What if Russia, with its economy in its last throes and threatening the regime’s hold on power, chose to lash out with cyber attacks against its perceived tormentors, disrupting the West’s financial system? Is it possible that China, seeking to bolster its flagging growth, would accelerate theft of trade secrets from the United States? Could a terrorist group like the Islamic State finally develop and use cyber capabilities for terror, rather than mere recruitment? Might the United States, seeking to deter such attacks, engage in its own cyber espionage and attacks to the degree that it undermined the U.S. message of promoting a free and peaceful Internet?
Over the past decade, and perhaps never more so than during the current Administration, information and communication technologies have presented seemingly endless threats and opportunities for the United States. Interconnectivity has driven the reinvention of entire sectors and industries, powering innovation and economic growth. At the same time, cybersecurity—or perhaps more accurately, cyber-insecurity—has gone from a niche IT issue to a boardroom and government priority, an issue of the highest importance for political, economic, military, and intelligence leaders.
The next Administration will have to pull all of its levers of power in cyberspace—international engagement and diplomacy, military doctrine and action, economic policy tools, advanced cybersecurity technology, and law enforcement and intelligence gathering—to ensure the security and prosperity of the United States.
Cyber issues overlap with U.S. foreign policy across a perhaps surprisingly broad range, falling into seven main families of issues. Three are aligned largely with somewhat traditional national or homeland security concerns: capacity development, international security, and terrorist use of the Internet. Three others are rooted in human rights, technology, or the economy: Internet governance, Internet freedom, and Internet and other information and communication technologies (ICTs) for economic growth. A final category, what the State Department calls “21st Century Statecraft,” involves using ICTs to help advance diplomacy in an increasingly connected world.
Capacity development. ICTs cover a wide range of technologies, from the networks that make up the global Internet, home computers, and mobile phones to the cars, power grids, and manufacturing systems that we are increasingly connecting to the Internet. All of these systems are vulnerable here in the United States, and even more so in less developed countries.
The United States has a longstanding series of projects to promote cybersecurity best practices, encouraging other nations to set up computer emergency response teams, to better protect networks and critical infrastructure, and to improve local law enforcement to deal with transnational cybercrimes. For example, the United States has been working with Singapore to develop confidence-building measures for cyberspace, helping to extend the reach of U.S. policy interests in the Asia-Pacific region. The United States has also been active in encouraging nations to sign on to the main cybercrime treaty—the Budapest Convention, which now has nearly 50 nations involved—so that digital criminals are less able to hide behind physical borders. Much of this bread-and-butter work is done bilaterally, but the State Department has been increasingly active with regional and international organizations, such as the Asia-Pacific Economic Cooperation forum and the Organization of American States.
International security. Mutual survival and the promotion of national interests have been the objectives of all international diplomatic maneuvering for centuries. In May 2015, Secretary of State John Kerry announced a set of norms that the United States would adhere to, such as not attacking another nation’s critical infrastructure in peacetime. Several of these have been accepted by a UN Group of Governmental Experts. One of the norms—that nations would not “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial gain”—surprisingly found agreement between President Obama and President Xi Jinping of China, which is notorious for such commercial cyber spying. Xi made similar agreements with Germany and the United Kingdom, and the G-20 followed shortly afterwards.
Projects for international security in cyberspace also include transparency and confidence-building measures such as emergency hotlines and the exchange of cyber-related strategies and doctrines, work with traditional military allies such as NATO, and recognition of how the UN Charter and Geneva Convention apply to cyber conflict.
Terrorist use of the Internet. After the Edward Snowden revelations, many U.S. technology companies understandably have been pulling back from cooperation with U.S. law enforcement and encrypting as much as technically possible. Unfortunately, this trend has run directly into governments wanting a strong ability to monitor terrorist and criminal communications, especially after the Paris and San Bernardino terrorist attacks, and this has played out as an important issue for U.S. diplomats. The United States has sought to lead the effort in finding the balance between the requirements of security and privacy, with President Obama meeting several times with technology executives. However, it might easily be France, voracious in its appetite for intelligence and happy to issue emergency orders to technology firms, that will dictate the global response. To ensure a resilient future Internet, U.S. diplomacy will have to walk a fine line between these competing demands.
