Governing Cyberspace - SCUSA 63 - Final

SCUSA 63
Thinking Beyond Boundaries:
Contemporary Challenges to U.S. Foreign Policy
Governing Cyberspace
To date, cyberspace is a domain where individuals, governments, the public sector, the
private sector, and civil society interact beyond traditional boundaries. Information, data,
commerce, and ideas flow freely between physical locations at light speed. Many take the fact
that cyberspace is a global commons, or open access resource, for granted.[1] Like the Wild West,
risk-taking entrepreneurs—businessmen, thought leaders, and innovators—helped build this
newly discovered space. And just as in the Wild West weak governance over nascent territories
empowered cattle rustlers and outlaws, so in cyberspace the bad flourish alongside the good.
High-tech criminals steal from individuals and large businesses, hacktivists vandalize cyberspace
or disrupt the flow of information, and states lay claim to areas of cyber terrain that may lead to
conflict in cyberspace as well as terrestrially.
To ensure that cyberspace continues to promote cooperation, communication, and
prosperity among people of all nationalities, races, faiths, and ideologies, America has an interest
in building international support for cyberspace governance.[2] But what does governing
cyberspace mean, and what role should America play in its governance? So far, efforts to
achieve global consensus on regulating, taxing, and securing access to the Internet have proven
unsuccessful. What, if anything, might make international consensus more achievable?
This paper explores the idea of governing cyberspace by developing norms that promote
communication, security, and prosperity.
Defining Norms
Before discussing these three focus areas for the United States’ international cyberspace
strategy, it is necessary to understand what norms are. In general terms, norms are accepted
standards of appropriate behavior. This definition can further include expectations of behavior
for “actors with a given identity,” which allows for the existence of multiple norms—different
norms for certain groups, such as governments, militaries, businesses, or individuals.[3]
Although norms establish accepted standards, norms do not institutionalize behavior.
Institutionalization of norms occurs through legalization, especially within the realm of
international law. The strength of international law lies along a continuum from “soft law,”
which seeks to facilitate compromise and cooperation, to “hard law,” which enshrines pre- and
proscribed behavior into precise legally binding obligations.[4] One can measure this strength
according to three dimensions: 1) precision, or the level of ambiguity in the definition of
prescribed or proscribed behavior; 2) obligation, or variation in boundedness to a rule or
commitment; and 3) delegation, or the level of authority granted to third parties to “implement,
interpret, and apply rules; to resolve disputes; and (possibly) to make further rules.”[5] Again, this
institutionalization process starts with the existence of norms of accepted behavior.
[1] Lawrence Lessig, “The Internet Under Siege,” Foreign Policy, November/December (2001), 56-65.
[2] President Obama released his international strategy for cyberspace in May 2011, in which he emphasized the importance of the U.S. leading the effort to develop international norms that will ensure the further promotion of prosperity and civil liberties around the globe, while maintaining security in cyberspace. See Barack H. Obama, International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World (The White House: Washington, 2011).
[3] Martha Finnemore and Kathryn Sikkink, “International Norm Dynamics and Political Change,” International Organization, vol. 52, no. 4 (1998): 891.
The development of norms generally precedes the development of international law.
However, norms develop at different rates. Norms develop quickly when they are clear, useful,
and doable.[6] First, norms spread when they are simple and straightforward. Second, actors must see
that following the norms yields more benefits than costs. Finally, enabling actors to comply with
new norms increases the likelihood that they will follow the desired pre- or proscribed
behavior.[7] Even norms that have all three of these winning characteristics are not immediately
accepted; instead, they follow an evolutionary adoption process that generally involves three
stages of development: 1) norm emergence—norm entrepreneurs lead an organized movement,
taking advantage of existing institutions when possible; 2) norm cascade—norm entrepreneurs
embark on an international socialization process to persuade or coerce those not following the
norms to do so; and 3) internalization—mainstreaming to ensure compliance with the norm.[8]
Given this background, policymakers must consider what the ideal norm evolution
process should look like for governing cyberspace. What can the United States do to encourage
norm emergence and cascade? How will other actors perceive a US effort to lead this process?
