Confronting Reality in Cyberspace

Confronting Reality in Cyberspace:
CFR.org
Independent Task Force Report No. 80
Confronting Reality in Cyberspace: Foreign Policy for a Fragmented Internet
Updated July 2022
Findings
Download PDF

A Divided Internet

From the earliest days of the ARPANET through the 1990s, the United States shaped the development of the internet to conform with both its national interests and its unique global image. For the last two decades, the United States continued to promote its vision of a single, open, interoperable, secure, and reliable global network, even as much of the world began to push back against this ideal. In theory, the internet, known in the 1990s as “the information superhighway,” should have had a liberalizing effect on world politics as countries around the world connected to the network and Western ideas flowed without the filter of government control.12

U.S. officials and technologists often presented the internet as a take-it-or-leave-it proposition: governments would either plug in, allow the free flow of data, and enjoy the growth and prosperity of the digital age, or opt out and disadvantage themselves economically and politically. U.S. Secretary of State Hillary Clinton warned in a 2010 speech that “countries that restrict free access to information or violate the basic rights of internet users risk walling themselves off from the progress of the next century.”13 
 

The era of the global internet is over.
 

Yet from the beginning, many governments—including Washington’s close allies—rejected this vision of a benign internet. Owing to their histories with antisemitism and different approaches to freedom of speech and the press, France and Germany, for example, demanded that U.S. platforms censor Nazi speech and refrain from selling or displaying banned materials such as Adolf Hitler’s infamous autobiographical work Mein Kampf. Those early demands produced the geo-located internet in operation today, in which the content seen and the products offered are determined by where an IP address is physically located on the globe.

The 2013 disclosures of U.S. intelligence collection by National Security Agency (NSA) contractor Edward Snowden raised suspicion in many European countries about the risks of dependence on American information and communication technologies. In 2016, the EU adopted the General Data Protection Regulation, which enhanced individual control over private data. The regulation has become a model for data privacy laws in Brazil, Japan, South Africa, South Korea, and other countries. Two rulings by the Court of Justice of the European Union (CJEU), Schrems I and Schrems II, invalidated the EU-U.S. Privacy Shield framework, an agreement that allowed U.S. firms to transfer the data of European citizens, stating that it did not adequately protect EU citizen data from the potential surveillance of U.S. law enforcement and intelligence agencies (see figure below).14

 

Although the GDPR allows Europe to influence the global debate over data governance, some European leaders also have argued for greater technological autonomy from Chinese hardware and U.S. software and infrastructure. In September 2021, for example, the European Commission announced plans to introduce legislation to promote semiconductor self-sufficiency. Europe is working to promote alternatives to Amazon, Google, Meta, and Microsoft through projects such as Gaia-X, a European shared cloud infrastructure.15 In early 2022, while holding its six-month rotating presidency of the EU Council, France identified EU digital sovereignty as one of three priorities. Privacy and security regulations could be used to require organizations to work with EU-controlled companies favored by the EU digital sovereignty policies. The war in Ukraine is an impetus for closer transatlantic cooperation, but it has also reinforced the arguments for European tech sovereignty, with the European Council declaring in March 2022 the need to “take further decisive steps towards building our European sovereignty, reducing our dependencies, and designing a new growth and investment model.”16

China and other authoritarian regimes deployed alternatives to the U.S. model even more forcefully. They see the open internet and U.S. tech companies as instruments of regime change. Over time, the Chinese government developed the technical and regulatory capabilities to actively censor the internet traffic that enters and leaves its country, rapidly take down information and block collective action, and tightly surveil, harass, and, when necessary, detain users. Platforms operating in China are legally responsible for content on their sites and employ legions of monitors to block and report activity of which the state disapproves.17

Russia’s internet was once more open and freewheeling. But after street protests in Moscow in 2012, the government began more actively blacklisting, censoring, and blocking content. Russia’s internet regulator, Roskomnadzor, ramped up its demands on Apple, Twitter, and other American companies to remove online content it deems illegal or to restore pro-Kremlin material that has been blocked. Russian President Vladimir Putin is also looking to decouple the domestic internet, Runet, from the global internet, moving users from American platforms to Russian social media and search engines.

