CYSE 526 – International Law and Cybercrime

Please read the piece on World Economic Forum’s page https://www.weforum.org/agenda/2019/02/why-international-law-is-failing-to-keep-pace-with-technology-in-preventing-cyber-attacks and state your opinion on the efficiency of International Law in addressing cyber crimes. 

I feel that international law currently is not a strong method for handling global cybercrime. Many grey areas still exist with how loose cyberspace is as a form of sending and receiving attacks that may or may not cause serious harm to a country. Furthermore, as was stated in the World Economic Forum article, the most difficult part lies in proving that a state was involved in an attack and that the utility of non-state actors only further clouds who is behind a cyber-attack that could be from anywhere. Countermeasures and international law stepping in are also hindered by cyberspace and cyberattacks needing to meet a certain damage threshold to receive attention.

However, international law can improve, but it will be difficult. This requires there to be a unified idea of laws pertaining to cyberspace between all collaborating countries. This can then build the groundwork for forming a unified plan to combat the difficult aspects of cybercrime, such as the definition of attacks, their constituted threshold, and non-state actors.

Global cybercrime can also be tackled by other measures. The NATO Cooperative Cyber Defense Centre of Excellence (CCD COE) is a significant start in improving international law and cyberspace with the Tallinn Manual 2.0, which covers the application of international law on “below the threshold” cyber operations. Countries, on an individual level, can also improve by investing more in their national cybersecurity structure to crack down on global cybercrime. International organizations such as NATO or the UN can also bring more attention to the poor efficiency of international law on cybercrime and propose possible solutions.

In short, the efficiency of international law in addressing cybercrime is poor. It is held back by the fast rate of cyber-attacks, their ability to be from anywhere, the involvement of non-state actors, and the threshold of a majority of cyber-attacks being low enough not to involve international law. However, by establishing a unified understanding of law within cyberspace, international organizations collaborating on a new approach, and individual countries putting in their effort to mitigate cybercrime, the issue will not only begin to shrink but also have a new structure that is directly applied to solving it.

https://www.weforum.org/agenda/2019/02/why-international-law-is-failing-to-keep-pace-with-technology-in-preventing-cyber-attacks/

https://ccdcoe.org/uploads/2018/10/Art-09-Is-the-International-Law-of-Cyber-Security-in-Crisis.pdf

CYSE 526 – Internet Governance and Global Cybersecurity

What should the role of the United States be in Internet Governance? Do you think International Institutions can be helpful in global cybersecurity?

https://www.cfr.org/report/increasing-international-cooperation-cybersecurity-and-adapting-cyber-norms

I believe the role of the United States regarding internet governance is to stay relatively consistent with its current model by continuing to be an advocate for change. The consistencies include advocating for a free internet for everyone, collaborating with other like-minded countries to spread that same message, and working hard to mitigate cybercrime globally.

However, something to recognize is that while the U.S. can interfere with countries like China or Russia that have different forms of Internet Governance, they still are limited in reach. While I feel it is fine to try and push for countries with more controlling structures on the internet to change, another factor to recognize is differing internet norms. An important point from the article “Cybersecurity and the Concept of Norms” was how norms are not forced but fluctuate over time due to different factors. This includes things like laws, principles, cultures, and locations that influence common beliefs to be altered. So, while the U.S. can push for internet governance to focus on freedom, for countries that have a different structure, the factors around their norms will be the trigger for that change, and it cannot force that change.

I also understand the positive value that international institutions can have in supporting global cybersecurity. With not only the collaboration of other countries but also the financial power that comes with that, it presents an opportunity for two major groups to benefit from a unified effort to improve cybersecurity. A unified institution can create a solidified version of cybersecurity concepts that can be both broad and/or defined, clearing up potential misunderstandings that cause difficulty for countries in global cybersecurity. Due to the reach of the institution, the people of all countries included benefit from more secure systems and potentially an improved understanding of how to digitally protect themselves.

