Cybersecurity and Deterrence

A Proliferation Security Initiative for Cyber Cooperation?

By Duncan B. Hollis, Matthew Waxman
Monday, June 4, 2018, 7:00 AM

National security adviser John Bolton is often caricatured as a unilateralist. One of his legacies during the George W. Bush administration, however, was a significant new multilateral effort: the Proliferation Security Initiative (PSI).

In a forthcoming symposium essay we suggest that PSI might offer a useful model for promoting cybersecurity cooperation. As the United States and others look to improve international rules for combating global cyber threats—whether through interpretation of existing legal frameworks, cultivation of new norms, or creation of new treaties or international bodies—PSI’s special architecture may be adaptable to some of the more notable challenges.

Bolton championed PSI in the early 2000s to improve interdiction of weapons of mass destruction, especially at sea where the absence of clear counterproliferation law and weak capacity of some states left holes for proliferators to slip through. The United States and a small group of like-minded states signed on to a set of common principles and committed to a set of joint activities to strengthen WMD interdiction efforts. There was no new binding treaty or bulky international organization. Instead, each country agreed to do what it regarded as authorized under international law and consistent with a common declaration of PSI political commitments. Though it started among just a small group of participants, other states were invited to join the PSI, and as of today, 105 states have endorsed the common pledges and support PSI-related interdiction efforts.

To be clear, our essay does not suggest that the United States should pursue a similar multilateral policy approach of interdicting cyberweapons. Rather, we highlight how PSI’s cooperative mechanisms may be a model for future cybersecurity cooperation. Its advantages, compared to many global treaties or new intergovernmental bodies, include low entry costs, accommodation of varying capabilities, flexibility, and evolution through experimentation. This approach also has limits, to be sure. On the one hand, it would leave in place significant gaps or uncertainties in international law that certain states are looking to fill. On the other hand, it may be perceived by some states as heavy-handed or designed to exclude and isolate them. And, of course, it is worth emphasizing that cybersecurity is not a unified problem set—it involves a complicated suite of different problems that emerge in a wide array of different contexts.

Nonetheless, there are several areas of cybersecurity cooperation for which the PSI model might be a possible fit. These could include multilateral efforts to remediate effects of cyberattacks, to assist in attributing them to perpetrators, or to impose sanctions against such bad actors. (Note that just last week, the State Department proposed to the president a cyber deterrence strategy recommending that “Partner states could, on a voluntary basis, support each other’s responses to significant malicious cyber incidents, including through intelligence sharing, buttressing of attribution claims, public statements of support for responsive actions taken following an incident, and/or actual participation in the imposition of consequences against perpetrator governments.”)

The merits of a PSI-like approach depend a lot, of course, on the substance and details of the commitments and activities. But the point of our essay is that PSI’s architecture is worth further consideration among the menu of ways to improve international cybersecurity cooperation and cultivate norms.