In 2019, Russia adopted the Sovereign Internet Law, which seeks to shield its Runet from foreign attacks and mandates annual tests of telecommunications ability to disconnect the domestic internet from global cyberspace. During the Russian invasion of Ukraine, after Facebook announced that it would fact check claims from state media, Moscow entirely blocked the social media platform. It went on to block other sites as well, forcing Russians who wanted access to information not censored by Moscow to rely on virtual private networks (VPNs).18

Authoritarian regimes are not alone in seeking to tame the online world. Domestic and foreign actors’ use of social media to spread disinformation, misinformation, hate speech, and violent and extremist content has made policymakers in many democracies increasingly wary of an unregulated internet. For example, Germany’s NetzDG, or the Network Enforcement Act, levies fines of up to €50 million for failure to take down “evidently criminal” content within twenty-four hours. Singapore’s Protection From Online Falsehoods and Manipulation Act requires online platforms to issue corrections or remove content that the government deems false.19

When they cannot filter content at scale, countries can simply decide to disconnect briefly from the internet. Sixty nations have temporarily turned off the internet more than nine hundred times altogether over the last seven years.20 India, the world’s largest democracy, is also the world leader in internet shutdowns. In 2019 and 2020, Indian officials suspended the internet as many as 164 times for over 13,000 hours.21 Over the last three years, Ethiopia, Niger, Nigeria, and Uganda have also used shutdowns to control information and influence elections.

Despite the continued splintering of the internet, hundreds of millions of users of the network regard it as indispensable to their daily lives and to the operations of their geographically dispersed businesses. These needs and expectations of the internet as a connective platform have only increased since the beginning of COVID-19.

In addition, advanced economies are at the cusp of a new wave of digital innovation. Proponents of blockchain technology argue that Web 3.0 will be more secure, inclusive, and resilient, giving users greater control of their data and privacy. Blockchain technologies are expected to contribute $1.76 trillion to the global economy by 2030.22 The metaverse, as some describe it, is a linked virtual world that is an extension of the physical world, which could become a persistent, immersive, three-dimensional (3-D) reality in which people play, work, and socialize. The Internet of Things, which envisions tens of billions of internet-connected devices, is becoming the backbone of smart homes and cities that increase safety, improve health, and conserve energy. The consulting company McKinsey & Company estimates that IoT devices could enable $5.5 trillion to $12.6 trillion in value globally by 2030.23

If networks are built and operated for the needs of national sovereignty rather than to achieve global scale, then policymakers will need to understand and address the accompanying unavailability of information required to make business or personal decisions, the impaired ability to scale innovation at the lowest possible cost, and the ripple effects of digital fragmentation across other aspects of bilateral and multilateral relationships.
 

U.S. policies promoting an open, global internet have failed.
 

From the George W. Bush administration through the end of Donald Trump’s presidency, the United States promoted what is broadly known as the “internet freedom agenda.” This mandate was both economic, calling for a relatively laissez faire approach to regulation, and political, promoting an American ideal of free speech on the internet. In 2006, for example, the Bush administration established the Global Internet Freedom Task Force to maximize the free flow of data and funded grants for circumventing censorship. The Barack Obama administration had its own NetFreedom Task Force and spent over $100 million on encryption and anti-censorship technologies.24

Yet the United States has been unable to counter the persistent advance of the concept of cyber sovereignty. Beijing is sharing its technology and experience with other countries, holding meetings and seminars on its model of internet control with at least thirty countries and providing technical assistance to more than a dozen. In 2015, for example, Tanzania passed cybersecurity laws that resembled China’s. Egypt, Laos, Pakistan, Uganda, Vietnam, and Zimbabwe have proposed or passed legislation that mimics the blocking of websites, real name registration, data sharing, and content takedowns that characterize Chinese regulations. Early in 2021, Cambodia adopted Chinese-style internet controls and created an internet gateway through which all web traffic is routed and monitored.25

Beijing and Moscow are collaborating to reshape the global internet and reduce U.S. influence. In 2015, Chinese President Xi Jinping and Putin signed an agreement “on cooperation in ensuring international information security.” In the years after its signing, the majority of exchanges appear to be designed to share technologies, information, and processes on the control of the internet. The two countries have also promoted cyber sovereignty through the United Nations, International Telecommunication Union, Shanghai Cooperation Organization, and the BRICS group (Brazil, Russia, India, China, and South Africa).26

Even as the free and open internet loses ground, the United States and Europe remain divided over the legitimate role of privacy, antitrust, industry promotion, and data localization regulations. Despite a shared assessment of the threat of Chinese and Russian cyber operations and a commitment to the protection of human rights online, these unresolved issues have made it difficult to present a common front. Moreover, a number of democracies and more open societies have pursued new rules for technology companies on content, data, and competition, which has often resulted in limits of free expression and greater access to private data by government agencies.

In an effort to turn this tide, in April 2022 the Biden administration along with sixty-one countries issued a Declaration for the Future of the Internet.27 The signatories committed themselves to supporting “a future for the Internet that is an [sic] open, free, global, interoperable, reliable, and secure,” as well as to protecting human rights online, securing individuals’ privacy, and maintaining secure and reliable connectivity. The declaration reaffirms a positive vision of a “single interconnected communications system for all of humanity” that fosters innovation and economic growth, promotes creativity, reinforces democratic governance, and provides unfettered access to knowledge.

