Cybersecurity Beyond U.S. Borders: Engaging Allies and Deterring Aggressors in Cyberspace

Report Cybersecurity

Cybersecurity Beyond U.S. Borders: Engaging Allies and Deterring Aggressors in Cyberspace

July 14, 2017 About an hour read Download Report
Inserra
Policy Analyst, Homeland Security and Cyber Policy, Douglas and Sarah Allison Center for Foreign Policy
David Inserra specializes in homeland security issues, including cyber and immigration policy as well as critical infrastructure.

Summary

Cyberspace is a unique realm that challenges the U.S. in multiple ways. These challenges include the cyber domain’s reach, speed, anonymous nature, and offense-dominated conflict. Given that cyberspace is an environment defined by ubiquity and anonymity and that cyberspace also has physical components and people located in different places around the world, international cybersecurity efforts are both important and difficult. Working together on cyber issues includes military cooperation with allies as well as working together to strengthen civilian cyber defenses to make hacking more difficult and less lucrative. Beyond cyber defense and offense, pushing and working with nations around the world to combat cybercrime and punish those who engage in aggressive cyber behavior themselves can help reduce the number of cyber attacks.

Key Takeaways

It is time that the U.S. build deeper ties and take greater action with nations that truly want to counter crime and economic espionage in cyberspace.

When faced with a particularly aggressive bad actor, the U.S. should raise the costs of hacking through various types of retaliation.

The U.S. needs to articulate a bolder strategy for how it will operate in the cyber domain.

Cyberspace is a domain that has revolutionized the world. Massive amounts of data can be communicated from device to device from the other side of the room or the other side of the world. The number of services that are now available to the average consumer through a personal computer, smartphone, or other device are truly mindboggling. Banking, ride or apartment sharing, dissemination of information and media, video sharing and conferencing, social media, entertainment and gaming, buying and selling of goods, and countless other online activities are now second nature to most Americans, not to mention billions of individuals elsewhere.

With such leaps in productivity and convenience has come the opportunity for hackers and certain nation states to abuse this domain to steal, undermine, destroy, or manipulate these systems and masses of data for their own purposes. Since this domain is spread across the world, bad actors in cyberspace can accomplish their goals from thousands of miles away. As a result, when considering cybersecurity policies, the U.S. cannot just think about its own laws, resources, and systems but must also consider what is occurring outside its territory. Indeed, the U.S. must engage with its allies and partners to craft solutions that cross borders, while using traditional tools of national power to retaliate against nations that harbor or engage in malicious cyber activity. Only through such U.S. leadership will cyberspace continue to be a domain that is sufficiently secure to continue to promote prosperity and liberty.

The Nature of Cyberspace

Cyberspace is a unique realm that challenges the U.S in multiple ways. Specifically, these challenges include the cyber domain’s reach, speed, anonymous nature, and offense-dominated conflict. Understanding the nature and challenges of this realm is important to understanding where and how the U.S. can take international action on cyber threats.

Cyberspace can be defined as “the manmade domain and information environment we create when we connect together all computers, wires, switches, routers, wireless devices, satellites, and other components that allow us to move large amounts of data at very fast speeds.”[REF] Cyberspace is distinguished by three unique features that not only support productive activities, but also can be used against the United States: Cyberspace is (1) ubiquitous, (2) anonymous, and (3) offense dominated.

1. Ubiquitous. Cyberspace is defined largely by its vast reach and the ability of an individual computer to communicate with any computer in the world.[REF] There were an estimated 2.6 billion smartphone users in 2014, and an estimated total of 6.4 billion cyberspace-connected devices known as the “Internet of things.”[REF] Each of these devices has the ability to access information and send or receive commands across the Internet, interacting with any number of other devices. As the most technologically advanced military in the world, the U.S. military makes use of cyberspace in numerous ways, profoundly changing the way the military operates. In addition to U.S. military capabilities, the U.S. homeland depends on 16 sectors of interdependent critical infrastructure, most of which are reliant on cyberspace. The Department of Homeland Security, together with other government agencies, is responsible for protecting them. Beyond military and critical infrastructure systems, hundreds of millions of individuals in the U.S., not to mention billions across the world, take advantage of cyberspace for social, political, financial, and business reasons.

2. Anonymous. Perhaps the most-remarked feature of cyberspace is its anonymity. It is difficult to discern the exact origin of a cyberspace attack. First, an attack must be noticed, which is not always immediate. Then, forensic analysis of the attack mechanism must be undertaken to pinpoint the source of the intrusion. Depending on the complexity or type of attack, this process could take a significant amount of time, and, even if the geographic origin of the attack is confirmed, it may be difficult to determine who is responsible. This problem is exacerbated by the ability of hackers to redirect their attacks through other locations. Yet, for all the difficulty ascribed to attributing cyber attacks, the “attribution problem” may be overstated. The ability to break through the anonymity of cyber attacks and hacks is improving as evidenced by multiple notable private-sector attribution reports.[REF] In some cases, a devastating cyber attack could be sourced by placing the attack in the context of other global affairs. Additionally, while any one hacking incident may be difficult to attribute, a series or campaign of hacks gives more data points with which to identify the attacker. Still, the attribution challenge and anonymous nature of cyberspace do complicate U.S. responses to cyber incidents.

