The era of the global internet is over. Washington has worked closely over the last three decades with the private sector and allies to promote a vision of a global, open, secure, and interoperable internet, but the reality of cyberspace is now starkly different. The internet is more fragmented, less free, and more dangerous. Moreover, U.S. policymakers have long assumed that the global, open internet served American strategic, economic, political, and foreign policy interests. They believed that authoritarian, closed systems would struggle to hold back the challenges, both domestic and international, that a global network would present. This has not proved to be the case.
The early advantages the United States and its allies held in cyberspace have largely disappeared. The United States is asymmetrically vulnerable because of high levels of digitization and strong protections for free speech. Adversaries have adapted more rapidly than anticipated. They have a clear vision of their goals in cyberspace, developing and implementing strategies in pursuit of their interests, and have made it more difficult for the United States to operate unchallenged in this domain.
Around the world, states of every regime type are forcing the localization of data, as well as blocking and moderating content. The United States’ early lead in internet technologies motivated many countries to promote data residency and other regulations to protect national companies. China has long blocked access to foreign websites, created trade barriers to U.S. technology companies, and given preference to domestic incumbents, which now operate across the globe. European policymakers are increasingly focused on the need for presumptive digital self-sufficiency and data privacy. Beijing and Moscow, in particular, have used the United Nations and other international organizations to promulgate a vision of cyber sovereignty centered on state control over the internet.
The international competition for power is accelerating the fragmentation of technology spheres. Policymakers in the United States and China worry about intelligence agencies introducing backdoors in software and hardware, interdicting products along the supply chain, and using both legal and extralegal means to access data held by technology firms. As a result, both countries have recently introduced new rules and measures designed to secure supply chains, exclude foreign suppliers and products, and control the flow of data.
The war between Russia and Ukraine has furthered the fracturing, with Moscow throttling American social media, including banning Facebook, Instagram, and Twitter. Apple, Cisco, Microsoft, Oracle, and others ended sales to or shut down services in Russia. Two American ISPs, Cogent and Lumen, disconnected from Russian networks.1
Internet freedom, as defined by qualitative and quantitative analyses, has been in decline for more than a decade (see figure below). The advocacy group Freedom House, which tracks internet freedom across the world, has seen sustained declines in empirical measures of internet freedom, especially in Asia and the Middle East.2 More states are launching political influence campaigns, hacking the accounts of activists and dissidents, and sometimes targeting vulnerable minority populations. A growing number of states choose to disconnect entirely from the global internet. According to the digital human rights group Access Now, at least 182 internet shutdowns across 34 countries occurred in 2021, compared with 196 cases across 25 countries in 2018.3
Threats in cyberspace continue to grow in both number and severity. Security has never been a feature of the internet; indeed, its original design prioritized openness and interoperability over security. Only recently have concepts such as zero trust—a framework requiring all users to be authenticated, authorized, and continuously validated for security—become widely accepted and practiced. Competitiveness in cyberspace will therefore be determined by the ability to operate effectively in an inherently insecure and compromised environment.
