Great power narratives on the challenges of cyber norm building

Abstract States, companies and civil society actors broadly agree that ICT misuse needs to be prevented through effective international policies and regulatory efforts. However, corresponding norm-building processes have been repeatedly characterized by setbacks and controversies regarding interpretations. Whenever such a situation has arisen, state representatives quickly engaged in intense storytelling, accusing their counterparts of seeking to impose “the law of the jungle” or of following hidden policy agendas at the UN. This paper focusses on the stories state representatives use to explain the international community’s recurrent failures, such as arms races, crisis escalations or destructive criminal acts. Using narrative concepts and methods, the analysis explores the dynamics of this emerging transnational public diplomacy, focusing on Russia and the United States in particular. Beyond comparing main structural elements of each narrative, the goal is to elucidate legitimization strategies and dilemmas, resulting in several policy implications. For example, United States representatives and allies need to make specific and concise references to UN cyber norms during public attributions, lest they could play into the hands of a counter-narrative of Western domination and hypocrisy.


Introduction
This paper focusses on the stories through which state representatives address an international audience to explain the recurrent failures of the international community to secure cyberspace. 1 Using narrative concepts and methods, it seeks to explore the dynamics of this emerging transnational public diplomacy, focusing on the accounts of the United States and Russia. Furthermore, the analysis will touch on inconsistencies and legitimization dilemmas that arise from internarrativity, i.e. the interlinkages between narrative discourses at different levels, for example international versus domestic. The paper therefore contributes to our understanding of legitimacy issues within international cybersecurity policy and raises awareness of major communication challenges within cyber diplomacy.
The analysis proceeds in four parts. First, it briefly introduces the emergence of a new public diplomacy of international cybersecurity. The second part explains the concept of narrative analysis. The following empirical section summarizes key propositions within international cybersecurity narratives of the United States and Russia respectively. In the fourth part, the paper conceptualizes and illustrates three types of internarrativity-related inconsistencies and legitimization risks. Finally, the conclusion foregrounds important policy implications of key findings.

The new public diplomacy of cybersecurity
In 2021, cyber diplomacy was in the spotlight as never before: Interested observers around the world could witness the first ever public UN Security Council meeting on cybersecurity, US President Biden's warning of a "real shooting war with a great power" as the result of a major subsequent cyber breach (The White House 2021a) or Russian President Vladimir Putin defending his country's cyber posture and diplomacy in an exclusive interview on NBC (NBC News 2021).
This paper aims to explore the new public diplomacy on cybersecurity by using the concepts and tools of narrative analysis, a burgeoning area within foreign policy analysis and, to some lesser degree, also within International Relations (see Oppermann and Spencer 2018;Krebs 2015aKrebs , 2015bRoselle, Miskimmon, and O'Loughlin 2014). Narratives, in a nutshell, "ascribe meaning by addressing what is happening, how, where, when and why it is happening and who the protagonists are" (Hagstr€ om and Karl 2019, 390). The political significance of narratives is visible in multiple contexts. One is within public legitimization efforts, where dominant stories privilege a range of policies while delegitimising even the mere articulation of others (Krebs 2015b, 813). Narratives are also key elements within evaluations of past policy choices, as for example through the construction of foreign policy fiascos (Oppermann and Spencer 2018).
The following study on the role of narratives within international cyber diplomacy for the first time identifies and explores some of the most important narratives in the field. It starts from the assumption that cybersecurity narratives cannot be developed in a political vacuum. Thus, challenges arise from the need to align with or compete against other narratives, as well as from trying to balance the diverging expectations of international and domestic audiences. Analytically, these challenges are all related to instances of "internarrativity" (Hagstr€ om and Karl 2019, 393), i.e. the way in which narratives intersect and affect each other at different levels.
More specifically, three types of internarrativity can potentially create legitimization challenges from the perspective of political decision-makers: First, international and domestic narratives intersect on certain issues. Second, policy narratives need to be aligned with "master narratives" (Hagstr€ om and Karl 2019, 388) or "strategic narratives" (Roselle, Miskimmon, and O'Loughlin 2014), lest they might weaken a country's grand strategy at the international level. Finally, narratives can provoke, or even unintentionally support, counter-narratives within situations of ongoing regulatory competition.