3. Offense-Dominated. For multiple reasons, cyberspace is currently considered an offense-dominated domain. It is easier, cheaper, and generally more effective to engage in offense than in defense. Cyber action, though, which sometimes takes months to prepare, takes place at the blink of an eye, and the types of attacks are constantly changing. There are also millions of potential targets vulnerable to exploitation. The attacker has to find just one hole to exploit, making cyber aggression an appealing and cheap form of asymmetric warfare. This attracts a whole range of bad actors, from cybercriminals looking to get rich quick to nation-states looking for top secret information or vulnerabilities in another nation’s critical infrastructure or warfighting capabilities.[REF]

U.S. International Efforts on Cybersecurity

Given that cyberspace is an environment defined by ubiquity, anonymity, and offense-dominance and that cyberspace also has physical components and people located in different places around the world, international efforts on cybersecurity are both important and difficult. They are important because passive or even active defense cannot always stop hackers, who see low-risk, high-reward opportunities everywhere. Working together on cyber issues includes military cooperation with allies as well as working together to strengthen civilian cyber defenses to make hacking more difficult and less lucrative.

Beyond cyber defense and offense, pushing and working with nations around the world to combat cybercrime and punish those who engage in aggressive cyber behavior themselves can help reduce the number of cyber attacks. Of course, relative anonymity and nations’ geopolitical goals that run counter to U.S. interests make such efforts more difficult. Additionally, differing approaches to privacy can also pose a stumbling block to U.S. collaboration with other nations.

U.S. efforts on international cybersecurity were first and most notably articulated in the U.S.’s International Strategy for Cyberspace. Released in 2011, this strategy’s express goal is to

work internationally to promote an open, interoperable, secure, and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation. To achieve that goal, we will build and sustain an environment in which norms of responsible behavior guide states’ actions, sustain partnerships, and support the rule of law in cyberspace.[REF]

Such a goal is laudable, but the question is: How can the U.S. achieve this “open, interoperable, secure and reliable” cyberspace? The Obama Administration called for the development of norms that are based on freedom, privacy, property rights, the right to self-defense, and other principles.[REF] While the principles are excellent, they are limited in effectiveness since other nations do not necessarily hold these same values. It is unlikely that China or Russia will agree to a set of norms that include key protections of individual privacy, freedom to access the full Internet, or respect for property rights. Even among allies, differences over norms such as privacy may complicate meaningful cooperation.

The limits of norm setting is best displayed by the Budapest Convention on Cybercrime. As “the only binding international instrument” on cybercrime, the convention seeks to help nations in the development and implementation of counter-cybercrime programs.[REF] While this is a positive step in getting some countries to affirm their commitment to combatting cybercrime and promoting a free and secure Internet, arguably the largest sources of cyber threats, Russia and China, have not signed this convention.[REF] Furthermore, even some of the nations that have adopted the convention are not committed to or capable of fully implementing these norms. Ukraine is a prime example of a nation that has adopted the Budapest Convention but is a known haven for cybercriminals.[REF] Similarly, former Secretary of State John Kerry and National Security Agency head Admiral Michael Rogers advocated for international law for cyberspace.[REF] More specifically, Rogers advocated an Internet subject to global rules similar to the U.N. Convention on the Law of the Sea (UNCLOS), which provides a clear example of the challenges of multinational treaties.[REF]

While there are a myriad of potential problems with UNCLOS,[REF] the one most relevant to cybersecurity deals with how nations are supposed to settle disagreements through an arbitration panel. Quite tellingly, China has rejected the ruling of UNCLOS arbitration that the Philippines initiated against China over territorial claims in the South China Sea.[REF] If China will not submit to a law to which it is a signatory in the physical world, there is no reason to believe that China, or other aggressive cyber nations, will comply with nebulous international law in cyberspace.

Thus, while norms may establish some baseline for some nations to agree on certain aspects of cybercrime, norms development is not enough. The International Strategy for Cybersecurity seems to recognize this, as it also mentions the need for dissuading and deterring enemies. Even the strategy, however, depends on the Budapest Convention and international law enforcement cooperation for combatting cybercrime.[REF] Cyber deterrence must extend beyond just Budapest Convention signatories if it is to be truly effective at countering hackers.

