The Council on Foreign Relations is launching a new set of Policy Briefs on cybersecurity policy – it published my contribution today. My brief responds to recent suggestions that the U.S. should promote norms to better secure cyberspace. This is a laudable objective. However, my brief uses findings from political science to argue that it will be hard for the U.S. to shape norms without making major changes to other aspects of their policy.
Why would the U.S. want to create norms to foster cybersecurity?
There are two plausible reasons. First, as Admiral Michael Rogers, the head of the NSA and Cyber Command has argued, norms create a basic structure for international political relations. If, for example, the U.S. is to deter cyberattack from other countries, and vice versa, all the countries involved need to reach a common agreement on basic questions such as what cyberattacks are, when they are acceptable and when not acceptable, and so on. Creating this kind of common understanding takes a lot of hard work building common norms of acceptable and unacceptable behavior, as Emanuel Adler’s research on arms control during the Cold War demonstrates.
Second, sufficiently strong norms can delegitimize certain kinds of attacks. It would be unthinkable today for the U.S. to use nuclear weapons except in a truly dire situation where national survival was threatened. This wasn’t always the case, as Nina Tannenwald has argued. Nuclear weapons initially seemed like a more powerful version of traditional weapons, until a normative “taboo” began to spring up around them. The reason why the U.S. would like to promote norms is that norms can determine both the acceptable limits of conflict, and the specific ways in which conflicts are conducted. Hence, norms can be incredibly powerful.
So how does one build norms if they’re so important?
Therein lies the problem. Norms work best when they are not the simple product of actors’ material self interest. Persuading people to accept norms involves getting them to accept the values that the norms imply. When actors have many shared values, norm building is easier. When actors have few shared values, then norm building is hard. Furthermore, if you want to persuade others to accept norms, you will have a hard time unless you are obviously and sincerely committed to those norms yourself.
This creates two linked problems for the U.S. First – many other important countries do not share U.S. values regarding cybersecurity. For example, the U.S. has sought to promote an open and robust Internet. Authoritarian and semi-authoritarian countries may view an open and robust Internet as a threat to the stability of their governments. They would prefer an Internet that was not open, and that can be easily compromised if necessary to shore up their regimes. As Jack Goldsmith and Tim Wu have argued, this makes it hard to build treaties on cyber-related questions. It also makes it hard to build norms – there are not many common values that the U.S. can appeal to.
Second – the U.S.’s own commitment to many of its values has been called into question. The Snowden revelations appear to show, for example, that the NSA has tried to compromise basic cryptographic standards that are required for an open and robust Internet to work. This makes it hard for the U.S. to be an effective advocate for its norms. Some degree of hypocrisy is tolerable in international politics when others can turn a blind eye to it. However, when one’s secrets have been leaked, other states may neither want to, nor be able to, ignore the difference between the U.S.’s lofty normative aspirations, and its self-interested behavior.
The result, all too often, is battles over norms where neither side is likely to persuade the other. For example, the U.S. and China are facing off over commercial cyber-espionage aimed to grab the trade secrets of firms located in other countries, and pass them on to one’s own businesses. The U.S. regards this as normatively unjustified, while other states regard it as an unexceptionable form of spying. The problem is that both sides’ position obviously stems from self interest. As Goldsmith says:
It is not surprising that the United States would seek to craft a nuanced rule about economic espionage that serves its interests. This happens all the time in international affairs. Nor is it surprising that so many nations are unimpressed with the United States’ attempt to limit the one form of economic espionage (theft of foreign corporate trade secrets to give to a local firm) that so obviously harms U.S. interests, especially since the United States engages in other forms of economic espionage.
So what options does the U.S. have?
In the brief, I argue that the U.S. needs to change its modus operandi if it wants to get serious about building norms in cyberspace. First, it has to internalize the norms that it wants to promote, so that, for example, it doesn’t itself engage in actions that might undermine an open and secure Internet. As Martha Finnemore and I have argued, the easiness of leaks means that hypocrisy is more costly than it used to be. If the U.S. wants to be taken seriously as a promoter of norms, it has to visibly abide by those norms too, even (and especially) in circumstances where abiding by the norms goes against its narrow self interest.
Second, it needs to rebuild bridges with other actors who are maybe better able to promote norms than the U.S. itself – activists and businesses. Activists for Internet openness have much higher credibility than the U.S., as matters stand today. Businesses’ commitment to Internet openness is more opportunistic – but they too have great power to shape norms, by shaping people’s everyday habits and understanding of what is possible and not possible in cyberspace. Building these bridges is very hard – activists and businesses distrust the U.S. administration, and especially distrust the parts of the administration most directly engaged in cybersecurity. Cybersecurity officials, for their part, feel angry at what they perceive as the trashing of norms that are basic and essential to national security. Getting these two sides even to talk to each other is hard. But if the U.S. is seriously committed to building norms in cyberspace, it’s going to have to start thinking about how to do this.