And at what point should the international community focus on developing international legal
standards for governing cyberspace as opposed to norms?
Communication
Individuals, governments, the private sector, and civil society recognize the benefits of
the interaction that cyberspace enables, so each of these groups has a stake in maintaining an
interoperable and open network. The issue area of communication within the realm of cyber
governance divides into two domains, one technical (interoperability) and the other
interpersonal.
What role do states have in ensuring global interoperability? Interoperability is promoted
by developing technical standards that allow multiple actors to interact across platforms and
boundaries. A further component of interoperability is network stability, which is respecting and
enabling the free flow of information between internationally interconnected infrastructures
across domestic networks.[9] How should responsibility be shared between the public and private
sectors to develop and promulgate technical standards that ensure the security and resiliency of
the global infrastructure? How can the US promote the development of global standards?
[4] Kenneth W. Abbott and Duncan Snidal, “Hard and Soft Law in International Governance,” International Organization, vol. 54, no. 3 (2000): 421-424.
[5] Kenneth W. Abbott, Robert O. Keohane, Andrew Moravcsik, Anne Marie-Slaughter, and Duncan Snidal, “The Concept of Legalization,” International Organization, vol. 54, no. 3 (2000): 401.
[6] Ibid, 401-404.
[7] Martha Finnemore, “Cultivating International Cyber Norms,” in America’s Cyber Future: Security and Prosperity in the Information Age, Vol. II, eds., Kristin M. Lord and Travis Sharp (Center for a New American Security: Washington, 2011), 89-93.
[8] Finnemore and Sikkink, 895-905. Finnemore, 93-99.
[9] Barack H. Obama, 10 and 18.
In addition to ensuring interoperability and the technical flow of information across
networks, supporting interpersonal openness maintains the freedom of cyberspace. Cyberspace
enables people to share information, express opinions, expose malfeasance, and organize social
and political movements, on- and offline. At the same time, current weaknesses in cybersecurity
do not guarantee the protection of individual privacy, which may undermine the trust needed to
sustain social and political, as well as economic, activity on the Internet.[10] What can the US do
to promote norms that support fundamental freedoms, such as expression and association, as well
as privacy? How can the US work with civil society to develop safeguards that protect
individuals from arbitrary state interference into their activities on, or deprivation of access to,
the Internet? Extending existing human rights law as described in the Universal Declaration of
Human Rights in order to protect fundamental freedoms and privacy is another potential
extension of US efforts in cyber governance.[11] How will other nations such as China and Russia
react toward an expanding US role promoting interoperability and openness in cyberspace?
Security
Security is another multifaceted realm related to cyberspace governance. The technical
aspects of security encourage interoperability and openness, but security is also necessary to
promote commerce and protect national security. Again, the public and private sectors should
work together to develop technical standards to protect networks, ensuring their security,
reliability, and resilience.
Strategically, cyberspace has joined land, sea, air, and space as the newest domain of
warfighting. The US’s recognition of cyberspace as an operational domain allows for the
Department of Defense (DoD) to organize, train, and equip the US Armed Forces to support
national security interests specific to missions and challenges in cyberspace. The military now
has the clear strategic task guidance to prevent adversaries from exploiting, disrupting, denying,
or degrading the networks and systems upon which the Defense Department relies.[12] The DoD’s
cyber strategy supports the White House’s effort to develop a norm of cybersecurity—namely,
that states have a responsibility “to protect information infrastructures and secure national
systems from damage and misuse.”[13]
While states still maintain a right of self-defense in response to aggressive acts by others,
consistent with Article 51 of the United Nations Charter, the rules for how to apply this principle
to 21st century cyber security challenges are not clear.[14] The White House’s strategy for national
defense is based on the principles of dissuasion and deterrence. The US can dissuade adversaries
from attacking by creating robust defenses, as well as mitigation plans to isolate and limit the
damage of successful attacks. Deterrence demands that the US elevate the cost associated with
executing an attack beyond the perceived benefit any adversary hopes to achieve.[15] One
challenge with cyber attacks, however, is attribution, or the ability to verify the source of an
attack. Further, with ubiquitous information technology, it is challenging and expensive for
defenders to increase an attacker’s cost beyond the perceived benefit.[16] What would the US need
to do to overcome these challenges to deterrence? How can the US promote norms that create
taboos for certain behaviors by state or non-state actors in cyberspace?[17] Are there alternative
national security strategies the US can pursue besides dissuasion and deterrence, whether
through diplomacy or by strengthening public and private partnerships?
