2016) roles of norm intervention (e.g., "role model" vs "institution"), its membership within NATO could be considered as both potentially advantageous and disadvantageous (Crandall & Allan, 2015). On the one hand, the actions taken by a NATO member state could be viewed as being inherently sanctioned by NATO, and therefore protected by the perceived power that comes with the membership of such an organization.
On the other hand, because it is in any particular actor's best interest to promote norms that inherently benefit themselves or their allies, having to answer to a larger/more powerful actor could in fact limit the smaller actor's abilities (Crandall & Allan, 2015). Huang and Madnick (2020) argue that Singapore could lead the world in developing a global standardized cyber code, especially for digital trade, given its current commitment to cyber security as part of its national strategy. Since 2015 Singapore has signed several bilateral cooperation agreements, declarations, and memorandums with different stakeholders, including the US, Canada, the UK, Japan, Germany, Australia, France, and Cisco and Financial Services Information Sharing and Analysis Center (FS-ISAC).
It should go without saying that it is just not up to small states to promote norm entrepreneurship within any specific domain -but it is nonetheless interesting to highlight the effective nature of small states and regional conglomerates (made up of several small-medium states) -and their regional power when compared to larger nations. Mačák (2017) goes so far as to say that this modern era demonstrates the unique opportunity for states [of no particular size] to reclaim their central role in international law-making as it relates to the law of cyber security. Furthermore, the success of states' participation in this process may even be measured on their willingness [and/or ability] to act in specific ways "legislative" ways regarding short, medium, and long-term strategies (Mačák, 2017). This promotes the ideal that the private sector should still be leaning on the public sector's capabilities to drive and steer discussions surrounding normative behaviors in cyberspace.
In addition to this, the legislative processsomething that only most national governments can truly accomplish -is something that is still critical to cyber norm discussions, as the inherent purpose is to agree on norms to the extent that some may be codified into law. This also presents a unique opportunity to the private sector, to continue to facilitate dialog among both private and public sector entities in attempts to foster discussions. This could assist the government and the relevant stakeholders in the long run regarding regulation/governance. The continuing discussions on that phone in the exact language or nature of specific norms that work or do not work can then translate to clearing up questions or confusion surrounding potential laws or regulations that may work or not work with both sectors.

Regional organizations
To promote the development of cyber norms, these small but impactful states intend to motivate the regional organizations, where they are a member of, to become the leaders of cyber norm entrepreneurs. Because of similarities in location, members of such organizations may be more inclined to agree or work together in a productive manner than members of large international organizations. While discussing various challenges and opportunities that regional organizations such as ASEAN may face, Tran Dai and Gomez (2018) emphasize the importance of confidence building and capacity building measures, particularly for multilateral entities. In 2018, ASEAN invited Singapore "to propose a mechanism to enhance [cyber] cooperation among the ASEAN countries." Ultimately, it may not be unreasonable to view the underlying motives of smaller, medium-sized, and larger multilateral entities as the same; they want the best for their members in the long run. In other words, members simply want to keep their homeland safe (Bannelier et al., 2019).
The European Union (EU) is another powerful, and much larger, regional organization that acts as a norm entrepreneur. There are many papers discussing the types of norms promoted by the EU, as well as how successful they have been, including lifelong learning policy (Kleibrink, 2011) and social policy (Bianculli & Hoffmann, 2016). One example of cyber norm development could be seen in the General Data Protection Regulation (GDPR), a piece of codified legislation also adopted by the United Kingdom (UK) (a former member of the EU). 1 While incentive mechanisms for these norms are the benefit of its member-states, the actions taken by the EU may even lead to reform or the adoption of similar data protection principles by countries outside of the union, such as the US, Japan, and and China.

The cybersecurity norm types and its life cycle
As cyberspace is a unique regulatory environment due to cyberspace's technical architecture and its governance structures (i.e., cyberspace's autonomy from sovereign control, the consistent regulatory role of code, and the presence of multi-stakeholder governance), the lessons and procedures from external environments may not apply (Finnemore & Hollis, 2016). There is, however, consistent agreement surrounding the importance of cyber norms. Current projects involving both academics and professionals focus on what specific cyber norms should be. Additionally, Finnemore and Hollis (2016) note that simply talking/agreeing about a norm is not enough, as norms are the outcomes of physical actions and social processes among particular groups of actors. Hence, understanding different cybersecurity norm types and their developing processes are important to the formulation and implementation of successful norms.

Cybersecurity norm types
Formulating cyber norms involves a variety of considerations. One norm may depict actions that should be taken (constitutive norms), whereas another may explicitly constrain behavior (regulative norms) (Finnemore & Hollis, 2016;Finnemore & Sikkink, 1998). These norms differ from codified laws due to their widespread acceptance among typically international actors, as well as their increasingly popular label of "voluntary/nonbinding." Hence, norms could be seen as alternatives to laws, as well as precursory agreements that could be eventually codified into law. Regarding the differences between domestic and international norms, Finnemore and Sikkink (1998) believe that these two types of norms are deeply connected and that many international norms actually began as domestic norms. However, it has become apparent that many internal domestic norms are actually implemented through references to external international norms (Finnemore & Sikkink, 1998). The authors called this the "two-level norm game," and one may be able to relate this to the processes by which the US codifies and upholds its own laws, differentiating individual states' laws from overarching federal law.

