The White House released its International Strategy for Cyberspace yesterday. Many of the ideas and objectives have been expressed before by various officials, but newness does not seem to be the point. Rather, the importance of the document rests in gathering all the United States’ goals for cyber in one place, signaling to both adversaries and friends what Washington is expecting from them and what it will do itself.
The strategy states that the United States will “work to promote an open, interoperable, secure, and reliable information and communications infrastructure.” As Jason Healey at The Atlantic Council notes, the phrasing of these goals is important. The strategy does not promise absolute security or reliability, which are unattainable, but says communications systems should be secure and reliable “enough” to ensure that users continue to have trust in them. Diplomacy, defense, and development are to be the tools through which the United States pursues these four goals, and U.S. officials will be concentrating their efforts in eight areas: international standards and open markets; network defense; law enforcement and extending the reach of the Budapest Convention; military alliance and cooperative security; Internet governance; international development and capacity building; and the support of Internet freedom and privacy.
Two other things worth noting. The strategy has a very heavy deterrence component, clearly stating that the United States “will respond to hostile acts in cyberspace as we would to any other threat to our country.” All means—diplomatic, informational, military, and economic—are on the table. Second, and this is pretty unscientific, but I count 27 uses of “innovation” versus 21 "freedoms" in the document. My memory of the speeches from Secretary Clinton, Secretary Locke, and the others also tilts toward “innovation.” This is in part driven by the importance of the Internet to the U.S. economy, but I wonder if it’s not also a strategy for building alliances and finding international partners. Freedom could alienate many, but everybody wants to be more innovative, and if the United States can convince the Chinese or the Indians that a more open Internet economy leads to a more innovative economy, then they may take up the strategy.
While I think there is much that is good in the strategy, I do wonder if it will get the United States any closer to its objectives. The strategy is very focused on how the United States should do things: “distributed systems require distributed action.” Much of what the strategy calls for, Washington is already doing. The problem with a process-oriented strategy is that it provides no guidelines for what the priorities should be—is it more important to work with countries such as India and Brazil on technology standards or to come to some agreement with Russia and China on cyberconflict? Yes, the United States should and can do both, but eventually decisions are going to have to be made about time, resources, and the inevitable trade-offs between competing goals. Luckily, Deputy National Security Advisor John Brennan said that one part of the process will be a review of the policy after 6 months, so we can revisit the issue.