New U.S. Cybersecurity Strategies
The United States was one of the first countries to treat cybersecurity as a matter of strategic importance. The terrorist attacks on September 11, 2001, as well as the growing threat to the economy, which was becoming increasingly dependent on ICT, forced the George W. Bush administration to reassess the task of securing critical infrastructure facilities. The required an integrated approach, which duly emerged with the publication of the National Strategy to Secure Cyberspace.
President Barack Obama announced cybersecurity as one of the most important tasks facing the U.S. government. Another task was to develop the new opportunities afforded by cyberspace and harness them for the purposes of serving national interests. The Cyber Space Policy Review was developed and presented in 2009. It contains an analysis of the existing cybersecurity system, as well as a plan for its transformation with a view to providing better cyber defence of the United States. In 2011, the United States published its International Strategy for Cyberspace, the goal of which is to create a unified platform for international cooperation in cyberspace on the basis of U.S. approaches to cybersecurity. The position of Senior Coordinator for Cyber Issues was created at the U.S. Department of State to promote the country’s cybersecurity policy. An interesting feature of the International Strategy for Cyberspace was the emphasis on so-called “capacity-building,” specifically on rendering assistance to developing countries through the provision of the necessary resources, knowledge and experts, including with a view to these countries developing their own national cybersecurity strategies.
In contrast to the George W. Bush era, U.S. representatives played an active role in preparing the report of the United Nations Groups of Governmental Experts in 2010. In 2011–2013, a number of summit-level bilateral negotiations on cybersecurity issues were held, primarily between Russia and China, during which there was an attempt to develop the “rules of the game” for leading powers in this new sphere of international relations. The high point in U.S.–Russia relations was the singing of the Joint Statement by the Presidents of the United States of America and the Russian Federation on a New Field of Cooperation in Confidence Building in 2013. The document also outlined cooperation measures in the protection of critical information systems and mechanisms for reducing cyberthreats. Unfortunately, all agreements were frozen following the outbreak of the Ukrainian crisis. And they cannot be considered tenable under current conditions, as all attempts to bring them back to life have failed.
Donald Trump: America First
The new Strategy is a logical continuation of the policy of recent years and is now enshrined at the doctrinal level. As we have already mentioned, it resembles the policy of George W. Bush more than that of Barack Obama, although it does borrow from and refine some points of the latter’s strategy to meet current needs. The first thing that catches the eye about the new Cyber Strategy is that is forms an image of an external threat to freedom and democracy and focuses on ensuring peace through strength. The Strategy repeatedly mentions the main opponents – Russia, China, Iran, North Korea and international terrorism.
The policy outlined in the document is based on four pillars: protecting the American people, the homeland and the American way of life; promoting American prosperity; preserving peace through strength; and advancing American influence. In some areas, you can find specific examples of recent events that formed the basis of a new policy that could affect both U.S. policy and international relations in ICT security in general.
The main objective of the first pillar of the new Strategy is to manage cybersecurity risks in order to improve the reliability and sustainability of information systems, including critical facilities. One of the new elements of domestic policy is the development of a risk management system in the Federal supply chain that would include, among other things, determining clear authority to exclude (in individual cases) supposedly risky vendors, products and services. These actions will be combined with efforts to manage risks in supply chains connected with the country’s infrastructure. The level of risk associated with using a specific vendor’s product should be determined on a case-by-case basis. At the same time, examples of similar policies allow us to state with confidence that, as far as the United States is concerned, the main unreliable vendors are located in Russia and China. Given the growing trade and economic standoff between the United States and China, the next logical step could be a ban on the use of Chinese components in government agency servers, just like what happened with Kaspersky Lab. This may very well be followed by an embargo of Chinese components by major companies and at critical infrastructure facilities. At the same time, the United States will promote the development of the internet and an open, compatible, reliable and secure communications infrastructure that will increase the competitiveness of American companies and help them counter the economic interference of other countries in areas of strategic competition.
The new Strategy focuses on improving cybersecurity in the transport and maritime infrastructure, as well as in space. The modernization of these sectors makes them more vulnerable to cyberattacks. The safety of maritime transport is particular concern, as transport delays or cancellations could disrupt the economy at strategic and lower dependent levels. The NotPetya malware attack that cost the logistics company Maersk a total of $300 million in 2017 as a result of a violation of its operating activities drew attention to the problems in this area. In response, the United States plans to establish the necessary roles and areas of responsibility, promote improved mechanisms of international cooperation and information exchange and help create a next-generation maritime infrastructure that is resistant to cyberthreats. It is possible that the maritime infrastructure of other states that participate in international maritime trade may, under the pretext of noncompliance with American standards, be deemed “unsafe” (for example, liquified natural gas terminals or ports along the Northern Sea Route).
Another important element of the policy outlined in the new Strategy is the modernization of legislation in electronic surveillance and computer crime. The United States is expected to update its legislation in these areas in order to expand the power of law enforcement agencies to legally collect evidence relating criminal activity and carry out further operational, investigative and judicial activities. Evidence may be collected outside the United States. In the past, these activities were carried out under so-called mutual legal assistance treaties, including the Budapest Convention on Cybercrime. However, the CLOUD Act adopted this year gives law enforcement agencies considerable powers to obtain information stored in the servers of U.S. companies operating outside the country. As a result, countries are no longer required to enter into mutual legal assistance treaties and inform other states that they are carrying out investigative activities in their territory. Interestingly, while the new Cyber Strategy contains statements about rejecting censorship on the internet and adhering to a free and open cyberspace, it also instructs law enforcement agencies to work with the private sector to overcome technological barriers, for example anonymization and encryption technologies, that are used to ensure this much-touted “freedom of the internet.”