Cybersecurity norm life cycle
Apart from previously discussed norm types, existing literature also discusses the life cycle of norms. One widely adopted model is the three-stage process presented by Finnemore and Sikkink (1998). The first stage is the emergence of the proposed norm, when the normative behavior is first theorized and later discussed. The second stage involves the widespread acceptance of the norm by relevant participants/actors as norm cascade when participants follow suit in agreeing and adopting said norm. The third stage of the norm life cycle involves the internalization of the norm where a norm may be considered as "taken for granted." Between the first and second stages of the norm life cycle, there is a phenomenon called a "tipping point," or the threshold of normative change (Finnemore & Sikkink, 1998). The tipping point may be seen as the place in the life cycle where a theorized norm becomes conceptualized (accepted), subsequently leading to the process of internalization (adoption).
Although it is important to focus on each stage of the norm life cycle, as they are all important to the development and proliferation of norms -and their eventual codification into law, it is the beginning of this process (i.e., the first stage) that is the most uncertain. Of course, norms may fail at any point in their life cycle, however, once a norm has been widely accepted and integrated into everyday actions -it may be considered a simple (yet lengthy) formality to codify said norm into law.
This beginning "emergence" stage is where the authors place the most uncertainty -will the public and/or relevant stakeholders consider the norm in question as serious enough to promote or act upon? Sandholtz (2007) states that this first stage is anchored in the normative context of a given time [period] in which the [relevant] actors take decisions that are shaped by previous experiences. Furthermore, this hindsight context serves to inform the relevant stakeholders' understanding of the wider community and its standards for applying [new] rules (Sandholtz, 2007). In other words, the decision to promote an emerging norm to the wider community may be based largely on precedent. If previous norms were not taken kindly to in a community that does not easily accept change (as many communities are), then it is possible that those actors involved in norm proliferation may be dissuaded from spearheading the emergence of new norms. Although this may lead one to consider that norm emergence is a sort of gamble that is based largely on past success and failures, it also points to a recurring theme, that is, the importance of history and specific context. Without an understanding of how a certain community may react to emerging norms, it may be very difficult to work as a norm entrepreneur or as a stakeholder in discussions surrounding normative behaviors -let alone, push an emerging norm to be codified into law.
While turning into a law is considered as a strong indicator for the success of a norm, the relationship between social norms and laws is complex (Etzioni, 2000). It is widely held that strong social norms reduce the burden on law enforcement and that laws supported by social norms are likely to be significantly more enforceable (Etzioni, 2000). For example, it may not make sense to have a law against public intoxication in cyberspace, whereas it is justifiable to have such a standard in the physical world. What further complicates this matter is the extent to which the physical world relies on cyberspace for its operation(s). As technology continues to advance over time, as well as with the increasing number of Internet users due to the globalization and the COVID-19 pandemic, the world's critical infrastructure is becoming more reliant on cyberspace and ICTs. 2 This reliance means that the laws and procedures governing the two have become more intertwined.

Summary
As discussed above, current studies on cybersecurity norms focus on the role models and institutions for different cyber norm entrepreneurs over years. Additionally, while there exist studies on the lifecycle of social norms, there is lack of a clear classification, especially the success and failure for a norm. Such a gap is much more significant for the cyber norm developments. Hence, given the rapid changes of cyberspace governance over these years, the goal of this study is to develop a longitudinal framework to systematically investigate the evolution of cyber norms. Furthermore, rather than considering a norm as success or failure, this study further distinguished the "gray-area" between success and failure from a dynamic aspect, providing more in-depth understandings on the change of cyber norms.

Methodology
The methodology for this project consisted of open-coding research to collect relevant cases, which contained examples of cyber norms. After this collection, each document was reviewed to identify its norms, as well as its stakeholders' attitudes toward the norm(s). This was followed by data analyses to reveal the trend of these norms' developments over time.

Case collection
Cases were identified through navigating material and searching for keywords, such as cyber security, norm, agreement, treaty, dialog, and discourse. This research started with the UN GGE, Carnegie's Cyber Norms Index, and branched out to other cases involving regional organizations, private sector entities, and individual nations. We downloaded the corresponding report for each case, as it will publicly announce the cybersecurity norms the stakeholders proposed or adopted. Not every case had a corresponding full-length report. Some cases were simply web articles written about the agreement/dialog/conference with little to no specifics on what was actually discussed (i.e., reports on China's World Internet Conference), while others were fact-sheet write-ups or official press releases (i.e., Obama/Xi Jinping cyber dialog in the US). If a case was a part of a series (i.e., the annual UN GGE dialogs), then all other related cases were compiled.
It is important to note that several cases contained reports that were written in foreign languages (most notably older reports written in Russian), and these cases were omitted from our set of analyzed cases. Finally, 182 reports from the 206 cases until 2020 were collected. Participation within the total case set included 192 countries and hundreds of national and international private entities. 3