In conclusion, the U.S. should largely stay the same regarding its strategy on Internet governance. There should be a focus on collaboration and spreading a message of a free internet, but a just as important factor is not to overstep the boundaries of other countries due to differing norms and cyber norms. Also, an international institution has the potential to be a valuable pillar for global cybersecurity by providing clarity on cybersecurity for countries and giving cybersecurity resources to the people who need it.

https://carnegieendowment.org/research/2017/11/cybersecurity-and-the-concept-of-norms?lang=en&center=global

CYSE 526 – U.S. and Europe’s Cybersecurity Strategies

Do you think there has been a basic difference between the U.S. and Europe in their approach to cybersecurity? If there has been, do you think this difference is staying the same, growing or waning?

https://www.gmfus.org/sites/default/files/2021-10/Cyber-Agora-20page-web-02.pdf

There is a difference in how the U.S. and the countries of Europe approach cybersecurity. The difference is growing and waning in different ways. The U.S. approach focuses on offensive and defensive cyber operations. The country’s significantly higher budget gives it the capability of having incredibly complex offensive cyber operations and a strong defense that is continuing to grow. However, improvements still need to be made to its foundation for security.

France is becoming more similar to the U.S. cybersecurity approach, primarily utilizing more offensive cyber operations, but has two key differences. The first difference is that their offensive and defensive security agencies are split apart and not with the intelligence community. The second difference comes with choosing a different tactic from the rest of their allies’ tactics of naming and shaming, instead opting to prioritize diplomacy to resolve issues.

The UK has fewer differences compared to the U.S., as they focus primarily on improving their cybersecurity from a general standpoint, implementing new systems for reporting incidents, and having the goal of reducing the amount of cybercrime in their country. Furthermore, Germany is also waning in differences by investing in offensive cyber operations as opposed to their previous focus on defense. However, their iteration of the vulnerabilities equities process differs from the U.S. by being more accessible to the public, and having parliament play a role in that process.

Scaling up to the EU, there are two growing differences. Their plan follows a multi-stakeholder approach, in which not only do the governmental and non-governmental sectors collaborate, but both parties play a factor in how cybersecurity is directed. In countries like Finland and Estonia, the significant difference between them and the U.S. is the utilization of cyberspace to gain influence. This also includes using more harmful techniques like “sharp power,” which focuses on piercing the information environments of different countries to gain influence.

Overall, Europe and the U.S. are different in how they approach cybersecurity, but those differences are both waning and growing. While the U.S. has the capital to focus on both offensive and defensive cybersecurity, countries like France, the UK, and Germany are investing generally in cybersecurity or having more of a focus on offensive operations. However, larger differences like the utilization of a multi-stakeholder approach for policy and tactics like using cyberspace for influence are what make Europe unique along with the U.S.

CYSE 526 – Defend Forward Strategy Against Iran

Do you think defending forward is the right strategy in dealing with Iran? Why?

https://carnegie-production-assets.s3.amazonaws.com/static/files/Iran_Cyber_Final_Full_v2.pdf

I think that defending forward is an effective strategy for dealing with Iran’s cyber-attacks. Targeting the root of the cyber-attacks before sufficient damage can occur can deter groups from trying those attacks again and prevent damage to societal aspects like critical infrastructure. The constant attacking also hinders the time to come up with new strategies, further weakening the opposing side. Defending forward can also be effective by cutting down on attacks stemming from Iran and associated offensive cyber operation entities like the Islamic Revolutionary Guard Corps (IRGC), the Cyber Defense Command, the Basij Cyber Council, and the Iranian Cyber Army. Furthermore, Iran has been significantly improving their cyber-attacks against not only the United States but also other countries in only fifteen years. With the removal of their sanctions due to the new nuclear deal, it is an even more pressing matter that strategies like defending forward are enforced to prevent cyber-attack damage from growing even larger if Iran continues to act upon them.

However, while defending forward can be a good strategy for Iran, it’s not fool-proof. Considering how Iran is known for retaliating against the many cyber-attacks they have been hit with, attacking them again may either not do much to deter them or possibly escalate attacks with their ability to now amass more resources. Therefore, the addition of actions such as improving defenses on our end and giving more power to the organizations within Iran that are against the government’s censorship and use of the Internet can be an extra addition to the strategy that can go a significant way in mitigating Iran’s opportunity for cyber-attacks.

