3 April 2017

The Rules of the Brave New Cyberworld

William Burns

Donald Trump’s election is the latest and most dramatic manifestation of a moment of staggering global transformation and volatility. The diffusion and fragmentation of power, capital, and politics are fueling profound forces that are shaking the underpinnings of international order: the return of great power rivalry and the rise of conflict after many years of decline; the emergence of new powers; the shift of economic dynamism from West to East and destabilizing economic stagnation and dislocation; and the rejection by societies in many regions of globalization and the embrace of an angry, fortress-like nationalism.

Technology — broadly speaking, the internet, mobile platforms, social media, and computing power — is among the most powerful of these forces, for good and ill.

Technological innovation has contributed to the most significant period of economic growth and poverty alleviation in modern history, increased life expectancies, expanded productivity, ushered in a new era of clean energy, and reshaped global communications and commerce. In half a century, the world has gone from zero digital wireless devices to more than 4 billion, and one-third of the world’s population is now on the internet. An additional 2 billion to 3 billion people will come online in the next three years, marking what will be the fastest period of internet adoption in history.

While the internet has become a critical lifeblood for economies and societies, this also makes it an increasingly contested and volatile global commons. Advanced economies lose billions of dollars and hundreds of thousands of jobs a year as a result of malicious cyberactivity, while nearly half of all internet users around the world are chained by government restrictions on internet content, access, and communication. Malign forces prey on the vulnerability of technologically dependent and interconnected societies, recruiting foot soldiers, targeting critical infrastructure, and meddling in politics.

The question facing the Trump administration — and its counterparts around the world — is how to adapt traditional concepts and tools of statecraft to the digital age. We’ve entered a new era, and we lack the shared vocabulary and political doctrines to make sense of it. Perhaps more importantly, the generation of leaders who can seamlessly integrate policies in the physical and digital worlds is still emerging.

Meeting this challenge requires doing away with the habit of separating — analytically, organizationally, and strategically — the physical and digital domains of international politics. The temptation to separate these dimensions is driven in part by the lack of technological expertise among the foreign-policy community and the prevailing idea that technology companies have a limited or nonexistent role to play in diplomacy. The post-Snowden environment has exacerbated this by seeding mistrust between the two communities and eroding previously held mutual respect for each other’s expertise.

During our years in government, we witnessed the negative effects of this dynamic firsthand. But we also saw this compelling shift, in large part because both communities recognize that there is an opportunity and a mutual benefit to shaping the doctrines, norms, rules, and institutions that can protect our interests and values in cyberspace. Both communities appreciate the central role that governments play when it comes to rule-making in the cyberdomain, and both understand that for these rules to be effective and equitable, they have to apply internationally.

This reality is precisely why diplomacy still matters. And it’s precisely why it must evolve. This is not a simple exercise, and we don’t pretend to have identified all the right questions, let alone the right answers. We cannot predict the direction and pace of innovation, nor how actors will adjust and respond. Nevertheless, we think it’s useful to begin by examining four core components of statecraft — power, coercive diplomacy, alliances, and foreign assistance.

1. POWER: HOW CRITICAL IS CYBERCAPACITY FOR GETTING ONE’S WAY IN THE WORLD?

Cybercapacity is an aggregate of a number of factors, from the quality and strength of a country’s digital infrastructure (access to electricity, internet quality, and internet penetration) to its innovation environment (ease of founding start-ups, access to venture capital funding, and population of talented engineers), political space (governed by laws on freedom of expression), and soft power (how much other actors desire products of its technology industry).

Cybercapacity has served as a force multiplier for rising powers like China while their traditional military hardware lags behind. At the same time, investments in cybercapacity have allowed declining states, like Russia, to remain heavy hitters, while giving a diverse range of smaller states — like Israel, Singapore, Estonia, and Iran — an opportunity to enhance their geopolitical potential.

While cybervariables affect national power, they do not define it. Pakistan’s development of nuclear capacity 30 years ago gave it significant leverage, but did not catapult it to the table of great powers or allow it to behave as it pleased on the international stage. The same dynamic will likely hold for cybercapable states.

However, when it comes to non-state actors, cybercapacity may prove more significant. Building cybercapacity doesn’t require natural resources, nor does it require the enormous capital investments that nuclear states had to make. As a result, non-state actors face minimal barriers to entering cyberspace, wielding political influence, or carrying out significant cyberoperations independent of, or on behalf of, states. Furthermore, states’ reliance on sophisticated digital networks, which invariably contain vulnerabilities, gives non-state actors a disproportionate advantage.

