The Shanghai Cooperation Organisation's Evolving Role in Shaping Cyber Norms
Cyberspace has become as much a domain of strategic competition as it is a source of economic opportunity, and the way different regions of the world approach its governance says a great deal about the broader contest over international order. The Shanghai Cooperation Organisation (SCO) offers one of the clearest windows into how a non-Western bloc, led by China and Russia, has tried to shape the rules of the digital domain — and how that effort has matured over the past two decades.
What the SCO Is
Founded in 2001, the SCO now counts India, Kazakhstan, China, Kyrgyzstan, Pakistan, Russia, Tajikistan, Uzbekistan, Iran, and Belarus among its full members, with Afghanistan and Mongolia holding observer status and a growing roster of dialogue partners stretching from Turkey to Sri Lanka. Iran and Belarus formally joined as full members in 2023 and 2024 respectively, expanding the bloc well beyond its original Central Asian core. The organisation's founding mandate centers on combating what it calls the "three evils" — terrorism, separatism, and extremism — and cybersecurity has increasingly become the arena where that mandate plays out.
At the 2025 summit in Tianjin, member states went further still: they adopted a new SCO Development Strategy for 2026–2035, launched dedicated centers addressing cybercrime and regional security, and welcomed additional partners into the fold, underscoring the bloc's shift from a narrowly regional security forum into a broader geopolitical platform.
The "Information Security" Framework
From early on, SCO members chose to frame their cyber agenda around "international information security" rather than "cybersecurity" — a distinction that is more than semantic. Where Western governments and much of the private sector emphasize protecting networks and infrastructure from technical intrusion, the SCO's framing folds in control over content and information flows themselves, treating certain online speech as a threat to political and social stability on par with malware or hacking.
That philosophy was formalized in a 2009 agreement among SCO governments on cooperation in ensuring international information security, and it has been carried into a series of proposals at the United Nations. Four SCO members put forward a draft International Code of Conduct for Information Security to the UN General Assembly in 2011; a revised version followed in 2015 with backing from six member states. Both documents call for a state-led, "multilateral" model of internet governance, explicit recognition of national sovereignty over domestic information space, and international cooperation against the use of ICT for what the drafters describe as hostile or destabilizing purposes.
Recent Developments
The SCO's institutional machinery on this front has kept moving. In early 2026, SCO experts met to chart a new Plan of Interaction on Ensuring International Information Security covering 2026–2028, and to coordinate positions ahead of upcoming international negotiations — including discussions on an additional protocol to the newly adopted UN Convention against Cybercrime and on mechanisms for advancing "responsible state behavior" language at the UN.
That UN Convention against Cybercrime is itself a significant recent milestone. Adopted by the General Assembly in December 2024, it opened for signature in Hanoi in October 2025, where more than seventy states signed on — with Russia and China, the treaty's principal architects, among the very first signatories, alongside Belarus and several other SCO-aligned states. The convention will remain open for signature at UN headquarters through the end of 2026 and enters into force ninety days after its fortieth ratification. Its passage is widely read as a partial win for the sovereignty-centered, state-led approach to cyber governance that Russia and China have pushed for years, though the negotiations were contentious: critics, including many Western governments and civil society groups, argue its broad scope and cross-border evidence-sharing provisions create real risks of abuse against journalists, dissidents, and security researchers.
A Framework of Coordinated Cyber Statecraft
Recent academic work on the SCO describes its cyber agenda less as a loose set of shared talking points and more as a deliberate, coordinated exercise of statecraft. Through mechanisms like the Regional Anti-Terrorism Structure, joint exercises, training programs, and policy harmonization, China and Russia in particular have worked to socialize other member states into a shared set of norms: state sovereignty over digital infrastructure and data, non-interference framed narrowly enough to still permit content control within a state's own borders, and collective management of cross-border digital threats. That said, scholars also point out real limits to this cohesion — the SCO's commitments remain largely non-binding, and members' domestic interests and capacities diverge enough that deeper, harder cooperation has proven difficult to achieve.
Where the Fault Lines Remain
The core disagreement between the SCO's approach and the Western, multi-stakeholder model hasn't gone away. SCO states continue to argue that unregulated content is itself a security threat and that states should have primary authority over their national information space. Governments and civil-society advocates aligned with the multi-stakeholder tradition continue to counter that this framing provides cover for censorship and surveillance, and that meaningful cyber governance requires the private sector, technical community, and civil society at the table — not just states.
That contest is far from settled. As more countries, particularly across the developing world, weigh which model of internet governance best serves their interests, the SCO's continued investment in norm-building — through UN proposals, treaty diplomacy, and institution-building at home — means it will remain one of the most consequential venues for that argument for years to come.
This article was independently researched and written using current, publicly available sources as of July 2026.
Member discussion