Editors’ NoteThe following post is the latest installment of our weekly feature, “Monday Reflections,” in which a different Just Security editor will take an in-depth look at the big stories from the previous week and/or a look ahead to key developments on the horizon.

In May 2011, the United States released its first “International Strategy for Cyberspace.” Two of the pillars of the strategy were supporting multistakeholder governance and establishing “norms of responsible behavior” for states’ actions. Since then, progress on both issues has ebbed and flowed. Now, at the end of 2014, multistakeholder governance seems to be faring well, but norm development lags far behind.

As we approach the four-year anniversary of the initial International Strategy, it’s time for the United States to issue a new strategy to account for the developments of the past few years and either reaffirm and expand upon the goals laid out in the 2011 Strategy or articulate new goals and a strategy for achieving them. 

Multistakeholder Governance

The International Strategy advocates for a governance model that includes all relevant stakeholders in Internet security, such as governments, civil society, the private sector, and academia. The strategy pledged to “[p]romote and enhance multi-stakeholder venues for the discussion of Internet governance issues,” and explained:

The very architecture of the Internet embodies a mode of social and technical organization which is decentralized, cooperative, and layered. Each of these characteristics is fundamental to the benefits the Internet has brought. … The United States stands firm in our conviction that when the international community meets to discuss the range of Internet governance issues, these conversations must take place in a multi-stakeholder manner; we will continue to support successful venues like the Internet Governance Forum, which embodies the open and inclusive nature of the Internet itself by allowing nongovernment stakeholders to contribute to the discussion on equal footing with governments.

In 2012, the multistakeholder model came under serious challenge from the multilateral (i.e., governments-only) governance model pushed by China and Russia. Russia proposed that the International Telecommunications Union (ITU)—a UN agency—be given authority to regulate the Internet, including the domain name system. In December 2012, Russia pushed its proposal to add the Internet to the ITU’s purview at the World Conference on International Telecommunications—an international conference convened to revise the ITU’s International Telecommunications Regulations (ITRs), which govern international communications, primarily by telephone.

In the end, the United States and its allies succeeded in keeping the Russian proposal out of the text of the revised ITRs, but in a move away from the multistakeholder governance model, a version of the Russian proposal was nonetheless adopted in a separate resolution. The resolution highlighted the role of governments, declaring that “all governments should have an equal role and responsibility for international Internet governance and for ensuring the stability, security and continuity of the existing Internet and its future development.” Eighty-nine countries, including China, Russia, and Brazil, signed the revised ITRs, but the United States and a number of other key countries, such as France, Germany, and the United Kingdom, refused, citing the governance resolution among other issues.

Looking back, the 2012 ITU conference may have been the high water mark for threats to the multistakeholder system. Although China and Russia have continued their push for multilateral governance, they may be losing ground internationally. In an ironic turn, this may be due at least in part to the revelations by Edward Snowden about US government surveillance. The Snowden revelations made some countries and other stakeholders more concerned about the role of governments (particularly, but not exclusively, the US government) in cyberspace, and therefore increased opposition to the multilateral governance model that would have strengthened governments’ role. In other words, opposition to US surveillance via cyberspace spurred support for the very multistakeholder model that the United States has championed.

This shift was in evidence at “NETmundial,” a “Global Multistakeholder Meeting on the Future of Internet Governance,” held in Brazil in April 2014. Brazil, which had previously supported the China/Russia multilateral model and strongly protested US surveillance of Brazilian President Dilma Rousseff, shifted position to support the multistakeholder governance model. NETmundial produced an outcome document that addressed the surveillance revelations that spurred the meeting, noting that “[m]ass and arbitrary surveillance undermines trust in the Internet and trust in the Internet governance ecosystem” and recognizing that more discussions of surveillance and human rights should continue at the international level. But the document also strongly endorsed the multistakeholder model:

Internet governance should be built on democratic, multistakeholder processes, ensuring the meaningful and accountable participation of all stakeholders, including governments, the private sector, civil society, the technical community, the academic community and users.