[10] Ibid, 23-24.
[11] See United Nations, Universal Declaration of Human Rights (UN Department of Public Information: New York, 1948).
[12] Department of Defense, Department of Defense Strategy for Operating in Cyberspace, (Department of Defense: Washington, 2011), 1-6.
[13] Barack H. Obama, 10.
[14] United Nations, Charter of the United Nations and Statute of the International Court of Justice, (United Nations: San Francisco, 1945).
[15] Barack H. Obama, 12-14.
Prosperity
Cyberspace generates vast wealth. The existing openness and interoperability of the
Internet have enabled commerce at all levels, from small businesses to multinational
corporations, and between individuals. Cyberspace is thus a potential tool to promote domestic
and international economic development. Long-term investment in cyber infrastructure can
provide access to new markets for goods and services. Should the US sustain and expand the
current free-trade environment, institutionalized in the form of the World Trade Organization, in
order to enable governance over economic activity in cyberspace? What responsibility does the
US have to share technology with others in order to empower less-advantaged populations?
While cyberspace has created enormous wealth due to innovation, intellectual capital
investments have also become the target of cyber theft, leading to unprecedented volumes of
illegal wealth transfer.[18] How can the US promulgate norms or international law that guarantees
respect for property? What incentives will induce states to protect and enforce intellectual
property rights—patents, trade secrets, trademarks, and copyrights—through their domestic laws
and judicial systems?
Conclusion
Sustaining open and interoperable communication while providing security and spreading
prosperity requires states and non-state actors to think about how to govern cyberspace. The
White House has so far addressed this contemporary challenge to US foreign policy by
promoting norms. Yet while norm development in each of these issue areas can be mutually
supportive, the development of norms in one area might also threaten effectiveness or efficiency
in another area. One of the major challenges in developing governance norms for cyberspace is
determining how to balance competing interests. What are the necessary security compromises
that must be made to ensure citizens are protected from unfettered surveillance? What necessary
compromises in our civil liberties must be made to protect citizens from multifaceted threats,
both criminal and national security related? What is the balance between encouraging private
sector-driven prosperity and keeping the Internet open and secure? To address these vexing and
still-emerging questions requires that policymakers think beyond the boundaries that divide
norms from laws, the private from the public sectors, and nations from one another.
[16] Martin C. Libicki, Cyberdeterrence and Cyberwar, (RAND Corporation: Santa Monica, 2009).
[17] Nina Tannenwald, “Stigmatizing the Bomb: Origins of the Nuclear Taboo,” International Security, vol. 29, no. 4 (2005): 5-49.
[18] Dmitri Alperovitch, “Revealed: Operation Shady RAT,” (McAfee: Santa Clara, 2011), 2.
Recommended Readings
Finnemore, Martha. “Cultivating International Cyber Norms.” In America’s Cyber Future:
Security and Prosperity in the Information Age, Vol. II, edited by Kristin M. Lord and Travis
Sharp, 87-101. Center for a New American Security: Washington, 2011.
http://www.cnas.org/files/documents/publications/CNAS_Cyber_Volume%20II_2.pdf.
Finnemore, Martha and Kathryn Sikkink. “International Norm Dynamics and Political Change.”
International Organization, vol. 52, no. 4 (1998): 887-917.
http://graduateinstitute.ch/webdav/site/political_science/shared/political_science/Multilateral%20Governance%20Autumn%202010/finnemore%20and%20sikkink%201998.pdf
Lessig, Lawrence. “The Internet Under Siege.” Foreign Policy, November/December (2001),
56-65.
http://www.lessig.org/content/columns/foreignpolicy1.pdf.
