The Foreign Service Journal, June 2018

28 JUNE 2018 | THE FOREIGN SERVICE JOURNAL botnet targeted U.S. financial institutions. This collective action, where each country used its authorities and tools to help address a shared threat, proved very effective in mitigating the malicious activity. Longer-term, high-level diplomatic pressure played a key role in addressing widespread trade secret and intellectual property theft by China. We worked with other countries that were victim- ized while also leading a sustained campaign of direct diplomatic engagement with Beijing. This diplomatic campaign, coupled with potential use of other instruments of national power, led to the negotiation of a landmark agreement with China that made clear that no country should use cyber means to steal the intellec- tual property of another to benefit its own commercial sector. The State Department also has a vital role in facilitating law enforcement and technical cooperation. Part of this facilitation is incident-specific, while part involves working with countries to enhance their capabilities and laws so that they can better work to combat international threats. Capacity building also is important in both enabling better cooperation and persuading other countries that our vision of cyberspace benefits and should be endorsed by them. For this rea- son, the Office of the Coordinator for Cyber Issues worked to create ambitious, cost-effective, capacity-building initiatives. These initia- tives helped developing countries to enhance cybercrime-fighting capacity, create national cyber strategies and create institutional and other mechanisms to protect against cyberthreats. Given the global nature of cyberthreats, helping developing countries protect their own networks also increased the security of our networks. We also worked with countries as they developed their cybersecurity policies to ensure that they properly accounted for human rights and economic access concerns. Advancing Strategic Policy and Building a Consensus for Global Cyber Stability. U.S. cyber diplomacy promotes and protects our core values of openness, internet freedom and multi- stakeholder internet governance—all of which have been threat- ened over the last several years. The United States is a founding member of the FreedomOnline Coalition and has raised internet freedom and internet governance issues in virtually every diplo- matic engagement. Diplomacy must also be used to push back on flawed regulatory regimes or policies that serve to fragment the inter- net, undermining its social and economic potential. We have used diplomatic channels to challenge forced data localization regimes, ill-conceived cyber regulatory approaches and market access restrictions. Diplomacy also plays a vital role in ensuring the long-term stability of cyberspace itself in the face of increas- ing threats from nation-states and others, so that everyone can enjoy the benefits of cyberspace and no state has an incentive to engage in disruptive behavior. As countries around the globe are developing, and in some cases using, offensive and other cyber capabilities, the lack of any clear consensus on acceptable state behavior in cyberspace poses substantial risks. To address this, the United States has led the development and promotion of a strategic framework of cyber stability that includes: (1) global affirmation of the applicability of international law to state activity in cyberspace; (2) the development of voluntary, nonbinding peacetime norms of acceptable state behavior; and (3) the development and use of practical confidence-building measures (CBMs) that serve to reduce the risk of misperception and escalation in cyber- space. The United States has had great success in promoting and achieving acceptance of this framework in forums around the world, including in the United Nations Group of Governmental Experts (UN GGE) on international cyber security (a series of expert forums), the North Atlantic Treaty Organization and the Organization for Security and Cooperation in Europe. In 2013 several countries, including the United States, China and Russia, reached a landmark consensus that inter- national law, including the U.N. Charter, applies in cyber- space. This means that cyberspace is not a “free fire” zone where no rules apply; rather, it is grounded in the same rules as the physical world. In 2015 the UN GGE recommended non-binding, voluntary norms of responsible state behavior. Under these peacetime norms, no state should attack the critical infrastructure of another state or its computer security incident response teams. States should also cooperate with requests for assistance in certain cyberattacks. The United States and China reached agreement on a theft-of-trade-secret norm that was later adopted by the G-20 and by other country bilateral agreements with China. The United States also made substantial progress within the OSCE in taking forward and implementing cyber CBMs. Longer-term, high-level diplomatic pressure played a key role in addressing widespread trade secret and intellectual property theft by China.