Why Germany Should Practice the Cyber Norms It Preaches: The Case of a Vulnerabilities Equities Process

The year 2021 has seen new momentum in the global debate about cyber norms, that is, rules for appropriate and inappropriate state conduct related to the use of information and communication technologies (ICTs). Commonly, academic and policy debates focus on the diplomatic forums where these norms are negotiated. However, states also shape cyber norms through their actions. This means that states that want to promote cyber norms should also act accordingly. Germany figures among the avid supporters of cyber norms. Yet, does the German government practice what it preaches? To answer this question, I focus on a cyber norm according to which it is desirable for states to establish a vulnerabilities equities process (VEP), also known as government disclosure decision process (GDDP).