32 ! " # $ % & ' ( ! ! ( % # )
The End of Cyber-Anarchy?How to Build a New Digital Order
Joseph S. Nye, Jr.
Ransomware attacks, election interference, corporate espio-nage, threats to the electric grid: based on the drumbeat o* current headlines, there seems to be little hope o+ bringing a measure o* order to the anarchy o* cyberspace. The relentless bad news stories paint a picture o* an ungoverned online world that is grow-ing more dangerous by the day—with grim implications not just for cyber-space itsel+ but also for economies, geopolitics, democratic societies, and basic questions o* war and peace.
Given this distressing reality, any suggestion that it is possible to craft rules o* the road in cyberspace tends to be met with skepticism: core attributes o* cyberspace, the thinking goes, make it all but impossible to enforce any norms or even to know whether they are being violated in the ,rst place. States that declare their support for cybernorms simultaneously conduct large-scale cyber-operations against their adversaries. In December 2015, for example, the -' General Assembly for
JOSEPH S. NYE, JR., is University Distin-guished Service Professor Emeritus at and former Dean of the Harvard Kennedy School. He is the author of Do Morals Matter? Presidents and Foreign Policy From FDR to Trump.
the ,rst time endorsed a set o* 11 volun-tary, nonbinding international cyber-norms. Russia had helped craft these norms and later signed o. on their publication. That same month, it conducted a cyberattack against Ukraine’s power grid, leaving roughly 225,000 people without electricity for several hours, and was also ramping up its e.orts to interfere in the 2016 U.S. presidential election. For skeptics, this served as yet further evidence that establishing norms for responsible state behavior in cyberspace is a pipe dream.
Yet that skepticism reveals a misun-derstanding about how norms work and are strengthened over time. Violations, i* not addressed, can weaken norms, but they do not render them irrelevant. Norms create expectations about behavior that make it possible to hold other states accountable. Norms also help legitimize o/cial actions and help states recruit allies when they decide to respond to a violation. And norms don’t appear suddenly or start working overnight. History shows that societies take time to learn how to respond to major disruptive technological changes and to put in place rules that make the world safer from new dangers. It took two decades after the United States dropped nuclear bombs on Japan for countries to reach agreement on the Limited Test Ban Treaty and the Nuclear Nonproliferation Treaty.
Although cybertechnology presents unique challenges, international norms to govern its use appear to be developing in the usual way: slowly but steadily, over the course o* decades. As they take hold, such norms will be increasingly critical to reducing the risk that cybertechnology advances could pose to the international
DIG
ITA
L D
ISO
RD
ER
Joseph S. Nye, Jr.
34 ! " # $ % & ' ( ! ! ( % # )
In the realm o* global military con0ict, computer networks have become a ,fth domain, in addition to the traditional four o+ land, sea, air, and space, and the U.S. military recognized this with the creation o* U.S. Cyber Command in 2010. Among the special characteristics o* the new cyber-domain are the erosion o* distance (oceans no longer provide protection), the speed o* interaction (much faster than rockets in space), the low cost (which reduces barriers to entry), and the di/culty o* attribution (which promotes deniability and slows responses). Still, skeptics sometimes describe cyberattacks as more o* a nuisance than a major strate-gic problem. They argue that the cyber-domain is ideal for espionage and other forms o* covert action and disrup-tion but that it remains far less impor-tant than the traditional domains o* warfare; no one has died because o* a cyberattack. That, however, is becoming an increasingly di/cult position to take. The 2017 WannaCry ransomware attack damaged the British National Health Service by leaving computers encrypted and unusable, forcing thousands o* patients’ appointments to be canceled, and hospitals and vaccine producers have been directly targeted by ransom-ware attacks and hackers during the 1"2%3-19 pandemic.
