Corporate cyber norm emergence and norm entrepreneurship effort of IBM, Google, Huawei and Siemens

CORPORATE CYBER NORM

EMERGENCE AND NORM

ENTREPRENEURSHIP EFFORT OF

IBM,GOOGLE, HUAWEI AND SIEMENS

MASTER THESIS

Student: Deyan Hristov Thesis Supervisor: Dr. T. van Steen

Second Reader: Dr. T. Tropina Wordcount:18996 (exl. bibliography)

10.01.2021 The Hague, The Netherlands

Table of Content

Introduction………..…………4

Chapter I Theoretical Framework: Norms, Norm Emergence and Norm Entrepreneurship in the Context of Cyberspace/ Governance of Cybersecurity………7

1.1(Cyber)Norms and their relevance for the governance of cybersecurity……….……….7

1.2 Norm Emergence and Norm Entrepreneurship in the Cyber Domain……….10

1.3 Norm Entrepreneurship………..11

1.4Approaches to corporate norm entrepreneurship effort and groups in norm-entrepreneurship interactions: governments, industry and civil society ………13

1.5 Corporate Motivations and Organizational Platforms to promote cyber norms………….19

1.6 Literature review ………....21

Chapter II Methodology and Research design………...………..25

Research Design………..……….25

Methodology ………..………..……26

Data and Limitations ………..……….28

Chapter III Analysis ………..………..……29

IBM………..……….29 Google………..………33 Huawei………..………...………37 Siemens………..………...……41 Discussion………..………..43 Conclusion………..……….50 Bibliography………..……….53

List of Abbreviations

ARF- ASEAN Regional Forum

ASEAN- Association of Southeast Asian Nations CoT- (Siemens) Charter of Trust

CSR - Corporate Social Responsibility European Union- EU

GCHQ- Government Communications Headquarters Intergovernmental Organization(s)- IGO(s)

ICT – Information and Communications Technology MLAT - Mmutual Legal Assistance Treaty

NCSC- National Cyber Security Center OCA – Open Cybersecurity Alliance

OSCE-Organization for Security and Cooperation in Europe UN GGE – United Nations Group of Governmental Experts UN OEWG – United Nations Open Ended Working Group

Introduction

Cyber norms and cybersecurity, steer different actors active in the cyber domain to adopt dissimilar interpretations and discourses concerning the two concepts. For private companies, the digital domain might represent easy access to international markets and opportunity for economic development. On the other hand, nation states perceive cyberspace as a new and unexplored domain in international security. Nevertheless, recent events have revealed the risks and consequences from a cyber-attack for both private and public actors and have resulted into calls for robust governance of cybersecurity. The two cyber-attacks WannaCry and Not Petya, attributed to North Korea and Russia have raised the alarm bell about the vulnerabilities in the cyber domain (Broeders& van den Berg 2020). The consequences of the two cyber-attack include billions of dollars financial losses for companies and decline in the trust in digital technologies (Greenberg 2018). The increasing number of cyber-attacks, estimated to reach nearly 30 million per year and the regulation of cyberspace, is practically ineffective or does not exist (Nye 2014). As a result of the increasing number cyberattacks such as malware, ransomware, and phishing, which result not only in financial losses, but intellectual property theft has provoked reactions from states and technological companies alike. This includes calls for strengthening the governance of cyberspace through international law, regulations, and cyber norms (Adamson 2020). Although, states agree upon the applicability of international law in cyberspace, states appear to be less willing to invoke specific clauses of international law in the case of cyber-attack (Efrony&Shany 2018).

The effort of international community to establish regulations on information and communication technologies is rooted in the 1998 Russian proposal for UN resolution on “Developments in the field of Information and Telecommunications in the context of International Security” (UNGA 1999). The resolution, widely opposed by Western governments, aimed for the negotiation of a legally binding treaty that would prohibit the use of information weapons such as disinformation, thus preventing possible information wars (Broeders& van den Berg 2020). In 2004 the UN Group of Governmental Experts (UN GGE) aimed to provide clarifications about the scope of acceptable behavior in cyberspace, without the explicit objective to negotiate a treaty. The subsequent rounds of negotiations (2010,2013 2015) concluded with the adoption of several nonbinding norms framing the scope of

acceptable state behavior. The failure to achieve consensus on key issues during the 2017 signaled for the end of the norms process (Grigsby 2017). Major reason for the outcome is the diverging visions concerning the governance of cyberspace between the two opposing blocks. On the one side China and Russia demand for sovereignty in cyberspace, whereas US and Western countries demand for multistakeholder governance of cyberspace. (Broeders, van den Berg 2020).

The unregulated nature of cyberspace and the poor outlook for the development of strong international governance of cyberspace has resulted into several corporate led efforts to stablish international cyber norms. In 2017, Microsoft called for the creation of a “Digital Geneva Conventions’ among countries to address international cybersecurity concerns (Smith 2017). Microsoft argued that state-led cyber-operations inflict growing costs of incident response and customer protection to private companies. Similarly, in 2018 Microsoft made a further step to strengthen the role of private actors in the governance of cyber space, during the Paris Peace Forum (Gorwa&Peez 2020). Furthermore, prior to these two international events, Microsoft has been laying grounds for development of cybersecurity through series of norm proposals and technical recommendations for policy-making regarding various communication technologies(Gorwa&Peez 2020).Such company-led initiatives represent a pledge for the necessity for security in cyberspace, through international cyber norms delineating the scope of acceptable behavior in cyberspace, applicable to state and non-state actors alike(Börzel and Deitelhoff 2018).

Research Problem

Considering the slow progress of intergovernmental negotiations to adopt norms and regulations for the governance of cyberspace, progressively tech companies appear to take increasing role in the governance of cybersecurity. These developments in governance of cybersecurity, suggests for redefining of the roles different actors play in the governance of the field and focus research efforts on studying the role of private actors. Based on norm emergence literature, this thesis explores the mechanisms and the motivations that drive technology companies to take the role of cyber norm entrepreneurs. The study acknowledges the existence of wider pool of technology giants, and thus goes beyond studying the norm entrepreneurship effort of Microsoft. To achieve this objective, the research question of the thesis is as follows “How and why does corporate cyber norm entrepreneurship contribute to the emergence of

international cyber norms?” To answer the question and contribute to the emerging field of

corporate cyber norm entrepreneurship, the research examines the norm entrepreneurship effort of IBM, Google,Huawei and Siemens.

