The Council on Foreign Relations has just released a new Task Force Report on Defending an Open, Global, Secure, and Resilient Internet. The Task Force was co-chaired by former DNI John Negroponte and former head of IBM Samuel Palmisano, and it was directed by CFR's Adam Segal. The Task Force itself comprises experts from government (former officials), private industry, NGOs, academia, and other sectors.
This wide-reaching report deals with many facets of U.S. cyber policy, including security, trade and innovation, and internet freedom. The report emphasizes four policy pillars -- alliances, trade, governance, and security -- and one of its strengths is that it thinks through how they fit together (and, in some cases, where there may be some difficult tradeoffs). Of particular interest to some Lawfare readers will be the discussion of international norms for cyberspace.
So much discussion these days of creating cyberspace norms or codes of conduct focuses on bilateral diplomacy with China (as a key power, partner, competitor, and threat in this area) or global diplomacy to create worldwide rules. Those are important, but I think this report correctly places emphasis on working with coalitions of like-minded allies -- and not just states but NGOs and private sector actors -- to build support for a common agenda with respect to international norms. Like Jack, I'm skeptical that effective international cyber-security treaties are attainable, and we're not going to reach agreement on matters of internet freedom anytime soon with states whose views diverge substantially with ours about freedom generally. As Adam Segal and I previously wrote, however, there's a lot that the U.S. can do with like-minded partners to develop norms and promote diplomatically and through technical partnerships.
There are parts of the report where I'd have liked to hear more detail. For example, it calls (pp. 38-39) for diplomatic efforts to ban large-scale commercial espionage and offers some brief thoughts about how the United States might launch dialogues, but it offers few specific recommendations about what such norms would look like and how they would be enforced. I hope also to write more about some other important parts of the report, including its discussion of possible cybersecurity legislation.