Strategic narratives and the multilateral governance of cyberspace: The cases of European Union, Russia, and India

ABSTRACT

The last few years have seen the emergence of a cybersecurity regime complex divided into specialized forums discussing different sub-issues. But how do the main actors in cyberspace make sense of its fragmented governance, and how does that translate to their broader strategic narratives? Furthermore, to what extent are these in line with the predominant macro-narratives in the cyber-domain? To answer these questions, this article explores the strategic narratives of the European Union, Russia, and India in two of these specialized forums: one related to responsible state behavior in cyberspace, the other to cyber-crime. Through the study of narrative fragments — a new approach to the study of strategic narratives in multilateral settings — it concludes that these actors largely include these two issues within their broader strategic narratives. This highlights the importance of cross-issue analysis in the study of multilateral arrangements, particularly in the context of emerging regime complexes.

KEYWORDS:

• Cyber-diplomacy
• strategic narratives
• multilateral governance
• cyber-crime
• cybersecurity
• regime-complex

The governance of cyberspace is still rather incipient (Raymond, 2016; Stadnik, 2017) and spread across a multiplicity of sub-issue areas. For many, it is a regime complex¹, that is, “loosely coupled sets of specific regimes” (Keohane & Victor, 2011, p. 7), in which inter-related issues, such as crime and international cybersecurity², are seen as part of separate regimes (Nye, 2014; Pawlak, 2019). Its relative novelty means it is still very much open to being shaped, making the “discursive battlefields” (Pawlak, 2019, p. 170) that happen within each regime, and across them, particularly pertinent. This article explores how cyberspace’s main actors make sense of its multilateral compartmentalization. This will be done through the analysis of their strategic narratives.

The study of multilateralism tends to focus on dynamics of cooperation and contestation (Morse & Keohane, 2014). We propose a different starting point, that of narratives. Narrative is a “loose term,” which is “used to describe a wide range of phenomena broadly related to storytelling and communications” (Liveley, 2022, p. 4). According to Miskimmon et al. (2017a, p. 7), a narrative contains five main components: characters or actors (agents); a setting, environment or space (scene); some sort of conflict or action (act); the identification of some form of behavior (agency); and, finally, a purpose that may lead to the resolution of the story. Narratives are also about time, about creating a logic sequence between the past, the present, and the future (Miskimmon et al., 2017a); they can offer a collective “sense of space and a sense of place” (Subotic, 2016, p. 611), one that needs to interact with other collective stories.

We start from the perspective that multilateral institutions are first and foremost a form of narrative-interaction, in which states project their interests through storytelling. Contrary to most materialist positions in International Relations, there is a significant consensus across the discipline that words matter in world politics, particularly since the “narrative turn” in the discipline (Miskimmon et al., 2017a, p. 5). Within this context, storytelling and rhetoric are seen as important tools in statecraft. They are often the basis for the articulation of narratives where worldviews are declared, and interests defined. Miskimmon et al. (2017a) argue that narratives can have concrete policy impacts, particularly strategic narratives, “means by which political actors attempt to construct a shared meaning of the past, present, and future of international politics to shape the behavior of domestic and international actors” (p. 6). According to these authors, strategic narratives can be of three different types: system, identity, and policy. System narratives tell stories of how the international system works, including who its main actors are, and which of those “pose a challenge to the system” (Roselle, 2017, p. 57), whereas identity narratives “shape perceptions of what is appropriate for a state to do in any given context” (Miskimmon & O’Loughlin, 2017, p. 112). Finally, policy narratives “outline how an actor views the appropriate response to address a political challenge or crisis and articulates a position based on material interest, and/or, what is/might be a normatively desirable outcome” (Miskimmon & O’Loughlin, 2017, p. 112).

Obviously, this does not apply equally to all states. Either for a lack of interest, capacity or incompetence, states are not always able to articulate clear and consistent strategic narratives in all the areas in which they are asked to participate. But the main actors of each regime certainly are (or are expected to do so³).

However, they constrain and are constrained by macro-narratives—simplified worldviews which shape the dynamics of each regime or regime complex. In the cyber-regime complex, these tend to be articulated along three groups, each associated to a different macro-narrative⁴: the liberals, the sovereigntists and the non-aligned.⁵ The first group includes the gatekeepers of cyberspace, those that set the rules and protocols that dictate how the internet works and that gave it its foundational ethos. The United States, the United Kingdom, the European Union (EU) and “like-minded” countries such as Japan and Australia are part of this group. The second group, led by China and Russia, have since the late 1990s been articulating a sovereigntist narrative that promotes a more state-centric approach to cyberspace, and its regulation along more territorialized lines.⁶ Finally, the non-aligned group includes a broad range of states which tend to have a position that oscillates between the other two depending on the issue—what Maurer and Morgus (2014) labeled as “swing states,” or what Kim (2022) considers to be the “open multilateral” group. Conceiving the multilateral governance of cyberspace along these lines is helpful for analytically positioning the words and actions of these actors in the cyber-domain.⁷ But how do the main actors in cyberspace make sense of its fragmented governance, and how does that translate to their broader strategic narratives? Also, to what extent do they offer an accurate correspondence to what states say in these international forums, and how much do they shape their positions and actions?

This article will answer these questions by comparatively analyzing the participation of three actors — the EU, Russia, and India — in three institutions that are part of what Sukumar et al. (2024) labeled as the informality of the international cybersecurity regime complex: the Open-Ended Working Group (OEWG) on Information and Communications Technology (ICT) in International Security, and the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of ICT for Criminal Purposes⁸ each of which represents one of the three above-mentioned groups.⁹

The OEWG was created in 2018 to amplify discussions around state responsibility in cyberspace that were taking place within the UN since the late 1990s, but until then limited to a very narrow group of states, mostly within the context of the United Nations Group of Governmental Experts (GGE) on Advancing Responsible State Behavior in Cyberspace in the Context of International Security.¹⁰ In December 2019, a few months after the start of the OEWG, and of a new GGE, both under the aegis of the UN General Assembly (UNGA) First Committee (responsible for Disarmament and International Security), resolution 74/247 led to the creation of the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (AHC), this time within the UNGA Third Committee (responsible for Social, Humanitarian and Cultural issues). Three separate cybersecurity-related processes under two different UN Committees with different remits were now set to run in parallel. Whereas the simultaneous running of the OEWG and the GGE can be understood within the context of diplomatic tensions and UN institutional politics (see Raymond, 2021)—whose co-habitation ended up leading to complimentary discussions and final reports—the creation of the AHC under a different UNGA Committee was based on the assumption (often repeated by member states during the first OEWG) that discussions around responsible state behavior were separate from those focused on cyber-crime matters.¹¹

This will allow us to understand whether these actors articulate distinct stories depending on the forum—OEWG and AHC—or whether they offer a constant set of narratives regardless of it. If the former, then we would be able to conclude that the existence of processes in two parallel UN committees is more than just the result of bureaucratic politics; if the latter, then the conclusion would be that the institutional separation of the two processes should not detract us from the continuities of purpose of the main actors in the cyber-domain.

