Fresh thinking and new approaches are needed on diplomacy’s newest frontier.
BY EMILY O. GOLDMAN
Cyber diplomacy is the use of diplomatic tools to address issues arising in and through cyberspace. Those issues span a range of security, economic and human rights topics including international cybersecurity standards, internet access, privacy, internet freedom, intellectual property, cybercrime, state-sponsored cyber conflict and competition, the ethical use of digital technologies and trade.
Cyberspace now undergirds the prosperity, security and future of America and its allies in ways impossible to fathom only a few years ago. It is central to the ability to transport commodities and information, to generate and store wealth, and to coordinate and carry out functions essential to the order and operations of modern economies, societies and governments. This is why cyberspace—and the broader digital environment—has become a major arena for strategic competition.
For this reason, new thinking on cyber diplomacy is necessary. The diplomatic focus on cooperation among like-minded states to reduce the risk of conflict and to respond collectively after the fact is valuable; but it misses where the strategically consequential cyber action has been occurring for the past decade—in the competitive arena outside of armed conflict.
The time has come to up the diplomatic game for cyber competition. But that cannot occur unless and until core assumptions about the evolution of norms and the applicability of a strategy of deterrence to competition in cyberspace are set aside.
Over the past decade, adversaries have been bypassing territorial boundaries by operating in and through cyberspace to gain strategic advantage against America and its allies without risking armed conflict. Sophisticated campaigns of disinformation and propaganda undermine trust and confidence in economic institutions and create doubts about the authority, competency and integrity of democratic processes. Exploiting cyber vulnerabilities enables theft of wealth, intellectual property and personal information. Emplacing malware into critical infrastructure demonstrates our vulnerabilities and holds us at-risk for potential future coercive actions. Penetrating defense networks distracts and impairs U.S. governmental and military operations, requiring time and resources to respond and recover.
The competition is not just about power, however; it is also about values. Cyberspace has emerged as a major arena of conflict between liberal and illiberal forces across the globe. The internet arose in America under mixed public-private governance and grew alongside an ideology of personal freedom. For this very reason, autocratic regimes feared that digital-age capabilities would empower civil society and undermine their hold on power. The Arab Spring confirmed these fears and demonstrated the existential threat posed by information freedom. Those regimes responded by proliferating tools, ideas and technologies to undermine the values and rules-based international order that democratic countries have sought to establish.
Regimes in China and Russia oppose an open internet and protections against state interference with individual liberties. Secretary of State Hillary Rodham Clinton warned a decade ago that they are creating censored networks that erode civil society and imposing authoritarian rules of information exchange and exploitation. Beijing is determined to bring technology ecosystems in line with the Chinese Communist Party’s authoritarian values, shaping mandates and agendas in standards bodies and international organizations; employing economic tactics that undermine competitors to their technology companies; and redefining cybersecurity as protection from unwelcome news and views. Meanwhile, both Russia and China exploit open networks and platforms to erode democratic institutions in the West.
Over the past decade, adversaries have been bypassing territorial boundaries by operating in and through cyberspace to gain strategic advantage.
These challenges will only grow as emerging digital technologies—sensors, information and communication technologies, artificial intelligence tools and quantum tools—become new focal points for strategic competition. That competition pits against each other two models of world order (democracy and authoritarianism) and two competing visions of the digital space (information freedom and information control). Competition to shape the strategic environment and gain relative advantage is continuous, persistent and dynamic. It is calibrated to remain below the level of armed conflict.
U.S. cyber diplomacy needs the organizational structure, resources and mindset to ensure the diplomatic tools of national power are fully leveraged for strategic cyber competition.
There has been much discussion about the State Department’s organizational and resource gaps in addressing cyber issues. Congress recently reintroduced the Cyber Diplomacy Act, originally passed in 2019, calling on the State Department to establish a cyber bureau led by an ambassador with the rank and status of an assistant secretary of State. A similar recommendation was made last year by the bipartisan Cyberspace Solarium Commission. The global interconnected domain of cyberspace, according to the commission’s final report, requires an integrated, whole-of-nation approach, assisted by the State Department’s focusing on cyber issues in a single bureau.
Cyber issues will continue to pervade the interests of every State Department bureau, of course; but the distinctive technological, economic, legal and military features of cyberspace demand dedicated expertise and resources over and above the efforts currently underway in State offices. A strongly integrated organization can serve as a focal point for cyber issues at the department and a resource for all the bureaus as particular matters arise.
