The United States should strengthen cooperation with its allies and partners while recognizing that cybersecurity is inextricably linked to tackling shared threats, according to recommendations made in two recent State Department reports.
The reports, published by the State Department on May 31, come in response to US President Donald J. Trump’s May 2017 Executive Order 13800 on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”
According to the first report—Recommendations to the President on Protecting American Cyber Interests through International Engagement, the United States has five primary objectives: reducing the risk of international conflict; responding to cyber threats posed by malicious actors; maintaining an open Internet; promoting non-governmental stakeholder governance in cyberspace; and advancing an innovation-oriented regulatory environment.
Notably, the report links cyber goals and actions with broader strategic and non-cyber elements, highlighting the overlap between traditional security challenges and their cyber consequences.
The report recognizes a wide spectrum of actions that the US government can employ to achieve these objectives. These actions range from foreign assistance to international standard setting and capacity building. However, as outlined in the report, increasing demands are paired with limited resources—hence the pursuit of a “comprehensive, yet strategic, approach” to international cooperation in cyberspace will take its final shape during the implementation phase.
The second report, Recommendations to the President on Deterring Adversaries and Better Protecting the American People From Cyber Threats, outlines a US vision for deterring malicious actors in cyberspace, recommends follow-up actions, and notes the “fundamental rethinking” of deterrence strategies that is required in cyberspace.
While traditional US tools of deterrence are considered efficient in the event of cyberattacks that constitute a use of force, malicious state-sponsored efforts occurring below that threshold are flagged as one of the main policy challenges.
To address this gray zone, the recommendations propose a consequence-oriented approach that is meant to reinforce the US strategic deterrence options by denial and undertake new efforts of deterrence, such as cost imposition. This framework will be developed over several steps, including the creation of a policy that outlines the criteria for imposing “swift, costly, and transparent consequences,” preparing a range of possible consequences, as well as conducting interagency policy planning and partnership-building.
“The Department of State recommendations on international engagement build upon and are consistent with what the US government has been doing and that is a good thing,” said Chris Painter, commissioner on the Global Commission for the Stability of Cyberspace and former US State Department Coordinator for Cyber Issues. “The big question, though, is whether these efforts, including capacity building, will be appropriately prioritized and resourced.
“The recommendations on deterrence in cyberspace appropriately focus on stepping up our game, including ensuring there are timely and meaningful consequences for bad actors, a piece of deterrence that has been lacking. Significantly, it also highlights collective action with other countries. Again, the question remains whether actions and priority will match these important recommendations,” he added.
Pete Cooper, a nonresident senior fellow at the Atlantic Council’s Cyber Statecraft Initiative and an independent cyber security adviser based in London, noted: “These reports are right to focus on the value of international and interagency cooperation, without which many initiatives don’t achieve enough critical mass to be effective.”
“But such cooperation, often on the most sensitive of topics, requires a foundation of openness and trust between partners. If openness and trust are absent or fragile, it risks stalled initiatives and creates opportunities for adversaries to drive wedges between partners,” he added.
Such trust and cooperation is essential in addressing the deterrence challenge, said Cooper. “Within the current international order, some states now see cyber-enabled effects as almost ‘consequence free’ and unattributable. With the lack of effective international norms of behavior, deterrence by the threat of imposing consequential costs can be a highly effective methodology. But it would be difficult for a single state, even one such as the United States, to be able to impose enough costs quickly enough,” he said.
To deter and drive a change in the behavior of an adversarial nation state requires the ability to rapidly impose costs of such a magnitude that it can only be done effectively within an established coalition of trusted partners, said Cooper.
“This permits a ‘whole of government’ approach from all partners and opens up opportunity for robust, broad, asymmetric measures through economic and diplomatic means,” he said, adding, “Many nations, including the United Kingdom, understand and desire such an approach, but this will only be possible within the context of strong, collaborative international partnerships.”
Megan Stifel, a nonresident senior fellow at the Atlantic Council’s Cyber Statecraft Initiative who formerly served as director for international cyber policy in the National Security Council at the White House, noted: “The Department of State Recommendations on Protecting American Interests through International Engagement reinforces longstanding US policy on the importance of the rule of law on and offline; multistakeholder Internet governance; smart regulations that support innovation; and responsible collective action in pursuit of these and other priority values.”
“The identified objectives and actions reflect operational reality by recognizing the need to strengthen both domestic and international capacity to achieve the desired end states and to buttress against ongoing efforts to erode the open and interoperable Internet,” she added.
Klara Jordan is director of the Cyber Statecraft Initiative at the Atlantic Council’s Scowcroft Center for Strategy and Security. Follow her on Twitter @JordanKlara.
Anca Ioana Agachi is an intern at the Cyber Statecraft Initiative at the Atlantic Council’s Scowcroft Center for Strategy and Security.