| SCUSA 63
Thinking Beyond Boundaries:
Contemporary Challenges to U.S. Foreign Policy
To date, cyberspace is a domain where individuals, governments, the public sector, the private sector, and civil society interact beyond traditional boundaries. Information, data, commerce, and ideas flow freely between physical locations at light speed. Many take the fact that cyberspace is a global commons, or open access resource, for granted.1 Like the Wild West, risk-taking entrepreneurs—businessmen, thought leaders, and innovators—helped build this newly discovered space. And just as in the Wild West weak governance over nascent territories empowered cattle rustlers and outlaws, so in cyberspace the bad flourish alongside the good. High-tech criminals steal from individuals and large businesses, hacktivists vandalize cyberspace or disrupt the flow of information, and states lay claim to areas of cyber terrain that may lead to conflict in cyberspace as well as terrestrially.
To ensure that cyberspace continues to promote cooperation, communication, and prosperity among people of all nationalities, races, faiths, and ideologies, America has an interest in building international support for cyberspace governance.2 But what does governing cyberspace mean, and what role should America play in its governance? So far, efforts to achieve global consensus on regulating, taxing, and securing access to the Internet have proven unsuccessful. What, if anything, might make international consensus more achievable?
This paper explores the idea of governing cyberspace by developing norms that promote communication, security, and prosperity.
Before discussing these three focus areas for the United States’ international cyberspace strategy, it is necessary to understand what norms are. In general terms, norms are accepted standards of appropriate behavior. This definition can further include expectations of behavior for “actors with a given identity,” which allows for the existence of multiple norms—different norms for certain groups, such as governments, militaries, businesses, or individuals.3
Although norms establish accepted standards, norms do not institutionalize behavior. Institutionalization of norms occurs though legalization, especially within the realm of international law. The strength of international law lies along a continuum from “soft law,” which seeks to facilitate compromise and cooperation, to “hard law,” which enshrines pre- and pro-scripted behavior into precise legally binding obligations.4 One can measure this strength according to three dimensions: 1) precision, or the level of ambiguity in the definition of prescribed or proscribed behavior; 2) obligation, or variation in boundedness to a rule or commitment; and 3) delegation, or the level of authority granted to third parties to “implement, interpret, and apply rules; to resolve disputes; and (possibly) to make further rules.”5 Again, this institutionalization process starts with the existence of norms of accepted behavior.
The development of norms generally precedes the development of international law. However, norms develop at different rates. Norms develop quickly when they are clear, useful, and doable.6 Norms spread when they are simple and straightforward. Second, actors must see that following the norms yields more benefits than costs. Finally, enabling actors to comply with new norms increases the likelihood that they will follow the desired pre- or pro-scribed behavior.7 Even norms that have all three of these winning characteristics are not immediately accepted; instead, they follow an evolutionary adoption process that generally involves three stages of development: 1) norm emergence—norm entrepreneurs lead an organized movement, taking advantage of existing institutions when possible; 2) norm cascade—norm entrepreneurs embark on an international socialization process to persuade or coerce those not following the norms to do so; and 3) internalization—mainstreaming to ensure compliance with the norm.8
Given this background, policymakers must consider what the ideal norm evolution process should look like for governing cyberspace? What can the United States do to encourage norm emergence and cascade? How will other actors perceive a US effort to lead this process? And at what point should the international community focus on developing international legal standards for governing cyberspace as opposed to norms?
Individuals, governments, the private sector, and civil society recognize the benefits of the interaction that cyberspace enables, so each of these groups has a stake in maintaining an interoperable and open network. The issue area of communication within the realm of cyber governance divides into two domains, one technical (interoperability) and the other interpersonal.
What role do states have in ensuring global interoperability? Interoperability is promoted by developing technical standards that allow multiple actors to interact across platforms and boundaries. A further component of interoperability is network stability, which is respecting and enabling the free flow of information between internationally interconnected infrastructures across domestic networks.9 How should responsibility be shared between the public and private sectors to develop and promulgate technical standards that ensure the security and resiliency of the global infrastructure? How can the US promote the development of global standards?