For the past decade, the U.S. has generally preferred non-confrontational tactics, such as trying to cooperate with nations like China, despite their likely bad faith. General Martin Dempsey as Chairman of the Joint Chiefs of Staff and Hillary Clinton as Secretary of State both called for increased cooperation with China as the U.S. and China were, in the words of Secretary Clinton, both “victims of cyberattacks,” drawing a moral equivalence between the robber and robbed.[REF] However, after a long series of significant and publicized hacks by the Chinese government, the U.S. government came to recognize the need for more aggressive deterrent action against bad cyber actors. In 2013, the Obama Administration began to openly blame China for campaigns of cyber espionage directed at U.S. companies and government agencies, and in May 2014, it indicted five members of the Chinese People’s Liberation Army on charges of cyber theft, the first time the U.S. has taken legal action against a foreign government for cybercrimes.[REF]

Following the 2015 cyber breach of the Office of Personnel Management and at least 21.5 million personal records that included background investigations and security clearance data—believed to be the work of China—the Obama Administration laid the groundwork for firmer actions against malicious cyber actors. It promulgated Executive Order (EO) 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” which made clear the Administration’s ability to sanction major hackers, their sponsors and supporters, and any beneficiaries of hacking who know the hacked material to be stolen.[REF] Instead of using this authority against any number of Chinese activities, the U.S. and China came to an agreement to stop cyber economic espionage and work together to stop cybercrime. This agreement represents a return toward the Obama Administration’s early policy of seeing both the U.S. and China as victims, misunderstanding China’s interests and strategy.[REF]

In the 2016 American election cycle, the Russian government undertook a series of hacks on U.S. election and political organizations, most notably the Democratic National Committee.[REF] The intelligence community identified the Russian government as the responsible party,[REF] and the Obama Administration expelled a number of Russian diplomats and intelligence officials living in the U.S. The Administration also, for the first time, used EO 13694 to sanction four Russian individuals and five organizations.

While the Obama Administration did take some (uneven) steps to advance the U.S. international cybersecurity agenda, the overall policy of the U.S. was defined by hesitance to respond firmly to cyber aggression.

Policy Options for Combatting Cybercrime and Espionage

If the U.S. is to take a more active role in combatting cybercrime and espionage, a more comprehensive set of policies is needed from across all elements of national power. Conceptually, many experts use diplomacy, information, military, economics (DIME) and MIDLIFE (military, intelligence, diplomacy, legal, information, finance, economic) to refer to categories of tools available to policymakers.[REF] In cyberspace, applying the all-tools-of-national-power approach means that the U.S. should consider the following policy areas as options for dealing with cyber aggression:

  • Preparing for and defending against cyber aggression:
    • Improving global cooperation in combatting cybercrime, and
    • Greater collaboration with allies and partners on cybersecurity.
  • Responding to cyber aggression:
    • Diplomatic responses,
    • Legal and economic responses, and
    • Strategic responses.

BG3223 Textbox 1

Preparing for and Defending Against Cyber Aggression

The U.S. is engaging with like-minded nations on cybersecurity through the Budapest Convention, NATO, and bilateral relations. The results of such relationships include the sharing of best practices to combat cybercrime, enabling information sharing on cyber threats and crimes, expanding and improving cybercrime legislation, enhanced law enforcement, and judicial cooperation including the extradition of cybercriminals, cybersecurity exercises, and military-to-military cooperation and training.[REF] It is time for the U.S. to build deeper ties and take greater action with nations that truly want to counter crime and economic espionage in cyberspace. The U.S. should strive to make existing cyber relationships more robust and meaningful by committing to more cooperation and defensive cyber measures.

Improving Global Cooperation in Combatting Cybercrime. Given the international nature of cybercrime, combatting it requires international cooperation. As mentioned, the Budapest Convention on Cybercrime is the primary mechanism for nations to cooperate on cybercrime investigations. Unfortunately, expansion of the convention to additional countries has ground to a crawl, and key centers of cyber criminality, such as Russia and China, as well as Brazil and India, will not join the convention. Russia and China directly benefit from a great deal of the hacking that occurs and have no incentive to participate in the convention. India and Brazil refuse to join on principle, as the convention was originally developed by Europe and select other countries without their input.[REF] While 52 nations have ratified the convention,[REF] significantly more ratifications are unlikely.

Thus, the U.S. is seemingly left with two options—pushing for deeper cooperation with those who have ratified the convention or pursuing expansion of the convention. These two alternatives are not necessarily mutually exclusive, but given that the pace of accessions to the treaty has slowed down, the U.S. would be better served working to deepen the commitment and collaboration among those countries that are party to the convention now. This means taking tangible steps that expand how law enforcement organizations work together to fight cybercrime.

