Confronting Reality in Cyberspace

Confronting Reality in Cyberspace: Foreign Policy for a Fragmented Internet
Updated July 2022

The internet today is more fragmented, less free, and more dangerous than it was at its emergence. The threats in cyberspace continue to grow, and cybercriminals and other proxy actors are a rising challenge to national security. Adversaries are developing comprehensive strategies for cyberspace and making it more difficult for the United States to navigate in a domain of shadows and fierce threats. The United States needs the strategy, the structures, the talent, and the policies for sustained cooperation among the full array of bilateral and multilateral relationships, where digital issues are increasingly important.

A successful marrying of the United States’ foreign and cybersecurity policies should be built on three pillars: building a trusted internet coalition based on the free flow of data, balancing more pressure on adversaries with limited norms of restraint on cyber operations, and building capabilities at home.

The first step for the United States is to develop and sustain a coalition of states committed to the trusted flow of data. This will require Washington to reenter regional digital trade negotiations, negotiate with Brussels and others on privacy and government access to data, and offer incentives to other states to join the coalition through an international cybercrime center and cyber development assistance. In support of these efforts, the United States will also need to develop a coalition to promote the security of open-source software and work jointly to retain leadership in technologies critical to cyber strategy, such as AI, semiconductors, and quantum information sciences.


    Build a Trusted, Protected Internet Coalition

    The United States can do little to prevent authoritarian regimes from creating a separate network that reflects their values. It can, however, preserve and extend the economic and political values of an open internet among a self-selecting coalition. In addition, the United States and its allies will need to address security threats and provide economic and political inducements for states ambivalent about the costs and benefits of allowing a relatively free flow of data.

    Although many efforts are underway to bring together a consortium of partners that value preserving a trusted internet, they lack a cohesive center and incentives to move from words to action. Monitoring internet freedom through disparate approaches, promoting tools to avoid censorship, supporting the development of law enforcement capabilities, and creating mechanisms to address cross-border cybercrime have yielded marginal results but do not provide a larger architecture for U.S. policy.

    The United States has an opportunity to lead a cohort of nations committed to a shared concept of the internet. Many have argued that the organizing principle of this grouping should be a coalition of democracies that comes together to preserve and extend the value of an open internet.87 Though the signatories of the 2022 Declaration of the Future of the Internet say they will “work toward an environment that reinforces our democratic systems and promotes active participation of every citizen in democratic processes,” the alliance is not explicitly a democratic one. Still in its early stage, the declaration appears too exclusive to form a counterweight to China and Russia, and many important potential partners appear reluctant to join. Most of the signers are in Europe; significant holdouts include Brazil, India, Indonesia, and South Africa.

    Making digital trade central to a cyber coalition—instead of a vague definition of democracy or the promotion of unachievable aspiration—would draw more states into the partnership. Being part of a digital trade bloc that includes, for example, the United States, Japan, South Korea, and Europe could be enough incentive to draw Brazil and India into the fold, particularly if it also includes hardware and outsourced information technology (IT) services. Jointly, the coalition could develop a common understanding on the legitimate use of government surveillance, law enforcement access to data, and industrial policies; share best practices on technology regulation; work to forge a trusted supply chain for digital goods and services; and coordinate on international standards.

    Joining the coalition does not presuppose an absolute alignment on data privacy or localization policies. Rather, the grouping would build on shared data privacy values while recognizing the differences in domestic approaches to protecting data privacy. Coalition members would be required to develop and implement internet regulations guided by the rule of law, transparency, and accountability. Partners would agree to work cooperatively to address malicious cyber activity and refrain from carrying out malicious acts themselves. As former Japanese Prime Minister Shinzo Abe put it, the goal should be to establish “data flows with trust,” not to promote Western-style democracy.88 A confederated model of internet connectivity and trusted data flow could preserve for its members many of the same values and benefits of the World Wide Web.

    Build a digital trade agreement.

    The nations that build the next era of digital trade agreements will have a disproportionately significant influence on the future of the world economy. The United States and its partners need to seize this opportunity. The groundwork for this approach has been laid with the USMCA and with the revised KORUS agreement, which together provide a strong model for digital trade chapters and standalone digital trade agreements. In April 2022, the United States, along with Canada, Japan, the Philippines, Singapore, South Korea, and Taiwan, announced the creation of a Global Cross-Border Privacy Rules Forum to promote interoperability and bridge different regulatory approaches to data protection and privacy. The group, which is in principle open to the entry of other countries, will create an international certification system for private businesses transferring data based on privacy protection standards developed by the Asia-Pacific Economic Cooperation.89 Beyond the United States, Japan, Singapore, and the United Kingdom are leaders in promoting trusted cross-border data flows.

    Several agreements can serve as models, including the Economic Partnership Agreement between Japan and the European Union, as well as agreements between Japan and the United Kingdom, Singapore and the United Kingdom, and among Chile, New Zealand, and Singapore.90 These agreements broadly cover both the removal of tariffs on digital goods and the elimination of nontariff barriers to digital trade. Important shared attributes include:

    • ensuring the free flow of data across borders;

    • prohibiting localization requirements for computing facilities, cloud services, or data analysis motivated by anticompetitive or protectionist purposes; and

    • banning requirements to turn over source code, algorithms, or related intellectual property rights.

    New or expanded provisions should address concerns of workers and consumers, including those that promote digital inclusiveness, strengthen consumer confidence and trust, and protect personal information.

    The United States should lead the effort to build a digital agreement, perhaps using the Digital Economy Partnership Agreement among Chile, New Zealand, and Singapore as a starting point. A regional initiative that includes Australia, Chile, Japan, New Zealand, Singapore, and South Korea, among others, would be a market large enough to influence U.S. firms and a good place to start. It would signal a comprehensive approach rather than a piecemeal, bilateral one. And it would be large enough to draw important states such as India, Indonesia, and Malaysia.91

    Agree to and adopt a shared policy on digital privacy that is interoperable with Europe’s General Data Protection Regulation.

    Sparked by a steady stream of revelations of how technology platforms collect information and a deeper understanding of the dynamics of advertising and the internet economy, consumers around the world are more demanding of regulations that preserve and protect personal data. The United States, the European Union, and like-minded nations should forge a clear consensus on privacy goals.

    Efforts to pass comprehensive national domestic privacy legislation have been fitful and spanned more than twenty years. As of May 2022, California, Colorado, Connecticut, Utah, and Virginia have passed state privacy laws. These laws borrow terms, definitions, and procedures from the GDPR, which is increasingly a de facto global standard on the security and incident notification requirements for the storage of personal data. Australia, Brazil, Japan, and South Korea all modeled their privacy legislation on the GDPR.

    The GDPR is not perfect, however. Since it took effect in 2018, little action has been taken against Big Tech over its data collection practices. Compliance costs, especially for small businesses, can be burdensome. Endless pop-ups have created “consent fatigue” among users. It has also resulted in unintended restrictions on AI and blockchain use by businesses. Washington can learn from these shortcomings to make context-specific modifications.

    Washington should work with other members of the coalition to develop common privacy principles that are interoperable with the GDPR but require some compromises from Brussels. European policymakers have cloaked their actions in the language of privacy, but recent data localization requirements appear to be motivated by a desire for access to private information by local law enforcement authorities as well as economic protectionism against U.S. technology companies. The United States should offer a quid pro quo: in exchange for formally promoting GDPR-like principles by member states, European states would drop efforts to force data localization or to grant cybersecurity certifications only to European-owned organizations.

    Resolve outstanding issues on U.S.-EU data transfers.

    Another issue preventing closer coordination between the United States and Europe is access to data by law enforcement or national security agencies. U.S. officials have tried both to reassure Europeans that U.S. intelligence agencies are unlikely to collect data on ordinary citizens and to note that European intelligence and law enforcement agencies’ access to private data is often less constrained than that in the United States. The Court of Justice of the European Union has been unconvinced, and in the 2020 Schrems II decision, it invalidated the previously negotiated Privacy Shield agreement on necessary protections for transatlantic data transfers. The CJEU found that the protections offered by the United States were not “essentially equivalent” to those of the GDPR, and individuals in EU territory whose transferred personal data was obtained by U.S. intelligence agencies still did not enjoy “effective legal remedies” before an “independent and impartial court.” The CJEU also claimed U.S. surveillance laws lacked proportionality given that bulk collections could not ensure that surveillance occurred only when necessary to meet legitimate security interests.92 The two sides need to finalize a data transfer agreement.

    In March 2022, President Biden and European Commission President Ursula von der Leyen announced that the two sides had reached a new agreement on data flows. Washington would limit disproportionate signals intelligence collection, and European citizens would be able to appeal to an “independent Data Protection Review Court” if they felt their privacy had been violated. The U.S. commitment to the agreement will come through an executive order, which could be reversed by the next administration and is likely to face legal challenges from European privacy groups. The future of transatlantic data flows remains on uncertain legal ground.93

    As part of this coalition, member countries should agree to a set of practices for providing law enforcement access to the data of their citizens when it is held by another member government and for providing broad, robust, and transparent protections of the data of citizens from coalition partners. These regulations need both to be agreed to in treaty form and implemented in national laws. The U.S. CLOUD Act, under which the United States has signed agreements with Australia and the United Kingdom, could be a model for this purpose.94

    Passing a comprehensive privacy law would significantly respond to the EU’s concerns. The United States is already a participant in a discussion at the Organization for Economic Cooperation and Development (OECD) on comparative practices for law enforcement’s access to data. While signaling that their preference is a shared understanding with Brussels, U.S. policymakers should remind their European counterparts that Washington could take more assertive steps. If the two sides cannot agree on a new regime for data transfer, then the United States could suspend or revoke the measures it has already put in place to address EU concerns. The United States could also look to form common cause with Australia, Canada, and the United Kingdom, which also face the threat of an inadequacy determination from the European Union.95

    Create an international cybercrime center.

    To both expand digital trade and address malicious cyber activity, future digital trade agreements should require institutions that monitor for violations and coordinate action to punish transgressors. Such agreements should also include binding mechanisms for dispute resolution. Under this approach, standalone institutions could be created to fulfill these functions and then incorporated by reference into any new digital trade chapters or standalone trade agreements. An international crime center could both play this role and promote capacity-building measures among coalition partners.

