Cyberspace Governance: The Next Step
Policy Innovation Memorandum from Asia Program and International Institutions and Global Governance Program
Policy Innovation Memorandum from Asia Program and International Institutions and Global Governance Program

Cyberspace Governance: The Next Step

March 2011

Policy Innovation Memorandum
Policy Innovation Memoranda target critical global problems where new, creative thinking is needed.

Introduction

After years of dismissing the utility of international negotiations on cyberspace, U.S. officials now say that they will participate in talks to develop rules for the virtual world. But which norms should be pursued first and through which venues? As a start, the United States should issue two "cyber declaratory statements," one about the thresholds of attacks that constitute an act of war and a second that promotes "digital safe havens"--civilian targets that the United States will consider off-limits when it conducts offensive operations. These substantive statements should emerge from a process of informal multilateralism rather than formal negotiations. Washington should engage allies and close partners such as India first and then reach out to other powers such as China and Russia with the goal that they also issue similar statements. Washington should also reach out to the private corporations that operate the Internet and nongovernmental organizations responsible for its maintenance and security.

No one agency, either national or multilateral, exerts authority over all parts of the Web.

Declaratory statements play an important role in the definition, diffusion, and adoption of international norms. The discussions that precede the statements encourage actors to identify desirable and realistically attainable norms; the statements themselves set the behaviors that states will be held to. They are also likely to increase strategic stability. Explicit statements give potential attackers a more concrete picture of what type of attacks the United States will respond to and how, making signaling easier and improving stability.

The Problem

Adam Segal

Ira A. Lipman Chair in Emerging Technologies and National Security and Director of the Digital and Cyberspace Policy Program

Increased U.S. receptivity to international negotiations reflects a growing sense that domestic efforts to secure cyberspace are inadequate and that the United States has hurt itself by sitting on the sidelines. There is real fear that a cyberattack--the use of computer power to attack computer, communication, transportation, and energy networks--could disrupt the economy, destroy critical infrastructure, or degrade military capabilities. The Internet was originally designed for the use and convenience of a small group of researchers in the United States; security was an afterthought. Now the network is global and there has been a proliferation of devices from laptops to smartphones connecting to it. No one agency, either national or multilateral, exerts authority over all parts of the Web.

More on:

Cybersecurity

Digital Policy

Global Governance

As the United States has focused on domestic efforts to make cyberspace more secure--appointing a cyber coordinator, standing up Cyber Command, and deploying Einstein 2, an intrusion detection system--other states have challenged the U.S. conception of the web as a global commons open to commerce and the free exchange of information. Moreover, the United States' refusal to enter into negotiations reinforced the sense that it intended to dominate cyberspace and limit the ability of other countries to maneuver in this new domain.

The Obama administration's May 2009 Cyberspace Policy Review revealed a shift in U.S. attitudes. "International norms are critical to establishing a secure and thriving digital infrastructure," the report concluded. In December 2009 the United States agreed to talk with Russia and a United Nations arms control committee about Internet security.

International cooperation is necessary, but some fundamental characteristics of cyberspace make traditional arms control agreements unlikely. The technologies used in most attacks are commercial and widely available. Attacks can be masked and routed across several networks, obscuring whether they are the work of independently operating "patriotic hackers," criminal groups, an official security agency, bored teenagers, or some combination of all four. This problem of attribution undermines verification; signatories to any agreement would have little confidence they could identify violators.

Moreover, there is no consensus about what constitutes a cyberattack. The United States talks primarily about defending critical infrastructure like the power grid or financial systems; China, Russia, and others worry about these vulnerabilities but also see the free flow of information as a threat to domestic stability. As a result, in any negotiations, Beijing and Moscow are likely to demand that the United States limit its support for "digital activists" in return for China and Russia controlling "patriotic hackers," a requirement Washington is unlikely to meet.

The Rules of Cyberspace

While a more formal agreement may never be reachable, the United States has a clear interest in defining the rules of interstate behavior in cyberspace. It has a particular interest in identifying the point at which a cyberattack becomes the equivalent of an "armed attack" in international law as well as in defining what constitutes a legitimate target of cyberattack. In the physical world, for example, states are expected to abide by the principle of distinction which requires attacks only be made on legitimate military targets and permits attacks on civilian targets only when "demanded by the necessities of war." This norm was developed through several centuries of war and formalized after World War II in the Geneva Protocols.

More on:

Cybersecurity

Digital Policy

Global Governance

The United States should develop methods to mark its digital safe havens.

At this point, most countries would accept that a cyberattack with "kinetic effects" equivalent to those of a conventional armed attack should be treated in the same manner, allowing for individual and collective self-defense as well as cyber and kinetic responses. But what about attacks below this threshold that nonetheless threaten critical interests, say, by destroying public data or disrupting financial markets? After consulting with its allies and friends, the United States should issue a public "cyber declaratory statement" that reserves the right to respond either through a conventional or computer network attack, but leaves some room for maneuver. Attacks on data and financial markets could both be covered by this statement as long as the consequences of an attack resulted in real suffering, not simply inconvenience.

The United States will not renounce the development and use of offensive weapons, but it should still work to develop "digital safe havens" and then in a separate initiative declare these targets off limits. Again, there is likely to be relatively easy consensus around some areas--hospitals and medical data--and much less agreement around others such as financial systems, power grids, and Internet infrastructure. The United States should also develop methods to mark its digital safe havens. It may have to separate its own network and data systems--data, for example, from the Department of Health and Human Services and the Pentagon should not sit on the same servers. U.S. policy makers should also work with companies and NGOs to address what are likely to be significant technical challenges in disentangling protected and non-protected spaces.

Building International Support

Since communication networks are global and primarily in private hands, an informal multilateralism is a more appropriate approach than a more formal multilateralism. U.S. officials should continue to show flexibility about venue, engaging through bilateral and multilateral meetings such as the United Nations, the G20, and regional groupings. There have been several moves to limit the role of nongovernmental groups in Internet governance--most recently in a December 2010 decision to involve only member states and exclude the Internet Governance Caucus and other organizations from a UN working group. By insisting on their participation in the relevant forum, the United States can continue to strengthen the authority of these groups.

In the case of thresholds and digital safe havens, the United States should conduct discussions with close allies, friends, private companies, and NGOs over a twelve-to-eighteen month period. The discussions about thresholds are particularly important for the United States to have with its allies; the large scale distributed denial of service attacks on Estonia in 2007 raised the question of whether the country should, or could, have invoked Article 5 of the NATO charter, in which members agree that an "armed attack against one or more of them . . . shall be considered an attack against them all." At the time and as is still the case today, NATO and international law lacked an accepted definition of what constitutes a cyberattack. These discussions should then be expanded to include other partners such as India and then to potential adversaries. After all of these consultations, the United States should issue substantive statements about thresholds and response. Although these statements will be unilateral, the goal of the consultative process should be to spur others to issue similar commitments.

This decentralized strategy is particularly important after Stuxnet, the malware that appears to target the Iranian nuclear program. It is now widely assumed that the United States, along with Israel, was behind the code. As a result, many countries will remain skeptical about Washington's intentions. Rules that appear to be the work of the United States alone will have little chance of gaining international support. But building a coalition of states who will gain from and are willing to push for new rules may give these norms greater legitimacy.

There has been in the United States' international engagement, however, a tendency to substitute process for strategy. While the decentralized approach to cyberconflict is the right one, it does not help in identifying strategic goals. The White House will have to become actively involved in order to push the process forward. The National Security Council's Information and Communications Infrastructure Interagency Policy Committee (ICI-IPC) subcommittee on international cyberspace policy efforts should drive action, not just coordinate and share information about what other agencies are doing.

An informal multilateralism is best suited to cyberspace, and by focusing on some of the norms of interstate cyberconflict, and on thresholds and legitimate targets in particular, the United States will be better able to begin shaping international norms.

