This working paper shows ways in which binding rules under international law can be developed in the area of cybersecurity. Non-binding norms can be important milestones; preventive duties of protection for states (e.g., “due diligence”) can also be derived from customary international law – especially requirements regarding cooperation. States must fulfil these preventive protection obligations by taking joint action to enhance cyber security. In order to create long-term legal certainty and to holistically promote cybersecurity, a binding convention on cyber security is necessary.