    Operational cooperation between national law enforcement agencies is fragmented and immature, whereas cybercrime is globalized. To improve coordination on cybercrime, the coalition should develop a joint international cybercrime center with a clear focus on crime, not domestic intelligence. Mechanisms exist to coordinate action on law enforcement investigations and information sharing, such as Interpol and the European Cybercrime Centre, but no central, global clearinghouse is in place for requesting law enforcement assistance or supporting coordinated takedown activity for botnets (networks of computers infected with malware and controlled as a group without the owners’ knowledge). Currently, coordinated takedown actions require continual resourcing, and a new coalition is formed for each effort.

    In 2014, for example, the Gameover Zeus botnet takedown was made possible by FBI cooperation with law enforcement from Australia, Canada, France, Germany, Italy, Japan, the Netherlands, Ukraine, and others, as well as numerous companies including Dell SecureWorks, CrowdStrike, Microsoft, F-Secure, Level 3 Communications, McAfee, Symantec, Sophos, and Trend Micro. The 2021 takedown of the Emotet botnet involved similar partnerships.96 The operational effectiveness of these past ad hoc efforts needs to be institutionalized and routinized, and existing efforts coordinated by the National Cyber Forensics Training Alliance as well as bilateral efforts like the recently announced U.S.-Israeli task force on ransomware should be shifted to this center.97

    A new international cybercrime center would serve as a platform for continually pressuring cybercriminals and undermining the infrastructure they use to operate, including tracking and reclaiming cryptocurrency that funds criminal activity. It would be closely tied to financial regulators and host law enforcement agencies, civilian computer emergency response teams, internet service providers, cloud platforms, nongovernmental organizations, academia, and cybersecurity firms. Each member would be expected to provide support to the center, including analysis and planning capabilities. Nonmember states would be invited to provide a liaison to the center to coordinate law enforcement and takedown activities within their jurisdiction. The center should publicly have ties to offensive cyber units within member states to coordinate offensive action against criminal platforms when voluntary action, law enforcement, and diplomacy fail.

    Create a focused program for cyber aid and infrastructure development.

    A growing part of China’s ambitious Belt and Road Initiative (BRI) is focused on digital infrastructure. Beijing has identified 5G technology, smart cities, utilization of the Beidou satellite system, communication infrastructure, network connectivity, and telecommunications services as central areas of focus. It often offers BRI countries complete technology packages, including cloud services, mobile payments, smart cities, and social media applications from a combination of Chinese companies.98 The United States and its partners also need to address global demands for technology infrastructure.

    During the Trump administration, U.S. officials warned of the cybersecurity risks of relying on Chinese tech infrastructure, stressing the potential threats of data collection and disruption. Washington was less successful in providing alternatives to countries attracted by the cheaper prices and reliability of Chinese technology or developing a cybersecurity roadmap for those likely to adopt a mix of U.S. and Chinese hardware, software, and services. The United States and its coalition partners need to create funding mechanisms for the development of digital infrastructure. Congress should consolidate the State Department’s foreign assistance funding and add a new line for cyber capacity building in the State, Foreign Operations, and Related Programs appropriations legislation.99 This effort, however, needs to do more than provide an alternative source of funding. Business, government, and civil society groups should also partner to demonstrate how these technologies can be deployed to protect privacy and individual liberties.

    The coalition should be a competitor in the race to link the remaining 2.9 billion people without connectivity to the global internet. Special emphasis should be placed on the continued expansion of undersea cables, which can both blunt growing Chinese investments in this infrastructure and provide a more diverse network with fewer single points of failure for global internet communications. Planned investments by the United States, Australia, and Japan to connect a series of Pacific islands are a model of the actions the coalition should take.100 Australia has also invested in cables to connect to other island nations in the Indian Ocean. These investments, however, pale in comparison to those made by private-sector actors, notably Google, which has committed $1 billion to an undersea cable to connect several African nations to Europe.101 Private companies should take the lead in these initiatives, with the coalition providing support only when investments do not make financial sense to the private sector.

    The coalition and its private-sector partners should build, along with infrastructure projects, the capacity to counter malicious cyber activity. Efforts should not only target traditional areas of technical assistance, such as the development of laws to govern digital activity and law enforcement capability, but also build military and intelligence capabilities among allied states. These should include defensive and attribution tools, but potentially also offensive tools to act as a deterrent and raise the cost of interference for adversary states.

    Build a coalition for open-source software.

    Open-source software (i.e., software that is free and open to anyone to inspect and modify) is widely used and deployed in commercial as well as critical infrastructure and national security networks. Outside of major curated and supported projects, the code is often maintained by a small group of volunteers, with ad hoc, under-resourced efforts to sustain software security. Coalition partners should work together to develop and maintain open-source code, as well as ensure its security.

