A Divided Internet
From the earliest days of the ARPANET through the 1990s, the United States shaped the development of the internet to conform with both its national interests and its unique global image. For the last two decades, the United States continued to promote its vision of a single, open, interoperable, secure, and reliable global network, even as much of the world began to push back against this ideal. In theory, the internet, known in the 1990s as “the information superhighway,” should have had a liberalizing effect on world politics as countries around the world connected to the network and Western ideas flowed without the filter of government control.12
U.S. officials and technologists often presented the internet as a take-it-or-leave-it proposition: governments would either plug in, allow the free flow of data, and enjoy the growth and prosperity of the digital age, or opt out and disadvantage themselves economically and politically. U.S. Secretary of State Hillary Clinton warned in a 2010 speech that “countries that restrict free access to information or violate the basic rights of internet users risk walling themselves off from the progress of the next century.”13
The era of the global internet is over.
Yet from the beginning, many governments—including Washington’s close allies—rejected this vision of a benign internet. Owing to their histories with antisemitism and different approaches to freedom of speech and the press, France and Germany, for example, demanded that U.S. platforms censor Nazi speech and refrain from selling or displaying banned materials such as Adolf Hitler’s infamous autobiographical work Mein Kampf. Those early demands produced the geo-located internet in operation today, in which the content seen and the products offered are determined by where an IP address is physically located on the globe.
The 2013 disclosures of U.S. intelligence collection by National Security Agency (NSA) contractor Edward Snowden raised suspicion in many European countries about the risks of dependence on American information and communication technologies. In 2016, the EU adopted the General Data Protection Regulation, which enhanced individual control over private data. The regulation has become a model for data privacy laws in Brazil, Japan, South Africa, South Korea, and other countries. Two rulings by the Court of Justice of the European Union (CJEU), Schrems I and Schrems II, invalidated the EU-U.S. Privacy Shield framework, an agreement that allowed U.S. firms to transfer the data of European citizens, stating that it did not adequately protect EU citizen data from the potential surveillance of U.S. law enforcement and intelligence agencies (see figure below).14
Although the GDPR allows Europe to influence the global debate over data governance, some European leaders also have argued for greater technological autonomy from Chinese hardware and U.S. software and infrastructure. In September 2021, for example, the European Commission announced plans to introduce legislation to promote semiconductor self-sufficiency. Europe is working to promote alternatives to Amazon, Google, Meta, and Microsoft through projects such as Gaia-X, a European shared cloud infrastructure.15 In early 2022, while holding its six-month rotating presidency of the EU Council, France identified EU digital sovereignty as one of three priorities. Privacy and security regulations could be used to require organizations to work with EU-controlled companies favored by the EU digital sovereignty policies. The war in Ukraine is an impetus for closer transatlantic cooperation, but it has also reinforced the arguments for European tech sovereignty, with the European Council declaring in March 2022 the need to “take further decisive steps towards building our European sovereignty, reducing our dependencies, and designing a new growth and investment model.”16
China and other authoritarian regimes deployed alternatives to the U.S. model even more forcefully. They see the open internet and U.S. tech companies as instruments of regime change. Over time, the Chinese government developed the technical and regulatory capabilities to actively censor the internet traffic that enters and leaves its country, rapidly take down information and block collective action, and tightly surveil, harass, and, when necessary, detain users. Platforms operating in China are legally responsible for content on their sites and employ legions of monitors to block and report activity of which the state disapproves.17
Russia’s internet was once more open and freewheeling. But after street protests in Moscow in 2012, the government began more actively blacklisting, censoring, and blocking content. Russia’s internet regulator, Roskomnadzor, ramped up its demands on Apple, Twitter, and other American companies to remove online content it deems illegal or to restore pro-Kremlin material that has been blocked. Russian President Vladimir Putin is also looking to decouple the domestic internet, Runet, from the global internet, moving users from American platforms to Russian social media and search engines.
In 2019, Russia adopted the Sovereign Internet Law, which seeks to shield its Runet from foreign attacks and mandates annual tests of telecommunications ability to disconnect the domestic internet from global cyberspace. During the Russian invasion of Ukraine, after Facebook announced that it would fact check claims from state media, Moscow entirely blocked the social media platform. It went on to block other sites as well, forcing Russians who wanted access to information not censored by Moscow to rely on virtual private networks (VPNs).18
Authoritarian regimes are not alone in seeking to tame the online world. Domestic and foreign actors’ use of social media to spread disinformation, misinformation, hate speech, and violent and extremist content has made policymakers in many democracies increasingly wary of an unregulated internet. For example, Germany’s NetzDG, or the Network Enforcement Act, levies fines of up to €50 million for failure to take down “evidently criminal” content within twenty-four hours. Singapore’s Protection From Online Falsehoods and Manipulation Act requires online platforms to issue corrections or remove content that the government deems false.19
When they cannot filter content at scale, countries can simply decide to disconnect briefly from the internet. Sixty nations have temporarily turned off the internet more than nine hundred times altogether over the last seven years.20 India, the world’s largest democracy, is also the world leader in internet shutdowns. In 2019 and 2020, Indian officials suspended the internet as many as 164 times for over 13,000 hours.21 Over the last three years, Ethiopia, Niger, Nigeria, and Uganda have also used shutdowns to control information and influence elections.
Despite the continued splintering of the internet, hundreds of millions of users of the network regard it as indispensable to their daily lives and to the operations of their geographically dispersed businesses. These needs and expectations of the internet as a connective platform have only increased since the beginning of COVID-19.
In addition, advanced economies are at the cusp of a new wave of digital innovation. Proponents of blockchain technology argue that Web 3.0 will be more secure, inclusive, and resilient, giving users greater control of their data and privacy. Blockchain technologies are expected to contribute $1.76 trillion to the global economy by 2030.22 The metaverse, as some describe it, is a linked virtual world that is an extension of the physical world, which could become a persistent, immersive, three-dimensional (3-D) reality in which people play, work, and socialize. The Internet of Things, which envisions tens of billions of internet-connected devices, is becoming the backbone of smart homes and cities that increase safety, improve health, and conserve energy. The consulting company McKinsey & Company estimates that IoT devices could enable $5.5 trillion to $12.6 trillion in value globally by 2030.23
If networks are built and operated for the needs of national sovereignty rather than to achieve global scale, then policymakers will need to understand and address the accompanying unavailability of information required to make business or personal decisions, the impaired ability to scale innovation at the lowest possible cost, and the ripple effects of digital fragmentation across other aspects of bilateral and multilateral relationships.
U.S. policies promoting an open, global internet have failed.
From the George W. Bush administration through the end of Donald Trump’s presidency, the United States promoted what is broadly known as the “internet freedom agenda.” This mandate was both economic, calling for a relatively laissez faire approach to regulation, and political, promoting an American ideal of free speech on the internet. In 2006, for example, the Bush administration established the Global Internet Freedom Task Force to maximize the free flow of data and funded grants for circumventing censorship. The Barack Obama administration had its own NetFreedom Task Force and spent over $100 million on encryption and anti-censorship technologies.24
Yet the United States has been unable to counter the persistent advance of the concept of cyber sovereignty. Beijing is sharing its technology and experience with other countries, holding meetings and seminars on its model of internet control with at least thirty countries and providing technical assistance to more than a dozen. In 2015, for example, Tanzania passed cybersecurity laws that resembled China’s. Egypt, Laos, Pakistan, Uganda, Vietnam, and Zimbabwe have proposed or passed legislation that mimics the blocking of websites, real name registration, data sharing, and content takedowns that characterize Chinese regulations. Early in 2021, Cambodia adopted Chinese-style internet controls and created an internet gateway through which all web traffic is routed and monitored.25
Beijing and Moscow are collaborating to reshape the global internet and reduce U.S. influence. In 2015, Chinese President Xi Jinping and Putin signed an agreement “on cooperation in ensuring international information security.” In the years after its signing, the majority of exchanges appear to be designed to share technologies, information, and processes on the control of the internet. The two countries have also promoted cyber sovereignty through the United Nations, International Telecommunication Union, Shanghai Cooperation Organization, and the BRICS group (Brazil, Russia, India, China, and South Africa).26
Even as the free and open internet loses ground, the United States and Europe remain divided over the legitimate role of privacy, antitrust, industry promotion, and data localization regulations. Despite a shared assessment of the threat of Chinese and Russian cyber operations and a commitment to the protection of human rights online, these unresolved issues have made it difficult to present a common front. Moreover, a number of democracies and more open societies have pursued new rules for technology companies on content, data, and competition, which has often resulted in limits of free expression and greater access to private data by government agencies.
