Your humble blogger has been busy at the U.S. Army War College's annual conference on The Future of American Landpower ... at which he's heard a lot about cyberattacks. So at the risk of violating one of my own maxims, I want to write one post about this whole cyber business. Because the more I apply my monkey brain to this, the more dubious I get about how it's being talked about, and I want to try to work my way through this.
First, if we're living in a world where the director of national intelligence thinks it's the number-one threat out there ... well, let's face it, then it's not a very scary world, is it? I mean, if industrial espionage has replaced terrorism as the biggest national security threat facing the United States ... meh. I don't want there to be industrial espionage, but let's face it, this ain't the kind of Cold War-level threat that I hear bandied about so frequently.
But, to be fair, I think concerns about "cyber" aren't just about the industrial stuff -- it's attacks on critical infrastructure and so forth. Except now we need to step back and ask under what circumstances such attacks would occur. There are terrorists of course -- which means that this is a old threat in a new domain. There are state actors -- which means that this is an even older threat in a new domain. Terrorists will most likely attempt such attacks when the opportunity arises. State actors presumably would not attempt such actions on a full-bore scale unless there were actual military hostilities. Cases like Stuxnet fall in between ... into espionage and covert action.
So, can international norms about cyberattacks be negotiated? I know NATO is trying something like this with the Tallinn Manual, and I know the United States is insisting that the laws of war apply to cyberdomains. I suspect that this has a chance of working in regulating real world interstate military conflicts, because, with any shadow of the future, most states are prepared to obey most regimes most of the time.
But let's face it -- most of the concerns about cyber aren't about what happens if a war breaks out. The concerns are about regulating such attacks during peacetime, which means this is about regulating intelligence-gathering, espionage, and covert actions. Now, let me just list below the number of international regimes that establish the rules, norms and procedures for regulating these kind of activities:
Nada. Zip. Nothing. Or, as one journal article more delicately put it, "espionage is curiously ill-defined under international law."
That's because espionage can't really be regulated. For any agreement to function, violators have to be detected and punishment has to be enforced. In the world of espionage, however, revealing your ability to detect is in and of itself an intelligence reveal that states are deeply reluctant to do.
So I don't think negotiations will work, and I sure as hell don't think smart sanctions will work either. Most of what concerns us about cyber falls under the espionage and covert action category, and that's never been regulated at the global level.
What am I missing? Seriously, what -- because what I just blogged is highly subject to change.
Daniel W. Drezner is professor of international politics at the Fletcher School of Law and Diplomacy at Tufts University.