The internet today is more fragmented, less free, and more dangerous than it was at its emergence. The threats in cyberspace continue to grow, and cybercriminals and other proxy actors are a rising challenge to national security. Adversaries are developing comprehensive strategies for cyberspace and making it more difficult for the United States to navigate in a domain of shadows and fierce threats. The United States needs the strategy, the structures, the talent, and the policies for sustained cooperation among the full array of bilateral and multilateral relationships, where digital issues are increasingly important.
A successful marrying of the United States’ foreign and cybersecurity policies should be built on three pillars: building a trusted internet coalition based on the free flow of data, balancing more pressure on adversaries with limited norms of restraint on cyber operations, and building capabilities at home.
The first step for the United States is to develop and sustain a coalition of states committed to the trusted flow of data. This will require Washington to reenter regional digital trade negotiations, negotiate with Brussels and others on privacy and government access to data, and offer incentives to other states to join the coalition through an international cybercrime center and cyber development assistance. In support of these efforts, the United States will also need to develop a coalition to promote the security of open-source software and work jointly to retain leadership in technologies critical to cyber strategy, such as
Build a Trusted, Protected Internet Coalition
The United States can do little to prevent authoritarian regimes from creating a separate network that reflects their values. It can, however, preserve and extend the economic and political values of an open internet among a self-selecting coalition. In addition, the United States and its allies will need to address security threats and provide economic and political inducements for states ambivalent about the costs and benefits of allowing a relatively free flow of data.
Although many efforts are underway to bring together a consortium of partners that value preserving a trusted internet, they lack a cohesive center and incentives to move from words to action. Monitoring internet freedom through disparate approaches, promoting tools to avoid censorship, supporting the development of law enforcement capabilities, and creating mechanisms to address cross-border cybercrime have yielded marginal results but do not provide a larger architecture for U.S. policy.
The United States has an opportunity to lead a cohort of nations committed to a shared concept of the internet. Many have argued that the organizing principle of this grouping should be a coalition of democracies that comes together to preserve and extend the value of an open internet.87 Though the signatories of the 2022 Declaration of the Future of the Internet say they will “work toward an environment that reinforces our democratic systems and promotes active participation of every citizen in democratic processes,” the alliance is not explicitly a democratic one. Still in its early stage, the declaration appears too exclusive to form a counterweight to China and Russia, and many important potential partners appear reluctant to join. Most of the signers are in Europe; significant holdouts include Brazil, India, Indonesia, and South Africa.
Making digital trade central to a cyber coalition—instead of a vague definition of democracy or the promotion of unachievable aspirations—would draw more states into the partnership. Being part of a digital trade bloc that includes, for example, the United States, Japan, South Korea, and Europe, could be enough incentive to draw Brazil and India into the fold, particularly if it also includes hardware and outsourced information technology (IT) services. Jointly, the coalition could develop common understanding on the legitimate use of government surveillance, law enforcement access to data, and industrial policies; share best practices on technology regulation; work to forge a trusted supply chain for digital goods and services; and coordinate on international standards.
Joining the coalition does not presuppose an absolute alignment on data privacy or localization policies. Rather, the grouping would build on shared data privacy values while recognizing the differences in domestic approaches to protecting data privacy. Coalition members would be required to develop and implement internet regulations guided by the rule of law, transparency, and accountability. Partners would agree to work cooperatively to address malicious cyber activity and refrain from carrying out malicious acts themselves. As former Japanese Prime Minister Shinzo Abe put it, the goal should be to establish “data flows with trust,” not to promote Western-style democracy.88 A confederated model of internet connectivity and trusted data flow could preserve for its members many of the same values and benefits of the World Wide Web.
Build a digital trade agreement.
The nations that build the next era of digital trade agreements will have a disproportionately significant influence on the future of the world economy. The United States and its partners need to seize this opportunity. The groundwork for this approach has been laid with the
Several agreements can serve as models, including the Economic Partnership Agreement between Japan and the European Union, as well as agreements between Japan and the United Kingdom, Singapore and the United Kingdom, and among Chile, New Zealand, and Singapore.90 These agreements broadly cover both the removal of tariffs on digital goods and the elimination of nontariff barriers to digital trade. Important shared attributes include
• ensuring the free flow of data across borders;
• prohibiting localization requirements for computing facilities, cloud services, or data analysis motivated by anticompetitive or protectionist purposes; and
• banning requirements to turn over source code, algorithms, or related intellectual property rights.
New or expanded provisions should address concerns of workers and consumers, including those that promote digital inclusiveness, strengthen consumer confidence and trust, and protect personal information.
The United States should lead the effort to build a digital agreement, perhaps using the Digital Economy Partnership Agreement among Chile, New Zealand, and Singapore as a starting point. A regional initiative that includes Australia, Chile, Japan, New Zealand, Singapore, and South Korea, among others, would be a market large enough to influence U.S. firms and a good place to start. It would signal a comprehensive approach rather than a piecemeal, bilateral one. And it would be large enough to draw important states such as India, Indonesia, and Malaysia.91
Agree to and adopt a shared policy on digital privacy that is interoperable with Europe’s General Data Protection Regulation.
Sparked by a steady stream of revelations of how technology platforms collect information and a deeper understanding of the dynamics of advertising and the internet economy, consumers around the world are more demanding of regulations that preserve and protect personal data. The United States, the European Union, and like-minded nations should forge a clear consensus on privacy goals.
Efforts to pass comprehensive national domestic privacy legislation have been fitful and spanned more than twenty years. As of May 2022, California, Colorado, Connecticut, Utah, and Virginia have passed state privacy laws. These laws borrow terms, definitions, and procedures from the
The
Washington should work with other members of the coalition to develop common privacy principles that are interoperable with the
Resolve outstanding issues on U.S.-EU data transfers.
