The Liberal Cyber Order
This month the Biden administration released its National Cybersecurity Strategy, ending months of speculation about its contents. The document focuses on public-private collaboration, which is unsurprising given that the private sector owns and operates most of the internet. Because it calls for stronger regulations, the issue of public-private relations has already received a lot of attention.
But the document also reveals something about the administration’s grand strategy. President Joe Biden’s approach to national security has always blended liberal ideals with realist restraint. He has promoted democracy and pledged his support for international institutions, to be sure, but he also has a long record of resisting calls for military action. Biden’s instincts have been most fully on display in Ukraine. The president describes the war as a clash of democracy and authoritarianism upon which the West depends, yet he has refused to send U.S. troops to fight the Russian invaders, and he has tailored military assistance to avoid provoking Russian escalation.
The administration’s approach to cyberspace is different. It is liberalism unbounded. The White House strategy treats cyberspace as the venue for ideological competition among great-power rivals. The United States and its democratic allies are fighting to sustain a free internet and a “cyber ecosystem” that encourages trade and protects human rights. Russia and China, by contrast, are fighting to dismantle that system, replacing liberal norms with a conception of cyber sovereignty that justifies political oppression at home and political manipulation abroad.
Biden welcomes the fight. He shows no inclination to restrain American cyber power in the service of liberal ideals. His strategy does not dwell on deterrence, a word that does not appear anywhere in the document. Nor does it express any concern for escalation — that term doesn’t appear either. The military restraint that tempers White House political idealism disappears in cyberspace. The president is a realist in the real world, but a liberal champion online.
Liberal Ideals and American Grand Strategy
Grand strategy is a theory of security, a logical story about how states use the instruments of national power to make themselves safe. The military instrument has long occupied scholars, but intelligence, economic, and diplomatic tools can also play an important role. In addition, practical grand strategies should pay attention to allies abroad, politics at home, available resources, technology, and geography. These factors may enable or constrain policymakers’ choices.
States can choose from a variety of grand strategies. Two are particularly important to the current U.S. debate: restraint and liberal internationalism. Restraint starts from the premise that the United States, by virtue of history and geography, is remarkably secure. It enjoys the natural protection of two oceans and sits atop vast natural resources. It has not faced a serious great-power competitor in the western hemisphere for two centuries. For these reasons, the United States does not have to spend lavishly on defense or undertake high-risk military campaigns. Provocative actions are unnecessary and dangerous.
Restraint treats international politics as a story about power, not ideas. Restraint does not dwell on regime type or ideological differences among different states. Indeed, it is skeptical about arguments that connect national security with ideological intangibles. Restraint also assumes that international markets are largely self-sustaining, and do not need the guidance and protection of America or any other state. Corporations will trade internationally because profit beckons, and they will pay the cost to do business abroad.
A liberal grand strategy is based on different assumptions about world politics. The first is that the spread of liberal values — especially democracy and free trade — will be good for national security. Democracies do not fight other democracies, according to this logic, so the expansion of democracy reduces the risk of conflict. Similarly, trading states have less reason to go to war with each other because the economic consequences would be calamitous. A world of trading democracies would be a world of peace, so the United States should strive to make that world a reality.
Liberal internationalism believes in trade, to be sure, but the theory doubts that commercial markets are self-sustaining. States need to backstop trade in order to see it flourish, providing military protection for international traders. Strong states can deal with pirates who would steal cargo, as well as rogue regimes who would demand exorbitant fees for transiting geographic choke points and visiting foreign ports. Wealthy states can backstop the international economy by acting as lender of last resort and by enacting laws that serve as de facto promises that firms will honor their commitments. International commerce will prove fragile in the absence of state intervention.
Institutions are also essential for coordinating state actions and encouraging cooperation. International institutions provide forums for coordination, dispute resolution, and sharing. They serve as incubators for norms, and they reduce transaction costs. All of this creates a virtuous cycle: States join institutions to solve practical problems, and they stay in them once they discover the material and normative benefits. Institutions outlast the political conditions that caused their creation in the first place, because members come to realize the value of keeping them and the costs of leaving. They provide order and predictability, and they foster collective norms. An international order underwritten by strong institutions is prosperous and calm.
For liberal internationalists, cooperation is essential because “security is indivisible.” Threats to one country tend to ripple outwards, putting everyone at risk. As states become increasingly interdependent, they also become more vulnerable to dangers abroad. The upshot is that states cannot secure themselves by closing their eyes to others’ misfortunes. Contemporary international politics do not allow states to make themselves safe by remaining inconspicuous and hoping that trouble doesn’t come their way.