In addition to ensuring interoperability and the technical flow of information across networks, supporting interpersonal openness maintains the freedom of cyberspace. Cyberspace enables people to share information, express opinions, expose malfeasance, and organize social and political movements, on- and offline. At the same time, current weaknesses in cybersecurity do not guarantee the protection of individual privacy, which may undermine the trust needed to sustain social and political, as well as economic, activity on the Internet.10 What can the US do to promote norms that support fundamental freedoms, such as expression and association, as well as privacy? How can the US work with civil society to develop safeguards that protect individuals from arbitrary state interference into their activities on, or deprivation of access to, the Internet? Extending existing human rights law as described in the Universal Declaration of Human Rights in order to protect fundamental freedoms and privacy is another potential extension of US efforts in cyber governance.11 How will other nations such as China and Russia react toward an expanding US role promoting interoperability and openness in cyberspace?
Security is another multifaceted realm related to cyberspace governance. The technical aspects of security encourage interoperability and openness, but security is also necessary to promote commerce and protect national security. Again, the public and private sectors should work together to develop technical standards to protect networks, ensuring their security, reliability, and resilience.
Strategically, cyberspace has joined land, sea, air, and space as the newest domain of warfighting. The US’s recognition of cyberspace as an operational domain allows for the Department of Defense (DoD) to organize, train, and equip the US Armed Forces to support national security interests specific to missions and challenges in cyberspace. The military now has the clear strategic task guidance to prevent adversaries from exploiting, disrupting, denying, or degrading the networks and systems upon which the Defense Department relies.12 The DoD’s cyber strategy supports the White House’s effort to develop a norm of cybersecurity—namely, that states have a responsibility “to protect information infrastructures and secure national systems from damage and misuse.”13
While states still maintain a right of self-defense in response to aggressive acts by others, consistent with Article 51 of the United Nations Charter, the rules for how to apply this principle to 21st century cyber security challenges are not clear.14 The White House’s strategy for national defense is based on the principles of dissuasion and deterrence. The US can dissuade adversaries from attacking by creating robust defenses, as well as mitigation plans to isolate and limit the damage of successful attacks. Deterrence demands that the US elevates the cost associated with executing an attack beyond the perceived benefit any adversary hopes to achieve.15 One challenge with cyber attacks, however, is attribution, or the ability to verify the source of an attack. Further, with ubiquitous information technology, it is challenging and expensive for defenders to increase an attacker’s cost beyond the perceived benefit.16 What would the US need to do to overcome these challenges to deterrence? How can the US promote norms that create taboos for certain behaviors by state or non-state actors in cyberspace?17 Are there alternative national security strategies the US can pursue besides dissuasion and deterrence, whether through diplomacy or by strengthening public and private partnerships?
Cyberspace generates vast wealth. The existing openness and interoperability of the Internet have enabled commerce at all levels, from small businesses to multinational corporations, and between individuals. Cyberspace is thus a potential tool to promote domestic and international economic development. Long-term investment in cyber infrastructure can provide access to new markets for goods and services. Should the US sustain and expand the current free-trade environment, institutionalized in the form of the World Trade Organization, in order to enable governance over economic activity in cyberspace? What responsibility does the US have to share technology with others in order to empower less-advantaged populations?
While cyberspace has created enormous wealth due to innovation, intellectual capital investments have also become the target of cyber theft, leading to unprecedented volumes of illegal wealth transfer.18 How can the US promulgate norms or international law that guarantees respect for property? What incentives will induce states to protect and enforce intellectual property rights—patents, trade secrets, trademarks, and copyrights—through their domestic laws and judicial systems?
