Cyber confidence-building measures (cyber CBMs) adapt a Cold War-era diplomatic concept to the digital domain. The original CBM logic, codified in instruments like the 1975 Helsinki Final Act, sought to prevent armed conflict by making state behavior more predictable. Cyber CBMs apply the same reasoning to a domain where attribution is hard, intent is ambiguous, and a misread incident could spiral into kinetic conflict.
In practice, cyber CBMs fall into several overlapping categories:
- Transparency measures: publishing national cyber strategies, military cyber doctrine, or organizational structures of cyber agencies.
- Cooperative measures: establishing points of contact (PoCs) for crisis communication, joint exercises, and information sharing on threats and vulnerabilities.
- Stability measures: commitments not to attack critical infrastructure or CERTs in peacetime, and pledges to assist states whose infrastructure is used in malicious activity.
- Capacity-building measures: helping less-resourced states develop incident response and legal frameworks.
The two main multilateral tracks at the UN have advanced this agenda: the Group of Governmental Experts (GGE), which produced consensus reports in 2010, 2013, 2015, and 2021, and the more inclusive Open-Ended Working Group (OEWG), established in 2018 and renewed for 2021–2025. Both have endorsed voluntary, non-binding norms and CBMs as the near-term path forward, given the lack of consensus on a binding cyber treaty.
Regionally, the OSCE has been the most active body, adopting an initial set of 11 cyber CBMs in 2013 (Decision 1106) and expanding to 16 in 2016 (Decision 1202). The ASEAN Regional Forum and the Organization of American States have pursued similar tracks.
Limitations are significant. CBMs depend on good-faith implementation, and major cyber powers — including the United States, Russia, and China — have continued offensive operations even while endorsing CBM language. Designating PoCs does not guarantee they will be staffed or used during a crisis, as observers noted during incidents involving Russia and Ukraine.
Example
In 2013, the OSCE adopted Decision 1106, agreeing on an initial set of 11 voluntary cyber confidence-building measures among its 57 participating states, including the designation of national points of contact.
Frequently asked questions
No. They are voluntary political commitments, not treaty obligations, though states are expected to implement them in good faith.
Keep learning