8 September 2022

From Defending the Open Internet to Confronting the Reality of a Fragmented Cyberspace:

Adam Segal

Nine years ago, a Council on Foreign Relations-sponsored independent task force published a report on U.S. cyber policy entitled “Defending an Open, Global, Secure, and Resilient Internet.” Last month, CFR issued the report of a new task force, “Confronting Reality in Cyberspace: Foreign Policy for a Fragmented Internet.” (I was project director for both reports.) The 2013 report was CFR’s first attempt to introduce those in the foreign policy community who were unfamiliar with the politics of cyberspace to the most pressing issues. It explained how the increasing fragmentation of the internet and the rising threat of cyberattacks negatively affected U.S. interests, and it covered many of the concepts that have shaped U.S. cyber policy for the past two decades: deterrence, norm building, cyber alliances, digital trade agreements, information sharing, and public-private partnerships. Conversely, the 2022 report moved past the prior discussions around the importance of digital technologies, instead aiming to shift the debate on what the United States should try to accomplish in cyberspace. The 2022 report’s focus is narrower, highlighting foreign policy tools and spending less time on areas like domestic authorities or workforce training. Reading the two in tandem is a reminder of how high public expectations were for what Washington could accomplish in cyberspace. It also illustrates how significantly the United States’ position in cyberspace has worsened over the past decade.

The new report’s headline finding immediately tells the story: The era of the global internet is over. The internet is more fragmented, less free, and more dangerous. U.S. policymakers have long assumed that the global, open internet served American strategic, economic, political, and foreign policy interests. They believed that authoritarian, closed systems would struggle to hold back the challenges, both domestic and international, that a global network would present. This has not proved to be the case. Freedom House, which tracks internet freedom across the world, has seen sustained declines in empirical measures of internet freedom, especially in Asia and the Middle East, for over a decade. More states are launching political influence campaigns, hacking the accounts of activists and dissidents, and sometimes targeting vulnerable minority populations. A growing number of states choose to disconnect entirely from the global internet. According to Access Now, at least 182 internet shutdowns across 34 countries occurred in 2021, compared with 196 cases across 25 countries in 2018

In addition, the early advantages in technology, cyber operations, and diplomatic engagement the United States and its allies held in cyberspace over their adversaries have largely disappeared. The United States is asymmetrically vulnerable because of high levels of digitization and strong protections for free speech. U.S. adversaries, especially China, have adapted more rapidly than anticipated. These rivals have a clear vision of their goals in cyberspace, developing and implementing strategies in pursuit of their interests, and have made it more difficult for the United States to operate unchallenged in this domain.

The optimism of the earlier task force—in both the benefits of the open internet and the United States’ ability to shape cyberspace—is notable. While the 2013 CFR report flags the increasing fragmentation of the internet, it stated that the United States has “benefited immensely from a digital infrastructure that is relatively open, global, secure, and resilient.” The report highlighted the global strengths of the U.S. information and communications technology sector, and listed the many political, economic, social, and personal benefits it sees as flowing from an open internet. The report relays many examples of digital technologies supporting entrepreneurship in developing economies, expanding new forms of social and political activism, and empowering marginalized communities. It is, however, blind to the threats to democracies and social cohesion posed by hostile, state-backed information operations and the spread of disinformation.

The 2013 task force was also more confident of the positive impact of public-private partnerships on U.S. cyber policy. The report—written before Edward Snowden revealed that the National Security Agency was collecting data from American technology firms—calls for collaboration with the private sector and nongovernmental organizations on a wide range of initiatives, including developing principles for a global security framework, promoting online freedom, increasing cyber resilience, and creating guidelines for the export of dual use technologies. In the wake of the Snowden disclosures, American firms—motivated by a sense of betrayal, a commitment to an open internet, and economic interest—responded by increasingly portraying themselves as global actors. They also tried to make it more difficult for U.S. agencies to collect data through legal challenges and the introduction of end-to-end encryption on smartphone operating systems and messaging apps.The bad feelings of that era have largely dissipated, with the private sector in many instances working very closely with the government on threat intel sharing and cyber defense. Still, that history, and the possibility that Congress could pass new legislation to constrain the power of the tech companies, is reflected in the 2022 report’s hesitation to tie too many U.S. foreign policy goals directly to the private sector.

China is an important challenger in both reports, but the threat is framed more narrowly in the earlier report. The first task force was concerned primarily with Chinese cyber industrial espionage and Beijing’s use of the Great Firewall to censor information and regulatory barriers to limit the competitiveness of American technology companies in the domestic economy. At the time of the 2013 report, China had not yet become a global supplier of 5G telecommunications hardware or developed TikTok, one of the world’s most popular social media platforms; nor was it a competitor in emerging technologies such as artificial intelligence and quantum information sciences. Beijing was proclaiming the right to cyber sovereignty, but it had not yet developed an overlapping matrix of domestic data regulations, started to export its model of internet control to the global south, or increased its participation in international standard organizations in order to shape the next generation of technical standards.

In the decade since the first report, a destructive attack on critical infrastructure has become a more realistic threat. But the 2022 report, like its predecessor, is clear that the predominant risk of cyberattacks is not a potential “cyber Pearl Harbor.” Rather, most cyber operations have been attacks that violate sovereignty but remain below the threshold for the use of force or armed attack. These breaches are used for political advantage, espionage, and international statecraft, with the most damaging attacks undermining trust and confidence in social, political, and economic institutions.

Moreover, in the wake of the Colonial Pipeline attack, the 2022 report argues that cybercrime has become a standalone threat to national security. Ransomware attacks on hospitals, schools, and local governments have disrupted thousands of lives. The Conti ransomware group shut down the administrative body in Ireland charged with managing the national health-care system, disrupting critical health treatments. In 2019, a ransomware attack shut down the operations of a U.S. Coast Guard facility for 30 hours, and in May 2022, the new president of Costa Rica, Rodrigo Chaves Robles, declared a national emergency after a ransomware attack crippled the Finance and Labor Ministry as well as the customs agency.

The reports offer a similar set of policy recommendations but drastically different expectations on outcomes. The 2013 report argues that “[n]ow is the time for the United States, with its friends and allies, to ensure the Internet remains an open, global, secure, and resilient environment for users.” The 2022 report also envisions a cyber foreign policy of the “like-minded” but contends that the “utopian vision of an open, reliable, and secure global network has not been achieved and is unlikely ever to be realized.” Instead of pursuing that goal, the United States should “consolidate a coalition of allies and friends around a vision of the internet that preserves—to the greatest degree possible—a trusted, protected international communication platform.” Members of the coalition would develop a common understanding of the legitimate use of government surveillance, law enforcement access to data, and industrial policies; share best practices on technology regulation; work to forge a trusted supply chain for digital goods and services; and coordinate on international standards.

Digital trade agreements would be central to the coalition. There are several models that can be built upon, including the Economic Partnership Agreement between Japan and the European Union and the Digital Economy Partnership Agreement between Chile, New Zealand, and Singapore. Broadly these agreements remove tariffs on digital goods and eliminate nontariff barriers to digital trade. They also prohibit the localization requirements for computing facilities, cloud services, or data analysis motivated by anti-competitive or protectionist purposes; and they ban requirements to turn over to the government source code, algorithms, or related intellectual property rights. Moving forward, new provisions should address the concerns of workers and consumers, including those that promote digital inclusiveness, strengthen consumer confidence and trust, and protect personal information.

Both reports focus on the development of norms of responsible state behavior in cyberspace. The 2013 report calls for “the leading nations to agree on a set of norms for activity and engagement in cyberspace.” The 2022 report—looking back at the development of norms at the United Nations, the 2015 agreement on cyber industrial espionage between China and the United States, and the growing use of attribution, criminal indictments, and sanctions against Russian, Chinese, North Korean, and Iranian hackers—contends that norms are more useful in binding friends together than in constraining adversaries. Major actors have flouted the norms endorsed by the U.N., and China returned to cyber industrial espionage after a year-long hiatus.

The 2022 report does not eschew norm development completely. Rather, it suggests three norms that states may adopt out of self-interest because they could help prevent unintended and catastrophic outcomes. After consultation with allies and friends, Washington would announce an initial set of standards for self-restraint in cyberspace. Along with repeating commitments to abide by international law—including international humanitarian law and the laws of armed conflict—officials should state that the United States will refrain from destructive attacks on election infrastructure and the international financial system. And while promoting these norms, the United States and its partners should prepare for a violation of these standards by increasing the resilience and redundancy of these critical systems.

In addition, the United States has a strong shared interest in working with potential adversaries to prevent cyberattacks from worsening or creating a nuclear crisis. During a conventional conflict, states could be tempted to use cyberattacks to try to neutralize nuclear threats. These actions, however, would be highly destabilizing. Cyberattacks on nuclear command, control, and communication (NC3) systems could lead to incentives for states to launch nuclear weapons preemptively if they feared that they could lose their second-strike capability. Intelligence gathering could be interpreted by the defender as an effort to degrade nuclear capabilities. These risks are rising as modern NC3 systems come to depend more heavily on digital infrastructure.

The United States should enter into discussions with China and Russia about limiting all types of cyber operations against NC3 systems on land and in space. In the wake of the Russian invasion of Ukraine and the growing geopolitical competition between the United States and China, the spaces for cooperation between Washington and Moscow and Washington and Beijing are extremely narrow. Declarations of self-restraint can function as confidence-building measures, perhaps bridging the trust gap. U.S. policymakers should make clear that they are entering discussions with their Chinese and Russian counterparts because understandings on cyber operations and nuclear command and control are a shared interest among the three powers in preventing catastrophic outcomes.

Both reports agree that the United States cannot lead in cyberspace without addressing outstanding issues at home. While there are diverse priorities—the earlier report was written as the Obama administration was considering legislation on threat information sharing, and the latter argues for the necessity of national privacy laws—both reports stress the role congressional action has in shaping and amplifying U.S. influence on global cyberspace. Both call for digital and cyber policies to be better integrated into national strategies; to clean up domestic cyberspace through new authorities and regulations; and to establish a cyber bureau in the State Department, overseen by a Senate-confirmed “cyber ambassador.” (A week before the 2022 report was published, Nate Fick, the task force co-chair, was nominated by President Biden to serve as ambassador at large for cyberspace and digital policy.)

Not surprisingly, the conclusions of the two reports hit divergent notes. The 2013 report, assuming that the United States still retains significant will and capabilities to shape global cyberspace, focuses on the trade-offs among privacy, security, openness, innovation, and the protection of intellectual property inherent in any digital policy. As long as policymakers are proactive, the United States “can exert a positive influence on cyberspace by working to convince the next wave of users that an open and global internet is in all of our interests.” The 2022 report is more circumspect. The goals are, in the language of the report, “more limited” and “more realistic.” Moreover, there is real doubt that the United States can and will move resolutely and quickly enough, especially on domestic legislation.

Perhaps the biggest takeaway from reading the two reports is a sense of lost possibility and influence. Just a decade ago, the United States seemed uniquely positioned to exploit the openness of the internet for political, economic, and strategic gain. Today, the United States’ position is much more precarious. Adversaries benefit from a more fragmented, more dangerous cyberspace, and the United States must work actively to preserve the benefits of the open internet among a smaller number of like-minded countries.

No comments: