Arbitrating cyberspace has been a marginal issue in the onslaught of recent foreign policy snafus. Our nation’s top leaders are confused by it, and that confusion has led to a free-for-all — arguably the true definition of the U.S. “persistent engagement” strategy.
Little has been done to mitigate the potential for callous misinterpretation, escalation, or unintended consequences of exploiting vulnerabilities in countries’ critical and interdependent systems and networks. Norms etched out by the multilateral agreements would be great if all hackers were conscripted, law-abiding citizens in neatly defined territories, but that would require living in an alternate reality.
Cyber “war” should be seen as an extension of group politics, rather than state politics. Nation state interests are only sometimes represented. The vast majority of those on the Powerful Black and White Color Scheme of hackers are more often than not civilians, rather than uniformed servicemembers reporting for duty. Individuals behind the advanced persistent threat (APT) groups are informed, trained, and provided rules more in line with the ways that militias or paramilitaries are – armed groups which operate alongside regular security forces or work independently of the state – to shield the ‘local’ (in-group) populations from insurgents (out-group populations).
If one subscribes to the notion that cyberspace is effectively borderless, we’re actually in an ongoing intrastate cyber conflict – between organized groups operating for dominance of one domain with many asymmetrically defended territories. Cyber-attacks have a disproportionately large impact on civilian targets in the same way as intrastate conflicts do, and those civilian targets have no legal means for retaliation or reparation. There are four main takeaways from the literature on intrastate conflict that we should glean for cyberspace for any real negotiations to be successful.
First, a group must come to the realization that its principal objectives cannot be met through cyber warfare. Classic cost/benefit analysis.
Second, the broader international community must be willing to talk to real threat actors in this space, to identify group leaders who are ready to negotiate a peace in cyberspace. AKA, invite actual hackers to the table without fear of reprimand or incarceration, not just the old guard who can’t remember their email passwords.
Third, no group can be required to “give up arms” in order to be involved in conversations. You cannot mandate an end to malicious activity with no change in conditions for the group.
Fourth, a group cannot be forced to recognize the will of another without tangible concessions. Where consensus-building fails, gift basket diplomacy, technology exchanges, and soft power can provide inroads for cooperation.
Hacking is not actually as easy as people make it out to be. You couldn’t create Stuxnet in your basement with the average download of Kali Linux. And attribution is not as difficult as projected — often the ability to name and shame is a political decision, rather than technical. But the learning curve is diminishing, the playing field leveling, and the result is hemorrhaging risks for national security and the economy.
Top-down deterrence in this domain is never going to happen in the traditional “my bombs are better than yours” sense, and sanctions against cyber-attacks amount to smoke and mirrors. There is not a single type of existential weapon in cyberspace, only a bounded range of coordinated and sophisticated attacks.
Negotiating peace in cyberspace is unlikely to end in a treaty wrapped in a bow. However, thinking differently about how we negotiate in this space can help to build principles for off-limits targeting, starting with hospitals, energy facilities, and satellites. Agreements honored in peacetime create foundations for what is and isn’t acceptable, adding rungs to the rung-less cyber escalation ladder. Put those glasses on.
The world needs new bargaining chips to make progress in cyberspace. Information operations, while important, are a distraction and amplify preexisting issues in systems of governance. Allowing increasingly well-organized exploitation in cyberspace to continue without sustained dialogue or pressure feeds directly into the polarization of information, and signals apathy to other countries. A nation unwilling to address underlying objectives, while reserving the right to respond by any political, military, or economic means necessary, will never make progress.
Danielle Jablanski is the Cyber Policy Program Manager at the Stanford Cyber Policy Center at Stanford’s Freeman Spogli Institute.