
Cybersecurity in international relations refers to the disputes, rules and capabilities connected with protecting the digital systems used by states and societies. The field begins with ordinary computer security, yet it becomes international when a digital operation changes political leverage. A paralyzed hospital, stolen diplomatic traffic or a manipulated election can force governments to treat the incident as more than a technical failure. At that point, the problem no longer belongs only to technicians. It affects sovereignty, national security, public trust and the stability of relations between states.
The agenda has expanded as state functions moved onto connected infrastructure. Government offices, financial authorities, military systems and essential-service providers now depend on networks that cross borders. A software vulnerability, a stolen credential or a compromised supplier can create political effects far from the territory where the intrusion began. Cybersecurity changes international security by turning digital dependence into strategic exposure. The same network can support public service and intelligence collection, then become a channel for criminal profit, coercion or military preparation.
Summary
- Cybersecurity entered the international agenda as digital operations began to affect public services, state secrets and elections without territorial occupation.
- Attribution is difficult when attackers hide behind intermediary infrastructure, proxy actors and deliberately misleading technical traces.
- Deterrence in cyberspace combines resilience, defense and punishment to reduce the expected benefit of a hostile operation.
- United Nations norms define responsible state behavior, although they do not create a single treaty for every interstate cyber operation.
- International cooperation is indispensable in investigations that depend on electronic evidence and service providers across borders.
Cyberspace as a Domain of Conflict
Cyberspace is often described as a fifth domain of conflict, alongside the older military domains. The comparison is useful: digital networks can carry military orders, intelligence collection and strategic pressure. The analogy requires caution. Cyberspace rests on a civilian base of private infrastructure, commercial software and everyday devices that cross legal and political borders.
For that reason, a cyber operation rarely belongs to one category alone. A denial-of-service attack may look like temporary disruption. During a crisis, the same technique acquires strategic weight if it disables banks, public portals or emergency services. An intrusion into a government network may gather intelligence today and prepare sabotage later. An information operation supported by hacked emails can affect public debate without destroying physical equipment.
This ambiguity connects cybersecurity with digital diplomacy and hard power. When a state uses digital tools to communicate, provide services or negotiate technical rules, it operates in the diplomatic field. When it uses a cyber operation to raise the cost of another state’s resistance, the mechanism moves toward coercive power. The same technological environment can support cooperation and influence. In a political dispute, it can quickly shift into espionage or pressure.
Types of Attacks and Incidents
Cyber operations differ by objective. Espionage seeks access to valuable information, from diplomatic messages to military planning. Sabotage tries to make a system unreliable or unusable, especially when the target is part of an electricity grid, industrial process or public service. Ransomware blocks access for payment. It becomes a national-security problem when the victim is a hospital, pipeline, court or public administration. Digital influence campaigns use stolen material, coordinated accounts and targeted messaging to affect trust or elections.
Several episodes show how the problem evolved. The attacks on Estonia in 2007 took down websites and digital services during a political dispute with Russia, making the vulnerability of a highly connected state visible. Stuxnet, discovered in 2010, showed that malicious code could affect industrial equipment linked to Iran’s nuclear program. Edward Snowden’s 2013 disclosures exposed the scale of U.S. electronic surveillance and produced diplomatic crises with allies and partners. Russian interference in the 2016 U.S. presidential election showed how intrusion, leaks and information manipulation could operate inside the domestic politics of a major power.
Other incidents reveal how digital harm becomes economic and social harm. WannaCry, in 2017, affected computers in many countries and disrupted parts of the British health system. NotPetya began the same year in connection with Ukraine, then caused losses for global companies. The SolarWinds intrusion, disclosed in 2020, compromised a software supply chain and reached both government agencies and firms. The 2021 Colonial Pipeline attack forced the shutdown of a major U.S. fuel pipeline and showed how private ransomware can produce public consequences.
