During the Cold War era, there was an adage that arms controllers hated but that proved prophetic: “When relations are bad, you don’t want arms control; when relations are good, you don’t need arms control.”
Cyberspace today is a mess: what some US policymakers thought would happen – that the internet would prove an unstoppable information wedge that would pry open totalitarian and authoritarian states – proved largely the opposite. Cyberspace tools have allowed such states to control information, steal Western proprietary information and wealth, enable cybercrime, and place weapons on our critical infrastructure to serve as disabling capabilities and deterrents against us in times of crisis or war.
The Obama State Department thought the internet should be treated as a Global Commons – like a public library for the world, where states would take a hands-off approach for the greater good. This was naive in the extreme. It was the equivalent of thinking that states would leave ‘airspace’ an un-militarized global commons, once the advent of aeronautics allowed intercontinental air travel within hours.
Cyber norms are especially naïve. The Obama White House proposed: “A state should not conduct or knowingly support online activity that intentionally damages critical infrastructure or otherwise impairs the use of critical infrastructure to provide service to the public.” (White House 29 October 2014.)
According to the former Director of National Intelligence, James Clapper, adversaries are putting cyberspace weapons and capabilities on our networks and threatening our critical infrastructure and key resources. A 2017 Pentagon Defense Science Board noted the same emerging world.
Norms are created through customary international law — specifically the practices mutually conducted and accepted by states. Such norms became the basis of the Law of the Sea, our conduct in space, and our treatment of warships at sea.
But if the Russians and other malign cyber actors are emplacing weapons on our critical infrastructure and we can’t discern or disable all of them, then cyber norms, unlike the norms practiced at sea or in the air, which are transparent, will have the effect of limiting the United States but not malign actors. Unlike the air and sea domains, cyberspace is marked by stealth and ambiguity.
Who would believe that Putin would abide by a norm (really it’s an arms control ‘pledge’ – not a norm, since it is not mutually practiced today) *not* to do something that he can do covertly and largely get away with? And who thinks such a pledge would not limit the legalistic United States in return? Such a norm would have the effect of greenlighting adversaries and limiting the United States.
Further, the ‘norm’ is really bad arms control: in many cases, the United States would not demarche states that violate the norm (since you don’t want to burn the cyber forensic method used to discern the weapon) or be capable of discerning all violations. And no forensic or confidence building method is going to be perfect, let alone shared, which means the United States will likely suffer ongoing Russian and other malign efforts to emplace weapons on our infrastructure and yet be constrained from doing the same back by the very arms control method we advocated.
There is history to back this fear: when the United States identified Russia in the past for its bots targeting US critical infrastructure, Russia yawned. Why, then, if the norm is formalized, would things be any different?
But let’s say the norm is successfully advocated and the United States were to demarche Russia or other malign actors if or when we discern some Russian malware on our infrastructure. And what if such states took a ‘who me?’ attitude back, denying the act? There aren’t red hammers and sickles attached to these weapons platforms (it’s code). And even if the US State Department were convinced that Russia were behind such violations, what would it be prepared to do in response? Break the very norm it advocated?
And what about cyberspace espionage – a practice conducted today by the United States? Will the State Department complain about US capabilities devised for espionage that *could* be used for cyberspace attack and therefore veto them for the US Intelligence Community? The difference between an espionage and an attack capability is pretty much one of intent and perspective. The norm very likely will have the perverse effect of neutering US offensive cyberspace capabilities as well as cyber espionage, which serves a stabilizing function by discerning adversary capability, indications and warning, and in some cases intent.
Should Russia find US espionage cyber tools on its networks and demarche the United States after signing up to the US cyber norms accord, would State dismiss the demarche and claim such tools are not the same as attack tools and are therefore permitted?
Fat chance. State will demand US ‘compliance’ with our norms.
If the intent of the norm – advocated principally by the US Department of State — is to advance the obvious, “States should not destroy things in peacetime,” then it is a typical State Department nonsense statement. Of course states should not damage things in peacetime. That is already a norm: it’s called peacetime. Damaging critical infrastructure in peacetime is already illegal! No state has a ‘right’ to damage anything in peacetime – nor do they have any interest to do so. What is the political effect of advancing a ‘norm’ that is already illegal (and already followed)? But when warfare erupts, these norms default to the law of armed conflict, and the norm goes out the window. At least we ought to assume the norm will not necessarily be followed in wartime.
The ‘norm’ that states should not damage critical infrastructure is a pledge – a promise, but in warfare no party would necessarily follow the pledge. And since cyberspace capabilities need to be emplaced on adversary systems in advance of a crisis, the pledge will serve adversary interests beautifully by limiting us but very likely not them.
If the United States falls further behind in a relationship with Russia or other malign cyberspace actors where they can threaten US critical infrastructure with cyberspace tools and we cannot, we advance instability by making the cyberspace world more predictable for adversaries and less understood and predictable for us – pretty much the textbook definition of strategic foolishness.
The history of arms control suggests that it is always a bad idea to advance meaningless agreements. The history of arms control also suggests that State often naively thinks it can change behavior by signing states up to regimes and legalisms.
The United States risks falling behind some adversaries in a new era of ‘Mutually Assured Disruption.’ If we don’t move to a relationship that is indeed mutually threatening (and thus mutually restraining), we may very well create the very instability we want to avoid. It would be akin to thinking that in order to deter nuclear war with the former Soviet Union, the United States should pledge to never build nuclear weapons.
We understand well today how Russia’s strategy against the United States is to complicate our foreign policy with disinformation, ambiguity, self-doubt, and internal strife. Those who advance cyber norms are tools of the Russian playbook since they advance Russian cyberspace goals and limit the United States.
James Van de Velde is Associate Professor at the National Intelligence University as well as Adjunct Faculty at Johns Hopkins and Georgetown University. He served in the George H.W. Bush Administration on the START and SDI Negotiating teams. The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of the US Government, the Department of Defense, or the National Intelligence University.