The State Department has touted the success of NETmundial. In a recent press briefing, the US Coordinator for International Communications and Information Policy, Amb. Daniel Sepulveda explained:

So where we are now is that Brazil, in the global south, has hosted a major conference which was an exercise in the multistakeholder process, and did so successfully, and we have the movement of not just Mexico but a number of other countries like Nigeria, Rwanda, Kenya; and in Latin America – throughout Latin America – Colombia, Chile; and in Southeast Asia, Korea and others who have really committed to participation in the system and are working well through it. That isn’t to say that there isn’t debate and discussion and deliberation, but there is a growing commitment to the idea that the multistakeholder process can work, it can work for everyone, and it can be inclusive – and should be. We’re committed to that goal as well.

Multistakeholder governance advocates, including the United States, claimed another victory earlier this month at the ITU Plenipotentiary Conference in Busan, South Korea. In sharp contrast to the December 2012 ITU conference, this time around proposals to expand the ITU’s role regarding the Internet and cybersecurity were removed from the final resolutions. (Additional details are available from the Open Technology Institute and the State Department.)

Despite the ongoing opposition to the multistakeholder model from China and Russia, among others, multistakeholder governance is ending 2014 on a high note. Whether despite or in some ways because of the Snowden revelations, the multistakeholder model that the International Strategy championed has picked up steam and should continue as a pillar of future US Strategies.

International Norms

For international norms, the picture is far less positive.

In 2011, the International Strategy noted that society’s reliance on the Internet and networked technologies has “not been matched by clearly agreed-upon norms for acceptable state behavior in cyberspace” and committed the United States to “work to build a consensus on what constitutes acceptable behavior” in order to foster “[s]tability [t]hrough [n]orms.” The Strategy explained:

The development of norms for state conduct in cyberspace does not require a reinvention of customary international law, nor does it render existing international norms obsolete. Long-standing international norms guiding state behavior—in times of peace and conflict—also apply in cyberspace. Nonetheless, unique attributes of networked technology require additional work to clarify how these norms apply and what additional understandings might be necessary to supplement them. We will continue to work internationally to forge consensus regarding how norms of behavior apply to cyberspace ….

More specifically, the Strategy declared that “certain aggressive acts in cyberspace” can trigger a state’s right to self-defense pursuant to the U.N. Charter, and that “[w]hen warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.”

In 2013, there appeared to be some progress on norm development, including with China and Russia, which had previously proposed addressing cyberspace with a new agreement as opposed to norms. In June 2013, U.N. Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security—a group that includes China, India, Russia, and the United States—achieved consensus on the general principle that “[i]nternational law, and in particular the Charter of the United Nations,” applies in cyberspace. This marked the first time that China in particular had agreed that international law applies to cyberspace.

Also in June 2013, the United States and Russia signed an agreement that increased communications about cybersecurity, created a direct communications channel to deal with cyber incidents, and established a working group to discuss cybersecurity issues. And in July 2013, the United States and China held the first meeting of a bilateral working group on cybersecurity in conjunction with the Strategic and Economic Dialogue between the two countries.

However, progress with China appears to have halted in 2014. In May, the United States indicted five Chinese military officials for hacking US companies and committing economic espionage and trade secret theft. In a predictable response, China suspended the cybersecurity working group. Moreover, as the US-China Economic and Security Review Commission noted in its annual report to Congress on November 20 (p. 263 n.†):

Although US Secretary of State John Kerry noted that conversations about cybersecurity at the 2014 US-China Strategic and Economic Dialogue were “frank,” it appears the United States made little progress convincing China to change its approach to cyberspace or deter Chinese cyber theft of US intellectual property. In fact, the word “cyber” does not even appear on a 116-item list of “outcomes” of the Strategic and Economic Dialogue’s Strategic Track discussions.

At the Asia-Pacific Economic Cooperation (APEC) summit in Beijing earlier this month, the United States and China also “made little if any progress on cybersecurity,” despite reaching a climate change deal.

At the end of 2014, despite promising developments in 2013, the US project of norm development appears stalled—at least with respect China, which occupies a hugely important role on cyberspace issues.