Internet governance. One of the hottest foreign-policy topics in technology is the balance between states and nonstate actors in the governance of the Internet, in particular the Internet Corporation for Assigned Names and Numbers (ICANN). This organization, which is responsible for the management of domain names, Internet protocol addresses, and related functions we depend on to make the Internet work, has been a hotbed of tensions over Internet governance. The main rift in these debates is between the state-led model promoted by countries such as Russia and China, and the private-sector, multi-stakeholder model pushed for by the United States and other Western countries. In March 2014, the U.S. government announced its intent to further empower ICANN by transitioning key Internet domain name functions to the global multi-stakeholder community. This transition—covering issues from how .com is run or who gets the right to own .wine or .vin—to a community of nations, technologists, and civil society organizations is the most critically important moment for the Internet since it was first spun out of the U.S. Department of Defense.
A successful reform will ensure a more global propagation of the U.S. vision of the Internet as interoperable and open, with relatively thin government control, compared to the vision of Russia or China, in which the Internet has been designed to prioritize not freedom of speech but government control and censorship. At stake is the economic interdependence promoted by a single, global Internet.
Internet freedom. This relates directly to another stated priority of U.S. diplomacy: the continuation of an “open and secure Internet,” where people are able to interconnect freely within nations and across borders, per the Universal Declaration of Human Rights. Yet a great many nations (among them Russia, China, Egypt, Saudi Arabia, Pakistan, and Malaysia) see the issue differently. And while the U.S. position was undercut by the Snowden disclosures—appearing to show the United States pushing for freedom of speech only if it could be heavily monitored by the National Security Agency—there is actually significant overlap between the positions of the United States and the European Union, Japan, and other developed economies. American diplomats will have to work with counterparts from such like-minded governments to maintain and expand an Internet supportive of free expression and commerce.
ICTs for economic growth. A recent Atlantic Council study that we helped author modeled that, if an independent Internet continues to grow unimpeded, it would contribute $180 trillion to global GDP between 2015 and 2030, a staggering boost to national economies. If cybersecurity problems become significantly worse—what we call a “Clockwork Orange Internet” (a scenario discussed in the report)—then the result might be a loss to global GDP of $90 trillion. With such numbers in mind, it is no surprise that the United States has made it a priority to support ICT growth for economies. Most recently, this has centered on development of trans-Atlantic digital markets through the proposed Transatlantic Trade and Investment Partnership, as both sides of the Atlantic could boost growth and innovation from stronger e-commerce, easier trans-Atlantic data flows, and improved digital services. Unfortunately, such trans-Atlantic digital trade flows have been at risk since the Court of Justice of the European Union in October 2015 invalidated the “Safe Harbor” agreement, which declared that each side had roughly equivalent privacy provisions. U.S. and EU diplomats are continuing to work on a solution.
Twenty-first-century statecraft. Finally, there is the issue of how the United States uses ICT to advance its diplomatic goals—or, more specifically, how the U.S. State Department uses cyberspace technologies to revitalize the very practice of diplomacy. Such work has ranged from the obvious—ambassadors, embassies, and State officials communicating with the public on Twitter and Facebook—to the less heralded and more intense work of using new technologies to engage with other peoples or counter the messages of violent extremists.
In light of these issues, which relationships—or rivalries—should the United States pay special attention to in the immediate future? Four governments come to mind: the European Union, China, Russia, and Iran.
European protectionism and double standards on surveillance, along with continuing intrusive U.S. surveillance practices, will likely complicate the U.S.-EU relationship for years to come. However, relations with the EU have improved in the years since the Snowden revelations, thanks to the reinforcement of mutual values of Internet freedom and mutual concerns, not least the need to defeat terrorism. The United States and EU have similar interests in several areas discussed above, especially Internet freedom, capacity development, and Internet governance. Looking ahead, these should be pursued to reinforce mutual interests and pave the way for dealing with more contentious issues.