Expansion of active cyber defenses that identify hackers is an example of such cooperation. Many countries currently outlaw any unauthorized access to computers in their country. This means that certain types of active defenses are technically illegal even though they may greatly help identify hackers. One such active defense is a beacon that is attached to a company’s files, similar to the way a LoJack tracker can be installed in cars, or dye packs attached to clothing or bags of money. When the files are stolen, a beacon is capable of reporting data back to the home network about where it is or who has stolen it. Such data would be extremely helpful to give to law enforcement but is likely illegal since the beacon accesses the hacker’s computer without his authorization. Essentially, laws meant to outlaw hacking are actually protecting hackers from counter actions by responsible, law-abiding organizations. The U.S. should revise the way in which such active defense measures are viewed, both informally and statutorily with our allies. Allowing U.S. and German companies to locate, but not destroy, a hacker’s computer, is in both the U.S. and Germany’s interests and would truly deepen international cooperation in stopping cybercrime.

Another way the U.S. can deepen cooperation on combatting cybercrime with partner nations is to expand tools used in combatting transnational criminal organizations (TCO) to cybercrime organizations. While individual hackers and hacktivists certainly pose a problem, many sophisticated cybercriminals are part of larger criminal syndicates that often are spread across multiple different countries. In 2011, the Obama Administration released a “Strategy to Combat Transnational Organized Crime,” including cybercrime as one of the areas that must be tackled. In part, this means having the domestic and international resources to investigate and find such organizations. It also means applying tools like the Racketeer Influenced and Corrupt Organizations (RICO) Act to cybercrime, and working with foreign governments to expand the use of RICO-equivalent laws against cyber criminals. In 2011, the Obama Administration requested that 18 U.S. Code § 1030—the Computer Fraud and Abuse Act—be added as one of the predicate offenses that can be used in a RICO case. Not only is RICO a useful tool in combatting criminal enterprises, it also opens guilty parties to further civil damages.[REF]

Another idea, proposed by a bipartisan set of policymakers and experts at the Center for Strategic International Studies suggested punishing nations that refuse to cooperate in combatting cybercrime. They suggest that “penalties for the noncooperative could mirror the Financial Action Task Force (FATF) ‘blacklist’ of noncooperative countries,”[REF] which applies to countries that are unable or refuse to help in combatting money laundering and terrorist financing efforts.[REF] The signatories of the Budapest Convention could move to create a FATF-like organization that monitors the cooperation that other nations provide in combatting cybercrime, espionage, and attacks. Nations may not sign the Budapest Convention, but they can be encouraged to take additional steps to combat cybercrime and assist other nations or otherwise face negative consequences.

Greater Collaboration with Allies and Partners. In addition to combatting cybercrime, nations must also work together to decrease their vulnerability to attack and reduce the consequences of a successful attack. Collaboration on cybersecurity defenses, technology, organizations, training, and exercises across both military and civilian portions of the network is an essential step toward cybersecurity. While no defense is perfect in cyberspace, more can be done to improve upon the status quo.

On the civilian side, constant and regular engagement among U.S. and foreign Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs) is a necessity.[REF] Such engagement must not only occur when there is a cyber incident, but must take place regularly to ensure that all sides know their counterparts and have developed formal as well as informal relationships. This requires that the U.S. and partner CERTs/CSRITs have the resources to deal not only with the technical and information-sharing aspects of cybersecurity, but also to build relationships with cybersecurity experts in other countries. The U.S. should encourage allies to expand cyber capabilities and expand cross-border training and exercises to prepare for cyber incidents.

Beyond the response aspects, the U.S. must also seek greater cooperation with allies on cybersecurity policies and strategies. While improved technical capabilities, trust, and relationships between those in the trenches on cybersecurity are critically important, policymakers and strategists are necessary to ensure that such capabilities and relationships are advancing U.S. and allied interests and objectives. The Russians and Chinese have each developed their own ways of integrating cyber weapons and tools into their hybrid or information warfare strategies. Indeed, they do not just have strategies on paper, but are putting them to work in Ukraine, the U.S. political arena, the South China Sea, and elsewhere.

The U.S. must have a fully formed cyber strategy that includes both civilian and military components. U.S. military planners and their international partners must consider how allied forces will fight in cyberspace. In 2016, NATO declared cyberspace to be a domain of warfare in the same way that the air or the seas are.[REF] Such a declaration is overdue, and preparations to fight in this domain must now play catch up. NATO members and other allies must make investments in cyber capabilities that will protect and advance military objectives, in addition to much-needed investments in traditional tools of warfare. The U.S. should push for expanded partner preparation and capabilities in the domain, offering assistance where it can. Similarly, training in cyberspace and hybrid conflicts are necessary to enable the U.S. and allies to be prepared for future conflicts.

Furthermore, policymakers need to devise ways of ensuring that the private sector is also playing a leading role in cybersecurity. Government-to-government cooperation on cybersecurity must ultimately be built on private-sector expertise and control. In many countries, including the U.S., critical infrastructure is primarily owned and operated by the private sector. Even in countries where this is not true, the private sector still provides the vast majority of the goods and services, faces countless cyber attacks, and serves as the greatest repository of expertise on cybersecurity. So, any government policies on cybersecurity require true partnership with, and reliance on, the private sector. This reality should not be lost in efforts to increase cooperation between governments but should inform the way policy cooperation occurs.