In conclusion, defending forward is a reasonable strategy for dealing with Iran for several reasons. With an emphasis on mitigating threats as quickly as possible, it immediately reduces the capability of cyber-attacks and prevents Iran’s prominent offensive cyber operation-focused entities from being able to come up with new strategies in time due to the strategy being constant. Furthermore, the strategy has more utility now due to Iran’s capabilities for stronger attacks increasing. Still, the addition of stronger cyber defenses and the reduction of Iran’s censorship via supporting small organizations can create a more solid groundwork for the strategy to be effective as a whole.

CYSE 526 – North Korea Retaliation

Considering the fact that North Korea is much less connected to the internet, do you think a retaliation with other means of power against North Korea would be a good foreign policy choice? Why?

https://www.csis.org/analysis/north-koreas-cyber-operations

I believe that utilizing other means of power against North Korea would be an effective foreign policy choice, except for immediate retaliation. Given that North Korea has amassed cyber capabilities and attacked the U.S. with quick cyber-attacks, strategies must be implemented to mitigate this behavior. These strategies take various forms, such as establishing a plan for cyber warfare, carrying out cyber law, and establishing cybercrime warnings. After these strategies, retaliation would be one of the last to consider if none of the others are effective.

First, introducing a solidified cybersecurity plan around cyber warfare would be a good foreign policy choice because it better defines the rights and wrongs of cyber warfare and clears potential confusion that may cause countries to have different conceptions of cyber warfare. This, in turn, will reduce the possible excuse of countries having different ideas of cyber compared to others and hold them more accountable to an established standard.

Next, action should be taken to enforce cyber law when it is shown that there is some form of international misconduct. Implementing laws to account for international cybercrime, such as North Korea’s fast cyber-attacks on countries and the cryptocurrency industry, will restrict their frequency and reachability.

After cyber law has been enforced, significant warnings should be given to countries that were involved. This will act as an additional consequence of participating in cybercrimes after having cyber law applied. It will also be an effective deterrent for countries in the future that may consider committing cybercrime for the country’s gain.

However, while retaliation will be a possible strategy in managing North Korea’s cyber-attacks, it should remain the last possible option due to how it could escalate into larger issues as opposed to de-escalating attacks. For example, if the U.S. were to retaliate with force against North Korea, that conflict could escalate and involve other allies, expanding the issue significantly.

In conclusion, there are means of foreign policy to handle North Korea’s situation without retaliation. A unified plan can clarify cyber war engagement as well as define cybercrimes. Implementing cyber law, when possible, mitigates cybercrimes. Warnings to countries about attacks will also be an effective deterrent. Even though retaliation can change conflict, it doesn’t fully address the issue nor account for the future. Instead, it only tackles immediate response, which is why other strategies can be a good utilization of foreign policy to tackle government-level issues.

CYSE 526 – U.S. Deterrence Against Russia

Please read the article in the link https://www.wired.com/story/russia-cyberwar-escalation-power-grid/. How do you think the U.S. can deter or prevent Russian aggression? To what extent should the U.S. use offensive cyber operations against Russia? Or should it ever choose this option?

While I don’t believe that the U.S. can fully prevent Russia’s aggression, there are ways to deter it. Punishing cyber-criminal groups, imposing sanctions, and making cybersecurity improvements on U.S. infrastructure are far more efficient methods for deterring Russian cyber-attacks than using offensive cyber operations.

Due to disinformation campaigns being one of Russia’s most powerful cyberspace tools, they should be a primary target for minimizing their aggression. This can take the form of informing the public about disinformation campaigns and the methods used to manipulate beliefs. Another way could be to enforce terms of service policies on social media sites to remove blatant forms of disinformation.

Punishing cyber-criminal groups that have ties to Russia can be another way to mitigate aggression. It not only gets rid of groups targeting the U.S., but it can also deter Russia from using them as an avenue for offensive cyber operations. While there is difficulty in serving legal punishment due to different frameworks and security tools like VPNs hiding IP addresses, if groups continue to be caught, it can partially alleviate the problem.

Next, imposing sanctions on Russia can restrict aggression from multiple angles. From a financial perspective, it limits the amount of resources generated and strains the current resources available for offensive cyber operations. Furthermore, from an international perspective, it can force countries to alter their actions after breaking laws and taking offensive action, which can apply to their offensive cyber operations.