Open coding and code tree structure
This study analyzed the downloaded reports from each case using ATLAS.ti. 4 These documents were read thoroughly for indicators of specific cyber norms being discussed. Identified norms were split into two major categories: "for" and "against," differentiating between constitutive and regulative norms. If one norm regarded the support of a specific normative behavior, it was allocated the "for" pretext. Real examples of this include the UN GGE's 2015 consensus report statement, which said that "States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts." This was subsequently codified as the norm: CYBER ATTACKS for: responding to requests for help in the event of a cyber-attack. In contrast, if one norm was in opposition to one specific kind of behavior, it was allocated the "against" pretext. For example, the Global Commission on the Stability of Cyberspace (GCSC) specified in their 2019 report that "State and non-state actors should not commandeer the general public's ICT resources for use as botnets or for similar purposes." This was then codified as the norm: CYBER ATTACKS against: commandeering the general public's ICT resources for use as botnets or for similar purposes.
One other difference between the various categories was the separation of confidence-building measures (CBM). CBMs is defined as an action that reflects goodwill toward or a willingness to cooperate and work together toward a common goal (Harman, 2016). Furthermore, the typical purpose of CBMs is to decrease and/or mitigate escalations, misunderstandings, fear, and anxiety between two or more parties by emphasizing trust, cooperation, and mitigative diplomacy. An example of norm within our CBM subject-group is: "CONFIDENCE BUILDING for: ensuring the free flow of data while also protecting the integrity of that data and the privacy of individual users." Noting the "for" prefix in this example, this norm type is actually constitutive, and its subject is CBM. Next is an example of a norm with the type "CBM" under a different subject-group (note the "CBM" pretext): "STAKEHOLDER COOPERATION CBM: enhance law enforcement cooperation to reduce incidents that may be misinterpreted as hostile state actions." In addition to norms "for" or "against" a specific cause, norms that demonstrated a "disagreement" were also cataloged during the analysis. Although there were only seven norms identified for this category, these were specifically identified examples of where there was neither a clear support nor opposition for the particular norm. If a norm was placed in this category, it is likely that the cases from where that norm was identified explicitly stated the continuous disagreement surrounding said norm. One example of such disagreement arose in regard to invoking countermeasures in response to cyber-attacks. The norm in question was depicted as such "CYBER ATTACKS disagreement: invoking countermeasures in response to cyber-attacks." This issue became apparent from reading cases in which there were opposing arguments on whether countermeasures should be made in response to cyber-attacks, as well as the degree to which a countermeasure is deemed proportionate as a response.
For example, the 2014/2015 UN GGE report noted that "In their use of ICTs, States must observe, among other principles of international law, State sovereignty, the settlement of disputes by peaceful means, and nonintervention in the international affairs of other States." However, a 2017 joint cybersecurity dialog between the United Kingdom and Australia was significantly more articulate, mutually agreeing upon the "inherent right to self-defense" as derived from Article 51 from the UN Charter pertaining to state's activities in cyberspace. In cases like this, where multiple reports seemingly depict varying opinions on one issue, it is deemed a "disagreement." Aside from the four previously described categories, norms were further categorized by the subject to which they referred to. Some examples of these subject categories include "critical infrastructure," "digital economy," "digital governance," and "international law." Therefore, norms were ordered based on their behavior ("for," "against," "disagree," and "CBM"), as well as on the specific subjects to which they specifically pertained to. As summarized in Table 1, a total of 233 different norms in 25 different subjects were identified throughout this process. Note that some cases produced more than one norm. Cases such as the Singapore Norm Package, Microsoft's International Cybersecurity Norms Booklet, and multiple reports produced by the UN GGE, were large-scale collaborations among a variety of public and private international entities, resulting in lists of norm suggestions.
Finally, these 25 subject-specific groups were further organized into five (5) overarching categories. These five categories are as follows: (1) Responsibilities, focusing on the responsibilities of the different stakeholders within cyberspace; (2) Activities, focusing on the activities the stakeholders do; (3) Cyber Infrastructure, focusing on the aspects incorporated within cyber infrastructure; (4) Basic Principles, involving norms that relate to fundamental principles of cyber security; and (5) Law involving whether the cyber norms can become law and which law schema can be applied.

Three-phase evolution model for the development of cybersecurity norms
The analysis starts with the trends of cyber norms development cases and the norms identified within these cases. Allowing us to view the trend in annual changes, as seen in Figure 1, we are able to see the total breakdown of cases identified for this project.
Interestingly, there was one case identified early back in 1997, which is pre-dated the general use of the Internet. This means the community did notify the importance of cybersecurity norms so far backduring a time and era when cyber security and information technologies were just starting out. The total number of cases rose between 2015 and 2017 due to the outpouring support and structure given by the continuous UN GGE consensus reports. Although the UN GGE was unable to continue reaching a consensus after 2015, it appears that the traction undertaken by international actors and participants seemingly lagged behind this inactivity. Furthermore, global events such as the attacks on September 11, 2001 ("9/11"), the subsequent "War on Terrorism," the global economic crash in 2007/2008, and the intense outcry surrounding climate change may be variables that pushed nation states and international actors alike to continue to work together -ultimately slowing down, however, due to the eventual decline in leadership from flagship organizations such as the UN GGE. While the UN GGE's failure to provide consensus reporting partially result into this obvious decline in overall activity from 2017 onward, the change of presidency of the US and the COVID-19 pandemic are also obstacles for cyber norm development. Similarly, as shown in Figure 1 (b), the total number of norms per year demonstrates a similarly declining trend, confirming that cyber norm discussions have come to a standstill. One can argue that the peak number of norms in 2017 demonstrates the effective nature of the cases identified, even if there were not as many cases in this year as in previous years. However, the decline in the total number of cases from 2017 onward follows suit with the decline in the total number of norms, indicating an overall decline in activity.
To dig deep into cybersecurity norms over the years, we created a heatmap shown in Figure 2, which allowed us to investigate the evolution of

