Last week, the White House released its new strategy document for cyberspace, called “International Strategy for Cyberspace: Prosperity, Security and Openness in a Networked World.” Yes, I know. Another strategy document from the Obama administration. How exciting! For those skeptical about the utility (not to mention entertainment value) of a document that purports to sketch out a vague strategy for a rather vague topic, your fears are not entirely unwarranted. It has its fair share of platitudes and meaningless language; yet sifting through these weeds you find some interesting bits and pieces.
The first thing that struck me is how remarkably ‘soft’ the document is. There is less than a page explicitly dedicated to the military side of cyberspace. Though the Pentagon is expected to issue its own cyberstrategy document soon, the White House is signaling a move away from a very military approach to cyberspace. The establishment of USCYBERCOM in 2010, in addition to a lot of resources and energy spent on other parts of cyberdefense, made it clear that the Obama administration was looking at the new domain primarily through a military lens.
This seems to have changed. The strategic approach of the United States will be to “lead by example” and “pursue an international cyberspace policy that empowers the innovation that drives our economy and improves lives here and abroad.” Threats in cyberspace are acknowledged, but cyberspace itself is not a threat. Instead, the threats—or challenges, as the White House puts it—are merely old threats manifesting themselves in the new domain. Gone is the talk of a “digital Pearl Harbor” where a Bond-esque villain shuts off the entire U.S. power grid with the push of a single button. A more nuanced thinking has entered the White House:
These challenges come in a variety of forms. Natural disasters, accidents, or sabotage can disrupt cables, servers, and wireless networks on U S soil and beyond. Technical challenges can be equally disruptive, as one country’s method for blocking a website can cascade into a much larger, international network disruption. Extortion, fraud, identity theft, and child exploitation can threaten users’ confidence in online commerce, social networks and even their personal safety. The theft of intellectual property threatens national competitiveness and the innovation that drives it. These challenges transcend national borders; low costs of entry to cyberspace and the ability to establish an anonymous virtual presence can also lead to “safe havens” for criminals, with or without a state’s knowledge. Cybersecurity threats can even endanger international peace and security more broadly, as traditional forms of conflict are extended into cyberspace.
The language marks an almost a complete turnaround tonally and substantively, making the document the closest thing we have so far to a liberal internationalist manifesto on cyberspace. All of the essential parts are present: International cooperation and agreements, norms, promotion of stake holding, development and aid, capacity building, and so forth. The Obama administration has actually put development as one of its top policy priorities. In practical terms, this means that the United States will “[p]rovide the necessary knowledge, training, and other resources to countries seeking to build technical and cybersecurity capacity.”
While the usefulness of development and institution building can sometimes be exaggerated, at least if you ask us realists, there is clearly a need for more normative structures in cyberspace. One of the fundamental challenges in cyberspace is the lack of norms and general understanding of actions taken within and against the domain. For instance, there is no agreement on what constitutes an attack in cyberspace. Lawmakers, and even analysts, lazily use ‘attack’ as a catch-all phrase for all security incidents. The problem then is you lump everything from vandalism (hacking and defacing websites) to espionage (extracting information from closed or semi-closed networks) along with incursions aimed at disrupting access to networks, or in some cases even attempting to cause physical harm.
Unfortunately, the “International Strategy for Cyberspace” offers very little insight into how the White House looks at the military aspect of cybespace. This is not to say that the document is pacifistic. The White House recognizes threats and reserves the right to respond in the event of an attack in or from cyberspace, yet the wording is—intentionally, perhaps—vague. Listing the various existing principles that should support cyberspace norms, the strategy states that, “[c]onsistent with the United Nations Charter, states have an inherent right to self-defense that may be triggered by certain aggressive acts in cyberspace.” Even though it may be by design, the lack of a definition of “certain aggressive acts” is a gaping hole in the strategy, offering no indication of what the United States would respond to and how it would respond. The United States has some responsibilities here, because its dominant position in the international community gives it definitional and political power.
This lack of understanding could lead to serious unintended consequences as two countries might have wildly different notions of what constitutes an attack. While Country A might think planting a worm in Country B’s defense network is nothing more than espionage, similar to turning an official of Country B into an intelligence asset, Country B could interpret the breach of security as an act of war. That could then lead to actual, kinetic conflict.
Some set of norms could help mitigate the risk of reckless behavior, which could in turn lead to accountability. With states agreeing, at least roughly, on what constitutes responsible and irresponsible behaviors in cyberspace, the next step would be to establish incentives for good behavior, or disincentives for bad behavior. The Obama administration’s solution to this is, at least in part, to encourage cooperation.
The United States will work to create incentives for, and build consensus around, an international environment in which states—recognizing the intrinsic value of an open, interoperable, secure, and reliable cyberspace—work together and act as responsible stakeholders.
This is all well and good, but interdependencies and non-binding regimes are not necessarily sufficient deterrents. Economic sanctions (possibly through the World Trade Organization) is one alternative, though that would be difficult to implement. Political sanctions and other types of diplomatic punishment could successfully discredit irresponsible states, but that would depend on the states caring about international standing. Another option is simply the threat of retaliation. While I have stressed that incursions are usually cases of espionage, and should not be treated as acts of war, states could set different standards through precedent. If the United States decides that cyberintrusions are substantially different than old school espionage, then cyberintrusions are by default different than old school espionage. Academic or philosophical musings about the nature of cyberspace are pointless if policymakers hold a radically different view on such matters.
This is the main reason for reading the “International Strategy for Cyberspace.” It offers a peek into the thinking of the Obama administration, and this is what will help shape the international system in cyberspace. Perceptions and actions will eventually, and incrementally, build a system of norms, agreements and understanding. If we could just get a similar document from China and Russia, we would be better able to identify points of conflict and concurrent interests. Then we could approximate where the system is headed.
As a final apropos, I need to recommend an excellent report put out by Chatham House last fall, titled “On Cyber-Warfare.” It’s written by Paul Cornish and others and might be the best effort so far in coming up with a structure for understanding and debating cyberware.