Relevance of the study and structure of the paper

Cyber norms and norm emergence are embedded in the broader field of cybersecurity are relevant not only for scholars in academia, but also policy makers and practitioners in the cyber field. By looking at larger number of companies and drawing more nuanced picture of their norm entrepreneurship efforts, the study aims to contribute to academic discussions concerning the role of private companies in the governance of cybersecurity. Additionally, the study aims to build-upon current body of theories on norm emergence, by looking at the actors, mechanisms, motivations relevant for companies to engage in cyber norm entrepreneurship. On societal level, the research is relevant for practitioners and corporate executives as would illuminate how their organizations can actively contribute to the security and stability of cyberspace. Additionally, the study is particularly relevant for companies that are leaders in specific branch of the digital domain and are interested in shaping the norms and regulations in their field of concern, based on their vision and preferences

To address the research question, set in this thesis, the paper is divided in the following way: The first chapter builds the theoretical framework for this research by looking at theories on norm emergence, norm entrepreneurship and the actors and organizational platforms relevant for this process. Regarding organizational platforms the chapter elaborates upon multi-stakeholder, industry and governments for cyber norm emergence. Based upon the theoretical framework, the final part of the first chapter synthesizes, earlier studies on cyber norm emergence and identifies literature gap, which is addressed in the paper. The second chapter provides overview of the methodological choices for answering the research question and elaborates upon the research design and limitations of the study. Additionally, the chapter elaborates upon the variables incorporated in this study and how they are operationalized. The third chapter is divided into two parts. The first part analyses provide analysis on the corporate norm entrepreneurship effort of IBM, Google, Huawei, and Siemens and studies the motivations and mechanisms to engage in such processes. The second part of the chapter is the discussion, which considers the meaning, relevance, and importance of the results in relation to the literature review and research question the final part of the paper provides a conclusion

of the findings in this paper and suggests grounds for future research on corporate cyber norm entrepreneurship.

Chapter I Theoretical Framework: Norms, Norm Emergence and Norm

Entrepreneurship in the Context Cybersecurity Governance

The chapter builds the theoretical framework for norm emergence and norm entrepreneurship. First, the chapter discusses the nature and characteristics of a norm and its relevance in the context of cybersecurity governance. Next, the chapter develops Finnemore and Sikkink model for norm emergence and norm entrepreneurship and how the two concepts are applicable in the context of private actors and the tools available these actors to convince other parties about the necessity of a norm. Thirdly, the chapter provides overview of the types of actors, motivations and organizational platforms which could be utilized by corporate cyber norm entrepreneurs in their norm emergence efforts. The final part of the chapter provides systematic overview of the current body of research on norm entrepreneurship and identifies the knowledge gap in the literature.

1.1(Cyber)Norms and their relevance for the governance of cybersecurity

Unlike many essentially contested concepts which are either too broad or scholars fail to reach consensus upon the definition, norm is well established and defined concept in the disciplines of political science and sociology (Finnemore&Hollis 2016). Katzstein defines norms as “collective expectations for the proper behavior of actors with given identity” (Katzstein 1996 p.5). This definition provided by Katzstein is widely accepted among scholars and serves as a standardized definition, providing the basic characteristics of a norm (Finnemore&Sikkink 1998). However, the definition provided by Katzstein is too limited as it does not include elaboration of the components necessary to establish a norm. Finnemore and Hollis build upon Katzstein’s work to provide more elaborate definition for norm. Finnemore and Hollis point out that the first two components, identity, and behavior, provide a reference to the group which is subject to the norm and the scope of specific actions which members of the given community are expected to perform. The third component, propriety refers to the basis upon which the scope of appropriate and responsible behavior is formulated (Finnemore&Hollis 2016). Factors shaping the identity and the scope of behavior could be politics, professional standards, and

culture. The last component collective action, points to the social construction of the norm and its intersubjective character (Finnemore&Sikkink 1998). This implies that norms are not developed in vacuum or by single actor and event but are rather norms are the product of shared understanding held by members of the group about what appropriate behavior developed throughout prolonged period of interaction (Finnemore&Hollis 2016).

In the context of cybersecurity governance, cyber norms are applicable to different identities and could establish varying types acceptable behavior across different groups of actors. Most notable example concerning the relevance of cyber norm is related to state actors and their participation in intergovernmental bodies such as the United Nations Group of Government Experts (UN GGE), and the UN Open-Ended Working Group (UN OEWG). These organizations establish cyber norms such as prohibiting the use of cyber weapons against critical infrastructure and are applicable to national governments (Broeders& van den Berg 2020). On the other hand, cyber norms may apply to identities other than states and could be applicable to non-state actors such as members of a given industry. The Siemens Charter of Trust is an example of cyber norms focused at establishing framework of acceptable behavior to members of the technology industry. The behavior component of cyber norms, refers to the regulatory nature of norms by imposing duties and obligations to actors by prescribing, banning, or allowing specific activities in cyberspace. Other norms may have constitutive character and can create new rights or actors in the cyber domain (Barnett&Finnemore 2004). Example of newly developed actor is the system administration or institutions such as the Internet Corporation for Assigned Names and Numbers (Finnemore&Hollis 2016). Respectively, cyber norms serve as regulatory tool to prevent various forms of malicious activities taking place such as cyber-attacks which might have severe consequences for international security (Hurwitz 2014). Despite norms are applicable to various actors set different constraints on their behavior, norms also have varying characteristics in terms of membership and opportunities to be enforced.

Academic literature provides clarification on the definition of a norm and its utility in prescribing or constraining behavior in given issue area. However, the situation with the essence of a norm and the opportunity to enforce it appears to be more nuanced as some norms can be legally binding or nonbinding and participation may be voluntary. Adamson argues that discussions on cyber norms needs to be addressed in terms of continuum (Adamson 2020). On the one side of the continuum is characterized by norms codified in international agreements

and treaties which are considered as hard laws and are legally binding upon signatory parties. However, such norm setting can only be negotiated and developed by states, as they are the sole actors possessing international legal personality. By contrast, on the other side of the continuum can be placed “weak” voluntary and non-binding norm setting arrangements where participation is open for various types of actors. In the context of cyber norms, the capacity to shape legally binding norms through negotiating treaties remains exclusive to nation states, although such may also participate in non-binding agreements. Respectively, norms established through international law and treaties are legally binding for states and disputes over the application of the law can be decided by international courts and tribunals. By contrast, non-state actors such as private companies have the capacity to develop nonbinding cyber norms. Such norms can be established through processes such as industry code of conduct, industry alliances, charters of trust and other processes. Despite the different functions and objectives of each type of these processes, they share common characteristics such as voluntary membership and are non-binding.