Phase 1: Trial Runs (2005-2012)
Before 2013, norm discussions could be perceived as "trial runs." This may define the first time that a norm was put on the table for discussion, in order to receive feedback from participating actors. This is important because it set the tone for participation in cyber norm discussions for the years to come. The large number of norms identified in 2005 is because of the first consensus report released by the UN GGE. This marked the start of the UN GGE's rise to the forefront of international cyber norm discussions.
Though there were small numbers of many different norms throughout the various groups identified at the beginning, some had a larger presence than others (i.e., "STATE RESPONSIBILITY for: adhering to rules and regulations agreed upon by previously enacted international law/mandates/treaties" which was identified three (3) times in 2005, as was "STAKEHOLDER COOPERATION for: coordinate/cooperate in preserving multistakeholder internet governance" and "STAKEHOLDER COOPERATION CBM: states should participate and cooperate in multilateral forums"). The generic nature of these norms strengthens the assumption that they were intended to "lay the foundation" for future norm discussions on these subjects. Similar "breakthrough" norms appear within norm groups such as Human Rights, CBMs, Capacity Building, and United Nations. These breakthrough norms, coupled with the identification of many other norms once or twice between 2005 and 2012 can be viewed as the build up for a breakthrough in norm discussion and implementation.

Phase 2: Booming (2013-2016)
Starting in 2013/2014, norm discussions reached an all-time high. Seeming to rely on positive feedback from the earlier years' "breakthrough" norms, the global discussion on cyber norms began to impact more specific subjects. What started out as acknowledging that nation states have the responsibility to adhere to the rules and regulations agreed upon by previously enacted international laws/treaties leads into discussion what actions a state may or may not be held responsible for (i.e., "STATE RESPONSIBILITY & SOVEREIGNTY against: conducting or supporting ICT-enabled theft of intellectual property, trade secrets, or other confidential business info"). More specially, the large presence of discussions surrounding and/or inherently representing norms specific to information exchanges themselves such as the norm labeled "INFORMATION EXCHANGE for: transnational/international cooperation and exchange of information." For some of these subjects, the lack of activity is due to the inherent nature of the topic at hand. For example, many actors/participants may not be as focused on subjects such as EMERGENCY RESPONSE or ARTIFICIAL INTELLIGENCE if they are having a difficult time simply implementing CONFIDENCE BUILDING MEASURES and CAPACITY BUILDING MEASURES within their cyber infrastructure. Similarly, concepts such as DIGITAL ECONOMIES and EMERGENCY RESPONSE could be described as "up and coming" subjects, and were not entirely relevant to actors still grappling with basic safety and security mechanisms in cyberspace.

Phase 3: Decline (2017-2020)
The start of phase 3 (2017) displays the peak number of cyber norms and then the total number of cases and norms drop drastically in 2018. The last two years of phase 3, 2019 and 2020, show a continuance in the post-peak decline, inferring a future of cyber norms that lacks international collaboration, with no flagship initiative at its forefront.
The vast majority of norms experienced little to no activity (despite the occasional outlier, as discussed below) since 2018 can be viewed as an indirect result of the lack of consensus reports published by the UN GGE. This trickle-down effect led to many participants in norm discussions to withdraw their efforts, and as cases declined, so did the activities surrounding norms.
Any norms that were identified during the year 2020 can be considered as the hope or seed for the future cybersecurity norm development. Due to the fact that the number of cases and norms identified in this year dropped so dramatically that even one (1) norm that was identified may be considered an outlier. Norms that persisted through the near-absolute declination of activity included but were not limited to "STAKEHOLDER COOPERATION for: encourage participation of other stakeholders such as the private sector, academia, and civil society orgs (as appropriate) for CBM and/or norm creation and implementation," "STAKEHOLDER COOPERATION for: conduct joint cybersecurity and/or related law enforcement exercises between nation states," "STAKEHOLDER COOPERATION CBM: it is important for other stakeholders such as regional and sub-regional bodies/entities be used to create, promote, and implement CBMs," and "INFORMATION EXCHANGE for: sharing of good/best practices in relation to ICTs and cybersecurity." Although the drastic decline in activity surrounding cyber norms going into and during the year 2020 may seem devastating, one must also remember two underlying issues: the following of the UN GGE's non-consensus by relevant actors in norm discussions, and the COVID-19 global pandemic. With these two factors in mind, the data depicted in 2020 could actually be considered expected, as the majority of the world was under lockdown.
That being said, 2020 also represents the trough of the steady decline of activity seen in surrounding norms, which originally started in 2016/2017 -hence why any norms that were identified during this year may be considered as important as the original "breakthrough" norms that spurred discussions and activity. The norms that persisted into 2020 may in fact relate to these "breakthrough" norms as they may also be similarly generic in nature.
Finding #1: There exist three phases for global cyber norm development including trail runs until 2012, booming between 2013 and 2016, but drastically declining since 2017, highlighting the critical role of the flagship initiative, the UN GGE.