Concepts, methods and data sources
Research on narratives distinguishes between different components (Oppermann and Spencer 2018, 272-276;Krebs 2015b, 12-13). The first, setting, denotes the stage or environment of an unfolding story. It is based on a range of assumptions (Roselle, Miskimmon, and O'Loughlin 2014, 75), including the salience of threats, the stakes involved, and the availability of viable policy options. The second element is the designation and characterization of protagonists or agents (Oppermann andSpencer 2018, 275, Roselle, Miskimmon, andO'Loughlin 2014, 75). All things being equal, it is easier to assign blame for undesirable international policy outcomes if the actors involved appear arrogant, incompetent or dishonest while striving for personal profits or gains within domestic politics rather than for legitimate foreign policy goals (Oppermann and Spencer 2018, 275). Finally, emplotment establishes "a link between the actions or non-actions of agents and the policies or consequences that are described as (un-)desirable" (Oppermann and Spencer 2018, 276). Thus, narrative blaming essentially requires the finger to be pointed at a capable actor, who due to some non-legitimate reason (characterization) intentionally sets a harmful chain of events (emplotment) in motion, despite demonstrably less harmful alternatives (setting) being available.
The following empirical analysis is limited to English language public statements of decision-makers of the United States and Russia. This is not to dismiss the significant influence of other states, including many in the Global South, on international cybersecurity discourses and cyber norm-building in particular. However, the primary research aim is identifying and exploring legitimization strategies and dilemmas, not explaining the outcome of UN norm building processes. Therefore, the public salience of diplomatic statements, and not their impact on negotiations per se is the key selection criteria. Since rhetorical interactions between the US and Russia arguably receive more global attention than most other bilateral exchanges (with the exception of the US-China dyad perhaps), the selection of these two countries constitutes a most-likely case design for identifying dilemmas of legitimization.
Data collection begins in 2017, the year of the failure of the fifth UN Group of Governmental Experts. The websites of the respective embassies of the two countries at the United Nations were systematically scanned via the search function for contributions on the topic of cybersecurity. Also, a number of high-profile events such as the UN Security Council meeting on cybersecurity in June 2021 have been specifically included in the sourcebook. The rationale, again, was to focus on statements with maximum global public salience. Finally, the data collection included domestic statements by both senior US and Russian decision-makers to control for the effects of different audiences, and to explore legitimization dilemmas that arise from differences between domestic and international narratives. In the US case, the sample includes a diverse set of media outlets. In the case of Russia, the data collection has been primarily focused on the websites of the two leading newspapers of the country, Izvestia and Kommersant. 4. The failure to stabilize cyberspacegreat power narratives The next two sections complement each other: The first systematically explores the content of Russian and US cyber diplomacy narratives, while the second points out inconsistencies and legitimacy challenges arising from internarrativity.

Russia
According to the Russian narrative, the international community is at the brink of perpetual cyberwar, with the "the information arms race [ … ] gaining momentum" (Ministry of Foreign Affairs of the Russian Federation 2017) 2 and the world facing an "existential" choice "between global cyber peace and cyberwarfare" (PMRFUN 2020a). Moreover, all UN member states "are equally vulnerable [ … ] and feel an urgent need to come out with a global response" (PMRFUN 2020a). There is thus a clear mandate to create a "specialized international legal instrument" (United Nations Office of Disarmament Affairs (UNODA) 2020c) since the existing rules and laws, Russia suggests, have proven insufficient in preventing cyberwarfare, constituting a "de facto 'legal vacuum'" (United Nations Office of Disarmament Affairs (UNODA) 2020a).
Within the Russian narrative, a new global system furthermore needs to accommodate "the interests of all states regardless of their capacities" (PMRFUN 2020a). Universal participation in the drafting of new rules is key in this regard, which is why any delegation of this task to "a narrow and 'elitist' expert platform" (Statement of Russian Delegation to OEWG, see UNODA 2020a) must be avoided.