Responding to Cyber Aggression

While there is much the U.S. can and should do to defend against cyber aggression both independently and in conjunction with allies and partners, the U.S. should also go beyond just defending its systems. Given the nature of cyberspace as described earlier, defense will not always succeed. When faced with an offensive-dominated domain, the U.S. can instead seek to raise the costs of hacking through various types of retaliation. These forms of retaliation should be viewed as a toolbox that can be used and tweaked depending on the aggressor to which the U.S. is responding.

Diplomatic Responses. The simplest forms of retaliation are diplomatic protests.

Naming and Shaming Bad Actors. The first step that the U.S. and all likeminded nations should take to counter nations that engage in malicious cyber behavior is naming and shaming those nations. Quite simply, the U.S. can call out nations that engage in cyber aggression and demand they stop. While unlikely to change anything on its own, when done in concert with other allies and used as a signal for further actions, diplomatic shaming is an important first step toward raising the costs of cyber aggression.

Stopping Cooperation with Bad Actors. The U.S. and its allies should also cease all forms of cyber cooperation with nations that continue to engage in blatant and widespread cyber aggression. While engagement and cooperation is valuable among friendly nations and even those that are willing to do more to combat cybercrime but simply lack the resources, cooperating with unrepentant bad actors only ignores and rewards bad behavior.

Legal and Economic Responses. Travel and Commercial Restrictions. For individuals and organizations that are known to be connected to the beneficiaries of malicious cyber activity, the U.S. and its allies do not need to provide them with the privilege of entering their nations on business or pleasure. The U.S. has the right to deny a visa to individuals for a variety of criminal and security reasons under section 212 of the Immigration and Nationality Act (INA).[REF] For example, § 212 (f) allows the President to suspend the entry of “any alien or class of alien…[who] would be detrimental to the interests of the United States…as he may deem to be appropriate.” Using §212 (f) to restrict the travel or immigration of officials or businessmen involved with or benefiting from cyber aggression would clearly be within the President’s constitutional and statutory authority.[REF]

Additionally, the U.S. has the right to seek commercial restrictions against businesses that represent a clear danger to critical U.S. systems or those that have a close relationship with state-sponsored hackers. For example, Huawei and ZTE are major Chinese telecommunications companies that exist and operate at the pleasure of the Chinese government, since the regime considers telecommunications to be an industry of absolute state control.[REF] Given that both Huawei and ZTE have been accused of stealing intellectual property and exist within a sensitive sector that could be exploited by the Chinese government, Huawei and ZTE should be restricted from operating in the U.S. at least in areas that are deemed vital to U.S. security.[REF] Given that many allies, such as the United Kingdom, have conducted a substantial amount of business with these companies already, the U.S. should also investigate the risk that Chinese telecoms pose to its allies, and indirectly to the United States. This warning must not be used as a broad excuse for protectionism in other sectors where security concerns are not significant. Similarly, access to U.S. financial markets can and should exclude companies and individuals who participate in or are beneficiaries of state-sponsored cyber espionage.

Sanctions. When the U.S. has evidence that a nation-state, enterprise, or person is responsible for or involved in cyber attacks or espionage, the U.S. can pursue formal sanctions against that individual or entity. President Barack Obama, via EO 13694, created a framework for sanctions against such entities that are deemed to be

responsible for or complicit in, or to have engaged in, directly or indirectly, cyberenabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.[REF]

As is well known to many by now, President Obama expanded the scope of his original EO from incidents that harm U.S. critical infrastructure and economy to include tampering with or interfering in election processes. In December 2016, President Obama used this EO for the first time to sanction two Russian intelligence agencies and three companies, as well as four individuals connected to Russian intelligence. The EO freezes the assets of these nine entities and individuals in the U.S. and prevents them from engaging in future transactions and from visiting the U.S. Such sanctions were the right move, but were too little, too late—the U.S. should have been responding more aggressively to cyber attacks for years.[REF] But now that the U.S. has finally started to use sanctions as a tool against cyber adversaries, it must build a clear record that the U.S. will respond to cyber aggression.

Legal and Criminal Charges. In cases with a significant amount of evidence pointing to individuals or organizations being directly involved in cybercrime and espionage, the U.S. can take legal action. Criminal cases based on various espionage and computer crime laws can and should be used to prosecute individuals responsible for the theft of intellectual property, proprietary information, and classified government information. The U.S. first used this tool against other nations in the cyber domain in May 2014, when it charged five members of the Chinese People’s Liberation Army with stealing business secrets from U.S. corporations. While these five individuals will never see a U.S. trial, it sets a critical precedent for the U.S. to treat state-sponsored economic espionage as a crime, punishable by law. This precedent could be applied in the future to other individuals or companies that are not in China but are found across the world and in the U.S. If a company assists with and receives information and tangible benefits from a state-sponsored campaign of economic espionage, the U.S. can pursue cases to seize that company’s assets or jail its executives that are within the reach of U.S. or allied authorities.

