Truman National Security Project

4 Ways US Can Boost Cyber Security


The Obama administration has repeatedly and publicly named China as America’s principal cyber-espionage enemy, highlighting China’s aggressive economic cyberspying against American businesses and critical infrastructure. President Obama himself mentioned cybersecurity concerns during his congratulatory phone call with new Chinese President Xi Jinping.

Deciding to name and shame China openly is a significant step in US cybersecurity policy and has international repercussions: It forces the two countries to address the issue publicly, and shines a spotlight on the cyberactivity of other countries, including the United States. This may increase pressure on governments and companies to act more forcefully against cyber-espionage attacks.

Of course, China is not the only country that has committed, or will commit, cyber-espionage. Indeed, China has accused the US of cyberattacks and recently described itself as a leading victim of hacking attacks. The full scope of international cyberattacks is hard to define because of the challenge of identifying who launched an attack, and the absence of a coordinated, global effort to find out who the hostile cyberactors are.

To navigate this new diplomatic landscape and successfully protect its own cybersecurity interests, the US needs a proactive cyber foreign policy that goes beyond naming and shaming. Here are four steps the US can take to bolster its diplomatic efforts to address cybersecurity threats.

1. Start where countries agree

International rules governing cybersecurity are unclear, particularly when it comes to cyber-espionage. That’s because technology is changing rapidly and countries disagree over principles on issues like privacy rights and Internet freedom. Countries are also unwilling to sacrifice their own right to act unilaterally in cyberspace.

One step to start holding countries accountable for cyberattacks is to solidify norms that are already implicitly agreed on. For example, it seems that countries, for the most part, have not hacked into each other’s financial institutions nor disrupted predominantly civilian critical infrastructure. The US should explore past norms in areas such as arms control to derive lessons for cybernorms.

Washington must also engage the private sector in this dialogue, even though some business interests have opposed the administration’s legislative efforts to improve cybersecurity standards.

The private sector owns and operates the majority of the critical infrastructure that the government wants to protect. US-based multinationals have a vested interest in secure, stable cyberspace and can be useful partners in advocating for norms internationally.

2. Enlist the support of allies

Help from friends and countries with common interests is critical to the success of Washington’s new cyberpolicy, just as it is with any other national security policy. It is even more important in this instance, however, because cyberspace transcends borders and is not controlled by any single state. The US should encourage allies to name and shame China, which has undoubtedly hacked networks in their territory, too, and to do the same with other cyber-espionage aggressors.

A coalition could begin with just a handful of countries such as BritainAustraliaGermany,CanadaSouth Korea, and Japan. It could issue a public statement announcing agreed-upon principles. These allies could put in place a set of voluntary accountability and verification mechanisms to build trust and ensure compliance with the group’s basic principles.

The group could attract more members by offering expanded technical assistance to enhance countries’ cybersecurity. Creating such a group would lend US cyberefforts greater international legitimacy and motivate countries to work together against threats.

3. Be more proactive

Assembling friendly states and developing a set of global norms would give the US more leverage over ChinaRussiaIran, and other cyberoffenders that regularly hijack international Internet governance meetings. For example, at the December 2012 World Conference on International Telecommunications, the US and other like-minded nations struggled to defeat the myriad troubling proposals offered by Russia that empowered states to clamp down on Internet freedoms. Eventually, 55 countries, led by the US, refused to sign the agreement.

This tense dynamic is not sustainable. Instead of being on defense, the US must be at the forefront of setting the international agenda. The US could focus positively on common ground, and put those who oppose Internet freedom on defense.

4. Communicate clearly

Washington needs to be transparent about its policy decisions so that it can communicate clearly to allies and adversaries alike.

Specifically, the US must consider these questions: What constitutes an attack? What kinds of economic espionage or attacks against the private sector will trigger government intervention? Will the US pursue a policy of deterrence, which requires specifying credible countermeasures – or leave itself more room to maneuver as conflicts in cyberspace evolve?

The administration took a significant step last September, when the State Department described central tenets of US policy on cyberconflict. The Department of Defense recently announced it is creating offensive and defensive cyberteams to protect the US. But officials from both departments acknowledge unresolved questions.

The US should advocate for global rules for cyberconduct, convince friends to embrace them, and push these rules as part of a more proactive cyber-agenda. This approach will solidify American leadership in cyberspace, foster international cooperation, and discourage cyberattacks.

Eli Sugarman is a Truman Security Fellow. This article originally appeared on Christian Science Monitor.