In terms of structure, this article will now briefly discuss the importance of narratives in multilateral settings, followed by a note on methodology that will then open the door for the exploration of the three cases mentioned above. It will then proceed with an analysis of the main narrative features identified for each actor, the continuities and discontinuities across forums, and the potential points of contact between them.

Narratives matter

Strategic narratives are an integral part of world politics and, when employed as an analytical tool, can offer a valuable insight into multilateral processes by unveiling the underlying ideologies woven into the stories of world actors, as well as the broader cultural contexts and experiences that give rise to these narratives (Stokes, 2012). In comparison to other qualitative methods—like content analysis which has a more reductive nature, or discourse analysis which is primarily interested in how ideas, meanings and practices are expressed in textual form (Bischoping & Gazso, 2015)—narrative analysis goes beyond linguistic considerations to also account for the cultural, historical and ideological influences that shape narratives. In this context, narrative analysis allows us to gain a holistic understanding of the complexities of multilateral cybersecurity and cybercrime discussions, and how storytelling is played within it.

It is through stories that “we make sense of the world” (Ashworth, 2015, p. 321) they are fundamental to create any form of international order (Miskimmon & O’Loughlin, 2017, p. 113). The term “strategic narrative” was introduced in the IR lexicon by Freedman, who in 2006 talked about the strategic deployment of “compelling storylines” (as cited in Schmitt, 2018, p. 489) to challenge the enemy (Miskimmon & O’Loughlin, 2017). A few years later, in his work Strategy: A History, Freedman (2013) would argue that the value of narratives was “not only their inherent quality but [also in] the resources behind them, reflected in the capacity for an organization to propagate its own myths and censor or counter contrary claims” (p. 618). In short, that there is a material component inherent to narratives and their dissemination.

Freedman’s view is on the more instrumental side of the spectrum when it comes to the understanding of narratives. As a concept, strategic narrative sits comfortably with multiple theoretical backgrounds, from rationalists like Freedman to “discourse inspired” approaches such as those of Michel Foucault or Judith Butler (Miskimmon et al., 2015, p. 342). Our approach is somewhere between what Miskimmon et al. (2017b, p. 42) define as “thin” and “very thick” analyses, as we acknowledge states’ agency in the process of forming and projecting their narratives, but also that those narratives can then develop a “life of their own” and be framed or reframed in processes that can move away from the authors’ initial intention. We side with Freedman (2013) when he argues that narratives are “not precise strategic instruments because they can convey a range of messages, not all of which may be understood” (p. 618). Ultimately, despite the direct intention of influencing an audience (Schmitt, 2018, p. 488), strategic narratives’ effectiveness can be hard if not almost impossible to fully grasp.

Effectiveness can also be impacted by the internal coherence of each narrative. As Subotic (2016) argues, “even the most dominant narratives contain inherent contradictions that different political actors exploit” (p. 611). It is perfectly possible for identity or policy narratives to “undermine new system narratives” (Roselle, 2017, pp. 57–58). When that is the case, the overall strategic narrative of that actor is weakened, and its international actorness compromised.

Whereas Roselle et al.’s (2014) tripartite conception of strategic narratives makes sense conceptually, the analysis of its deployment in multilateral settings addressing specific global governance issues is certainly blurrier and less structured than what the model anticipates. They argue that each of these types of narratives corresponds to a different level, going from the more generic (system narratives) to the more specific (policy narratives), but they can be deployed independently of each other. Although “strategic narratives employed at one level may affect narratives at other levels, and thus constrain future policy choices and behavior” (2014, p. 77) that is not a given, which leaves open the possibility for these different narrative levels to operate autonomously from each other.

When looking from a multilateral governance perspective—and the context in which states deploy their narratives within specific institutional forums—these levels are not necessarily autonomous but can be incorporated in the lowest of the three (policy). An actor’s view of the world (system narrative) and of itself (identity narrative) is included in any articulation of a specific policy narrative, but such inclusion is fragmented. Communication in multilateral settings, such as specialized UN forums, is organized around the agenda of each meeting, which can cover different topics in different sessions. Within the context of the OEWG, for example, one session could be about the role of international law in cyberspace, and the next about cyber capacity building. Actors need to articulate key ideas central to their system and identity narratives within their policy narratives. In that regard, studying the deployment of strategic narratives in practice is about rescuing those fragments in a reconstitution exercise of strategic narratives in a multilateral environment.

Strategic narratives can diverge but also converge, or what Miskimmon et al. call “narrative alignment” (Miskimmon et al., 2015; Miskimmon & O’Loughlin, 2017). Narrative alignment happens when sides with different interests are able “to form a common identity and resolve conflict” (Miskimmon et al., 2015, p. 341). As mentioned earlier, part of the aim of this article is to see whether such an alignment exists between the actors under analysis.

To study these narratives, we propose a bottom-up approach, in which the statements and verbal contributions presented to these two forums—OEWG and AHC—will serve as the starting point for our analysis. From here, we will then see how they can be articulated as policy narratives and see what from those fragments can be linked to structure and identity. These fragments not only help us identify the key parts of these actors’ narratives that trickle down to the cyber-domain, but also how they work across the two sub-domains (international cybersecurity and cyber-crime). As an additional analytical layer, it will also be possible to link these fragments across different actors.

This exercise involves some previous knowledge of the actors’ broader strategic narratives. In that sense, for each of the actors under analysis, we have analyzed at least one strategic document and from there attempted to extract, whenever possible, narratives around system, identity and policy, or at least key themes that could work as enablers of such narratives. All data was publicly available and sourced from the UN website, or national ministries in the case of the strategic documents.

It should be pointed out that our analysis takes place at the level of projection only; it considers neither the formation nor the reception of those narratives (Roselle et al., 2014, p. 78). In that regard, it is also not about the effectiveness of narratives (Schmitt, 2018); it is about their consistency across regimes within the same complex and overlapping points between actors situated along distinct macro-narratives. The fact that one process is now concluded (the first OEWG) whereas the other is still ongoing (AHC) should not constitute a major methodological hurdle. On the contrary, the chronological disparity will help us reinforce the point on continuity (or not) between narratives, whereas the ongoing status of the AHC means we will limit our analysis to the statements issued up to the third session (September 2022). The high level of activism from all those involved in the process will give us a sufficiently broad sample from which we can infer the narratives put forward by each of these actors.

Our analysis was conducted in Nvivo 1.6.1. Using Miskimmon et al.’s (2017a) model as an initial coding framework, a deductive approach was first applied to identify where each state applied fragments of their 1) identity or 2) system narratives, and 3) the main policy issues in which they were incorporated. Three further phases were carried out.

The first phase included identifying key themes and topics that emerged from the data. Under identity, these key themes were notions of self-perception, social values (particularly in terms of human rights and privacy rights) and political ideology. The main themes under system were sovereignty, governance model, and approach to international law and norms. Development, cooperation, and crime and security were the core themes under policy. The second phase involved identifying what strategic narratives (or fragments of narratives) were constructed by each actor around each theme. Finally, narrative (dis)continuities were identified by finding patterns and relationships within the categorized data between the two forums and each state. What now follows is a presentation of the results of our analysis.

Talking cyber(-narratives)

This section will look at the statements from the EU, Russia, and India in the OEWG and AHC. Each actor was analyzed according to the fragments of identity and structure narratives present in their most relevant policy narratives projected in these two forums.