Such cases also show malicious cyber nations that the U.S. will not sit idly by, but will protect its companies and interests. This not only acts as a warning to bad actors, it also sends a positive message to U.S. businesses that the U.S. government is willing to support and defend them. Having other nations join the U.S. in this effort would place a great deal of pressure on individuals and companies that are connected to state-sponsored cyber economic espionage.

World Trade Organization (WTO) Action. For states that systematically support or engage in espionage or cybercrime against other nation’s businesses, the U.S. and its allies may have grounds to seek WTO relief.

In the cybersecurity, trade, and legal communities, there are different opinions over whether hacking and economic espionage by nation-states, such as China, break WTO rules.[REF] Specifically, the issue in many debates seems to be that “WTO rules create obligations for WTO members to fulfill within their territories and do not generally impose duties that apply outside those limits,” such that China only has an obligation to stop economic espionage on U.S. companies in China, not espionage that occurs in the U.S.[REF]

There are, however, other provisions of trade law and convention to which most countries, including the main cyber antagonists, China and Russia, are signatories.[REF] Specifically, as a member of the WTO, a nation is a signatory to the Agreement on Trade Related Aspects of Intellectual Property Rights (TRIPS), which requires each nation to uphold certain basic principles regarding the protection of intellectual property.[REF] The TRIPS agreement has two articles that could be used by the U.S. and other nations to retaliate against nations like China or Russia for their cyber aggression:

  1. The TRIPS Article 73, “Security Exceptions.” The last provision of TRIPS allows a nation to take any action that it feels is “necessary for the protection of its essential security interests,” or for the “maintenance of international peace and security.” Using such a provision, however, would set a dangerous precedent that other nations could use as well, thus likely starting tit-for-tat trade wars.
  2. TRIPS Article 2, “Unfair Competition.” According to Article 2 of TRIPS, all signatories of TRIPS are required to uphold various articles of the Paris Convention including Article 10, which reads:

Unfair Competition

(1) The countries of the Union are bound to assure to nationals of such countries effective protection against unfair competition.

(2) Any act of competition contrary to honest practices in industrial or commercial matters constitutes an act of unfair competition.

This text specifies a treaty obligation that many state sponsors of economic espionage are not keeping. After all, stealing trade information, whether through traditional economic espionage or cyber espionage, and then giving this information to domestic companies for their use appears to neatly fit the definition provided in (2) above. Furthermore, to counter the arguments that WTO rules do not apply here, it would seem that such a standard, even if only “creat[ing] obligations for WTO members to fulfill within their territory,” still presents an obligation to stop state-sponsored hackers from engaging in widespread campaigns to steal business and trade secrets and profit from them, which would be unfair competition.

If a nation is not meeting its obligations under TRIPS and the Paris Convention, the U.S. can pursue legal action per Part 5 of TRIPS, which refers to Articles 22 and 23 of the 1994 General Agreement on Tariffs and Trade and the dispute-settlement procedures it established.[REF] Of course, this may require the U.S., other countries, and businesses to publicly disclose information that may reveal sources and methods of intelligence and security. This process is already beginning with private-sector cybersecurity agencies revealing technical security details in order to incriminate advanced persistent threats (APT) as seen in the Mandiant Report about APT 1 in early 2013 and many subsequent reports.[REF] Additionally, with the U.S. charging Chinese military officers with hacking in May 2014, the government has shown itself willing to lay out its technical and legal case against bad actors.

Of course, being able to legally prove in the WTO dispute-settlement process that any specific hacking event was part of a campaign of economic espionage would be difficult. But attribution, as mentioned, is not impossible, and a consistent and coordinated effort by the U.S. government and other nations that are victims of economic espionage could yield a strong, united WTO case against the Chinese, Russians, and other bad actors.

Before entering into a WTO dispute and preparing its case, the U.S. should also understand its objective. Should the U.S. win its case (and assuming the bad actor does not immediately take legitimate action to fix its transgressions), there are at least two outcomes the U.S. could seek through the WTO.

First, the U.S. could simply seek the moral high ground and diplomatic victory accompanying a verdict that a nation’s systematic economic hacking is contrary to it legal obligations through the WTO. Perhaps one of the strongest forms of naming and shaming, a collection of nations winning a WTO case against a nation engaging in economic espionage would be a major diplomatic victory. This decision could unite other nations against the offending nation and be used to leverage broader and more robust punitive measures.