The most obvious example of a non-state actor benefiting from the asymmetrical advantage of cybercapacity is the Islamic State. Although the Islamic State relies predominantly on its physical capabilities to achieve its objectives, it creates professional-quality content optimized for the internet and social media, and engages in precise targeting of people online who might be susceptible to its message. This harnessing of online tools and media has allowed the Islamic State to achieve disproportionate influence and reach online — even though, at this stage, it lacks the capacity to conduct meaningful cyberattacks. In the future, a more sophisticated terrorist group would likely adopt many of the same tactics, but might manage to go a step further and develop, or otherwise acquire, cyberattack capabilities. These capabilities could set the stage for a catastrophe — imagine a cyberattack that brought down the Manhattan electric grid coordinated with physical attacks on multiple targets. We must prepare for these sorts of scenarios.

While the Islamic State conducts most of its operations in the physical realm, hacking networks like Anonymous rely predominantly on digital capabilities. Despite Anonymous having little, if any, centralized command structure, the group (or individuals claiming to be affiliated with the group) has successfully attacked government agencies, major international corporations, and political figures.

Anonymous and the Islamic State both demonstrate a central feature of the digital age: Even decentralized non-state actors can wield considerable power through the acquisition and deployment of cybercapacity. We should expect this trend to intensify quickly.

2. COERCIVE DIPLOMACY: TO WHAT EXTENT ARE TRADITIONAL CONCEPTS OF DETERRENCE AND LEVERAGE RELEVANT IN THE DIGITAL AGE?

Theorists and policymakers have developed views about the key ingredients for successful deterrence (making clear and credible threats that persuade a country not to take a specific action) and the even more challenging task of compellence (exacting costs to force a country to change its behavior) in the physical realm. But recent cyberattacks like North Korea’s hack of Sony Pictures, China’s stealing of 18 million security clearance records from the U.S. Office of Personnel Management, and Russia’s brazen interference in the U.S. presidential election have called into question whether those views apply to actions taken in cyberspace.

Deterrence and compellence in cyberspace are complicated by a number of factors — the near absence of advance warning, the challenges of attribution, the uncertainty about the immediate as well as second- and third-order consequences of any action, the nonexistence of doctrines of proportional response, the dearth of communication hotlines for cybercrises, the paucity of legal precedent, and the lack of established credibility and technical capability regarding retaliation.

Because the scale and nature of the challenge are still unclear, it’s critical that we move quickly to create avenues for communication between cybercapable states to identify areas of mutual self-restraint, minimize miscommunication, and manage crises. We also need to develop and test doctrines of cyberdeterrence and compellence now — just as we didn’t wait for nuclear Armageddon to develop new doctrines during the Cold War.

We need to take a close look at our use of sanctions, which are an increasingly important tool in our coercive diplomacy toolkit and have been a key element of our responses to cyberattacks from Pyongyang to Moscow. As we further refine the scale and scope of sanctions for cyberactivity, we must heed former Secretary of the Treasury Jack Lew’s warning of the risks of overreliance on sanctions and of forgetting their purpose: building leverage to change state behavior — not long-term harm. In the absence of satisfying policy options, we risk deploying sanctions that bark more than they bite, undermine the desired deterrent effect, disadvantage U.S. companies, unnecessarily anger our partners, and expose our economy to retribution.

Beyond using sanctions to punish offensive cyberoperations, we should consider expanding their use to support human rights. One way to do so is by punishing companies and states that provide repressive regimes potentially harmful technology, such as spyware, censorship tools, and surveillance systems. This is a worthy, if complicated, endeavor, since some of these tools can be put to legitimate use.

The reverse approach — making available virtual private networks, secure browsers, and operating systems hardened against surveillance to peaceful activist groups — is equally tricky. The relatively easy part of the challenge is incentivizing private companies to build more of these tools and disseminate them in the right places. This requires enhanced cooperation between the American government and the tech industry. In some cases, like during the 2009 Green Movement in Iran, it requires removing legal restrictions that prevent companies from making their products available in countries under sanctions. The much more difficult challenge is ensuring that newly opened space for discourse doesn’t open up space for violent extremists.

3. ALLIANCES: WHAT IS THE RIGHT ARCHITECTURE OF PARTNERSHIPS TO SECURE OUR INTERESTS AND VALUES IN CYBERSPACE?

One of the great assets available to the United States is its network of alliances and partnerships and its leadership position in a number of regional and international organizations. Through these institutions, we have been able to protect our interests and values and benefit the community of nations that share our worldview. This architecture of partnerships was not designed for the digital age — but it is critical to defining its rules and norms.

The internet should remain a safe and secure global commons that makes us stronger, not more vulnerable. We’ve seen how formal alliances like NATO, regional organizations like the European Union, and partnerships like the Community of Democracies have come together to define common approaches to cyberspace. These efforts have promise, but clear norms of acceptable behavior and mechanisms to arbitrate disputes are not yet established and long overdue. There is more work to be done, including with some of our closest friends and partners who don’t always share our views about behavior online. It’s critical for the United States to lead by example and work energetically in extant and emerging forums to broaden the coalition of actors that share its commitment to a free and secure cyberspace.