European union

Although the EU has historically defined itself as a “paragon of international virtues” (Drent et al., 2018, p. 54), many authors have questioned such an interpretation, highlighting instead the multiplicity of divisions and incoherences inside the EU (see Garcia, 2017; Gilbert, 2008; Manners & Murray, 2015). In cyberspace the EU argues it has developed “a coherent and holistic international cyber policy” (EU, 2020l), which is in line with this article’s findings. In the OEWG and AHC, this is articulated through two main narratives: the EU as a force for good (identity) and as a defender of a rules-based liberal order (system) that is open to active participation of non-state actors through multistakeholderism (see Raymond & DeNardis, 2015).

In the 2016 Global Strategy, the EU claims to be “leading by example” in numerous areas (from sustainable development and climate change to global governance), identifying itself as “an agenda-shaper, a connector, coordinator and facilitator” (2016, p. 43). After its positioning at the center of several developments for international ICT governance and security, the EU also began curating a narrative around responsible and liberal leadership in cyberspace. This is evident from the 2014 proposal on Internet policy and governance (European Commission, 2014) as well as the 2020 Cybersecurity Strategy for the Digital Decade which “sets out how the EU will […] advance international cooperation and lead in securing a global and open Internet” (EU, 2020l, p. 4), and contains a dedicated section on how the EU will continue to lead global developments on standards, norms and frameworks in cyberspace (EU, 2020l, p. 20).

Our analysis finds a continuation of the leadership narrative in both the OEWG and AHC, most notably through articulating the EU as an international cyber capacity building (CCB) leader. In the OEWG, the EU emphasized the broad geographical scope of its CCB programs, implemented across the world (EU, n.d., p. 2). Committing over €100 million a year to finance CCB programs in developing countries and being the only actor to submit an additional non-paper on advancing CCB, the EU insinuates it is a, if not the, global leader in this area (n.d., p. 2; 2020j). A similar story is laid out in the AHC: “the EU and its Member States already have a track record in funding and providing capacity building measures, in partnership with the Council of Europe and UNODC, to a large number of countries across the globe, and will continue to do so” (EU, 2022b, p. 3). As the EU expresses its future (as well as historical) commitment to CCB across both forums (EU, n.d., p. 2, 2022h), it can be ascertained that the EU intends to continue projecting its global normative power (Manners, 2002) in cyberspace through CCB initiatives.

The EU’s overarching “force for good” narrative was also embedded within references to the EU’s value-driven nature. In the OEWG, the EU alluded to gender equality, diversity, sustainability, and climate change (OEWG, 2022b, p. 1, 8, n.d., p. 1). However, the most strategic use of the EU’s narrative around values was observed in the AHC. Here, significant emphasis was put on safeguarding human rights, one of its five fundamental values. Among the 13 written statements provided by the EU to the AHC, human rights were explicitly referred to 159 times. The issue has become particularly prominent when discussing the scope of cyber-crime, with actors such as Russia and China advocating the extension of the concept to cyber-enabled crimes (Hakmeh, 2022), whereas the EU encouraged the committee to “avoid including broadly or vaguely defined criminal acts, since such vague definitions would risk leading to legal uncertainty [and] to unduly and disproportionately interfering with human rights and fundamental freedoms” such as online privacy, freedom of speech and the right to a fair trial (EU, 2022d, p. 3).

As well as projecting a consistent “force for good” identity narrative, the EU has adopted a system narrative centered around the benefits of a rules-based liberal order, which it considers instrumental in maintaining international peace and prosperity (EU, 2016). The EU also considers rules-based multilateralism a tool for combatting global challenges, cybersecurity being chief amongst them, as exemplified in the 2016 Global Strategy within which the EU commits to “support[ing] multilateral digital governance and a global cooperation framework on cybersecurity, respecting the free flow of information” (EU, 2016, p. 42).

An analysis of the EU’s contributions to the OEWG shows that its rules-based order narrative directly translates into diplomatic discussions surrounding responsible state behavior in cyberspace. All three of its written statements to the OEWG reaffirm that “a universal cyber security framework can only be grounded in existing international law, including the Charter of the United Nations in its entirety, international humanitarian law, and international human rights law,” containing the normative principles of humanity, necessity, proportionality and distinction (EU, 2020a, pp. 3–4, 2021a, pp. 1–2, n.d., p. 1-2, 2020e, 2020l). The EU also supported the development and implementation of pre-existing non-binding norms—particularly those established in the 2015 GGE (EU, 2020a, p. 6, 2021a, p. 1)—and called for support from regional organizations that share normative values, such as the OSCE and OAS (EU, 2019b, 2020i).

Although one could argue that the EU’s engagement in a forum (AHC) with the aim of drafting an internationally binding agreement in the cyber-domain was a de facto difference from its position in the OEWG (also in line with the other “like-minded” states), there was a continuation of its rules-based order narrative. For example, the EU strongly supported using pre-existing legal principles from the Budapest Convention (EU, 2022a, p. 4, 2022d, pp. 3–4), the UN Convention against Transnational Organized Crime, and the UN Convention against Corruption (EU, 2020k, p. 1, 2022a, p. 4) as models, rejecting proposals of other countries wanting to create an entirely new convention from scratch that could skirt around pre-existing laws and/or create legal loopholes.

A narrative around the benefits of “a democratic and efficient multi-stakeholder internet governance model” also remained consistent throughout the OEWG and AHC, with emphasis put on how insight from industry, academia and civil society would ensure “democracy,” “inclusiveness” and “transparency” throughout negotiations (EU, 2020k, p. 1). The tactical use of language reinforces and substantiates the EU’s value-driven identity; an example of how strategic narratives can converge. However, the multistakeholder narrative can perhaps most importantly be viewed as a means by which the EU sought to challenge the adversarial policy goals of other states and maintain the multistakeholder status quo (see Pawlak, 2019).

The assumption that “sovereign government-led, multilateral cyber governance will challenge the existing pattern of multi-stakeholder governance” (Rosenbach & Chong, 2019, para. 4) is a concern for the EU, as well as for other “like-minded” states, civil society groups and institutions which consider participation from non-state actors fundamental to maintaining a global, open, free, stable, and secure cyberspace that guarantees human rights protection (Azelmat & Ferrari, 2021; Human Rights Watch, 2022). Debates about the future role of multistakeholder engagement comprised a core dimension of negotiations in both forums, and to swing deliberations in favor of inclusive governance, the EU shed light on several areas where participation from non-state actors could, and should, be better incorporated (EU, 2020a, p. 2, 2020h).

Overall, the EU has adopted a fairly coherent approach across the two forums, highlighting its liberal credentials, and offering to lead in the promotion of an open, free and democratic cyberspace. As is often the case in strategic narratives, the narrator is also the main character, if not the hero (responsible, global, lawful). From the setting out of its positions—be it regarding its opposition to an international treaty regulating responsible state behavior in cyberspace or a broad definition of cyber-crime—we understand both the issue (act), and the implicit actors. From a strategic narratives’ perspective, it also becomes clear that the EU is fundamentally a status quo actor in this domain, as the resolution of each story mostly revolves around keeping things as they are (implementation of cyber-norms, rejection of a broad definition of cyber-crime), or reinforcing what it already does (capacity building, cooperation).

