On Friday, the President’s Commission on Enhancing National Cybersecurity published its final report, making 16 recommendations and identifying 53 action items to improve cybersecurity in the United States. Established by Executive Order 13,718 last February, the nonpartisan Commission included 12 experts, some recommended by Democratic and Republican leaders in Congress and others selected by the Obama Administration.
The Commission drew on the Executive Order to identify particular topics of study, including, for example, federal governance, cybersecurity research and development, and the cybersecurity workforce, but on its own initiative (and as permitted by the Executive Order), the Commission also studied international issues. Many of the Commission’s recommendations should be uncontroversial, and its recommendation to continue international coordination efforts on cybersecurity issues should be one of them.
In Recommendation 6.1, the Commission counsels, “The Administration should encourage and actively coordinate with the international community in creating and harmonizing cybersecurity policies and practices and common international agreements on cybersecurity law and global norms of behavior.” To operationalize this recommendation, the Commission identifies several action items, including appointing an “Ambassador for Cybersecurity” at the State Department, continued promotion of peacetime norms of behavior, and assistance to other states for cybersecurity capacity building. The Commission separately notes the need for “continued progress toward international consensus on applying international law to cyberspace” (p.47).
There are many possible arguments in favor of these recommendations, but it’s important to understand the Commission’s argument for them. The Commission styled its final product as a “Report on Securing and Growing the Digital Economy,” and its justification for international engagement is an economic one. The Commission highlights the inefficiencies caused by the current lack of harmonization of standards and regulatory requirements—disparities that “force companies to devote resources to multiple compliance regimes rather than to innovation” (p.47)—and also the lack of effective international mechanisms to halt malicious activity by state and non-state actors in cyberspace.
Even for those who may be skeptical of international engagement and international law or norms in general, the Commission’s perception that international coordination is crucial should be persuasive. Many of the commissioners currently work for companies that are suffering the effects of the lack of international harmonization and instability caused by frequent cybersecurity incidents. In other words, they know whereof they speak.
While focused primarily on business concerns, the Commission’s recommendations are broadly supportive of the Obama Administration’s goal of “cyber stability.” In the U.N. Group of Governmental Experts and other fora, the Administration has made important progress in pushing forward agreement on the applicability of international law to cyberspace and on the establishment of peacetime norms of responsible behavior in cyberspace. Other countries have taken up the mantle as well. Just last month, the United Kingdom released its National Cyber Strategy 2016-2021, which recognizes that “[i]nternational cooperation on cyber issues has become an essential part of wider global economic and security debates.” The Strategy commits the United Kingdom to seek agreement on norms of responsible state behavior, the applicability of international law, and confidence- and capacity-building measures, among other international initiatives (pp. 63-64).
Progress at the international level may be slow and uneven. There are now and will continue to be serious questions about, for example, states’ compliance with norms and international law in cyberspace and the ability of even well-coordinated law enforcement efforts to deter cybercrime. Nonetheless, for all the reasons the nonpartisan, expert Commission explains (and some others besides), international coordination on cybersecurity is an effort well worth continuing.