Taken together, the Russian narrative emphasizes that there is a path to effective and universal regulations. At the same time, it claims that any progress was shortly undermined by Russia's adversaries. Thus, the United States and their partners are labeled as "an 'elite' minority" or "small group" that seeks to usurp a legitimate global agenda (PMRFUN 2020a; Vladimir Shin, Russian Ministry of Foreign Affairs (UNODA) 2021d). Even worse, their ultimate desire appears to eventually "discredit the role of the UN" itself and to de facto replace it with "more 'comfortable' regional platforms," such as NATO (PMRFUN 2017).
Attributes of egoism and aggression are coupled with allegations of deceptive and dishonest behavior within the Russian narrative, since whatever policy suggestions Western countries make, it is "only to serve their own interests" (PMRFUN 2017). Thus, past agreements are twisted (PMRFUN 2021a) and "certain norms within international law" are tailored "to make it possible to use force in the digital field (The MFA RF 2017) or to justify "unilateral pressure and sanctions on other Member States" (PMRFUN 2020a). Essentially it is the attempt of some states to "impose their 'own rules of the game' in information space from the position of force" (PMRFUN 2021b). Not all of this follows from a rational reflection on national interests, as illustrated by Vladimir Shin with regard to Western opposition to a new OEWG mandate: The reason for such an attitude is the fact that it was a Russian initiative. I understand that there are some countries strongly opposing anything that contains the word "Russia." But is it an objective approach or is it a perception that is politically and ideologically biased? (UNODA 2021d) Finally, Western opposition to Russian initiatives is also occasionally explained as the result of domestic political troubles particularly within the United States. Thus, President Putin argued that accusations of government-backed hacking came from those who wish to "provoke new conflicts before our meeting with Biden" (quoted in BBC 2021). Later, in his NBC interview, he expressed his hope that with the Biden administration progress would finally be possible and that "the domestic political situation-in the U.S. will not prevent this from happening" (quoted in NBC News 2021).
Western countries are therefore portrayed in an unambiguously negative way, mostly as being selfish and deceitful, yet occasionally also as being ignorant or weak. In contrast, Russia itself appears as an honest consensus broker, following the conviction that "lives matter more than political dividends" (PMRFUN 2020a) and that "under no circumstances should the information space become another battlefield" (PMRFUN 2017). Therefore, Russia advocated for the necessity of conflict prevention and "the principles of the non-use of force, respect for state sovereignty" and "noninterference in internal affairs of other states" (The MFA RF 2017). As a norm entrepreneur, it was Russia who first "raised the issue [ … ] in the United Nations," with a draft resolution in 1998 (PMRFUN 2017a). In the early 2000s, it was again Russia who, according to the Russian narrative, initiated the GGE process and then, after the format was no longer inclusive enough, who launched the more open and democratic negotiation process within the OEWG in 2019 (PMRFUN 2021a).
Finally, the Russian narrative presents a plot where there is a clear chain of causality from the behavior and intentions of the United States and Western allies to the ineffectiveness of the global framework for stabilizing cyberspace. Thus, by promoting unilateral interpretations, the United States and like-minded partners seek to "revise the results of discussion held at specialized UNGA platforms" (PMRFUN 2021b) and thus risks to undermine already existing achievements and understandings, for example those enshrined in the UN GGE 2015 report, "a hard-won consensus and fragile consensus formula which should not be broken" (PMRFUN 2020a).
A similar story unfolded with the UN GGE and UN OEWG 2021 consensus reports that presented "a thoughtfully calibrated and well-balanced package of arrangements," reflecting difficult negotiations in both groups (PMRFUN 2021a). Yet to the detriment of international stability, "Western colleagues try to pick separate, the most convenient provisions, and [ … ] present their national views as a global consensus" (PMRFUN 2021b). Already during deliberations within the OEWG, Russia also complained about an excessive focus on implementing existing norms, while preventing the inclusion of new ones, for example through the idea of a Programme for Action (PoA), which was "'planted' by a group of States led by France" (Delegation of Russia to the OEWG, see UNODA 2021).
Whether in 2017 or in 2021, it is thus Western proposals who, by distracting from the real issues and by focusing the discussion on controversial concepts, "push the international information space closer to unpredictable and undesirable scenarios" (PMRFUN 2020a). By working toward the creation of rules on the basis of "the right of the strongest" (PMRFUN 2017), they inevitably come into conflict with the "peace-oriented concept suggested by Russia" (PMRFUN 2017), which explains the repeated negotiation impasses on various occasions and the continued deficiency of international regulation.