Where does the United States go from here? As my post on Friday noted, Congressman Jim Himes (D-Conn.) asked Adm. Michael Rogers, the Commander of US Cyber Command and Director of the National Security Agency, essentially this question in a House Intelligence Committee hearing last Thursday. In particular, Himes asked Rogers how agreement on international norms could come about, as well as what the “key principles” should be for such norms. On the process issue, Rogers’ answer was not encouraging, as captured by this exchange (beginning around 25:30 on the C-SPAN video):

Rep. Himes: As you … look at the discussion internationally happening here, do you have any have confidence that this debate … is going to advance? And in particular, are we going to be able to draw in bad actors like China and Iran? Or is it going to in fact take some demonstration of capability against them to get them to the table?

Admiral Rogers: I don’t know is the short answer. I’m hoping it’s not the latter. Clearly there’s ongoing dialogue.

On the substance of the international norms, Rogers was somewhat more definitive, but still not very detailed. As I noted on Friday,

He identified one possible norm of treating countries’ Computer Emergency Readiness Teams (“CERTs”) “as hospitals” (that is, prohibiting attacks on CERTs), but then simply identified the need to define “what’s an act of war” without proposing a definition. In response to further questions from Himes, Adm. Rogers suggested that the US government is also discussing whether, for example, to push for norms against attacking critical infrastructure and stealing intellectual property.

A New International Strategy for Cyberspace

In recent years, US presidential administrations have issued National Security Strategies roughly every four years (20022006, and 2010), and much has happened since the United States issued its International Strategy for Cyberspace in 2011. It’s time for a new Strategy to clarify US policy going forward and set out the country’s goals in more detail.

A new Strategy should do several things with respect to governance and norms.

  1. The new Strategy should reaffirm the US commitment to the multistakeholder governance model and set out a strategy for continuing to solidify support for multistakeholder governance around the world. In particular, building on the statement from Amb. Sepulveda quoted above, the Strategy should explain how the United States plans to engage the “global South” to facilitate true international participation in multistakeholder governance.
  2. The new Strategy should confirm that the United States still seeks to develop norms for behavior in cyberspace. Reaffirming the US position on this issue is important because the US commitment to discussions with China in particular could be questioned: the United States chose to issue“unenforceable indictments”against Chinese officials for hacking US companies, at the expense of Chinese participation in the US-China cybersecurity working group.
  3. The new Strategy should also set out the substance of the norms the United States seeks. The United States is missing opportunities to foster development of norms by failing to specify not just that it seeks norms, butwhat norms it seeks. Rogers on Thursday stated that a norm is needed regarding “what’s an act of war,” but it would have been more helpful to articulate what the United States believesshould be the definition of an act of war in cyberspace. Rogers’ suggestion of prohibiting attacks on CERTs is more along the lines of what the new Strategy should set out.
  4. The new International Strategy should emphasize and, through its publication, demonstrate the value of transparency. The United States may already have a list of desired norms, and it may be sharing those in bilateral discussions. But in the spirit of multistakeholder engagement, it should publicize proposed norms and subject them to discussion among civil society, academia, and the private sector, as well as with other governments.

Non-governmental actors are already engaged in similar discussions and would surely have much to add about proposed norms. For example, the Tallinn Manual on the International Law Applicable to Cyber Warfare, which was drafted by a group of independent experts under the auspices of the NATO Cooperative Cyber Defence Centre of Excellence, sets out 95 black-letter rules regarding how existing international laws of armed conflict apply to cyberspace. In what may be a preview of broader international debates over proposed norms, the Tallinn Manual also candidly acknowledges disagreement on some issues and articulates the experts’ competing positions. (Disagreements internationally may be even more numerous and profound than those among the Tallinn Manual drafters, who shared relatively similar backgrounds. According to an article by Adam Segal of the Council on Foreign Relations, the Chinese People’s Liberation Army Daily recently criticized the Tallinn Manual on a variety of grounds.)

*          *          *

In calling for a new International Strategy, I am not suggesting that the United States announce unilateral commitments, for example, to not attacking CERTs or critical infrastructure. But if in fact the United States seeks international consensus (or even just the agreement of a few countries) on particular norms, it should seize the initiative in proposing them and subject its proposals to public scrutiny. A new International Strategy would do just that.