The emergence of non-state actors on the international arena over the last two decades, has introduced state-oriented disciplines such as international relations and international law with new theoretical and practical challenges (Eggenschwiler&Kulesza 2020). Factors such as globalization and technological advancement, have produced new layer of complexity in international affairs and have given rise to array of new actors. Non-state actors have been key contributors to international policymaking in areas such as cybersecurity. Reasons for that are to be found in the contribution of private companies both in the development and expansion of cyberspace (Eggenschwiler&Kulesza 2020). Besides the production of software, hardware and digital services, technological companies are actively engaged in the governance of cyberspace and the emergence of cybersecurity norms. The failure of intergovernmental efforts to establish cyber norms through the UN GGE and the increase of cyber incidents both in terms of consequences and frequency, resulted into several non-state led initiatives aiming to establish framework for norms of acceptable behavior in cyberspace (Hern 2017). Among other, such examples include the Digital Geneva Convention, Cybersecurity Tech Accord and the ICT4Peace Foundation which aim to promote responsible behavior in the use of telecommunication technology (Eggenschwiler&Kulesza 2020) Yet, unlike state-led initiatives, such calls for cyber norms do not have legally binding character and are voluntary. Respectively, the constant threat of cyber-attacks and poor governance of the domain, resulted

into private companies taking the role of norm entrepreneurs iin the process of the development of norms regulating behavior in cyberspace.

Respectively how international cyber norm is defined, depends upon the disciplinary perspective and the actor considering this question (Adamson 2020). On the one hand, norms considered by proponents of international law, norms can be considered as lacking utility due to their inability to address the issue adequately and sufficiently at stake (Grigsby 2017). Defining a norm through a strictly legal perspective, such can be established by treaties or customary international law (Adamson 2020). By contrast, norm considered through international relations and constructivist approaches materialize through shared expectations and standards (Adamson 2020). In that regard, as the objective of this paper is to research the role of private technology companies in the process of norm emergence, norms are to be defined as non-binding and the participation in norm-making processes is voluntary.

1.2 Norm Emergence and Norm Entrepreneurship in the Cyber Domain

Norms can emerge through different pathways and actors. Some may emerge spontaneously or through norm entrepreneur. Finnemore and Sikkink develop abstract model which enables the study of the emergence of norms and the methods applied by norm entrepreneurs through the norm “life-cycle.” (Finnemore and Hollis 2016). The first stage of the norm cycle focuses on “norm emergence” in which norm entrepreneurs attempt to persuade “a critical mass of states” that the norm is vital (Finnemore and Sikkink 1998). Norm entrepreneur may be any actor or a group of actors which have a norm that they want to propagate to members within a given group or other external actors. The function of norm entrepreneur can be adopted by different range of actors, regardless of the issue addressed by the norm. Actors may have different backgrounds and motivations and norm entrepreneurs could be individuals, industries, NGOs, states, or intergovernmental organizations such as the United Nations (Finnemore and Hollis 2016). The advocacy of norm entrepreneurship becomes successful when a “tipping point is reached. This implies that the given community or actor, has accepted the norm and reaching this point provides the preconditions for the second stage of the norm life cycle, namely norm cascade (Finnemore&Sikkink 1998). This stage is characterized by attempts by other actors to imitate and follow the new norm and the principles of acceptable behavior. Further, during this stage the new actors which have accepted the norm, could also take the role of norm entrepreneurs. This can be achieved by engaging in attempts to socialize and convince other

parties to accept the norm. The final third stage is characterized by the norm internalization. At this stage, the framework of acceptable behavior established by the new norm, serve as a benchmark for assessment (Finnemore&Sikkink 1998). However, the completion of the entire “life cycle “is not a necessary condition for the acceptance of a norm and is neither inevitable(Finnemore&Hollis 2016).

Finnemore and Sikkink’s norm life cycle model enables to study the process of norm emergence as a whole or focus the study on single stage of the process. For instance, research might focus only on the first stage of norm development – norm emergence. This would enable to develop more focused approach for studying the underlaying processes of norms emergence and therefore produce more comprehensive analysis by examining single component of the process (Finnemore&Hollis 2016). In that regard, considering the purpose of this study to examine the involvement of private companies in the development of cyber norms, the rest of the section examines the concept of norm entrepreneurship and the role of norm entrepreneurs.

1.3 Norm Entrepreneurship

The first stage of norm emergence is composed of two key elements relevant for the successful creation of a norm. This entails a norm entrepreneur promoting certain norm and an organizational platform through which norm entrepreneurs can disseminate the new norm (Finnemore&Hollis 2016). Finnemore and Sikkink identify the scope of possible norm entrepreneurs is not fixed and actors such as citizens, states, NGOs, and industry have the capacity to become norm entrepreneurs. These actors can serve as “meaning makers” or “meaning managers” of an event or an issue (Finnemore&Sikkink 1996). For instance, international humanitarian norms which have established the foundations for the First Geneva Conventions, have been developed by the International Committee of the Red Cross. Similarly, individuals such as Elizabeth Stanton have adopted the role of norm entrepreneur by leading international campaigns for women’s suffrage (Finnemore&Sikkink 1996). Traditionally, in the cyber norm discourse, the community of actors actively engaged in shaping international cyber norms is undisputedly championed by states (Broeders& Van den Berg 2020).

In norm emergence, norm entrepreneurs play active role in calling for attention on an issue and frame it by using appropriate language to interpretate the events. Framing is key moment, as enables norm entrepreneur to clearly define the problem and signal possible mechanisms to

address the issue. (Finnemore&Hollis 2016). Besides meaning making and indicating solutions, norm entrepreneurs are incentivized to first frame issues, since frames tend to be “sticky” and difficult to change over time. First movers could exploit early stages of framing by providing normative recommendations that suits their interests and serves as a step to achieve their goals. Respectively, by mobilizing sufficient support in the early stages, norm entrepreneurs could shape the norm based on their own vision and this will provide obstacles for latecomers willing to redefine it (Finnemore&Hollis 2016). In the context of norm proposals for cybersecurity, framing efforts can be seen on various occasions. For instance, the already established norm in the software industry to prevent the incorporation back doors in their software to protect privacy, represents significant obstacle to law enforcement agencies to amend the norm so that encrypted information could be used to respond to security threats (Kaye 2015).

The second component of norm entrepreneurship focuses on the organizational platforms utilized to promote new norms (Finnemore&Hollis 2016). Depending on the promoted norm in certain scenarios, norm entrepreneurs could use already established platforms to promote new norms. On the other hand, more recent issues might require norm entrepreneurs to establish new platforms to promote new norms. In the context of cybersecurity, examples of already established organizational platforms which could be used by norm entrepreneurs to call for the development of norms are the Munich Security Conference, UN GGE or UN OEWG (Hurel&Lobato 2018). On the other hand, the Cybersecurity Tech Accord initiated by Microsoft is an example of newly established platform by norm entrepreneurs to promote cyber norms (Gorwa&Peez 2020).

