WASHINGTON: The Trump administration is wooing a broad coalition of “like-minded” nations to join a US-led “deterrence initiative” that includes collective response to malicious cyber activities by China, Russia, Iran and North Korea, says Robert Strayer, deputy assistant secretary of state for cyber and international communications and information policy.
“If we don’t stand together to defend our vision and values online, they will continue to be undermined,” he told the Atlantic Council’s annual cyber engagement conference yesterday.
This may be harder to do than Washington thinks, however. While most of the so-called Five Eyes allies (those with which the US shares high-level intelligence) express support for the idea of cooperation on “norms enforcement,” other countries are more skeptical.
For example, Singapore cyber czar David Koh instead called for the major powers to work harder to reach consensus about how to implement norms and the “rule of law” in cyberspace. He chided: “A world where right makes right spells disaster for us and other small countries, maybe even middle powers.” He added, “We have a saying in Asia: when the elephants fight, the ants get smashed.”
Strayer explained that Washington wants to “build coalition of like-minded nations not just to impose attribution” (that is, name and shame bad actors) but also to ‘do’ consequences together. He noted that sanctions imposed on bad actors are much stronger if there is a large coalition behind them, rather than if imposed by a single country.
In the September 2018 National Cyber Strategy, the Trump administration recognized that it’s “not enough just to have norms,” Strayer said, but that nations need to be held accountable for actions that violate those norms. The administration is trying to convince allies and friendly nations to engage in collective response in order to “establish the legitimacy” of those norms.
Christopher Painter, cyber czar at the State Department under Obama, agrees on the need for states to respond to norms violations. “I agree we need to do it, or we embolden (bad actors) to do more — creating a norm, if you will, of inaction,” he told me. “I also think it is better to do this collectively with other countries. It’s more powerful and has more legitimacy despite the difficulties getting coalitions of countries to act.”
Strayer and his Western colleagues speaking at the conference panel on “Enforcing Norms” agreed that the set of norms agreed in 2015 by the UN Group of Governmental Experts on cybersecurity issues forms a baseline normative regime that can, and should, be enforced. The problem, they said, is that certain nations (read Strayer’s list) are now “walking back” from those commitments.
Timo Koster, Netherlands ambassador-at-large for security policy & cyber, said his country had come to the conclusion that “soft tools are not enough to influence state behavior.” Rather, he said, some framework is needed to “both overtly and covertly react to malicious behavior by attribution and naming and shaming.” That said, he cautioned that the strong US focus on deterrence “is a little bit premature.” He stressed that there needs to be a continuum of response to malicious cyber intrusions that includes everything from ensuring resiliency to diplomacy. Koster’s remarks reflect the fact that NATO has yet to really nail down its agreed response to even serious cyber attacks, as colleague Sydney has reported in detail.
Manon Le Blanc, senior policy officer for cyber at the European External Action Service (the EU’s foreign service), likewise said that the European Union’s response framework includes a broad array of potential reactions to negative cyber behavior. Thus, she explained, the EU would not always seek to “impose costs” on norm breakers; rather the “diplomatic toolkit” includes “talks about normative behavior” with violators in hopes of changing minds.
Koh, however, veered from the Western consensus slightly to suggest that the high-level norms agreed so far are simply not detailed enough, and called for more work at the UN to establish a global understanding of the “rule of law” for the cybersphere. However, he acknowledged that the application of international law to the cyber domain is controversial — so he recommended that nations need to work together to “build common understanding” of the rules of the road and then build the “technical capacity to implement them.”
As an aside, discerning readers might ponder the US call to arms for publicly chastising norm breakers in the cyber domain in the light of Washington’s conspicuous silence following India’s norm-busting March 27 anti-satellite weapons test. Is the Trump administration signaling that there should be one ‘likeminded’ reaction to norms violations by US adversaries, and another for allies and friends? Maybe the cyber and space policy gurus aren’t communicating? Or perhaps consistency is just the hobgoblin of little minds.