The Foreign Service Journal, June 2021

sary decision-making through the imposition of costs and deterrence strategies; … [and] promote the building of foreign capacity to protect the global network with the goal of enabling like-minded participation in deterrence frameworks.”

While applicable to the physical domains of conflict and to imposing proportional costs for potential cyberattacks that cause death and destruction, deterrence as a strategic approach has not stemmed the onslaught of cyber aggression below the level of armed conflict. Adversaries continue to design their intrusions and disruptions around the “redlines” that we define only after we have endured earlier incidents. Such redlines are notoriously difficult to define in cyberspace, and relying on them leaves us one step behind and always reacting while opponents set the timing, tempo and terms of competition.

This does not mean we should not respond to costly cyber incursions into our society and economy. Rather, it suggests that partnership for developing “response options” must be pursued in tandem with collective efforts that thwart cyberspace aggression before it harms our nations.

Being proactive does not mean being aggressive. Inaction, however, is unwise and even provocative, for it cedes the initiative to those who wish us ill. What is destabilizing is restraint in the face of continuous probes and intrusions that might be individually trivial, but cumulatively are shifting the global distribution of power and influence, creating new norms antithetical to our interests. Cyber diplomacy should mobilize partners not only for response, but to preclude and contest adversary cyber misbehavior before it breaches U.S., allied and partner networks.

Change Conditions, Not Adversary Motivations

Entwined with the deterrence mindset is the belief that we can quash the adversary’s interest in cyber aggression by imposing costs through consequences for misbehavior. Such costs typically involve sanctions, indictments and naming and shaming or “attribution diplomacy.” Yet response per se does not deter; only responses that outweigh benefits can change a motivated actor.

Cyberspace is replete with vulnerabilities that adversaries can exploit for strategic gain without ever crossing a threshold that calls for a self-defense response under international law. Sanctions and indictments for bad behavior are useful, of course, because they constrain an adversary’s freedom of maneuver. Nonetheless, by themselves such responses do not deter.

Cyber diplomacy, thus, will be more effective if it aims at changing the conditions for exploitation rather than trying to change adversary motivations. That means focusing less on imposing costs and more on working with partners to preclude opportunities for exploitation before they occur.

This is an area where diplomacy and development can complement ongoing initiatives in other departments. One example is the Department of Defense’s Defend Forward strategy with its operational approach of persistent engagement. DOD recently pivoted away from restraint and response to action during day-to-day competition in order to disrupt or halt malicious cyber activity close to its source. The Cyberspace Solarium Commission applauded this step, urging its application across the federal government.

A key element of persistent engagement is partnering with other countries to discover adversary activity on their networks and neutralize the tools that adversaries use to harm our partners. By going where adversaries are operating, cyber teams can “hunt forward” to discover intrusions, alert foreign partners, help secure their networks and share information with the global cybersecurity industry to develop mitigations.

The more anticipatory we can get, the more we can inoculate our systems and thwart adversary aggression before it compromises U.S., allied and partner networks. The State Department can build partnerships with other countries and help set the conditions for persistent engagement and hunt-forward operations. Diplomatic priorities must lean more toward building coalitions that can expose, contest and defend against adversary cyberspace campaigns.

Construct Norms Through Action

Congressional leaders have called on the executive branch to establish cyber norms—what is acceptable and unacceptable in cyberspace. But policymakers must accept that we are currently in a phase of “norm construction” in that realm, and the United States is not in a dominant position to establish norms through