At the same time, and outside the UN, the United States is accused of having refused to engage at the bilateral level. For example, Russia's ambassador to the United States in 2021 listed altogether six unsuccessful Russian attempts to initiate a dialogue or comprehensive programme on information security with the United States, but all these initiatives, the ambassador claimed, were met with no reaction (quoted in Heilbrunn 2021). Also, within Russian domestic media, Russian decisionmakers blame their Western counterparts for refusing to cooperate on practical matters (see, for example, Izvestia 2020a). The reasons for the West's "unscrupulous efforts to smear Russia "(Russian Foreign Ministry spokeswoman Maria Zakharova in Izvestia 2020b) can be found in "internal political problems" (Chairman of the Federation Council of the Russian Federation Valentina Matvienko quoted in Izvestia 2017a).
With regard to the UN, Russia is portrayed as a norm-entrepreneur whereas Western actors are accused of side-lining the UN and pursuing a "right-of-the-strongest" approach (Andrei Krutskikh in Izestia 2017b). Overall, the differences between Russian international and domestic legitimization strategies, despite variations in tone, seem strikingly small.

United States
As within Russian narratives, US representatives emphasize that the effects of malicious actions in cyberspace can hardly be contained within national borders, requiring global actions in response (Ambassador Thomas-Greenfield, quoted in United States Mission to the United Nations 2021). 3 Further progress, according to the US narrative, now requires state-level implementation and compliance: The framework UN Member States have worked so hard to develop now provide the rules of the road. We have all committed to this framework. Now, it is time to put it into practice (Ambassador Thomas-Greenfield, quoted in USMUN 2021).
Stabilizing cyberspace therefore requires to "focus our efforts on the implementation of existing consensus norms, not the creation of entirely new normative concepts" (United States Delegation to OEWG, see UNODA 2020b). Furthermore, much of this implementation will be the done by individual states and coalitions, not by the UN, because "individual States may need to take measures to address threats in cyberspace when collective action is not feasible" (United States Delegation to OEWG, see UNODA 2020b). More recently, the "stage" for stabilizing cyberspace also tends to shift to the bilateral level, since it is there where Russia and the United States can or cannot "bring some order" (US President Biden quoted in CNN 2021).
In terms of the motives of US antagonists and the nature of their actions, there is clearly a difference between US storytelling within and outside the UN. Outside UN bodies, US officials make rather confrontational statements, on many occasions characterizing Chinese and Russian cyberattacks as "destructive and costly" (The White House 2018), "irresponsible" and "aggressive" (The White House 2021d), "indiscriminate" (US President Biden quoted in Nakashima 2021) and "pervasive and destructive" (The United States Department of Justice 2020). Perhaps the harshest critique, questioning the rationality of the Russian approach, came from Assistant Attorney General for National Security John C. Demers, saying that "no country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite" (quoted in The United States Department of Justice 2020). While all these characterizations are certainly unflattering, they have rarely been combined with accusations of deceitful or hypocritical behavior, at least until recently. A notable exception is US Foreign Minister Pompeo commenting on suspected Russian cyberattacks against Georgian websites in 2020, saying that these actions "contradicts Russia's attempts to claim it is a responsible actor in cyberspace" (quoted in The Washington Post 2020).
At UN level, in contrast, US storytelling rarely gives the impression of antagonistic relationships. Even after the 2017 UN GGE failure to reach consensus, particularly on the applicability of international law, the US representative emphasized the "productive and serious nature of much of the negotiations" (United States Mission to the United Nations 2017). Four years later, after both the UN GGE and the UN OEWG issued consensus reports, the statement of the US ambassador to the United Nations did not entail any negative comments at all, despite the verbal all-round of her Russian counterpart in the same UN Security Council meeting. Instead, it stressed the "remarkable willingness to bridge differences and to reach consensus" of all involved negotiating parties (USMUN 2021).
Another notable difference of actor characterizations was observed during UN cybercrime negotiation processes. Here, Russia was said to be an inappropriate sponsor of a cybercrime-related resolution and openly accused of being hypocritical, "putting forward a resolution claiming to counter cybercrime just weeks after it was caught perpetrating a cyber-attack on an entity of the UN system, the Organization for the Prohibition of Chemical Weapons" (USMUN 2018). The Russian initiative therefore was a "blatant effort to put the fox in charge of the henhouse" (USMUN 2018).