Another issue preventing closer coordination between the United States and Europe is access to data by law enforcement or national security agencies. U.S. officials have tried both to reassure Europeans that U.S. intelligence agencies are unlikely to collect data on ordinary citizens and to note that European intelligence and law enforcement agencies’ access to private data is often less constrained than that in the United States. The Court of Justice of the European Union has been unconvinced, and in the 2020 Schrems II decision, it invalidated the previously negotiated Privacy Shield agreement on necessary protections for transatlantic data transfers. The
In March 2022, President Biden and European Commission President Ursula von der Leyen announced that the two sides had reached a new agreement on data flows. Washington would limit disproportionate signals intelligence collection, and European citizens would be able to appeal to an “independent Data Protection Review Court” if they felt their privacy had been violated. The U.S. commitment to the agreement will come through an executive order, which could be reversed by the next administration and is likely to face legal challenges from European privacy groups. The future of transatlantic data flows remains on uncertain legal ground.93
As part of this coalition, member countries should agree to a set of practices for providing law enforcement access to the data of their citizens when it is held by another member government and for providing broad, robust, and transparent protections of the data of citizens from coalition partners. These regulations need both to be agreed to in treaty form and to be implemented in national laws. The U.S.- Cloud Act, under which the United States has signed agreements with Australia and the United Kingdom, could be a model for this purpose.94
Passing a comprehensive privacy law would significantly respond to the
Create an international cybercrime center.
To both expand digital trade and address malicious cyber activity, future digital trade agreements should require institutions that monitor for violations and coordinate action to punish transgressors. Such agreements should also include binding mechanisms for dispute resolution. Under this approach, standalone institutions could be created to fulfill these functions and then incorporated by reference into any new digital trade chapters or standalone trade agreements. An international crime center could both play this role and promote capacity-building measures among coalition partners.
Operational cooperation between national law enforcement agencies is fragmented and immature, whereas cybercrime is globalized. To improve coordination on cybercrime, the coalition should develop a joint international cybercrime center with a clear focus on crime, not domestic intelligence. Mechanisms exist to coordinate action on law enforcement investigations and information sharing, such as Interpol and the European Cybercrime Centre, but no central, global clearinghouse is in place for requesting law enforcement assistance or supporting coordinated takedown activity for botnets, which are networks of computers infected with malware and controlled as a group without the owners’ knowledge. Currently, coordinated takedown actions require continual resourcing, and a new coalition is formed for each effort.
In 2014, for example, the Gameover Zeus botnet takedown was made possible by FBI cooperation with law enforcement from Australia, Canada, France, Germany, Italy, Japan, the Netherlands, Ukraine, and others, as well as numerous companies including Dell SecureWorks, CrowdStrike, Microsoft, F-Secure, Level 3 Communications, McAfee, Symantec, Sophos, and Trend Micro. The 2021 takedown of the Emotet botnet involved similar partnerships.96 The operational effectiveness of these past ad hoc efforts needs to be institutionalized and routinized, and existing efforts coordinated by the National Cyber Forensics Training Alliance as well as bilateral efforts like the recently announced U.S.-Israeli task force on ransomware should be shifted to this center.97
A new international cybercrime center would serve as a platform for continually pressuring cybercriminals and undermining the infrastructure they use to operate, including tracking and reclaiming cryptocurrency that funds criminal activity. It would be closely tied to financial regulators and host law enforcement agencies, civilian computer emergency response teams, internet service providers, cloud platforms, nongovernmental organizations, academia, and cybersecurity firms. Each member would be expected to provide support to the center, including analysis and planning capabilities. Nonmember states would be invited to provide a liaison to the center to coordinate law enforcement and takedown activities within their jurisdiction. The center should publicly have ties to offensive cyber units within member states to coordinate offensive action against criminal platforms when voluntary action, law enforcement, and diplomacy fail.
Create a focused program for cyber aid and infrastructure development.
A growing part of China’s ambitious Belt and Road Initiative (BRI) is focused on digital infrastructure. Beijing has identified
During the Trump administration, U.S. officials warned of the cybersecurity risks of relying on Chinese tech infrastructure, stressing the potential threats of data collection and disruption. Washington was less successful in providing alternatives to countries attracted by the cheaper prices and reliability of Chinese technology or developing a cybersecurity roadmap for those likely to adopt a mix of U.S. and Chinese hardware, software, and services. The United States and its coalition partners need to create funding mechanisms for the development of digital infrastructure. Congress should consolidate the State Department’s foreign assistance funding and add a new line for cyber capacity building in the State, Foreign Operations, and Related Programs appropriations legislation.99 This effort, however, needs to do more than provide an alternative source of funding. Business, government, and civil society groups should also partner to demonstrate how these technologies can be deployed to protect privacy and individual liberties.
The coalition should be a competitor in the race to link the remaining 2.9 billion people without connectivity to the global internet. Special emphasis should be placed on the continued expansion of undersea cables, which can both blunt growing Chinese investments in this infrastructure and provide a more diverse network with fewer single points of failure for global internet communications. Planned investments by the United States, Australia, and Japan to connect a series of Pacific islands are a model of the actions the coalition should take.100 Australia has also invested in cables to connect to other island nations in the Indian Ocean. These investments, however, pale in comparison to those made by private-sector actors, notably Google, which has committed $1 billion to an undersea cable to connect several African nations to Europe.101 Private companies should take the lead in these initiatives, with the coalition providing support only when investments do not make financial sense to the private sector.
The coalition and its private-sector partners should build, along with infrastructure projects, the capacity to counter malicious cyber activity. Efforts should not only target traditional areas of technical assistance, such as the development of laws to govern digital activity and law enforcement capability, but also build military and intelligence capabilities among allied states. These should include defensive and attribution tools, but potentially also offensive tools to act as a deterrent and raise the cost of interference for adversary states.
