U.S. needs a foreign policy for cyberspace for what is now a 'fragmented and dangerous internet,' report says
A task force formed by The Council on Foreign Relations has recommendations on what steps the U.S. should take.
The utopian vision of the internet is to allow open, reliable and secure communication worldwide. That will likely never happen, according to a new report from an independent task force the Council on Foreign Relations created. It calls for the creation of a new foreign policy for cyberspace for what is now “a fragmented and dangerous internet.”
Tuesday, July 12, the task force released its findings.
The report points to countries like Russia, China, Iran and North Korea that now “exert a greater degree of control over the internet, localizing data, blocking and moderating content and launching political influence campaigns.” It says, “Nation states conduct massive cyber campaigns, and the number of disruptive attacks is growing.”
All of this is making it more dangerous for the U.S. to operate in cyberspace. The dark web is a marketplace for vandalism, theft and extortion, according to the report. This is critical because the modern internet is the main artery of global digital trade.
Here are the main findings:
- The era of the global internet is over.
- U.S. policies promoting an open, global internet have failed, and Washington will be unable to stop or reverse the trend toward fragmentation.
- Data is a source of geopolitical power and competition and is seen as central to economic and national security.
- The United States has taken itself out of the game on digital trade, and the continued failure to adopt comprehensive privacy and data protection rules at home undercuts Washington’s ability to lead abroad.
- Increased digitization increases vulnerability, given that nearly every aspect of business and statecraft is exposed to disruption, theft or manipulation.
- Most cyberattacks that violate sovereignty remain below the threshold for the use of force or armed attack. These breaches are generally used for espionage, political advantage, and international statecraft, with the most damaging attacks undermining trust and confidence in social, political and economic institutions.
- Cybercrime is a national security risk, and ransomware attacks on hospitals, schools, businesses and local governments should be seen as such.
- The United States can no longer treat cyber and information operations as two separate domains.
- Artificial intelligence (AI) and other new technologies will increase strategic instability.
- The United States has failed to impose sufficient costs on attackers.
- Norms are more useful in binding friends together than in constraining adversaries.
- Indictments and sanctions have been ineffective in stopping state-backed hackers.
There is an urgency
Former U.S. Representative from Texas and CFR member Will Hurd served on the task force. If we act on these recommendations now, “the best-case scenario is we’re tied with China — and that’s the best case,” he says. “The only way we’re going to compete with a country that’s four times our size that has an industry policy focus on this is if we improve our collaboration in the public and private sectors.”
Hurd says private companies need to put their swords down and work together, so the U.S. is not left behind.
What can the U.S. do about it?
The task force proposes a three-pronged approach to a foreign policy that it says should guide Washington’s adaptation to today’s “more complex, variegated and dangerous cyber realm.”
- Consider a coalition of allies around a vision of the internet
- Balance more targeted diplomatic and economic pressure on adversaries, as well as more disruptive cyber operations
- The U.S. needs to put its own proverbial house in order by linking more cohesively its policy for digital competition with the broader enterprise of national security strategy
Here are the major recommendations of the task force:
- Build a digital trade agreement among trusted partners.
- Agree to and adopt a shared policy on digital privacy that is interoperable with Europe’s General Data Protection Regulation (GDPR).
- Resolve outstanding issues on U.S.-European Union (EU) data transfers.
- Create an international cybercrime center.
- Launch a focused program for cyber aid and infrastructure development.
- Work jointly across partners to retain technology superiority.
- Declare norms against destructive attacks on election and financial systems.
- Negotiate with adversaries to establish limits on cyber operations directed at nuclear command, control, and communications (NC3) systems.
- Develop coalition-wide practices for the Vulnerabilities Equities Process (VEP).
- Adopt greater transparency about defend forward actions.
- Hold states accountable for malicious activity emanating from their territories.
- Make digital competition a pillar of the national security strategy.
- Clean up U.S. cyberspace by offering incentives for internet service providers (ISPs) and cloud providers to reduce malicious activity within their infrastructure.
- Address the domestic intelligence gap.
- Promote the exchange of and collaboration among talent from trusted partners.
- Develop the expertise for cyber foreign policy.
According to task force Co-Chair Jami Miscik, the Russia-Ukraine issue has changed the equation for many countries that were sitting on the fence. “Do you want to side with the rule of law, trusted dataflows and the like?” she posits. “And I think you’re going to see more countries maybe leave the fence and go into what we talk about in the report which is this trusted coalition of like-minded countries based on standards and rules of law as opposed to forms of government.”
What could push the U.S. administration farther along may be public fear. Hurd says people are getting fed up with things like the Colonial Pipeline ransomware attack and attempts to kill people through water supply hacks, like what was done in South Florida.
“Somebody tried to poison the water and the dude that was eating his lunch at 2 a.m. saw the red flashing light and solved the problem,” he says. “I think that made it real to people.”