Finally, setting, actors, and outcomes are woven together through emplotment, particularly by blaming China and Russia for a deteriorating security situation and for impeding collective action at the UN level. For example, with regard to the Russian initiative for negotiating a universal treaty against cybercrime, the US claimed that this would "only serve to stifle global efforts to combat cybercrime" (The USMUN 2019). During negotiations within the UN OEWG, it was Russian and Chinese actions both inside and outside the UN that stood in the way of effectively stabilizing cyberspace. In the words of the US representative in this forum: Although our preference would be for all States to act together to address threats in cyberspace, we have to acknowledge reality: some states are unwilling to do so, and, in some cases, states are actually conducting or sponsoring malicious activity in cyberspace". (United States Delegation to the OEWG, see UNODA 2020b) Furthermore, Russian and Chinese proposals for additional norm-building deliberations and specialized legal instruments were rejected on the ground that they constitute "premature" and "impractical" departures from the real task of operationalizing existing international law (United States Delegation to the OEWG, see UNODA 2020b).

Discussion
In the remainder of this paper argues that three types of internarrativity result in inconsistencies and legitimization challenges both in the case of the US and Russia. The first one relates to the interplay between international and domestic narratives. As research on the role of strategic concealment has shown, conflict parties have often a common interest in not acknowledging escalatory dynamics, for example the use of proxy armies, in order to keep a minimum of policy flexibility and to escape the influence of domestic foreign policy hawks (Carson 2018). Similar fears of reputational risks and increasing domestic pressure to retaliate may prevent states from publicly disclosing information about cyber norm-violations and extraordinary destructive cyberattacks (Schulzke 2018, 9). At the same time, these concerns need to be balanced against responding to alleged attribution by others and escape being held accountable for the recurrent failure of the international community to secure cyberspace. This dilemma is aggravated by the long-term effect of promises and implicit performance standards within domestic narratives, for example during election campaigns. In case of the incoming Biden administration, the President elect campaigned on a clear promise to distance his policies from the Russia collusion of the preceding Trump administration. This domestic narrative merged with the idea of a much tougher stance on Russian cyberattacks the moment that President Trump downplayed and miscategorized the SolarWinds Hack at the end of 2020. As Presidentelect Biden told reporters in December 2020: We will make dealing with this breach a top priority from the moment we take office. (quoted in Business Insider 2020) Part if this prioritization entailed a strong commitment to communicate clear red lines to the Russian government right from the start of the administration. This became even more pertinent following a wave of devastating ransomware attacks of Russian origin and increasing Russian disinformation campaigns. Thus, after meeting President Putin in Geneva, President Biden explained: I made it clear that we will not tolerate attempts to violate our democratic sovereignty or destabilize our democratic elections, and we would respond. (quoted in CNN) A few weeks later, after a bilateral phone call with Vladimir Putin, the White House press secretary reaffirmed this retaliatory threat, saying The President made clear the United States will take any necessary action to defend its people and critical infrastructure. (Cimpanu 2021) Yet only a few weeks later, there was growing resentment within the US Congress, as well as among media commentators and security experts, about the way in which the Biden administration refused to take retaliatory measures in the face of new cyber incidents (Dilanian 2021;Harding, MacCabe, and Lewis 2021). To diffuse criticism of having discredited its own cyber deterrence efforts, White House officials tried to realign their international and domestic narratives, suggesting for example that retaliation might happen secretly (CNBC 2021). White House officials were also quick to notice that "we didn't set the measure at some verbal commitment from Vladimir Putin that Russian criminals would stop hacking [ … ], we set the measure at whether over the next 6 to 12 months, attacks against our critical infrastructure actually decline coming out of Russia" (National Security Adviser Jake Sullivan quoted in Dilanian 2021).
