Nine years ago, a Council on Foreign Relations-sponsored independent task force published a report on U.S. cyber policy entitled Defending an Open, Global, Secure, and Resilient Internet. Last month, CFR issued the report of a new task force, Confronting Reality in Cyberspace: Foreign Policy for a Fragmented Internet. (I was project director for both reports.) The 2013 report was CFR's first attempt to introduce those in the foreign policy community who were unfamiliar with the politics of cyberspace to the most pressing issues. It explained how the increasing fragmentation of the internet and the rising threat of cyberattacks negatively affected U.S. interests, and it covered many of the concepts that have shaped U.S. cyber policy for the past two decades: deterrence, norm building, cyber alliances, digital trade agreements, information sharing, and public-private partnerships. Conversely, the 2022 report moved past the prior discussions around the importance of digital technologies, instead aiming to shift the debate on what the United States should try to accomplish in cyberspace. The 2022 report's focus is narrower, highlighting foreign policy tools and spending less time on areas like domestic authorities or workforce training. Reading the two in tandem is a reminder of how high public expectations were for what Washington could accomplish in cyberspace. It also illustrates how significantly the United States' position in cyberspace has worsened over the past decade.
The new report's headline finding immediately tells the story: The era of the global internet is over. The internet is more fragmented, less free, and more dangerous. U.S. policymakers have long assumed that the global, open internet served American strategic, economic, political, and foreign policy interests. They believed that authoritarian, closed systems would struggle to hold back the challenges, both domestic and international, that a global network would present. This has not proved to be the case. Freedom House, which tracks internet freedom across the world, has seen sustained declines in empirical measures of internet freedom, especially in Asia and the Middle East, for over a decade. More states are launching political influence campaigns, hacking the accounts of activists and dissidents, and sometimes targeting vulnerable minority populations. A growing number of states choose to disconnect entirely from the global internet. According to Access Now, at least 182 internet shutdowns across 34 countries occurred in 2021, compared with 196 cases across 25 countries in 2018.
In addition, the early advantages in technology, cyber operations, and diplomatic engagement the United States and its allies held in cyberspace over their adversaries have largely disappeared. The United States is asymmetrically vulnerable because of high levels of digitization and strong protections for free speech. U.S. adversaries, especially China, have adapted more rapidly than anticipated. These rivals have a clear vision of their goals in cyberspace, developing and implementing strategies in pursuit of their interests, and have made it more difficult for the United States to operate unchallenged in this domain.
The optimism of the earlier task force, in both the benefits of the open internet and the United States' ability to shape cyberspace, is notable. While the 2013 CFR report flags the increasing fragmentation of the internet, it stated that the United States has benefited immensely from a digital infrastructure that is relatively open, global, secure, and resilient. The report highlighted the global strengths of the U.S. information and communications technology sector, and listed the many political, economic, social, and personal benefits it sees as flowing from an open internet. The report relays many examples of digital technologies supporting entrepreneurship in developing economies, expanding new forms of social and political activism, and empowering marginalized communities. It is, however, blind to the threats to democracies and social cohesion posed by hostile, state-backed information operations and the spread of disinformation.
The 2013 task force was also more confident of the positive impact of public-private partnerships on U.S. cyber policy. The report, written before Edward Snowden revealed that the National Security Agency was collecting data from American technology firms, calls for collaboration with the private sector and nongovernmental organizations on a wide range of initiatives, including developing principles for a global security framework, promoting online freedom, increasing cyber resilience, and creating guidelines for the export of dual use technologies. In the wake of the Snowden disclosures, American firms (motivated by a sense of betrayal, a commitment to an open internet, and economic interest) responded by increasingly portraying themselves as global actors. They also tried to make it more difficult for U.S. agencies to collect data through legal challenges and the introduction of end-to-end encryption on smartphone operating systems and messaging apps. The bad feelings of that era have largely dissipated, with the private sector in many instances working very closely with the government on threat intel sharing and cyber defense. Still, that history, and the possibility that Congress could pass new legislation to constrain the power of the tech companies, is reflected in the 2022 report's hesitation to tie too many U.S. foreign policy goals directly to the private sector.
China is an important challenger in both reports, but the threat is framed more narrowly in the earlier report. The first task force was concerned primarily with Chinese cyber industrial espionage and Beijing's use of the Great Firewall to censor information and regulatory barriers to limit the competitiveness of American technology companies in the domestic economy. At the time of the 2013 report, China had not yet become a global supplier of 5G telecommunications hardware or developed TikTok, one of the world's most popular social media platforms; nor was it a competitor in emerging technologies such as artificial intelligence and quantum information sciences. Beijing was proclaiming the right to cyber sovereignty, but it had not yet developed an overlapping matrix of domestic data regulations, started to export its model of internet control to the global south, or increased its participation in international standard organizations in order to shape the next generation of technical standards.
In the decade since the first report, a destructive attack on critical infrastructure has become a more realistic threat. But the 2022 report, like its predecessor, is clear that the predominant risk of cyberattacks is not a potential cyber Pearl Harbor. Rather, most cyber operations have been attacks that violate sovereignty but remain below the threshold for the use of force or armed attack. These breaches are used for political advantage, espionage, and international statecraft, with the most damaging attacks undermining trust and confidence in social, political, and economic institutions.
Moreover, in the wake of the Colonial Pipeline attack, the 2022 report argues that cybercrime has become a standalone threat to national security. Ransomware attacks on hospitals, schools, and local governments have disrupted thousands of lives. The Conti ransomware group shut down the administrative body in Ireland charged with managing the national health-care system, disrupting critical health treatments. In 2019, a ransomware attack shut down the operations of a U.S. Coast Guard facility for 30 hours, and in May 2022, the new president of Costa Rica, Rodrigo Chaves Robles, declared a national emergency after a ransomware attack crippled the Finance and Labor Ministry as well as the customs agency.