What’s more, there remains much that even experts do not understand about how the use o* cybertools could escalate to physical con0ict. Consider, for example, the fact that the U.S. military depends heavily on civilian infrastructure and that cyber-penetrations could seriously degrade U.S. defen-sive capabilities in a crisis situation. And in economic terms, the scale and
order, especially i+ Washington and its allies and partners reinforce those norms with other methods o* deterrence. Although some analysts argue that deterrence does not work in cyberspace, that conclusion is simplistic: it works in di.erent ways than in the nuclear domain. And alternative strategies have proved equally or more de,cient. As targets continue to proliferate, the United States must pursue a strategy that combines deterrence and diplomacy to strengthen the guardrails in this new and dangerous world. The record o* establishing norms in other areas o.ers a useful place to start—and should dispel the notion that this issue and this time are di.erent.
A NEW FACT OF LIFE !AND WAR"As cyberattacks become more costly, U.S. strategy to defend against them remains inadequate. A good strategy has to begin at home but simultaneously recognize the inseparability o* cyber-space’s domestic and international aspects—the domain o* cyberspace is inherently transnational. Furthermore, cybersecurity involves a blurring o* public and private vulnerabilities. The Internet is a network o* networks, most o* which are privately owned. Unlike nuclear or conventional weapons, the government does not control them. Accordingly, companies make their own tradeo.s between investing in security and maximizing short-term pro,t. Yet inadequate corporate defense can have huge external costs for national secu-rity: witness the recent Russian cyber-attack on SolarWinds software, which allowed access to computers across the U.S. government and the private sector. And unlike with military security, the Pentagon plays only a partial role.
The End of Cyber-Anarchy?
Ja n u a r y / Fe b r u a r y 2 0 2 2 35
cyberattacks with weapons o* its choice and with force proportional to the harm in0icted on its interests. Despite a decade o* warnings, thus far, a “cyber–Pearl Harbor” has not happened. Whether the United States treats a cyberattack as an armed attack depends on its consequences, but this makes it di/cult to deter actions that are more ambiguous. Russia’s disruption o* the 2016 U.S. presidential election fell into such a gray area. And although some recent Chinese and Russian cyberattacks appear to have been conducted primarily for the purposes o* espionage, the Biden administration has complained that their scale and duration moved them beyond normal spying. This is why deterrence in cyberspace requires not just the threat o* punishment but also denial by defense (building systems resilient enough and hard enough to break into that would-be attackers won’t bother to try) and entanglement (creating links to potential adversaries so that any attack they launch will likely harm their own interests, too). Each o* these approaches has limits when used on its own. En-tanglement has more o* an e.ect when used against China, because o* a high degree o* economic interdependence, than it does against North Korea, with whom there is none. Denial by defense is e.ective in deterring nonstate actors and second-tier states but less likely to prevent attacks by more powerful and pro,cient actors. But the combination o* a threat o* punishment and an e.ective defense can in0uence these powers’ calculations o* costs and bene,ts.
In addition to improving the defense o* networks inside the United States, in recent years, Washington has adopted doctrines that U.S. Cyber Command
cost o* cyber-incidents have been increasing. According to some estimates, the Russian-sponsored 2017 NotPetya attack on Ukraine, which wiped data from the computers o+ banks, power companies, gas stations, and govern-ment agencies, cost companies more than $10 billion in collateral damage. The number o* targets is also expanding rapidly. With the rise o+ big data, arti,cial intelligence, advanced robotics, and the Internet o+ Things, experts estimate that the number o4 Internet connections will approach a trillion by 2030. The world has experienced cyberattacks since the 1980s, but the attack surface has expanded dramati-cally; it now includes everything from industrial control systems to automo-biles to personal digital assistants.
It is clear that the threat is mounting. Less clear is how U.S. strategy can adapt to face it. Deterrence must be part o* the approach, but cyber-deterrence will look di.erent from the more traditional and familiar forms o* nuclear deterrence that Washington has prac-ticed for decades. A nuclear attack is a singular event, and the goal o* nuclear deterrence is to prevent its occurrence. In contrast, cyberattacks are numerous and constant, and deterring them is more like deterring ordinary crime: the goal is to keep it within limits. Authori-ties deter crime not only by arresting and punishing people but also through the educational e.ect o+ laws and norms, by patrolling neighborhoods, and through community policing. Deterring crime does not require the threat o* a mushroom cloud.