In an effort to turn this tide, in April 2022 the Biden administration along with sixty-one countries issued a Declaration for the Future of the Internet.27 The signatories committed themselves to supporting “a future for the Internet that is an [sic] open, free, global, interoperable, reliable, and secure,” as well as to protecting human rights online, securing individuals’ privacy, and maintaining secure and reliable connectivity. The declaration reaffirms a positive vision of a “single interconnected communications system for all of humanity” that fosters innovation and economic growth, promotes creativity, reinforces democratic governance, and provides unfettered access to knowledge.
The driving idea behind the declaration is correct. Simply opposing the Chinese and Russian models of the internet is not enough. The United States needs to mobilize partners around a proactive vision of what it desires to accomplish in cyberspace, but the declaration has no binding commitments or new policy initiatives. Nothing suggests that this time is different and that a statement of strong principles will be able to stop or reverse the trend toward fragmentation. The United States needs to develop a path forward based on the reality of the internet today.
Data is a source of geopolitical power and competition.
Data is an indisputable source of national power. It fuels innovation, economic growth, and national security. It is at the center of global trade, with cross-border data flows growing roughly 112 times over from 2008 to 2020.28 The rapid expansion of fifth-generation (5G) wireless networks, cloud computing, and the Internet of Things means an explosion of data. The total data generated by 2025 is set to accelerate exponentially to 175 zettabytes; and this data will generate innovations in agriculture, logistics, manufacturing, pharmaceuticals, and other critical sectors.29 The World Economic Forum projects that 70 percent of new value created in the economy over the next decade will be based on digitally enabled platform business models.30 Technology companies that collect, analyze, and commercialize data, such as Alibaba, Alphabet, Amazon, Meta, and Tencent, have replaced oil and gas producers, consumer goods, and financial institutions at the top of the list of the world’s most valuable firms.
Data is also central to national security. Advances in machine learning, data analytics, and other digital technologies have a significant effect on military and intelligence capabilities. The National Security Commission on Artificial Intelligence warned that the U.S. military’s technical advantage could be lost within the next decade without an accelerated adoption of artificial intelligence, warning that “AI-enhanced capabilities will be the tools of first resort in a new era of conflict as strategic competitors develop AI concepts and technologies for military and other malign uses and cheap and commercially available AI applications ranging from ‘deepfakes’ to lethal drones become available to rogue states, terrorists, and criminals.”31 National intelligence agencies can collect and analyze data at scale, but new technologies also enable nonstate actors and individuals to execute the same tasks, sometimes more quickly than governments.32
U.S. adversaries increasingly see data as central to their economic and national security and are developing national strategies for its collection, application, and protection. China hosts the world’s largest e-commerce market, boasting 40 percent of global sales, and introduced the world’s first state-sponsored digital currency.33 In April 2020, China’s State Council formally designated data as a factor of production, joining land, labor, capital, and technology. In a 2021 speech to a Chinese Communist Party Politburo study session, Xi declared the digital economy to be a “critical force in reorganizing global factor resources, reshaping global economic structures, and changing global competition structures.”34 National Security Advisor Jake Sullivan remarked, “Strategic competitors see big data as a strategic asset.”35 So should the United States.
The United States has taken itself out of the game on digital trade.
Deep domestic political divides limit the United States’ ability to lead internationally. Despite countless congressional hearings on the benefits and drawbacks of regulating data markets and technology companies, the continued failure to adopt comprehensive privacy and data protection rules at home undercuts Washington’s argument that it has a model worth emulating. The United States is highly polarized on issues of free speech and the threats of market consolidation and as a result has been unable to decide on which values to optimize. This sense of inefficacy is heightened in contrast to the speed with which China has rolled out a matrix of regulations that includes the national cybersecurity law, data security law, and personal information protection law.36 Nowhere has domestic policy harmed the U.S. ability to lead more than in the arena of digital trade, the cross-border flow of data and digital services that now accounts for nearly $3 trillion in global wealth.
The U.S. withdrawal from the Trans-Pacific Partnership and continued aversion to multilateral trade agreements severely limit its ability to shape the rules guiding digital trade. Although the digital chapters of the U.S.-Korea Free Trade Agreement (KORUS) and the U.S.-Mexico-Canada Agreement (USMCA), as well as the U.S.-Japan Digital Trade Agreement, have strong protections for cross-border data flows, the United States has been sidelined as other trade groups come together. The Regional Comprehensive Economic Partnership (RCEP), an agreement among fifteen countries in the Asia-Pacific, for example, represents 30 percent of global gross domestic product (GDP) and entered into force without the United States on January 1, 2022. RCEP’s provisions regarding data localization, restrictions on cross-border data flows, and policies that champion domestic industry are, however, weak.37
Beijing has recently submitted its application to accede to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership and to join the Digital Economy Partnership Agreement. The Biden administration has announced that it is developing an Indo-Pacific framework that will address digital technology, along with other issues, but no further details have been released.38
- Richard Lei, “<a href="https://www.washingtonpost.com/archive/lifestyle/1994/01/14/al-gore-takes-aspin-on-the-info-highway/2fa7774b-0cb4-45e2-87dc-dfe254001093">Al Gore Takes a Spin on the Info Highway</a>,” <em>Washington Post</em>, January 14, 1994; Michael L. Best and Keegan W. Wade, “<a href="https://doi.org/10.1177/0270467609336304">The Internet and Democracy: Global Catalyst or Democratic Dud?</a>” <em>Bulletin of Science, Technology, and Society</em> 29, no. 4 (2009): 255–56.
- James A. Lewis, “<a href="https://www.csis.org/analysis/sovereignty-and-evolution-internet-ideology">Sovereignty and the Evolution of Internet Ideology</a>,” Center for Strategic and International Studies, October 30, 2020; “<a href="https://www.reuters.com/article/us-googlechina-clinton-highlights/highlights-of-clinton-speech-on-internet-freedomidUSTRE60K4R820100121">Highlights of Clinton Speech on Internet Freedom</a>,” Reuters, January 21, 2010.
- European Union Parliament and Council of the European Union, “<a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679">General Data Protection Regulation</a>,” April 27, 2016; EY Americas, “<a href="https://www.ey.com/en_us/consulting/how-toprepare-for-global-data-compliance">How To Prepare for Global Data Compliance</a>,” EY, May 4, 2021; Madalina Murariu, <a href="https://www.belfercenter.org/publication/data-sharing-between-united-statesand-european-union"><em>Data Sharing Between the United States and European Union: Impact of the Schrems II Decision</em></a>, Belfer Center, July 2021.
- Foo Yun Chee, “<a href="https://www.reuters.com/world/europe/tech-is-make-or-break-issue-eu-chief-executive-says-2021-09-15/">EU Plans ‘Chip Act’ To Promote Semiconductor Self-Sufficiency,</a>” Reuters, September 15, 2021.
- “<a href="https://www.consilium.europa.eu/media/54773/20220311-versailles-declaration-en.pdf">Versailles Declaration: Strengthening European Sovereignty and Reducing Strategic Dependencies</a>,” March 11, 2022.
- Graham Webster, “<a href="https://logicmag.io/china/a-brief-history-of-the-chinese-internet">A Brief History of the Chinese Internet</a>,” <em>Logic</em>, May 1, 2019; Qijia Zhou, “<a href="https://hir.harvard.edu/building-the-fire-wall">Building the (Fire) Wall: Internet Censorship in the United States and China,</a>” <em>Harvard International Review</em>, December 28, 2020; Gary King, Jennifer Pan, and Margaret E. Roberts, “<a href="https://j.mp/2nxNUhk">How Censorship in China Allows Government Criticism but Silences Collective Expression</a>,” <em>American Political Science Review</em>, 107, no. 2 (2013): 1–18.
- Andrei Soldatov and Irina Borogan, <em>The Red Web: The Struggle Between Russia’s Digital Dictators and the New Online Revolutionaries</em> (New York: PublicAffairs, 2015); Nick Macfie and Alexander Marrow, “<a href="https://www.reuters.com/technology/russiadisconnected- global-internet-tests-rbc-daily-2021-07-22">Russia Disconnects From Internet in Tests as It Bolsters Security</a>,” Reuters, July 22, 2021; Merrit Kennedy, “<a href="https://www.npr.org/2019/11/01/775366588/russian-law-takeseffect-that-gives-government-sweeping-power-over-internet">Russia’s ‘Sovereign Internet’ Law Gives Government Sweeping Power Over Internet</a>,” NPR, November 1, 2019; Adam Satariano and Paul Mozur, “<a href="https://www.nytimes.com/2021/10/22/technology/russiainternet- censorship-putin.html">Russia Is Censoring the Internet, With Coercion and Black Boxes</a>,” <em>New York Times</em>, October 22, 2021; Craig Timberg, Cat Zakrzewski, and Joseph Menn, “<a href="https://www.washingtonpost.com/technology/2022/03/04/russia-ukraineinternet-cogent-cutoff">A New Iron Curtain Is Descending Across Russia’s Internet</a>,” <em>Washington Post</em>, March 4, 2022.
