Why does the Pentagon get all the cyber money?
- By Tim Maurer <p> Tim Maurer is a research associate in the technology and public policy program at the Center for Strategic and International Studies and a non-resident fellow at the Global Public Policy Institute in Berlin. David Weinstein is a graduate student at Georgetown University's School of Foreign Service in its Security Studies Program. </p>
At his confirmation hearing, John Kerry, the new secretary of state, said that cyber threats were "the 21st century nuclear weapons equivalent." The Obama administration is certainly acting as though he’s right. Last week, the Washington Post reported that the Pentagon plans to grow U.S. Cyber Command by a factor of five — from 900 to 4,900 personnel. Apparently, cybersecurity is one of the few areas not only exempt from the current budget cuts, but one that is actually growing significantly. What’s more, the New York Times revealed on Monday that, according to a secret legal review, the president has broad power to order a pre-emptive strike in case of a pending cyberattack from abroad. But as cyber warriors accumulate more funds and more authority, little has been said about the cyber diplomats, even though they are going to play a key role in shaping the future of cyberspace — and the norms of the cyber battlefield.
For foreign policy to be successful, diplomacy and the use of force must go hand in hand. The cyber domain is no different. Yet the State Department has far fewer staff and resources focusing on Internet policy than the Pentagon. It is difficult to nail down exactly how much funding and personnel each department has — it depends in no small part on the definition of "cyber." (In the State Department, cyber staff range from those in the Office of the Coordinator for Cyber Issues to those who deal with Internet freedom and governance.) However, the number of diplomats clearly pales in comparison to the number of warriors at Cybercom and other arms of the Pentagon, to say nothing of the cybersecurity elements at the Department of Homeland Security.
What’s more, list of issues requiring engagement with allies, partners, and friends, as well as conflicts to solve with less friendly countries, keeps getting longer and longer. For example, the number of international organizations trying to tackle cyber issues has exploded in recent years — from global institutions like the U.N. Human Rights Council, the G8, the OECD, the World Trade Organization, and the U.N. General Assembly, to regional bodies such as the ASEAN Regional Forum, the Organization for Security and Cooperation in Europe, the Organization of American States, and one-off summits like the World Conference on International Telecommunications. The number of diplomats well versed in technology issues must keep up with this rapid expansion of attention and weight in international negotiations in order to monitor developments and seize windows of opportunities.
One of those issues is translating existing international law to cyberspace. A milestone was achieved last year when the international community affirmed that "the same rights that people have offline must also be protected online, in particular freedom of expression." Confirming that international humanitarian law also applies to cyberspace is a similar exercise. The International Committee of the Red Cross states that "International Humanitarian Law clearly anticipated advances in weapons’ technology and the development of new means and methods of waging war. There can be no doubt, therefore, that international humanitarian law cover cyber warfare" — a view shared by the United States. Yet, according to Harold Koh, the State Department’s chief lawyer, "At least one country has questioned whether existing bodies of international law apply to the cutting edge issues presented by the Internet." Finding a consensus requires significant diplomatic craftsmanship.
Another example for the role of diplomacy is highlighted in a study published by the University of Cambridge last year titled "Measuring the Cost of Cybercrime." The authors make the intriguing argument "that we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more in response — that is, on the prosaic business of hunting down cyber-criminals and throwing them in jail." Doing that requires international law enforcement cooperation like the recent success the FBI had in breaking a cybercrime ring after working with colleagues in Finland, Germany, Latvia, Moldova, the Netherlands, Romania, Switzerland, and the United Kingdom. However, this work depends on mutual legal assistance treaties and a diplomatic framework such as the Convention on Cybercrime, which has a mere 38 ratifying members even though it has been around for 12 years. Diplomats, including American diplomats, need to work hard to increase participation and make it harder for non-state actors to threaten nation-states and their citizens.
The military’s increasing role regarding cyberspace is not surprising. Cyberspace has become a new domain for human interaction and has therefore become a new arena for all kinds of players. Estonia, Georgia, and Stuxnet were wake-up calls how the Internet can be used for military purposes. But it is unclear how these changes will affect international affairs in the long run. That is why it is important to not only focus on military power but to also create a robust capacity to address these issues diplomatically. As Kerry argued when asked about cybersecurity during his confirmation hearing, "We are going to have to engage in cyber diplomacy and cyber negotiations and try to establish rules of the road that help us to be able to cope with this challenge."
As more and more people around the world gain access to the Internet, the political and economic stakes will grow and those using the technology with malicious intent can pose a bigger threat. Diplomats will be needed to address, for example, the concerns from developing countries about providing affordable access and universal service to their people, following the development of international standards and protocols and their potential effects on Internet governance such as the new IPv6 infrastructure, or Deep Packet Inspection. Cyber diplomats will be needed to put into place confidence-building measures and institutional crisis management mechanisms to limit the escalation of inter-state conflict.
The good news is that the Internet’s expansion will also create greater interdependence among its users — individuals, companies, and states alike. A sustained diplomatic effort can identify areas of mutual interest and build alliances to maintain an open and free Internet. That is why the State Department’s ability to address cyber challenges and conflicts must be enhanced. Having spent 27 years in government, Nicholas Burns, the former undersecretary of state, reminds us, "Diplomacy does require a fair degree of patience in our restless political culture. In the end, however, it can promise progress and sometimes even peace if we believe in our power to pressure, cajole, and persuade rather than just fight." Let’s start by growing our cyber diplomatic effort by at least a factor of five. It certainly cannot hurt trying to preempt a preemptive strike.