In advance of Chinese Premier Xi Jinping's visit to the United States, reports were surfacing that an unprecedented, first-of-its-kind arms control agreement for cyberspace was in the offing. Among other things, the agreement was expected to seek to eliminate first attacks against either nation's critical infrastructure. While such an agreement would represent an important first step, it also highlights long-standing shortfalls in U.S. preparedness and response capabilities in cyberspace, beginning with a lack of well-understood doctrine for cybersecurity.
On Friday, President Barack Obama announced that he and Xi had agreed not to conduct or support cybertheft of business secrets. Obama called the agreement “a work in progress,” while Xi agreed that the countries would abide by “norms of behavior” in cyberspace, according to news reports.
Today, no such official doctrine guides international, or for that matter, U.S. cybersecurity policy. No comprehensive framework exists for thinking about cyberspace issues, managing concerns or even responding to crises. There are no set limitations on potentially destabilizing behavior. There's not even an internationally accepted glossary of terminology to guide creation of cyber norms.
A much needed approach would be to establish a framework of international norms, laws and arms control treaties that would enhance the cybersecurity of signatory nations while at the same time allowing them to defend their own networks and to take unilateral action to protect these assets. Models for managing activities across sectors do exist in areas such as transportation and countering weapons of mass destruction.
For example, in the WMD model, multilateral treaties such as the nuclear Non-Proliferation Treaty, the Biological and Toxin Weapons Convention and the Chemical Weapons Convention seek to limit activity on nuclear, biological and chemical capabilities, respectively. Coalitions of the willing have banded together through regimes such as the Australia Group for chemical and biological weapons precursors, the Missile Technology Control Regime and the Wassenaar Arrangement to limit proliferation of technologies by restricting international exports by member nations. In some cases, bilateral agreements such as those between the United States and Russia (and formerly the Soviet Union) concerning nuclear weapons are employed to limit weapons holdings and destabilizing activities.
Of course, the differences between WMD and cyber would mandate a greater focus on managing behavior rather than controlling technology. While many international WMD agreements focus on things — precursor materials, processing equipment and technology for example — an international cyber structure would need to focus on governing behavioral norms. Such norms would need to be codified in national policies, regulations and laws, and accompanied by capabilities for attribution and enforcement.
Developing a cybersecurity framework would begin by defining the limits or boundary conditions. What is acceptable behavior in cyberspace? What does deterrence in cyberspace look like? What activities are part of “normal” relations between nations? Do principles from military operations apply in cyberspace? What critical cyber capabilities must be defended? How should the nation respond to the range of cyber incidents it faces? These critical questions come at a time when the Internet grants equal network access and capabilities to individual users, critical infrastructure providers, national governments and, now, billions of next-generation devices that are part of the “Internet of Things.”
Yet international control measures and regimes are virtually non-existent in the cyber world and those that do exist tend to focus on mundane technical controls, like overseeing Internet Protocol naming conventions. This complaint is not new. In 2013, an international group of experts developed the Tallinn Manual to examine many of the unanswered international legal questions that dot the cyber landscape.
To reinforce concerns about this lack of a cyber doctrine, during a recent briefing by a senior administration official, the speaker discussed holding individual meetings to manage each of the more than 70 specific cyber-events that had occurred during his tenure. Rather than examining the broader range of behaviors that potentially threaten U.S. national security, this national coordinating agency treated each event in isolation. Simply put, a broader approach is needed.
Even as it backs the development of international cyberspace norms, laws and treaties, the United States should be doing more to defend its networks and the vital national interests they support. While the United States has foundations for governing cyberspace issues, much work remains to be done. Denial of service attacks directed against banks, the Office of Personnel Management breach resulting in the loss of personal data of more than 22 million people and demonstrations of hacking directed against transportation systems including cars are just some of the consequences of the vulnerabilities that have recently been revealed.
Meanwhile, Department of Homeland Security systems designed to protect federal networks are taking too long to deploy as the vulnerabilities continue to grow. Two examples are EINSTEIN 3A, which provides sensors at Web access points and employs signatures to identify cyber-attacks, and Continuous Diagnostics and Mitigation, which allows network administrators to monitor their respective networks to identify and mitigate current threats at network speed. Even modest proposals such as those contained in information sharing legislation, which has been included in several congressional bills over the past three years, have not passed, despite the backing of the administration. These shortfalls should be remediated as a matter of the utmost urgency.
So while a U.S.-China agreement is a welcome step, it also underscores the greater issues facing the United States, and indeed the international community, in this largely ungoverned space. It further highlights that a precondition for securing U.S. networks should be the development of an overarching cyber doctrine that defines the limits of acceptable behavior and allows the U.S. to defend its networks against current and future threats.
Daniel M. Gerstein works at the nonprofit, nonpartisan RAND Corporation. He was the undersecretary (acting) and deputy undersecretary in the Science and Technology Directorate of the Department of Homeland Security from 2011 to 2014.
This commentary originally appeared on U.S. News & World Report on September 26, 2015. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.