The driving idea behind the declaration is correct. Simply opposing the Chinese and Russian models of the internet is not enough. The United States needs to mobilize partners around a proactive vision of what it desires to accomplish in cyberspace, but the declaration has no binding commitments or new policy initiatives. Nothing suggests that this time is different and that a statement of strong principles will be able to stop or reverse the trend toward fragmentation. The United States needs to develop a path forward based on the reality of the internet today.
 

Data is a source of geopolitical power and competition.
 

Data is an indisputable source of national power. It fuels innovation, economic growth, and national security. It is at the center of global trade, with cross-border data flows growing roughly 112 times over from 2008 to 2020.28 The rapid expansion of fifth-generation (5G) wireless networks, cloud computing, and the Internet of Things means an explosion of data. The total data generated by 2025 is set to accelerate exponentially to 175 zettabytes; and this data will generate innovations in agriculture, logistics, manufacturing, pharmaceuticals, and other critical sectors.29 The World Economic Forum projects that 70 percent of new value created in the economy over the next decade will be based on digitally enabled platform business models.30 Technology companies that collect, analyze, and commercialize data, such as Alibaba, Alphabet, Amazon, Meta, and Tencent, have replaced oil and gas producers, consumer goods, and financial institutions at the top of the list of the world’s most valuable firms.

Data is also central to national security. Advances in machine learning, data analytics, and other digital technologies have a significant effect on military and intelligence capabilities. The National Security Commission on Artificial Intelligence warned that the U.S. military’s technical advantage could be lost within the next decade without an accelerated adoption of artificial intelligence, warning that “AI-enhanced capabilities will be the tools of first resort in a new era of conflict as strategic competitors develop AI concepts and technologies for military and other malign uses and cheap and commercially available AI applications ranging from ‘deepfakes’ to lethal drones become available to rogue states, terrorists, and criminals.”31  National intelligence agencies can collect and analyze data at scale, but new technologies also enable nonstate actors and individuals to execute the same tasks, sometimes more quickly than governments.32

U.S. adversaries increasingly see data as central to their economic and national security and are developing national strategies for its collection, application, and protection. China hosts the world’s largest e-commerce market, boasting 40 percent of global sales, and introduced the world’s first state-sponsored digital currency.33 In April 2020, China’s State Council formally designated data as a factor of production, joining land, labor, capital, and technology. In a 2021 speech to a Chinese Communist Party Politburo study session, Xi declared the digital economy to be a “critical force in reorganizing global factor resources, reshaping global economic structures, and changing global competition structures.”34 National Security Advisor Jake Sullivan remarked, “Strategic competitors see big data as a strategic asset.”35 So should the United States.
 

The United States has taken itself out of the game on digital trade.
 

Deep domestic political divides limit the United States’ ability to lead internationally. Despite countless congressional hearings on the benefits and drawbacks of regulating data markets and technology companies, the continued failure to adopt comprehensive privacy and data protection rules at home undercuts Washington’s argument that it has a model worth emulating. The United States is highly polarized on issues of free speech and the threats of market consolidation and as a result has been unable to decide on which values to optimize. This sense of inefficacy is heightened in contrast to the speed with which China has rolled out a matrix of regulations that includes the national cybersecurity law, data security law, and personal information protection law.36 Nowhere has domestic policy harmed the U.S. ability to lead more than in the arena of digital trade, the cross-border flow of data and digital services that now accounts for nearly $3 trillion in global wealth.

The U.S. withdrawal from the Trans-Pacific Partnership and continued aversion to multilateral trade agreements severely limit its ability to shape the rules guiding digital trade. Although the digital chapters of the U.S.-Korea Free Trade Agreement (KORUS) and the U.S.-Mexico-Canada Agreement (USMCA), as well as the U.S.-Japan Digital Trade Agreement, have strong protections for cross-border data flows, the United States has been sidelined as other trade groups come together. The Regional Comprehensive Economic Partnership (RCEP), an agreement among fifteen countries in the Asia-Pacific, for example, represents 30 percent of global gross domestic product (GDP) and entered into force without the United States on January 1, 2022. RCEP’s provisions regarding data localization, restrictions on cross-border data flows, and policies that champion domestic industry are, however, weak.37

Beijing has recently submitted its application to accede to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership and to join the Digital Economy Partnership Agreement. The Biden administration has announced that it is developing an Indo-Pacific framework that will address digital technology, along with other issues, but no further details have been released.38