Build a coalition for open-source software.
Open-source software (i.e., software that is free and open to anyone to inspect and modify) is widely used and deployed in commercial as well as critical infrastructure and national security networks. Outside of major curated and supported projects, the code is often maintained by a small group of volunteers, with ad hoc, under-resourced efforts to sustain software security. Coalition partners should work together to develop and maintain open-source code, as well as ensure its security.
In December 2021, a Chinese security researcher notified the Apache Software Foundation of a vulnerability in Log4J, widely used code that records and communicates diagnostic messages to system administrators and users. Log4J is almost everywhere in the software ecosystem. Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, called the vulnerability the most serious she had seen in her career.102 A large number of hackers scanned the internet to exploit the flaw, and the cybersecurity firm Mandiant found APT41, a group associated with the
In response to Log4J, the White House quickly convened a group to discuss how to prevent security defects in open-source code, improve the process for finding defects and fixing them, and shorten the response time for distributing and implementing solutions.104 Open-source software is not inherently less secure than proprietary software. In fact, well-supported open-source products could be even more secure than their proprietary counterparts, given the participation of large communities of developers. Well-supported is the crucial factor. Two important elements of well-supported open-source products are incentives, such as bug bounties, for developers to find flaws and investment by the affected companies to accelerate the remediation of those flaws.
The United States and its international partners should promote the adoption and promulgation of open standards among users, particularly by major technology providers. They should also work together to make the open standards process international, transparent, and fully aligned with cybersecurity objectives. The Linux Foundation, Cloud Native Computing Foundation, and OpenTitan are all examples of standards bodies with transparent and consensus-driven processes. In addition, the coalition partners should support improvements in security of open-source software through consortia such as the Open Source Security Foundation, a cross-industry collaboration that is developing security tools, best practices, and a software ecosystem for vulnerability disclosures.
Work jointly across partners to retain technology superiority.
Technology advantages that accrue over several years can ultimately prove evanescent. The United States and its allies need to increase investment in research in sectors that will be critical to cyber competition in the coming decade. Semiconductors,
It will not be enough to remain ahead in basic research. The United States and its allies will also need to lead in the identification, application, and evaluation of artificial intelligence and quantum computing to cyber and other national security challenges. As the final National Security Commission on Artificial Intelligence report recommends, the United States needs to establish trusted sources of materials and components for quantum computers, invest in the development of hybrid quantum-classical algorithms, and focus on the fielding of national security applications. Washington should also incentivize the private sector to invest in national security applications by announcing specific government-use cases of quantum computers.105
Although most of the media attention paid to AUKUS, the trilateral security agreement among Australia, the United Kingdom, and the United States announced in September 2021, was on sharing nuclear submarine technology, the group will also focus on cyber capabilities, quantum technologies, and artificial intelligence.106 The Pentagon should also coordinate with its Australian and British counterparts on developing shared test, evaluation, validation, and verification infrastructure for artificial intelligence.
The United States should announce a cybersecurity “grand challenge” for universities and private companies in its Quad partners (Australia, India, and Japan). In 2016, a powerful machine called Mayhem designed by a Pittsburgh company won the Cyber Grand Challenge, a cybersecurity competition held by the U.S. Defense Advanced Research Projects Agency. Mayhem won by automatically detecting, patching, and exploiting software security vulnerabilities, and the Pentagon now uses the technology in all military branches. The Quad announced in September 2021 initiatives to drive the adoption and implementation of shared cyber standards, develop secure software, and grow the tech workforce, but the group should also catalyze technological breakthroughs.
In addition, Washington should build on its bilateral science and technology relationships. In April 2021, President Biden and former Japanese Prime Minister Yoshihide Suga launched the Competitiveness and Resilience Partnership and committed $4.5 billion to R&D on
- 87. Jared Cohen and Richard Fontaine, “Uniting the Techno-Democracies: How to Build Digital Cooperation,” Foreign Affairs, October 13, 2020, https://www.foreignaffairs.com/articles/united-states/2020-10-13/uniting-techno-democracies; Martijn Rasser, “The Case for an Alliance of Techno-Democracies,” Observer Research Foundation, October 19, 2021, https://www.orfonline.org/expert-speak/the-case-for-an-alliance-of-techno-democracies.
- 88. Shinzo Abe, “Defeatism About Japan Is Now Defeated,” speech delivered at WEF, January 23, 2019, https://www.weforum.org/agenda/2019/01/abe-speech-transcript.
- 89. U.S. Department of Commerce, “Global Cross-Border Privacy Rules Declaration,” accessed May 19, 2022, https://www.commerce.gov/global-cross-border-privacy-rules-declaration.
- 90. Jay Heisler, “Smaller Economies See Big Opportunities in Digital Trade Pact,” Voice of America, April 21, 2021, https://www.voanews.com/a/economy-business_smallereconomies-see-big-opportunities-digital-trade-pact/6204836.html.
- 91. Nigel Cory, “U.S. Options to Engage on Digital Trade and Economic Issues in the Asia-Pacific,” Information Technology and Innovation Foundation, February 8, 2022, https://itif.org/publications/2022/02/08/us-options-engage-digital-trade-and-economic-issues-asia-pacific/.
- 92. Joshua P. Meltzer, “Why Schrems II Requires US-EU Agreement on Surveillance and Privacy,” Brookings TechStream, December 8, 2020, https://www.brookings.edu/techstream/why-schrems-ii-requires-us-eu-agreement-on-surveillance-and-privacy; Kenneth Propp, “Transatlantic Data Transfers: The Slow Motion Crisis,” Council on Foreign Relations, January 13, 2021, https://www.cfr.org/report/transatlantic-data-transfers; Matt Burgess, “Europe’s Move Against Google Analytics Is Just the Beginning,” Wired, January 19, 2022, https://www.wired.com/story/google-analytics-europe-austria-privacy-shield/?bxid=5bea07d724c17c6adf15204d&cndid=31936551.
