The Council on Foreign Relations recently launched its new Cyber Briefs series through the Digital and Cyberspace Policy Program. The Cyber Briefs are short memos, to be published bimonthly on the CFR website, that offer concrete recommendations on topics such as cybersecurity, Internet governance, and online privacy.
The first brief in the series, titled ‘Promoting Norms for Cyberspace’, is written by Henry Farrell, associate professor of political science and international affairs at George Washington University. Mr. Farrell has also provided some additional thoughts on the topic at the Washington Post.
Mr. Farrell makes the case that norms matter for (US) cybersecurity for four reasons:
- The US is vulnerable to cyberattacks and this weakness is difficult to address using conventional tools of military statecraft.
- It is difficult to ensure that complex information systems are fully defended, since they may have subtle technical weaknesses.
- Classical deterrence is not easy in a world where it is often challenging to identify sophisticated attackers, or even to know when an attack has taken place.
- Treaties are hard to enforce because it is so difficult to verify compliance – particularly in cyberspace, where weapons are software, not missiles.
He further argues that it will be difficult for the U.S. to shape norms without making major changes to other aspects of its policy. His main recommendations for this policy alignment are to:
- Reform U.S. intelligence activities to make them more consistent with the publicly expressed norms of Internet openness that the United States is trying to establish.
- Disclose more convincing evidence when trying to shame actors that do not abide by cybersecurity norms.
- Encourage other states and civil society actors to take a leading role in norm promotion—even when this cuts against U.S. interests. To develop legitimate norms, the U.S. should let some of its partners take the lead. New norms will not be seen as legitimate if they are perceived to be solely a projection of U.S. interests.
Overall, Mr. Farrell provides some important points in his brief, but I think his comments in the Washington Post most succinctly summarise the challenges ahead:
“When actors have many shared values, norm building is easier. When actors have few shared values, then norm building is hard. Furthermore, if you want to persuade others to accept norms, you will have a hard time unless you are obviously and sincerely committed to those norms yourself.”
It is clear that the Snowden revelations have tarnished the U.S. reputation as a proponent of a free, open, and democratic Internet, but perhaps more importantly they have also tarnished its reputation with key allies such as Germany and other European countries. Mr. Farrell correctly highlights that the US needs to work both on aligning its intelligence activities with its Internet policy and on including other non-government actors such as the EFF in its norm advocacy. However, as with many policy suggestions in the cybersecurity arena, they are easier said than done.
As long as common global cybersecurity norms remain challenging to develop, and they will be for a long time, the US will be faced with deciding which is more rewarding: NSA intelligence operations or their alignment with open Internet norms. My guess is that wide-scale intelligence gathering will continue to hold the upper hand for some time to come.
Further, rebuilding the US reputation with key cybersecurity allies has been and will continue to be a policy priority for the White House moving forward, but the main challenge will be to build common norms with countries outside the American sphere of influence. In the Washington Post, Mr. Farrell notes that while the US has promoted an open and robust Internet, other important (authoritarian and semi-authoritarian) countries may view this as a threat to the stability of their governments.
There is a significant divide between the position for a free and open Internet, typically led by the US and the EU, and a more restricted, nation-state-controlled Internet, typically led by Russia and China and supported by a majority of developing countries. For the creation of common Internet norms that will have a significant impact on the global level of cybersecurity, I believe this to be a fundamental challenge. The main challenges and cybersecurity threats that the US faces do not originate from its allies but from countries like Russia and China, and it will be imperative that the US be able to reach a common understanding about what is acceptable behaviour in cyberspace in order to reduce these risks.
And while there has been significant development in the last ten years with ICANN reform and dialogues like NETmundial, there is still a huge divide to overcome, a divide that will be incredibly complex and difficult to solve. But I agree with Mr. Farrell that if the US is seriously committed to building norms in cyberspace, it is going to have to start thinking about how to do this.