Still, punishment plays a large role in cyber-deterrence. The U.S. government has publicly stated that it will respond to
Joseph S. Nye, Jr.
36 ! " # $ % & ' ( ! ! ( % # )
because whether a line o* code is a weapon or not can depend on the intent o* the user. Instead, the United States agreed that the -' secretary-general should appoint a group o* 15 (later expanded to 25) government experts to develop a set o* rules o* the road; they ,rst met in 2004.
Six such groups have convened since then, and they have issued four reports, creating a broad framework o* norms that was later endorsed by the -' General Assembly. The groups’ work has strengthened the consensus that international law applies to the domain o* cyberspace and is essential for maintaining peace and stability in it. In addition to grappling with complicated questions o* international law, the report that was issued in 2015 intro-duced 11 voluntary, nonbinding norms, the most important ones being a man-date to provide states with assistance when requested and prohibitions against attacking civilian infrastructure, inter-fering with computer emergency response teams, which respond after big cyberattacks, and allowing one’s terri-tory to be used for wrongful acts.
The report was viewed as a break-through, but progress slowed in 2017 when the expert group failed to agree on international legal issues and did not produce a consensus report. At Russia’s suggestion, the -' supplemented the existing process by forming the Open-Ended Working Group, which is open to all states and involves consultations with nongovernmental actors: dozens o* private companies, civil society organiza-tions, academics, and technical experts. Early in 2021, this new group issued a broad, i* somewhat anodyne, report that rea/rmed the 2015 norms, as well as the
has dubbed “defend forward” and “persistent engagement”—simply put, small-scale acts o* cybero.ense, such as the disruption, diversion, or takedown o* a network. Some press accounts credit these practices with reducing Russian interference in the 2018 and 2020 U.S. elections. But entering and disrupting an adversary’s network poses some danger o* escalation and must be carefully managed.
SET TING SOME RULESDespite its defensive and o.ensive capabilities, the United States remains highly vulnerable to cyberattacks and in0uence operations, owing to its free markets and open society. “I think it’s a good idea to at least think about the old saw about [how] people who live in glass houses shouldn’t throw rocks,” remarked James Clapper, then the director o* national intelligence, during 2015 congressional testimony on Washing-ton’s responses to cyberattacks. Clapper was stressing, rightly, that although Americans may be the best at throwing stones, they live in the glassiest o* houses. That reality gives the United States a particular interest in the devel-opment o* norms that reduce incentives to throw stones in cyberspace.
Negotiating cyber-arms-control treaties would be extremely di/cult, because they would not be veri,able. But diplomacy on cyberspace is hardly impossible. In fact, international coop-eration on developing cybernorms has been going on for more than two decades. In 1998, Russia ,rst proposed a -' treaty to ban electronic and infor-mation weapons. The United States rejected the idea, arguing that a treaty in this area would be unveri,able
Joseph S. Nye, Jr.
38 ! " # $ % & ' ( ! ! ( % # )
These e.orts are less 0ashy (and less expensive) than the development o* sophisticated cyberdefense systems, but they will play a crucial role in curbing malign activity online. Many further norms can be imagined and proposed for cyberspace, but the important question now is not whether more norms are needed but how they will be implemented and whether and when they will alter state behavior.
THE NEW PRIVATEERS Norms are not e.ective until they become common state practice, and that can take time. It took many decades for norms against slavery to develop in Europe and the United States in the nineteenth century. The key question is why states ever let norms constrain their behavior. There are at least four main reasons: coordination, prudence, reputational costs, and domestic pres-sures, including public opinion and economic changes.