Besides organizational platforms, particular attention should be paid on the mechanisms and tools used by norm entrepreneurs to develop and disseminate norm. The tools available in the toolbox of norm entrepreneurs include incentives, persuasion, and socialization. Norm entrepreneurs could utilize one tool or all of them simultaneously in their strategies to call for new norm. (Finnemore&Hollis 2016). Incentives could take the form of financial benefits, improved public image or even punishment in certain cases. Failure to comply with norms concerning data protection, companies are threatened with significant financial sanctions (Ashford 2016). On the other hand, persuasion is a universal tool applied by norm entrepreneurs in attempts to promote new norms (Finnemore&Hollis 2016). Through persuasion, norm the entrepreneur attempts to change the beliefs and behavior of other actors,

by providing arguments and supporting evidence about the value of a norm (Finnemore&Hollis 2016). In that regard, disseminating new information is crucial part for persuasion and norm entrepreneurs can use different channels for communication such as social media public speeches and reports. The third instrument available at the toolbox is socialization which refers to the process where “newcomers become incorporated into the organized patterns of social interaction” (Finnemore and Hollis 2016 p 28). Socialization may take the form of mimicry, where actors adopt the behavior of others for their own benefits. In the context of cybersecurity, examples of socialization are providing technical assistance, professional training, codes of conduct (Finnemore&Hollis 2016).

1.4 Approaches to corporate norm entrepreneurship effort and groups in norm-entrepreneurship interactions: governments, industry and civil society

The previous section elaborated upon the concept of norm entrepreneurship and delineated the scope of actors capable of taking the role of norm entrepreneurs. Additionally, the section defined incentives, persuasion, and socialization as the tools available to norm entrepreneurs to convince actors about the necessity of a norm. To complete the framework for corporate norm emergence, the following section elaborates on the types of actors relevant for corporate cyber norm entrepreneurship efforts. The following section studies the relevance of government, industry, and civil society actors for corporate cyber norm entrepreneurship. The section also defines the processes and organizational platforms through which private companies cloud use to promote cyber norms to one or several types of actors.

Governments

Cyberattacks and cyber conflicts initiated and executed by states have been a source of distress for actors whose businesses depend upon the stability of the network (Charney et.al 2016). Although technological solutions are pivotal component of cybersecurity, norms and cyber norm emergence processes and discussions aim to set constraints on the behavior of governments and companies active in the cyber domain. These processes, triggered by the practices and interaction of different actors such as governments, security experts, IT communities and markets aim to address the interests and concerns of all parties involved. (Hurel&Lobato 2018). In the context of the cyber domain, largely driven by market forces the role of government is to authorize and recognize market practices through using the services

of private companies or sharing the responsibility in issue management (Hurel&Lobato 2018). However, this does not imply that governments need to renounce their participation in the field, especially in the context of security governance. In early 2000s Schneier echoed the message” security is a process not a product”, which in the context of 2000s suggests that private companies (such as software and hardware producers) need to engage in multiple dimensions regarding the governance and management of cybersecurity issues(Schneier 2000 p.?). Additionally, Schneier’s consideration on security point out that “security does not have to be perfect, but the risk has to be manageable and that products can’t solve all security problems” (Schneier 2000). In this context, this suggests that the input of private companies in cybersecurity should not be limited to delivering higher levels of protection, but also need to materialize through the participation in discussions over cyber norms (Scheier 2000)

Scholars in International Relations have sought to address normative developments in international system for the regulation of cyberspace and the engagement of governmental and non-state actors in these processes (Risse&Sikkink 1999; Hall&Bieersteker 2002). However, most multilateral norm emergence processes are discriminatory and non-state actors are excluded from making contributions and proposals about the emergence of international cyber norms. For example, the UN Group of Governmental Experts (UN GGE), comprised by 25 member states represents a government-led effort for developing and promoting international norms applicable in cyberspace. The mandate of GGE allows limited number of regional intergovernmental organizations (IGOs) to participate in consultations on the subject of cybersecurity. The five organizations include the European Union, African Union, the Organization of American States, OSCE and ASEAN Regional Forum (UN GGE). The main objective of UNGGE is to discuss norms for responsible state behavior in cyberspace, and more recent deliberations consider the applicability of international law in cyberspace(Broeders&van den Berg 2020). However, the political differences among GGE member states so far have represented a serious obstacle in the diplomatic efforts to achieve consensus for the adopting resolution framing the scope of acceptable behavior, where the latest failed round dates from 2017(Broeder&van den Berg 2020). Joseph Nye highlights the absence of public involvement as key reason for the slow progress of the GGE processes and the low levels of norm internalization among states (Nye 2018).

On the other hand, Hurel and Lobato pointed out that recent developments in multilateral cyber norm emergence processes, enabled more technology companies to take the role cyber norm

entrepreneurs (Hurel&Lobato 2018).The UN Open-Ended Working Group(OEWG) represents a multilateral norm emergence process, open to all UN member states and unlike UNGGE allows non-state actors to submit proposals for cyber norms. The OEWG process had its first session in 2019 and is expected to produce resolution containing rules, norms, and principles for strengthening the stability and security in cyberspace (OEWG). Unlike the GGE process, OEWG process enables the possibility of intersessional consultations with members of the technology industry, academia and non-governmental organizations. Until 2020, only the two companies Microsoft and Kaspersky have provided comments on the pre-draft of the OEWG report (OEWG)

Hurel and Lobato explore the tension between academic literature on cyber norms and the role of companies as cybersecurity norm entrepreneurs. By looking at the role of Microsoft, Hurel&Lobato argue that companies engage norm entrepreneurship through practices such as lobbying and corporate diplomacy. This implies that through such practices, technology companies seek to influence governance of cybersecurity and international politics and most significantly advocate for changes in state behavior (Hurel&Lobato 2018). Furthermore, Hurel and Lobato argue that companies engaged in promoting cyber norm are not only focused on setting constraints for state behavior in cyber space but also stretch their legitimacy beyond technical expertise and attempt to influence international diplomatic efforts for global cybersecurity (Hurel&Lobato 2018). This implies that companies could propose norms for responsible behavior relevant for states, but also attempt to influence the outcome of negotiations over international norms

Market-share of the company plays important factor for companies to enjoy legitimacy to engage in norm entrepreneurship efforts seeking to regulate government policies in cyber space. Additional factors that increase legitimacy of private actors include characteristics such as capacity to sustain innovation over prolonged period (Fairbank 2018). On organizational level, companies promote cyber norms through corporate diplomacy and lobbying (Asquer 2012). More specifically, corporate diplomacy is driven by diplomatic and policy branches withing their organizations, responsible for matters related to international affairs and regulations. Illustrative examples of attempts to change state behavior through corporate diplomacy and lobbying could include policy papers and statements, white papers, regulatory proposals and other documents and statements seeking to impact state behavior (Fairbank 2018). Additionally, companies could promote norm proposals and statements through

national, regional, and international organizations. Meaning that efforts could promote collaboration with national authorities and agencies, regional and international governmental organizations such as the European Union, United Nations, and other governmental forums (Hurel& Lobato 2018).

