Much effort has been expended on developing international cybersecurity norms that provide guardrails for responsible state behavior — indicating what actors should and shouldn’t do in cyberspace.
With capability spreading beyond solely responsible nation-state actors, in order to maintain global and regional stability as well as national security, we must find ways to bind what actors — including, but not limited to states — can and cannot do.
Future international efforts must focus on countering the proliferation of this capability by increasing the cost of developing offensive capability, diminishing its utility once spread, and exploring ways to increase barriers to spreading it.
– Robert Morgus, Deputy Director, FIU-New America Cybersecurity Policy Partnership