    In December 2021, a Chinese security researcher notified the Apache Software Foundation of a vulnerability in Log4J, widely used code that records and communicates diagnostic messages to system administrators and users. Log4J is almost everywhere in the software ecosystem. Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, called the vulnerability the most serious she had seen in her career.102 A large number of hackers scanned the internet to exploit the flaw, and the cybersecurity firm Mandiant found APT41, a group associated with the MSS, using Log4J to target U.S. state governments.103

    In response to Log4J, the White House quickly convened a group to discuss how to prevent security defects in open-source code, improve the process for finding defects and fixing them, and shorten the response time for distributing and implementing solutions.104 Open-source software is not inherently less secure than proprietary software. In fact, well-supported open-source products could be even more secure than their proprietary counterparts, given the participation of large communities of developers. Being well supported is the crucial factor. Two important elements of well-supported open-source products are incentives, such as bug bounties, for developers to find flaws and investment by the affected companies to accelerate the remediation of those flaws.

    The United States and its international partners should promote the adoption and promulgation of open standards among users, particularly by major technology providers. They should also work together to make the open standards process international, transparent, and fully aligned with cybersecurity objectives. The Linux Foundation, the Cloud Native Computing Foundation, and OpenTitan are all examples of bodies with transparent and consensus-driven processes. In addition, the coalition partners should support improvements in the security of open-source software through consortia such as the Open Source Security Foundation, a cross-industry collaboration that is developing security tools, best practices, and a software ecosystem for vulnerability disclosures.

    Work jointly across partners to retain technology superiority.

    Technology advantages that accrue over several years can ultimately prove evanescent. The United States and its allies need to increase investment in research in sectors that will be critical to cyber competition in the coming decade. Semiconductors, AI, quantum information, and data sciences are fields in which the United States cannot afford to fall behind. Congress should pass the Innovation and Competition Act/America Competes Act, which would increase investment in science and technology, provide $50 billion for semiconductor research and manufacturing, and invest in U.S. leadership in international standards organizations.

    It will not be enough to remain ahead in basic research. The United States and its allies will also need to lead in the identification, application, and evaluation of artificial intelligence and quantum computing to cyber and other national security challenges. As the final National Security Commission on Artificial Intelligence report recommends, the United States needs to establish trusted sources of materials and components for quantum computers, invest in the development of hybrid quantum-classical algorithms, and focus on the fielding of national security applications. Washington should also incentivize the private sector to invest in national security applications by announcing specific government-use cases of quantum computers.105

    Although most of the media attention paid to AUKUS, the trilateral security agreement among Australia, the United Kingdom, and the United States announced in September 2021, was on sharing nuclear submarine technology, the group will also focus on cyber capabilities, quantum technologies, and artificial intelligence.106 The Pentagon should also coordinate with its Australian and British counterparts on developing shared test, evaluation, validation, and verification infrastructure for artificial intelligence.

    The United States should announce a cybersecurity “grand challenge” for universities and private companies in its Quad partners (Australia, India, and Japan). In 2016, a powerful machine called Mayhem designed by a Pittsburgh company won the Cyber Grand Challenge, a cybersecurity competition held by the U.S. Defense Advanced Research Projects Agency. Mayhem won by automatically detecting, patching, and exploiting software security vulnerabilities, and the Pentagon now uses the technology in all military branches. The Quad announced in September 2021 initiatives to drive the adoption and implementation of shared cyber standards, develop secure software, and grow the tech workforce, but the group should also catalyze technological breakthroughs.

    In addition, Washington should build on its bilateral science and technology relationships. In April 2021, President Biden and former Japanese Prime Minister Yoshihide Suga launched the Competitiveness and Resilience Partnership and committed $4.5 billion to R&D on 5G, quantum computing, and artificial intelligence. Washington should similarly deepen funding pools on shared strategic priorities with Brussels, Canberra, London, and Seoul.

    Abbreviations used in this section:

    • 5G: fifth generation
    • AI: artificial intelligence
    • BRI: Belt and Road Initiative
    • CJEU: Court of Justice of the European Union
    • EU: European Union
    • GDPR: General Data Protection Regulation
    • KORUS: U.S.-Korea Free Trade Agreement
    • MSS: Ministry of State Security of China
    • USMCA: U.S.-Mexico-Canada Agreement

    Balance Targeted Pressure, Disruptive Cyber Operations, and Pragmatic Norms

    Norms are difficult to perpetuate and easily abandoned. Nonetheless, as this American-driven coalition develops, Washington and its partners should declare a set of norms that they will allow to constrain their cyber operations. The United States should also discuss a set of understandings with potential adversaries, China and Russia in particular. These restraints are motivated in part by self-interest, as they could help prevent unintended and catastrophic outcomes. U.S. policymakers should, however, make clear that this self-restraint will guide U.S. operations above the threshold for the use of force or armed attack, and that for operations below the threshold, the United States will continue to adopt a more proactive, initiative-seizing posture.

    The United States should declare norms against destructive attacks on election and financial systems.

    After consultation with allies and friends, Washington should announce an initial set of standards for self-restraint in cyberspace. Along with repeating commitments to abide by international law—including international humanitarian law and the laws of armed conflict—officials should state that the United States will refrain from destructive attacks on election infrastructure and the international financial system.