Russia

In part due to the ideological and identity crisis experienced in Russia after the collapse of the Soviet Union (see Prizel, 2013), narratives have assumed a crucial role in Russian politics, diplomacy, and foreign policy. The main objective of Russian narrative projection is to “convince its citizens and the whole world of Russia’s indomitable greatness and power, as well as to demonstrate the degradation of Europe and the West in general” (Karpchuk, 2021, p. 27). In the cyber-domain, this objective is achieved through the projection of narratives around sovereignty (system); multilateralism (system); Russophobia and anti-westernism (identity), propelled by a policy narrative focused on Russia as a norm-entrepreneur.

Since the dawn of international concern over ICTs, their use and security, Russia has been a central player in multilateral cyberspace negotiations, acting as the driving force behind various alliances, treaties and initiatives and making great effort to embed cybersecurity into the core of the UN First Committee’s agenda (Remler, 2020). Norm-entrepreneurs not only “call attention to an issue,” but they frame it, that is, “use language that names, interprets and dramatizes the problem” (Finnemore & Hollis, 2016, p. 447). Additionally, they “create organizational platforms from which to do the difficult work of promoting and embedding norms” (Finnemore & Hollis, 2016, p. 448, italic in the original). In Russia’s articulation of itself as a norm-entrepreneur, the 2016 Information Security Doctrine (ISD) outlined Russia’s orchestration of establishing new international frameworks and legal mechanisms, and fundamental role in shaping and coordinating the agenda of international organizations (Russian Federation, 2016).

This narrative remains central to Russia’s participation in the OEWG (also see Hansel, 2023). Russia reminds its audience that it was amongst the first to put ICT security on the international agenda and “attract the attention of the global community to the very sphere of international or cyber security” (Russian Federation, 2021d, p. 1). Using its self-defined status as the historical initiator of the GGE and OEWG as leverage, Russia attempts to garner recognition and appreciation for its leadership in cyber diplomacy,¹² arguing that without its endeavors “the international community would be left with total uncertainty regarding the continuation of an inclusive and democratic negotiation process on ICT-security” (Russian Federation, 2021c, p. 5). In a subsequent written statement, Russia insinuates that its status as the “initiator of the OEWG” entitles it to greater decision-making authority (Russian Federation, 2021g, p. 1). Furthermore, despite recognizing that “to attribute this format solely to Russia would be fundamentally wrong,” Moscow continues to assert itself as the “penholder of the respective resolution” throughout (Russian Federation, 2021d, p. 1).

The norm-entrepreneur narrative was also championed in Russia’s contributions to the First Session of the AHC. It was emphasized that “Russia was the first to raise the question about the development, under the UN auspices, of a comprehensive convention to counter [ICT] crimes” (Russian Federation, 2022i, pp. 1–2) and, in a similar vein to the OEWG, Russia utilized its self-proclaimed status as “the initiator of the whole process” (Russian Federation, 2022o, p. 2) to advance its own policy objectives (Russian Federation, 2022h, p. 14).

Narratives that can generate emotional arousal amongst its recipients are often the most successful (Paul & Matthews, 2016), and Russia has often expressed emotive narratives of victimhood or “Russophobia”—the idea that that there is unjustified and systemic Western prejudice against Russian power and culture¹³ (Oates et al., 2018). In the ISD, the West was condoned for “blatant discrimination,” promoting “extremist ideology” [and] “spread[ing] xenophobia and ideas of national exceptionalism for the purposes of undermining the sovereignty, political and social stability” of the Russian Federation and to “erode Russian traditional spiritual and moral values” (Russian Federation, 2016, para 12-23). This narrative is also articulated in the Russian National Security Strategy (NSS), with commentators reporting that methodical Western attacks on Russian values, culture and historical legacy now comprise “an epoch rather than an episode” (Trenin, 2021, para 2).

The defiant Russophobia narrative continued into the OEWG where it was strategically employed to support Moscow’s longstanding argument that the West does not treat Russia fairly or with political neutrality, but marginalizes it from negotiation processes (Russian Federation, 2021d, p. 1). Russia claimed that it had unfairly received negative attitudes purely because the OEWG was “a Russian initiative”, that “there are some countries strongly opposing anything that contains the word Russia” and who “are trying to create an impression that Russia, whatever it does, will not let others do the right thing” (Russian Federation, 2021d, pp. 2–3).¹⁴ Here Russia brings together, for greater dramatic effect, the two identity narratives—Russia as the norm-entrepreneur and Russia as the victim.

What is particularly noteworthy is that the Russophobia narrative did not emerge in Russia’s contributions to the Organizational, First or Second Sessions of the AHC, which were overshadowed by the Russian invasion of Ukraine. However, by the Third Session Russia argued that “the political situation should remain outside the doors of this hall” and left to the devices of other UN forums (Russian Federation, 2022a, p. 1). Fragments of the victimhood narrative began to re-emerge, such as when Russia complained of being “inappropriately” treated and excluded by the US: “[N]ot a single member of the official Russian delegation, with the exception of your obedient servant, has received an entry visa to the United States. This is another blatant violation by the United States of America of its obligations as the host of the UN headquarters” (Russian Federation, 2022a, p. 1).

As summarized by Ziegler (2016), anti-Western narratives have been an attribute of Russian political discourse since the 1990s. Although they have gone through phases of greater and lesser intensity, these narratives have been characterized by “a reaction to the West as Other, and by the Russian elite’s interpretation of the West’s efforts to contain, marginalize, and weaken Russia” (Ziegler, p. 564). The strategy behind Russian anti-Western narratives is to depict the West as attempting to “destabilize a given situation” (Gorenburg, 2019, para 15) whilst painting a favorable picture of itself as a good multilateralist and responsible, outcome-driven global leader.

Our analysis suggests the anti-Western narrative has trickled down into the cyber-domain, acting as a prime example of how narratives can be utilized to de-legitimize one’s opponents (Miskimmon et al., 2017a, p. 2). In the OEWG, Russia’s response to the Zero Draft criticized the West for being politically and ideologically discriminatory: “The way we see it, the zero draft Report is biased, does not include views and opinions of many countries. It does not reflect fundamental elements of Russia’s approach in this sphere” (Russian Federation, 2021c, p. 1). This bias was not just targeted against Russia, but also the wider group of states that align with Russia’s policy objectives including Belarus, Burundi, China, Nicaragua, and Tajikistan (Russian Federation, 2021c, p. 3). Nevertheless, Russia did express wanting to “concentrate on points of convergence rather than on objective differences in States’ positions,” showing there was still some willingness to compromise and cooperate, a point later reiterated by their head of delegation, Ambassador Andrei Krutskikh, in the final session of the first OEWG after the conclusions had been approved.