Second, the U.S. could seek a WTO remedy, retaliation that is meant to bring the offending nations into compliance. Such a remedy could take several forms, including a significant increase in U.S. and other nations’ tariffs on certain goods from the offending nation[REF] or suspension of certain intellectual property (IP) right protections for the offending nation’s goods. The U.S. must be careful with such tools, especially the use of tariffs, as the U.S. benefits from trade, and raising the price of goods would also be harmful to U.S. consumers. It is also unlikely that all the nations that stood with the U.S. in the WTO would agree to place tariffs on certain goods, lessening the force of such retaliation. Despite such realities, tariffs should remain on the table as long as they are used in a manner that seeks to correct offending behavior.

An alternative retaliation, suspending IP protections[REF] for certain goods provided by the offending nation, is in many ways the most reciprocal form of retaliation, since economic espionage is usually aimed at stealing IP. The offending nation’s affected goods and companies would suffer serious reputation and legal damage, risking long-term damage to the sale and use of its goods, as well as future innovation. As with tariffs, there could also be harm to U.S. consumers and producers that must then navigate a market with protected and non-protected goods. This damage could be somewhat offset by the fact that U.S. producers can use relevant IP for their own benefit. The IP of some nations might be limited, which also limits the effectiveness of an IP-protection suspension.

Regardless, should the U.S. and its partners win a WTO judgment, they should use the available tools judiciously to encourage a change in the offending nation’s behavior, while avoiding harmful side effects to consumers and producers.

Strategic Responses. Finally, some nations may only be deterred from cyber aggression if they feel pressure on more fundamental issues, which differ from country to country. Territorial disputes, invasions, or other threats to democratic rule, such as Ukraine and Georgia in the case of Russia, and Taiwan and Hong Kong in the case of China, provide examples of pressure points that the U.S. can use to retaliate against cyber aggression. Standing up for Taiwan, Hong Kong, Ukraine, Georgia, and other countries is not only a good response to unrepentant cyber aggressors, but also important to U.S. foreign policy in general. More specifically, an example of a strategic response in Russia’s case might be supporting Ukraine’s defense of its territory through arms sales. Not only is it a unique way of responding to Russian actions in cyberspace, it also provides the U.S. a specific response to Russian aggression in Eastern Europe. Using these pressure points appropriately, tailored to the aggressor, provides the U.S. with some of its most powerful tools to retaliate against nation-states.

Another example of a strategic response that hits close to home is Internet freedom. States like Russia and China also depend on repression and censorship to maintain control of their populations, albeit using different techniques. While “democracy promotion” may seem to be a relatively minor activity, and one that the U.S. should be engaged in regardless of the threat, this policy option more than passively, indirectly, or softly supports democratic movements in authoritarian nations. In this context, democracy promotion includes a substantial increase in public, diplomatic, financial, and legal support for organizations and individuals that seek dramatic democratic reforms and challenge governments that do not respect individual liberty, the rule of law, or the right to vote for an opposition government.

Such policies directly challenge these authoritarian regimes, striking at their monopoly on power and information. At its most basic form, this means using U.S. public diplomacy to counter the growing tide of Chinese and Russian propaganda. With China and Russia doing all they can to portray themselves and their actions as legitimate and positive, the U.S. needs to return its public diplomacy measures to where they were in the 1980s, when the U.S. discredited the Soviet Union with audiences across the world, including within the Soviet Union.[REF] Sadly, U.S. public diplomacy fell into disrepair after the Cold War, as peace dividends and reorganizations claimed the effectiveness of this great tool. On the other hand, Russia and China actively challenge U.S. policies and leadership through their propaganda forces. The Russian and Chinese efforts in this arena are met with limited or ineffective responses from the U.S.

This must change—the U.S. must actively counter such propaganda both around the world and within these countries. Public diplomacy programs, such as the Voice of America, allow the U.S. to effectively promote a better image of the United States while countering anti-U.S. campaigns. To be more effective in countering anti-U.S. propaganda, U.S. broadcasts should be reformed, with operations manned by individuals dedicated to the U.S. and her values and with broadcasts that do not merely provide news but also include staunch support of U.S. policies and values.[REF] The U.S. should not be in the business of merely paying for another source of news—it should actively promote U.S. policies and principles while sharing news about the world from the U.S. perspective. Research into, and collection of, best practices in public diplomacy should be jump-started. Embassy officials should receive uniform guidance on how to more directly challenge disinformation and spread the truth about U.S. policies, as well as the truth about repression within various regions.[REF]