    Across the world, more countries are relying on digital infrastructure to manage elections. During the 2016 election, according to U.S. intelligence reports, the Russian government directed cyber activity targeted at state election infrastructure, though there was no evidence that any votes were changed. Scanning election infrastructure was the most widespread activity, and Russian hackers successfully gained access to and removed data from infrastructure in two states. Russian operators also conducted operations against a widely used vendor of election systems. In January 2017, the U.S. Department of Homeland Security designated election systems as critical infrastructure, bringing them under the protection of the federal government.107

    The United States and its partners should promote a norm regarding disruptive attacks against election infrastructure, banning efforts to disrupt voter registration, voting machines, vote counting, and election announcements. They should work with coalition partners to prevent, mitigate, and, when necessary, respond to destructive attacks on election infrastructure.

    The global financial system is highly interconnected and depends on trust. Cyber operations directed at the integrity of any one part of the system could cascade into others, threatening the entire system and international stability. Washington should declare that it will not conduct operations against the integrity of the data of financial institutions and the availability of critical financial systems.108

    Given that norms exert a weak limit on state actions in cyberspace, the United States and its partners should be prepared for their violation by increasing the resilience and redundancy of these critical systems. Financial institutions should regularly run exercises to restore the integrity of data after a cyberattack. The declaration of these norms, however, would signal that these types of attacks are considered off limits and would mobilize coalition partners quickly to respond if the norm is violated.

    Negotiate with adversaries to establish limits on cyber operations directed at nuclear command, control, and communication systems.

    Although bilateral and multilateral discussions on norms have so far been of limited use, the United States has a strong shared interest in working with potential adversaries to prevent cyberattacks from worsening or creating a nuclear crisis.

    During a conventional conflict, states could be tempted to use cyberattacks to try to neutralize nuclear threats. These actions, however, would be highly destabilizing. Cyberattacks on NC3 systems could lead to incentives for states to launch nuclear weapons preemptively if they feared that they could lose their second-strike capability. Intelligence gathering could be interpreted by the defender as efforts to degrade nuclear capabilities. Cyberattacks on nuclear systems could produce false warnings or miscalculations, interfere with communications or access to information vital to decisions about the use of nuclear weapons, and increase the risk of unauthorized use of a weapon.109 Cyberattacks on space assets involved in command and control would be equally destabilizing because of their close connections to assured second-strike capabilities.

    These risks are rising as modern NC3 systems come to depend more heavily on digital infrastructure. In a 2020 report, the Nuclear Threat Initiative found that “almost 9 out of 10 planned nuclear modernization programs involve at least some new digital components or upgrades.”110

    The United States should enter into discussions with China and Russia about limiting all types of cyber operations against NC3 systems on land and in space. In addition, participants in these discussions should commit to separating conventional from nuclear command and control systems as much as possible. Given that a cyber intrusion designed for espionage could look identical to an offensive operation, all sides have a strong interest in prohibiting all types of operations to prevent miscalculation that could lead to a nuclear strike.

    In the wake of the Russian invasion of Ukraine and the growing geopolitical competition between the United States and China, the spaces for cooperation between Washington and Moscow and Washington and Beijing are extremely narrow. Declarations of self-restraint can function as confidence-building measures, perhaps bridging the trust gap. However, previous instances of cooperation in cyberspace—the 2015 U.S.-China cyber espionage agreement or the joint Russian-U.S. investigations of online credit card theft in the mid-1990s—coincided with more amicable periods in the larger bilateral relationship.111 U.S. policymakers should make clear that they are entering discussions with their Chinese and Russian counterparts because understandings on cyber operations and nuclear command and control are a shared interest among the three powers in preventing catastrophic outcomes. 

    U.S. policymakers should also be prepared to fail in bilateral negotiations and to continue unilateral measures of risk reduction. These include making NC3 structures less exposed to incidental cyberattacks and more resilient if they are attacked, as well as preparing NC3 systems to operate under information warfare, including the ability to authenticate the information on which launch decisions rely. Policymakers will also need to ensure that the internal processes for deciding whether to proceed with a potentially escalatory cyber operation are robust enough to clearly weigh the strategic risks against the intelligence and military benefits.112

    Develop coalition-wide practices for the Vulnerabilities Equities Process.

    When the U.S. intelligence community, law enforcement agencies, or other government actors discover a zero-day vulnerability, they face a decision: disclose the vulnerability to the vendor so it can be fixed, or keep it secret to preserve future offensive capabilities. In addition, zero days can be bought and sold in certain markets, some legal, others underground.113 Disclosing to industry can result in timely patching and bolster national and personal security. Retaining and using the vulnerabilities can benefit national security through intelligence gathering and the disruption of adversary operations.

    The NSA, for example, reportedly developed an exploit known as EternalBlue for a vulnerability in Microsoft Windows. Even though some U.S. officials allegedly wanted to reveal the vulnerability to the company, the NSA used the tool for more than five years.114 The exploit, however, was eventually stolen and leaked, and it was repurposed to become the basis of WannaCry, the North Korean ransomware attack that spread across the globe, and NotPetya, a Russian cyberattack against Ukraine that boomeranged around the world, hitting conglomerates such as Maersk, Merck, Mondelez, and Pfizer, and became the most costly cyberattack to date. Microsoft had released a patch for the vulnerability (MS17-010) in March 2017, two months before WannaCry, so both attacks also illustrate how much damage unpatched systems invite. Washington has led in the development of the process to evaluate when to share vulnerabilities with the private sector, and it should help expand the process to its coalition partners.