The reports offer a similar set of policy recommendations but drastically different expectations on outcomes. The 2013 report argues that "[n]ow is the time for the United States, with its friends and allies, to ensure the Internet remains an open, global, secure, and resilient environment for users." The 2022 report also envisions a cyber foreign policy of the like-minded but contends that the utopian vision of an open, reliable, and secure global network has not been achieved and is unlikely ever to be realized. Instead of pursuing that goal, the United States should consolidate a coalition of allies and friends around a vision of the internet that preserves, to the greatest degree possible, a trusted, protected international communication platform. Members of the coalition would develop a common understanding of the legitimate use of government surveillance, law enforcement access to data, and industrial policies; share best practices on technology regulation; work to forge a trusted supply chain for digital goods and services; and coordinate on international standards.
Digital trade agreements would be central to the coalition. There are several models that can be built upon, including the Economic Partnership Agreement between Japan and the European Union and the Digital Economy Partnership Agreement between Chile, New Zealand, and Singapore. Broadly these agreements remove tariffs on digital goods and eliminate nontariff barriers to digital trade. They also prohibit the localization requirements for computing facilities, cloud services, or data analysis motivated by anti-competitive or protectionist purposes; and they ban requirements to turn over to the government source code, algorithms, or related intellectual property rights. Moving forward, new provisions should address the concerns of workers and consumers, including those that promote digital inclusiveness, strengthen consumer confidence and trust, and protect personal information.
Both reports focus on the development of norms of responsible state behavior in cyberspace. The 2013 report calls for the leading nations to agree on a set of norms for activity and engagement in cyberspace. The 2022 report (looking back at the development of norms at the United Nations, the 2015 agreement on cyber industrial espionage between China and the United States, and the growing use of attribution, criminal indictments, and sanctions against Russian, Chinese, North Korean, and Iranian hackers) contends that norms are more useful in binding friends together than in constraining adversaries. Major actors have flouted the norms endorsed by the U.N., and China returned to cyber industrial espionage after a year-long hiatus.
The 2022 report does not eschew norm development completely. Rather, it suggests three norms that states may adopt out of self-interest because they could help prevent unintended and catastrophic outcomes. After consultation with allies and friends, Washington would announce an initial set of standards for self-restraint in cyberspace. Along with repeating commitments to abide by international law, including international humanitarian law and the laws of armed conflict, officials should state that the United States will refrain from destructive attacks on election infrastructure and the international financial system. And while promoting these norms, the United States and its partners should prepare for a violation of these standards by increasing the resilience and redundancy of these critical systems.
In addition, the United States has a strong shared interest in working with potential adversaries to prevent cyberattacks from worsening or creating a nuclear crisis. During a conventional conflict, states could be tempted to use cyberattacks to try to neutralize nuclear threats. These actions, however, would be highly destabilizing. Cyberattacks on nuclear command, control, and communication (NC3) systems could lead to incentives for states to launch nuclear weapons preemptively if they feared that they could lose their second-strike capability. Intelligence gathering could be interpreted by the defender as an effort to degrade nuclear capabilities. These risks are rising as modern NC3 systems come to depend more heavily on digital infrastructure.
The United States should enter into discussions with China and Russia about limiting all types of cyber operations against NC3 systems on land and in space. In the wake of the Russian invasion of Ukraine and the growing geopolitical competition between the United States and China, the spaces for cooperation between Washington and Moscow and Washington and Beijing are extremely narrow. Declarations of self-restraint can function as confidence-building measures, perhaps bridging the trust gap. U.S. policymakers should make clear that they are entering discussions with their Chinese and Russian counterparts because understandings on cyber operations and nuclear command and control are a shared interest among the three powers in preventing catastrophic outcomes.
Both reports agree that the United States cannot lead in cyberspace without addressing outstanding issues at home. While there are diverse priorities (the earlier report was written as the Obama administration was considering legislation on threat information sharing, and the latter argues for the necessity of national privacy laws), both reports stress the role congressional action has in shaping and amplifying U.S. influence on global cyberspace. Both call for digital and cyber policies to be better integrated into national strategies; to clean up domestic cyberspace through new authorities and regulations; and to establish a cyber bureau in the State Department, overseen by a Senate-confirmed cyber ambassador. (A week before the 2022 report was published, Nate Fick, the task force co-chair, was nominated by President Biden to serve as ambassador at large for cyberspace and digital policy.)
Not surprisingly, the conclusions of the two reports hit divergent notes. The 2013 report, assuming that the United States still retains significant will and capabilities to shape global cyberspace, focuses on the trade-offs among privacy, security, openness, innovation, and the protection of intellectual property inherent in any digital policy. As long as policymakers are proactive, the United States can exert a positive influence on cyberspace by working to convince the next wave of users that an open and global internet is in all of our interests. The 2022 report is more circumspect. The goals are, in the language of the report, more limited and more realistic. Moreover, there is real doubt that the United States can and will move resolutely and quickly enough, especially on domestic legislation.
Perhaps the biggest takeaway from reading the two reports is a sense of lost possibility and influence. Just a decade ago, the United States seemed uniquely positioned to exploit the openness of the internet for political, economic, and strategic gain. Today, the United States' position is much more precarious. Adversaries benefit from a more fragmented, more dangerous cyberspace, and the United States must work actively to preserve the benefits of the open internet among a smaller number of like-minded countries.