Industry

The 2010 UNGGE report on the Developments in the Field of Information and Telecommunications stated that” existing and potential threats in the sphere of information security are among the most serious challenges of the twenty first century” (UNGGE 2010). A decade later, the use of digital and information technology to conduct espionage, sabotage represent a defining component in contemporary international affairs (Gorwa&Peez 2020) The poor state of government led discussions on issues on how to enforce change of state behavior in cyberspace have resulted into private companies to seek alliances with tech industry actors in their effort to refrain from collaborating with governments in cyber-attacks (Gorwa&Peez 2020). Such attempts have materialized through Microsoft’s proposal for Digital Geneva Convention and the subsequent Cybersecurity Tech Accord, bringing more than 100 industry members into a single alliance, that has the potential to inflict normative change in global cyber security issues (Gorwa&Peez 2020).

On theoretical level, scholars have attempted to systematically theorize the mechanisms and reasons for companies to become norm entrepreneur, by promoting principles of behavior applicable to industry members. Flohr’s study argues that the vulnerability of a company to suffer reputation loss, results in increased likelihood that the company will engage in norm entrepreneurship. The empirical findings of Flohr’s research further indicate, that companies with significant business- to-business transactions, have higher likelihood to engage in norm entrepreneurship (Flohr 2010). This implies, that companies with revenue derived from transactions with other companies, rather with other customers is a condition for a company to engage in norm entrepreneurship. The work of Deitelhoff and Wolf echoes that companies form alliances or other types of institutions in order to develop principles of responsible behavior and codes of conduct in poorly regulated domains, as it is the case with cyberspace Deitelhoff&Wolf 2013).Additionally, their work suggest that industry norm entrepreneurs are guided by “ rationalist calculations regarding the re-definition of fundamental business interests” (Deitelhoff&Wolf 2013).Respectively, norm applicable to the tech industry would

aim to minimize financial losses and level up the playing field by introducing new rules and standards for protection and risk management. Additionally, In the context of cyber governance, proposals for industry norms means that companies could attempt to bring competitors to their own standards and preferences, regarding software protection standards, cooperation with governments to conduct cyber-attacks, information security and other issues (Finnemore&Hollis 2016)

On the other hand, Gorwa and Peez argue that participation of private companies in industry-led cybersecurity initiatives has little to do with the objective of developing cyber norms, rather the focus is to polish the public image and improve legitimacy of the organization. Although such claims may be relevant for, there are other reasons for companies to engage in industry-wide initiatives for cyber norms. Respectively, motivations such as leveling-up the playfield by proposing more stringent security measures, could be seen not as altruistic action. Rather, norm entrepreneurship could be considered as an attempt of companies to gain competitive advantage over competing firms and seek financial benefits and improved public image(Gorwa&Peez 2020)

There are several available ways for companies to take the role norm entrepreneur role and develop industry-wide norms. Mechanisms for corporate actors seeking to shape industry cyber norms could be achieved through alliances with other members in the industry. The objective of such alliances is to change the ways in which companies respond to cybersecurity vulnerabilities and provide guidance for improving resilience. However, normative industry alliances could result-into norm spill over to parties outside of the normative alliance. For instance, this could be achieved by normative clauses aimed at strengthening the prection and limit security vulnerabilities on all levels of the supply chain (Ibid).

Civil Society

Recent body in the corporate norm entrepreneurship literature has pointed about the necessity to broaden the scope of non-state actors other than industry. For addressing the issue, Fairbank suggests a three-pronged approach to study corporate cyber norm emergence by looking at interactions with industry, government, and citizens. Fairbank’s study on corporate norm entrepreneurship adds upon existing theoretical knowledge by looking at the dynamics between industry actors and citizens when studying the role of cyber norm entrepreneurs (Fairbank

2018). Fairbank argues that incorporating the role of citizens in research enables research that sketches the broader picture of corporate engagement and helps better understand corporate entrepreneurship (Fairbank 2018). Reason for the necessity to study the role of citizens is that domestic factors, including elections a nd public opinion are considered by governments (Putman 1998). Brantly argues that the unique character of cyberspace, enables individuals and interest groups to interact directly with national authorities, instead of legislative representatives (Brantly 2014). Hurwitz study on the national authorities in some democratic states are highly responsive to public demands on various issues, including cybersecurity (Hurwitz 2012).

The “three-pronged” approached to study corporate cyber norm entrepreneurship proposed by Fairbank has its merits, as it suggests studies on corporate norm entrepreneurship need to study larger number of actors and interactions. Despite citizens are integral part corporate cyber norm initiatives such as the Microsoft’s Digital Peace Now, citizens and individuals are rarely the exclusive focus of norm initiatives launched by other companies. Considering Fairbank’s argumentation as citizens have important role for social change through the adoption of cyber norms, this group of actors appears to be too limited to grasp the entire scope of dynamics in cyber norm emergence. In that regard, this paper refines the “three prongs” model suggested by Fairbanks and frames the third prong to be composed by citizens and non-governmental organizations and civil society.

The traditional definition of non-state actor comprises a broad range of organizations and actors other than national government (Bianchi 2011). According to Wagner, non-state actors are composed by individuals, non-governmental organizations, lobby groups, think tanks and international organizations (Wagner 2009). However, civil society is all encompassing concept that includes all the listed non-state actors which could be engaged in the norm emergence process. In the context of cyber security, civil society is actively engaged in promoting cyber norms for appropriate and responsible behavior and is often engaged in platforms calling for action to address issues such as privacy (Eggenschwiler&Kulesza 2020). Mechanisms utilized by civil society organizations to exert pressure for the development of new norms could be achieved through their traditional type of agency and traditional authority through participation in political discussions (Eggenschwiler&Kulesza 2020). Additionally. Kingsbury, Kirsch and Steward argue that civil society actors could contribute for the governance of cyberspace through participation in hybrid intergovernmental arrangements or private institutions with

regulatory functions (Kingsbury, Kirsch&Steward 2005). Another mechanism to influence norm emergence available to civil society is to associate with efforts to shape global practices and culture in cyber space. The wide adoption of such practices by other actors could eventually result into the development of international custom (Andjelkovic 2006).