    A 2008 presidential directive established what became the Vulnerabilities Equities Process, an interagency procedure the U.S. government uses to decide whether to disclose vulnerabilities or hold them for potential offensive operations. A U.S. official stated that the government’s bias is toward disclosure and explained that the process attempts to determine the extent to which the vulnerability is in use, how useful it is, how likely it is to be discovered, how damaging it would be in adversarial hands, whether another government has access to it, and whether it can be patched.115

    The VEP periodically revisits undisclosed zero-day vulnerabilities to assess whether conditions have shifted toward disclosure. Over the last few years, the NSA has steadily increased the number of public disclosures and advisories. This should be further supported and will require additional funding.

    The VEP stands in sharp contrast to recent developments in China. Beijing banned Chinese security researchers from attending international hacking events and competitions (which they regularly won), and new regulations require all software security vulnerabilities to be reported to the government first. These regulations appear to have significantly improved Chinese offensive capabilities, as Chinese government hackers have moved from simpler methods to more powerful zero-day vulnerabilities. Aggressive Chinese assaults on American computer networks in 2021, for example, used zero-day vulnerabilities in Microsoft Exchange servers and Pulse Secure VPN appliances. A Chinese researcher at Alibaba did report the Log4j vulnerability to Apache, but the Ministry of Industry and Information Technology suspended cooperation with Alibaba Cloud for six months for not reporting it to the Chinese government first.116

    As its adversaries rely more heavily on zero-day attacks, the United States should reprioritize cyber defense and encourage partners to develop similar processes.117 As a result of American leadership, Australia, Canada, and the United Kingdom have publicly released their equities processes. The Netherlands has announced that it has put a VEP in place but has not released any details on the process.118 These countries should work together to help other coalition partners implement VEPs. In the past, intelligence agencies have not taken credit for zero-day disclosures to software makers. They stand to gain greater credibility with the private sector by claiming credit for these public disclosures. The United States and its allies should also conduct national awareness campaigns around the urgency of patching, given that critical systems still remain unpatched months, even years, after a patch becomes available.

    Adopt greater transparency about defend forward actions.

    U.S. and partner statements about self-restraint around a set of targets should be part of a more proactive strategy to disrupt and mitigate adversarial cyber operations below the level of armed conflict. This strategy includes Cyber Command’s persistent engagement as well as diplomatic, economic, and intelligence operations aiming to seize the initiative in cyberspace. In effect, the United States should develop a broad effort to erode adversarial capabilities, making them less effective by taking out infrastructure; exposing tools; and creating political, diplomatic, and economic pressure on finances, authorities, and leadership.

    Proactive measures can take different forms. In October 2020, Cyber Command disrupted the command-and-control servers of TrickBot, the world's largest criminal botnet, briefly slowing its operations. This activity was followed by efforts to disrupt TrickBot by private companies including Microsoft, ESET, Symantec, and Lumen Technologies.119

    U.S. policymakers should consider not only deploying cyber capabilities in advance of, and even during, future conflicts but also messaging clearly and publicly that those forces are active. One of the reasons cyber operations appear not to have influenced the beginning stages of the Russia-Ukraine war could be the preemptive deployment of CYBERCOM mission forces and EU cyber rapid response team experts to Ukraine to “hunt forward,” or to look for active cyber threats on critical infrastructure networks.120

    Washington’s strategy of proactive transparency and information sharing in the early days of the Russia-Ukraine war, even with tightly held intelligence, is another successful example of seizing the initiative. In the days before the invasion, Washington provided specific information about possible false flag operations, troop positions, and coup attempts. These efforts not only gave the United States first-mover advantages in the information space but also forced Russia to react to and consider its own intelligence weaknesses.121

    Hold states accountable for malicious activity emanating from their territory.

    The power of nonstate actors seeking to antagonize the U.S. government and private sector has grown dramatically in recent decades. Much as states across the globe cracked down on foreign safe havens for terrorists, the United States and its partners should take a tough stance against states that deliberately provide safe havens for cybercriminals, while recognizing some important differences between the two problems.

    Many states agree that a state turning a blind eye to highly damaging cybercriminal activity emanating from its territory would breach an international legal duty, such that proportionate countermeasures could be allowable.122 To address the problem of states that actively harbor cybercriminals or ignore third parties using their digital infrastructure in offensive and criminal campaigns, the United States and its coalition partners could set a policy, similar to the response to international terrorism, of holding accountable any state that provides safe havens or does not cooperate in the takedown of criminal infrastructure or in law enforcement investigations, arrests, and extradition. Washington should exert diplomatic and economic pressure, but under certain circumstances could also reserve the right to take action against infrastructure used by these groups if the countries hosting it will not do so.


    Get the U.S. House In Order

    The third pillar of a realistic cyber policy is focused on actions the United States should take at home. As noted earlier, a range of domestic policies, such as incident reporting laws and information sharing, would improve U.S. cyber defenses but are beyond the scope of this Task Force. However, given the integral relationship of these measures to U.S. foreign policy, the report highlights the need to make digital competition part of the national security strategy, to clean up the U.S. internet, to address the intelligence gap, and to bolster cyber and technical talent.

