Conflict and Negotiation in Cyberspace

This report looks at the political-military aspects of cybersecurity and attempts to place it in the larger context of international security. Networks are embedded in our economies and our political and social life. They have become the central tool for human activity. These networks form cyberspace. They hold information of immense value, and they control the machinery that provides critical services. They create immense economic benefit, but they are also a major source of risk to nations. Governments have been hesitant to interfere with the golden economic machine, and the result is a weakly governed space, much like a failed state or contested terrain.

Because of the newness of technology, the lack of explicit agreement among states, and rampant cyber espionage and cybercrime, this unstable environment invites miscalculation, misinterpretation, and inadvertent escalation of conflict. Changing this requires identifying which instruments of statecraft are most effective and where we may need new institutions, norms, and laws. Progress in cybersecurity requires manipulating complex international processes to change what governments consider as acceptable national behavior in cyberspace.

Cybersecurity has been an issue for national security since the 1990s, but the U.S. response has been ad hoc and reactive, marked by uncertainty over how to deal with a major new problem for international security. This report identifies six principles that should guide the United States in developing a strategic approach:

1. Cyberspace is not a unique environment. States will behave in this environment as they would in any other.
2. We cannot “disarm” in cyberspace, and there will be no “global zero” for a cyberattack.
3. We have entered a period of sustained, low-level competition for influence where opponents’ miscalculations and misperceptions are a source of risk to the United States.
4. U.S. interests are best served by embedding cyberattack and cyber espionage in the existing framework of international law, and long-term U.S. interests are best served by winning international agreement to this.
5. America’s immediate goal in negotiation should be to increase the risks of launching a cyberattack or engaging in malicious cyber activity for both state and nonstate opponents.
6. There is a limit to what negotiation can achieve in reducing risk; there will always be risk. The U.S. goal should be to decrease and bound this risk as part of its larger efforts to strengthen international security.