- Jacob Berntsson and Maygane Janin, “<a href="https://www.lawfareblog.com/onlineregulation-terrorist-and-harmful-content">Online Regulation of Terrorist and Harmful Content</a>,” <em>Lawfare</em> (blog), October 14, 2021; Janosch Delcker, “<a href="https:// www.politico.eu/article/germany-hate-speech-internet-netzdg-controversiallegislation">Germany’s Balancing Act: Fighting Online Hate While Protecting Free Speech</a>,” <em>Politico</em>, October 1, 2020; Ashley Westerman, “<a href="https://www.npr.org/2019/10/02/766399689/fake-news-law-goes-into-effect-in-singapore-worryingfree-speech-advocates">‘Fake News’ Law Goes Into Effect in Singapore, Worrying Free Speech Advocates</a>,” NPR, October 2, 2019.
- Marianne Diaz Hernandez, Rafael Nunes, Felicia Anthonio, and Sage Cheng, “<a href="https://www.accessnow.org/who-is-shutting-down-the-internet-in-2021">#KeepItOn Update: Who Is Shutting Down the Internet in 2021?</a>,” Accessnow, June 7, 2021; Peter Guest, “<a href="https://restofworld.org/2022/blackouts">In the Dark: Seven Years, 60 Countries, 935 Internet Shutdowns: How Authoritarian Regimes Found an Off Switch for Dissent</a>,” Rest of the World, April 26,<br /> 2022.
- Mehab Qureshi, “<a href="https://indianexpress.com/article/technology/tech-news-technology/india-ranks-highest-in-internet-suspensions-7654773">Decoding India’s Dubious Distinction as World’s ‘Internet Shutdown Capital</a>,’” <em>Indian Express</em>, December 4, 2021.
- “<a href="https://www.pwc.com/gx/en/news-room/press-releases/2020/blockchain-boostglobal-economy-track-trace-trust.html">Blockchain Technologies Could Boost the Global Economy U.S.$1.76 Trillion by 2030 Through Raising Levels of Tracking, Tracing and Trust</a>,” PwC, October 13, 2020.
- Michael Chui, Mark Collins, and Mark Patel, “<a href="https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/iot-value-set-to-accelerate-through-2030-where-and-how-to-capture-it">IoT Value Set to Accelerate Through 2030: Where and How to Capture It</a>,” McKinsey & Company, November 9, 2021.
- Jack Goldsmith, “<a href="https://knightcolumbia.org/content/failure-internetfreedom">The Failure of Internet Freedom</a>,” Knight Institute at Columbia University, June 13, 2018;<br /> Jack Goldsmith and Andrew Keane Woods, “<a href="https://www.theatlantic.com/ideas/archive/2020/04/what-covid-revealed-about-internet/610549">Internet Speech Will Never Go Back to Normal</a>,” <em>The Atlantic</em>, April 25, 2020.
- Adrian Shahbaz, “<a href="https://freedomhouse.org/report/freedom-net/2018/rise-digital-authoritarianism">Freedom on the Net 2018: The Rise of Digital Authoritarianism</a>,” Freedom House, October 2018; Jessica Chen Weiss, “<a href="https:// warontherocks.com/2020/02/understanding-and-rolling-back-digital-authoritarianism">Understanding and Rolling Back<br /> Digital Authoritarianism</a>,” <em>War on the Rocks</em>, February 17, 2020; Prak Chun Thul, “<a href="https://www.reuters.com/business/media-telecom/cambodia-adopts-china-style-internet-gateway-amid-oppositioncrackdown- 2021-02-17/">Cambodia Adopts China-style Internet Gateway Amid Opposition Crackdown</a>,” Reuters, February 17, 2021.
- Adam Segal, “<a href="https://warontherocks.com/2020/08/peering-intothe- future-of-sino-russian-cyber-security-cooperation">Peering Into the Future of Sino-Russian Cyber Security Cooperation</a>,” <em>War on the Rocks</em>, August 10, 2020; <a href="https://cyber-peace.org/wp-content/uploads/2013/05/RUS-CHN_CyberSecurityAgreement201504_InofficialTranslation. pdf">Sino-Russian Cybersecurity Agreement</a> art. 3, April 30, 2015, no. 788-p; Luca Belli, “<a href="https://directionsblog.eu/ cybersecurity-convergence-in-the-brics-countries">Cybersecurity Convergence in the BRICS Countries</a>,” <em>Directions</em>, September 17, 2021.
- “<a href="https://www.whitehouse.gov/wp-content/uploads/2022/04/Declaration-for-the-Future-for-the-Internet_Launch-Event-Signing-Version_FINAL.pdf">A Declaration for the Future of the Internet</a>,” April 28, 2022.
- Matthew Slaughter and David McCormick, “<a href="https://www.foreignaffairs.com/articles/united-states/2021-04-16/data-power-new-rules-digital-age">Data Is Power</a>,” <em>Foreign Affairs</em>, April 16, 2021.
- A zettabyte is one sextillion bytes or 1021 (1,000,000,000,000,000,000,000)
- WEF, “<a href="https://www.weforum.org/platforms/shaping-the-future-of-digitaleconomy-and-new-value-creation">Shaping the Future of Digital Economy and New Value Creation</a>,” accessed May 18, 2022.
- Eric Schmidt, Robert Work, et al., <em><a href="https://www.nscai.gov/2021-final-report/">Final Report: The Beginning of the Beginning</a></em> (Washington, D.C.: National Security Commission on Artificial Intelligence, 2021).
- Amy Zegart, “<a href="https://www.foreignaffairs.com/articles/united-states/2020-11-02/ intelligence-isnt-just-government-anymore">Intelligence Isn’t Just for Government Anymore</a>,” <em>Foreign Affairs</em>, November 2, 2020.
- Lizhi Liu, “<a href="https://doi.org/10.1007/s12116-021-09319-8">The Rise of Data Politics: Digital China and the World</a>,” <em>Studies in Comparative International Development</em> 56, no. 1 (2021): 45–67.
- “<a href="http://www.gov.cn/zhengce/2020-04/09/content_5500622.htm">Opinion of the Central Committee of the Communist Party of China and the State Council on Building a More Perfect Market-Based Allocation System and Mechanism for Factors of Production</a>,” April 9, 2020; Rogier Creemers, Johanna Costigan, and Graham Webster,<br /> “<a href="https://digichina.stanford.edu/work/translation-xi-jinpings-speech-to-the-politburo-study-session-onthe-digital-economy-oct-2021">Translation: Xi Jinping’s Speech to the Politburo Study Session on the Digital Economy—Oct. 2021</a>,” DigiChina, January 28, 2022.
- Jake Sullivan, “<a href="https://www.whitehouse.gov/nsc/briefing-room/2021/07/13/ remarks-by-national-security-advisor-jake-sullivan-at-the-national-securitycommission-on-artificial-intelligence-global-emerging-technology-summit">Remarks at the National Security Commission on Artificial Intelligence Global Emerging Technology Summit</a>,” White House press release, July 13, 2021.
- Matt Burgess, “<a href="https://www.wired.com/story/china-personal-data-law-pipl">Ignore China’s New Data Privacy Law at Your Peril</a>,” <em>Wired</em>, November 5, 2021; Jack Wagner, “<a href="https://thediplomat.com/2017/06/chinas-cybersecurity-law-what-you-need-to-know">China’s Cybersecurity Law: What You Need to Know,</a>” <em>The Diplomat</em>, June 1, 2017.
- Gary Clyde Hufbauer and Megan Hogan, “<a href="https://www.piie.com/reader/publications/policy-briefs/digital-agreementswhats-covered-whats-possible">Digital Agreements: What’s Covered, What’s Possible</a>,” Peterson Institute for International Economics policy brief, October 2021.
- White House, “<a href="https://www.whitehouse.gov/briefing-room/statementsreleases/ 2021/10/27/readout-of-president-bidens-participation-in-the-eastasia-summit">Readout of President Biden’s Participation in the East Asia Summit</a>,” October 27, 2021.
Rising Risks in Cyberspace
Much of the early concern around cyberspace focused on disruptive and destructive attacks on critical infrastructure. In 2007, Russia-based hackers mounted a high-intensity, low-sophistication attack on Estonia over a dispute about the movement of a statue of a Russian soldier commemorating World War II. That campaign, which some dubbed Web War I, severely disrupted banking, media, and public services. In 2012, General Keith Alexander, director of the National Security Agency, said in congressional testimony that it was only a matter of time before hackers destroyed elements of critical infrastructure in the United States. The same year, in a speech to business executives, then U.S. Secretary of Defense and former CIA Director Leon Panetta cautioned that the country could face a “cyber Pearl Harbor” and warned that a terrorist group or enemy state could gain control of “critical switches” to “derail passenger trains, or even more dangerous, derail trains loaded with lethal chemicals.”39
In a joint operation, the United States and Israel appeared to be the first to cross the Rubicon, launching the first known cyber campaign to cause physical damage. “Olympic Games” was designed to set Iran’s nuclear program back by destroying centrifuges at its enrichment facility in Natanz. In response, Iranian hackers knocked offline the websites of a number of American banks, including Wells Fargo, JPMorgan Chase, and Bank of America. In 2012, Iran wiped the data on thirty thousand computers at oil producer Saudi Aramco, and a follow-on attack damaged Rasgas, a joint venture between Qatar Petroleum and ExxonMobil that is the second-biggest producer of liquefied natural gas in the world. North Korean hackers disrupted South Korean banks and telecommunications and, in anger over a film that mocked North Korean leader Kim Jong-un, stole one hundred terabytes of internal data from Sony and damaged two-thirds of the company’s servers and computers.40
These types of attacks were, however, the exceptions. Over the last decade, most cyber operations have been attacks that violate sovereignty but remain below the threshold for the use of force or armed attack (see figure below). These breaches are used for political advantage, espionage, and international statecraft, with the most damaging attacks undermining trust and confidence in social, political, and economic institutions.41
Russian operatives skilled in cyber espionage interfered in the Ukrainian election of 2014 through a combination of hacking, disinformation, and denial of service attacks. Moscow used a similar playbook in the 2016 U.S. elections, breaking into the email accounts of the Democratic National Committee and Clinton campaign chairman John Podesta and posting the documents publicly. These documents, as well as disinformation and misinformation that exacerbated social, cultural, and political divisions, were amplified on social media through bots and fake accounts. Russia continues to develop and evolve these methods, posing challenges to the cohesion of the United States and its allies.42
China-backed hackers deployed widespread political and military espionage as well as a massive campaign of cyber-enabled intellectual property theft from the private sector. Chinese operatives targeted the State Department, U.S. Department of Defense, White House, and defense contractors and, in 2015, were behind the theft of twenty-two million records of federal employees, including their security background checks, from the Office of Personnel Management. Cyber espionage has also been central to Beijing’s attempt to make the Chinese economy more competitive and less dependent on foreign suppliers for critical technologies. The Office of the National Counterintelligence Executive declared that “Chinese actors are the world’s most active and persistent perpetrators of economic espionage.”43 Chinese operators have become adept at targeting and exploiting big data, which can be used for intelligence and counterintelligence as well as driving advancements in machine learning.
Over the last few years, Chinese and Russian operations have become more brazen and proficient. Chinese hackers exploited a so-called zero-day vulnerability—a software weakness unknown to its vendor—in Microsoft Exchange email servers, allowing them to gain access to thousands of sensitive networks. Moreover, knowing that Microsoft was pushing out a protective patch for the vulnerability, the hackers scanned almost the entire internet to find exposed servers to be compromised.44 The breach of the software firm SolarWinds allowed Russian hackers to access the networks of major government agencies and over one hundred companies (see figure below). The SolarWinds campaign was exposed because the cybersecurity firm FireEye discovered hackers in their networks, stealing “Red Team” tools, a collection of malware and exploits used to test customers’ vulnerabilities.
The trend line thus far is clear: increased digitization goes hand in hand with increased vulnerability, given that nearly every aspect of business and statecraft becomes exposed to disruption, theft, or manipulation.
Cybercrime is a national security risk.
COVID-19 has accelerated global dependence on digital infrastructure. Public health measures and stay-at-home orders led to a massive shift in teleworking. By the end of 2020, 71 percent of workers in the United States had switched in whole or in part to working from remote locations outside their offices. COVID related cyber operations surged, with hackers targeting vaccine research and development (R&D) efforts. The swell of online activities increased the incentives for malicious actors to exploit vulnerabilities in all sectors of economic and political activity.45
Over the last three years, the risk of ransomware has ballooned (see figure below). The risk is not just financial. Ransomware attacks have paralyzed local governments, school districts, and hospitals. In 2019, a ransomware attack shut down the operations of a U.S. Coast Guard facility for thirty hours, and the University of Vermont Medical Center furloughed or reassigned about three hundred employees after an attack on the hospital’s networks. Homeland Security officials worried that ransomware attacks on voter registration systems could disrupt the 2020 elections. In May 2022, the new president of Costa Rica, Rodrigo Chaves Robles, declared a national emergency after a ransomware attack by the Conti gang crippled the Finance and Labor Ministry as well as the customs agency. The group also posted stolen files to the dark web to extort the government to pay the ransom.46
Ransomware groups are professionalizing and marketing in ways reminiscent of Silicon Valley startups. Highly capable groups have become “initial access brokers” that specialize in gaining a foothold on target networks and then selling that access to ransomware operators who can rent a payload—a separate encryption malware—from a “ransomware-as-a-service” provider.47 Zero days are expensive to buy and develop. They have historically been deployed by state-backed groups, yet in 2021 one-third of all hacking groups exploiting zero days were financially motivated criminals.48 With greater ransom payments, criminal hacking groups can recruit and pay for technical talent. The most elite groups are developing skills previously reserved for a small number of military and intelligence agencies, but “crime-as-a-service” providers offer a wide range of attacks with a significant economic effect.
The emergence of cryptocurrencies has enabled this explosive growth in cybercrime. Ransomware preexisted cryptocurrencies, yet criminals struggled to extract significant payments through the traditional financial system. Cryptocurrencies make it easier to monetize breaches in network security; as a result, more groups are forming to launch ransomware. According to Chainalysis, a cryptocurrency tracking and analytics firm, in 2021 more than $400 million worth of cryptocurrency payments went to groups “highly likely to be affiliated with Russia.”49 The United States has passed “know-your-customer” provisions for cryptocurrency exchanges and sanctioned Russian exchanges, and in June 2021 the FBI tracked and “clawed back” a portion of the payment made in bitcoin to the Darkside ransomware group that extorted Colonial Pipeline. Whether these efforts are sustainable or can change the economics of ransomware is unclear.50
In addition, authoritarian states have increasingly blurred the line between state and nonstate actors in cyberspace. The United States has alleged that China, Iran, North Korea, and Russia at times rely on private technology firms, organized crime and hacker groups, and civil militias to conduct operations. During the Russia-Ukraine war, the Conti group published a statement declaring their loyalty to Moscow and threatening retaliation against countries that supported Ukraine.51 As Mieke Eoyang, the U.S. deputy assistant secretary of defense for cyber policy, told the House Armed Services Committee, “The line between nation state and criminal actors is increasingly blurry as nation-states turn to criminal proxies as a tool of state power, then turn a blind eye to the cybercrime perpetrated by the same malicious actors.”52
The United States can no longer treat cyber and information operations as two separate domains.
Although disinformation, misinformation, and the abuse of social media are outside the scope of this Task Force, the Russia-Ukraine war demonstrates how tightly intertwined cyber and information operations are. Ukraine, with the assistance of the United States and its European partners, was able in the first months of the conflict to defend its critical infrastructure from disruptive cyberattacks. Continued access to communication and internet networks proved crucial to Ukrainian President Volodymyr Zelensky and other officials’ mobilizing domestic and international support for Ukraine, controlling the narrative of the war, and countering Russian propaganda. On the other side, Russian hackers planted a fake message in the livestream of a broadcast announcing a surrender and broke into the Facebook accounts of high-profile Ukrainian military leaders and politicians, then used their access to post false messages that Ukrainian forces were laying down their arms.53
Although the United States has struggled both to counter information operations at home and to find the right authorities and institutions to promote its efforts to shape narratives in cyberspace, the Russia-Ukraine war has clearly demonstrated how cyber capabilities, defensive and offensive, are essential enablers of successful information operations. Remarking on the conflict, Lieutenant General Charles Moore, CYBERCOM deputy commander, noted, “Without a doubt, what we have learned is that cyber-effects operations in conjunction—in more of a combined arms approach—with what we call traditionally information operations, is an extremely powerful tool.”55
AI and other new technologies will increase strategic instability.