Rising Risks in Cyberspace

Much of the early concern around cyberspace focused on disruptive and destructive attacks on critical infrastructure. In 2007, Russia-based hackers mounted a high-intensity, low-sophistication attack on Estonia over a dispute about the movement of a statue of a Russian soldier commemorating World War II. That campaign, which some dubbed Web War I, severely disrupted banking, media, and public services. In 2012, General Keith Alexander, director of the National Security Agency, said in congressional testimony that it was only a matter of time before hackers destroyed elements of critical infrastructure in the United States. The same year, in a speech to business executives, then U.S. Secretary of Defense and former CIA Director Leon Panetta cautioned that the country could face a “cyber Pearl Harbor” and warned that a terrorist group or enemy state could gain control of “critical switches” to “derail passenger trains, or even more dangerous, derail trains loaded with lethal chemicals.”39

In a joint operation, the United States and Israel appeared to be the first to cross the Rubicon, launching the first known cyber campaign to cause physical damage. “Olympic Games” was designed to set Iran’s nuclear program back by destroying centrifuges at its enrichment facility in Natanz. In response, Iranian hackers knocked offline the websites of a number of American banks, including Wells Fargo, JPMorgan Chase, and Bank of America. In 2012, Iran wiped the data on thirty thousand computers at oil producer Saudi Aramco, and a follow-on attack damaged Rasgas, a joint venture between Qatar Petroleum and ExxonMobil that is the second-biggest producer of liquefied natural gas in the world. North Korean hackers disrupted South Korean banks and telecommunications and, in anger over a film that mocked North Korean leader Kim Jong-un, stole one hundred terabytes of internal data from Sony and damaged two-thirds of the company’s servers and computers.40

These types of attacks were, however, the exceptions. Over the last decade, most cyber operations have been attacks that violate sovereignty but remain below the threshold for the use of force or armed attack (see figure below). These breaches are used for political advantage, espionage, and international statecraft, with the most damaging attacks undermining trust and confidence in social, political, and economic institutions.41

Russian operatives skilled in cyber espionage interfered in the Ukrainian election of 2014 through a combination of hacking, disinformation, and denial of service attacks. Moscow used a similar playbook in the 2016 U.S. elections, breaking into the email accounts of the Democratic National Committee and Clinton campaign chairman John Podesta and posting the documents publicly. These documents, as well as disinformation and misinformation that exacerbated social, cultural, and political divisions, were amplified on social media through bots and fake accounts. Russia continues to develop and evolve these methods, posing challenges to the cohesion of the United States and its allies.42

China-backed hackers deployed widespread political and military espionage as well as a massive campaign of cyber-enabled intellectual property theft from the private sector. Chinese operatives targeted the State Department, U.S. Department of Defense, White House, and defense contractors and, in 2015, were behind the theft of twenty-two million records of federal employees, including their security background checks, from the Office of Personnel Management. Cyber espionage has also been central to Beijing’s attempt to make the Chinese economy more competitive and less dependent on foreign suppliers for critical technologies. The Office of the National Counterintelligence Executive declared that “Chinese actors are the world’s most active and persistent perpetrators of economic espionage.”43 Chinese operators have become adept at targeting and exploiting big data, which can be used for intelligence and counterintelligence as well as driving advancements in machine learning.

Over the last few years, Chinese and Russian operations have become more brazen and proficient. Chinese hackers exploited a so-called zero-day vulnerability—a software weakness unknown to its vendor—in Microsoft Exchange email servers, allowing them to gain access to thousands of sensitive networks. Moreover, knowing that Microsoft was pushing out a protective patch for the vulnerability, the hackers scanned almost the entire internet to find exposed servers to be compromised.44 The breach of the software firm SolarWinds allowed Russian hackers to access the networks of major government agencies and over one hundred companies (see figure below). The SolarWinds campaign was exposed because the cybersecurity firm FireEye discovered hackers in their networks, stealing “Red Team” tools, a collection of malware and exploits used to test customers’ vulnerabilities.

 

The trend line thus far is clear: increased digitization goes hand in hand with increased vulnerability, given that nearly every aspect of business and statecraft becomes exposed to disruption, theft, or manipulation.
 

Cybercrime is a national security risk.
 

COVID-19 has accelerated global dependence on digital infrastructure. Public health measures and stay-at-home orders led to a massive shift in teleworking. By the end of 2020, 71 percent of workers in the United States had switched in whole or in part to working from remote locations outside their offices. COVID related cyber operations surged, with hackers targeting vaccine research and development (R&D) efforts. The swell of online activities increased the incentives for malicious actors to exploit vulnerabilities in all sectors of economic and political activity.45

Over the last three years, the risk of ransomware has ballooned (see figure below). The risk is not just financial. Ransomware attacks have paralyzed local governments, school districts, and hospitals. In 2019, a ransomware attack shut down the operations of a U.S. Coast Guard facility for thirty hours, and the University of Vermont Medical Center furloughed or reassigned about three hundred employees after an attack on the hospital’s networks. Homeland Security officials worried that ransomware attacks on voter registration systems could disrupt the 2020 elections. In May 2022, the new president of Costa Rica, Rodrigo Chaves Robles, declared a national emergency after a ransomware attack by the Conti gang crippled the Finance and Labor Ministry as well as the customs agency. The group also posted stolen files to the dark web to extort the government to pay the ransom.46

