project-syndicate.

org
http://www.project-syndicate.org/commentary/international-norms-cyberspace-by-joseph-s--nye-2015-05

International Norms in Cyberspace

CAMBRIDGE Last month, the Netherlands hosted the Global Conference on Cyberspace 2015, which brought
together nearly 2,000 government officials, academics, industry representatives, and others. I chaired a panel on
cyber peace and security that included a Microsoft vice president and two foreign ministers. This multi-
stakeholder conference was the latest in a series of efforts to establish rules of the road to avoid cyber conflict.

The capacity to use the Internet to inflict damage is now well established. Many observers believe the American
and Israeli governments were behind an earlier attack that destroyed centrifuges at an Iranian nuclear facility.
Some say an Iranian government attack destroyed thousands of Saudi Aramco computers. Russia is blamed for
denial-of-service attacks on Estonia and Georgia. And just last December, US President Barack Obama attributed
an attack on Sony Pictures to the North Korean government.

Until recently, cyber security was largely the domain of a small community of computer experts. When the Internet
was created in the 1970s, its members formed a virtual village; everyone knew one another, and together they
designed an open system, paying little attention to security.

Then, in the early 1990s, the World Wide Web emerged, growing from a few million users then to more than three
billion today. In little more than a generation, the Internet has become the substrate of the global economy and
governance worldwide. Several billion more human users will be added in the next decade, as will tens of billions
of devices, ranging from thermostats to industrial control systems (the Internet of Things).

All of this burgeoning interdependence implies vulnerabilities that governments and non-governmental actors can
exploit. At the same time, we are only beginning to come to terms with the national-security implications of this.
Strategic studies of the cyber domain resemble nuclear strategy in the 1950s: analysts are still not clear about the
meaning of offense, defense, deterrence, escalation, norms, and arms control.

The term cyber war is used very loosely for a wide range of behaviors, ranging from simple probes, website
defacement, and denial of service to espionage and destruction. In this, it reflects dictionary definitions of war,
which include any organized effort to stop or defeat something that is viewed as dangerous or bad (for example,
war on drugs).

A more useful definition of cyber war is any hostile action in cyberspace that amplifies or is equivalent in effect to
major physical violence. Determining whether an action meets that criterion is a decision that only a countrys
political leaders can make.

There are four major categories of cyber threats to national security, each with a different time horizon and (in
principle) different solutions: cyber war and economic espionage, which are largely associated with states, and
cyber crime and cyber terrorism, which are mostly associated with non-state actors. The highest costs currently
stem from espionage and crime, but the other two may become greater threats over the next decade than they
are today. Moreover, as alliances and tactics evolve, the categories may increasingly overlap.

During the Cold War, ideological competition limited US-Soviet cooperation, but both sides awareness of nuclear
destructiveness led them to develop a crude code of conduct to avoid military confrontation. These basic rules of
prudence included no direct fighting, no first use of nuclear weapons, and crisis communication, such as the
Moscow-Washington hotline and the Accidents Measures and Incidents at Sea agreements.

The first formal arms-control agreement was the 1963 Limited Test Ban Treaty, which can be considered mainly
an environmental treaty. The second major agreement was the 1968 Nuclear Non-Proliferation Treaty, which
aimed at limiting the spread of nuclear weapons. The US and the Soviet Union perceived both agreements as
positive-sum games, because they involved nature or third parties.
Similarly, the most promising areas for early international cooperation on securing cyberspace are problems
posed by third parties such as criminals and terrorists. Russia and China have sought a treaty for broad United
Nations oversight of the Internet. Though their vision of information security could legitimize authoritarian
governments censorship, and is therefore unacceptable to democratic governments, it may be possible to identify
and target behaviors that are illegal everywhere. Limiting all intrusions would be impossible, but one could start
with cyber crime and cyber terrorism. Major states would have an interest in limiting damage by agreeing to
cooperate on forensics and controls.

Of course, historical analogies are imperfect. Obviously, cyber technology is very different from nuclear
technology, particularly because non-governmental actors can exploit it much more easily.

Nonetheless, some institutions, both formal and informal, already govern the basic functioning of the Internet. The
US wisely plans to strengthen the non-governmental Internet Corporation for Assigned Names and Numbers
(ICANN) by having it supervise the Internet address book. There is also the Council of Europes 2001
Convention on Cybercrime , with Interpol and Europol facilitating cooperation among national police forces. And a
UN Group of Government Experts has been analyzing how international law relates to cyber security.

It is likely to take longer to conclude agreements on contentious issues such as cyber intrusions for purposes like
espionage and preparing the battlefield. Nonetheless, the inability to envisage an overall cyber arms-control
agreement need not prevent progress on some issues now. International norms tend to develop slowly. It took two
decades in the case of nuclear technology. The most important message of the recent Dutch conference was that
massive cyber vulnerability is now nearing that point.