- 93. White House, “Fact Sheet: United States and European Commission Announce Trans-Atlantic Data Privacy Framework,” March 25, 2022, https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-states-and-european-commission-announce-trans-atlantic-data….
- 94. Paul Karp, “Australia and US Sign Cloud Act Deal to Help Law Enforcement Agencies Demand Data From Tech Giants,” The Guardian, December 15, 2021, https://www.theguardian.com/technology/2021/dec/16/australia-and-us-sign-cloud-act-deal-to-help-law-enforcement-agencies-demand-data-from-tech-giants.
- 95. Stewart Baker, “How Can the U.S. Respond to Schrems II?” Lawfare (blog), July 21, 2020, https://www.lawfareblog.com/how-can-us-respond-schrems-ii.
- 96. Department of Justice, Office of Public Affairs, “U.S. Leads Multi-National Action Against ‘Gameover Zeus’ Botnet and ‘Cryptolocker’ Ransomware, Charges Botnet Administrator,” press release no. 14-584, June 2, 2014, https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware; Andy Greenberg, “Cops Disrupt Emotet, the Internet’s ‘Most Dangerous Malware,’” Wired, January 27, 2021, https://www.wired.com/story/emotet-botnet-takedown/.
- 97. U.S. Department of Treasury, “U.S. Department of the Treasury Announces Partnership With Israel to Combat Ransomware,” press release, November 14, 2021, https://home.treasury.gov/news/press-releases/jy0479.
- 98. Jonathan Hillman, The Digital Silk Road: China’s Quest to Wire the World and Win the Future (New York: HarperCollins, 2021); Council on Foreign Relations, China’s Belt and Road: Implications for the United States (New York: Council on Foreign Relations, 2021).
- 99. U.S. Cyberspace Solarium Commission, A Warning From Tomorrow.
- 100. “US, Australia and Japan to Fund Undersea Cable in the Pacific,” Reuters, December 11, 2021, https://www.voanews.com/a/us-australia-and-japan-to-fund-undersea-cable-in-the-pacific/6350792.html.
- 101. Annie Njanja, “Google Confirms $1B Investment Into Africa, Including Subsea Cable for Faster Internet,” TechCrunch, October 6, 2021, https://techcrunch.com/2021/10/06/google-confirms-1b-investment-into-africa-including-subsea-cable-for-faster-internet.
- 102. “CISA Director Says the LOG4J Security Flaw Is the ‘Most Serious’ She’s Seen in Her Career,” CNBC, December 16, 2021, https://www.cnbc.com/video/2021/12/16/cisa-director-says-the-log4j-security-flaw-is-the-most-serious-shes-seen-in-her-career.html.
- 103. Derek Johnson, “Chinese APT Leveraged Zero Days—Including Log4j—to Compromise U.S. State Governments,” SC Magazine, March 8, 2022, https://www.scmagazine.com/analysis/apt/chinese-apt-leveraged-zero-days-including-log4j-to-compromise-u-s-state-governments.
- 104. White House, “Readout of White House Meeting on Software Security,” January 13, 2022, https://www.whitehouse.gov/briefing-room/statements-releases/2022/01/13/readout-of-white-house-meeting-on-software-security.
- 105. Schmidt, Work, et al., Final Report.
- 106. White House, “Readout of AUKUS Joint Steering Group Meetings,” December 17, 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/12/17/readout-of-aukus-joint-steering-group-meetings.
Balance Targeted Pressure, Disruptive Cyber Operations, and Pragmatic Norms
Norms are difficult to perpetuate and easily abandoned. Nonetheless, as this American-driven coalition develops, Washington and its partners should declare a set of norms that they will allow to constrain their cyber operations. The United States should also discuss a set of understandings with potential adversaries, China and Russia in particular. These restraints are motivated in part by self-interest, as they could help prevent unintended and catastrophic outcomes. U.S. policymakers should, however, make clear that this self-restraint will guide U.S. operations above the threshold for the use of force or armed attack, and that for operations below the threshold, the United States will continue to adopt a more proactive, initiative-seizing posture.
The United States should declare norms against destructive attacks on election and financial systems.
After consultation with allies and friends, Washington should announce an initial set of standards for self-restraint in cyberspace. Along with repeating commitments to abide by international law— including international humanitarian law and the laws of armed conflict—officials should state that the United States will refrain from destructive attacks on election infrastructure and the international financial system.
Across the world, more countries are relying on digital infrastructure to manage elections. During the 2016 election, according to U.S. intelligence reports, the Russian government directed cyber activity targeted at state election infrastructure, though there was no evidence that any votes were changed. Scanning election infrastructure was the most widespread activity, and Russian hackers successfully gained access to and removed data from infrastructure in two states. Russian operators also conducted operations against a widely used vendor of election systems. In January 2017, the U.S. Department of Homeland Security designated election systems as critical infrastructure, bringing them under the protection of the federal government.107
The United States and its partners should promote a norm regarding disruptive attacks against election infrastructure, banning efforts to disrupt voter registration, voting machines, vote counting, and election announcements. It should work with coalition partners to prevent, mitigate, and, when necessary, respond to destructive attacks on election infrastructure.
The global financial system is highly interconnected and depends on trust. Cyber operations directed at the integrity of any one part of the system could cascade into others, threatening the entire system and international stability. Washington should declare that it will not conduct operations against the integrity of the data of financial institutions and the availability of critical financial systems.108
Given that norms exert a weak limit on state actions in cyberspace, the United States and its partners should be prepared for their violation by increasing the resilience and redundancy of these critical systems. Financial institutions should regularly run exercises to restore the integrity of data after a cyberattack. The declaration of these norms, however, signals that these types of attacks will be considered off limits and will mobilize coalition partners to respond quickly if the norm is violated.