A mechanism through which this can be achieved is by framing the issue and convincing the public that both actors share similar interests in cyberspace and cyber-governance is mutually beneficial (Fairbank 2019). For instance, both corporations and citizens consider cyberattacks as undesirable and harmful (Charney et al. 2016). Like the corporate-state relations, the legitimacy of corporations in their relations with the public, depends on factors such as the size of the company and company’s image. Respectively, the larger the company and the better the image, the greater the likelihood that citizens become convinced by the necessity of a norm. As a result, citizens become additional leverage mechanisms for companies to push governments to accept demands for a new norm (Fairbank 2019). In that regard, Nye argues that the exclusion of the public in the cyber norm and cybersecurity in discussions, has been a key factor for the failure of internalizing UN GGE cyber norm proposals (Nye 2014).

1.5 Corporate Motivations and Organizational Platforms to promote cyber norms

Shared responsibility, trust in the cyber domain and software protection represent the three

key reasons explaining why private companies are interested in developing norms that change state behavior in the digital realm. (Fairbank 2020). Fairbank identifies that reasons for private technology companies engage in cyber norm entrepreneurship are related to the necessity of shared responsibility in providing cybersecurity. Private companies own and operate approximately 80% of the technical assets and infrastructure for providing digital services and hardware. This includes underwater sea cables, data centers, antennas, and other types of ICT infrastructure. On the other hand, Cyberattacks and cyber conflicts initiated and executed by states, has been as source of distress for actors whose business depends on the stability of the network (Charney et.al. 2016). However, there is no clearly demarcated line regarding the responsibilities of private and public actors concerning the protection of critical infrastructure (Fairbank 2018). The clearly delineated responsibilities of both types of actors would also result in more accountability in case of cyber-attacks. In that regard, norm development efforts supported by dialogue between public and private actors could help creating a transparent set of shared expectations and responsibilities concerning cybersecurity. The awareness about the

scope of accountability, could help tech companies to identify where to focus their cybersecurity effort and avoid being blamed for security breaches, where the cybersecurity protection might be responsibility of national authorities (Fairbank 2018).

Public and consumer trust in the ICT technology and the company providing hardware, software or digital services is another factor determining the success of a company. In that regard maintaining trust in the company and the technology alike represents another source of companies to engage in cyber norm entrepreneurship. However, Dashwood argues that companies engage in norm development to improve its own reputation which could have positive implications for their financial balance sheets (Dashwood 2005). There are no doubt companies are profit-maximizers, but looking only at financial interests of a company, would fail to draw more nuanced picture of why companies develop norms aiming to regain public trust. Gorwa and Peez’s argue that corporate norm effort is driven by the interest to regain trust in the company and some norm entrepreneurship efforts may arise in the aftermath of a crisis. Company’s strategical positioning as contributing to the common good of cybersecurity and defending consumers from cyber-attacks. Respectively norm entrepreneurship efforts serve the purpose of corporate social responsibility effort that contributes to improving the public image of a company. Study conducted by Stanaland has revealed that CSR initiatives could influence consumers perception concerning the trustworthiness of a company and result in higher levels of perceived security in company’s products. In that regard, company engages in corporate norm-entrepreneurship is also to boost its own image and restore trust in digital technology and cyber domain (Stanaland 2011)

Being tightly interwoven with the necessity the previous objective to maintain trust in the cyber domain, the third objective is software protection. Although ICT companies are non-political actors and operate larger extent of the infrastructure, they are not immune from harmful cyber-attacks. As a result of cyber-attacks, companies suffer from significant financial losses and damage to their infrastructure and in this regard software protection is particularly relevant for companies producing software and hardware(Hurel&Lobato 2018).Through developing cyber norms that set constrains on the behavior of actors capable to conducting cyber-attacks on privately developed software the initiation of joint cyber defense initiatives would have positive implications for the protection of ICT and stability in cyberspace. Additionally, calls for norms for deepening the public-private relationship could also contribute to software protection. By using their well-developed technical expertise in identifying cyber-attacks,

private companies could attribute cyber-attacks to actors that have conducted the offence. Respectively, by resolving the challenges related with anonymity would likely discourage governmental agencies to conduct attacks. Additionally, corporate engagement in cyber-attack attribution would provide more details about the flaws in digital systems which could be used to create more secure technology (Fairbank 2018).

Indications for collaboration between corporate cyber norm entrepreneurs and the three group of actors materializes through different forms. Norm entrepreneurs may use large array of organizational platforms to promote cyber norms and this could be achieved through cybersecurity accords, forums, initiatives, company alliances, norm-emergence processes, international standards, capacity building and digital conferences. However, this list does not provide exhaustive illustration of the types of organizational platforms used by corporate norm entrepreneurs. The decision concerning the type of platform to be utilized in such processes is strictly corporate decision and policy and varies across companies. Nevertheless, to initiate norm emergence process, the norm entrepreneur should enjoy minimal level of legitimacy. The source of legitimacy is measured based on factors such as relative market share, diversity of products and services and the ability to sustain innovation capacity over a longer period (Hensitz 2014). In that sense, the larger the international presence of a company, the higher is its legitimacy.

1.6 Literature Review

Finnemore and Sikkink life-cycle model, more concretely the phase of norm emergence and the role of norm entrepreneurs has been well examined in the academic literature. Mauer research on the emergence of cyber norms studies the process in the context of the United Nations. The analysis looks at the politico-military and economic concerns that shape the diplomatic negotiations in the First Committee of the General Assembly and organizational platforms such as the International Telecommunications Union. Maurer argues that international norms emergence is highly dependent on factors such as the relations between the parties involved in the negotiations and exogenous factors such as recent cyber incidents which can alter the perception of policymakers (Maurer 2011). Crandall and Allan study how small states, which have limited defense cyber capabilities and are regular subjects of cyber-attacks, form alliances with like-minded small states for the promotion of cyber norms to reregulate behavior in cyberspace (Crandall&Allan 2015). On the other hand, the cyber capabilities

developed by national intelligence agencies for conducting cyber-attacks or detecting possibly harmful activities in cyberspace, has turned them into important actors in the cyber domain. Trough implementation of novel cyber intelligence techniques has enabled intelligence agencies to signal to other actors about the boundaries of acceptable behavior in cyberspace. In that regard, Georgieva argues that national intelligence agencies can also be “cyber norm settlers” (Georgieva 2020). Homburger’s research argues that cybersecurity capacity building in recipient states can be seen another form norm-entrepreneurship (Homburger 2019). Donor states supporting the development of cybersecurity capacity in recipient countries, can in fact result in exporting views and values to recipients. Thus, contributing for the emergence of cyber norms which may have been absent earlier. Despite the literature adopts various approaches to study the emergence of cyber-norms it appears that the focus has been predominantly on the role of states led initiatives. Eggenschwiler points out that the increasing involvement of non-state actors in the emergence of cyber norms signals the necessity to reconsider the role of states in cyber-norm development. However, Eggenschwiler argues that state are still critical actors for the development of cyber norms (Eggenschwiler 2019).