Common expectations inscribed in laws, norms, and principles help states coordinate their e.orts. For example, although some states (including the United States) have not rati,ed the -' Convention on the Law o* the Sea, all states treat a 12-mile limit as customary international law when it comes to disputes about territorial waters. The bene,ts o* coordination—and the risks posed by its absence—have been evident in cyberspace on the few occasions when targets have been hacked through abuse o* the Internet’s domain name system, which is sometimes called “the telephone book o* the Internet” and is run by the nonpro,t Internet Corpora-tion for Assigned Names and Numbers, or %1(''. By corrupting the phone
relevance o* international law to cyber-space. Last June, the sixth expert group also completed its work and released a report that added important details to the 11 norms ,rst introduced in 2015. China and Russia are still pressing for a treaty, but what is more likely to happen is the gradual evolution o* these norms.
In addition to the -' process, there have been many other forums for discussion about cybernorms, including the Global Commission on the Stability o* Cyberspace. Initiated in 2017 by a Dutch think tank, with strong support from the Dutch government, the &1)1 (o* which I was a member) was co-chaired by Estonia, India, and the United States and included former government o/cials, experts from civil society, and academics from 16 countries. The &1)1 proposed eight norms to address gaps in the existing -' guid-ance. The most important were calls to protect the “public core” infrastructure o* the Internet from attack and to prohibit interference with electoral systems. The &1)1 also called on coun-tries not to use cybertools to interfere with supply chains; not to introduce botnets into others’ machines in order to control them without the host’s knowl-edge; to create transparent processes that states can follow in judging whether to disclose 0aws and vulnerabilities they discover in others’ coding; to encourage states to promptly patch cybersecurity vulnerabilities when discovered and not hoard them for possible use in the future; to improve “cyber hygiene,” including through law and regulations; and to discourage private vigilantism by making it illegal for private businesses to “hack back,” that is, to launch coun-terattacks against hackers.
The End of Cyber-Anarchy?
Ja n u a r y / Fe b r u a r y 2 0 2 2 39
for example, the Biological Weapons Convention, which came into force in 1975. Any country that wishes to de-velop biological weapons has to do so secretly and illegally and faces wide-spread international condemnation i* evidence o* its activities leaks, as the Iraqi leader Saddam Hussein discovered.
It is hard to imagine the emergence o* a similar blanket taboo against the use o* cyberweapons. For one thing, it is di/-cult to determine whether any particular line o* code is a weapon or not. A more likely taboo is one that would prohibit the use o* cyberweapons against particular targets, such as hospitals or health-care systems. Such prohibitions would have the bene,t o* piggybacking on the existing taboo against using conventional weapons on civilians. During the 1"2%3-19 pandemic, public revulsion against ransomware attacks on hospitals has helped reinforce that taboo and suggested how it might apply to other areas in the realm o* cyberspace. Some-thing similar might evolve i+ hackers were to cause an increase in fatal acci-dents from the use o* electric vehicles.
PEER PRESSURESome scholars have argued that norms have a natural life cycle. They often begin with “norm entrepreneurs”: individuals, organizations, social groups, and o/cial commissions that enjoy an outsize in0uence on public opinion. After a certain gestation period, some norms reach a tipping point, when cascades o* acceptance translate into a widespread belie* and leaders ,nd that they would pay a steep price for rejecting it.
Embryonic norms can arise from changing social attitudes, or they can be imported. Take, for example, the spread
book, such attacks put the basic stability o* the Internet at risk. Unless states refrain from interfering with the structure that makes it possible for private networks to connect, there is no Internet. And so, for the most part, states eschew these tactics.
Prudence results from the fear o* creating unintended consequences in unpredictable systems and can develop into a norm o* nonuse or limited use o* certain weapons or a norm o+ limiting targets. Something like this happened with nuclear weapons when the super-powers came close to the brink o* nuclear war in 1962, during the Cuban missile crisis. The Limited Test Ban Treaty followed a year later. A more distant but historical example o+ how prudence produced a norm against using certain tactics is the fate o* privateering. In the eighteenth century, national navies routinely employed private individuals or private ships to augment their power at sea. But in the following century, states turned away from privateers because their extracurricular pillaging became too costly. As governments struggled to control privateers, attitudes changed, and new norms o* prudence and restraint developed. One could imagine something similar occurring in the domain o* cyberspace as governments discover that using proxies and private actors to carry out cyberattacks produces negative economic e.ects and increases the risk o* escalation. A number o* states have outlawed “hacking back.”