Negotiate with adversaries to establish limits on cyber operations directed at nuclear command, control, and communication systems.
Although bilateral and multilateral discussions on norms have so far been of limited use, the United States has a strong shared interest in working with potential adversaries to prevent cyberattacks from worsening or creating a nuclear crisis.
During a conventional conflict, states could be tempted to use cyberattacks to try to neutralize nuclear threats. These actions, however, would be highly destabilizing. Cyberattacks on
These risks are rising as modern
The United States should enter into discussions with China and Russia about limiting all types of cyber operations against
In the wake of the Russian invasion of Ukraine and the growing geopolitical competition between the United States and China, the spaces for cooperation between Washington and Moscow and Washington and Beijing are extremely narrow. Declarations of self-restraint can function as confidence-building measures, perhaps bridging the trust gap. However, previous instances of cooperation in cyberspace—the 2015 U.S.-China cyber espionage agreement or the joint Russian-U.S. investigations of online credit card theft in the mid-1990s—coincided with more amicable periods in the larger bilateral relationship.111 U.S. policymakers should make clear that they are entering discussions with their Chinese and Russian counterparts because understandings on cyber operations and nuclear command and control are a shared interest among the three powers in preventing catastrophic outcomes.
U.S. policymakers should also be prepared to fail in bilateral negotiations and to continue unilateral measures of risk reduction. These include making
Develop coalition-wide practices for the Vulnerabilities Equities Process.
When the U.S. intelligence community, law enforcement agencies, or other government actors discover a zero-day vulnerability, they face a decision of whether to disclose the vulnerability to the private sector or keep the vulnerability secret to facilitate future offensive capabilities. In addition, zero days can be bought and sold in certain markets, some legal, others underground.113 Disclosing to industry can result in timely patching and bolster national and personal security. Retaining and using the vulnerabilities can benefit national security through intelligence gathering and disrupted adversary operations.
The
A 2008 presidential directive established what became the Vulnerabilities Equities Process, an interagency procedure the U.S. government uses to decide whether to disclose vulnerabilities or hold them for potential offensive operations. A U.S. official stated that the government’s bias is toward disclosure and explained that the process attempts to determine the extent to which the vulnerability is in use, how useful it is, how likely it is to be discovered, how damaging it would be in adversarial hands, whether another government has access to it, and whether it can be patched.115
The
The
As its adversaries rely more heavily on zero-day attacks, the United States should reprioritize cyber defense and encourage partners to develop similar processes.117 As a result of American leadership, Australia, Canada, and the United Kingdom publicly released their equities processes. The Netherlands announced that it has put a
Adopt greater transparency about defend forward actions.
U.S. and partner statements about self-restraint around a set of targets should be part of a more proactive strategy to disrupt and mitigate adversarial cyber operations below the level of armed conflict. This strategy includes Cyber Command’s persistent engagement as well as diplomatic, economic, and intelligence operations aiming to seize the initiative in cyberspace. In effect, the United States should develop a broad effort to erode adversarial capabilities, making them less effective by taking out infrastructure; exposing tools; and creating political, diplomatic, and economic pressure on finances, authorities, and leadership.
Proactive measures can take different forms. In October 2020, Cyber Command hacked the command and control servers to cut off TrickBot, the world’s largest criminal botnet, briefly slowing its operations. This activity was followed by efforts to disrupt TrickBot by private companies including Microsoft, ESET, Symantec, and Lumen Technologies.119
U.S. policymakers should consider not only deploying cyber capabilities in advance of, and even during, future conflicts but also messaging clearly and publicly that those forces are active. One of the reasons cyber operations appear not to have influenced the beginning stages of the Russia-Ukraine war could be the preemptive deployment of
Washington’s strategy of proactive transparency and information sharing in the early days of the Russia-Ukraine war, even with tightly held intelligence, is another successful example of seizing the initiative. In the days before the invasion, Washington provided specific information about possible false flag operations, troop positions, and coup attempts. These efforts not only gave the United States first-mover advantages in the information space but also forced Russia to react to and consider its own intelligence weaknesses.121
Hold states accountable for malicious activity emanating from their territory.
The power of nonstate actors seeking to antagonize the U.S. government and private sector has grown dramatically in recent decades. Much as states across the globe cracked down on foreign safe havens for terrorists, yet recognizing some important differences, the United States and its partners should take a tough stance against states that deliberately provide cybercriminal safe havens.
Many states agree that a state's turning a blind eye to highly damaging cybercriminal activity emanating from its territory would breach an international legal duty, such that proportionate countermeasures could be allowable.122 To address the problem of states that actively harbor cybercriminals or ignore third parties using their digital infrastructure in offensive and criminal campaigns, the United States and its coalition partners could set a policy, similar to the response to international terrorism, that they will hold accountable any states that provide safe havens or do not cooperate in the takedown of criminal infrastructure or in law enforcement investigations, arrests, and extradition. Washington should exert diplomatic and economic pressure, but under certain circumstances could also reserve the right to take action against infrastructure used by these groups if the countries hosting it will not do so.
- 107. Director of National Intelligence, “Assessing Russian Activities and Intentions in Recent US Elections,” January 6, 2017, https://www.dni.gov/files/documents/ICA_2017_01.pdf; Select Comm. on Intelligence, Russian Active Measures Campaigns and Interference in the 2016 U.S. Election, S. Rep. No. 116-XX, vol. 1 (2019), https://www.intelligence.senate.gov/sites/default/files/documents/Report_Volume1.pdf; Department of Homeland Security, “Statement by Secretary Jeh Johnson on the Designation of Election Infrastructure as a Critical Infrastructure Subsector,” January 6, 2017, https://www.dhs.gov/news/2017/01/06/statement-secretary-johnson-designation-election-infrastructure-critical.