Cybersecurity literature and more specifically the sub-field cyber governance, provides in-depth evidence of the utility of applying Finnemore and Sikkink model to study norm emergence and the functions of norm entrepreneurs (Finnemore&Sikkink 1998). The research has predominantly focused on the role of national governments as cyber norm entrepreneurs, through engaging in bilateral and multilateral or other diplomatic efforts aiming to result in norm emergence. On the other hand, other Georgieva’s study looks at how domestic agencies can in fact indirectly become norm entrepreneurs (Georgieva 2020). Thus, cyber governance literature has focused on how nation states shape the framework of acceptable behavior for other states and domestic institutions. Nevertheless, such state-centric approach in the literature appears to be problematic as it fails short of drawing the full picture of actors active in the cyber domain (Hurel&Lobato 2018).

The idea of non-state actor’s advocacy for norm emergence is neither new, nor unresearched in the literature. As Finnemore and Hollis argue, actors such as private companies, citizens and NGOs may have active role in the norm emergence process (Finnemore&Hollis 2016). Scholarly literature has pointed out that, non-state actors play active role in altering state behavior (Hurel&Lobato 2018). Non-state actors have acted upon influencing national behavior on various issue areas such as women’s rights, international trade and relatively

recently in cybersecurity (Finnemore&Hollis 2016). Unlike other security issues, Dunn Cavelty argues that the dynamics in cyberspace pose a set of difficulties, such as struggle to establish authority in domain which has been predominantly shaped by individuals and companies (Dunn Cavelty 2016). As the process of cyber norm development is far from settled, enables companies to use their expertise and authority in the field to take a more active role in cyber governance. Charney points the stability of the internet and the protection of corporate operations and customers from malicious cyber-operations provide additional incentive for companies to engage in the development of norms (Charney et all.2016)

More recent and limited body of cyber governance literature has examined and attempted to theorize corporate cyber norm entrepreneurship. Hurel and Lobato seminal contribution to the literature, focuses on the international norm entrepreneurship effort of Microsoft (Hurel&Lobato 2018). The paper explores how Microsoft has engaged in the promotion of international cyber norms and the strategies adopted by the company to promote cybersecurity through cyber norms. Their research reveals that Microsoft has adopted multi-layer strategy to cybersecurity by applying corporate diplomacy (i.e., Norm entrepreneurship) on national, regional, and global level. Instead of influencing the behavior of “peers” in the tech industry, Microsoft approached the issue by attempting to influence the behavior of states and national policies. Hurel and Lobato argue that this strategy has allowed Microsoft to become relevant stakeholder in international cyber policy debates (Hurel&Lobato 2018). The work of Gorwa and Peez, looks at the motivations and mechanisms behind Microsoft norm-entrepreneurship effort to develop industry-wide norms through the Cybersecurity Tech Accord. Gorwa and Peez argue that through CTA, Microsoft has attempted to contribute for the development of industry-wide cyber norms by addressing key issues such as privacy and data protection (Gorwa&Peez 2018).

Fairbank work studies Microsoft attempts to engage in international cybersecurity by applying a “three pronged” approach to study the company’s role as norm entrepreneurship. Fairbank argues that study aiming to understand the entire picture of corporate norm entrepreneurship shouldn’t be focused only on states and industry as target groups. Rather, scholarship should also consider the relations between industry and citizens. Fairbank analyses the different tactics of Microsoft engagement with citizens such as social media campaigns and calls citizens to consider cyber norms and cybersecurity while voting (Global Citizen and Microsoft 2018, Microsoft 2019. Respectively, convincing citizens about the importance of proposed norms,

serve both as goal but also as a path to pressure governments to engage in cyber norm development. In that way, the role of companies as norm entrepreneurs can be better understood (Fairbank 2019).

Literature gap and relevance of the study

The review of the academic literature on international norms has identified shortcomings of applying traditional approaches for studying norms and their relation to the governance of cybersecurity. This approach puts more emphasis on the studying the norms as such and addressing their practical implications for addressing the issues in cybersecurity. This pitfall is important, as the approach fails to address the dynamics behind the development of new norms and the role of different actors. Alternatively, Finnemore and Sikkink’s provide valuable approach to study the processes behind the development of a norm through the norm-life cycle. More concretely, the first stage concerning the role of norm entrepreneurship in the process for the emergence of norms. The subsequent build-up on the earlier work, Finnemore and Hollis, identify that actors such as states, private companies, citizens, and NGOs can have the function cyber norm entrepreneurs, but can also be persuaded by such about the relevance of a norm. This is particularly relevant as not only states, but as the literature has identified tech industry is becoming more active in the governance of cybersecurity as companies take the role of cyber norm entrepreneurs.

As the focus of this thesis is on corporate norm entrepreneurship, the work of Hurel and Lobato (2018), Gorwa and Peez (2019) and Fairbank (2019) is particularly relevant. The contribution of the authors provides insights about Microsoft’s norm entrepreneur strategies, to promote the importance of cyber norms states, tech industry and citizens. Although, the literature has discussed industry’s growing cyber-norm entrepreneurship efforts, with particular focus on Microsoft, there are still elements which remain missing or not studied at all. Deriving from Finnemore and Hollis model and relevant actors in norm-entrepreneurship, studies have not yet addressed the engagement of the tech industry with civil society regarding cyber norms. This is particularly relevant, considering the role of NGOs in the promotion and dissemination of norms in other issues such as international conflicts and human rights. Additionally, despite Gorwa and Peez touch upon other companies in their discussion, existing research has focused only on Microsoft which results in difficulties in drawing the entire picture and thus making concrete inferences about corporate cyber norm entrepreneurship. In that regard, this thesis

aims to address these gaps in the literature by examining larger number of companies and besides the already researched relationship with government, industry and citizens, NGOs will be included in the analysis.

Chapter II Methodology and Research Design

Research design

The aim of this thesis is to explore the corporate cyber norm entrepreneur effort of technology companies in the process of cyber norm emergence. To achieve this objective, this paper takes corporate norm emergence as dependent variable. The review of existing body of academic literature on norm emergence has distilled norm entrepreneurship as a fundamental component for this outcome. Considering the context of cybersecurity of this research, the independent variable is corporate cyber norm entrepreneurship. Norm-entrepreneurship is excellent component to study the process of norm emergence as it enables to focus only on the actors involved in the processes for norm development (Finnemore&Hollis 2016). Moreover, corporate cyber norm entrepreneurship is recent phenomena in studies on the governance of cyberspace and currently there isn’t sufficient number of studies on the role of private actors in norm emergence (Fairbank 2018).