Ransomware groups are professionalizing and marketing in ways reminiscent of Silicon Valley startups. Highly capable groups have become “initial access brokers” that specialize in gaining a foothold on target networks and then selling that access to ransomware operators who can rent a payload—a separate encryption malware—from a “ransomware-as-a-service” provider.47 Zero days are expensive to buy and develop. They have historically been deployed by state-backed groups, yet in 2021 one-third of all hacking groups exploiting zero days were financially motivated criminals.48 With greater ransom payments, criminal hacking groups can recruit and pay for technical talent. The most elite groups are developing skills previously reserved for a small number of military and intelligence agencies, but “crime-as-a-service” providers offer a wide range of attacks with a significant economic effect.

The emergence of cryptocurrencies has enabled this explosive growth in cybercrime. Ransomware preexisted cryptocurrencies, yet criminals struggled to extract significant payments through the traditional financial system. Cryptocurrencies make it easier to monetize breaches in network security; as a result, more groups are forming to launch ransomware. According to Chainalysis, a cryptocurrency tracking and analytics firm, in 2021 more than $400 million worth of cryptocurrency payments went to groups “highly likely to be affiliated with Russia.”49 The United States has passed “know-your-customer” provisions for cryptocurrency exchanges and sanctioned Russian exchanges, and in June 2021 the FBI tracked and “clawed back” a portion of the payment made in bitcoin to the Darkside ransomware group that extorted Colonial Pipeline. Whether these efforts are sustainable or can change the economics of ransomware is unclear.50

In addition, authoritarian states have increasingly blurred the line between state and nonstate actors in cyberspace. The United States has alleged that China, Iran, North Korea, and Russia at times rely on private technology firms, organized crime and hacker groups, and civil militias to conduct operations. During the Russia-Ukraine war, the Conti group published a statement declaring their loyalty to Moscow and threatening retaliation against countries that supported Ukraine.51 As Mieke Eoyang, the U.S. deputy assistant secretary of defense for cyber policy, told the House Armed Services Committee, “The line between nation state and criminal actors is increasingly blurry as nation-states turn to criminal proxies as a tool of state power, then turn a blind eye to the cybercrime perpetrated by the same malicious actors.”52 
 

The United States can no longer treat cyber and information operations as two separate domains.
 

Although disinformation, misinformation, and the abuse of social media are outside the scope of this Task Force, the Russia-Ukraine war demonstrates how tightly intertwined cyber and information operations are. Ukraine, with the assistance of the United States and its European partners, was able in the first months of the conflict to defend its critical infrastructure from disruptive cyberattacks. Continued access to communication and internet networks proved crucial to Ukrainian President Volodymyr Zelensky and other officials’ mobilizing domestic and international support for Ukraine, controlling the narrative of the war, and countering Russian propaganda. On the other side, Russian hackers planted a fake message in the livestream of a broadcast announcing a surrender and broke into the Facebook accounts of high-profile Ukrainian military leaders and politicians, then used their access to post false messages that Ukrainian forces were laying down their arms.53 
 

The United States has historically separated cyber and information security, but American adversaries have traditionally not distinguished between the two. In their view, the confidentiality, integrity, and assurance of computer networks are integral—and in some sense subordinate—to the battle over information spaces, and cyberattacks enabled significant capabilities in information operations. Numerous Russian documents and strategies describe cyber operations as integral to information security. After the creation of U.S. Cyber Command (CYBERCOM), at a meeting of Russian and U.S. defense officials, one Russian officer reportedly derided the lack of information warfare in Cyber Command’s mission. General Nikolai Makarov told his counterparts, “One uses information to destroy nations, not networks.”54

 

Although the United States has struggled both to counter information operations at home and to find the right authorities and institutions to promote its efforts to shape narratives in cyberspace, the Russia-Ukraine war has clearly demonstrated how cyber capabilities, defensive and offensive, are essential enablers of successful information operations. Remarking on the conflict, Lieutenant General Charles Moore, CYBERCOM deputy commander, noted, “Without a doubt, what we have learned is that cyber-effects operations in conjunction—in more of a combined arms approach—with what we call traditionally information operations, is an extremely powerful tool.”55 
 

AI and other new technologies will increase strategic instability.
 