- 108. Michael Schmitt and Tim Maurer, “Protecting Financial Data in Cyberspace: Precedent for Further Progress on Cyber Norms?,” Just Security, August 24, 2017, https://www.justsecurity.org/44411/protecting-financial-data-cyberspace-precedent-progress-cyber-norms/; Tim Maurer, Ariel Levite, and George Perkovich, “Toward a Global Norm Against Manipulating the Integrity of Financial Data,” Carnegie White Paper, March 27, 2021, https://carnegieendowment.org/2017/03/27/toward-global-normagainst-manipulating-integrity-of-financial-data-pub-68403.
- 109. Sarah Kreps and Jacquelyn Schneider, “Escalation Firebreaks in the Cyber, Conventional, and Nuclear Domains: Moving Beyond Effects-Based Logics,” Journal of Cybersecurity 5, no. 1 (2019); Page O. Stoutland and Samantha Pitts-Kiefer, Nuclear Weapons in the New Cyber Age: Report of Cyber-Nuclear Weapons Study Group, Nuclear Threat Initiative, September 2018; James M. Acton, “Cyber Warfare & Inadvertent Escalation,” Daedalus 149, no. 2 (2020): 133–49.
- 110. Arms Control Association, “U.S. Nuclear Modernization Programs,” last updated January 2022, https://www.armscontrol.org/factsheets/USNuclearModernization; Erin D. Dumbacher and Page O. Stoutland, “U.S. Nuclear Weapons Modernization Security and Policy Implications of Integrating Digital Technology,” Nuclear Threat Initiative, November 2020, https://media.nti.org/documents/NTI_Modernization2020_FNL-web.pdf.
- 111. Kim Zetter, “When Russia Helped the U.S. Nab Cybercriminals,” Zero Day, November 30, 2021, https://zetter.substack.com/p/when-russia-helped-the-us-nab-cybercriminals.
- 112. James M. Acton, “Cyber Warfare & Inadvertent Escalation”; Rebecca K.C. Hersman, Eric Brewer, and Suzanne Claeys, “NC3: Challenges Facing the Future System,” Center for International and Strategic Studies, July 9, 2020, https://www.csis.org/analysis/nc3-challenges-facing-future-system; George Perkovich and Ariel Levite, “How Cyber Ops Increase the Risk of Accidental Nuclear War,” DefenseOne, April 21, 2021, https://www.defenseone.com/ideas/2021/04/how-cyber-ops-increase-risk-accidental-nuclear-war/173523/.
- 113. Nicole Perlroth, This is How They Tell Me the World Ends: The Cyber Weapons Arms Race (New York: Bloomsbury, 2021).
- 114. Ellen Nakashima and Craig Timberg, “NSA Officials Worried About the Day Its Potent Hacking Tool Would Get Loose. Then It Did,” Washington Post, May 16, 2017, https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16…
- 115. Ari Schwartz and Rob Knake, Government’s Role in Vulnerability Disclosure: Creating a Permanent and Accountable Vulnerabilities Equities Process (Cambridge, MA: Belfer Center, 2016); Michael Daniel, “Heartbleed: Understanding When We Disclose Cyber Vulnerabilities,” White House Blog, April 28, 2014, https://obamawhitehouse.archives.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities.
- 116. China’s Capabilities for State-Sponsored Cyber Espionage: Testimony Before the U.S.-China Economic and Security Review Commission, 117th Cong. (February 17, 2022) (statement of Kelli Vanderlee, Senior Manager, Strategic Analysis, Mandiant Threat Intelligence); Zeyi Yang, “Beijing Punishes Alibaba for Not Reporting Log4j Loophole Fast Enough,” Protocol, December 22, 2021.
- 117. Lily Hay Newman, “Hackers Are Getting Caught Exploiting New Bugs More Than Ever,” Wired, April 21, 2022, https://www.wired.com/story/zero-day-exploits-vulnerabilities-google-mandiant/.
- 118. Australian Signals Directorate, “Responsible Release Principles for Cyber Security Vulnerabilities,” accessed May 20, 2022, https://www.asd.gov.au/responsible-release-principles-cyber-security-vulnerabilities; Communication Security Establishment, “CSE’s Equities Management Framework,” last updated March 11, 2019, https://cse-cst.gc.ca/en/information-and-resources/announcements/cses-equities-management-framework; National Cyber Security Centre, “Equities Process,” November 29, 2018, https://www.ncsc.gov.uk/blog-post/equities-process; Marietje Schaake, Software Vulnerability Disclosure in Europe: Technology, Policies, and Legal Challenges (Brussels: CEPS, 2018), https://www.ceps.eu/ceps-publications/software-vulnerability-disclosure-europe-technology-policies-and-legal-challenges/.
- 119. Ellen Nakashima, “Cyber Command Has Sought To Disrupt the World’s Largest Botnet, Hoping To Reduce Its Potential Impact on the Election,” Washington Post, October 9, 2020, https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html; Andy Greenberg, “A Trickbot Assault Shows US Military Hackers’ Growing Reach,” Wired, October 14, 2020, https://www.wired.com/story/cyber-command-hackers-trickbot-botnet-precedent/.
- 120. Ines Kagubare, “U.S., EU Cyber Investments in Ukraine Pay Off Amid War,” The Hill, March 13, 2022, https://thehill.com/policy/technology/597921-us-eu-cyber-investments-in-ukraine-pay-off-amid-war/.
- 121. Amy Zegart, “The Weapon the West Used Against Putin,” The Atlantic, March 5, 2022, https://www.theatlantic.com/ideas/archive/2022/03/russia-ukraine-invasion-classifiedintelligence/626557.