To deconstruct the relationship between cyber norm emergence and corporate cyber norm entrepreneurship, the thesis uses explorative small N case study design that analyzes the motivations, mechanisms and tools utilized by companies to develop cyber norms in the years between 2016 and late 2020.The year of 2016 is taken as starting point of departure, based on Finnemore and Hollis’s seminal work on the development of cyber norms that enables to study the role of corporate cyber norm entrepreneurs. Microsoft’s 2017 pioneer proposal for Digital Geneva Convention lays the foundations for empirical studies on corporate cyber norm emergence and norm entrepreneurship.

The literature reviews distilled legitimacy, as a key factor for the success of corporate cyber norm entrepreneurship. More concretely, factors predisposing high level of legitimacy include market-share, public image, ability to sustain innovation over prolonged period of time and

diversity of products, meaning that the company is providing both software and hardware (Hurel&Lobato 2018, Hensitz 2014, Fairbank 2018). The four companies IBM, Google, Huawei, and Siemens are selected based on the most similar design principle, where all companies are leaders in the technology sector, but specialize in different domains. Currently, Alphabet, the mother company of Google and IBM share the fourth and sixth position as world largest technology companies and are leading producers of both software and hardware (Woods 2020). Additionally, Google and IBM are ranked as the two most admired companies, meaning that the two companies enjoy high corporate reputation (Forbes 2019). Similarly, Siemens AG and Huawei are also actively involved in the production of software and hardware services such as clouds, IoT technologies and electronic devices. Siemens is considered to be the 62nd most valuable company for 2020, whereas Huawei is placed on 49 position (Swant 2020). The company has nearly 15% market-share in the production of smartphones and the company is leading actor in the development and production of 5G infrastructure(Pham 2020, Reuters 2020). For 2020 all four companies are considered to be among the 25 most innovative in the tech sector with Google being second and Siemens 21st_{. Huawei occupies 6}th _{place whereas}

IBM is placed as the 8th _{most innovative company(Wood 2020) Other companies such as}

Microsoft and Kaspersky which are also known to have made contributions for the emergence of cyber norms are excluded from this study. Microsoft’s norm entrepreneurship efforts has enjoyed significant research attention as part of Hurel and Lobato, Gorwa and Peez, and Fairbank’s research and excluding the company would enable to draw a more nuanced and complete picture of corporate cyber norm emergence. Although Kaspersky has made contributions to OEWG, the company is specialized only in providing software protection services and is ranked and has relatively lower size compared to the four companies included in the study.

Methodology

The choice to focus on small number of cases and the objective to study in depth corporate norm entrepreneurship predisposes the use of qualitative research method (Toshkov 2016). To explain the role of corporate norm entrepreneurs in cyber norm emergence, this paper uses qualitative content analysis answer the research question. To do so, the paper uses four categories for analysis, based on the theoretical framework: multilateral processes, norm entrepreneurship and engagement with governments, industry process and civil society and hybrid initiatives. The first part in the analytical chapter, analyses the norm entrepreneurship effort of each company individually and in the discussion section of the chapter the individual

choices, motivations and tools of each company are considered within the three categories of analysis.

The first category “multilateral processes” refer to a limited number intergovernmental which aim to develop cyber norms that regulate behavior of states in cyberspace. Currently, only the UN GGE and UN OEWG represent examples for multilateral processes aiming to develop cyber norms. The UN GGE is composed only by 25 member states and the process does provide a mandate to non-state actors to participate and submit proposals for cyber norms. In this regard, this process is not considered in the analysis (UNGGE). On the other hand, UN OEWG allows the participation of all UN Member States and also gives mandate to non-state actors such as companies and NGOs to participate in the discussions and submit proposals for cyber norms (UN OEWG). For this category, the analysis considers direct or indirect contributions made by the four companies. Direct contributions refer to proposals made by a company during one of the UN OEWG sessions so far, whereas indirect contributions consider the involvement and participation of private companies through other platforms which are tightly connected to the OEWG process. More specifically, the analysis will look at examples such as company’s participation in events such as the 2019 UNIDIR Cybersecurity and Stability Conference and the Geneva Dialogue on Responsible Behavior in Cyberspace which provide or aim to provide consultations to OEWG. The second category “norm entrepreneurship and engagement with governments” refers to company’s effort to influence international norms where their aim is to change state behavior in cyberspace. For this part the study looks at corporate proposals that have clauses promoting certain types of norms to government actors. For this category, the paper uses documents such as Google’s New Legal Framework, IBM Precision Regulation for AI, Huawei Cybersecurity Policy and Paris Call. The third category of analysis examines the company’s norm entrepreneurship effort aimed to develop cybersecurity norms that aim to influence and change the behavior of industry members. In this category of analysis, the study considers corporate industry initiatives, alliances and charters that are targeted only at members of the technology industry. For this category, the paper uses documents such as Siemens Charter of Trust, Google Privacy Sandbox, IBM Cybersecurity Alliance. The fourth category civil society and hybrid initiatives, the analysis considers corporate norm entrepreneurship efforts aimed at citizens, non-governmental organizations, and technology users. The analysis looks at corporate documents and proposals that aim to raise awareness among users and professionals about cybersecurity risks, provide training to employees and support for non-governmental organizations to promote cyber norms. For each category the analysis will also

consider motivations of the company including maintaining trust in the cyber domain, shared responsibility, and software protection. Additionally, based on Finnemore and Hollis model, the analysis on multilateral processes will consider the tools used by corporate actors to promote the cyber norms. The available tools include persuasion, incentives, and socialization.

Data and Limitations

The thesis had used academic articles, policy documents, newspaper articles and NGO reports for the body of knowledge. There is ample amount of literature available on norm emergence and norm entrepreneurship which is utilized to build the theoretical framework and contextualize corporate cyber norm emergence. To analyze corporate norm entrepreneurship this study adopts qualitative content analysis approach. As the objective of content analysis is to “provide understanding about the phenomena under study” (Downe-Wamboldt 1992 p.314). Additionally, content analysis is suitable for this study because it allows to use only text documents in the analysis. The analysis uses data obtained by peer reviewed articles, documents and statements published by companies and newspaper articles. Additionally, the codes used to develop the organizational platforms categories are combination of the work on corporate norm entrepreneurship by Hurel&Lobato, Gorwa&Peez and Faribank.

Limitation concerning the validity of the study is the relatively short time framework used to observe cyber norm entrepreneurship, starting as of 2017 until late 2020. Over time more companies may engage in cyber norm entrepreneurship and may lead to different conclusion. This has consequences for both the data but also for the number of case studies. To address this obstacle, the study uses data from most of the companies actively engaged in norm entrepreneurship only in the period of 2017-2020. The lack of in person interviews with employees from the companies represents a limitation in the data used. Private interviews could have provided additional data and specific details concerning the norm entrepreneurship efforts of their employers. However, to address this obstacle, the study has attempted to use speeches and statements made by highly ranked officials of the companies available online