The inequality of stakeholder participation for cyber norm development
The maps of the world depicted below, as shown in Figure 3, demonstrate the participation of various countries in the cases that were identified in this project.
The most active country was the US, which participated in 88 cases. Following was China with 58 cases, and then India and Russia -each having participated in 40 cases. The differences in colors represent the levels to which a country participated in the cases within our dataset. For example, countries with darker colors, such as the United States, China, Russia, and India, all had higher levels of participation than countries with lighter shading. It is important to note the different types of states which this project review. The majority of the countries participated in the reports published by the UN GGE, due to the nature of the international community's involvement in the UN. Other multilateral organizations, which produced cases in this report, include regional and trans-regional entities such as the European Union (EU), the North Atlantic Treaty Organization (NATO), the Association of Southeast Asian Nations (ASEAN), the African Union (AU), the Shanghai Cooperation Organization (SCO), the Organization for Security and Co-operation in Europe (OSCE), the Group of Seven (G7), the Organization of American States (OAS), the Group of 20 (G20), BRICS, and the Munich Security Conference (MSC). Aside from these organizations, this project includes a variety of reports produced by bilateral and multilateral discussions between governments throughout the world.
The decline seen in the number of country participants per case as well as the total number of cases per year is relevant because the UN GGE discontinued their consensus report publishing in 2015. Since its inception in 2004, the UN GGE has been one of the most prominent and influential organizations in cyber norms and has acted as a catalyst for the global emphasis on normative behaviors in cyberspace. Because of the UN GGE's importance within the international discourse surrounding cyber norms, one can speculate that separate actors and organizations began to follow the same trajectory in participation and action. Because of this, the trend of participation may also be reflected in the total number of cases per year. Figure 2 demonstrates those countries that are actively interested and engaging in the discussions surrounding normative behaviors in cyberspace. This, in turn, demonstrates international cooperation, exchanges of information and best practices, and the importance of a globalized effort toward creating more safe and secure cyberspace.
One of the most striking observations in Figure 3 is the drop in participation from many countries in the Middle East/North African (MENA) region, as well as from the majority of the rest of the African countries. Although this paper may not be equipped to answer why this specific regional decline in participation occurred, this decline may demonstrate the underlying inequality in development and growth regarding cyberspace and the use of ICTs. As the continued advancements in technology and cyber infrastructure may be considered to be the future of global society, such lack of participation subsequently leaves very large populations out of any large-scale future growth. Additionally, it appears that many of the countries lost in phase 3 were solely "propped" up by the efforts of the UN GGE, as the UN may be considered to be one of the most representative international organizations. If the UN GGE failed, then many countries that solely relied on such inclusivity came to find themselves with little to no other alternative for continuing cyber norm discourse. One could surmise that many of these countries may not have the individual power or technological capabilities to work individually on cyber norms and infrastructure, therefore, regional initiatives have become even more important than they were before the continued failure of the UN GGE.
Finding #2: While the participants in cyber norm development are worldwide, there exists an inequality that many countries rely on the UN to participate in global cyber norm development. Without other options, calling for more regional cyber initiatives, while a select few powerful  Responsibilities  58  35  2  3  18  Activities  66  44  11  2  9  Cyber Infrastructure  71  32  5  0  34  Basic Principles  31  25  1  0  5  Law  7  3  1  2  1  Total  233  139  20  7  67 countries are leading the cyber norm development process could help shape the future cyberspace governance.