- 122. Michael Schmitt, “Three International Law Rules for Responding Effectively to Cyber Operations,” Just Security, July 13, 2021, https://www.justsecurity.org/77402/three-international-law-rules-for-responding-effectively-to-hostile-cyber-operations.
Get the U.S. House In Order
The third pillar of a realistic cyber policy is focused on actions the United States should take at home. As noted earlier, a range of domestic policies would improve U.S. cyber defenses, such as reporting laws and information sharing that are beyond the scope of this Task Force. However, given the integral relationship of these measures to U.S. foreign policy, the report highlights the need to make digital competition part of national security strategy, to clean up the U.S. internet, to address the intelligence gap, and to bolster cyber and technical talent.
Make digital competition a pillar of the national security strategy.
The last three published White House national security strategies have addressed cybersecurity matters. The Biden administration’s forthcoming recommendations should go further by recognizing that cyberspace is now one of the indisputably central domains in which the United States competes with its adversaries. This competition is taking place on multiple levels: intelligence collection, disinformation, criminal activity, military action, and, most important, economics.
The national security strategy should include digital competition as one of its main pillars. It should acknowledge that the leverage the United States has to punish bad actors will often lie outside the cyber domain. Cybersecurity challenges, offensive and defensive, will never be addressed solely in the digital realm; they will require nontechnical, political, diplomatic, military, and economic measures.123 Any successful cyber strategy will therefore necessarily mirror a successful foreign policy. The United States should build coalitions and lead by example as it attempts to reinforce a rules-based international order. It should develop the tools and capabilities needed for dealing with inevitable failures and setbacks. In effect, the National Security Council should coordinate a cross-domain, mutually reinforcing strategy that disrupts, discloses, and contests malicious cyberspace behavior. On the other side of the ledger, cyber capabilities should be added to the list of tools the United States can bring to bear in the international arena. Cyber should be part of the diplomatic, intelligence, military, and economic paradigm.
The national security strategy would prompt subordinate strategy documents on how the U.S. government will address various aspects of cybersecurity. These documents, however, are no substitute for making cyber central to the national security strategy. The importance of the national security strategy for setting budget and agency priorities cannot be overstated.
Clean up U.S. cyberspace by offering incentives for ISPs and cloud providers to reduce malicious activity within their infrastructure.
A doctrine of holding other states accountable could invite other countries to target U.S. infrastructure. In most offensive campaigns, the intermediate infrastructure is often U.S. infrastructure that has either been compromised or purchased. At present, U.S. internet service providers are considered common carriers that are simply passing along bits regardless of whether their network traffic is malicious.
Despite examples of the FBI deleting malware from infected U.S. systems, such as a recent effort to remove malware developed by China’s Ministry of State Security, this capability is not regularly used.124 Additional updates to the Federal Rules of Criminal Procedure would allow for stronger, faster mechanisms for notice and takedown of malicious activity. The United States should improve its ability to detect malicious foreign activity overseas and increase the speed with which that information is shared with targeted companies and federal law enforcement. Further, Washington should strengthen “know your customer” requirements.
Address the domestic intelligence gap.
This report focuses on American global interests in cyberspace, but a comprehensive U.S. government response to alleviate the threat from a multitude of actors has a domestic component as well. The
These reforms are necessary, but U.S. policy should be unequivocal that the government is not seeking the authority for the
Promote the exchange of and collaboration among talent from trusted partners.
The United States and its partners face a severe shortage of cyber and technical expertise. According to the National Institute of Standards and Technology, the global shortage of cybersecurity professionals is estimated to be 2.72 million.125 Washington has much to do at home to address the talent gap, including new programs to attract and retain talent in the public sector with competitive salaries, efforts to recruit from minority-serving institutions and military associations, the revision of immigration rules, and the promotion of a welcoming environment for foreign students and researchers in the United States. Nevertheless, Washington should also use talent exchanges and development programs to draw coalition partners more closely together. The United States will need to invest in the next generation of people-to-people connections.
As part of its Indo-Pacific strategy, for example, the Biden administration announced a new Quad fellowship program that will support graduate studies of American, Australian, Indian, and Japanese students in STEM (science, technology, engineering, and mathematics) fields.126 A new Quad cybersecurity fellowship, funded by the participating governments and the private sector, will not only bring fellows together twice a year to address “wicked problems” in information security, but also place fellows in short-term postings in the public or private sector outside of their home countries.
Washington should also facilitate talent exchanges and research collaboration among a larger number of trusted partners by convening workshops among information security researchers, fostering networks of cybersecurity experts, and coordinating with the private sector on cybersecurity workforce training. A U.S. Cybersecurity Training Institute, modeled on the U.S. Telecommunication Training Institute, could bring officials from developing countries to the United States for tuition-free training in cybersecurity technologies and best practices.
Develop expertise for cyber foreign policy.
Over the last five years, the military and intelligence agencies have often, with understandable reason, taken leadership roles in cyberspace. Washington needs now to strengthen its diplomatic influence in cyberspace. The United States was initially the leader in cyber diplomacy, establishing the office of the cyber coordinator in 2011. Other countries quickly followed suit, institutionalizing and expanding the role, while the cyber coordinator office was eliminated in a 2017 State Department reorganization. The idea for a new office in the State Department had bipartisan support on the Hill but did not come to fruition until April 2022, when Secretary of State Antony Blinken announced the creation of the Bureau of Cyberspace and Digital Policy.127
Establishing a State Department cyber bureau as well as appointing a cyber ambassador and special envoy for emerging technology are important first steps in placing State back in the lead in tech diplomacy, strengthening the department in the interagency process, and ensuring that the United States has the technical competencies needed to supplement the traditional methods and processes of diplomacy and trade. The Biden administration is reportedly considering allowing the State Department greater ability to monitor and weigh in on third-party notifications, decisions on when and how the U.S. government notifies others if the United States plans to enter their cyberspace to disrupt adversaries.128 Such a move would clearly strengthen the bureau’s role in the interagency process as well as in its interaction with diplomatic partners.