America Online
The foundations of liberal internationalism are on full display in the National Cybersecurity Strategy. Building on earlier efforts to rally like-minded countries in common cause, it presents a “democratic vision for an open, free, global, interoperable, reliable, and secure digital future.” From the administration’s perspective, robust cybersecurity is essential to bolstering global democracy because a secure internet is the foundation of free speech across borders. But while democracies benefit from the open exchange, the White House warns that illiberal regimes seek to stifle the free flow of ideas and to use the internet for repression and political manipulation. The strategy describes the competition in cyberspace in Manichean terms, a struggle pitting democracies against “autocratic states with revisionist intent” whose “reckless disregard” for liberal norms is a clear threat to national security.
The strategy repeatedly emphasizes the importance of protecting digital trade, which it describes as another element in the broader effort to push back against authoritarianism. It sees cybersecurity and trade as mutually reinforcing. Strengthening encryption, for example, will protect commerce, giving commercial actors a reason to collaborate with the government. Such collaboration is key to the administration’s vision of an internet in which security and prosperity go hand in hand.
Tighter links between public and private cybersecurity efforts, however, speak to the belief that the market is not enough. Indeed, the administration argues that market forces have removed incentives for private firms to invest in cybersecurity, especially in software development. Low-cost and high-speed solutions are appealing to buyers and sellers alike, creating a cyberspace ecosystem where security vulnerabilities abound. Fixing this mess requires a program to “realign incentives to favor long-term investments in security, resilience, and promising new technologies,” and the strategy includes strong language about holding the private sector to account through new regulations. All of this is consistent with a liberal internationalist grand strategy, which is founded on the idea that trade is vital but that markets need guidance and protection.
The administration extends the idea of collaboration to include partnerships with foreign states under the auspices of international institutions, using language that will be very familiar to liberal theorists. It builds on decades of work in the United Nations to develop norms that guide internet governance and set the boundaries of acceptable behavior in cyberspace. But the administration goes further in its campaign to situate cybersecurity in a web of overlapping international institutions. The document discusses a hodgepodge of institutions, formal and informal, that will create “a world where responsible state behavior in cyberspace is expected and rewarded and where irresponsible behavior is isolating and costly.”
Incidentally, this language is strikingly familiar to the British diplomat Shaun Riordan, who argues that cyberspace diplomacy aims to “reduce tensions and negotiate norms of behavior which … provide constraints on states which, wanting to appear virtuous citizens of the international community in physical space, self-impose limitations on their behavior in cyberspace.” I suspect that this is no accident. Instead, the similar constructions reflect an underlying belief among diplomats in the power of institutions to shape national incentives, based on the notion that states understand the benefits of institutional cooperation and don’t want to be left out.
The desire for inclusion also reveals the belief that security is indivisible in cyberspace, more so than in the physical world. The global internet is interdependent by design, a network of networks that only exists because of voluntary cooperation. Open channels of communication enable a remarkable platform for exchanging data, but they also create the danger that cyber attacks against one state will end up damaging others. According to the White House, recent history underscores the problem:
The Internet continues to connect individuals, businesses, communities, and countries on shared platforms that enable scaled business solutions and international exchange. But this accelerating global interconnectivity also introduces risks. An attack on one organization, sector, or state can rapidly spill over to other sectors and regions, as happened during Russia’s 2017 “NotPetya” cyberattack on Ukraine, which spread across Europe, Asia, and the Americas, causing billions of dollars in damage. The potential cost of attacks like this will only grow as interdependencies increase.
Moreover, the specific effects of malware are sometimes hard to predict, creating additional uncertainty about system effects in the digital domain. Malware can spread to unintended targets, causing unintended harm. The administration takes all this as proof that vulnerability anywhere is insecurity everywhere, and it seeks to mitigate threats quickly rather than letting them grow and metastasize. From its perspective, there is no substitute for daily coordination among states under the auspices of international institutions. The security of free-trading democracies depends on it.
Measuring Results
The administration promises to measure the results of its strategy. This promise is laudable, though the process will be difficult. Organizations are not objective about their own work, and savvy bureaucrats may be forgiven for believing that the “self-evaluating organization” is a contradiction in terms. Nonetheless, the administration pledges to assess its cybersecurity strategy in annual reports from the National Cyber Director, and through lessons-learned analyses by the Cyber Safety Review Board. Most of the assessment process will focus on public-private collaboration, given its emphasis in the document and the intensity of debates over regulation. But the administration should also evaluate the broader results of its liberal grand strategy in cyberspace.
In the physical world, Biden balances his liberal preferences with concerns about escalation. Confronted by the reality of war, he has been willing to set aside ideology rather than risk new conflicts. In cyberspace, by contrast, the president has declared an unambiguous and unrestrained approach. The White House strategy applauds the Department of Defense’s commitment to Defend Forward, an assertive approach based on the idea that the best way to improve cybersecurity is to mitigate threats as close as possible to their point of origin. Advocates of defending forward are confident that they can operate aggressively without triggering a security dilemma with rivals. The president seems to share their confidence.