Going further, the U.S. should take a more active role in supporting dissidents and democratic activists. Such action also requires that U.S. public diplomacy mechanisms be reinvigorated. By using a variety of mediums, including radio, television, and the Internet, the U.S. can provide dissidents in repressive states with information and support. Radio Free Asia and the Broadcasting Board of Governors can more aggressively spread information and broadcasts and supply dissidents with technology that allows them to communicate with others and protect themselves from the prying eyes of the Chinese censors and police. The U.S. can offer similar tools, information, and protections to critics of Vladimir Putin through Radio Free Europe/Radio Liberty.[REF] The U.S. must also use its foreign aid appropriately to support pro-democracy and civil society programs and organizations. The U.S. is already accused of interfering in these nations[REF]—it might as well take the blame and forcefully support those who desire freedom, the rule of law, and basic human rights.[REF]

While these policies may be among the most strategic the U.S. could undertake, the use of all other tools should also be considered strategically. Some countries may not care about diplomatic repercussions, while others may not be greatly affected by legal consequences, limiting the usefulness of such tools to counter cyber aggression. Responding to bad cyber actors requires moving beyond cyberspace, using the full range of national power to tailor responses that are most likely to deter or punish their cyber aggression.

All Tools of National Power Needed

These policy options are just that—options. Very few circumstances call for action at the WTO or the use of serious strategic responses. In fact, in most cases, cooperation with other nations on beefing up cybersecurity and the enforcement of cybercrime laws is the most appropriate answer. Indeed, the U.S. needs to do many things to improve its international cybersecurity. While most of the responsibility for these actions falls to the Administration, Congress can also demand that certain actions, such as sanctions, be taken against bad actors. To that end, Congress and the Administration should:

  • Deepen collaboration on cybercrime among like-minded nations. The U.S. should look to create an acceptance for active cyber defenses that are not harmful, but allow better attribution of, and intelligence on, cyber threats. Laws and tools from the organized crime arena, such as RICO, should be expanded to cover TCOs engaging in cybercrime.
  • Expand cybercrime cooperation beyond current signatories of the Budapest Convention. The U.S. should create a cyber form of the FATF that combats money laundering and financing of terrorism. While they need not abide by all the terms of the Budapest Convention, non-signatory countries should still be pressured to take reasonable actions against cybercrime. Nations that do not assist in international cybercrime investigations, or do little to stop cybercrime within their territories, should be considered non-cooperative and face repercussions from members of the new cyber task force.
  • Improve cooperation with foreign civilian cybersecurity defense and response organizations. Beyond defeating cybercrime, the U.S. must also establish more regular interactions and cooperation with CERTs and CSIRTs of partners and allies to bolster cyber defenses. This means increasing cross-border information sharing and joint training and exercises for civilian security organizations.
  • Prepare to fight in the cyber domain with allies. The U.S. and its allies also need to develop the tools and capabilities to fight in the cyber domain. While NATO has taken some steps in this direction, far more needs to be done. Any future conflict will require offensive and defensive cyber capabilities that are well integrated into U.S. and allied warfighting strategies. Creating such capabilities requires a political will to engage in this new domain as well as the resources to develop the means of engagement.
  • Develop a robust policy of deterrence that tailors a proportionate U.S. response to the bad actors. Deterrence is in the mind of the adversary—he chooses to alter his behavior because he believes the costs are too high. The only way to achieve deterrence in cyberspace is to establish a clear pattern of policy and action that leads an actor to rethink his plans. The U.S. has a whole host of tools it can use to retaliate against any sort of cyber aggression, including diplomatic naming and shaming, cutting off cooperation, visa restrictions, commercial and financial limitations, sanctions, legal action, trade enforcement tools, action on other military or foreign policy matters, support to dissidents in malicious cyber states, and other tools not considered here. These tools should be used in a way that is tailored to fit the adversary and proportionate to the scale and effects of his aggressive action.
  • Create a new strategy for international efforts in cyberspace. The U.S. needs to articulate a bolder strategy for how it will operate in the cyber domain. From deterring and retaliating against cyber aggressors to reinforcing cybercrime defense efforts with allies, the U.S. should craft a new strategy that will direct the whole of government to protect U.S. interests in cyberspace. This strategy must also consider the central role the private sector plays and make use of its expertise and skills.

Using the Right Tools at the Right Time

It is past time for the U.S. to take the lead on international cybersecurity. Cybercrime harms people around the globe, state-sponsored economic espionage harms the creative and innovative private sector, and state-led attacks on political organs undermine faith in institutions and the authenticity of news. While criminals and certain nation-states may benefit from this, the vast majority of nations, companies, and individuals lose. The U.S. must take action to defend itself in cyberspace through cooperation with like-minded partners while deterring those that benefit from cybercrime and warfare. Doing so will make the U.S. and its allies safer, more prosperous, and freer.

David Inserra is a Policy Analyst for Homeland Security and Cyber Security in the Douglas and Sarah Allison Center for Foreign and National Security Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.

Authors

Inserra
David Inserra

Policy Analyst, Homeland Security and Cyber Policy, Douglas and Sarah Allison Center for Foreign Policy