Top Stories on CFR

Daily News Brief

Welcome to the Daily News Brief, CFR’s flagship morning newsletter summarizing the top global news and analysis of the day.  Subscribe to the Daily News Brief to receive it every weekday morning. Top of the Agenda U.S. and Iranian negotiators are meeting in Rome today for their fifth round of nuclear talks. The two sides have clashed in public comments about uranium enrichment in recent days, but a U.S. State Department spokesperson said yesterday that the meeting “would not be happening if we didn’t think that there was potential for it.” The U.S. is being represented by Middle East envoy Steve Witkoff and the State Department’s Policy Planning Director Michael Anton, and Iran by Foreign Minister Abbas Araghchi. What the parties are saying. The most recent friction was triggered by Witkoff describing a U.S. “red line” last Sunday that Iran should not be able to have “even 1 percent of an enrichment capability.” In prior weeks, some U.S. officials had suggested they might be able to accept a low level of enrichment.  Multiple Iranian officials publicly rejected the zero-enrichment position. The strict anti-enrichment comments from U.S. officials intensified after more than two hundred Republican lawmakers wrote a letter on May 14 calling for such a stance. Araghchi posted on social media yesterday that “zero nuclear weapons” meant there was a deal, while “zero enrichment” meant no deal. U.S. President Donald Trump “wants to see a deal with Iran struck, if one can be struck,” White House Press Secretary Karoline Leavitt said yesterday. The regional backdrop. Israel is considering striking Iran militarily, multiple news outlets have reported. Trump discussed Iran with Israeli Prime Minister Benjamin Netanyahu on a call yesterday, Leavitt said, adding that Trump asserted Washington seeks a deal with Iran. Araghchi wrote in a letter publicized by Iran’s mission to the United Nations yesterday that if Israel strikes Iran’s nuclear facilities, Iran would consider the United States responsible. If Israel continues to threaten Iran, he wrote, Iran would take unspecified steps to protect its nuclear materials. Trump has also threatened U.S. military strikes on Iran if talks fail.  “On a macro level, the two important Iranian objectives in these talks are they want to avert another military attack on their nuclear facilities, [and] they want to avert another maximum pressure economic campaign…I think an interim deal or a smaller deal is going to be a much easier political lift in both Washington and in Tehran.” The Carnegie Endowment’s Karim Sadjadpour tells The President’s Inbox Across the Globe Ban on Harvard international students. The U.S. Department of Homeland Security (DHS) revoked Harvard’s permission to enroll international students, saying the school did not provide the government requested records of student conduct. DHS said the school had created a “hostile” environment for Jewish students. Harvard called the action “unlawful.” Foreign students make up around 27 percent of the student body; the university’s director of media relations say they “enrich the university—and this nation—immeasurably.” Charges in DC shooting. The U.S. Justice Department filed federal murder charges against the suspect in Wednesday’s killings of two Israeli embassy staffers in Washington, D.C. Elias Rodriguez confessed to the killings, police said. Investigators are also considering hate crime and terrorism charges. Representatives of Jewish organizations called for more government funding for their safety in the wake of the attack, which comes amid a rise of antisemitic incidents in the United States and around the world following the outbreak of the Israel-Hamas war in 2023.  Tracking the great tech race. A new study by European research center Bruegel examined patents to measure the relative progress of China, the European Union (EU), and the United States on the research frontier of three critical technologies: quantum computing, semiconductors, and artificial intelligence (AI). It concluded that U.S. actors dominate innovation in quantum computing and, to a lesser extent, AI, while Chinese actors are ahead in semiconductors, and the EU lags in all three. U.S. weighs troops in South Korea. The Trump administration is consideringpulling thousands of troops out of South Korea, unnamed sources told the Wall Street Journal. In one reported scenario, roughly 4,500 troops would depart for other parts of the Indo-Pacific, including Guam. A Pentagon spokesperson said there were no policy announcements to make, South Korea’s defense ministry declined to comment, and South Korea’s military said it had not discussed a troop reduction with Washington. U.S. sanctions on Sudan. The United States determined the Sudanese army used chemical weapons in the country’s civil war last year and will impose new sanctions on Sudan beginning on or around June 6, the State Department said yesterday. Sudan’s government responded that the measure “lacks any moral or legal basis.” The announcement did not specify which weapons were used or where; unnamed U.S. officials told the New York Times in January that Sudan’s army appeared to have used chlorine gas in remote parts of the country.   North Korea warship damaged. In an unusual acknowledgement of a military malfunction, North Korean state media reported yesterday that the country’s second naval destroyer was damaged during its launch event. Seawater flowed into the ship, state media said today. Satellites showed that North Korea placed a cover over the partially submerged ship, which Pyongyang had reportedly rushed to complete. Aid distributed in Gaza. Humanitarian aid reached warehouses inside Gaza for the first time in eleven weeks, UN agencies said yesterday. The aid included flour and baby food. Twenty-nine children and elderly people in the territory died from “starvation-related” causes in the last few days, the Palestinian Authority health minister stated yesterday. Israel said 107 aid trucks crossed the border into Gaza yesterday, while UN agencies say an estimated 600 per day are needed to address the territory’s humanitarian crisis.  UK deal on Chagos Islands base. The United Kingdom (UK) reached a deal with Mauritius—its former colony—to give up its claim over the disputed Chagos Islands and pay Mauritius some $136 million per year to lease the area that houses a U.S.-UK military base. The UK separated the Chagos Islands from Mauritius in 1965, shortly before Mauritius gained independence. What’s Next Today, India’s foreign minister is visiting Germany. On Sunday, French President Emmanuel Macron begins a visit to Vietnam, Indonesia, and Singapore. On Sunday, Suriname holds a general election and Venezuela holds legislative and regional elections. On Monday, an Association of Southeast Asian Nations (ASEAN) leaders summit begins in Malaysia. On Monday, the African Development Bank begins its annual meetings in Ivory Coast.

South Africa

Senior Fellow for Africa Policy Studies and former ambassador Michelle Gavin breaks down the tense U.S.-South Africa meeting at the White House. 

Ukraine

President Trump suggested after the call that the United States could “back away” if Russia and Ukraine peace talks don’t advance. That could leave it to Europe to keep Ukraine in the fight.