A second type of internarrativity that may result in legitimacy challenges concerns the way in which policy narratives validate or disconfirm so-called master or "strategic narratives" (Miskimmon and O'Loughlin 2017, 112). In the Russian case, the relationship between international cybersecurity and strategic narrative is mostly one of mutual reinforcement. Thus, allegations of hypocrisy, double standards and disdain for international law as key characteristic of Western diplomacy can be found in both policy and strategic narratives (Gorenburg 2019;Joja 2019). Also, there is a close link between the concept of Russophobia within Russian foreign policy narratives (Oates and Steiner 2018, 3-4) and the idea of an Anti-Russian bias within US cybersecurity discourses. In contrast, Russia's insistence on the need of inclusive participation and the protection of weaker nations does contradict a key demand within Russia's strategic narrative, i.e. to be recognized as member of the concert of great powers, "an elite group of states reinforcing a hierarchy" within international relations (Miskimmon and O'Loughlin 2017, 115). This approach to world order, where great powers strike deals with each other behind closed doors and often at the expense of weaker nations (Barbashin and Graef 2019, 34), fits much better with President Putins plea for bilateral agreements, as for example within the NBC interview. Yet by supporting the OEWG as an inclusive and transparent process, a "cyber agora," the Russian narrative may complicate the enactment of Russia as a great power (Kurowska 2020, 95). Russian acknowledgments of vulnerability or even inferiority-for example with regard to the dominant economic position of Silicon Valley-is fueling a similar contradiction. It certainly facilitates international coalition-building in some contexts, for example within BRICS. It may also provide an additional rational for the creation of a separate Russian internet segment. Yet at the same time, it is hard to reconcile with the idea of Russia as a world power, still a key element of the domestic legitimization of Russian authoritarianism. What is more, Russia's claim to not take part in the militarization of cyberspace in any way is poorly compatible with the imperatives of deterrence policy, within and beyond the cyber domain. There is therefore a need to balance such diplomatic statements with signs of resolve, abundant capacities, and dormant cyber strike capabilities. For example, Andrei Krutskikh described the current situation as follows: The situation when two cowboys stand, aiming at each other with "cyber colts," is abnormal. We're willing to drop our colt if they omit it. (Kommersant 2018, own translation) No matter how skillful Russian decision-makers navigate the tension between deterrence needs, authoritarian power politics, and cyber diplomacy, it will always offer opportunities for others to emphasize and amplify these inconsistencies and contradictions.
This already blends into a third dimension of internarrativity that centers on the relationship between competing international narratives. The argument starts from the Russian narrative which clearly aims for recognition as norm-entrepreneur by emphasizing their leadership in drafting constructive policy proposals and in initiating innovative negotiation formats. It also seeks to shift blame for the failure of stabilizing cyberspace to other states by highlighting obstructionist behavior, essentially alter-casting these states as norm-antipreneurs (Bloomfield and Scott 2017). From the perspective of the US, who prefer gradual implementation of the existing normative framework over radical change, entering into such blaming games at the UN might well be a double-edged sword. The more it draws attention to serious and grave violations of norms, the more it might underline the inadequacy of the existing governance architecture and thus play into the hands of the Russian narrative of a necessary radical reform.
This dilemma might be one reason why US officials at the UN refrain from explicit accusations. It might also explain, at least to some degree, why they hardly ever mention the UN norms of responsible state behavior during public attribution statements. President Biden's warning following the US-Russian bilateral summit, that "if, in fact, they violate these basic norms, we will respond with cyber" (The White House 2021b), might already count as the least vague reference to the UN global cyber norms, and even in this case, it is hard to say what norms exactly he was referring to. Russian officials themselves occasionally suggested that within the current regulatory structure, malicious behavior is to be expected and unavoidable. A case in point is a rhetorical question of the Russian representative within the OEWG, asking "if international law applies in cyberspace, why are foreign hackers electing the President of the United States?" (quoted in Broeders and Cristiano 2020).
Coming back to the influence of master narratives, it might be precisely the lack of references to these norms within US accusations that created useful material for Russian counter-narratives: The West deliberately shies away from spelling out the rules it purports to follow [ … ] The beauty of these Western "rules" lies precisely in the fact that they lack any specific content. When someone acts against the will of the West, it immediately responds with a groundless claim that "the rules have been broken". (Lavrov quoted in  Thus, US repeated characterizations of the SolarWinds Hack as "indiscriminate," "destabilizing" and "potentially disruptive" (senior White House official quoted in Nakashima 2021), "malicious" and running counter to the widely shared goal of "a secure, and reliable Internet" (The White House 2021c), without ever clarifying how it affected existing international law and norms, might unintentionally have reinforced Russia's strategic narrative.

