Report Watch Vol. V: Tracking Digital and Cyber Scholarship So You Don’t Have To

Lucas Ashbaugh is an intern with the Digital and Cyberspace Policy program at the Council on Foreign Relations. 

Every quarter, Net Politics publishes Report Watch, which distills the most relevant digital and cyber scholarship to bring you the highlights. In this edition: Iran's cyber threat, integrating AI into foreign policy, and the benefits of multistakeholder governance.

Iran’s Cyber Threat: Espionage, Sabotage, and Revenge, by Collin Anderson, Karim Sadjadpour

Iran has been the target of multiple highly sophisticated cyber operations over the past ten years, and has increasingly turned toward launching its own cyberattacks. Anderson and Sadjadpour walk through Iran’s internet history, analyze Iran’s perceived threats and offensive operations, and discuss options the United States could pursue in response to Iran’s growing capabilities.

Iranian operations have so far been successful but technically simple, using off-the-shelf tools and aimed at soft targets such as human rights activists and poorly defended critical infrastructure. Although these operations have become a regular tool of statecraft for Iran, they are modestly funded and often disorganized. Offensive operations are primarily overseen by the Iranian Revolutionary Guard Corps (IRGC), and are not subject to oversight from civilian officials. The IRGC hires independent contractors, many of whom have a history of criminal activity which gives the IRGC plausible deniability if caught.

Operations aimed at external targets range from espionage and sabotage and are directed at regional adversaries like Saudi Arabia (e.g. the Shamoon incident) and Israel, or U.S. and European government personnel who work with Iran policy or in Persian language media (e.g. BBC Persia). Domestically, Iranian operations are aimed at human rights activists, reformist politicians, and media professionals. The authors also found evidence of IRGC-affiliated threat actors targeting Iranian diplomats, including Foreign Minister Javad Zarif, during Iran’s negotiations with the West over its nuclear program to monitor the negotiations.

Anderson and Sadjadpour argue the United States should respond to Iranian operations by securing state and local networks, as well as critical infrastructure sectors that have not been targeted in the past like transportation. They are likely targets given Iran’s limited capabilities and propensity to attack targets that pose the least resistance. Targeted sanctions should also be used in response to Iranian activity, but they should not impede ordinary Iranians’ access to the internet as has happened with Adobe, Android, and Google Cloud. Finally, the United States should continue to publicly prosecute hackers to in an effort to dissuade other potential hackers.

Artificial Intelligence and Foreign Policy, a report from Stiftung Neue Verantwortung by Ben Scott, Stefan Heumann, Philippe Lorenz

Scott, Heumann, and Lorenz argue that artificial intelligence (AI) will change the world. They note that “value chains will be turned upside down, labor markets will be disrupted and economic power will shift to those who control this new technology.” Moreover, AI could alter the existing balance of power as countries race to invest in AI to gain a strategic advantage over rivals.  

The authors point out that foreign ministries have adapted to the previous technological revolution in international affairs. In response to the internet, for example, foreign ministries set up cyber offices to coordinate activities, adapted public diplomacy for the social media age, looked outside the conventional foreign policy pipeline for talent, and experimented with new multistakeholder approaches to policymaking. Given that the AI revolution will be similarly disruptive to the international system, the authors argue that foreign ministries should prepare to do the same as they tackle three important AI trends: labor disruption, autonomous weapons systems, and threats to democratic principles.

• Labor Distribution: Given the AI’s potential to disrupt existing centers of economic power and upend labor markets, diplomats should monitor the impact that AI is having on local economies as part of their regular reporting duties. The authors argue that this, along with a means to measure the impact automation has on labor markets, will allow foreign ministries to make better assessments of regime stability, migration patterns, and trade trends. They also argue the need for better data governance to ensure that the data that underpins the AI revolution is not concentrated in a select few firms, increasing their market power.
   
• Autonomous Weapons: Foreign and defense ministries are already well aware of the challenge posed by lethal autonomous weapons (LAWS), but the authors argue that states should focus their foreign policy efforts on two areas: ensuring that major powers set out red lines as to what is and what is not acceptable use of LAWS, and keeping them out of the hands of terrorists.
   
• Democratic Values: The last ten years have demonstrated that the internet has been a liberation technology (e.g. Tunisia’s experience post-Arab Spring) and a repressive one (e.g. increased censorship in Gulf countries post Arab Spring) at the same time. The authors argue that AI is likely to also be a double-edged sword given its potential for “deepening existing social discrimination.” As a result, foreign ministries should use existing tools at their disposal, such as grant-making and outreach, to ensure that a positive and rights-based agenda for AI prevails.
   

Multistakeholder Internet Governance: successes and opportunities, by Larry Strickling and Jonah Force Hill

Strickling and Hill provide an overview of the 2016 transition of the Internet Assigned Numbers Authority and make the case for the multistakeholder approach to internet governance based on Strickling’s experience as head of the U.S. government organization in charge of the transition. The transition is seen as a milestone in the history of the internet given that the U.S. government relinquished its contractual control over the domain name system (DNS), a longstanding irritant between the United States and countries like China and Russia who wanted to exert control over the DNS through the multilateral system.

Instead of handing over control to a UN-like body, Washington handed control over the DNS to the Internet Corporation for Assigned Names and Numbers (ICANN) and a collection of engineers, civil society and private sector organizations. They argue that this multistakeholder approach produces inherently open and transparent results. Additionally, they explain that a multistakeholder approach aligns with the core principles of the internet, which include: decentralization, heterogeneity of devices and their ability to communicate (known as interoperability), freedom of expression, resilience, and openness.

Strickling and Hill outline at least four benefits that multistakeholderism has over traditional forms of governance:

• All stakeholders determine the decision-making process instead of one stakeholder group setting the rules for everyone else to follow;
• Non-governmental entities, such as the private sector or civil society organizations, have decision-making authority;
• Decision-making processes, while slow, are less financially burdensome than others, like legislation or litigation; and
• Participants are incentivized to arrive at consensus solutions instead of making maximalist demands.

Although the authors acknowledge that mutlistakeholder governance has its challenges, namely ensuring fair representation, finding consensus between stakeholders, and building process legitimacy, these issues also exist in multilateral governance mechanisms, undermining the idea that multilateralism is inherently better than multistakeholderism.