How Can Nations Curb Cyberattacks?

Global agreements plus these 4 tactics are part of the solution

MIT IDE
MIT Initiative on the Digital Economy
7 min read · Feb 8, 2022

By Irving Wladawsky-Berger

In mid-December, the Council on Foreign Relations sponsored a virtual roundtable with Joseph Nye, former dean of Harvard’s Kennedy School of Government, to discuss his recent Foreign Affairs article The End of Anarchy?: How to Build a New Digital Order. Professor Nye has long been regarded as one of America’s preeminent strategic thinkers and political scientists. In the 1970s, he chaired the National Security Council Group on Nonproliferation of Nuclear Weapons, and over the past decade he’s brought his expertise to the study of conflict and deterrence in cyberspace.

Cybersecurity is an increasingly important aspect of U.S. national security strategy, including global trade and the protection of our critical infrastructures. In June of 2021, FBI Director Christopher Wray compared the danger of ransomware attacks on U.S. firms by Russian criminal groups to the September 11 terrorist attacks. And, in a July editorial, The NY Times said that ransomware attacks have emerged as “a formidable potential threat to national security,” given “their ability to seriously disrupt economies and to breach strategically critical enterprises or agencies.” The message to governments: “It is a war that needs to be fought and won.”

At an MIT conference in February of 2019, former U.S. Secretary of State Henry Kissinger was asked if we need cybersecurity control agreements with Russia, China, and other nations similar to the nuclear arms control agreements that he spent so much time negotiating during the Cold War. Dr. Kissinger replied that for arms control to be effective, the two sides needed to share information and agree to inspections. But such mechanisms are harder to apply in the digital world because the transparency essential for arms control would be very hard to establish for cyber threats. In addition, while controls of physical arms are relatively explicable and negotiable, the variety and speed of cyberattacks make it much harder to develop adequate control agreements.

Is the Cyberworld Ungoverned?

“Ransomware attacks, election interference, corporate espionage, threats to the electric grid: based on the drumbeat of current headlines, there seems to be little hope of bringing a measure of order to the anarchy of cyberspace,” Nye wrote in The End of Anarchy. “The relentless bad news stories paint a picture of an ungoverned online world that is growing more dangerous by the day — with grim implications not just for cyberspace itself, but also for economies, geopolitics, democratic societies, and basic questions of war and peace.”

Cyberattacks are a new kind of conflict. Private sector defenses can significantly impact national security, but unlike conventional or nuclear weapons, the military doesn’t control corporate IT systems. Beyond regulated industries like finance and health care, it’s up to companies to make decisions regarding their cybersecurity investments and controls.

“Deterrence must be part of the approach, but cyber-deterrence will look different from the more traditional and familiar forms of nuclear deterrence that Washington has practiced for decades. A nuclear attack is a singular event, and the goal of nuclear deterrence is to prevent its occurrence. In contrast, cyberattacks are numerous and constant; deterring them is more like deterring ordinary crime: the goal is to keep it within limits. Authorities deter crime not only by arresting and punishing people, but also through the educational effect of laws and norms, by patrolling neighborhoods, and through community policing. Deterring crime does not require the threat of a mushroom cloud.”

The Case for Cyber-norms

Given these realities, “any suggestion that it is possible to craft rules of the road in cyberspace tends to be met with skepticism: core attributes of cyberspace, the thinking goes, make it all but impossible to enforce any norms or even to know whether they are being violated in the first place,” said Nye. “States that declare their support for cyber-norms simultaneously conduct large-scale cyber-operations against their adversaries.” For skeptics, this is evidence that “establishing norms for responsible state behavior in cyberspace is a pipe dream. Yet, that skepticism reveals a misunderstanding about how norms work and how they are strengthened over time.”

Social norms are the unwritten, informal understandings that govern the behavior of members of a group or culture. Even if not explicitly codified into rules or laws, social norms provide order and predictability.

Is it possible to establish norms for responsible state behavior? Yes, argues Nye. “Norms create expectations about behavior that make it possible to hold other states accountable. Norms also help legitimize social actions and help states recruit allies when they decide to respond to a violation. And norms don’t appear suddenly or start working overnight. History shows that societies take time to learn how to respond to major disruptive technological changes and to put in place rules that make the world safer from new dangers.”

The article cites several examples of state behavior throughout history: For instance, after many decades, Europe and the U.S. developed norms against slavery in the 19th Century. In 1963, the Partial Nuclear Test Ban Treaty banned nuclear weapon tests in the atmosphere, under water, and in outer space; and in 1975, the Biological Weapons Convention banned the development, production, and use of biological weapons.

“Although cybertechnology presents unique challenges, international norms to govern its use appear to be developing in the usual way — slowly but steadily, over the course of decades. As they take hold, such norms will be increasingly critical to reducing the risk that cybertechnology advances could pose to the international order, especially if Washington and its allies and partners reinforce those norms with other methods of deterrence. Although some analysts argue that deterrence does not work in cyberspace, that conclusion is simplistic: it works in different ways than in the nuclear domain.”

Four Reasons to Adopt Standards

Why would states embrace such norms of behavior? Nye cites four reasons: coordination, prudence, reputational costs, and peer pressure.

  • Coordination. “Common expectations inscribed in laws, norms, and principles help states coordinate their efforts.” For example, even though not universally ratified, just about all states treat the UN Convention on the Law of the Sea as customary international law to settle disputes about international waters. The benefits of cooperation in cyberspace have been evident given the very few occasions that ICANN — the Internet’s domain name system — has been hacked. While states may control access to the Internet within their boundaries, they’ve refrained from putting the basic stability of the global Internet at risk.

  • Prudence. “Prudence results from the fear of creating unintended consequences in unpredictable systems.” For example, the 1962 Cuban missile crisis, which brought the world to the brink of nuclear war, was a major factor in the 1963 Partial Nuclear Test Ban Treaty.
  • Reputational costs. “Concerns about damage to a country’s reputation and soft power can also produce voluntary restraint… and increase the costs of using or even possessing a weapon that can inflict massive damage.” We’ve seen this with the widespread condemnations of the regimes of Iraq’s Saddam Hussein, Syria’s Bashar al-Assad, and North Korea’s Kim Jong-un. “It is hard to imagine the emergence of a similar blanket taboo against the use of cyberweapons. … A more likely taboo is one that would prohibit the use of cyberweapons against particular targets, such as hospitals or health-care systems,” similar to existing taboos against the use of conventional weapons on civilians.
  • Peer pressure. “After a certain gestation period, some norms reach a tipping point, when cascades of acceptance translate into a widespread belief and leaders find that they would pay a steep price for rejecting it.” Nye cites the spread of concern for universal human rights after 1945, which although not always successful, put pressure on authoritarian states to reduce their human rights violations. Similarly, over the past two decades, peer pressure has led to the increased acceptance of marriage equality around the world.

What should be done when cyber-norm red lines are crossed? Agreements on where to draw red lines and what to do when they’re crossed are hard to achieve. “Rather than make it a yes or no question, critics argue that the focus (and any ensuing warning against such actions) should be on the amount of damage done, not the precise lines that were crossed or how the violations were carried out.”

“In cyberspace, one size does not fit all,” Nye concludes. “Democracies can set a higher standard for themselves by agreeing on norms related to privacy, surveillance, and free expression, and enforcing them through special trade agreements that would give preference to those that meet the higher standards. Diplomacy among democracies on these issues will not be easy, but it will be an important part of U.S. strategy. … Such a strategy must also include developing norms with the long-term goal of protecting the old glass house of American democracy from the new stones of the Internet age.”