The majority of state-backed cyber operations remain related to espionage, but cyberattacks are also weapons of sabotage and disinformation, and the number of disruptive attacks is growing (see figure below). Russia-based hackers are alleged to be responsible for attacks on the power grid in Kyiv in 2015 and 2016, and the Russian-sponsored 2017 NotPetya attack wiped data from the computers of banks, power companies, gas stations, and government agencies, reportedly costing companies more than $10 billion worldwide.4
In the weeks before the Russian invasion of Ukraine, malware that can erase hard drives was found in Ukrainian government networks; hackers conducted spear-phishing campaigns against Ukraine’s defense partners; threat actors pre-positioned themselves in supply chains for future attacks on Ukraine and the North Atlantic Treaty Organization (NATO); and distributed denial of service attacks briefly rendered the websites of banks and government organizations inaccessible. Russian hackers disrupted ViaSat, a provider of broadband satellite internet services, in the early hours of the invasion, and the effects spread from Ukraine to Germany and other parts of Europe. In early April, Ukrainian defenders prevented a destructive attack on Ukraine’s power grid.5 According to research from Microsoft, six groups linked to the Russian government conducted hundreds of operations designed to degrade Ukrainian institutions and disrupt access to information and critical services. In some instances, Russia’s cyberattacks were “strongly correlated and sometimes directly timed with its kinetic military operations.”6
Cybercrime on its own has become a threat to national security. Attacks on hospitals, schools, and local governments have disrupted thousands of lives. The Conti ransomware group shut down the administrative body in Ireland charged with managing the national health-care system, disrupting critical health treatments. A ransomware attack on Colonial Pipeline by a criminal group known as Darkside resulted in the shutdown of a 5,500-mile pipeline and gas shortages on the U.S. eastern seaboard. Another group, REvil, was reportedly the sponsor of an attack on U.S. meat supplier JBS that disrupted one-fifth of the nation’s meat supply. This sharp rise in the volume and cost of ransomware incidents has had a dramatic effect on the cyber insurance markets, driving premiums up in excess of 100 percent.7
The digital battlefield is a complex space, and nonstate actors play a powerful role in cyber conflict: some state actors moonlight with criminal action; some criminals are leveraged for state goals. China, Iran, North Korea, and Russia often rely on criminals, technology firms, or other nonstate proxies to conduct attacks. During the war between Russia and Ukraine, criminal groups, hacktivists, and a group of Ukrainian citizens calling themselves the IT Army conducted distributed denial of service, ransomware, and data breach hacks in support of both sides. Hacktivists dumped Russian emails, passwords, and other sensitive data on public websites. The Ukrainian government used Twitter to share a list of Russian and Belarusian targets.8 Criminal hacking could be preparing for, or transitioning to, more destructive attacks. Therefore, a state’s willingness to manage cyber activity emanating from its territory will be a significant marker of its commitment to international efforts to secure cyberspace.
In addition, private companies are creating spyware that enables states that cannot create their own cyber capabilities to conduct high-end cyberattacks. Countries can thus not only conduct nation-state- level attacks, but also—if their commitment to the rule of law is weak—target journalists, activists, dissidents, and opposition politicians. An Israeli company, NSO Group Technologies, created malware known as Pegasus that illustrates the multiple uses of these capabilities. Pegasus was reportedly used by law enforcement agencies to capture drug lords, thwart terrorist plots, and fight organized crime. It was allegedly also deployed against civil rights activists in the United Arab Emirates, journalists in Hungary and Poland, and politicians in India and Spain.9
Much of the response to these threats has justifiably focused on domestic policy and improving the defense and resilience of government and private-sector networks. Since the Bill Clinton administration, policymakers and legislators have attempted to improve information sharing between the public and private sectors, define authorities and build cyber capacity in the federal government, and raise security standards in critical infrastructure networks. The Cyberspace Solarium Commission, established by the 2019 National Defense Authorization Act (NDAA), offered more than eighty recommendations as part of a strategy of “layered cyber deterrence.” Twenty-five of the commission’s recommendations have been codified into law, including the establishment of a Senate-confirmed national cyber director within the Executive Office of the President.10 In March 2022, President Joe Biden signed legislation mandating critical infrastructure owners to report within seventy-two hours if they were hacked or within twenty-four hours if they made a ransomware payment.11
Less attention has been paid to rethinking a vision of U.S. foreign policy for cyberspace that contends with a fragmented, insecure internet and its accelerating weaponization. The United States has tried to set the rules of the road using a combination of international norms, “naming and shaming,” indictments, and sanctions. Despite agreement at the United Nations on some of the norms of responsible state behavior, these efforts have so far had little influence on Chinese, Iranian, North Korean, or Russian cyber operations. Deterrence of cyberattacks below the threshold of use of force or armed attack— most attacks—has failed. As a result, the United States has adopted a doctrine of persistent engagement and forward defense, based on disrupting attackers before they reach U.S. networks.