Lewis, James A. “Why Privacy and Cyber Security Clash.” In America’s Cyber Future: Security
and Prosperity in the Information Age, Vol. II, edited by Kristin M. Lord and Travis Sharp,
123-142. Center for a New American Security: Washington, 2011.
http://www.cnas.org/files/documents/publications/CNAS_Cyber_Volume%20II_2.pdf.
Libicki, Martin C. Cyberdeterrence and Cyberwar. RAND Corporation: Santa Monica, 2009.
http://www.rand.org/content/dam/rand/pubs/monographs/2009/RAND_MG877.pdf.
Obama, Barack H. International Strategy for Cyberspace: Prosperity, Security, and Openness in
a Networked World. The White House: Washington, 2011.
http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.
Additional Readings
Abbott, Kenneth W., Robert O. Keohane, Andrew Moravcsik, Anne Marie-Slaughter, and
Duncan Snidal. “The Concept of Legalization.” International Organization, 54, no. 3 (2000):
401-419.
http://www.princeton.edu/~amoravcs/library/concept.pdf.
Abbott, Kenneth W., and Duncan Snidal. “Hard and Soft Law in International Governance.”
International Organization 54, no. 3 (2000): 421-456.
http://web.efzg.hr/dok/pra/hhorak/Hard%20and%20soft%20law%20in%20international%20governance.pdf.
Alperovitch, Dmitri. “Revealed: Operation Shady RAT.” McAfee: Santa Clara, 2011.
http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf.
Department of Defense. Department of Defense Strategy for Operating in Cyberspace.
Department of Defense: Washington, 2011.
http://www.defense.gov/news/d20110714cyber.pdf.
Fontaine, Richard and Will Rogers. Internet Freedom: A Foreign Policy Imperative in the
Digital Age. Center for a New American Security: Washington, 2011.
http://www.cnas.org/files/documents/publications/CNAS_InternetFreedom_FontaineRogers_0.pdf.
Lord, Kristin M. and Travis Sharp, eds. America’s Cyber Future: Security and Prosperity in the
Information Age. Center for a New American Security: Washington, 2011.
http://www.cnas.org/files/documents/publications/CNAS_Cyber_Volume%20I_0.pdf [Vol. I]
http://www.cnas.org/files/documents/publications/CNAS_Cyber_Volume%20II_2.pdf [Vol. II]
Nye, Joseph S. Jr. “Power and National Security in Cyberspace.” In America’s Cyber Future:
Security and Prosperity in the Information Age, Vol. II, edited by Kristin M. Lord and Travis
Sharp, 5-24. Center for a New American Security: Washington, 2011.
http://www.cnas.org/files/documents/publications/CNAS_Cyber_Volume%20II_2.pdf.
Segal, Adam. “Cyberspace Governance: The Next Step.” In Policy Innovation Memorandum No.
2. Council on Foreign Relations: New York, 2011.
http://www.cfr.org/cybersecurity/cyberspace-governance-next-step/p24397.
Singer, Peter W. and Noah Shactman. “The Wrong War: The Insistence on Applying Cold War
Metaphors to Cybersecurity Is Misplaced and Counterproductive.” Brookings Institution:
Washington, 2011.
http://www.brookings.edu/articles/2011/0815_cybersecurity_singer_shachtman.aspx.
Tannenwald, Nina. “Stigmatizing the Bomb: Origins of the Nuclear Taboo.” International
Security 29, no. 4 (2005): 5-49.
http://www.mitpressjournals.org/doi/pdf/10.1162/isec.2005.29.4.5.
United Nations. Charter of the United Nations and Statute of the International Court of Justice.
United Nations: San Francisco, 1945.
http://treaties.un.org/doc/Publication/CTC/uncharter.pdf.
United Nations. Universal Declaration of Human Rights. UN Department of Public Information:
New York, 1948.
http://www.ohchr.org/en/udhr/pages/language.aspx?langid=eng.