Finally, investing in cybersecurity practices for U.S. infrastructure can deter Russian aggression via difficulty. According to the article, since the U.S. houses a more digitized economy and structure, a powerful enough cyberattack makes the country vulnerable. However, if sufficient investments were made into that digitized economy to secure it, it would deter Russia’s aggression due to not being a feasible target.

Regarding the extent of U.S. offensive cyber operations, they should be utilized, but to a minimal degree and primarily in retaliation to attacks. Referring to the article, due to how the U.S. Cyber Command implemented malware into Russia’s power grid, the possibility of Russia interpreting that as an attack would have the U.S. be at fault by choosing to act first as opposed to waiting. While I think the U.S. has plans that can work, using offensive cyber operations should be one of the final measures to counteract aggression from other countries.

CYSE 526 – China and Espionage

Considering China’s cyber espionage activities, do you think it is justifiable to hack businesses in hopes of providing competitive advantages for your own nation’s companies? Should the United States have done more to respond to these hacks?

https://carnegieendowment.org/posts/2019/04/what-are-chinas-cyber-capabilities-and-intentions?lang=en

I don’t believe it’s justifiable for China to hack different businesses solely to gain a competitive advantage. One immediate problem is that if China were to hack a business that causes a ripple effect of problems, it could be seen as a major attack on a country. Furthermore, if it were considered an attack by the United States with that same sentiment, that could even lead to war.

Another reason could be that even if a specific business may be captivating, the attempt to hack specific businesses may not be worth it if sufficient security practices exist. While China has only continued to quickly grow in its cyber espionage potential in the past few years, a possibility to come from these operations is that a company may be a great target, but also a costly one that, in the end, would not be worthwhile for the information gained.

However, a prominent fact about China is that it is known for being one of the most powerful countries in the world, which can be proven through its economy and partnerships. Yet, this, in turn, presents little support for continuing with cyber espionage and harmful cyber operations if the power that China already has makes it nearly pointless.

To add to this, I believe that the United States should have done significantly more to respond to the hacks from China. This could take the form of making a response to China’s cyber espionage activities, saying that the United States knows what’s happening and intends to take great steps to mitigate and cut out this issue.

Another measure would be to invest in cybersecurity for businesses that are a part of critical infrastructure first and then spread that money across businesses country-wide to create a general improvement for businesses in the United States.

In conclusion, there is little reason for China to continue with cyber espionage for an advantage to Chinese companies due to the potential escalation it can lead to, unrewarding investment, and an attempt to gain power illegally when the country is a known superpower that could generate that power naturally over time. The United States also needs to put more effort into a response to these hacks by calling out China on its actions and taking a stand to mitigate what has been done and what could be done in the future.

CYSE 526 – National Cybersecurity Strategy Pillars

Considering the five pillars of National Cybersecurity Strategy, which pillar(s), in your opinion, have/has more challenges in implementation? Why?

https://bidenwhitehouse.archives.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf

The most challenging pillars to implement would be Pillar Three, which is about shaping market forces around cybersecurity, and Pillar Five, which focuses on having international partnerships for greater cybersecurity. My overall reasoning for both of these pillars is the difficulty of maintaining trust, holding parties accountable, and abrasiveness towards investing in something that will not grant visually immediate results, therefore leading to no investment.

Starting with Pillar Three, a significant issue is that organizations start investing in cybersecurity primarily after they have already been hit with a cyberattack, which wastes more money having to repair damages and then invest in cybersecurity. The challenge is that for that structure to change on a country-wide scale, it requires the government to make a massive change in the perception of cybersecurity within the context of organizations. This change would need to make organizations not see it as a hole they are dumping money into. The next issue is ensuring that organizations follow through with mandatory cybersecurity practices. It would require a form of surveillance all across the country to force organizations to acknowledge and maintain compliance with cybersecurity, which leads to another issue for the organizations themselves. Not all organizations are the same with the revenue that they have to invest in cybersecurity. With the inclusion of small businesses and non-profits that still need to invest in cybersecurity, an incredible amount of money is needed for this to function and be maintained at all levels for the future, even if the government is investing a significant amount of money into it.