Concerns about damage to a coun-try’s reputation and soft power can also produce voluntary restraint. Taboos develop over time and increase the costs o* using or even possessing a weapon that can in0ict massive damage. Take,
Joseph S. Nye, Jr.
40 ! " # $ % & ' ( ! ! ( % # )
a nuisance and begins to cost lives. I* fatalities increase, the Silicon Valley norm o* “build quickly and patch later” may gradually give way to norms and laws about liability that place more emphasis on security.
CYBER#RULES ARE MADE TO BE BROKENEven with international consensus that norms are needed, agreeing where to draw redlines and what to do when they’re crossed is another matter. And the question becomes, even i* authori-tarian states sign up for normative conventions, how likely are they to adhere to them? In 2015, Chinese President Xi Jinping and U.S. President Barack Obama agreed not to use cyber-espionage for commercial advantage, but private security companies reported that China adhered to this pledge for only a year or so before it returned to its old habit o+ hacking U.S. corporate and federal data, although that hap-pened in the context o* worsening economic relations marked by the rise o* tari. wars. Does this mean the agreement failed? Rather than make it a yes or no question, critics argue that the focus (and any ensuing warning against such actions) should be on the amount o* damage done, not the precise lines that were crossed or how the violations were carried out. An analogy is telling the hosts o* a drunken party that i* the noise gets too loud, you will call the police. The objective is not the impos-sible one o* stopping the music but the more practical one o+ lowering the volume to a more tolerable level.
There are other times when the United States will need to draw prin-cipled lines and defend them. It should
o* concern for universal human rights after 1945. Western countries took the lead in promoting the Universal Decla-ration o4 Human Rights in 1948, but many other states felt obliged to sign on because o* public opinion and subse-quently found themselves constrained by external pressure and by concern about their reputations. One might expect such constraints to be stronger in democracies than in authoritarian states. But the Helsinki process, a series o* meetings between the Soviet Union and Western countries in the early 1970s, successfully included human rights in discussions about political and economic issues during the Cold War.
Economic change can also foster a demand for new norms that might promote e/ciency and growth. Norms against privateering and slavery gath-ered support when these practices were economically in decline. A similar dynamic is at work today in the cyber-realm. Companies that ,nd themselves disadvantaged by con0icting national laws relating to privacy and the location o* data might press governments to develop common standards and norms. The cyber-insurance industry may put pressure on authorities to 0esh out standards and norms, especially in regard to the technology embedded in the myriad household devices (thermo-stats, refrigerators, home alarm systems) that are now online: the so-called Internet o+ Things. As more and more devices become connected to the Internet, they will soon become targets for cyberattacks, and the impact on citizens’ daily lives will increase and foster demand for domestic and interna-tional norms. Public concern will only accelerate i+ hacking becomes more than
The End of Cyber-Anarchy?
Ja n u a r y / Fe b r u a r y 2 0 2 2 41
di/cult, but even greater ideological di.erences did not prevent agreements that helped avoid escalation during the Cold War. Prudence can sometimes be more important than ideology.
This seems to have been the ap-proach explored by the Biden adminis-tration at a June summit with Russian President Vladimir Putin in Geneva, where cyberspace played a larger role on the agenda than nuclear weapons. According to press accounts, U.S. President Joe Biden handed Putin a list o* 16 areas o* critical infrastructure, including chemicals, communications, energy, ,nancial services, health care, and information technology, that should be, in Biden’s words, “o. limits to attack, period.” After the summit, Biden disclosed that he had asked Putin how he would feel i4 Russian pipelines were taken out by ransomware. “I pointed out to him that we have signi,cant cyber-capability, and he knows it,” Biden remarked at a press conference. “He does not know exactly what it is, but it is signi,cant. And i* in fact they violate these basic norms, we will respond with cyber. He knows.” Thus far, however, it is unclear to what extent Biden’s words have been e.ective.
