
Cyber War Has Rules — Here's Who Is Writing Them and Why It Matters

Explore the key international frameworks shaping cyber warfare rules — from UN GGE norms to GDPR. Learn how global diplomacy is defining the boundaries of digital conflict.


The internet was never built for war. It was designed for sharing research, not launching missiles. Yet here we are, decades later, watching nations spy on each other’s power grids, disrupt elections, and hold hospitals hostage — all through a keyboard. The question that keeps defense ministers and diplomats awake at night is simple: what are the rules?

Here is the uncomfortable truth — there aren’t many. And the ones that exist are largely voluntary. But that doesn’t mean they’re useless. The frameworks shaping how nations behave online are quietly doing some of the most important diplomatic work of our time, even if most people have never heard of them.

Think of it this way. Before the Geneva Conventions, armies could do almost anything to prisoners of war. After those conventions, behavior changed — not perfectly, not always, but measurably. Cyberspace is going through something similar right now, just messier and much faster.


“Cyber war is not a distant possibility — it’s happening every day, and the rules of engagement are still being written.”


Start with the United Nations Group of Governmental Experts, usually called the UN GGE. The first group convened in 2004, which surprises most people, who assume international cyber diplomacy is a recent idea. It isn’t. What successive GGEs produced, after years of difficult negotiations, is a set of voluntary, non-binding norms of responsible state behaviour, set out most fully in the 2015 report. One of the most significant: states should not conduct or knowingly support cyber activity that intentionally damages critical infrastructure such as hospitals, power grids, and water systems.

Now, you might be thinking — voluntary? What’s the point of a rule nobody has to follow?

That’s actually the right question. Here’s what most people miss: voluntary norms work because they create political cost. When Ukraine’s power grid was taken down in December 2015 in an attack attributed to Russian state actors, or when the NotPetya malware spread globally in 2017, these actions were measured against something. Governments, journalists, and security researchers could point to a standard and say that it had been violated. That matters for reputation, alliances, and sanctions conversations. Without the norm, there is no baseline to violate.

The UN GGE also confirmed, in its 2013 report, that existing international law, including the UN Charter, applies in cyberspace. This sounds obvious, but it was genuinely contested. Some countries argued cyberspace was a new domain outside traditional legal frameworks. Getting major powers to agree otherwise was a diplomatic achievement most headlines ignored.

The Paris Call for Trust and Security in Cyberspace, launched by France in November 2018, took a different approach. Instead of just governments talking to governments, it brought in private companies, civil society groups, and tech firms. Microsoft signed it. So did hundreds of other organizations. The idea was to build a broad coalition around shared principles: protecting the public core of the internet, preventing interference in elections, stopping the proliferation of malicious tools, and ruling out private-sector “hack back”.

What makes the Paris Call unusual is who didn’t sign. The United States, Russia, and China, the three biggest players in state-sponsored cyber operations, were all absent from the original agreement. The United States eventually joined in November 2021; Russia and China still have not. You could read the original absences as a failure. Or you could read them as the rest of the world deciding to move without the major powers, which creates its own kind of pressure.


“In international relations, norms without enforcement still shape behavior — because states care about how they are perceived.”


Ask yourself this: why would a country follow a rule that has no punishment attached? The answer is that states are not purely rational actors chasing only short-term gains. They want trading partners, diplomatic relationships, and to be seen as responsible members of the international community. That reputational logic is exactly what frameworks like the Paris Call are built on.

NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), based in Tallinn, Estonia, operates differently. It is less a norm-setting body than a NATO-accredited hub for research, training, and exercises. After Estonia suffered weeks of disruptive denial-of-service attacks in 2007, widely attributed to Russian actors, the country became one of the world’s most serious voices on cyber defence. The Tallinn Manual, now in its second edition (Tallinn Manual 2.0, published in 2017), was written by an independent international group of legal experts at the Centre’s invitation and is the most detailed analysis of how international law applies to cyber operations. It is neither binding law nor official NATO doctrine, but military lawyers and policymakers around the world use it as a reference.

The Centre also runs Locked Shields, the world’s largest live-fire cyber defence exercise. Teams from NATO member and partner countries practise defending the networks of a fictional country against attacks carried out live by a dedicated red team. Think of it as a cyber war game with actual stakes, because the lessons feed directly into national defence strategies.