Next, the biggest challenge with countries forming partnerships for cybersecurity is how that relationship forces a slight amount of openness and requires trust about how they utilize cybersecurity to collaborate better. While it would be valuable for countries to trust each other to improve overall cybersecurity, there is significant risk for those countries. In international partnerships, countries need to consider the possibility of their vulnerabilities being exploited or the potential for ulterior motives within the partnership. These kinds of risks may be too great for countries to get involved in international partnerships. Another issue is that there is no global standard for cybersecurity that all countries can fully agree on. While there are general frameworks that cover a lot of information and strategies, countries still have different perceptions of cybersecurity as a concept. This means that even if these international partnerships start to form, without a primary guide that all parties involved can look to for the same information, it will result in countries tackling the same issue without a sense of cohesion.

In conclusion, Pillar 3 and Pillar 5 of the National Cybersecurity Strategy present several challenges that I believe would have the most difficulties with implementation. For Pillar 3 to be implemented, it requires not only significant funding from the government and organizations but also a complete change in the perception of cybersecurity for the free market to be seen as a critical utility. Furthermore, maintaining the structure of the plan and ensuring every organization in the country is upholding compliance will be difficult. Pillar 5’s challenges require involved countries to be more open with cybersecurity, presenting risks that they may not be willing to take. A lack of a framework that all countries can look to and agree upon for cybersecurity also presents a difficult challenge to implement in the future.

PHIL 355E – Information Warfare Module Reflection

Through your work in this module, you should have gained a robust and multifaceted understanding of information warfare concerns, and gained experience using ethical principles to think through information warfare issues in a cybersecurity context.

Before going on to wrap up the course, take a minute and write down:

  • Something about information warfare that makes sense to you now that didn’t before, or
  • Something about information warfare that you thought made sense before that you realize now does not, or
  • Something that you’re still trying to figure out about information warfare.

Something that makes sense to me now that didn’t before is how much social media can play a factor in information warfare due to the potential reach of its algorithms. While I knew that social media could help shape people’s views on political topics due to personalized content, I misjudged the capabilities for its traction being emphasized on that topic specifically. Factors like algorithms that are meant to target people, the amount of data that the platforms hold, their connectivity, and the amount of content that can be produced and spread make the platform a beneficial tool for spreading misinformation if it can either be broken into or pushed to its extreme from the outside. Examples like the Russian disinformation campaign for the 2016 election show that there needs to be more regulation on social media platforms to counteract the possibility of mass propaganda dissemination. Furthermore, there are no current forms of effective transparency with these platforms and no prompts or warnings about the accuracy of misleading content, which will only allow misinformation and disinformation to proliferate.

Overall, this module taught me that social media is a crucial tool in information warfare and that the little restrictions in spreading misinformation must be tackled to prevent the possibility of mass disinformation campaigns and polarization in the future.

PHIL 355E – Information Warfare Case Study

First, read this article: The Facebook and Cambridge Analytica scandal, explained with a simple diagram, and watch Cambridge Analytica whistleblower: ‘We spent $1m harvesting millions of Facebook profiles’.

Your question to answer is: Was Cambridge Analytica’s use of Facebook data to influence the vote an act of information warfare? Why or why not?

I would argue that Cambridge Analytica’s use of Facebook data was an act of information warfare by having its objective specifically influence how people voted in the 2016 election. Through Facebook’s application’s special permission, the company managed to gather data from 87 million accounts, which included information such as status updates, likes, and private messages of users and their friends without consent or knowledge. That data formed the algorithm that was used to create different forms of propaganda. Forged content like videos, photos, websites, and blogs were meant to further manipulate people’s opinions during the election by making rabbit holes. By exploiting Facebook’s special permission for applications, using psychological targeting tactics, and varying forms of propaganda to pressure, an effective campaign for altering voters’ beliefs, behavior, and electoral decisions was created. Actions like these have the power to cause chaos within a country, and in the context of an election, undermine the democratic process. This is because no one can trust each other when it comes to the information they see. That mistrust can lead to an unhealthy form of skepticism and polarization within communities, eliminating the possibility of people being able to understand and connect when disinformation creates that wedge.