With China, the relationship is in a more precarious state, especially as Beijing and Washington butt heads over Taiwan and sovereignty disputes in the South China Sea. But in one critical area, the relationship has become more stable since early 2015, as China has nominally agreed to U.S. restrictions on commercial espionage, which costs the United States hundreds of billions of dollars annually, in addition to posing a national security risk from stolen military designs. The threat of financial sanctions appears to have been very effective at pressuring the Chinese toward agreement, and Xi’s commitment, even if not fully realized, should leave U.S. diplomacy far stronger than before. In the unlikely event that Xi actually fully implements the deal, a global scourge (and a huge source of U.S.-Sino tension) will be removed. If Xi partially implements it, even a small reduction of Chinese espionage (say, 10 percent) would still probably be the single most effective U.S. countermeasure against the problem—and at little or no cost to the United States. And, in the event that Xi largely ignores the agreement, the President and secretary of state can then show how little Xi’s personal and public commitment means, greatly strengthening the U.S. diplomatic hand with the G-20 and China’s erstwhile partners.
Meanwhile, the cyber relationship with Russia has gone in the opposite direction from that of China. There has been some cooperation, such as in the UN Group of Governmental Experts, where American and Russian cyber diplomats (along with the Chinese and others) have agreed on important new norms for cyber conflict. But overall, Russian behavior online (as in the real world) has become far more aggressive, with extensive intrusions into the White House, Joint Chiefs of Staff, and Department of State. When discovered, the Russians have not carefully backed off to plan their next move, but fought tooth and nail to keep their access. The Russian government also seems to be behind some of the more dangerous campaigns of malicious software—BlackEnergy and Havex—which have gained access to Western energy targets and are suspected of taking down parts of the Ukrainian electricity grid.
Looking ahead, the United States and NATO should not be surprised if Russia chooses to use cyber means against the West, using intrusions or denial-of-service attacks in the same way it has used provocative Russian bomber flights or submarine intrusions into territorial waters: as a way to look threatening, to bully the West into backing down. More dangerously, President Putin may decide to use his advanced cyber capabilities for a just-deniable-enough major attack, perhaps on the Western financial firms implementing sanctions or against Western energy companies, as a complement to his other efforts to use Russian energy reserves as a potent political weapon.
Finally, there is Iran, long viewed as a third-tier cyber power—as a country using cyber means to control the population and suppress dissent. That perception has changed with the reported increase of investment in capabilities and manpower for cyber operations, as well as the rise in the number of reported campaigns originating in Iran, most notably against U.S. banks and Middle Eastern energy companies. More recently, after Iran’s nuclear deal with the West, its cyber operations have evolved from attacks as a means to retaliate for sanctions into espionage to further Tehran’s economic and foreign-policy objectives.
Looking ahead, the best predictor of disruptive Iranian attacks will be the progress implementing the nuclear deal. If Iran balks at future provisions—or if the West delays in withdrawing sanctions—then Iranian attacks are likely to switch from espionage back to the disruption of commercial entities and critical infrastructure.
The single most important item on the agenda of the incoming President should be to decide the larger American interest in cyberspace. Previous administrations have attempted, usually with only some success, to navigate all of the above issues with separate strategies or policies, rarely specifically prioritizing one over others. This has meant it has been difficult to decide among competing national priorities. For example, which is more important for the United States: the pursuit of extensive online espionage and law-enforcement access to cryptographic keys to defeat terrorists, or the securing of U.S. companies’ digital advantage and U.S. digital growth and innovation? The last two Presidents essentially wanted to balance the two without choosing a priority, and what resulted was a bit of policy chaos. The new President must decide: Does success mean a safe and secure Internet for U.S. commerce, with strong U.S. cyber companies, or seizing digital hilltops to dominate cyberspace to keep Americans safe from enemies?
This decision will drive priorities across all the issue sets discussed above. If the President prefers the first path, that of economic and soft power, then the Administration will reinforce Internet freedom and governance, innovation and a digitally enabled economy, capacity development, and generally improved diplomatic relations, especially with other developed nations. If the President prioritizes keeping Americans safe, that likely means stronger Internet sovereign borders, with nation-states the leading force in governance. Terrorists would have fewer places to hide, but the global Internet would look more like it does in China or Russia, with tight government control over content and use.
Of course, the President will not have to make an all-or-nothing decision. Even with an overall policy to prioritize cyber defense, innovation, and the economy (all relatively “soft power” approaches), there must be exceptions. Vladimir Putin’s Russia may be emboldened, mistaking others’ restraint as weakness, so it may need to be met with relatively hard cyber force. With the European Union, China, and, for now, Iran, the new Administration might find that restraint leads to better national security outcomes.