The consensus in the cybersecurity community is that the offense has the advantage over the defense, but this is less true for complex, destructive attacks. Only the most sophisticated attackers can maintain an undetected presence on networks over an extended period. It is difficult for the attacker to create widespread, long-lasting effects, and sophisticated attacks require a significant investment of resources and talent.56
The relationship between attackers and defenders could shift, however, as new technologies come online. The rapid rise of artificial intelligence and, eventually, quantum computing could make the work of cyber defenders more difficult over time, with faster and faster computers enabling increasingly complex attacks and more rapid network intrusion. AI-enabled state cyberattacks would be more precise and tailored; the rise of sophisticated natural language processing models is likely to improve spear-phishing abilities. Malware could mutate into thousands of forms once it is in a network. For the defender, AI could accelerate the detection of attackers inside a network. Machine learning could help automate vulnerability discovery, deception, and attack disruption.57
The eventual effect of such developments on the dynamic between offense and defense is uncertain. One outcome that appears likely is that both attackers and defenders will rely on a greater degree of automation, which could have an adverse effect on strategic stability. The United States now exerts tight political control over state-sponsored cyber operations. A reliance on a higher degree of automation could lead to unintended consequences.
- Joshua David, “<a href="https://www.wired.com/2007/08/ff-estonia/">Hackers Take Down the Most Wired Country in Europe</a>,” <em>Wired</em>, August 21, 2007; Elisabeth Bumiller and Thom Shanker, “<a href="https://www.nytimes.com/2012/10/12/world/panetta-warns-ofdire- threat-of-cyberattack.html">Panetta Warns of Dire Threat of Cyberattack on U.S.</a>,” <em>New York Times</em>, October 11, 2012.
- David Sanger, “<a href="https://www.nytimes.com/2012/06/01/world/middleeast/obamaordered-wave-of-cyberattacks-against-iran.html">Obama Ordered Wave of Cyberattacks Against Iran</a>,” <em>New York Times</em>, June 1, 2012; Thom Shanker and David Sanger, “<a href="https://www.nytimes.com/2012/10/14/world/middleeast/us-suspects-iranianswere-behind-a-wave-of-cyberattacks.html">U.S. Suspects Iran Was Behind a Wave of Cyberattacks</a>,” <em>New York Times</em>, October 13, 2012; Peter Elkind, “Sony Pictures: Inside the Hack of the Century,” <em>Fortune</em>, June 25, 2016.
- Neal Pollard, Adam Segal, and Matthew Devost, “<a href="https://warontherocks.com/2018/01/trust-war-dangerous-trends-cyber-conflict">Trust War: Dangerous Trends in Cyber Conflict</a>,” <em>War on the Rocks</em>, January 16, 2018; Jacquelyn Schneider, “<a href="https://www.foreignaffairs.com/articles/world/2021-12-14/world-without-trust">A World Without Trust</a>,” <em>Foreign Affairs</em>, December 14, 2021.
- Director of National Intelligence, “<a href="https://www.dni.gov/files/documents/ICA_2017_01.pdf">Assessing Russian Activities and Intentions in Recent US Elections</a>,” January 6, 2017; U.S. Department of Justice, “<a href="https://www.justice.gov/archives/sco/file/1373816/download">Report on the Investigation Into Russian Interference in the 2016 Presidential Election</a>,” March 2019.
- Dustin Voltz, “<a href="https://www.wsj.com/articles/u-s-spyagency-warns-beijing-s-hackers-aiming-at-u-s-defense-industrymilitary-11603206459">U.S. Spy Agency Warns That Chinese Hackers Target Military, Defense Industry</a>,” <em>Wall Street Journal</em>, October 20, 2020; Brian Naylor, “<a href="https://www.npr.org/sections/ alltechconsidered/2016/06/06/480968999/one-year-after-opm-data-breach-what-hasthe-government-learned">One Year After OPM Data Breach, What Has the Government Learned?</a>,” NPR, June 6, 2016; Office of the National Counterintelligence Executive, “<a href="https://www.dni. gov/files/documents/Newsroom/Reports%20and%20Pubs/20111103_report_fecie.pdf">Foreign Spies Stealing U.S. Economic Secrets in Cyberspace</a>,” October 2011.
- Kevin Mandia, “<a href="https://www.fireeye.com/blog/products-andservices/ 2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protectcommunity.html">FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community</a>,” FireEye, December 8, 2020; Gordon Corera, “<a href="https://www.bbc.com/news/world-asia-china-57889981">China Accused of Cyber-Attack on Microsoft Exchange Servers</a>,” BBC, July 19, 2021.
- Kim Parker, Juliana Menasce Horowitz, and Rachel Minkin, “<a href="https://www.pewresearch.org/social-trends/2020/12/09/ how-the-coronavirus-outbreak-has-and-hasnt-changed-the-way-americans-work">How the Coronavirus Outbreak Has—and Hasn’t—Changed the Way Americans Work</a>,” Pew Research Center, December 9, 2020; Dan Patterson, “<a href="https://www.cbsnews.com/news/ransomware-phishing-cybercrime-pandemic">Cybercrime Is Thriving During the Pandemic, Driven by Surge in Phishing and Ransomware</a>,” CBS News, May 19, 2021.
- Ransomware Task Force, “<a href="https://securityandtechnology.org/wp-content/uploads/2021/09/IST-Ransomware-Task-Force-Report.pdf">Combatting Ransomware</a>,” Institute for Security and Technology, last updated September 23, 2021; Ellen Nakashima, “<a href="https://www.washingtonpost.com/national-security/cyber-command-trickbotdisrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html">Cyber Command Has Sought to Disrupt the World’s Largest Botnet, Hoping to Reduce Its Potential Impact on the Election</a>,” <em>Washington Post</em>, October 9, 2020; Javier Cordoba and Christopher Sherman, “<a href="https://apnews.com/article/ russia-ukraine-technology-business-gangs-costa-rica-9b2fe3c5a1fba7aa7010eade96a086ea">Cyber Attack Causes Chaos in Costa Rica Government Systems</a>,” Associated Press, April 22, 2022.
- Davis Hake and Vishaal Hariprasad, “<a href="https://www.cfr.org/blog/ransomwares-pathproductmarket- fit">Ransomware’s Path to Product/Market Fit</a>,” Net Politics (blog), September 2, 2021; Anthony M. Freed, “<a href="https://www.cybereason.com/blog/how-do-initial-access-brokers-enable-ransomware-attacks">How Do Initial Access Brokers Enable<br /> Ransomware Attacks?</a>” Cybereason, October 5, 2021.
- Patrick Howell O’Neill, “<a href="https://www.technologyreview.com/2022/04/21/1050747/cybercriminals-zero-day-hacks">Wealthy Cybercriminals Are Using Zero-Day Hacks More Than Ever</a>,” <em>Technology Review</em>, April 21, 2022.
- WION Web Team, “<a href="https://www.wionews.com/world/russia-responsible-for-74-of-ransomware-attacks-inworld-hackers-bagged-400mn-in-crypto-report-453867">Russia Responsible for 74% of Ransomware Attacks in World, Hackers Bagged $400mn in Crypto: Report</a>,” WION, last updated February 17, 2022.
- U.S. Department of the Treasury, “<a href="https://home.treasury.gov/news/press-releases/jy0364">Treasury Takes Robust Actions to Counter Ransomware</a>,” news release, September 21, 2021; Alexander Osipovich, “<a href="https://www.wsj.com/articles/global-regulators-back-tougher-rules-to-prevent-criminalsfrom-using-crypto-11635413402?reflink=desktopwebshare_permalink">Global Regulators Back Tougher Rules to Prevent Criminals From Using Crypto</a>,” <em>Wall Street Journal</em>, October 28, 2021; David Uberti, “<a href="https://www.wsj.com/articles/how-the-fbi-got-colonial-pipelinesransom-money-back-11623403981">How the FBI Got the Colonial Pipeline’s Ransom Money Back</a>,” <em>Wall Street Journal</em>, June 11, 2021.
- AJ Vicens, “<a href="https://www.cyberscoop.com/conti-ransomware-russia-ukraine-critical-infrastructure">Conti Ransomware Group Announces Support of Russia, Threatens Retaliatory Attacks</a>,” CyberScoop, February 25, 2022; Catalin Cimpanu, “<a href="https://therecord.media/conti-ransomware-gang-chats-leaked-by-proukraine-member">Conti Ransomware Gang Chats Leaked by Pro-Ukraine Member</a>,” <em>The Record</em>, February 27, 2022.
- C. Todd Lopez, “<a href="https://www.defense.gov/News/News- Stories/Article/Article/2618386/in-cyber-differentiating-between-state-actorscriminals-is-a-blur">In Cyber, Differentiating Between State Actors, Criminals Is a Blur</a>,” U.S. Department of Defense, May 14, 2021.
- Kate Conger, “<a href="https://www.nytimes.com/2022/04/05/us/politics/ukraine-russia-hackers.html">Hackers’ Fake Claims of Ukrainian Surrender Aren’t Fooling Anyone. So What’s Their Goal?</a>,” <em>New York Times</em>, April 5, 2022.
- Margarita Levin Jaitner, “<a href="https://ccdcoe.org/uploads/2018/10/Ch10_CyberWarinPerspective_Jaitner.pdf">Russian Information Warfare: Lessons From Ukraine</a>,” in <em>Cyber War in Perspective: Russian Aggression against Ukraine</em>, ed. Kenneth Geers (Tallinn:NATO CCD COE Publications, 2015), quoted in Eric Rosenbach and Sue Gordon, “<a href="https://www. foreignaffairs.com/articles/united-states/2021-12-14/americas-cyber-reckoning">America’s Cyber Reckoning</a>,” <em>Foreign Affairs</em>, December 14, 2021.
- Quoted in Alyza Sebinius, “<a href="https://www.lawfareblog.com/cyber-commands-annual-legalconference">Cyber Command’s Annual Legal Conference,</a>” <em>Lawfare</em> (blog), April 18, 2022.
- Rebecca Slayton, “<a href="https://doi.org/10.1162/ISEC_a_00267">What Is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment</a>,” <em>International Security</em> 41, no. 3(2017): 72–109; Brandon Valeriano, “<a href="https://www.cato.org/commentary/does-cyber-offense-have-advantage">Does the Cyber Offense Have the Advantage?</a>,” Cato Institute, December 20, 2021.
- Micah Musser and Ashton Garriott, “<a href="https://cset.georgetown.edu/publication/machine-learning-and-cybersecurity">Machine Learning and Cybersecurity: Hype and Reality,</a>” Center for Security and Emerging Technology, June 2021.
A Failure to Impose Costs
The United States has failed to impose sufficient costs on attackers.
Scholars and policymakers have long debated whether deterrence is possible in cyberspace. Early works argued that several characteristics of cyberspace made it nearly impossible to dissuade a potential adversary from taking a hostile action with the threat of retaliation or a response that imposes unacceptable costs.58 One of the central problems with deterring computer attacks is retaliating in a timely, accurate, and proportional manner. As noted earlier, most attacks appear to be below the threshold for meaningful military retaliation. Deterrence by denial, which would raise the cost to attackers by improving defense, is equally difficult, as the defender seems to be at a perpetual disadvantage.
In addition, skeptics of deterrence highlight the interconnected nature of cyberspace, technological changes that shift the battlespace, and the near constant contact between adversaries to argue that cyber actors will constantly seek advantages in cyberspace.59 Skeptics argue that, rather than holding on to the hope of deterring actions, the United States should adopt a posture that encompasses resilience, active defense, and more aggressive disruption of attackers.
The proponents of cyber deterrence agree with critics that Cold War or classical nuclear deterrence does not cohere in cyberspace. Cyber deterrence in their view is less an attempt to prevent one clear catastrophic event, such as a nuclear strike, and more a series of efforts to shape behavior along a spectrum of possible attacks.60 In this view, deterrence could fend off destructive attacks on the U.S. transportation, energy, or electrical networks. Few actors are capable of launching such attacks, these actions are clearly above the threshold for an armed attack, and the United States would likely be able to determine who is responsible and launch a punishing reprisal.
For other types of attacks, such as cybercrime or espionage, the supporters of cyber deterrence argue that the United States cannot expect a complete cessation of activity. Instead, it will have to adopt a layered approach that blends threats of punishment, denial, sanctions, diplomatic efforts, economic entanglement, and norms, as well as the disruption of persistent engagement.61 A layered approach could allow the United States to achieve pauses, cessations, or restraints on certain classes of cyberattacks.
Both strains of thought have influenced U.S. cyber strategy. In 2018, U.S. Cyber Command released a strategic vision announcing the concept of persistent engagement.62 Cyber Command would maintain “the initiative in cyberspace by continuously engaging and contesting adversaries and causing them uncertainty wherever they maneuver.” Or, as General Paul Nakasone, commander of CYBERCOM, wrote about the implementation of the strategy, “To protect our most critical public and private institutions from threats that continue to evolve in cyberspace, we cannot operate episodically. While we cannot ignore vital cyber defense missions, we must take this fight to the enemy, just as we do in other aspects of conflict.”63
To enable this strategy, the Trump administration relaxed restrictions on offensive cyber actions. National Security Presidential Memorandum 13 reportedly allowed Cyber Command to undertake actions that fall below the use of force or that would not cause death, destruction, or significant economic upheaval without a lengthy approval process.64 Provisions in the John McCain Act (2019 NDAA) preauthorize CYBERCOM to take “appropriate and proportional” action in foreign cyberspace to “disrupt, defeat, and deter” an “active, systematic, and ongoing” campaign of attacks on government or private networks by China, Iran, North Korea, or Russia.65 The Trump administration also reportedly issued a presidential finding allowing the CIA more freedom to conduct offensive cyber operations.66
Since the announcement of the strategy, Cyber Command, working with the NSA, actively protected the 2018 election, disrupting the Internet Research Agency and other Russian actors. CYBERCOM has also deployed personnel to launch “hunt forward” missions in sixteen countries, including Estonia, Lithuania, Montenegro, and North Macedonia, as well as countries in Asia and the Middle East, to monitor adversary activities and identify malware and share it with U.S. partners.67 Cyber Command worked with an unnamed foreign government in 2021 to interrupt the operation of the ransomware gang REvil, allegedly blocking its website by hijacking traffic.68 In January 2022, the United States posted tools used by MuddyWater, a group with suspected ties to the Iranian Ministry of Intelligence and Security, to VirusTotal, a public repository of malware. It had previously posted samples of malware used by North Korean and Russian cyber actors.69 Months before the invasion of Ukraine, cyber mission forces from CYBERCOM deployed to the country to search for Russian malware implanted in critical infrastructure.70
Given the high degree of secrecy around cyber operations and the lack of public information on the number of attacks that Cyber Command disrupts, it is difficult to gauge the success of persistent engagement. Trump administration officials have argued that CYBERCOM successfully disrupted Russian information operations during the 2018 elections.71 These successes appear to be tactical, slowing adversaries for a time. The SolarWinds and Microsoft Exchange Server attacks suggest, however, that the United States continues to fail to impose significant costs on adversaries for cyber espionage operations. The United States’ high degree of digital dependency enforces restraint, preventing it from retaliating powerfully against harmful operations in cyberspace. Moving to more destructive attacks threatens an escalatory response by adversaries that could leave the United States more vulnerable. Mutual cyber offense alone is unlikely to function as a sufficiently clear deterrent to opponents.
Norms are more useful in binding friends together than in constraining adversaries.
While the United States has searched for more effective ways to impose costs on attackers, it has also worked to define the rules for responsible state behavior in cyberspace. These efforts have included multilateral and bilateral negotiations as well as public attribution of attacks, indictments, and sanctions.