Taken together, these episodes show that cyber harm gains international meaning when it changes state capacity: service delivery, secrecy, public trust and bargaining room. Technical incidents become strategic when they alter the political conditions under which states act. Estonia made visible the dependence of government services on networked systems. Stuxnet moved the debate toward industrial equipment. The Snowden disclosures damaged trust among allies. Colonial Pipeline connected private crime, critical infrastructure and energy security.
Why Attribution Is Difficult
Attribution is the process of identifying who carried out a cyber operation and who ordered, sponsored or tolerated it. It combines technical analysis with political judgment. Evidence matters, and so does the moment when a government is willing to attach diplomatic consequences to that evidence. Analysts examine technical traces, compare methods and study the targets. A public accusation comes later, once officials decide that available evidence, classified intelligence and diplomatic cost justify naming another state.
The difficulty begins with concealment. Attackers can route operations through third-party systems, reuse stolen tools or plant misleading clues. In addition, the fact that an operation uses infrastructure located in a country does not by itself prove that the government of that country directed it. That distinction appears in Tallinn Manual debates and in United Nations reports on responsible state behavior. Context, consequences, technical capacity and links with state actors have to be assessed together.
Public attribution can function as pressure. When governments expose an operator, impose sanctions or issue criminal indictments, they try to reduce impunity and signal that the operation will carry costs. Exposure alone rarely stops further intrusions. In many cases, the public response reaches operators and intermediary entities; the state structure that benefits from the operation preserves room for denial.
Attribution works best when it is connected to a response policy. A public accusation can prepare sanctions, justify police cooperation, warn vulnerable companies or create a diplomatic basis for allied action. If the accusation remains isolated, the attacker can absorb the reputational cost and continue through new channels. The central question is what political, legal or operational cost attribution can produce after the attacker is identified, and whether that cost changes the attacker’s future calculation.
Deterrence: Denial, Punishment and Resilience
Cyber deterrence seeks to convince an adversary that an attack will not produce enough benefit. In cyberspace, deterrence rarely rests on one threat. Denial makes the operation harder or less useful. Punishment makes the attacker expect costs. Resilience keeps essential services running and helps systems recover quickly.
Deterrence by denial starts with practical defense. It closes vulnerabilities, separates sensitive networks, hardens authentication and prepares recovery before an incident occurs. Its political effect is direct: if the attacker cannot produce meaningful harm, the operation loses strategic value. This form of deterrence is less visible than a military threat. For essential-service providers, it is often more decisive because it denies the attacker a usable crisis.
Deterrence by punishment may involve sanctions, diplomatic expulsions, criminal proceedings, public exposure or responsive operations. It is harder to calibrate since many cyberattacks remain below the threshold of armed force. An excessive response can escalate the crisis; a weak response can reinforce the perception of impunity. Many governments build a response ladder that links legal action, alliance coordination, intelligence and public diplomacy.
This logic distinguishes cyber deterrence from classical nuclear deterrence. In the nuclear field, the main threat is usually exceptional, visible and concentrated among a small number of actors. In cyberspace, hostile activity can be continuous and cheap, with intermediaries giving the sponsor room to step back. Everyday defense, system redundancy and rapid recovery become part of deterrence itself because they reduce the political gain of an intrusion before punishment becomes necessary. Resilience becomes a diplomatic asset.
International Norms and Cooperation
The United Nations has discussed information and communications technologies in the context of international security since the late 1990s. The 2019-2021 Group of Governmental Experts, chaired by Brazilian diplomat Guilherme Patriota, reaffirmed that digital threats had become broader and more sophisticated. Its report consolidated the view that international law applies to state behavior in cyberspace and that voluntary norms can reduce risks.
These norms point states toward practical restraint. They emphasize cooperation, critical-infrastructure protection, assistance on request, respect for rights and safeguards for emergency response teams. They ask states to prevent malicious use of their territory where they can act. The practical point is clear: no world authority can police every network. Stability depends on minimum conduct, contact channels, confidence-building measures and national capacity, not on the fantasy that a single global police force can secure the internet.
The UN Open-ended Working Group on ICTs, mandated from 2021 to 2025, broadened state participation and discussed a permanent mechanism to continue the process. In parallel, the Budapest Convention, in force since 2004, provides a legal basis for addressing cybercrime and for cooperation on electronic evidence. The United Nations Convention against Cybercrime, adopted in 2024 and opened for signature in Hanoi in 2025, seeks to create a global framework for criminal cooperation, electronic-evidence sharing and technical assistance. Its effect will still depend on ratifications, national laws and rights safeguards.
The difference between these instruments matters. UN reports on state behavior mainly address strategic stability: what states should avoid and how they should reduce crisis risks. The Budapest Convention and the new UN convention address the criminal-law track, especially offenses, investigations, evidence and mutual assistance. The two agendas meet when an operation looks criminal, crosses borders and at the same time benefits a government or pressures another state.
Sovereignty, Rights and the Private Sector
Cybersecurity creates a permanent tension between sovereignty and interdependence. States want to protect national networks, sensitive data and critical infrastructure. At the same time, the internet operates through cross-border protocols, companies and services. A government may require local data control to protect citizens. The same language of security can justify surveillance, censorship or technological isolation.
The private sector makes this tension more complex. Essential infrastructure is controlled by software firms, cloud providers, telecom operators, digital platforms and cybersecurity companies. States depend on those companies to prevent attacks, detect intrusions, preserve evidence and restore systems. International cybersecurity is a bargaining field among governments, security agencies, regulators, technical communities and firms whose incentives do not always align.
This dependence changes crisis diplomacy. A government may need technical logs held by a foreign company, an emergency update from a private supplier or platform cooperation to contain an influence campaign. When those companies are based abroad, the response involves domestic law, mutual legal-assistance treaties, diplomatic relations and trust among regulators. Digital sovereignty means the capacity to negotiate, regulate and protect cross-border dependencies.
Brazil in the Cyber Agenda
Brazil entered this agenda through several channels. Domestically, the 2014 Marco Civil da Internet established a rights-based framework for internet use, including privacy and net neutrality. The 2018 General Data Protection Law strengthened the personal-data dimension. In defense, the army took a central role through the Cyber Defense Center and the Cyber Defense Command.
Internationally, Brazil defends a balance between security, human rights, privacy, an open internet and multistakeholder governance. Brazil’s accession to the Budapest Convention in 2022 expanded legal cooperation tools for cybercrime. At the United Nations, Brazilian diplomats have played relevant roles in expert groups on responsible state behavior. This reflects a recurring position: fight digital crime and attacks without turning cybersecurity into a license for political control of the network.
Brazil’s experience shows why national capacity and external cooperation move together. Defense institutions, CTIR Gov and CERT.br help organize prevention, alert and response inside the country. Data leaks, attacks on public agencies and ransomware investigations may still involve servers, payments, perpetrators and victims in different jurisdictions. Without rapid cooperation on electronic evidence, domestic capacity remains incomplete.
Limits of Cyber Deterrence
Cybersecurity does not eliminate international conflict. It reduces risks when it improves defense, creates communication channels, raises costs for attackers and offers legal cooperation mechanisms. Cyberspace still favors operations below the threshold of open war. Espionage, data theft, limited sabotage and information influence remain attractive because they allow gains without public admission of responsibility.
The international cybersecurity agenda combines technology and politics. Firewalls, encryption and response teams are indispensable. By themselves, they cannot define lawful conduct, build trust or manage escalation. States need norms, responsible attribution, police cooperation, critical-infrastructure protection, rights debates and diplomatic channels for crises. Cyber stability depends on that combination: the capacity to defend systems, the willingness to cooperate and clarity about which digital uses make international coexistence more dangerous. Cyber stability is a political way of managing digital interdependence. It does not promise to eliminate intrusions. It seeks to prevent technical incidents from becoming diplomatic crises, essential-service failures or military escalation.