What’s fascinating about Tallinn’s approach is the emphasis on collective defence. Article 5 of the North Atlantic Treaty, the clause under which an attack on one Ally is treated as an attack on all, has been formally extended to cyberspace: at the 2014 Wales Summit the Allies affirmed that a cyberattack could trigger Article 5, with the decision to be taken case by case, and in 2016 NATO recognised cyberspace as an operational domain. That is not a symbolic gesture. It means a serious cyberattack on a NATO member could in principle trigger a collective response, including a military one. The threshold for that response remains deliberately vague, but the possibility changes how adversaries calculate risk.

The Budapest Convention on Cybercrime, a Council of Europe treaty opened for signature in November 2001, is the oldest of these frameworks and the most legally concrete. It creates shared definitions of cybercrime (illegal access, data and system interference, computer-related fraud and forgery, misuse of hacking tools) and requires its parties to criminalise these acts in domestic law. More practically, it creates mechanisms for countries to cooperate on investigations, preserve and share evidence across borders, and reach each other through a 24/7 network of contact points.

Here’s something that rarely gets discussed: the Budapest Convention has been joined by countries far outside Europe, including the United States, Japan, Australia, and several African nations. Russia and China have declined to join, as has India, arguing among other things that the convention allows foreign governments too much access to their citizens’ data; Brazil held out for two decades on similar grounds before finally acceding in 2022. That tension, sovereignty versus cooperation, runs through every cybersecurity framework on this list.

When a ransomware gang based in one country attacks a hospital in another country, and the investigators need logs from servers in a third country, the Budapest Convention is often the most practical legal basis for cooperation. Without it, evidence disappears into jurisdictional gaps, or expires on a server before a slower mutual legal assistance request can reach it.


“Privacy is not an option, and it shouldn’t be the price we accept for just getting on the Internet.” — Alyssa Milano


The European Union’s General Data Protection Regulation, known as GDPR, was adopted in 2016, became enforceable in May 2018, and immediately became arguably the most globally influential data protection law ever written. That wasn’t the plan. The EU wrote it for European citizens. But because any company processing Europeans’ data has to comply wherever it is based, it effectively set a global standard.

A tech company in Brazil, a retailer in South Korea, a social media platform in the United States: all of them adjusted their data handling practices because of a European law. That’s a remarkable example of regulatory influence without direct authority. The legal scholar Anu Bradford named this the Brussels Effect: when a major market sets a standard, the world often follows because building separate systems for different rules costs too much.

GDPR doesn’t just protect privacy. It changes the incentive structure for how companies store and handle data. When a breach can result in fines of up to four percent of global annual turnover or €20 million, whichever is higher, companies invest more in security. That has a spillover effect on national security: better-protected corporate systems mean fewer entry points for state-sponsored hackers.

So where does all of this leave us?

Five frameworks, each imperfect, each partial, each missing key signatories. The UN GGE norms are voluntary. The Paris Call lacks its most powerful members. NATO’s deterrence posture remains deliberately ambiguous. The Budapest Convention has significant holdouts. GDPR enforcement is uneven.

And yet — cyberspace is not in complete chaos. States do restrain themselves sometimes, and not just because they fear retaliation. They do it because they’ve signed things, or because their allies signed things, or because they want to maintain the appearance of operating within accepted norms.


“A rules-based international order is not maintained by wishes — it is maintained by states choosing, repeatedly and visibly, to follow the rules.”


The real danger isn’t that these frameworks are weak. It’s that cyberattacks are outpacing diplomacy. Ransomware attacks on critical infrastructure, interference in democratic elections, the theft of vaccine research during a global pandemic — these events are pushing governments toward harder positions and less cooperation.

When countries start responding to cyberattacks with sanctions, public attribution, and offensive operations of their own, the conversation changes. Deterrence through punishment is replacing deterrence through norms. That shift makes miscalculation more likely.

The frameworks described here represent something worth protecting — the idea that even in conflict, there are lines. The work of expanding, enforcing, and updating those lines is not glamorous. It happens in conference rooms in Geneva and Tallinn and Brussels, mostly away from public attention. But it may be the most consequential diplomatic work of the next decade. Because the alternative — a cyberspace with no agreed rules at all — is something nobody, not even the most powerful states, actually wants to live in.
