Confronting Reality in Cyberspace

The global internet—a vast matrix of telecommunications, fiber optics, and satellite networks—is in large part a creation of the United States. The technologies that underpin the internet grew out of federal research projects, and U.S. companies innovated, commercialized, and globalized the technology. The internet’s basic structure—a reliance on the private sector and the technical community, relatively light regulatory oversight, and the protection of speech and the promotion of the free flow of information—reflected American values.

Moreover, U.S. strategic, economic, political, and foreign policy interests were served by the global, open internet. Washington long believed that its vision of the internet would ultimately prevail and that other countries would be forced to adjust to or miss out on the benefits of a global and open internet.

The United States now confronts a starkly different reality. The utopian vision of an open, reliable, and secure global network has not been achieved and is unlikely ever to be realized. Today, the internet is less free, more fragmented, and less secure.

Countries around the world now exert a greater degree of control over the internet, localizing data, blocking and moderating content, and launching political influence campaigns. Nation-states conduct massive cyber campaigns, and the number of disruptive attacks is growing. Adversaries are making it more difficult for the United States to operate in cyberspace. Parts of the internet are dark marketplaces for vandalism, crime, theft, and extortion.

Malicious actors have exploited social media platforms, spread disinformation and misinformation, incited disparate forms of political participation that can sway elections, engendered fierce violence, and promoted toxic forms of civic division.

At the same time, the modern internet remains a backbone for critical civilian infrastructure around the world. It is the main artery of global digital trade. It has broken barriers for sharing information, supports grassroots organization and marginalized communities, and can still act as a means of dissent under repressive government regimes.

As the Internet of Things (IoT) expands in coming years, the next iteration of the network will connect tens of billions of devices, digitally binding every aspect of day-to-day life, from heart monitors and refrigerators to traffic lights and agricultural methane emissions.

The United States, however, cannot capture the gains of future innovation by continuing to pursue failed policies based on an unrealistic and dated vision of the internet.

The United States needs a new strategy that responds to what is now a fragmented and dangerous internet. The Task Force believes it is time for a new foreign policy for cyberspace.

The major findings of the Task Force are as follows:

• The era of the global internet is over.
• U.S. policies promoting an open, global internet have failed, and Washington will be unable to stop or reverse the trend toward fragmentation.
• Data is a source of geopolitical power and competition and is seen as central to economic and national security.
• The United States has taken itself out of the game on digital trade, and the continued failure to adopt comprehensive privacy and data protection rules at home undercuts Washington’s ability to lead abroad.
• Increased digitization increases vulnerability, given that nearly every aspect of business and statecraft is exposed to disruption, theft, or manipulation.
• Most cyberattacks that violate sovereignty remain below the threshold for the use of force or armed attack. These breaches are generally used for espionage, political advantage, and international statecraft, with the most damaging attacks undermining trust and confidence in social, political, and economic institutions.
• Cybercrime is a national security risk, and ransomware attacks on hospitals, schools, businesses, and local governments should be seen as such.
• The United States can no longer treat cyber and information operations as two separate domains.
• Artificial intelligence (AI) and other new technologies will increase strategic instability.
• The United States has failed to impose sufficient costs on attackers.
• Norms are more useful in binding friends together than in constraining adversaries.
• Indictments and sanctions have been ineffective in stopping state-backed hackers.

The Task Force proposes three pillars to a foreign policy that should guide Washington’s adaptation to today’s more complex, variegated, and dangerous cyber realm.

First, Washington should confront reality and consolidate a coalition of allies and friends around a vision of the internet that preserves—to the greatest degree possible—a trusted, protected international communication platform.

Second, the United States should balance more targeted diplomatic and economic pressure on adversaries, as well as more disruptive cyber operations, with clear statements about self-imposed restraint on specific types of targets agreed to among U.S. allies.

Third, the United States needs to put its own proverbial house in order. That requirement calls for Washington to link more cohesively its policy for digital competition with the broader enterprise of national security strategy.

The major recommendations of the Task Force are as follows:

• Build a digital trade agreement among trusted partners.
• Agree to and adopt a shared policy on digital privacy that is interoperable with Europe’s General Data Protection Regulation (GDPR).
• Resolve outstanding issues on U.S.-European Union (EU) data transfers.
• Create an international cybercrime center.
• Launch a focused program for cyber aid and infrastructure development.
• Work jointly across partners to retain technology superiority.
• Declare norms against destructive attacks on election and financial systems.
• Negotiate with adversaries to establish limits on cyber operations directed at nuclear command, control, and communications (NC3) systems.
• Develop coalition-wide practices for the Vulnerabilities Equities Process (VEP).
• Adopt greater transparency about defend forward actions.
• Hold states accountable for malicious activity emanating from their territories.
• Make digital competition a pillar of the national security strategy.
• Clean up U.S. cyberspace by offering incentives for internet service providers (ISPs) and cloud providers to reduce malicious activity within their infrastructure.
• Address the domestic intelligence gap.
• Promote the exchange of and collaboration among talent from trusted partners.
• Develop the expertise for cyber foreign policy.

A free, global, and open internet was a worthy aspiration that helped guide U.S. policymakers for the internet’s first thirty years. The internet as it exists today, however, demands a reconsideration of U.S. cyber and foreign policies to confront these new realities. The Task Force believes that U.S. goals moving forward will be more limited and thus more attainable, but the United States needs to act quickly to design strategies and tactics that can ameliorate an urgent threat.