Concluding remarks and implications
States, companies and civil society actors broadly agree on the need to prevent ICT misuse through effective international regulation. However, corresponding normbuilding processes have been repeatedly characterized by set-backs and have not yet led to a decline in the number and severity of cyber incidents. This paper used narrative analysis to explore how states seek to escape and divert blame for this outcome, engaging in an intense public diplomacy competition. Moreover, it emphasized different types of internarrativity as a source of policy dilemmas and legitimization risks.
Several policy implications follow from this analysis. It is first essential to take the narrative dimension of cyber public diplomacy more seriously. A good example is the Budapest Convention on Cybercrime of the Council of Europe, whose opponents seek to delegitimize by portraying it as an instrument of Western hegemony since non-Western states had no say in its original formulation. To counter such narratives, advocates of the Budapest convention need to go beyond demonstrating functional benefits of acceding to the Convention. Rather they should emphasize that the Convention historically was never meant to become a fixed set of rules and protocols, rather it provided a process of mutual learning that is open to accommodate new interests and priorities at later points.
A second policy implication refers to the domestic level: Political candidates should resist the temptation of making bold promises and raising unrealistic expectations about their ability to deter cyberattacks. Otherwise, they will find it difficult or even impossible to later reconcile their domestic and international narratives. In a worst case scenario, domestic political pressure will force them to engage in cyber diplomatic brinkmanship. Another implication is that Western policymakers have not yet fully exploited the weaknesses of competing cybersecurity narratives, particularly with regard to their inherent tensions. The way in which Russian status-seeking undermines their rhetoric of inclusivity and equality is a case in point. Similar contradictions arise from implicit Russian deterrence threats. Referencing more Russian sources would be key to amplify such contradictions, and thus to be able to forge alliances with swing states and other undecided stakeholders more easily. It bears mentioning that in general, Russian decision-makers and journalists display a greater readiness to pick up on Western policy statements, academic papers and media reports to amplify and exploit internarrativity for their advantage, both in an international and domestic context (see for example Izvestia 2020a).
Finally, Western decision-makers need to consider the unintended consequences of their own public diplomacy efforts more carefully, again very much dependent on internarrativity. In general, moving aways from vague attribution statements to being specific about norm violations, as the United States did in their recent comment on cyberattacks in Albania (The White House 2022), is a good way to counter Russian allegations of Western hypocrisy and arbitrariness. That being said, the overall political context (including the salience of relevant strategic narratives) always matters. For example, it is one thing to accuse Russia of violating cyber norms in the context of strained but still peaceful international politics. But doing so specifically with regard to the Russian invasion of Ukraine may blowback by offering the Russian leadership a way to add some ambivalence to an otherwise very clear overall picture.
In all domains except cyber, 4 Ukraine is the underdog, fighting for its very existence against a reckless aggressor who violates even the most basic norms of international humanitarian law. Why then emphasizing the (so far) rather limited cyber dimension of the war, where both Ukraine and Russia, through actions and rhetoric, have indicated their willingness to use malware to target civilian infrastructures? These are the kinds of questions which surface once internarrativity is taken into account during public diplomacy efforts. Notes 1. I wish to thank the anonymous reviewers and journal editors at Policy Design and Practice for very helpful comments and suggestions. Earlier drafts of this paper have been presented at the 2021 Annual Conference of the The Hague Programme on International Cyber Security and at the 2021 EISA Annual Conference where I received very valuable feedback from co-pannelists and discussants. Also, I am grateful to Jantje Silomon and Alexander Graef for commenting on the paper and for improving my research design and data collection. 2. For the sake of readability, the terms are hereafter abbreviated to MFA RF. 3. For the sake of readability, the terms are hereafter abbreviated to USMUN. 4. On the overal role of cyber operations in the war in Ukraine see Kaminska, Shires, and Smeets (2022). On Ukranian efforts to crowdsource offensive cyber operations see Soesanto (2022).

Disclosure statement
No potential conflict of interest was reported by the author(s).

Funding
This work was supported by the German Federal Foreign Office.