The focus dynamics of cybersecurity norm development
As previously discussed, the 233 norms identified by this study were organized into five high-level categories for organizational purposes. As shown in Table 2, the largest category is "Cyber Infrastructure," and the smallest is "Law." Generally, cyber norm developments are focusing on achieving a consensus on the cybersecurity responsibility for different stakeholders and their activities within the infrastructure of cyberspace, while some norms set the basic principles and very few are relative to the law in the data we collected. This is consistent with the fact that the global cyber governance system is still in its infancy and few developments can connect to law. The right side of Table 2 outlines an in-depth picture of the types of norms within each of the five high-level categories. Considering norms with the pretext "for" and "against" are constitutive and regulative norms respectively, it is logical that either of these categories would frequently be the largest in population size within a given high-level category. "CBM" norms would be considered the next most frequently seen norm type (albeit, with one exception, as seen in the cyber infrastructure category, where more CBM norms were identified than both constitutive and regulative norms). The quantity of CBM norms in the dataset should not deter from their importance, however, as these norm types are essential for strengthening cyberspace as a whole, along with the relationships of relevant stakeholders.
One interesting take away from Table 2 is the lack of "disagreement" norms under the high-level category "Basic Principles." This may suggest that throughout norm discussions in the dataset, there may have been little individual grievances among participating stakeholders as to the nature of the principles that bind all relevant actors in cyberspace. Norm subjects under the "Basic Principles" high-level category include but are not limited to human rights, cyberspace stability, digital equality, and access.
To understand the change of focus during the cyber norm development process, we further consider the percentage of norm types within the highlevel categories in each phase of the timeline. From Figure 4(a), we can see a straightforward pattern that the percentage of norms within the category "Responsibilities" is decreasing, while the same percentage for activities is increasing. This means that the discussion is moving from clarifying the responsibilities of different stakeholders to more detailed activities. Additionally, the percentage of norms in "Cyber Infrastructure" and "Law" in phase 3 is just slightly lower than the phase 2% but still higher than phase 1. This means that cyber norm developments are moving in the right direction.
Consistent developments in the realm of cyber norms have surrounded nations' critical infrastructures, and the normative behaviors that should be observed in regard to these infrastructures, as well as those behaviors that should be observed when dealing with other aspects of cyber security and cyberspace. Since these two categories are on an overall upward trend from Phase 1 to Phase 3 (1997-2020), we surmised that these are important topics of discussion amongst global leaders and therefore have the potential to be subjects where agreement(s) can be made, and safety can be procured for relevant stakeholders. Therefore, although the cyber norm development activities are declining in phase 3, we can observe that such efforts are still moving forward for more details and are law-oriented.
On the other hand, in Figure 4(b), we can see that most of the cyber norm developments are constitutive in nature (e.g., their labeled type is "For"). However, it is clear that there is an increasing trend for regulative ("Against") and "Disagreement" norm types. This may be because there were more practices identified that could harm the resilience of cyberspace over these years. Such practices include cyber-attacks, notably using malware or ransomware against governments or the private sector. For example, US business travel management firm CWT was impacted by a ransomware attack through the use of the "Ragner Locker" program (Dossett, 2021). CWT paid the hackers approximately $4.5 million USD to regain control of their systems and information.
Additionally, observing the increase of "disagreement" norms indicates the growing conflicts of interest among different stakeholders in cyberspace. An example of such tensions can be easily seen between the United States and China. Specific issues of concern such as surrendering intellectual property to the Chinese government by US companies wishing to operate in the country frequently remain the topic of US-China cyber relation discourse (Levite & Jinghua, 2019). The good news is that, as shown in Table 2, such disagreement is not about the basic principles or the infrastructure of cyberspace but are in fact more oriented toward practicality.
Finding #3: The cyber norm development process is moving consistently toward more activity-oriented and law-oriented subjects, revealing progress in the construction of a global cybersecurity governance schema. However, during this process, more practices hindering the resilience of cyberspace and interest conflicts are emerging.