The consensus in the cybersecurity community is that the offense has the advantage over the defense, but this is less true for complex, destructive attacks. Only the most sophisticated attackers can maintain an undetected presence on networks over an extended period. It is difficult for the attacker to create widespread, long-lasting effects, and sophisticated attacks require a significant investment of resources and talent.56

The relationship between attackers and defenders could shift, however, as new technologies come online. The rapid rise of artificial intelligence and, eventually, quantum computing could make the work of cyber defenders more difficult over time, with faster and faster computers enabling increasingly complex attacks and more rapid network intrusion. AI-enabled state cyberattacks would be more precise and tailored; the rise of sophisticated natural language processing models is likely to improve spear-phishing abilities. Malware could mutate into thousands of forms once it is in a network. For the defender, AI could accelerate the detection of attackers inside a network. Machine learning could help automate vulnerability discovery, deception, and attack disruption.57

The eventual effect of such developments on the dynamic between offense and defense is uncertain. One outcome that appears likely is that both attackers and defenders will rely on a greater degree of automation, which could have an adverse effect on strategic stability. The United States now exerts tight political control over state-sponsored cyber operations. A reliance on a higher degree of automation could lead to unintended consequences.

A Failure to Impose Costs

The United States has failed to impose sufficient costs on attackers.
 

Scholars and policymakers have long debated whether deterrence is possible in cyberspace. Early works argued that several characteristics of cyberspace made it nearly impossible to dissuade a potential adversary from taking a hostile action with the threat of retaliation or a response that imposes unacceptable costs.58 One of the central problems with deterring computer attacks is retaliating in a timely, accurate, and proportional manner. As noted earlier, most attacks appear to be below the threshold for meaningful military retaliation. Deterrence by denial, which would raise the cost to attackers by improving defense, is equally difficult, as the defender seems to be at a perpetual disadvantage.

In addition, skeptics of deterrence highlight the interconnected nature of cyberspace, technological changes that shift the battlespace, and the near constant contact between adversaries to argue that cyber actors will constantly seek advantages in cyberspace.59  Skeptics argue that, rather than holding on to the hope of deterring actions, the United States should adopt a posture that encompasses resilience, active defense, and more aggressive disruption of attackers.

The proponents of cyber deterrence agree with critics that Cold War or classical nuclear deterrence does not cohere in cyberspace. Cyber deterrence in their view is less an attempt to prevent one clear catastrophic event, such as a nuclear strike, and more a series of efforts to shape behavior along a spectrum of possible attacks.60 In this view, deterrence could fend off destructive attacks on the U.S. transportation, energy, or electrical networks. Few actors are capable of launching such attacks, these actions are clearly above the threshold for an armed attack, and the United States would likely be able to determine who is responsible and launch a punishing reprisal.

For other types of attacks, such as cybercrime or espionage, the supporters of cyber deterrence argue that the United States cannot expect a complete cessation of activity. Instead, it will have to adopt a layered approach that blends threats of punishment, denial, sanctions, diplomatic efforts, economic entanglement, and norms, as well as the disruption of persistent engagement.61 A layered approach could allow the United States to achieve pauses, cessations, or restraints on certain classes of cyberattacks.

Both strains of thought have influenced U.S. cyber strategy. In 2018, U.S. Cyber Command released a strategic vision announcing the concept of persistent engagement.62 Cyber Command would maintain “the initiative in cyberspace by continuously engaging and contesting adversaries and causing them uncertainty wherever they maneuver.” Or, as General Paul Nakasone, commander of CYBERCOM, wrote about the implementation of the strategy, “To protect our most critical public and private institutions from threats that continue to evolve in cyberspace, we cannot operate episodically. While we cannot ignore vital cyber defense missions, we must take this fight to the enemy, just as we do in other aspects of conflict.”63 

To enable this strategy, the Trump administration relaxed restrictions on offensive cyber actions. National Security Presidential Memorandum 13 reportedly allowed Cyber Command to undertake actions that fall below the use of force or that would not cause death, destruction, or significant economic upheaval without a lengthy approval process.64 Provisions in the John McCain Act (2019 NDAA) preauthorize CYBERCOM to take “appropriate and proportional” action in foreign cyberspace to “disrupt, defeat, and deter” an “active, systematic, and ongoing” campaign of attacks on government or private networks by China, Iran, North Korea, or Russia.65 The Trump administration also reportedly issued a presidential finding allowing the CIA more freedom to conduct offensive cyber operations.66 

Since the announcement of the strategy, Cyber Command, working with the NSA, actively protected the 2018 election, disrupting the Internet Research Agency and other Russian actors. CYBERCOM has also deployed personnel to launch “hunt forward” missions in sixteen countries, including Estonia, Lithuania, Montenegro, and North Macedonia, as well as countries in Asia and the Middle East, to monitor adversary activities and identify malware and share it with U.S. partners.67 Cyber Command worked with an unnamed foreign government in 2021 to interrupt the operation of the ransomware gang REvil, allegedly blocking its website by hijacking traffic.68 In January 2022, the United States posted tools used by MuddyWater, a group with suspected ties to the Iranian Ministry of Intelligence and Security, to VirusTotal, a public repository of malware. It had previously posted samples of malware used by North Korean and Russian cyber actors.69 Months before the invasion of Ukraine, cyber mission forces from CYBERCOM deployed to the country to search for Russian malware implanted in critical infrastructure.70 

