The United States defined its preferred cyberspace norms—Internet openness, security, liberty, free speech, and with minimal government oversight and surveillance—in its 2011 International Strategy for Cyberspace. Although the United States has had little success so far in establishing norms against commercial espionage in cyberspace, it has had some early gains with the recognition that international law applies to state activity in cyberspace and that human rights protections that apply offline also apply online.
These efforts to define shared norms have been accompanied by a process of norm promotion that suffered a significant setback in the summer of 2013 with the Snowden disclosures. The U.S. government should reinvigorate its efforts to spread and encourage the adoption of its preferred norms with the following steps:
-reform U.S. intelligence activities to make them more consistent with the publicly expressed norms of Internet openness that the United States is trying to establish;
-disclose more convincing evidence when trying to shame actors that do not abide by cybersecurity norms; and
-encourage other states and civil society actors to take a leading role in norm promotion—even when this cuts against U.S. interests.
Background: Why Norms?
-The United States’ weakness to cyberattacks is difficult to address using conventional tools of military statecraft.
U.S. policymakers argue that the United States and others need to build norms to mitigate cybersecurity problems. Admiral Michael S. Rogers, head of the National Security Agency (NSA) and Cyber Command, has argued that shared norms are a basic building block for cybersecurity. He has called on actors in academia and civil society to help design them and to assist in their spread.
It may seem strange that Pentagon officials are arguing for soft tools rather than hard military options, but there are four good reasons why norms are the best option available. First, the United States is vulnerable to cyberattacks and this weakness is difficult to address using conventional tools of military statecraft. Second, it is difficult to ensure that complex information systems are fully defended, since they may have subtle technical weaknesses. Third, classical deterrence is not easy in a world where it is often challenging to identify sophisticated attackers, or even to know when an attack has taken place. Lastly, treaties are hard to enforce because it is so difficult to verify compliance—particularly in cyberspace, where weapons are software, not missiles.