The Digital Domain’s Inconvenient Truth: Norms are Not the Answer

To say the last week has been a worrisome one for any current or former federal government employees is a vast understatement. Now, with this weekend’s revelations that the data stolen in the OPM breach potentially included SF-86 forms as well—the extraordinarily detailed forms required to obtain a security clearance—almost every American is in fact indirectly impacted, whether they realize it or not.  As China’s repository of data on United States citizens continues to grow, it’s time that the United States adjusts its foreign digital policy to reflect modern realities. Despite this latest massive digital espionage, the United States continues to pursue a policy based largely on installing global norms of appropriate behavior in cyberspace, the success of which depends on all actors playing by the same rules. Norms only work when all relevant actors adhere to and commit to them, and the OPM breach, as well as other recent breaches by Russia, North Korea, and Iran, confirms that each state is playing by their own playbook for appropriate behavior in the digital domain. The U.S. needs to adopt a new approach to digital policy, or else this collective-action problem will continue to plague us for the foreseeable future. Global norms are not the silver bullet that many claim.

The Problem with Norms in a Multi-Polar International System

In recent testimony before Congress, the State Department Coordinator for Cyber Policy, Christopher Painter, outlined the key tenets of US foreign policy in the cyber domain. During this testimony, he highlighted security and cybercrime, with norms as a key approach to tackling that issue. He explicated the following four key tenets (abridged) on which global norms should be based:

1. States cannot conduct online activity that damages critical infrastructure.

2. States cannot prevent CSIRTs from responding to cyber incidents.

3. States should cooperate in investigations of online criminal activity by non-state actors.

4. States should not support the theft of IP information, including that which provides competitive advantage to commercial entities.

While these are all valid pursuits, the OPM breach confirms the age-old tenet that states are self-interested, and therefore are quite simply not going to adhere to the set of norms that the United States seeks to instill. The United States government is not the only one calling for “norms of responsible behavior to achieve global strategic stability”. Microsoft recently released a report entitled International Cybersecurity Norms, while one of the most prominent international relations academics has written about Cultivating International Cyber Norms. Rather than focusing on norms, policy for the digital domain must reflect economic, political, military and diplomatic realities of international relations. It should not be viewed as a stove-piped arena for cooperation and conflict across state and non-state actors. For example, the omnipresent tensions in the South China Sea are indicative of China’s larger, cross-domain global strategy. Russian rhetoric and activities in Eastern Europe similarly are a source of great consternation, with the digital espionage a key aspect of Russia’s foreign policy behavior. These cross-domain issues absolutely spill over into the digital domain and therefore hinder the chance that norms will be successful. These tensions are exacerbated by completely orthogonal perspectives on the desired digital end-state of many authoritarian regimes, which focuses on the notion of cyber sovereignty. These issues are further confounded when these states continue to maintain an economic system predicated on state-owned enterprises, which are essentially an extension of the state, meaning that IP theft directly supports the government and their favorite quasi-commercial entities. Finally, the notion of credible commitments is again an essential factor in norm distribution. Because of the surveillance revelations of recent years, other states remain cautious and dubious that the United States will also adhere to these norms. This lack of trust only exacerbates distrust against the set of norms that the United States is advocating.

Towards a New Approach: Change the Risk Calculus for the Adversary

Instead of a norms-based approach, formal, multi-actor models that focus on calculating the risks and opportunities of actions from an adversary’sperspective could greatly contribute to more creative (and potentially deterrent) policies. Thomas Schelling’s research on bargaining and strategy is emblematic of this approach, expanding on the interdependence and the strategic interplay that occurs between actors. Mancur Olson’s work on collective action similarly remains especially applicable when pursuing policies that require adherence by all actors within a group. These frameworks account for the preferences of multiple actors in a decision-making process and help identify the probability of preferences across a spectrum of options. If done well, incorporating multi-actor preferences not only provides insights into why some actors pursue policies or activities that seem irrational to others, but it also forces the analyst or policymaker to view the range of preferred outcomes from the adversary’s perspective. Multi-actor models advocate for a strong understanding of activities that can favorably impact the expected utility and risk calculus of adversaries. The United States has taken some steps in this direction, and it should increasingly rely on policies that raise the costs of a breach for the adversary. For example, the indictment of the five PLA officers last year is a positive signal that digital intrusions will incur punishment. In addition to punitive legal responses targeted at adversaries, greater technical capabilities that hunt the adversaries within the network can also raise the cost of an intrusion. If the cost of entry outweighs the benefits, adversaries will be much less likely to attack at will. Until then, attackers will steal information without any fear of retribution or retaliation and the digital domain will remain anarchic. Finally, instead of focusing on global norms that give the competitive advantage to those who do not cooperate, digital cooperation should be geared toward allies, encouraging the synchronization of similar punitive legislation and responses in light of an attack. In this regard, cooperation can reinforce collective security, and focus on enabling the capabilities of allied states, not limiting those capabilities to allow adversaries the upper hand.

The United States continues to pursue policies that require global support and commitment in order to be effective, rather than focusing on changing the risk calculus for the adversary. The OPM breach—one that affects almost all former and current federal employees and their contacts and colleagues throughout their lives—is evidence that other states play by a different playbook. While the U.S. should continue its efforts to shape the digital domain as one that fosters economic development, transparency, equality and democracy, the reality is that those views are not shared by some of the most powerful states in the global community. Until that inconvenient truth is integrated into policy, states and state-affiliated groups will continue to compile an ever-expanding database of U.S. personnel and trade secrets, which not only impacts national security, but also the economic competitiveness on which that security is built.