The United States has pursued norms—expectations about behavior that make it possible to hold other states accountable—because arms control agreements, like those used to control conventional or nuclear weapons, will not prove viable in cyberspace. Nuclear arms agreements counted, monitored, and limited the range and number of air-, sea-, land-, and space-based weapons. In contrast, cyber exploits reflect vulnerabilities in computer code and lack transparency. The certainty of verification does not exist, and as a result, the composition of a stable system of arms control in cyberspace becomes a practical impossibility. Nuclear and conventional weapons take years to produce and deploy to national militaries; cyber weapons, in contrast, are developed more quickly and in relative secrecy. Moreover, only a handful of countries have nuclear weapons. Many more states, along with a handful of nonstate actors, are developing cyber doctrines and corresponding capabilities. Finally, over time nuclear weapons were governed by a norm of stable deterrence and nonuse, whereas cyber operations are difficult to deter and used extensively.72
The United States has enjoyed some success gaining consensus on norms through the UN Group of Governmental Experts on Advancing Responsible State Behavior in Cyberspace in the Context of International Security (GGE).73 First established in 2004, the GGE now consists of experts representing twenty-five countries, including the United States, Australia, China, Russia, and the United Kingdom. In 2015, it issued a consensus report on a set of norms that largely reflected the U.S. delegation’s position on the application of international law in cyberspace.74 Eleven norms were formally adopted by the UN General Assembly, including those of state responsibility and the duty to assist, as well as a prohibition of intentionally damaging or impairing others’ critical infrastructures or targeting another state’s computer emergency response teams during peacetime.75
Follow-on meetings in 2017 failed to reach consensus because the group was divided over how to apply international law. In 2018 Washington and Moscow submitted proposals for parallel processes. The United States pushed for the continuation of the GGE; Russia advocated for an Open-Ended Working Group (OEWG) intended to run through 2025 in which all UN member states could participate. Despite fears that the two groups would diverge in their work, the OEWG issued a report that reaffirmed the 2015 GGE consensus.76 A joint resolution proposed by the United States and the Russian Federation endorsed both reports, but meetings in the wake of the Russian war on Ukraine have been contentious, with the United States and its allies calling out Russia for violating the norms against interfering with critical infrastructure.
During the Obama administration, in response to a massive cyber campaign by state-backed hackers from China, the United States worked to establish a norm against the cyber-enabled theft of intellectual property in pursuit of competitive economic advantage. This was not a norm shared by all partners. Some U.S. allies were known to conduct espionage on behalf of individual companies. Still, Washington argued that states could be expected to conduct espionage against political or military targets, but operations against the private sector for commercial gain should be off limits.
In an effort to change Chinese behavior, U.S. officials began “naming and shaming” China, warning the espionage threatened stability in the bilateral relationship. In May 2014, in a significant escalation of pressure, the U.S. Department of Justice indicted five People’s Liberation Army officers for stealing trade secrets from Westinghouse, U.S. Steel, and other companies. In the summer of 2015, before President Xi’s first planned state visit to Washington, officials suggested that the United States would sanction Chinese individuals or entities that benefited from cyber theft. Beijing responded by sending a high-level negotiator before the summit, and during Xi’s visit the two sides announced that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”77
In the first year after the visit, the Obama-Xi agreement appeared to be a success. The cybersecurity firm FireEye reported in June 2016 that the number of network compromises by the China-based hacking groups it tracks dropped from sixty in February 2013 to fewer than ten by May 2016. China went on to announce similar agreements with Australia and the United Kingdom, and the norm against intellectual property theft was included in statements from the Group of Twenty (including China, France, and Russia) and Group of Seven in 2015 and 2017.78
As in other domains, the process of creating norms in cyberspace is slow, uneven, and uncertain. Washington’s efforts with Beijing proved transitory. In December 2018, for example, the U.S. Justice Department indicted two Chinese hackers with ties to the Ministry of State Security (MSS) for breaching managed service providers and more than forty-five technology companies. The cyber campaign, known as Cloud Hopper, exploited vulnerabilities in cloud computing and targeted some of the world’s biggest technology firms. Following the indictment, Australia, Canada, Germany, New Zealand, the United Kingdom, and other allies all issued statements backing the U.S. allegations against China and attributing the attack to the MSS.79
The United Nations has affirmed the application of international law to cyberspace, but major actors have flouted the norms endorsed by the GGE and OEWG. Russia’s tolerance of ransomware gangs, for example, violates the norm of state responsibility, and operations against the power grid in Kyiv in 2015 and 2016 contravene the norm of noninterference with critical infrastructure during peacetime. Moreover, the norms process requires states to be transparent and provide legal justifications for the operations they undertake. Few states have done this, including the United States.
U.S. efforts to define norms around espionage have also suffered from inconsistent messaging. Many of the indictments and sanctions levied on Russia are for political-military espionage operations that Washington had previously suggested are legitimate and that all states would pursue. U.S. officials signaled that SolarWinds crossed a line because of the scope of the attack, the potential to move from espionage to disruption, the “unusual” burden placed on the private sector of mitigating the attack, the risk to the supply chain, and the theft of FireEye’s tools.80 The ultimate targets, however, are believed to have been some two hundred government and industrial entities, all reasonable subjects for intelligence collection. They are the kind of targets on which the United States intelligence community can and should collect intelligence in adversary nations.
Indictments and sanctions have been ineffective in stopping state-backed hackers.
The United States has used indictments and sanctions to reinforce norms and try to deter and impose costs on hackers (see figure below). Public attribution delineates which type of operations the United States considers illegitimate. Though the intent of an operation is difficult to determine, as is whether it is an intelligence, defensive, or offensive effort, the U.S. government and private sector actors in the cybersecurity industry have, with years of difficult experience, developed significant visibility into the identity and tradecraft of disparate cyber actors.
Once an attack is publicly attributed, the United States uses indictments and sanctions to impose costs and deter future attacks. The Department of Justice unsealed 24 indictments from 2014 to 2020, with 195 criminal counts against 93 foreign individuals accused of cyber operations at the behest of a state sponsor.81 Chinese, Iranian, North Korean, Russian, and Syrian hackers have been charged with a variety of crimes, from malicious destructive hacks to the theft of trade secrets and other intellectual property. The United States and its allies, for example, jointly attributed the NotPetya ransomware attack to Russia’s military intelligence, the Main Intelligence Directorate (GRU). In October 2020, a federal grand jury indicted six officers for the attacks.82
After the Sony hack of 2015, the Obama administration issued Executive Order 13694, which allows the U.S. Department of the Treasury to block the property of individuals and entities involved in cyber-enabled activities that are a “significant threat to the national security, foreign policy, or economic health or financial stability of the United States.”83 The order was amended in December 2016 to allow for sanctions against cyber-enabled election interference. Until May 2021, the Treasury Department issued 311 cyber-related sanctions, most against Russia (141), Iran (112), and North Korea (18).84 In April 2021, the United States attributed SolarWinds to Russia’s Foreign Intelligence Service, and the White House issued an executive order blocking property connected to harmful Russian activities and imposed sanctions on “companies operating in the technology sector of the Russian Federation economy that support Russian Intelligence Services.”85 Although U.S. partners joined in calling out irresponsible behavior, few followed through with indictments or sanctions.
The public attributions, indictments, and sanctions have not imposed significant costs on state-backed hackers. Attributing publicly but lacking either the capability or will to respond effectively makes the United States look hapless and risks inviting more cyberattacks. Few hackers have seen the inside of a U.S. courtroom. As of 2019, of more than fifty indictments since the Obama administration, only five individuals have been arrested for their crimes.86 Sanctions could have a greater chance of success because they can target individuals and entities of value to policymakers. But so far, Washington has either been unable to identify the right targets or to inflict substantial pain.
Indictments, sanctions, and norms dialogues have been more effective in building coalitions than in deterring or imposing costs on adversaries. These action —multilateral, explicit, declared, and aspirational—allow Washington to signal to friends and allies what it sees as responsible behavior.
- Richard A. Clarke and Robert K. Knake, <em>Cyber War: The Next Threat to National Security and What to Do About It </em>(New York: HarperCollins, 2013).
- Michael P. Fischerkeller and Richard Harknett, “<a href="https://doi.org/10.1016/j.orbis.2017.05.003">Deterrence Is Not a Credible Strategy for Cyberspace</a>,” <em>Orbis</em> 61, no. 3 (2017): 381–93.
- Joseph S. Nye Jr., “<a href="https://doi.org/10.1162/ISEC_a_00266">Deterrence and Dissuasion in Cyberspace</a>,” <em>International Security</em> 41, no. 3 (Winter 2016/2017): 44–71.
- U.S. Cyberspace Solarium Commission, <em>A Warning From Tomorrow</em>.
- U.S. Cyber Command, “<a href="https://www.cybercom.mil/Portals/56/Documents/USCYBERCOM%20Vision%20April%202018.pdf?ver=2018-06-14-152556-010">Achieve and Maintain Cyberspace Superiority</a>,” Cyber Command, 2018.
- Paul M. Nakasone, “<a href="https://ndupress.ndu.edu/Media/News/News-Article-View/ Article/1736950/a-cyber-force-for-persistent-operations">A Cyber Force for Persistent Operations</a>,” <em>Joint Force Quarterly</em> 92, no. 1 (2019): 10–14.
- Ellen Nakashima, “<a href="https://www.washingtonpost.com/world/national-security/trump-authorizes-offensive-cyber-operations-to-deter-foreign-adversaries-bolton-says/2018/09/2…">White House Authorizes Offensive Cyber Operations to Deter Foreign Adversaries</a>,” <em>Washington Post</em>, September 20, 2018.
- <a href="https://www.govinfo.gov/content/pkg/PLAW-115publ232/pdf/PLAW-115publ232.pdf">John S. McCain National Defense Authorization Act for Fiscal Year 2019</a>, Pub. L. No. 115-232, 132 Stat. 1636–2423 (2018).
- Zach Dorfman et al., “<a href="https://www.yahoo.com/video/secret-trump-order-gives-cia-more-powers-to-launch-cyberattacks-090015219.html">Exclusive: Secret Trump Order Gives CIA More Powers to Launch Cyberattacks</a>,” Yahoo News, July 15, 2020.
- Brad D. Williams, “<a href="https://breakingdefense.com/2021/11/cybercoms-no-2-discusses-hunt-forward-space-cybersecurity-china/#:~:text=WASHINGTON%3A%20US%20Cyber%20Command's%2….">CYBERCOM Has Conducted ‘Hunt-Forward’ Ops in 14 Countries, Deputy Says</a>,” <em>Breaking Defense</em>, November 10, 2021; Martin Matishak, “<a href="https://therecord.media/cyber-command-sent-a-hunt-forward-team-to-help-lithuania-harden-its-systems/">Cyber Command Sent a ‘Hunt Forward’ Team to Help Lithuania Harden Its Systems</a>,” <em>The Record</em>, May 4, 2022.
- Ellen Nakashima and Dalton Bennet, “<a href="https://www.washingtonpost.com/national-security/cyber-command-revil-ransomware/2021/11/03/528e03e6-3517-11ec-9bc4-86107e7b0ab1_story.html">A Ransomware Gang Shut Down After Cybercom Hijacked Its Site and It Discovered It Had Been Hacked</a>,” <em>Washington Post</em>, November 3, 2021.
- AJ Vicens, “<a href="https://www.cyberscoop.com/u-s-cyber-command-iranian-hacking-malware-virustotal">U.S. Cyber Command Shares New Samples of Suspected Iranian Hacking Software</a>,” CyberScoop, January 12, 2022.
- Mehul Srivastava et al., “<a href="https://www.ft.com/content/1fb2f592-4806-42fd-a6d5-735578651471">The Secret U.S. Mission to Bolster Ukraine’s Cyber Defenses Ahead of Russia’s Invasion</a>,” <em>Financial Times</em>, March 9, 2022.
- Julian Barnes, “<a href="https://www.nytimes.com/2018/10/23/us/politics/russian-hacking-usa-cyber-command.html">U.S. Begins First Cyberoperation Against Russia Aimed at Protecting Elections</a>,” <em>New York Times</em>, October 23, 2018; Ellen Nakashima, “<a href="https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-m…">U.S. Cyber Command Operation Disrupted Internet Access of Russian Troll Factory on Day of 2018 Midterms</a>,” <em>Washington Post</em>, February 27, 2019.
- Christopher A. Ford “The Trouble With Cyber Arms Control,” <em>New Atlantis</em>, no. 29 (Fall 2010): 52–67; Herb Lin, “Arms Control in Cyberspace: Challenges and Opportunities,” <em>World Politics Review</em>, March 6, 2012.
- United Nations Office for Disarmament Affairs, “<a href="https://www.un.org/disarmament/group-of-governmental-experts">Group of Governmental Experts</a>,” United Nations, accessed May 19, 2022.
- Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, <a href="https://undocs.org/A/70/174">Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security</a>, A/70/174 (July 22, 2015).
- United Nations General Assembly, Resolution 70/237, <a href="https://undocs.org/A/RES/70/237">Developments in the Field of Information and Telecommunications in the Context of International Security</a>, A/RES/70/237 (December 23, 2015).
- Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, <a href="https://front.un-arm.org/wp-content/uploads/2021/08/A_76_135-2104030E-1.pdf">Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security</a>, A/76/135 (July 14, 2021); Josh Gold, “<a href="https://www.cfr.org/blog/unexpectedly-all-un-countries-agreed-cybersecurity-report-so-what">Unexpectedly, All UN Countries Agreed on a Cybersecurity Report. So What?</a>” <em>Net Politics </em>(blog), March 18, 2021.
- Department of Justice, Office of Public Affairs, “<a href="https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor">U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage</a>,” press release no. 14-528, May 19, 2014; Barack Obama and Xi Jinping, “<a href="https://obamawhitehouse.archives.gov/the-press-office/2015/09/25/remarks-president-obama-and-president-xi-peoples-republic-china-joint">Remarks by President Obama and President Xi Jinping of the People’s Republic of China in Joint Press Conference</a>,” White House, September 25, 2015.
- FireEye, “<a href="https://www.mandiant.com/media/11416/download">Red Line Drawn: China Recalculates Its Use of Cyber Espionage</a>,” June 2016; Daniel Paltiel, “<a href="https://www.csis.org/blogs/strategic-technologies-blog/g20-communiqu%C3%A9-agrees-language-not-conduct-cyber-economic">G20 Communiqué Agrees on Language to Not Conduct Cyber Economic Espionage</a>,” Center for Strategic and International Studies, November 16, 2015; “<a href="https://ccdcoe.org/uploads/2018/11/G7-170411-LuccaDeclaration-1.pdf">G7 Declaration on Responsible States Behavior in Cyberspace</a>,” Group of Seven, April 11, 2017.
- Department of Justice, Office of Public Affairs, “<a href="https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion">Two Chinese Hackers Associated With the Ministry of State Security Charged With Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information</a>,” press release no. 18-1673, December 20, 2018; Christopher Bing, Joseph Menn, and Jack Stubbs, “<a href="https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper">Inside the West’s Failed Fight Against China’s ‘Cloud Hopper’ Hackers</a>,” Reuters, June 26, 2019; Lucian Constantin, “<a href="https://securityboulevard.com/2018/12/five-eyes-countries-attribute-apt10-attacks-to-chinese-intelligence-service">‘Five Eyes’ Countries Attribute APT10 Attacks to Chinese Intelligence Service</a>,” <em>Security Boulevard</em>, December 21, 2018.
- White House, “<a href="https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-gover…">Imposing Costs for Harmful Foreign Activities by the Russian Government</a>,” April 15, 2021; U.S. Department of the Treasury, “<a href="https://home.treasury.gov/news/press-releases/jy0127">Treasury Sanctions Russia With Sweeping New Sanctions Authority</a>,” press release, April 15, 2021; Kristen Eichensehr, “<a href="https://www.justsecurity.org/75779/solarwinds-accountability-attribution-and-advancing-the-ball">SolarWinds: Accountability, Attribution, and Advancing the Ball</a>,” Just Security, April 16, 2021.
- Garret Hinck and Tim Maurer, “Persistent Enforcement: Criminal Charges as a Response to Nation-State Malicious Cyber Activity,” <em>Journal of National Security Law & Policy</em> 10, no. 525 (2019–2020): 525–61, quoted in William Akoto, “<a href="https:// mwi.usma.edu/hackers-for-hire-proxy-warfare-in-the-cyber-realm/">Hackers for Hire: Proxy Warfare in the Cyber Realm</a>,” Modern War Institute, January 31, 2022.
- Department of Justice, Office of Public Affairs, “<a href="https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and">Six Russian GRU Officers Charged in Connection With Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace</a>,” press release no. 20-1117, October 19, 2020.
- Exec. Order No. 13694, “<a href="https://obamawhitehouse.archives.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-persons-engaging-significant-m">Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities</a>,” 3 C.F.R. 13694 (2015).
- Jason Bartlett and Megan Ophel, “<a href="https://www.cnas.org/publications/reports/sanctions-by-the-numbers-cyber">Sanctions by the Numbers: Spotlight on Cyber Sanctions</a>,” Center for a New American Security, May 4, 2021.
- Exec. Order No. 14024, “<a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/04/15/executive-order-on-blocking-property-with-respect-to-specified-harmful-forei…">Blocking Property With Respect to Specified Harmful Foreign Activities of the Government of the Russian Federation</a>,” 86 Fed. Reg. 73 (April 15, 2021).
- Trevor Logan, “<a href="https://www.fdd.org/analysis/2019/02/27/u-s-should-indict-and-sanction-cyber-adversaries">U.S. Should Indict and Sanction Cyber Adversaries</a>,” Foundation for Defense of Democracies, February 27, 2019.