In the AHC, the anti-Western narrative targeted Western incompetence, and attempted to portray the West as having declining influence. A primary aspect of the narrative was to argue that the West was hindering the development and progress of the convention by blocking proposals and suggestions from non-Western countries. In relation to the West’s call for a limited convention scope only including cyber-dependent crime (and some, distinctly defined, cyber-enabled crime) Russia claimed: “resolution 75/282 […] was adopted by consensus, so Member States that are now advocating the reduction of the scope to only computer crimes [originally] agreed with such scope” (Russian Federation, 2022o, p. 2). Moreover, Russia criticized the Western approach to the AHC as a “puzzle” and argued that if requests for a narrow convention scope, along with a reluctance to hold the private sector accountable under international law and the use of technologically neutral terminology were accepted, the convention would be rendered an “impractical framework” and “go straight to the UN library just as an item” (Russian Federation, 2022o, p. 3). Russia was pushing for a more “responsive multilateralism,” a type of narrative it shares with other BRICS’ countries, as identified by Van Noort (2017).

Indeed, Russia has a multilateralist narrative which seeks a more statist and restrictionist international system (Allison, 2017; Raymond & Sherman, 2024). Russia claims to fervently uphold and respect the UN Charter, with emphasis placed on the fifth pillar (international law) of which Russia adopts a narrow interpretation, sometimes referred to as “traditional” or “hard” sovereignty (Allison, 2015). This narrative—repeatedly articulated in the ISD—was also strongly communicated in the discussions around the OEWG pre-draft conclusions, with Russia stressing that principles of sovereignty in cyberspace should be better incorporated into the report, whilst “redundant references to the problems of sustainable development, […] human rights and gender equality” should be excluded for not pertaining to international peace and security (Russian Federation, 2020a, p. 2). The Russian OEWG delegation also rejected the inclusion of “political attribution” and recommendations for greater cooperation through data repositories due to risks of being used as “leverage against States in order to expose their positions on sensitive issues related to their national security” (Russian Federation, 2020a, p. 3).

A similar narrative is present in the AHC, such as when it was declared that “the issue of protecting sovereignty must be closely interlinked with the issue of jurisdiction” and that “the convention should not confer on the competent authorities of one State Party the right to exercise in the territory of another State the jurisdiction and functions relating to the exclusive competence of that other State” (Russian Federation, 2022o, p. 2). Another narrative continuity is found in the prioritization of national interest over human rights, where Russia argues the AHC is “drawing up a specialized legal treaty, not a human rights convention.” Therefore, there should be a balance between human rights provisions and the view firmly expressed by dozens of delegations regarding national sovereignty, territorial integrity, and non-interference in internal affairs (Russian Federation, 2022o, p. 2). Speaking on behalf of others, Moscow reaffirms its norm-entrepreneur status through its sovereignty narrative.

Russia also projects a fragment of its system narrative around how cyberspace should be governed—privileging multilateralism over multistakeholderism. Moscow has previously taken a critical stance towards the multistakeholder model due to concerns that too much involvement from the private sector, civil society and academia would endanger its sovereignty and state-control over the internet. Russia’s public support of the International Telecommunication Union and the absence of any references to multistakeholder engagement in the ISD are cases in point (Strickling & Hill, 2017). This sentiment is continued into the OEWG where it argued, “The importance of [a] “multi-stakeholder approach’ with emphasis on the contribution of non-governmental sector, business and academia to ensuring responsible behavior in the information space is artificially exaggerated” (Russian Federation, 2020a, p. 2).

However, during the AHC, the narrative is of a slightly different nature, with Russia recognizing how external stakeholders can help “develop strategies and plans to combat crime in this area”, help create new principles and standards, and aid “cooperation between state parties on capacity building” (Russian Federation, AHC TS II, p. 2). In fact, Russia argues that the convention should emphasize “the positive impact of the state’s partnership with civil society, the private sector and the scientific community”, and the benefit states will gain from utilizing the experience and knowledge of stakeholders associated to the convention (pp. 1-6). Although not openly embracing multistakeholderism, Russia seems more willing to engage with non-state actors in the cyber-crime domain.

Russia’s position in both the OEWG and AHC has been, with a few nuances (such as regarding the role of non-state actors), marked by the combination of system and identity narratives that focus on the centrality of sovereignty (system), multilateralism (system), Russophobia and anti-westernism (identity). These have all fed into policy narratives that are particularly marked by Russia norm-entrepreneurship—visible in both forums—and very much in line with its role as a key custodian of multilateralism in cyberspace.

Examining strategic narratives according to Miskimmon et al.’s model (2017a), it is evident that the characters central to Moscow’s narrative projection are Russia and the West. Using its agency as a norm-entrepreneur, Moscow acts to challenge Western liberalism to establish a new set of legal and normative rules in cyberspace. Thus, the resolution of the Russian story is to create an alternative framework that aligns with its own interests and challenges the dominance of Western norms in the digital domain.

Overall, Russia’s narrative projection in the OEWG and AHC aligns with the conclusions of other scholars who find “remarkable consistency” between Russian narratives (Sakwa, 2011, pp. 958-959) and which have remained “essentially unchanged” from Soviet times (Karpchuk, 2021, p. 27). Collectively, such findings suggest Russian narratives are confined by strict historical and cultural boundaries, helping to connect the past, the present, and the future (Miskimmon et al., 2017a) and provide a collective “sense of space and a sense of place” (Subotic, 2016, p. 611).

India

As a postcolonial country with a complicated and turbulent political history, India has struggled to use unifying narratives, both at home and abroad. In fact, Rajil Malhotra claims there to be “an outright civil war of divisive narratives based on minorityism, casteism, religion and racism” (Malhotra, 2018, p. 14). This lack of unity clashes with India’s attempt to promote itself as “a prominent global power in the contemporary post-Cold war era” (Sullivan, 2015, p. 15). Withholding significant technological capabilities, resources and manpower, the cyber-domain has been anticipated to be an avenue through which this Indian grand narrative be reinforced and used to articulate India as a serious and committed forerunner in cyber-diplomacy (see Basu, 2023). India does project several narratives in cyberspace, our analysis finding emphasis on sovereignty (system), multilateralism (system), democracy (identity) and developing nation (identity), exercised through policy narratives around technological autonomy and national security (including the fight against cyber-terrorism).

India has previously articulated itself as a “norm-setter” and “innovator or inflector of particular forms of global knowledge and values” (Sullivan, p. 16). Considering its rapidly developing technological ability and self-promotion in the 2013 National Cyber Security Policy (NCSP)—which conveys India as a “global player” at the forefront of enhancing international cooperation in cyberspace and best practices for information security (India, 2013, p. 5)—it had been anticipated that India would harness its status as an influential cyber-diplomacy actor. However, in both the OEWG and AHC, the Indian delegations frequently fell back on a multi-alignment approach, supporting suggestions from both sides of the ideological divide.

India’s alignment with the West was evident in two primary themes, the first being that the OEWG and AHC should not be starting from scratch but develop on existing, relevant regional and UN processes. In the OEWG, India described the (mostly) European-led Program of Action as “a welcome development” (India, 2021d, p. 1). Furthermore, India claimed that the AHC would “benefit from the existing operating regional conventions against Cybercrimes” (India, 2021e, p. 1); this is perhaps surprising, given the most notable of existing cyber-crime conventions—the EU’s Budapest Convention—has been criticized by India for being “discriminatory, ineffective and detrimental to state sovereignty” (Ebert, 2020, p. 398), and for not having “a broader consultation mechanism during the drafting process, which deprived many countries of the opportunities to provide comments on the text” (Pawlak, 2019, p. 179).

