Next week’s London Conference on Cyberspace will include a closed session on international security. Some maintain that the session “could be an early step to some kind of ‘ultimate cyber arms control.’” But on CNN’s Global Public Square blog, Adam Segal and Matthew Waxman write that “a cybersecurity treaty is a pipe dream.” They argue that the United States “should prepare instead for deep international divides over cyber-security norms, emphasizing four components of its strategy”:
First, Washington must continue to cultivate allies and like-minded partners through joint policy declarations, recognizing that Beijing and Moscow are doing likewise. In June 2011, NATO defense ministers agreed to a collective vision of cyber defense, and the United States and Australia recently announced that their mutual defense treaty extends to cyberspace. Moving forward, it will be especially important to engage growing Internet powers like Brazil, South Africa and India as they move between the poles of cyber and information security.
Second, the United States should accept that it will be operating in some legal gray zones. The United States and some allies believe that they may have the right to respond militarily in self-defense under the laws of war to sufficiently severe cyber-attacks, whereas other powerful states want to legally separate cyber-security from traditional security concerns. Meanwhile, the distinctions in cyber-space between espionage (traditionally tolerated under international law) and offensive “attacks” are muddied. Planners need to think about how they will defend their actions diplomatically, especially when facts may be hard to prove or disclose.
Third, dialogue with China, Russia and others should focus not on reaching legal agreement but on communicating redlines and developing confidence-building measures, recognizing that it may be difficult to determine immediately the source of attacks. States should be willing to exchange ideas about the offensive and defensive use of cyber-weapons as well as how to develop points of contact and hotlines that can be used in the midst of a cyber crisis.
Fourth, success in shaping international norms depends in part on cultivating technical partnerships with developing states, both as a means of aligning their interests with the United States’ and countering similar efforts by China to secure their loyalty. Cyber security expertise is lacking in Latin America, Africa and Southeast Asia and governments will turn to whoever can provide it.