Editor's Note: Adam Segal is the Ira A. Lipman Senior Fellow for Counterterrorism and National Security Studies at the Council on Foreign Relations. Matthew Waxman, also a fellow at the Council on Foreign Relations, is Associate Professor at Columbia Law School and member of the Hoover Institution Task Force on National Security and Law.
With companies and governments seemingly incapable of defending themselves from sophisticated cyber attacks and infiltration, there is almost universal belief that any durable cybersecurity solution must be transnational. The hacker – a government, a lone individual, a non-state group – stealing valuable intellectual property or exploring infrastructure control systems could be sitting in Romania, China, or Nigeria, and the assault could transit networks across several continents. Calls are therefore growing for a global treaty to help protect against cyber threats.
As a step in that direction, the British government is convening next week the London Conference on Cyberspace to promote new norms of cybersecurity and the free flow of information via digital networks. International diplomacy like this among states and private stakeholders is important and will bring needed attention to these issues. But the London summit is also likely to expose major fault lines, not consensus, on the hardest and most significant problems. The idea of ultimately negotiating a worldwide, comprehensive cybersecurity treaty is a pipe dream.
Different interests among powerful states – stemming from different strategic priorities, internal politics, public-private relationships and vulnerabilities – will continue to pull them apart on how cyberspace should be used, regulated, and secured. With the United States and European democracies at one end and China and Russia at another, states disagree sharply over such issues as whether international laws of war and self-defense should apply to cyber attacks, the right to block information from citizens, and the roles that private or quasi-private actors should play in Internet governance. Many emerging Internet powers and developing states lie between these poles, while others are choosing sides.
One of the most contentious divergences concerns the definition of cybersecurity itself. While the United States, United Kingdom and their like-minded allies emphasize the protection of computer networks from damage and theft, Russia, China and their partners emphasize information security, which to them means controlling content and communication or social networking tools that may threaten regime stability. Last month, as delegates prepared to discuss Internet freedom at the London Conference, representatives of China, Russia, Tajikistan, and Uzbekistan proposed to the U.N. Secretary-General an International Code of Conduct for Information Security, which addresses cyber security but also calls on states to curb the dissemination of information which “undermines other countries' political, economic and social stability, as well as their spiritual and cultural environment.”
Although the United States should participate actively in forums like the London Conference, it should not expect a global consensus or worldwide treaties on the toughest issues to emerge from them. The United States should prepare instead for deep international divides over cyber-security norms, emphasizing four components of its strategy.
First, Washington must continue to cultivate allies and like-minded partners through joint policy declarations, recognizing that Beijing and Moscow are doing likewise. In June 2011, NATO defense ministers agreed to a collective vision of cyber defense, and the United States and Australia recently announced that their mutual defense treaty extends to cyberspace. Moving forward, it will be especially important to engage growing Internet powers like Brazil, South Africa and India as they move between the poles of cyber and information security.
Second, the United States should accept that it will be operating in some legal gray zones. The United States and some allies believe that they may have the right to respond militarily in self-defense under the laws of war to sufficiently severe cyber-attacks, whereas other powerful states want to legally separate cyber-security from traditional security concerns. Meanwhile, the distinctions in cyberspace between espionage (traditionally tolerated under international law) and offensive “attacks” are muddied. Planners need to think about how they will defend their actions diplomatically, especially when facts may be hard to prove or disclose.
Third, dialogue with China, Russia and others should focus not on reaching legal agreement but on communicating redlines and developing confidence-building measures, recognizing that it may be difficult to determine immediately the source of attacks. States should be willing to exchange ideas about the offensive and defensive use of cyber-weapons as well as how to develop points of contact and hotlines that can be used in the midst of a cyber crisis.
Fourth, success in shaping international norms depends in part on cultivating technical partnerships with developing states, both as a means of aligning their interests with the United States' and countering similar efforts by China to secure their loyalty. Cyber security expertise is lacking in Latin America, Africa and Southeast Asia and governments will turn to whoever can provide it.
Diplomatic summitry like the upcoming London Conference is important for promoting a vision of cyber security and freedom. For the foreseeable future, progress toward that vision will be incremental, though, and achieved through multiple arrangements hammered out with a wide array of state and private actors rather than through a global accord.
The views expressed in this article are solely those of Adam Segal and Matthew Waxman.
This article appears in full on CFR.org by permission of its original publisher.