New form without new substance is not enough, however. What stands out most in recent legislation (as well as in the commission’s recommendations) is an emphasis on approaches that have not garnered success. Indeed, we should be concerned about a dearth of new thinking on critical issues that the new cyber bureau will address.
For example, the State Department has long led U.S. outreach to promote an open, interoperable, secure and reliable information and communications infrastructure. State has worked in international fora for decades to build consensus around a framework of responsible state behavior in cyberspace, principally through the voluntary, nonbinding norms recommended by the United Nations Group of Governmental Experts (GGE).
State has developed and advocated a “cyber deterrence initiative” to promote collective attribution of cyberattacks and collaboration among a like-minded coalition of governments to impose swift, costly and appropriate consequences for misbehavior by bad actors. Unfortunately, well-intentioned efforts to respond to significant incidents and to “establish” norms by outlining broad, voluntary rules (with no enforcement attached to them) have stalled. Collective attribution and post facto cost imposition, chiefly through sanctions and indictments, have not deterred state-sponsored actors from harming their neighbors and rivals in and through cyberspace. A renewed commitment to the same approaches will not produce different outcomes.
The current environment of strategic competition need not alter America’s vision for cyberspace (i.e., a global, open, interoperable arena for discourse and trade that supports democratic values and protects privacy). Yet the global competition nevertheless demands we change our approach to achieve that vision.
A diplomatic strategy for the future must adopt a competitive mindset because the vision of a free, open and resilient cyberspace now faces a rival (and well-resourced) techno-authoritarianism. Dictators are defending their virtual borders by reaching into the societies of their rivals to intimidate opposition and weaken democratic institutions with diplomacy, development programs, and military and intelligence operations.
The more anticipatory we can get, the more we can inoculate our systems and thwart adversary aggression before it compromises U.S., allied and partner networks.
The United States must leverage diplomacy more effectively to compete and set favorable conditions for security in cyberspace, transforming what has been a permissive environment for our adversaries into one in which the U.S. is actively and persistently competing on behalf of that vision of a global and open cyberspace.
Cyber diplomacy must reinvent itself to gain the initiative. This requires: (1) an active, rather than a reactive, mindset; (2) a focus on setting security conditions rather than changing adversary motivations; and (3) on-the-ground efforts with partners to construct norms by persistently contesting adversary cyber campaigns of disinformation, sabotage, propaganda, political interference and theft.
The focus on deterrence and response is deeply ingrained in national security thinking. It is telling that the Cyber Diplomacy Act in its current iteration calls on the State Department to “lead United States Government efforts to establish a global deterrence framework for malicious cyber activity; … to develop and execute adversary-specific strategies to influence adversary decision-making through the imposition of costs and deterrence strategies; … [and] promote the building of foreign capacity to protect the global network with the goal of enabling like-minded participation in deterrence frameworks.”
While applicable to the physical domains of conflict and to imposing proportional costs for potential cyberattacks that cause death and destruction, deterrence as a strategic approach has not stemmed the onslaught of cyber aggression below the level of armed conflict. Adversaries continue to design their intrusions and disruptions around the “redlines” that we define only after we have endured earlier incidents. Such redlines are notoriously difficult to define in cyberspace, and relying on them leaves us one step behind and always reacting while opponents set the timing, tempo and terms of competition.
This does not mean we should not respond to costly cyber incursions into our society and economy. Rather, it suggests that partnership for developing “response options” must be pursued in tandem with collective efforts that thwart cyberspace aggression before it harms our nations. Being proactive does not mean being aggressive. Inaction, however, is unwise and even provocative, for it cedes the initiative to those who wish us ill.
What is destabilizing is restraint in the face of continuous probes and intrusions that might be individually trivial, but cumulatively are shifting the global distribution of power and influence, creating new norms antithetical to our interests. Cyber diplomacy should mobilize partners not only for response, but to preclude and contest adversary cyber misbehavior before it breaches U.S., allied and partner networks.
Entwined with the deterrence mindset is the belief that we can quash the adversary’s interest in cyber aggression by imposing costs through consequences for misbehavior. Such costs typically involve sanctions, indictments and naming and shaming or “attribution diplomacy.” Yet response per se does not deter; only responses that outweigh benefits can change a motivated actor.