The increased instability of cyberspace presents a grave challenge. Compared with its adversaries, the United States stands largely alone, the most connected society but with the most vulnerable data. Washington needs a comprehensive digital, cyber, and foreign policy strategy that confronts the reality of the end of the global internet. Moving slowly will result in not only the continued deterioration of U.S. security and economic interests but also a failure to capture fully the benefits of the next wave of digital innovation.
The United States is at an inflection point: the risks in cyberspace are growing, and incumbent strategies are not working. A cyber policy grounded in reality has three pillars.
First, Washington should consolidate a coalition of allies and friends around a vision of the internet that preserves—to the greatest degree possible—a trusted, protected international communication platform. This would not be an alliance of democracies, but rather a digital architecture that promotes the trusted flow of data and transparent international standards. The United States should work with allies and partners to develop international rules and agreements governing how the public and private sectors collect, use, protect, store, and share data. Washington should promote regional digital trade negotiations and adopt a shared policy on digital privacy that is interoperable with Europe’s GDPR. This coalition of trusted states should build an international cybercrime center, support capacity development in developing economies, and cooperate on technological innovation in sectors critical to offensive and defensive cyber operations.
Second, the United States should balance more targeted diplomatic and economic pressure on adversaries, as well as more disruptive cyber operations, with clear statements about self-imposed restraint on specific types of targets agreed to among U.S. allies. Such statements would include limitations on destructive and disruptive attacks on state financial and electoral systems, as well as negotiations with Beijing and Moscow on the threats to strategic stability caused by cyberattacks on NC3 systems. By limiting the risk of misperception and miscalculation among nuclear powers, these restraints are in the United States’ interest because they would reduce the likelihood of catastrophic outcomes. The United States and its partners should also develop coalition-wide practices for disclosing vulnerabilities and applying pressure on states that deliberately provide cybercriminal safe havens.
Third, the United States needs to get its domestic house in order. Digital competition is essential to future strategic and economic interests and should be prioritized in national security strategies. Intelligence agencies should be tasked for cybersecurity risks, and the dangers in domestic cyberspace diminished by incentivizing ISPs to identify and reduce malicious activities occurring on or through their infrastructure. Washington should promote the flow of cybersecurity talent among coalition partners and develop the expertise needed to conduct U.S. cyber foreign policy.
The United States needs to move urgently on cyber and digital competition. Failing to act will significantly harm U.S. security and economic interests in the future.
- Adam Satariano and Valerie Hopkins, “<a href="https://www.nytimes.com/2022/03/07/technology/russia-ukraine-internet-isolation.html">Russia, Blocked From the Global Internet, Plunges Into Digital Isolation</a>,” <em>New York Times</em>, March 7, 2022; Joseph Menn, Ellen Nakashima, and Craig Timberg, “<a href="https://www.washingtonpost.com/technology/2022/03/08/lumen-internet-russia-backbone-cut">Lumen, a Second Major American Internet Carrier, Pulling Out of Russia</a>,” <em>Washington Post</em>, March 8, 2022.
- Adrian Shahbaz and Allie Funk, “<a href="https://freedomhouse.org/report/freedom-net/2021/global-drive-control-big-tech">Freedom on the Net 2021: The Global Drive to Control Big Tech</a>,” Freedom House, September 21, 2021.
- Gian M. Volpicelli, “<a href="https://www.wired.co.uk/article/internet-shutdowns">The Draconian Rise of Internet Shutdowns</a>,” <em>Wired</em>, February 9, 2021; Access Now, <a href="https://www.accessnow.org/cms/assets/uploads/2022/04/2021-KeepItOn-Report-1.pdf"><em>The Return of Digital Authoritarianism: Internet Shutdowns in 2021</em></a>, April 2022.
- <p>BBC, “<a href="https://www.bbc. com/news/technology-38573074">Ukraine Power Cut Was Cyber-Attack</a>,” January 11, 2017; Andy Greenberg, “<a href="https://www. wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world">The Untold Story of NotPetya, the Most Devastating Cyberattack in History,</a>” <em>Wired</em>, August 22, 2018. </p>
- <p>Kate Conger, “<a href="https://www.nytimes.com/2022/04/12/ us/politics/ukraine-russian-cyberattack.html">Ukraine Says It Thwarted a Sophisticated Russian Cyberattack on Its Power Grid</a>,” <em>New York Times</em>, April 12, 2022; James Pearson, Raphael Satter, Christopher Bing, and Joel Schectman, “<a href="https:// www.reuters.com/world/europe/exclusive-us-spy-agency-probes-sabotage-satellite-internet-during-russian-2022-03-11/">U.S. Spy Agency Probes Sabotage of Satellite Internet During Russian Invasion, Sources Say</a>,” Reuters, March 11, 2022; CISA, FBI, Joint Cyber Adversary, “<a href="https://www.cisa. gov/uscert/ncas/alerts/aa22-057a">Destructive Malware Targeting Organizations in Ukraine</a>,” CISA, March 1, 2022; Gordon Corera, “<a href="https://www.bbc.com/ news/technology-60796079">Russia Hacked Ukrainian Satellite Communications, Officials Believe</a>,” BBC, March 25, 2022.</p>
- <p>Tom Burt, “<a href="https://blogs.microsoft.com/on-the-issues/2022/04/27/hybrid-war-ukraine-russia-cyberattacks">The Hybrid War in Ukraine</a>,” <em>Microsoft on the Issues </em>(blog), April 27, 2022. </p>
- <p>Alex Scroxton, “<a href="https://www.computerweekly.com/news/252500905/ Conti-ransomware-syndicate-behind-attack-on-Irish-health-service">Conti Ransomware Syndicate Behind Attack on Irish Health Service</a>,” <em>Computer Weekly</em>, May 17, 2021; Congressional Research Services, <a href="https://crsreports.congress.gov/product/pdf/IN/IN11667"><em>Colonial Pipeline</em>: <em>The DarkSide Strikes</em></a>, May 11, 2021; Jacob Bunge, “<a href="https://www.wsj. com/articles/jbs-paid-11-million-to-resolve-ransomware-attack-11623280781? mod=hp_lead_pos2">JBS Paid 11 Million to Resolve Ransomware Attack</a>,” <em>Wall Street Journal, </em>June 9, 2021; “<a href="https://www.marsh.com/us/services/cyber-risk/insights/ cyber-insurance-market-overview-q4-2021.html">Cyber Insurance Market Overview: Fourth Quarter 2021</a>,” Marsh McLennan, 2021. </p>
- <p>IT Army of Ukraine (@ITarmyUA), “<a href="https://twitter.com/ ITarmyUA/status/1498287273581944843?s=20&t=fybBWPvIlxlNEnCm7ZD2ZA">Hackers all around the world: target #Belarus in the name of #Anonymous</a>,” Twitter, February 28, 2022; Cyberknow, “<a href="https://cyberknow.medium.com/2022-russia-ukraine-war-cyber-group-tracker-6e08ef31c533">2022 Russia-Ukraine War—Cyber Group Tracker,</a>” Medium, February 27, 2022. </p>
- <p>Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak, and Ron Deibert, <a href="https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries"><em>Hide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries</em></a>, Citizens Lab, September 18, 2018; Washington Post Staff, “<a href="https://www.washingtonpost.com/investigations/2021/07/18/ takeaways-nso-pegasus-project">Takeaways From the Pegasus Project</a>,” <em>Washington Post</em>, August 2, 2021. </p>
- <p>U.S. Cyberspace Solarium Commission, <a href="https://www.solarium.gov"><em>A Warning From Tomorrow: Final Report</em></a>, March 11, 2020. </p>
- <p>Martin Matishak, “<a href="https://therecord.media/biden-signs-cyber-incident-reporting-bill-into-law">Biden Signs Cyber Incident Reporting Bill Into Law,</a>” <em>The Record</em>, March 15, 2022.</p>