Given the high degree of secrecy around cyber operations and the lack of public information on the number of attacks that Cyber Command disrupts, it is difficult to gauge the success of persistent engagement. Trump administration officials have argued that CYBERCOM successfully disrupted Russian information operations during the 2018 elections.71 These successes appear to be tactical, slowing adversaries for a time. The SolarWinds and Microsoft Exchange Server attacks suggest, however, that the United States continues to fail to impose significant costs on adversaries for cyber espionage operations. The United States’ high degree of digital dependency enforces restraint, preventing it from retaliating powerfully against harmful operations in cyberspace. Moving to more destructive attacks threatens an escalatory response by adversaries that could leave the United States more vulnerable. Mutual cyber offense alone is unlikely to function as a sufficiently clear deterrent to opponents.

Norms are more useful in binding friends together than in constraining adversaries.
 

While the United States has searched for more effective ways to impose costs on attackers, it has also worked to define the rules for responsible state behavior in cyberspace. These efforts have included multilateral and bilateral negotiations as well as public attribution of attacks, indictments, and sanctions.

The United States has pursued norms—expectations about behavior that make it possible to hold other states accountable—because arms control agreements, like those used to control conventional or nuclear weapons, will not prove viable in cyberspace. Nuclear arms agreements counted, monitored, and limited the range and number of air-, sea-, land-, and space-based weapons. In contrast, cyber exploits reflect vulnerabilities in computer code and lack transparency. The certainty of verification does not exist, and as a result, the composition of a stable system of arms control in cyberspace becomes a practical impossibility. Nuclear and conventional weapons take years to produce and deploy to national militaries; cyber weapons, in contrast, are developed more quickly and in relative secrecy. Moreover, only a handful of countries have nuclear weapons. Many more states, along with a handful of nonstate actors, are developing cyber doctrines and corresponding capabilities. Finally, over time nuclear weapons were governed by a norm of stable deterrence and nonuse, whereas cyber operations are difficult to deter and used extensively.72

The United States has enjoyed some success gaining consensus on norms through the UN Group of Governmental Experts on Advancing Responsible State Behavior in Cyberspace in the Context of International Security (GGE).73 First established in 2004, the GGE now consists of experts representing twenty-five countries, including the United States, Australia, China, Russia, and the United Kingdom. In 2015, it issued a consensus report on a set of norms that largely reflected the U.S. delegation’s position on the application of international law in cyberspace.74 Eleven norms were formally adopted by the UN General Assembly, including those of state responsibility and the duty to assist, as well as a prohibition of intentionally damaging or impairing others’ critical infrastructures or targeting another state’s computer emergency response teams during peacetime.75 

Follow-on meetings in 2017 failed to reach consensus because the group was divided over how to apply international law. In 2018 Washington and Moscow submitted proposals for parallel processes. The United States pushed for the continuation of the GGE; Russia advocated for an Open-Ended Working Group (OEWG) intended to run through 2025 in which all UN member states could participate. Despite fears that the two groups would diverge in their work, the OEWG issued a report that reaffirmed the 2015 GGE consensus.76 A joint resolution proposed by the United States and the Russian Federation endorsed both reports, but meetings in the wake of the Russian war on Ukraine have been contentious, with the United States and its allies calling out Russia for violating the norms against interfering with critical infrastructure.

During the Obama administration, in response to a massive cyber campaign by state-backed hackers from China, the United States worked to establish a norm against the cyber-enabled theft of intellectual property in pursuit of competitive economic advantage. This was not a norm shared by all partners. Some U.S. allies were known to conduct espionage on behalf of individual companies. Still, Washington argued that states could be expected to conduct espionage against political or military targets, but operations against the private sector for commercial gain should be off limits.

In an effort to change Chinese behavior, U.S. officials began “naming and shaming” China, warning the espionage threatened stability in the bilateral relationship. In May 2014, in a significant escalation of pressure, the U.S. Department of Justice indicted five People’s Liberation Army officers for stealing trade secrets from Westinghouse, U.S. Steel, and other companies. In the summer of 2015, before President Xi’s first planned state visit to Washington, officials suggested that the United States would sanction Chinese individuals or entities that benefited from cyber theft. Beijing responded by sending a high-level negotiator before the summit, and during Xi’s visit the two sides announced that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”77 

In the first year after the visit, the Obama-Xi agreement appeared to be a success. The cybersecurity firm FireEye reported in June 2016 that the number of network compromises by the China-based hacking groups it tracks dropped from sixty in February 2013 to fewer than ten by May 2016. China went on to announce similar agreements with Australia and the United Kingdom, and the norm against intellectual property theft was included in statements from the Group of Twenty (including China, France, and Russia) and Group of Seven in 2015 and 2017.78 