Within the State Department, familiarity and experience with digital and cyber issues should be considered central to career development. Just as joint-service education and experience are now required for promotion in the military, all Foreign Service officers, not just those in the cyber bureau, should spend time working on digital and cyber topics. Career Foreign Service officers up for an ambassadorial appointment should have done a tour in one of several tech roles at the department or across the U.S. government. The State Department should work with the private sector and academia to develop training programs for government officials to build expertise and understanding in cyber-related topics. The department should also look to personnel on loan from tech firms or academic institutions who can join a cyber diplomacy team for a short period and support its mission.
Cyber diplomacy requires a government-wide approach. The government, business, and academia, therefore, need to do more to build expertise on cyber-related issues across the public and private sectors. Higher education institutions should provide cybersecurity students with more real-world experience through internships, capstones, and co-ops. Universities should require computer science majors to take at least one class in cybersecurity and broaden cybersecurity programs beyond one department, facilitating inclusion from multiple departments. This would expose cybersecurity students to the domain-specific knowledge required in the workplace, and it would show business, law, engineering, and political science students how cybersecurity is relevant to their fields.
In addition, colleges and universities, as well as high schools, should add introductory computer science as a requirement for graduation. Some states already are making this change for high schools. The objective is to spur interest and basic understanding in the technological language that is reshaping the world and to expand the talent pool. In 2020, the Senate had just three engineers. The policymakers of tomorrow cannot make good cyber policy if they have no understanding of the basics of computer science. Business, academia, and the government should also cooperate to create and fund a White House fellowship for tech talent. Each cohort would tie business and the tech sector closer together as the fellows move along their careers.129
- 123. Dmitri Alperovitch, “The Case for Cyber Realism,” Foreign Affairs, December 14, 2021, https://www.foreignaffairs.com/articles/united-states/2021-12-14/case-cyber-realism.
- 124. Danny Palmer, “The FBI Removed Hacker Backdoors From Vulnerable Microsoft Exchange Servers. Not Everyone Likes the Idea,” ZDNet, April 19, 2021, https://www.zdnet.com/article/the-fbi-removed-hacker-backdoors-from-vulnerable-microsoft-exchange-servers-not-everyone-likes-the-idea/.
- 125. National Initiative for Cybersecurity Education, “Cybersecurity Workforce Demand,” accessed May 20, 2022, https://www.nist.gov/document/workforcedemandonepager2021finalpdf.
- 126. White House, “Indo-Pacific Strategy of the United States,” February 2022, https://www.whitehouse.gov/wp-content/uploads/2022/02/U.S.-Indo-Pacific-Strategy.pdf.
- 127. Patrick Howell O’Neill, “Tillerson to Officially Eliminate Cyber Coordinator Office,” CyberScoop, August 29, 2017, https://www.cyberscoop.com/state-department-cyber-office-eliminated-rex-tillerson/; State Department, Establishment of the Bureau of Cyberspace and Digital Policy, April 4, 2022, https://www.state.gov/establishment-of-the-bureau-of-cyberspace-and-digital-policy/.
- 128. Suzanne Smalley, “State to Gain More Ability to Monitor DOD Cyber Ops Under White House Agreement,” CyberScoop, May 10, 2022, https://www.cyberscoop.com/state-to-gain-authorities-to-monitor-dod-cyber-ops-under-new-white-house-agreement/.
- 129. Kevin Childs and Amy Zegart, “The Divide Between Silicon Valley and Washington Is a National-Security Threat,” The Atlantic, December 13, 2018, https://www.theatlantic.com/ideas/archive/2018/12/growing-gulf-between-silicon-valley-andwashington/577963.
Conclusion
A modified U.S. cyber strategy will be more limited, more realistic, and more likely to succeed in achieving critical but finite goals. It would not seek for other countries to embrace an American definition of democracy or free speech, but rather secure a commitment to build the domestic capacities to ensure the trusted flow of data. Although a modified strategy assumes that the United States will more proactively use cyber and non-cyber tools to disrupt cyberattacks and that norms are more useful in binding friends and allies together than in constraining adversaries, the strategy also takes into account that the major cyber powers share some interests in preventing certain types of destructive and disruptive attacks.
A modified U.S. strategy needs to overcome two major challenges.
First is the failure to bridge the cybersecurity and commercial divide with Europe. Policymakers in Washington and Brussels increasingly see the need for a strong transatlantic partnership in response to Beijing’s and Moscow’s assertiveness in cyberspace. The drive for technological autonomy and data localization in Europe, however, could make it difficult to convert a shared perception of the rising threat of cyberspace into expeditious action. A more realistic cyber policy would allow the United States more flexibility. If it fails to make progress with Europe, Washington could pivot to other digital powers such as India, Japan, Singapore, and South Korea in pursuit of the same policy goals.
Second is domestic inaction. The United States needs to move quickly on many issues, particularly domestic privacy legislation and developing cyber expertise for foreign policy practitioners. Most important, policymakers need to recognize the urgency of cyber and digital action. Failing to act now will significantly threaten U.S. security and economic interests in the future.
The policies of the last thirty years were rooted in American history and values. But that approach failed to prevent the internet from becoming a more fragmented and dangerous ecosystem. It is increasingly difficult for the United States to maneuver, while adversaries develop and implement comprehensive strategies for projecting power through, and exerting influence over, cyberspace. It is time for a more realistic U.S. cyber policy that consolidates a coalition of allies and friends around the principle of the trusted and secure flow of data, matches more assertive efforts to disrupt cyber operations with clear statements about self-imposed restraint, and prioritizes digital competition in national security strategies.