The patterns of success (and failure) for cyber norms
Based on the three phases we identify above, for each cyber norm, we surmised seven possible patterns involving the presence or lack thereof in activity over years. Patterns #1-4 could be considered "successful" norms for the sake of this project, while #5-7 would be considered not successful (or "failed"), due to not being present at the end of the timeline. More specifically, pattern #1 ("Successful") describes the most successful norms, of which there was only one identified in the total dataset: "HUMAN RIGHTS for: respecting human rights and fundamental freedoms; applying them to cyberspace/ICT use, etc." Although this norm may be vague in nature, it is important that numerous cases and participants noted such a concept as important to the basic principles of cyber security, cyberspace, and the use of ICTs. Furthermore, this norm's success provides a potential framework for future norm discussions (and possible agreements), by setting a "base" where most stakeholders can agree on something and from where these stakeholders may be able to stage and align future discourse on cyber norms. Patterns #2 ("Early Breakthrough") and #3 ("Late-Term Breakthrough") describe what could be considered "breakthrough norms," as these norms were introduced later in the timeline. Ultimately, there are many reasons as to why Early Breakthrough and Late-Term Breakthrough norms could have appeared. For instance, it is possible that the stakeholders responsible for these norms were waiting for other preconditions (such as other more basic norms) to be met before more complex norms were introduced. For example, norms within the "LAW" category were more frequently seen in discussions within phases 2 and 3 of the dataset. In fact, there were even several identified cases of "LAW" norms being discussed in phase 1, with no continuity seen until the later two phases. One could argue that the relevant stakeholders put discussions on cyber norms as they related to law and legality to the side during points where discussions were still being held on the core values of cyberspace (i.e., "HUMAN RIGHTS," "CONFIDENCE BUILDING MEASURES," and "DIGITAL EQUALITY").
Pattern #4 ("Struggling") describes norms that appear to be struggling to maintain their importance. However, these norms can prove to be critical as the global cyber norm development community re-identifies their importance. For example, norms related to "EDUCATION" have been sporadically seen throughout the dataset. Although today sees both broad and technical depths of cyber education being more widely accepted than they were in the early 2000's, there are still questions surrounding the need for universal standards, and more specifically, how any such standard would be met by the relevant public and private entities. Although norms that fit this pattern "Struggling" may not catch much traction throughout the dataset, their presence or lack thereof still serves as soft indicators for the direction(s) that cyber norm discussions may (or may not) be heading.
Pattern #5 ("Afflicted") is considered the more interesting of the patterns for failed norms because it describes norms that appeared to be successful throughout the timeline but then abruptly disappeared in the latest stage. One reason for such an abrupt disappearance could be due to the overall decline of the total number of cyber norm cases, but it could also be because these norms were put aside or discarded for more important norms. For example, the heatmap depicts number norms within the high-level categories of "RESPONSIBILITIES" and "ACTIVITIES" which fall into this pattern "Afflicted" by being present for the majority of the dataset, only to abruptly disappear in Phase 3. The number of norms for this pattern within the category "CYBER INFRASTRUCTURE" and "BASIC PRINCIPLES" was generally lower throughout Phase 3 and into 2020, which may indicate a preference to resort to stronger corevalues related to cyberspace and cyber security during times of uncertainty.
Pattern #6 ("Occasional") describes those that appear in the booming stages but are not in focus during the decline stage. As shown in Table 3, the majority (62.23%) of cyber norms we identify belong to this category. One reason that these norms may fit this pattern is that they are not "mature" and did not play fundamental roles in the global cyber governance schema. For example, norms within the category "NON-STATE RESPONSIBILITY" may not be viewed as particularly critical to the international community, when disagreement continues over "STATE RESPONSIBILITY" in cyberspace. Other similar discrepancies could be seen when comparing the trajectory of norms directed at the "PRIVATE SECTOR," in contrast to those intended for the "UNITED NATIONS." Pattern #7 ("Discard") refers to those norms that were no longer identified after 2013 and were considered to be failed norms, as they did not harness enough interest/discussion to continue. Many of the norms seen in this section could be found across all categories within the dataset. Some notable examples include norms within the categories of "INTERNATIONAL LAW" and "DOMESTIC LAW." Although the rapid decline of norms related to governance may seem concerning, it would be premature to believe that all discussions surrounding the safety, security, and stability of cyberspace halted. As the heatmap and dataset show, the various norm lifecycle patterns may very well provide an inside look into the various importance placed on particular norm subjects. For example, norms relating to core values (e.g., "HUMAN RIGHTS") and best practices (e.g., "INFORMATION EXCHANGE AND TRANSPARENCY") continued through Phase 3.
Finding #4: There exist seven evolution patterns for the development of the global cyber norms. While most norms are occasionally discussed or discarded, the community is able to create successful, breakthrough, and struggling norms, which can set the ground rules for future global cybersecurity governance.

A desirable future environment for cybersecurity norm development
A desirable future environment for cybersecurity norm development would consist of continuing discourse surrounding normative behaviors in cyberspace in order to produce norms that appear very similar to what is designated as "successful" in this paper. This environment of cooperation would include participants that consistently formulate and deliberate about new cyber norms, as well as work toward improving-upon existing cyber norms. Individual cyber norms should remain in discussion until they reach a state in which all relevant parties agree on their adoption. It is important that the process of formulation, discussion, and eventual adoption be maintained in peaceful and nonpartisan environments, with multi-stakeholder cooperation and collaboration. The norms that are discussed should also be peaceful in nature; either constitutive in promoting peaceful practices in cyberspace and the use of ICTs or regulative against combative or antagonistic actions related to cyberspace and the use of ICTs.
This desirable future environment for cybersecurity norm development would not solely focus on participating in the cyber-norm life cycle but would also focus on upholding and improving upon these norms. As is the case with many other fields, cyber security is continuously evolving. Additionally, technological advancements and the wider arena of international politics are equally dynamic. Because of this, it is important that the entities participating in norm formulation, discussion, and adoption are also mindful of holding others, as well as themselves, responsible for acting in accordance with these norms. In addition, these relevant stakeholders and participants must acknowledge the need for flexibility for their colleagues. The changing landscape will also present opportunities for these actors to review and improve upon previously adopted norms in a collaborative effort.