    Make digital competition a pillar of the national security strategy.

    The last three published White House national security strategies have addressed cybersecurity matters. The Biden administration’s forthcoming recommendations should go further by recognizing that cyberspace is now one of the indisputably central domains in which the United States competes with its adversaries. This competition is taking place on multiple levels: intelligence collection, disinformation, criminal activity, military action, and, most important, economics.

    The national security strategy should include digital competition as one of its main pillars. It should acknowledge that the leverage the United States has to punish bad actors will often lie outside the cyber domain. Cybersecurity challenges, offensive and defensive, will never be addressed solely in the digital realm; they will require nontechnical, political, diplomatic, military, and economic measures.123 Any successful cyber strategy will therefore necessarily mirror a successful foreign policy. The United States should build coalitions and lead by example as it attempts to reinforce a rules-based international order. It should develop the tools and capabilities needed for dealing with inevitable failures and setbacks. In effect, the National Security Council should coordinate a cross-domain, mutually reinforcing strategy that disrupts, discloses, and contests malicious cyberspace behavior. On the other side of the ledger, cyber capabilities should be added to the list of tools the United States can bring to bear in the international arena. Cyber should be part of the diplomatic, intelligence, military, and economic paradigm.

    The national security strategy would prompt subordinate strategy documents on how the U.S. government will address various aspects of cybersecurity. These documents, however, are no substitute for making cyber central to the national security strategy. The importance of the national security strategy for setting budget and agency priorities cannot be overstated.

    Clean up U.S. cyberspace by offering incentives for ISPs and cloud providers to reduce malicious activity within their infrastructure.

    A doctrine of holding other states accountable could invite other countries to target U.S. infrastructure. In most offensive campaigns, the intermediate infrastructure is U.S. infrastructure that has either been compromised or purchased. At present, U.S. internet service providers are treated in practice like common carriers that simply pass along bits regardless of whether their network traffic is malicious. ISPs have few incentives to clean up traffic and face significant legal and commercial risks if they choose to do so. Similarly, cloud providers today are routinely used to stage attacks and are treated as intermediate victims of the ultimate crime. They lack incentives and liability structures to reduce the weaponization of their technology. ISPs and cloud providers should be incentivized and encouraged to identify and reduce malicious activities occurring on or through their infrastructure.

    Despite examples of the FBI deleting malware from infected U.S. systems, such as a recent court-authorized effort to remove malware developed by China's Ministry of State Security, this capability is not regularly used.124 Additional updates to the Federal Rules of Criminal Procedure would allow for stronger, faster mechanisms for notice and takedown of malicious activity. The United States should improve its ability to detect malicious foreign activity overseas and increase the speed with which that information is shared with targeted companies and federal law enforcement. Further, Washington should strengthen "know your customer" requirements for infrastructure providers so that attackers cannot anonymously rent U.S. servers and cloud capacity.

    Address the domestic intelligence gap.

    This report focuses on American global interests in cyberspace, but a comprehensive U.S. government response to alleviate the threat from a multitude of actors has a domestic component as well. The NSA has the capability to detect many threats from overseas, but adversaries' use of U.S. infrastructure creates a blind spot in U.S. defenses, since the NSA is barred from collecting on domestic networks. Adversaries take advantage of the slow and bureaucratic processes for handing off NSA intelligence for follow-up by the FBI and other federal law enforcement agencies. The Department of Justice and Congress should work together to reform the process for seeking warrants to allow for "hot pursuit" in cyberspace.

    These reforms are necessary, but U.S. policy should be unequivocal that the government is not seeking the authority for the NSA or any other agency to have broad surveillance powers on the domestic internet. The U.S. government should not take over the protection of private-sector enterprise networks. Strengthening voluntary information sharing and incident reporting is likely the best approach to addressing the domestic intelligence gap.

    Promote the exchange of and collaboration among talent from trusted partners.

    The United States and its partners face a severe shortage of cyber and technical expertise. According to the National Institute of Standards and Technology, the global shortage of cybersecurity professionals is estimated to be 2.72 million.125 Washington has much to do at home to address the talent gap, including new programs to attract and retain talent in the public sector with competitive salaries, efforts to recruit from minority-serving institutions and military associations, the revision of immigration rules, and the promotion of a welcoming environment for foreign students and researchers in the United States. Nevertheless, Washington should also use talent exchanges and development programs to draw coalition partners more closely together. The United States will need to invest in the next generation of people-to-people connections.

    As part of its Indo-Pacific strategy, for example, the Biden administration announced a new Quad fellowship program that will support graduate studies of American, Australian, Indian, and Japanese students in STEM (science, technology, engineering, and mathematics) fields.126 A new Quad cybersecurity fellowship, funded by the participating governments and the private sector, will not only bring fellows together twice a year to address “wicked problems” in information security, but also place fellows in short-term postings in the public or private sector outside of their home countries.