Our strategy for leveraging partnerships and alliances in the digital dimension should center on three elements: First, we should rely chiefly on less formal, more flexible structures; second, we should start with our allies, close partners, and other like-minded states to set new foundations and then build from these; and third, we should take the initiative to adjust institutions to accommodate new players, and especially to engage rising powers.

The United States should lead a sustained top-level effort to establish a broader framework of rules around these issues. As an urgent starting point, we should build global consensus around both the need to protect the integrity of financial data and systems on which the global economy relies and the illegality of cyber-enabled commercial espionage, making a clear distinction between traditional spying and wholesale commercial theft. We can draw on the experience of remarkable American leadership in building the global nuclear order more than half a century ago as we reach out to partners and begin laying down blueprints for a new digital order.

4. FOREIGN ASSISTANCE: WHAT ADJUSTMENTS SHOULD WE MAKE TO OUR FOREIGN ASSISTANCE PORTFOLIO TO REALIZE THE PROMISE OF THE INTERNET TO ACCELERATE ECONOMIC DEVELOPMENT, IMPROVE GOVERNANCE, AND EMPOWER CITIZENS?

In our view, U.S. foreign assistance remains one of the smartest investments we can make in our security and prosperity. Our investment portfolio, however, like other aspects of American foreign policy, does not adequately account for the digital dimension, the opportunities it presents, and our unique strengths — especially our technological expertise and entrepreneurial spirit.

The U.S. government should place a higher premium on building out and protecting the technological infrastructure of partner countries. Foreign assistance, perhaps in the form of loan guarantees or matching funds to fast-moving private sector actors, provides a quick way to address this gap, as well as an opportunity to tightly align national security goals with impactful foreign aid decisions. The U.S. private sector is a significant asset, and we should deploy it purposefully.

Foreign aid also gives us the chance to influence which model of connectivity developing countries choose: the global model championed by the United States or the autarkic model championed by China. We should condition laying fiber-optic cable and installing telecommunications infrastructure on countries’ policies in cyberspace, and provide more aid to countries that uphold the rules and international frameworks that protect our connectivity model. But investing in technological infrastructure is not just about laying the cable; it is also about protecting the existing connectivity. Patching national cybersecurity vulnerabilities in today’s world is often just as important as border security. U.S. leadership can ensure that this shift is coordinated with, and amplified by, our partners and other donor agencies.

STAYING AHEAD OF THE CYBERCURVE

Anyone skeptical of the growing role cybercapacity plays in the conduct of foreign affairs just needs to look at the most recent presidential election, in which cyberespionage, leaks, and data security were central issues. This wasn’t an anomaly. We should expect that future elections and political events here and around the world will increasingly involve aspects of cybercapacity, and we have to ask ourselves whether we will be prepared to rise to these challenges, or whether we will remain a step behind the state of the art.

Today’s world can seem disorienting and overwhelming. For many, emerging challenges in cyberspace only add to their disillusion, despair, and sense of disorder. This is understandable, but shortsighted. There remains tremendous potential for technology, if we harness it wisely, to promote peace and prosperity.

The most important thing that the United States can do to meet the demands of this new age is to cultivate a workforce of young people who combine expertise in both foreign affairs and technology. In previous generations, young people who wanted to be relevant in the foreign-policy establishment studied Russian or learned about nuclear disarmament. After 9/11, Arabic language skills, as well as expertise on the Middle East, offered an entrée into foreign policy. Today, students of foreign affairs should understand how the internet works on a technical level and study the varied threats that fall under the broad umbrella of so-called cyber issues.

For the United States, it will be critical to update our posture toward cybercapable actors by ensuring that the tools we bring to bear reflect our adversaries’ increasing reliance on cyberspace. It will be equally important to make the critical investments necessary to sustain our geopolitical edge in the 21st century. The good news is that cybercapacity is, for the most part, a product of policy choices, not geographic destiny. To remain on top, we must invest in cybercapacity by devoting more resources to technical and computer science education; adopt coercive diplomacy strategies that utilize new technological capabilities; shape and leverage our alliances to create positive norms for cyberbehavior; and reimagine our foreign assistance portfolio to take full advantage of the opportunities afforded by the digital age.

The diplomatic tools and strategies we have refined over many years must adapt to keep pace with an evolving international landscape. If we intensify efforts to bring technologists and diplomats together, if we continue to adapt and stay ahead of the curve, and if we remain actively engaged in defining and shaping the rules that animate cyberspace, we will be infinitely better prepared to meet the foreign-policy challenges of the next century.