Cyberspace is replete with vulnerabilities that adversaries can exploit for strategic gain without ever crossing a threshold that calls for a self-defense response under international law. Sanctions and indictments for bad behavior are useful, of course, because they constrain an adversary’s freedom of maneuver. Nonetheless, by themselves such responses do not deter. Cyber diplomacy, thus, will be more effective if it aims at changing the conditions for exploitation rather than trying to change adversary motivations. That means focusing less on imposing costs and more on working with partners to preclude opportunities for exploitation before they occur.
Cyberspace has emerged as a major arena of conflict between liberal and illiberal forces across the globe.
This is an area where diplomacy and development can complement ongoing initiatives in other departments. One example is the Department of Defense’s Defend Forward strategy with its operational approach of persistent engagement. DOD recently pivoted away from restraint and response to action during day-to-day competition in order to disrupt or halt malicious cyber activity close to its source. The Cyberspace Solarium Commission applauded this step, urging its application across the federal government.
A key element of persistent engagement is partnering with other countries to discover adversary activity on their networks and neutralize the tools that adversaries use to harm our partners. By going where adversaries are operating, cyber teams can “hunt forward” to discover intrusions, alert foreign partners, help secure their networks and share information with the global cybersecurity industry to develop mitigations.
The more anticipatory we can get, the more we can inoculate our systems and thwart adversary aggression before it compromises U.S., allied and partner networks. The State Department can build partnerships with other countries and help set the conditions for persistent engagement and hunt-forward operations. Diplomatic priorities must lean more toward building coalitions that can expose, contest and defend against adversary cyberspace campaigns.
Congressional leaders have called on the executive branch to establish cyber norms—what is acceptable and unacceptable in cyberspace. But policymakers must accept that we are currently in a phase of “norm construction” in that realm, and the United States is not in a dominant position to establish norms through political discussions alone. Moreover, U.N. GGE reports offer voluntary and nonbinding recommendations. Although the U.S. can try to enforce them unilaterally, they are not subject to U.N. sanctions unless nonadherence violates international law.
Meanwhile, multilateral bargaining at the United Nations to establish norms has stalled, and arguably backtracked, with China working to promote “cyber sovereignty” as the organizing principle of cyber governance and Russia organizing an alternative norms-establishing forum to the U.N. GGE process, the so-called U.N. Open-Ended Working Group.
Why this is happening is not difficult to discern. Much of the behavior that we consider unacceptable is producing benefits for its sponsors that far outweigh the costs they incur. Norms emerge through practice, and they mature through political and legal discourse. To achieve a convergence of expectations around the behaviors we deem advantageous, we must engage in this norm-construction competition. This requires explicitly linking the promotion of norms of responsible behavior with cyberspace diplomacy and operations that expose and contest behavior inconsistent with such norms.
Forging a coalition of partners for agile collaboration and continuous pressure against authoritarian adversaries has the best chance of producing a convergence of expectations on acceptable behavior. Only then can we define a framework of responsible state behavior and consequences for irresponsible acts.
The State Department and the Foreign Service should watch the developing debates over cyberspace policy, strategy and norms with a few thoughts in mind:
• The cyberspace strategic environment is one characterized by strategic competition; its norms are contested. That’s why cyberspace has evolved away from the laudable vision of an open, worldwide internet that promotes global civil society.
• Competition is occurring along ideological fault lines between liberal democracies and techno-authoritarian regimes that do not share that earlier vision.
• Cyberspace operations have become a standard tool of diplomacy and competition, with continuous campaigns of nonviolent operations in and through cyberspace calculated to avoid provoking armed responses.
• What works to deter catastrophic cyberattacks will not dissuade adversaries from routinely operating in and through cyberspace for strategic gain.
• Adversaries are adaptive at exploiting the seams in our laws and institutions, and in international law, achieving strategic gains without the risks of war.
• We should expect states and even nonstates to continue experimenting in cyberspace, whether we respond or not.
• We need not be passive; we have demonstrated that we can preclude and disrupt state-sponsored cyber intrusions and interference without escalating to armed conflict.
• Relying on redlines and responding to incidents after the fact have not stemmed malicious cyberspace activity, and there is no reason to believe such measures will suddenly dissuade authoritarian sponsors of cyberattacks.
• In cyberspace the rewards for misbehavior are cumulative. Thus, it is insufficient to concentrate on stopping individual incidents or deterring catastrophic attacks that produce “significant” consequences.
We need to operate at the speed and scale commensurate with the cyberspace challenges we face. This requires a coordinated and sustained focus of energy and resources—across the U.S. government and with allies and partners—to achieve unity of effort and a whole-of-nation-plus (with allies) approach.