Another way in which India, at least at the discursive level,¹⁵ had a “narrative alignment” (Miskimmon et al., 2015), with the West was through emphasizing its commitment to democratic values as the largest democracy in the world. In the OEWG, India stated that, “[a]s democracies, we are particularly vulnerable to these threats” (India, 2020e), in a sense distancing itself from non-democratic regimes. In the AHC, too, India emphasized its commitment to protecting democratic values and repeatedly committed itself to “maintaining an open, inclusive, free, fair, transparent, secure, stable and accessible process for all Member States to negotiate the International Convention on Cybercrimes on consensus basis” (India, 2021e, p. 1). Additionally, India shared how it was “heartening to note that a large number of countries have emphasized the issues of human rights, fundamental freedom, privacy of individual, protection of data and protection for victims of cybercrimes” (India, 2022b, p. 3).

However, in the OEWG India also showcased both its “developing nation” and sovereigntist narratives, praising itself for “contribut[ing] to the process in every way possible so that both the developing and developed countries voices are heard in right spirit” (India, 2021d, p. 1), and by supporting policy initiatives largely attributable to the “sovereigntist” group. In the OEWG, this was most apparent in India’s prioritization of international norms over law, and openness to the creation of new normative frameworks (India, 2021d, p. 1). Although India has previously acknowledged the applicability of international law to cyberspace (see Callanan et al., 2022, p. 15), in the OEWG India repeatedly calls for further deliberations on how to incorporate and define it, whilst refraining from outlining its own perspective (India, 2021d, p. 1; 2019b).

In the AHC, India sided with Russia, Iran and China by calling for a broad convention scope that included all crimes committed using ICTs, a key objective for authoritarian governments wanting stricter state control over online behavior, counter to the more narrowly defined scope put forth by most liberal states (India, 2022e, pp. 2–3; 2022g), and again in line with the responsive multilateralism advocated by the BRICS countries (Van Noort, 2017).

There is a partial misalignment between the narrative(s) India projected about the international system and how it should function. In the OEWG, the main insight into India’s view of the global order is through references to a top-down state approach to cyberspace (state-centrism) that privileges national security. For example, India was cautious of how cyber-activities could violate national sovereignty (India, 2019c) prioritizing instead its “national interest.” In the First Session of the AHC, India applied this same narrative to cyber-crime, arguing that UN Member States were the main actors in this domain and, although it “welcome[d] the participation of multi-stakeholders in giving their suggestions, feedbacks, etc. to UN Ad Hoc Committee on Cybercrime,” it was clearly outlined that decision-making and responsibility for the convention’s development lay primarily with states (India, 2021e, p. 1). By the Third Session of the AHC, the narrative changed slightly (akin to Russia), and became more in tune with that articulated in the NCSP which recognized the significance of private and corporate sector participation, the importance of public-private partnerships in cyberspace, and the need for creating a “consortium of government and private sector” (2013, p. 6).

India acknowledged that it was important to consult with both the private sector and civil society on cyber-crime matters (India, 2022j), and suggested using Interpol to better communicate between stakeholders (India, 2022c, p. 1). India is very much concerned with cyber-crime (see Ebert, 2020)—as demonstrated by the multiple references to it in the OEWG—and places the private sector at the center of its policy response (India, 2022j, p. 2). Nevertheless, the ambiguity of India’s position on inclusive governance substantiates the claim that India oscillates between multilateralism and “nuanced multilateralism”—where stakeholders are welcome to be part of the conversation but not of the decision-making, the latter remaining a state prerogative (Abraham et al., 2018)—in cyberspace.

In the context of its national security narrative—and despite little evidence to suggest that cyberspace has been used for terrorism purposes (Ebert, 2020)—India seems particularly focused on cyberterrorism as a major threat to be addressed, a point also mentioned in the OEWG (India, 2019a). India has experienced numerous terrorist attacks which investigations found were facilitated by ICTs, albeit to varying degrees (Ebert, 2020, p. 385), spurring the government to implement harsher content moderation policies. Whilst cyber-terrorism is not discussed in India’s 2013 NCSP, more recent actions to counter cyber-terrorist threats include securing bilateral agreements on security and defense with Russia (in 2013, 2016 and 2018), and strengthening anti-terrorism partnerships within the Shanghai Cooperation Organization.

In the AHC, it was clearly expressed by India that cyber-terrorism “must be one of the major objectives of the convention on cybercrime” (India, 2022a, p. 2). In the First Session, India described a broad but vague list of ways in which ICTs can be used for terrorist purposes (India, 2022a, p. 2). During the Second Session, India submitted an extended contribution on cyber-terrorism, which recognized that “freedom of speech and expression of individuals is of paramount importance and should be protected,” but that society can only continue to “enjoy their fundamental freedoms, human rights and privacy rights provided that the social order is not disturbed by the malicious use of ICTs to propagate terrorism” (India, 2022d, p. 1). Finally, in the Third Session of the convention, India warned of how social media was radicalizing youths and financing terrorist activity (India, 2022j, p. 1).

As mentioned earlier, and in keeping with Indian Prime Minister Narendra Modi’s Atmanirbhar Bharat (self-reliant India) concept, one of India’s dominant policy narratives is around autonomy. To become a more autonomous cyber-actor, India prioritizes cyber-capacity building, creating resilient infrastructures and a more sophisticated cybersecurity framework. Illustrated in the 2013 NCSP which made plans for developing and manufacturing “indigenous security technologies” and “indigenously manufactured ICT products,” India views technological autonomy as a mean to achieving a trustworthy and secure cyber-ecosystem (p. 3, 8).

In the OEWG, the autonomy policy narrative is constructed around creating trustworthy supply chains. The Indian delegation claimed, “the lack of integrity of supply chains and use of harmful hidden functions can affect the entire ICT systems and potentially threaten the security of a State” (India, 2021c, p. 1). As a result, India requested greater emphasis was put on the need for states to “use trusted products and recognize the need to establish national measures for acquiring such items from trusted suppliers” (India, 2021c, p. 1). This is consistent with the state’s domestic initiatives to strengthen testing and regulation requirements for telecommunications, and characteristic of the Trusted Telecom Portal introduced in the 2021 National Security Directive (Deb, 2021). It is also likely part of India’s plan to reduce its dependence on Chinese supply chains, seen as a potential threat to Indian national cybersecurity (Ebert, 2020).

Although multi-alignment (Tharoor, 2013) has proven useful to India for advancing national interests, maintaining sovereignty and independence, and pursuing a more flexible and dynamic foreign policy on other multilateral fronts (Hall, 2016), it has also contributed to conflicting narratives in the OEWG and AHC, including on the balance between online freedoms and state sovereignty. India’s unclear stance on how international law applies in cyberspace further complicates India’s narrative projection and discursive ability to shape negotiations.

Despite the ambiguity that comes with adopting this multi-alignment position, India’s narratives utilize its agency to portray itself as an alternative voice, of a via media, between the authoritarian and liberal camps. Whereas the EU and Russia’s narratives are mostly targeting an international audience, India’s narratives have a stronger domestic message, most notably by highlighting its ambition to become a secure and technologically autonomous nation. In that regard, the resolution to India’s storylines often involves a bipartite development of its internal digital apparatus and the external regulation of cyberspace (both regarding crime and international security) that combines some of the priorities of the authoritarian group (focus on sovereignty) with those of the developing nations (stronger investment in capacity building). This conclusion is line with Basu’s broader point that much of India’s diplomatic contribution has been focused on “shoring up domestic cybersecurity resilience and building capacity” (2023, p. 199). For how much longer India can straddle the competing interests of the liberals and sovereigntists on these issues without defining a clear vision of its own remains unclear, especially with no further update on the long-awaited Indian Cybersecurity Strategy.

Conclusion

The analysis of the EU, Russia, and India’s contributions to the OEWG and AHC offers us very significant insights into these actors’ positions vis-à-vis the multilateral governance of cyberspace. From a vertical perspective, we can assess the extent to which these actors’ system and identity narratives feed into their respective policy narratives around the two cyber-related issues. From a horizontal perspective, we can evaluate what the narrative continuities (or discontinuities) that have emerged between the two forums tell us about how cyber-crime is approached as part of a distinct regime from that of international cybersecurity. Additionally, we can draw conclusions as to whether each actor’s narratives align with the typical interests of their respective “grouping”—the liberals, the sovereigntists or the swing states, and what it means for the cyber-regime-complex more generally.

As presented in Table 1, the three actors analyzed in this article projected, with some nuance, their respective system and identity narratives to the international cybersecurity and cyber-crime domains. Our assumption was that these system and identity narratives would not be autonomous, but rather incorporated in the lowest of the three types—policy narratives. In all cases this assumption stands true. The EU’s force for good identity narrative and rules-based order system narrative directly facilitated its policy narratives around cooperation, development and capacity building; Russia’s identity narratives (Russophobia and anti-Westernism) and system narratives (sovereignty and multilateralism) served to justify Moscow’s policy narrative around norm-entrepreneurship; and even India, whose narratives were the most ambiguous of the three, managed to articulate its narratives around sovereignty (system), multilateralism (system), democracy (identity) and developing nation (identity) to support its policy narrative around technological autonomy and national security.

Table 1. EU, Russia, and India’s narratives, and the continuities and discontinuities between the OEWG and AHC.

	Continuities	Discontinuities
EU	A “force for good” committed to responsible leadership, democratic values and human rights’ promotion Defender of the rules-based liberal order that upholds existing legal and normative frameworks Supporter of multistakeholder governance Leading cyber-capacity-building actor	More open to a binding agreement in the AHC
Russia	Norm-entrepreneur Victim of Russophobia Sovereigntist Anti-Westernism Authoritarian multilateralism	More open to multistakeholder engagement in AHC
India	Developing Nation Sovereigntist Democracy National security priorities Technological autonomy Nuanced multilateralism	More open to multistakeholder engagement in AHC More pro-active position towards an international agreement in the AHC

Unlike other studies on the EU¹⁶, our research suggests that Brussels projects a coherent set of system and identity narratives in both the OEWG and AHC statements. The fact that the EU’s position in multilateral settings has to be agreed by its member states means its statements are more likely to stay close to its broader strategic narratives while also not deviating significantly between forums. Moreover, significant “similarities and synergies” have been found between the national cyber-strategies of EU member states and the cyber-policies of the EU itself, demonstrating that member-states take a generally unified approach to cybersecurity outside the confines of the Union (Štitilis et al., 2016, p. 1163).

The EU’s narratives seem to have two main goals: to counter threats to the status quo¹⁷ (rejection of international treaties to regulate responsible state behavior in cyberspace, refusal to expand the concept of cyber-crime) and to reinforce and promote the expansion of its liberal worldview¹⁸ (through a democratic-value narrative, capacity building proposals and the defense of multistakeholderism). Underpinning these narratives is a certain idea of Westlessness, a sense of a world increasingly less Western-centric (Chen & Yang, 2022).

Russia’s strategic narratives are also visibly projected through the articulation of Russia’s policy preferences both within the OEWG and the AHC. Although some minor discontinuities were identified between forums in how Russia depicted the West, both portrayals can still be viewed as fragments of Russia’s wider narratives that seek to counter and delegitimize the Western liberal order. In that regard, and apart from a slightly more accommodating role for non-state actors, there’s not much evidence from Russia’s strategic narratives to suggest it views cyber-crime much differently to international cybersecurity, supporting the general assumption that the creation of the AHC was primarily about countering existing legal and diplomatic structures that tend to liberal ideals and processes. These conclusions tie neatly into Raymond and Sherman’s discussion of “authoritarian multilateralism” (2024) and the role Russia plays alongside China in attempting to contest and transform the Western rules-based order, in cyberspace and beyond.

Our research also suggests that Russia actively uses the cyber-domain, regardless of the forum’s intended focus, to project its broader worldview, attempt to advance its position in the international system and influence policy to its advantage. Such a position is often warped around a narrative of being the voice of the majority, and, although we are not in a position to establish a causal link between its narratives and the effectiveness of Russia’s positions in this domain, the reality is that Russia’s proposals in both the OEWG and AHC have always found a strong supportive majority¹⁹ amongst UN member states, particularly in Africa, where Russia’s influence in the cyber-domain has been very significant in the recent past (Ifeanyi-Ajufo, 2023).

India, on the other hand, is still in the process of developing a grand narrative that reflects the structure of the current international order and India’s role within it. The impact of this is reflected in multi-alignment, with India band-wagoning on the back of both the liberals and sovereigntists where it suits, without defining its own clear vision. This results in relatively disjointed fragments of system, identity and issue narratives emerging in the cyber-domain that in some instances do not align, and thus are likely to be less influential (Miskimmon et al., 2017a, p. 3). Whilst India may not have articulated a consistent set of narratives, there was significantly more engagement from the Indian delegation in the AHC than there was in the OEWG, and it is clear that India has a few domestic issues it seeks to prioritize in the cyber-domain (technological autonomy, cyber-terrorism). Some of these idiosyncrasies—such as India’s concern with cyber-terrorism in both the OEWG and AHC, or its constant balancing act between security and human rights—could potentially be explained by studying the articulation between its strategic narratives and domestic political agendas.²⁰

A clearer willingness to engage in the AHC could thus be explained by the finding that “India’s attitudes toward multilateral agreements hinge on the latter’s ability to advance national interests” (Basu & Nachiappan, 2020, para 2). Nevertheless, India’s multi-alignment strategy is fundamentally symbolic of its status as a swing state. It could be argued that India is using strategic narratives at the UN neither to its full advantage, nor to show “a substantive or long-term commitment to advance an international agenda” in cyberspace (Deb, 2021).

As mentioned earlier, there’s a certain linearity to narratives as they help link the past, present and the future (Miskimmon et al., 2017a; Subotic, 2016). In a novel domain such as cyber, there is not much to dwell on when it comes to the past. The incorporation of (system and identity) narratives used elsewhere in cyberspace—be it a normative (EU), an anti-Western (Russian), or democratic (India) narrative—helps absorb the new into the old and therefore ensure a certain continuity of action for each actor.

In short, the existence of two different forums each on its own UNGA committee does not seem to impact significantly on the coherence of each of these actors’ strategic narratives, and it seems to fit within the macro-narratives in which they operate. The coherence issues identified in the Indian case are mostly related to the lack of clear—or potentially contradictory—identity and system narratives; they are not exclusive to cyberspace.

These conclusions have two implications for the study of both multilateralism and regime complexes, within cyberspace and beyond. First, despite the institutional separation of cyber-crime from international cybersecurity, all three actors understand there is a very strong continuum across the regime complex. In practice, this means that both issues—cyber-crime and international cybersecurity—benefit from being considered in a more holistic fashion. Second, the analysis of strategic narratives comes across as a highly valuable tool in understanding the overlaps and differences across different regimes of a complex in a multilateral setting.²¹ Starting from that point of interaction and moving backwards towards the strategic documents that frame an actor’s international behavior helps identify both the vertical dynamics mentioned earlier, but also the density of a regime complex measured in terms of how holistically its main actors treat the issue underpinning the complex, particularly in its early stages of formation as is the case with cyberspace.

Through the concept of narrative fragments, we have offered a new approach to the study of strategic narratives in multilateral settings, combining the analysis of broader strategic documents with the statements issued and uttered regarding specific issues in specific multilateral forums. In our view, this contributes to a more robust articulation between the three types of strategic narratives identified by Miskimmon et al. (2015, 2017a, 2017b). Further studies on the other components of the cyber-regime complex may help substantiate what, for now, is only an insightful but partial claim.

Acknowledgements

The authors would like to thank Arindrajit Basu, Mark Raymond, Cristina Del Real, Xymena Kurowska, the special issue and journal editors, and the two anonymous reviewers for their very useful comments and suggestions. The usual disclaimer applies.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Funding

This work was supported by the Engineering and Physical Sciences Research Council [grant no EP/S022465/1] and by the Leverhulme Trust [grant no RF-2019-466].

Notes

1 By regimes, we adopt Krasner’s definition as “sets of implicit or explicit principles, norms, rules, and decision-making procedures around which actors' expectations converge in a given area of international relations” (1985, p. 2).

2 For instance, in Nye’s model (2014) crime is a standalone issue, whereas other security matters are divided into multiple issues such as war, sabotage, or espionage. Following a slightly different approach, Pawlak (2019) divides the cyber-regime complex into six types of regimes: cyber-crime, peace and stability, security, internet governance, development and growth, and human rights.

3 Segal (2016, p. 34) considers having the capacity to tell an attractive story about cyberspace as key to being a cyber-power. In his work on cyberspace as a metaphor, Branch (2021) also highlights the importance of words in institutionally shaping how cyberspace is treated as a policy issue.

4 In that sense, they should not be confused with macro level narratives (see Shanahan et al., 2018).

5 Or multi-aligned (Tharoor, 2013), as many of the members of this group tend to choose sides depending on the issue. We thank Arindrajit Basu for making this point.

6 For a comparative analysis of US and Russia’s international cybersecurity narratives see Hansel, 2023.

7 Following Joseph Nye’s definition, “the cyber domain includes the Internet of networked computers but also intranets, cellular technologies, fiber-optic cables, and space-based communications. Cyberspace has a physical infrastructure layer that follows the economic laws of rival resources and the political laws of sovereign justification and control” (2011, p. 19).

8 We do not include the GGE in the analysis as these were not public meetings.

9 Although the EU is not a nation-state, it operates in these two forums as an aggregator of its member states’ positions. Whenever the EU intervenes or issues a statement, its member states will generally start their own interventions by supporting the EU’s. It is therefore a particularly helpful actor to analyse in terms of narratives.

10 What was supposed to be a short-lived expert forum eventually became a decade and a half long process, culminating in four consensual reports (2009, 2013, 2015, and 2021), the recognition of the applicability of international law to cyberspace (2013), and the development of 11 norms of responsible state behavior in cyberspace (2015).

11 To learn more on cyber-crime, see Shires (2024).

12 In a piece co-authored by the Head of the Russian delegation, Andrei Krutskikh, argues that despite the early claims that the internet could be self-governed, it eventually “turned out that the warning of the Russian Federation about the possibility of threatening international peace and security through the malicious and hostile use of ICT on the Internet was well grounded” (Krutskikh & Streltsov, 2020, p. 261).

13 The Russian victimhood trope dates back to the Tsarist period that symbolizes “the rivalry of two cultural and civilizational models, as well as the conflict between two systems of values, those of the East and those of the West” (Darczewska & Żochowski, 2015, p. 6).

14 As pointed out by Krutskikh and Streltsov in a piece published during the first OEWG, Russia has frequently been at the receiving end of Western media’s “groundless accusations” (2020, p. 262), including those associated with the interference in the 2016 US Presidential election. During the Second Substantive Session of the 3rd OEWG Meeting (February 2020), Ambassador Krutskikh would return to this issue in an unscripted intervention where he asked: “if international law as everyone is saying right now is applicable then I would like to ask: what are we doing here? If we're praying, then good for us. We are all turning to God and saying that cyberlaw exists and it’s applicable, but if it's applicable then why are foreign hackers electing the president of the US?”

15 The alignment of words does not necessarily ensure an alignment of priorities or intentionality.

16 According to Miskimmon’s assessment, “[t]he formation, projection, and reception of the EU strategic narrative is complicated by the hybrid nature of the institution—reflecting both supranational and intergovernmental aspects, which frustrates efforts to speak with a single European voice in international affairs” (2017, p. 85). However, as recognized in a later work, the current European Commission has been pushing for a more “forceful EU role in the world” (Miskimmon & O’Loughlin, 2021, p. 38). This could ultimately result in more coherent narratives across other foreign and security policy domains. This is certainly an area that deserves further research.

17 Pawlak (2019) offers some useful insights on this when he says: “Given that most of the institutions and rules within the cyber regime complex were established in the 1990s and early 2000s, primarily under the European and American leadership, it is rather understandable why the positions adopted by the EU tend to favor status quo rather than support the emergence of new institutional and legal frameworks. It is clear, for instance, that any international negotiations for a new treaty for cyberspace would be more advantageous to the emerging economies and countries that did not fully participate in shaping the early days of the global cyber regime complex rather than to the EU. For this reason, the EU has also objected any attempts at regime shifting and contestation of existing institutions by China, India or Russia” (p. 186).

18 This is also in line with much of the literature, including Chen and Yang’s (2022) assessment of the EU’s actorness in this domain.

19 This does not seem to come at the expense of the EU and like-minded states as seen in the voting for the Program of Action to advance responsible State behavior in the use of information and communications technologies in the context of international security—a diplomatic priority for the West. In November 2022, the OEWG adopted resolution A/C.1/77/L.73 with 157 votes in favor, 6 against and 14 abstentions. This happened a week after a Russian-led resolution A/C.1/77/L.23/Rev.1 reaffirming the centrality of the OEWG, was adopted by a recorded vote of 112 to 52, with 10 abstentions.

20 We would like to thank one of the anonymous reviewers for making this point.

21 As suggested by one of the reviewers, at a more generic level, additional work could be done on the potential effectiveness of narratives within and across UN forums and processes.