A New U.S. Foreign Policy for Cyberspace

The era of the global internet is over. For the last thirty years, the United States has worked with its allies and the private sector to promote a vision of the internet that is open, interoperable, global, and secure, but the reality is starkly different. The internet is more fragmented, less free, and more dangerous, and it is likely to be even more so in the future.  

This is the central finding of a new CFR Independent Task Force, chaired by Nathaniel Fick and Jami Miscik (read the report here). U.S. policymakers assumed that the global, open internet served American strategic, economic, political, and foreign policy interests. They believed that authoritarian, closed systems would struggle to hold back the challenges, both domestic and international, that a global network would present. But this has not proved to be the case, and in some instances, the opposite holds to be true. The United States is asymmetrically vulnerable because of high levels of digitization and strong protections for free speech. Adversaries have adapted more rapidly than anticipated. They have a clear vision of their goals in cyberspace, developing and implementing strategies in pursuit of their interests, and have made it more difficult for the United States to operate in this domain.

Around the world, states of every regime type are forcing the localization of data, as well as blocking and moderating content. The United States’ early lead in internet technologies motivated many countries to promote data residency and other regulations to protect national companies. China has long blocked access to foreign websites, created trade barriers to U.S. technology companies, and given preference to domestic incumbents, which now operate across the globe. European policymakers are increasingly focused on the need for presumptive digital self-sufficiency and data privacy. The war between Russia and Ukraine has furthered the fracturing, with Moscow first throttling and then banning American social media, and U.S. hardware and software companies withdrawing from the Russian market. 

Internet freedom has been in decline for more than a decade (see figure). Freedom House, which tracks internet freedom across the world, has seen sustained declines in empirical measures of internet freedom, especially in Asia and the Middle East. More states are launching political influence campaigns, hacking the accounts of activists and dissidents, and sometimes targeting vulnerable minority populations. A growing number of states choose to disconnect entirely from the global internet. According to Access Now, at least 182 internet shutdowns across 34 countries occurred in 2021, compared with 196 cases across 25 countries in 2018

Security threats continues to grow in cyberspace. While the vast majority of state-backed cyber operations remain related to espionage, cyberattacks are also weapons of sabotage and disinformation, and the number of disruptive attacks is growing. In the weeks before the Russian invasion of Ukraine, wiper malware that can erase hard drives was found in Ukrainian government networks. Russian hackers disrupted ViaSat, a provider of broadband satellite internet services, in the early hours of the invasion. In early April, Ukrainian defenders prevented a destructive attack on Ukraine’s power grid.

Cybercrime on its own has become a threat to national security. Attacks on hospitals, schools, and local governments have disrupted thousands of lives. A ransomware attack on Colonial Pipeline by a criminal group known as Darkside resulted in the shutdown of a 5,500-mile pipeline and gas shortages on the U.S. eastern seaboard. In May 2022, the new president of Costa Rica, Rodrigo Chaves Robles, declared a national emergency after a ransomware attack by the Conti gang crippled the Finance and Labor Ministry as well as the customs agency.

So what it to be done? I go into more details in three following posts, but the Task Force proposes three pillars to a foreign policy to guide policy makers in cyberspace. First, Washington should consolidate a coalition of allies and friends around a vision of the internet that preserves—to the greatest degree possible—a trusted, protected international communication platform. Second, the United States should balance more targeted diplomatic and economic pressure on adversaries, as well as more disruptive cyber operations, with clear statements about self-imposed restraint on specific types of targets agreed to among U.S. allies. Third, the United States needs to put its own proverbial house in order, and more closely link its policy for digital competition with the broader enterprise of national security strategy.

A free, global, and open internet was a worthy aspiration for the internet's first thirty years. The internet as it exists today, however, demands a reconsideration of U.S. cyber and foreign policies to confront these new realities.