Cyberspace is the old American wild west with no real sheriff.
Three quarters of a century ago, a new technology with multiple uses, benign and malign, literally burst on the world scene. The question was how governments could encourage what was viewed as desirable and discourage what was not. This meant trying to limit the number of countries possessing nuclear weapons, negotiating quantitative and qualitative limits on the arsenals of those countries that did, and allowing countries to develop nuclear energy programs for peaceful purposes under conditions meant to provide confidence that they were not a stealth means of producing weapons.
It turns out the challenge has proven to be at least partly manageable. The number of countries with nuclear weapons has been limited to nine and no weapon has been detonated. Building and operating nuclear weapons and nuclear power plants are demanding undertakings that require significant resources, access to technology, advanced manufacturing skills, and space. Only a few governments are capable of doing such things on their own; most require assistance from another government. Nuclear programs (or indications of them) tend to be observable. Confidence is high that attacks using nuclear weapons could be traced back to their origin, something that would invite retaliation and, as a result, discourage an attack in the first place.
Managing the challenge posed by this era’s new technology, cyber, promises to be more difficult. There are now billions of actors, as it takes no more than access to a cell phone or tablet or computer connected to the Internet. The Internet plays an incomparably larger global role in the civilian or commercial economy than does nuclear energy, a reality that make restricting the spread of technologies all but impossible. Not just governments but groups of a few talented individuals can have real impact. Attacks can often be carried out in a manner that disguises those responsible, which makes retaliation and hence deterrence far more difficult.
Against this complex backdrop, some arrangements for operating cyberspace have emerged, largely from the bottom up, by the efforts of and interactions among individuals, civil society, corporations, and governments. This “multistakeholder” process is the closest thing there is to a governing example of Adam Smith’s “invisible hand.”
This era seems to have run its course, or at least run into strong headwinds. Cyberspace increasingly resembles nothing so much as the old American Wild West with no real sheriff. There are few if any rules preventing or even limiting disruptive operations, the theft of intellectual property, violations of privacy, and government censorship—and even when there are rules, there are few means for enforcing them.
This is not to suggest a total absence of multilateral arrangements. ICANN, the Internet Corporation for Assigned Names and Numbers, was established in 1998 and has acted as the Internet’s coordinator. There have been international gatherings and some agreements to combat cybercrime, facilitate commerce, advance human rights, and protect privacy over the Internet. China and the United States agreed in September 2015 not to steal intellectual property, something China had been doing extensively.
But there were at least as many steps backward as forward. Attacks to deny service and disrupt specific activities and operations have been carried out with increasing frequency. North Korea, unhappy with a movie, attacked SONY; Russia, unhappy with the prospect that Hillary Clinton could be elected president, did what it could to access and release confidential communications that would weaken her prospects.
The goal should be to create international arrangements—a “regime” in academic jargon—that would encourage certain uses of cyberspace and discourage others. Governments should be persuaded or pressured to accept the obligation to act consistently with this regime and to do all in their power to stop those acting from its territory who do not. Needed are agreements in practice, not just in principle.
Ideally, there would be a single, integrated linked system. It would limit what governments could do to stop the free flow of information and communication, prohibit commercial espionage and theft of intellectual property, and severely constrain what could be done over cyberspace in peacetime to interfere with or disrupt either civilian or military systems that depend on cyberspace, as virtually all systems now do. Exceptions would need to allow for cyberattacks to frustrate both proliferation and terrorism. The aim would also be to establish the cyber equivalent of the terrorism standard: governments would be expected not just to live up to agreed-upon behaviors but also to make sure that no third party carried out prohibited actions from their territory and that any party discovered to be so doing would be stopped and penalized.
Forging even limited consensus on these principles would take enormous effort, as would garnering agreement on what, if any, exceptions ought to be allowed and what should be done if and when the principles were violated. Achieving an Internet that is “open, interoperable, secure, and reliable,” as the United States announced in 2011, is a long ways off.
What could add to the challenge is that resistance to establishing global rules may not just come from Russia, China, and other relatively closed countries; indeed, it may also come from the United States. Indeed, just where and how “America First” and cyberspace intersect remains to be seen. In the meantime, this country will need policies and programs to increase deterrence, reduce its vulnerability, and bolster its resilience.
Richard Haass is the president of the Council on Foreign Relations and author of A World in Disarray: American Foreign Policy and the Crisis of the Old Order.