From the Desk of Greg Francis: Pen Testing the US Cyber Strategy
Posted on 10th October 2018
If it’s not an era of intense faith in the multilateral system, somewhere among the Trump Administration’s anonymous adults in the room there is a believer, and the Internet might be the better for it. Evidence for the existence of this fifth columnist lies in the US National Cyber Strategy, launched last month under the commander-in-chief’s unprepossessing signature, which looks to provide security for America’s connected economy. No matter that the strategy begins with the assertion that the United States is “the world’s lone superpower,” a status it links to “the rise of the Internet,” because where it stumbles over little vanities its intentions are appropriately ambitious. The risks to its success lie in the places it chooses to execute, and here the Administration may be its own worst enemy.
Hadrian Caesar & Brad Smith
Under some comforting old headings such as Peace Through Strength and the American Way of Life, the strategy starts with a plan to improve the security and readiness of the federal government. It enlists the work of appropriate US entities and the Intelligence Community, seeks to promote national investment in cybersecurity, and promotes a modernised legal framework as a deterrent. But the US is not a cyber island, and what starts to come through is the (unexpected) extent to which the strategy will see the US lean on the United Nations and other multilateral forums for action. It names various institutions and frameworks as being integral to the strategy’s success: the United Nations, the Internet Governance Forum, the International Telecommunication Union, the Budapest Convention, the UN Convention Against Transnational Organised Crime and the G7’s 24/7 Network Points of Contact. It goes on to call for something that sounds a lot like Microsoft’s Digital Geneva Convention: “a framework of responsible state behaviour in cyberspace built upon international law,” but then seems to lose heart later in the same sentence, downgrading the call to a mere “adherence to voluntary non-binding norms of responsible state behaviour that apply during peacetime.” If it is equivocal here and there, this is nonetheless a strategy that promises to be meted out in crowds of representatives from organisations and governments with highly divergent views.
The Strategy may set itself up to fail, therefore, in two ways: first by its inability to see that America’s competitors in cyber security matters can be partners also. Second, it fails to explain how the multilateralism that underpins its success is going to be managed.
The first failure is a predictable product of the Trump Administration’s zero-sum-winners-and-losers bluster about the international environment, which doesn’t recognise that losers may take their time to ebb away but can still be useful partners in their decline, or that who loses is not always obvious (it might sometimes be the US). The second failure is less to do with the strategy itself than with its reliance on a well-ordered international system. If there is to be anything like a “framework for responsible state behaviour” or “universal adherence to cyber norms” still less an “international Cyber Deterrence Initiative [sic]” it will need to be developed in the forums that provide vehicles for such all-encompassing solutions. It is one thing to try and “ensure that [the US] approach to an open Internet is the international standard,” it’s quite another thing to get broad and consistent buy-in to that international standard. The latter requires negotiation.
The Trump Administration’s now-familiar approach to bilateral engagement — howling about the brokenness of a thing, threatening to abandon it unilaterally, and then moving back from the edge — is not one that translates well into the multistakeholder environment that governs the Internet (in large part by US design). There, control of the debate does not remain with the one who howls loudest or threatens exit, but shifts instead towards agglomerations of stakeholders with economic influence, citizen-consumers, engineering prowess, and concrete proposals around which a consensus can be built. If those tasked with delivering on the US Cyber Strategy can engage with entities of all stripes, even those perceived as marginally villainous by the Trump Administration, it has a good chance. If those tasked with its delivery concoct initiatives and ask others to sign up without any space for compromise — on vulnerability standards, indemnification, information sharing — chances for success become much smaller. Either way, the challenge to America’s interlocutors will be to engage or to leave the US to negotiate high standards with itself while enduring structures of international cyber interaction are designed, discussed, and solemnly agreed elsewhere.
Author: Greg Francis, Managing Director, Access Partnership
This article was originally published on Circle ID on 8 October 2018.