What explains the difference between Biden’s cyberspace activism and his real-world restraint? Perhaps administration officials agree with academic research showing that individuals and states are more tolerant of cyberspace operations than violent attacks. Perhaps they are persuaded by arguments that fights over bytes do not escalate like fights over territory. Or maybe they just take comfort from the dogs that haven’t barked. Years of intense cyberspace competition have not led to disaster. If anything, there is some evidence that cyberspace operations have defused crises, not caused them.
Bolstered by this sanguine view, the administration has plans for an aggressively liberal internationalist grand strategy in cyberspace. It will invest in digital trade and internet governance, and help other democracies secure themselves against illiberal attacks. Its goal is an internet that “remains open, free, global, interoperable, reliable, and secure — anchored in universal values that respect human rights and fundamental freedoms. Digital connectivity should be a tool that uplifts and empowers people everywhere, not one used for repression and coercion.”
It is not clear how the administration will assess progress towards these lofty goals, but a number of measures might help. Simple quantitative exercises would include tracking the number of significant cyberspace operations relative to the volume of online communications. The administration’s strategy highlights a few key problems: ransomware, infrastructure attacks, and influence operations. All of these should decline over time as adversaries realize that such efforts will probably fail. The administration believes that a coordinated defense among liberal states, international institutions, and private-sector partners will make it obvious that cyberspace operations are futile. Open-source information can help to put that proposition to the test. Secret intelligence, meanwhile, may look for evidence that foreign adversaries are losing confidence.
Success should mean that more individuals and firms are willing to interact online. Faith in an open and secure internet should encourage more participation. Usage data and public surveys might attest to the success of the liberal approach — though such evidence is not dispositive, given the variety of other factors that affect personal and organizational choices. At a minimum, however, we ought to see broad enthusiasm among users in the community of liberal states, and growing faith in the security of the underlying technology that they use.
Other measures might focus on response times in the aftermath of security breaches. Deeper institutional coordination should make it easier to mitigate threats as soon as they are spotted; accelerate joint law enforcement operations leading to noticeably quicker arrests and indictments; and reduce the time to restore functionality to affected systems and machines.
Political measures are somewhat less tangible but no less important. States ought to become more comfortable with regulatory harmonization over time, even if they are not entirely enthusiastic. States should welcome political discourse online and resist the urge to censor divisive topics. Indeed, if the liberal grand strategy is successful, then foreign influence campaigns should become less frequent and less impactful over time. States will stop worrying about trolls on social media, given evidence that foreign rivals are becoming discouraged about the value of such meddling.
How will the administration know if it is failing? The easiest method is looking for opposite evidence of the indicators above. If the liberal approach is not working, for example, then we ought to see a reduction in cyberspace activity relative to population. Individuals who are not convinced that the domain is secure will use it less often. They will be less willing to engage in political speech, share financial information with vendors, or otherwise participate. States will push back against regulatory harmonization and cooperation will become superficial. Firms will also reduce their online presence and revert to older methods of doing business, sacrificing efficiency for reliability.
One other problem bears attention. The administration believes that foreign assistance will lead its partners to improve their capabilities and improve everyone’s cybersecurity. Deeper ties will include sharing threat information and technologies and cooperating in joint law enforcement efforts. In some cases, it will require honoring requests to support partners in the aftermath of an offensive cyberspace operation. “Close cooperation with an affected ally or partner demonstrates solidarity in the face of adversary activity,” the administration argues, “and can accelerate efforts to expose counternormative state behavior and impose consequences.”
Despite these benefits, however, the administration does not promise to respond to all such requests. Instead, it promises to “establish policies for determining when it is in the national interest to provide such support.” The strategy suggests that the default answer is yes, but the administration has left itself some wiggle room. Perhaps officials are concerned that foreign partners will outsource their cybersecurity response to the United States rather than build their own capability. If so, then the administration has also suggested a way of measuring the success or failure of its approach to foreign assistance. Careful investigations can assess whether the target country had taken its own cybersecurity seriously in the period before the breach — and whether it was taking serious efforts in the aftermath. Affirmative findings would tend to support the administration’s approach. More critical findings would not.
The ability to measure progress is important, and the administration deserves credit for making the case for self-assessment. Equally important is the willingness to look for signs of failure. The administration is taking a big bet on a liberal grand strategy in cyberspace. We need to know if the bet is paying off.
Joshua Rovner is an associate professor in the School of International Service at American University.
Image: U.S. Air Force photo by Airman 1st Class Jared Lovett