One problem with specifying what needed to be protected might be that it implied that other areas were fair game—and that ransomware attacks from criminals in Russia would continue no matter what. In the cyber-realm, nonstate actors serve as state proxies to varying degrees, and rules should require their identi,cation and limita-tion. And because the rules o* the road will never be perfect, they must be accompanied by a consultative process that establishes a framework for warn-
acknowledge that it will continue to carry out intrusions in cyberspace for purposes it deems legitimate. And it will need to state precisely the norms and limits that Washington will up-hold—and call out countries that violate them. When China or Russia crosses a line, the United States will have to respond with targeted retaliation. This could involve public sanctions and also private actions, such as freezing the bank accounts o* some oligarchs or releasing embarrassing information about them. U.S. Cyber Command’s practices o* defend forward and persistent engage-ment can be useful here, although they would best be accompanied by a process o* quiet communication.
Treaties regarding cyberspace may be unworkable, but it might be possible to set limits on certain types o+ behavior and negotiate rough rules o* the road. During the Cold War, informal norms governed the treatment o* each side’s spies; expulsion, rather than execution, became the norm. In 1972, the Soviet Union and the United States negotiated the Incidents at Sea Agreement to limit naval behavior that might lead to escalation. Today, China, Russia, and the United States might negotiate limits on their behavior regarding the extent and type o* cyber-espionage they carry out, as Xi and Obama did in 2015. Or they might agree to set limits on their interventions in one another’s domestic political processes. Although such pledges would lack the precise language o4 formal treaties, the three countries could independently make unilateral statements about areas o* self-restraint and establish a consultative process to contain con0ict. Ideological di.erences would make a detailed agreement
Joseph S. Nye, Jr.
42 ! " # $ % & ' ( ! ! ( % # )
and sustainability o* U.S. threats to impose costs in response to violations.”
The Biden administration is wres-tling with the fact that the domain o* cyberspace has created important new opportunities and vulnerabilities in world politics. Reorganizing and reengi-neering at home must be at the heart o* the resulting strategy, but it also needs a strong international component based on deterrence and diplomacy. The diplomatic component must include alliances among democracies, capacity building in developing countries, and improved international institutions. Such a strategy must also include developing norms with the long-term goal o* protecting the old glass house o* American democracy from the new stones o* the Internet age.!
ing and negotiating. Such a process, together with strong deterrent threats, is unlikely to fully stop Chinese and Russian interference, but i* it reduces its frequency or intensity, it could enhance the defense o* U.S. democracy against such cyberattacks.
CHANGING BEHAVIORIn cyberspace, one size does not ,t all. There may be some norms related to coordination that can accommodate both authoritarian and democratic states. But others cannot, such as the “Internet freedom” agenda introduced by U.S. Secretary o* State Hillary Clinton in 2010. It proclaimed a free and open Internet. One can think o* norms organized in a set o* concentric circles with what Europeans call “vari-able geometry” o* obligations. Groups o* democracies can set a higher standard for themselves by agreeing on norms related to privacy, surveillance, and free expression and enforcing them through special trade agreements that would give preference to those that meet the higher standards, along the lines sug-gested by the cybersecurity expert Robert Knake. Such agreements could remain open to other states—so long as they are willing and able to meet the higher standards.
Diplomacy among democracies on these issues will not be easy, but it will be an important part o* U.S. strategy. As James Miller and Robert Butler, two former senior Pentagon o/cials, have argued, “I* U.S. allies and partners support cyber norms, they are likely to be more willing to support imposing costs on violators, thus substantially improving the credibility, severity (through multilateral cost imposition),