Why cyberattacks will never really be regulated

By Daniel W. Drezner, a professor of international politics at the Fletcher School of Law and Diplomacy at Tufts University.

Your humble blogger has been busy at the U.S. Army War College's annual conference on The Future of American Landpower ... at which he's heard a lot about cyberattacks. So at the risk of violating one of my own maxims, I want to write one post about this whole cyber business. Because the more I apply my monkey brain to this, the more dubious I get about how it's being talked about, and I want to try to work my way through this. 

First, if we're living in a world where the director of national intelligence thinks it's the number-one threat out there ... well, let's face it, then it's not a very scary world, is it? I mean, if industrial espionage has replaced terrorism as the biggest national security threat facing the United States ... meh. I don't want there to be industrial espionage, but let's face it, this ain't the kind of Cold War-level threat that I hear bandied about so frequently. 

But, to be fair, I think concerns about "cyber" aren't just about the industrial stuff -- it's attacks on critical infrastructure and so forth. Except now we need to step back and ask under what circumstances such attacks would occur. There are terrorists of course -- which means that this is an old threat in a new domain. There are state actors -- which means that this is an even older threat in a new domain. Terrorists will most likely attempt such attacks when the opportunity arises. State actors presumably would not attempt such actions on a full-bore scale unless there were actual military hostilities. Cases like Stuxnet fall in between ... into espionage and covert action.

So, can international norms about cyberattacks be negotiated? I know NATO is trying something like this with the Tallinn Manual, and I know the United States is insisting that the laws of war apply to cyberdomains. I suspect that this has a chance of working in regulating real world interstate military conflicts, because, with any shadow of the future, most states are prepared to obey most regimes most of the time. 

But let’s face it — most of the concerns about cyber aren’t about what happens if a war breaks out. The concerns are about regulating such attacks during peacetime, which means this is about regulating intelligence-gathering, espionage, and covert actions. Now, let me just list below the number of international regimes that establish the rules, norms and procedures for regulating these kinds of activities:

Nada. Zip. Nothing. Or, as one journal article more delicately put it, "espionage is curiously ill-defined under international law." 

That’s because espionage can’t really be regulated. For any agreement to function, violators have to be detected and punishment has to be enforced. In the world of espionage, however, revealing your ability to detect is in and of itself an intelligence reveal that states are deeply reluctant to do. 

So I don’t think negotiations will work, and I sure as hell don’t think smart sanctions will work either. Most of what concerns us about cyber falls under the espionage and covert action category, and that’s never been regulated at the global level. 

What am I missing? Seriously, what — because what I just blogged is highly subject to change. 

Daniel W. Drezner is a professor of international politics at the Fletcher School of Law and Diplomacy at Tufts University, where he is the co-director of the Russia and Eurasia Program. Twitter: @dandrezner
