Brian M. Mazanec is an adjunct professor at George Mason University. His book, The Evolution of Cyber War: International Norms for Emerging-Technology Weapons, will be published by Potomac Books next month.
The U.S. government has put the promotion of its cyber norms at the forefront of its cyber diplomacy with the hopes that it will constrain pervasive cyberattacks. Past experience with norm promotion efforts provide insight on whether the United States is likely to be successful. Unfortunately, the future is bleak.
As a general rule, states develop norms to promote their interests and a norm will only spread if other states perceive it to be in their interest to abide by it. Historical examples of this are plentiful. In the late 19th century, Russia pursued constraining norms against the possession and use of chemical and biological weapons as well as strategic bombing at the First Hague Conference. Russia had failed to master these new weapons and wanted to constrain potential adversaries. Britain, on the other hand, opposed a norm restricting strategic bombing because it saw bombing as a tool to offset the relatively small size of its ground forces. As a result, the conference agreed to prohibit the “discharge of projectiles and explosives from balloons or by other new analogous methods” for a temporary period of five years while prohibiting chemical and biological weapons indefinitely. These bans lasted until the powers of the day determined it was not in their self-interest to maintain them. Britain and Germany both used chemical weapons in World War I and strategic bombing was used throughout World War II by all parties.
The requirement that states perceive a norm to be in their self-interest means that norms containing offensive cyber activity are unlikely to work. Unlike other forms of weaponry, cyber weapons are stealthy, making it difficult for planners to determine whether cyber weapons will be useful in the future. Furthermore, some states rely more on cyberspace than others, making states that are less dependent on the Internet less vulnerable to an attack. These relatively immune states will struggle to determine if constraining norms are in their interest as many states did with strategic bombing and will want to keep their options open.
Chinese, Russian, and U.S. cyber activities appear to indicate that these states believe they have more to gain from embracing cyberattack capabilities than constraining norms:
- China has been unconstrained in its cyber espionage, as demonstrated by the recent OPM breach, but it is also preparing to use cyber weapons to cause economic harm, damage critical infrastructure, and influence armed conflict. The U.S. Department of Defense has pointed out that China is “looking at ways to use cyber for offensive operations” and Beijing appears to be developing and fielding advanced capabilities in cyberspace with strategic objectives in mind.
- Russia’s early cyberattacks on Estonia, Georgia, and Ukraine indicate that it is largely unconstrained by restrictive cyber norms. Although Russia has diplomatically advocated for a ban on cyber weapons and an International Code of Conduct for Information Security, its efforts are analogous to the Soviet Union’s early advocacy for a prohibition on nuclear weapons while simultaneously pursuing such weapons or its support for a ban on biological weapons while simultaneously developing them in secret. Russian military doctrine proclaims that any future war will involve the “early implementation of measures of information warfare to achieve political objectives.”
- The United States is significantly expanding its cyberattack capabilities at U.S. Cyber Command and engages in offensive cyber operations. However, unlike Russian attacks, the United States appears to avoid targeting nonmilitary assets yet this restraint is likely negated by its perceived general “militarization” of cyberspace by adversaries such as China. The United States has articulated few limits on cyberattacks. For example, the International Strategy for Cyberspace states that the United States reserves “the right to use all necessary means” consistent with the application of international law to defend itself and its allies and partners.
There are other reasons beyond self-interest that make containing cyber norms less likely to emerge. For example, unlike when the United States was briefly the only nuclear power after World War II and was able to establish a precedent of restraint in post-World War conflicts, it is too late to have a state establish a precedent through restraint or establish a prohibition on cyberattacks.
While policymakers are fixated on the development of constraining rules of the road for cyberspace, history shows that U.S. efforts to promote norms to constrain offensive cyber activities are unlikely to succeed.