Conclusion
This project compiled a total of 206 cases for the years 1997-2020, with 146 participating countries and 233 identified cyber norms. Importance was placed on the changes in norm activity over time, with specific intent to determine which norms "successful" (remained consistent"), and which did not. The data and analyses from this project led us to conclude that a desirable future would encompass large levels of participation by public and private sector actors, alongside international organizations. The data shown depicts patterns from the years 1997 to 2020, revealing a threephase evolution model with seven different patterns for the global cybersecurity norm development.
More specifically, the boom in international activity and participation surrounding cyber norms throughout phase #1 (2005-2012) and #2 (2013-2016) may be attributed to an overall high in international cooperation and participation. These high levels of activity may be due to the overwhelming boom in international cooperation that culminated in the aftermath of several global events including but not limited to the "War on Terror," the 2007/2008 Global Economic Crash, and the rise in cooperation against Global Climate Change. The continued consensus reporting by the UN GGE may have acted as a catalyst for this cooperation, spearheading information exchanges, the flow of ideas, and multi-stakeholder governance. However, the decline in activity post-2017 may be attributed to the lack of consensus reporting by the UN GGE, which eventually affected an overall decline in international participation.
Importantly, while the number of cases, norms, and participations show a consistent three-phase evolution model, the analysis of the norms' focuses and patterns reveals that the cyber norm development process is moving consistently toward more activityoriented and law-oriented subjects, revealing progress in the construction of a global cybersecurity governance schema. While many norms are occasionally discussed or discarded, the community can create cybersecurity norms that can play the ground rules for future global cybersecurity governance schema.
Therefore, from the data and analysis of this project, our strongest suggestion is for an international organization to regain control of the "wheel" driving cyber norm entrepreneurship, discourse, and implementation. This organization would be pushing cyber-related agendas surrounding transnational information sharing, capacity building, education, and opening the floor for conversations regarding cyberwarfare and the role of a state in regard to cyber-attacks perpetrated by non-state actors. This occupation was held by the UN GGE until its failure and may be the key to driving the future of normative behaviors in cyberspace. If large organizations such as the UN are unable to effectively operate among its large membership, then it is recommended to work toward cooperation among the many regional organizations that already exist, to streamline productivity across borders. When moving forward for cybersecurity norm developments, those norms with a struggling or affiliated pattern can be a good start for the community to reach agreements.
It is important to note that even a successful norm emergence, promotion, and adoption (and even the subsequent codification into law) does not protect a norm from future failure or erosion. Of course, laws may be repealed, or even broken -and this is the same with norms (although it could be argued that generally breaking a law has more serious institutional consequences than breaking a largely agreed-upon norm). One could even go as far as to say that the simple contestation of emerging or affected norms could prove dangerous for the longevity of their life-cycle. Deitelhoff and Zimmermann (2018) discuss a variety of norms that were contested to the point that they lost their legitimacy in the greater international community -and have even seen a reemergence of the actions that specifically went against said norm(s). For example, the use of mercenaries within a nation's armed forces has largely been an indicator of reckless leadership (or at the very least, unethical and possibly indicative of desperation). It could be argued that recent years have shown the reemergence of mercenary groups being used by state actors to either provide plausible deniability for specific actions or act as a supplementary force to a nation already demoralized or dysfunctional military.
The authors reference the norm against utilizing mercenaries as a "dead" norm, whereas other norms such as the generally agreed upon norm against the use of torture are eroding. This could be through the broader international communities' unwillingness to denounce or act against actors that employ torture -or it could be that the international community is becoming more willing to accept certain circumstances where torture may be useful. Regardless of which is the reason (or if there are others that are not mentioned here) -what is clear is that norms may erode if they are frequently or forcibly contested by a group of stakeholders (of varying power and influence) or by at least several key actors that may have stronger individual influences than others.
One of the most significant limitations of this study was that we were unable to collect every cybersecurity case for the given timeline, as there are most likely more than 182 reports regarding cybersecurity norms during the years 1997-2020. Additional research regarding the basic trend for the change in norms per each high-level norm category would be useful to further discuss the findings in this study. Furthermore, while some norms succeeded and pushed past the last year in our timeline, others failed. A future study looking into why each of these norms succeeded and failed may also be useful in confirming patterns outlined in this study or predicting/demonstrating new patterns in the future. Last but not least, we acknowledge that cybersecurity norms alone by themselves do not mean being adopted. Hence, additional explorations on the potential enforcement mechanisms, such as law, regulation, and standard to increase the efficiency of developed norms would be valuable.
Developing the cybersecurity norm is the first step and may be also the easiest step for effective cyberspace governance. This study demonstrates its challenging and swing for the last two decades. However, in due time, hope remains strong for the global community to take ahead of the existing success regarding cyber norms to continue to promote a safe, secure, and accessible cyberspace.

Notes
1. For a more in-depth discussion on the GDPR and its implications, see Marotta, A, and Madnick, S. 2021. "A Framework for Investigating GDPR Compliance Through the Lens of Security." Springer Nature Switzerland. pp. 16-31. Available at https://link. springer.com/chapter/10.1007/978-3-030-83164-6_2. 2. An example of critical infrastructure's reliance on cyberspace technologies has most recently been seen in the field of healthcare. Hospitals are reliant on electrical power grids to use many pieces of advanced medical equipment. If these grids are turned off by a nefarious actor through a cyber-attack, the result could be catastrophic to the hospital's patients, some of whom are kept alive through the use of electrical equipment (e.g., ventilators). 3. Our data are collected on early 2021 so that the data after that was not included. There are 15 cases in 2020, listed by Carnegie Cyber Norm Index while only 4 are searchable. And there are about 200 countries in the world, see https://www.geographyrealm.com/howmany-countries-are-there/. Please check Appendix B for more details on the collected cases. 4. Please check Appendix A for the example on the coding process using Atlas.TI. 5. In Appendix C, we provided the breakdown of the number of times each norm was identified throughout the timeline, which enables us to create the heatmap.

Disclosure statement
No potential conflict of interest was reported by the authors.