The Strategy places considerable emphasis on actions aimed at expanding U.S. influence around the world. One of these areas is developing the capacities of partner countries to counter cybercrime. When U.S. law enforcement agencies issue a request for assistance, the country in question has to possess the appropriate technical capacity. Despite the fundamental problems of the Budapest Convention on Cybercrime (the lack of development and the threat of state sovereignty being violated), the U.S. Administration will work to increase the international consensus with regard to it. The UN draft resolution “On Cooperation in the Field of Countering Information Crime” put forward by Russia has not even been critically evaluated.
Peace through Strength
The United States is prepared to use all available tools of national power, including military force, to deter opponents from malicious acts in cyberspace that threaten its national interests, allies and partners.
The mechanism for determining the degree of “malicious intent” of actors in cyberspace will be based on the American interpretation of the provisions of international law and the voluntary non-binding norms of the responsible behaviour of states in cyberspace. These norms were developed by a UN Group of Governmental Experts in 2015 and were intended to define the limits of acceptable behaviour of all states and contribute to greater predictability and stability in cyberspace. The United States will encourage other countries to publicly adopt these principles and rules, which will form the basis for joint opposition to states that do not conform to them. In order to identify these states, the Executive Branch of the United States and the country’s key partners plan to share objective and relevant data obtained by their respective intelligence agencies. Obviously, in the context of the widespread use of public attribution, the unsubstantiated statements of a powerful state on the involvement of a given country in a cyber incident cannot lead to an escalation of tensions. There is no indication in any of the documents of the international legal mechanisms that may be created for the legitimate investigation and judicial examination of cyber incidents, including those that, in the opinion of the United States, may be considered an armed attack.
At the same time, work is under way on the establishment of possible consequences of irresponsible behaviour that causes damage to the United States and its partners. The United States expects to build strategic partner relations that will be crucial in terms of exerting influence on the “bad” actors in cyberspace. The Cyber Deterrence Initiative should be a key component of this: coordinating the general response of a broad coalition of likeminded states to serious malicious incidents in cyberspace, including through intelligence sharing, attribution, public statements of support and other joint actions. The United States Department of Defense will carry out similar work to consolidate and strengthen joint initiatives. In accordance with the Law on Budgetary Appropriations for National Defense, in 2018, the Department of Defense carried out a comprehensive review of military strategy in cyberspace and the possibilities for its implementation. The result was the publication of a new Department of Defense Cyber Strategy, many elements of which overlap with the National Cyber Strategy. In accordance with the provisions contained in the Department of Defense Cyber Strategy, the development of cyber capabilities intended for both military purposes and combatting malicious actors in cyberspace will be accelerated. The United States will be able to promote its interests through operations in cyberspace across the entire spectrum of conflict intensity, from daily operations to wartime, while cyber capabilities will be used proactively. This cannot but cause concern, especially considering the fact that Donald Trump has lifted many of the barriers to carrying out cyber operations and the Cyber Command has been given greater independence, becoming the Department of Defense’s 10th Unified Combatant Command
On the whole, the new cyber strategies are aimed at strengthening the power, increasing the influence and promoting the interests in the United States on the international stage. At the same time, Donald Trump’s pre-election campaign slogan of “America First” is being implemented on completely different levels – the promotion of American know-how and technologies and the rallying of allies and partners. Meanwhile, U.S. markets are closing themselves off under the pretext of national security to goods and services provided by companies from “unreliable” states. Similar steps by other states – for example, the requirement that personal information be stored on servers inside the country – are declared to be undermining the competitiveness of American companies.
As for the norms of behaviour in cyberspace developed by the UN Group of Governmental Experts, the United States will promote them and use them to its advantage. This will probably be done through public attribution without any serious evidence, which seems to be par for the course these days. This mechanism of marginalization will not lead to an increase in stability and security, given that it involves a coordinated response from the United States, not only by means of attribution, but also through (proactive) military action.
The Strategy does not outline plans for the creation of international legal mechanisms that could independently, objectively and with due competence carry out a legitimate investigation and make a court decision with regard to malicious acts in ICT. This means that the suspects are already known and there is no doubt as to their identity – Russia, China, Iran, North Korea and international terrorism. At the same time, the Strategy does not say anything about how we might overcome the current crisis situation. Instead, there is a clear signal that no mutually beneficial or mutually essential official contacts on information and cyber security have been planned for the near future. This means that the schism between the American and Russian–Chinese visions of the future ICT environment is only growing, which could lead to the eventual fragmentation of the ICT environment and the internet. Having said that, Russia and China do not want the situation to unfold in this way. This much is clear from the resolution submitted for consideration by the UN General Assembly entitled “Developments in the Field of Information and Telecommunications in the Context of International Security.” Traditionally, these resolutions serve to highlight current events in international information security and do not contain any significant declarations. However, this particular resolution calls on all states to follow the norms, rules and principles developed in 2015 and convene a meeting of the Group of Governmental Experts to address the issue of how to implement these norms.
Active work at the unofficial level (namely, track one and a half diplomacy) at various international forums and other platforms could also help overcome the current crisis. Restoring relations should start with steps to re-establish mutual trust, perhaps through participation in projects involving a number of international players. Moreover, given the political will, the sides could focus on solving problems in a manner that is in the interests of both states.
First published in our partner RIAC