    Washington should also facilitate talent exchanges and research collaboration among a larger number of trusted partners by convening workshops among information security researchers, fostering networks of cybersecurity experts, and coordinating with the private sector on cybersecurity workforce training. A U.S. Cybersecurity Training Institute, modeled on the U.S. Telecommunication Training Institute, could bring officials from developing countries to the United States for tuition-free training in cybersecurity technologies and best practices.

    Develop expertise for cyber foreign policy.

    Over the last five years, the military and intelligence agencies have often, with understandable reason, taken leadership roles in cyberspace. Washington needs now to strengthen its diplomatic influence in cyberspace. The United States was initially the leader in cyber diplomacy, establishing the office of the cyber coordinator in 2011. Other countries quickly followed suit, institutionalizing and expanding the role, while the cyber coordinator office was eliminated in a 2017 State Department reorganization. The idea for a new office in the State Department had bipartisan support on the Hill but did not come to fruition until April 2022, when Secretary of State Antony Blinken announced the creation of the Bureau of Cyberspace and Digital Policy.127

    Establishing a State Department cyber bureau as well as appointing a cyber ambassador and special envoy for emerging technology are important first steps in placing State back in the lead in tech diplomacy, strengthening the department in the interagency process, and ensuring that the United States has the technical competencies needed to supplement the traditional methods and processes of diplomacy and trade. The Biden administration is reportedly considering allowing the State Department greater ability to monitor and weigh in on third-party notifications, decisions on when and how the U.S. government notifies others if the United States plans to enter their cyberspace to disrupt adversaries.128 Such a move would clearly strengthen the bureau’s role in the interagency process as well as in its interaction with diplomatic partners.

    Within the State Department, familiarity and experience with digital and cyber issues should be considered central to career development. Just as joint-service education and experience are now required for promotion in the military, all Foreign Service officers, not just those in the cyber bureau, should spend time working on digital and cyber topics. Career Foreign Service officers up for an ambassadorial appointment should have done a tour in one of several tech roles at the department or across the U.S. government. The State Department should work with the private sector and academia to develop training programs for government officials to build expertise and understanding in cyber-related topics. The department should also look to personnel loans from tech firms or academic institutions who can join a cyber diplomacy team for a short period and support its mission.

    Cyber diplomacy requires a government-wide approach. Government, business, and academia therefore need to do more to build expertise on cyber-related issues across the public and private sectors. Higher education institutions should provide cybersecurity students with more real-world experience through internships, capstones, and co-ops. Universities should require computer science majors to take at least one class in cybersecurity and should broaden cybersecurity programs beyond a single department so that multiple departments contribute. This would expose cybersecurity students to the domain-specific knowledge required in the workplace, and expose business, law, engineering, and political science students to how cybersecurity is relevant to their fields.

    In addition, colleges and universities, as well as high schools, should add introductory computer science as a requirement for graduation. Some states already are making this change for high schools. The objective is to spur interest and basic understanding in the technological language that is reshaping the world and to expand the talent pool. In 2020, the Senate had just three engineers. The policymakers of tomorrow cannot make good cyber policy if they have no understanding of the basics of computer science. Business, academia, and the government should also cooperate to create and fund a White House fellowship for tech talent. Each cohort would tie business and the tech sector closer together as the fellows move along their careers.129



    A modified U.S. cyber strategy will be more limited, more realistic, and more likely to succeed in achieving critical but finite goals. It would not seek to have other countries embrace an American definition of democracy or free speech, but rather secure a commitment to build the domestic capacities that ensure the trusted flow of data. Although a modified strategy assumes that the United States will more proactively use cyber and non-cyber tools to disrupt cyberattacks and that norms are more useful in binding friends and allies together than in constraining adversaries, the strategy also takes into account that the major cyber powers share some interests in preventing certain types of destructive and disruptive attacks.

    A modified U.S. strategy needs to overcome two major challenges.

    First is the failure to bridge the cybersecurity and commercial divide with Europe. Policymakers in Washington and Brussels increasingly see the need for a strong transatlantic partnership in response to Beijing's and Moscow's assertiveness in cyberspace. The drive for technological autonomy and data localization in Europe, however, could make it difficult to convert a shared perception of the rising threat in cyberspace into expeditious action. A more realistic cyber policy would allow the United States more flexibility. If it fails to make progress with Europe, Washington could pivot to other digital powers such as India, Japan, Singapore, and South Korea in pursuit of the same policy goals.

    Second is domestic inaction. The United States needs to move quickly on many issues, particularly domestic privacy legislation and developing cyber expertise for foreign policy practitioners. Most important, policymakers need to recognize the urgency of cyber and digital action. Failing to act now will significantly threaten U.S. security and economic interests in the future.

    The policies of the last thirty years were rooted in American history and values. But that approach failed to prevent the internet from becoming a more fragmented and dangerous ecosystem. It is increasingly difficult for the United States to maneuver, while adversaries develop and implement comprehensive strategies for projecting power through, and exerting influence over, cyberspace. It is time for a more realistic U.S. cyber policy that consolidates a coalition of allies and friends around the principle of the trusted and secure flow of data, matches more assertive efforts to disrupt cyber operations with clear statements about self-imposed restraint, and prioritizes digital competition in national security strategies.