As in other domains, the process of creating norms in cyberspace is slow, uneven, and uncertain. Washington’s efforts with Beijing proved transitory. In December 2018, for example, the U.S. Justice Department indicted two Chinese hackers with ties to the Ministry of State Security (MSS) for breaching managed service providers and more than forty-five technology companies. The cyber campaign, known as Cloud Hopper, exploited vulnerabilities in cloud computing and targeted some of the world’s biggest technology firms. Following the indictment, Australia, Canada, Germany, New Zealand, the United Kingdom, and other allies all issued statements backing the U.S. allegations against China and attributing the attack to the MSS.79 

The United Nations has affirmed the application of international law to cyberspace, but major actors have flouted the norms endorsed by the GGE and OEWG. Russia’s tolerance of ransomware gangs, for example, violates the norm of state responsibility, and operations against the power grid in Kyiv in 2015 and 2016 contravene the norm of noninterference with critical infrastructure during peacetime. Moreover, the norms process requires states to be transparent and provide legal justifications for the operations they undertake. Few states have done this, including the United States.

U.S. efforts to define norms around espionage have also suffered from inconsistent messaging. Many of the indictments and sanctions levied on Russia are for political-military espionage operations that Washington had previously suggested are legitimate and that all states would pursue. U.S. officials signaled that SolarWinds crossed a line because of the scope of the attack, the potential to move from espionage to disruption, the “unusual” burden placed on the private sector of mitigating the attack, the risk to the supply chain, and the theft of FireEye’s tools.80 The ultimate targets, however, are believed to have been some two hundred government and industrial entities, all reasonable subjects for intelligence collection. They are the kind of targets on which the United States intelligence community can and should collect intelligence in adversary nations.

Indictments and sanctions have been ineffective in stopping state-backed hackers.
 

The United States has used indictments and sanctions to reinforce norms and try to deter and impose costs on hackers (see figure below). Public attribution delineates which type of operations the United States considers illegitimate. Though the intent of an operation is difficult to determine, as is whether it is an intelligence, defensive, or offensive effort, the U.S. government and private sector actors in the cybersecurity industry have, with years of difficult experience, developed significant visibility into the identity and tradecraft of disparate cyber actors.

Once an attack is publicly attributed, the United States uses indictments and sanctions to impose costs and deter future attacks. The Department of Justice unsealed 24 indictments from 2014 to 2020, with 195 criminal counts against 93 foreign individuals accused of cyber operations at the behest of a state sponsor.81 Chinese, Iranian, North Korean, Russian, and Syrian hackers have been charged with a variety of crimes, from malicious destructive hacks to the theft of trade secrets and other intellectual property. The United States and its allies, for example, jointly attributed the NotPetya ransomware attack to Russia’s military intelligence, the Main Intelligence Directorate (GRU). In October 2020, a federal grand jury indicted six officers for the attacks.82 

After the Sony hack of 2015, the Obama administration issued Executive Order 13694, which allows the U.S. Department of the Treasury to block the property of individuals and entities involved in cyber-enabled activities that are a “significant threat to the national security, foreign policy, or economic health or financial stability of the United States.”83 The order was amended in December 2016 to allow for sanctions against cyber-enabled election interference. Until May 2021, the Treasury Department issued 311 cyber-related sanctions, most against Russia (141), Iran (112), and North Korea (18).84 In April 2021, the United States attributed SolarWinds to Russia’s Foreign Intelligence Service, and the White House issued an executive order blocking property connected to harmful Russian activities and imposed sanctions on “companies operating in the technology sector of the Russian Federation economy that support Russian Intelligence Services.”85  Although U.S. partners joined in calling out irresponsible behavior, few followed through with indictments or sanctions.

The public attributions, indictments, and sanctions have not imposed significant costs on state-backed hackers. Attributing publicly but lacking either the capability or will to respond effectively makes the United States look hapless and risks inviting more cyberattacks. Few hackers have seen the inside of a U.S. courtroom. As of 2019, of more than fifty indictments since the Obama administration, only five individuals have been arrested for their crimes.86 Sanctions could have a greater chance of success because they can target individuals and entities of value to policymakers. But so far, Washington has either been unable to identify the right targets or to inflict substantial pain.

Indictments, sanctions, and norms dialogues have been more effective in building coalitions than in deterring or imposing costs on adversaries. These action —multilateral, explicit, declared, and aspirational—allow Washington to signal to friends and allies what it sees as responsible behavior.

Full list of endnotes
Up next
Recommendations
This site uses cookies to improve your user experience. By continuing to browse this site you accept the use of cookies as explained in our Privacy Policy.
Accept Decline