Confronting Reality in Cyberspace

History shows that societies take time to learn how to respond to major disruptive technological change and to develop norms that stabilize expectations. It took two to three decades after the bombing of Hiroshima to develop agreements regarding nuclear weapons. Norms to govern the risks posed by cyber technology are likely to evolve slowly, not based on good will but from states’ self-interest in coordination, reputation, and prudence. Even at the height of the Cold War, the United States and its adversaries worked together to develop rules of the road based on such self-interest. Our report offers some useful recommendations about norms, but we could go further. For instance, the Global Commission on Stability in Cyberspace has suggested a norm to protect the core infrastructure of the internet from attack. The “open global internet” may be over, but self-interest in coordination and communication remains, even among adversaries.

—Joseph S. Nye Jr.
joined by Guillermo S. Christensen and Amy B. Zegart

I wish to qualify the finding that cybercrime is a national security threat. This is not meant to compare confronting cybercrime to the war on drugs of the late twentieth century, which viewed the global criminal narcotics trade as a national security threat. To be sure, the vast majority of current cybercrime, and many of the examples we cite in the report, do not yet truly represent a threat to the territorial or political integrity of the United States (an obvious exception being Russian interference in U.S. elections).

However, unlike the narcotics trade that provoked the war on drugs, it is the combination of cybercrime trends and the evolution of their enabling environment—a fragmented, less free, more dangerous internet—that drives the threat to such a level. A fragmented internet means adversarial governments can more easily refuse to cooperate with global standards and norms; trust will continue to be a precious commodity that is easy to degrade, difficult to defend, and even more difficult to restore; and the current, robust state-enabled industry of “CrimTech” or crime-as-a-service will escalate to conflict-as-a-service.

These qualities amount to a manifest threat to national security. An appropriate comparison is the evolution of international terrorism—and its enabling environment—from a largely criminal matter to a national security threat that eventually precipitated two decades of armed conflict; this comparison is reflected in our recommendation to hold states accountable for malicious activity in their borders.

—Neal A. Pollard
joined by Guillermo S. Christensen