Sustaining open and interoperable communication while providing security and spreading prosperity requires states and non-state actors to think about how to govern cyberspace. The White House has so far addressed this contemporary challenge to US foreign policy by promoting norms. Yet while norm development in each of these issue areas can be mutually supportive, the development of norms in one area might also threaten effectiveness or efficiency in another area. One of the major challenges in developing governance norms for cyberspace is determining how to balance competing interests. What are the necessary security compromises that must be made to ensure citizens are protected from unfettered surveillance? What necessary compromises in our civil liberties must be made to protect citizens from multifaceted threats, both criminal and national security related? What is the balance between encouraging private sector-driven prosperity and keeping the Internet open and secure? To address these vexing and still-emerging questions requires that policymakers think beyond the boundaries that divide norms from laws, the private from the public sectors, and nations from one another.
Finnemore, Martha. “Cultivating International Cyber Norms.” In America’s Cyber Future: Security and Prosperity in the Information Age, Vol. II, edited by Kristin M. Lord and Travis Sharp, 87-101. Center for a New American Security: Washington, 2011.
Finnemore, Martha and Kathryn Sikkink. “International Norm Dynamics and Political Change.” International Organization, vol. 52, no. 4 (1998): 887-917.
Lessig, Lawrence. “The Internet Under Siege.” Foreign Policy, November/December (2001), 56-65.
Lewis, James A. “Why Privacy and Cyber Security Clash.” In America’s Cyber Future: Security and Prosperity in the Information Age, Vol. II, edited by Kristin M. Lord and Travis Sharp, 123-142. Center for a New American Security: Washington, 2011.
Libicki, Martin C. Cyberdeterrence and Cyberwar. RAND Corporation: Santa Monica, 2009.
Obama, Barack H. International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World. The White House: Washington, 2011.
Abbott, Kenneth W., Robert O. Keohane, Andrew Moravcsik, Anne Marie-Slaughter, and Duncan Snidal. “The Concept of Legalization.” International Organization, 54, no. 3 (2000): 401-419.
Abbott, Kenneth W., and Duncan Snidal. “Hard and Soft Law in International Governance.” International Organization 54, no. 3 (2000): 421-456.
Alperovitch, Dmitri. “Revealed: Operation Shady RAT.” McAfee: Santa Clara, 2011.
Department of Defense. Department of Defense Strategy for Operating in Cyberspace. Department of Defense: Washington, 2011.
Fontaine, Richard and Will Rogers. Internet Freedom: A Foreign Policy Imperative in the Digital Age. Center for a New American Security: Washington, 2011.
Lord, Kristin M. and Travis Sharp, eds. America’s Cyber Future: Security and Prosperity in the Information Age. Center for a New American Security: Washington, 2011.
http://www.cnas.org/files/documents/publications/CNAS_Cyber_Volume%20I_0.pdf [Vol. 1]
http://www.cnas.org/files/documents/publications/CNAS_Cyber_Volume%20II_2.pdf [Vol II]
Nye, Joseph S. Jr. “Power and National Security in Cyberspace.” In America’s Cyber Future: Security and Prosperity in the Information Age, Vol. II, edited by Kristin M. Lord and Travis Sharp, 5-24. Center for a New American Security: Washington, 2011.
Segal, Adam. “Cyberspace Governance: The Next Step.” In Policy Innovation Memorandum No. 2. Council on Foreign Relations: New York, 2011.
Singer, Peter W. and Noah Shactman. “The Wrong War: The Insistence on Applying Cold War Metaphors to Cybersecurity Is Misplaced and Counterproductive.” Brookings Institution: Washington, 2011.
Tannenwald, Nina. “Stigmatizing the Bomb: Origins of the Nuclear Taboo.” International Security 29, no. 4 (2005): 5-49.
United Nations. Charter of the United Nations and Statute of the International Court of Justice. United Nations: San Francisco, 1945.
United Nations. Universal Declaration of Human Rights. UN Department of Public Information: New York, 1948.
Share with your friends: