Conflict and Negotiation in Cyberspace

Editor’s Note: The Center for Strategic and International Studies (CSIS) report “Conflict and Negotiation in Cyberspace” by James A. Lewis is attached here. The following are the CSIS report’s Principles and Conclusions:

We cannot avoid the conclusion that the use of cyberattack is unavoidable in military conflict and that advanced militaries will prepare the means for cyberattack. Use of cyberattack in conflict will follow the same decision-making processes as other weapons. For “strategic” use of cyberattacks, determining factors will be the long range, speed, the difficulty of defense and the possibility of increased surprise that cyberattack provides and that was previously only afforded by ballistic missiles.

The use of cyberattacks outside conflict, and the use of cyber espionage, will be shaped by an attacker’s belief in the likelihood of attribution and potential consequences if detected. The risk of cyberattack by nonstate actors is growing but may never match the capabilities of nation-state capabilities, given the disparity in resources. This nonstate risk is not amenable to the same tools that will mitigate the risk of military use. Cyber espionage and state-sponsored crime have become a normal part of online activity, in large part because of failures to establish bounds and cooperative measure on an international level, but the greatest risk from cybercrime and cyber espionage comes from miscalculation leading to escalation into more damaging military conflict.

Deterrence based on the threat of reprisal or the use of military force cannot be extended and does not work. It does not change opponents’ calculations on use either in conflict or outside conflict. The most important means to shape opponents’ calculations is to associate tangible consequences for malicious cyber actions. This is the only way to limit state-sponsored espionage and crime, which cannot be the subject of credible military threats.

Drawing on this discussion, the United States should base its approach to international cybersecurity on six principles:

■     Cyberspace is not a unique environment. States will behave in this environment as they would in any other.

■     We cannot “disarm” in cyberspace, and there will be no “global zero” for a cyberattack.

■     We have entered a period of sustained, low-level competition for influence where opponents’ miscalculations and misperceptions are a source of risk to the United States.

■     U.S. interests are best served by embedding cyberattack and cyber espionage in the existing framework of international law, and long-term U.S. interests are best served by winning international agreement to this.

■     America’s immediate goal in negotiation should be to increase the risks of launching a cyberattack or engaging in malicious cyber activity for both state and nonstate opponents.

■     There is a limit to what negotiation can achieve in reducing risk; there will always be risk. The U.S. goal should be to decrease and bound this risk as part of its larger efforts to strengthen international security.

Therefore, the United States should not accept any agreement to constrain a cyberattack. Instead, the goal for U.S. policy is to “normalize” the role and place of cyberspace in international relations and security, to create a more stable environment by reducing the chance of miscalculation, and by embedding the use of cyberattack and cyber espionage in existing framework of state relations.

Norms are an important part of this framework, but they are insufficient if not backed by action. The most important norms would establish state responsibility for actions in cyberspace that originate in their territory (whether state-sponsored or not—this is an extension of existing international practice) and the application of existing international law to cyberspace, and in particular the application of the laws of armed conflict. The core of an approach to norms is that cyberspace is not sui generis; nor is it a unique environment for international security.

Nations do not rush into agreements, even nonbinding agreements, that might impinge upon their sovereign rights. The calculus of how cybersecurity would affect these rights is not well established (as is the case with other security and economic issues). Claims that cyberattack is like nuclear warfare are spurious, but they create uncertainty that makes nations cautious in moving toward an agreement. Competing political agendas—one authoritarian and the other democratic—increase this caution. Agreement on norms will be difficult to achieve in the current international political environment; the widely recognized intermediate step is to get agreement on confidence-building measures to lay the groundwork for future agreement on norms.39 The most important confidence-building measures involve transparency and the creation of internationally recognized “redlines.” These are the most valuable for reducing misperception and miscalculation.

Any exchange of information at first will be asymmetric, with the United States and other democratic nations providing more than authoritarian regimes. The United States should emphasize reciprocity but should not expect it. A number of interim measures can build the case for reciprocity (or create the effect of mutual transparency, even if some nations do not participate). These could include official statements on how the United States perceives other nations’ cyber doctrine and policies and what activities it considers to be problematic (as is done now with annual reports on human rights).

The core trade for international cybersecurity will involve a new model of governance in exchange for responsible behavior by states. The United States should link any change in governance to universal agreement on the acceptance of state responsibility. The old, multistakeholder model is inadequate and must be replaced (although not by the overly governmental approaches suggested by authoritarian states). The United States and its partners can no longer treat Internet governance and cybersecurity as separate issues, that cyberspace is a unique domain not subject to the usual requirements of sovereignty. Technology has created a new domain for trade, discourse, and conflict. Millennial beliefs that existing “rules” could not apply to this domain have been tested and found wanting. A new approach to international security will recognize what is inevitable, extend international practice and law into cyberspace, and create a framework of goals, principles, and consequences that will create stability at a strategic level and best serve America.

 

39. James A. Lewis and Katrina Timlin, Cybersecurity and Cyberwarfare: Preliminary Assessment of National Doctrine and Organization (Geneva: UNIDIR, 2011), http://www.unidir.org/pdf/ouvrages/pdf-1-92-9045-011-J-en.pdf.
