“Norm Subsidiarity” or “Norm Diffusion”? A Cross-Regional Examination of Norms in Asean-GCC Cybersecurity Governance

Cybercrime has been a contentious issue among security actors, vis-à-vis the extent to which international cooperation may be fostered to respond to the accelerating incidence of cyber-attacks. This paper contrasts between the cyber- governance approaches adopted by two non-Western regional organizations, the Association of Southeast Asian Nations and the Gulf Cooperation Council, over the past decade. Considering their similar institutional origins, Most Similar Systems Design methodology was employed to assess how ASEAN and GCC have distinctly responded to cybercrime. It considers the dynamics of the digital divide — a divide which is exacerbated by the COVID-19 pandemic — and in which ASEAN and the GCC are challenged to bolster their cyber-capabilities. Findings reveal that GCC increasingly diffuses norms of international cooperation to tackle cybercrime. By contrast, ASEAN embodies cyber norms which regulate behavior along the lines of intra-regional cooperation, wherein norms of international cooperation are rendered subsidiary to norms of regional autonomy.