What’s in the New US International Cyber Strategy?
At the RSA Conference on May 6, the US unveiled a strategy for building a stronger, more secure digital ecosystem across the world. The United States International Cyberspace & Digital Policy Strategy (ICDPS)’s underlying ethos is “digital solidarity” in the face of increased threats from Russia, China, North Korea and Iran.
But what impact if any will it have on ordinary businesses? At the very least, it should be another reminder of the need for good digital governance.
Diving Deeper
This document doesn’t appear in a vacuum. It builds directly on the US’s National Cybersecurity Strategy from last year, which had a whole pillar of its own dedicated to international collaboration and consensus. Diplomacy is one of three principles underpinning the latest document, which says it will apply “international statecraft” across a slew of different areas ranging from application software to undersea cables.
The other two foundational principles for the ICDPS are a reliance on positive action to spread the benefits of technology, and a focus on cybersecurity and resilience.
The strategy will execute these principles in four key action areas. The first revolves around building an open, secure digital ecosystem. This ecosystem is grounded in telecommunication networks, which get their own subsection in the document, addressing 5G and forthcoming 6G telecommunications explicitly. Another area of focus is the cloud and datacenters. Undersea cables (which have a nasty habit of being cut or snooped upon) and satellites (the US government was recently alarmed to discover that Russia was planning a space-based anti-satellite system) are also areas of interest.
The second action area calls for agreements on data governance with international partners that respect human rights. The ICDPS calls for free data flows between countries, and outlines work that the US has already done to craft cross-border privacy rules with other countries. It also had a sideways dig at Europe: “The rise of a growing digital sovereignty narrative that has been embraced by some of our close partners and allies has the potential to undermine key digital economy and cybersecurity objectives,” it said.
Other focal points in this action area are the development of open, impartial standards. Here, the document takes an explicit swipe at China, which it says pushes a “top down approaches to standards development” and uses its economic influence to push support for its standards proposals. The State Department has a point, as China has been pushing its own internet standards at the ITU, and has been helping build infrastructure for authoritarian regimes using its own equipment.
The document also highlights the need to expand the participation of civil participation in technology decisions, the promotion of civil rights online, and the establishment of a rights-respecting cybercrime treaty. Its to-do list also covers the promotion of trustworthy AI and the fight against disinformation.
Holding Bad Actors Accountable
The third action area focuses on building consensus among state actors for responsible behavior in cyberspace. It specifically focuses on counting threats to critical infrastructure. Perhaps unsurprisingly, the document calls out Russia, China, North Korea and Iran as key agitators.
This pillar of activity includes hardening critical infrastructure to cyber-attacks by other states through international cooperation and isolating bad actors on the world stage. This includes reaffirming mutual defence treaties with other nations as they apply to cyberspace. Article Five of NATO’s Washington Treaty – which allows members to come to each others’ aid in the event of an attack – springs to mind here given ongoing tensions between Russia and alliance countries over Ukraine.
Curbing criminal activity – especially ransomware – gets its own section in the third pillar, resonating with the call for a cybercrime treaty in pillar two. The strategy calls out “some states” (they’re talking about you, Russia) that “use ransomware actors as proxies or turning a blind eye to their activities and the significant impact of their cyber-attacks on critical infrastructure”.
Interestingly, there’s also a dedicated section for spyware. In March, the US added six countries to an original 10 that signed a commitment from the White House to counter the proliferation of this attack tool category. Israel, home to the infamous NSO spyware group, is notably absent.
Finally, the fourth area of the strategy focuses on strengthening digital policy and cyber capacity internationally. In this area, the US vows to work with other states to help them bolster their cyber-resilience, including creating new tools and strong collaborative networks to help them face emerging challenges such as attacks on infrastructure.
A Private Sector Role?
What should the private sector take away from all this? The strategy specifically calls for a multi-stakeholder approach to its digital solidarity goals, which includes companies, not just governments. While these are high-level policy discussions with outcomes that will hopefully trickle down over time, companies that adhere to good digital governance practices – ranging from cybersecurity hygiene though to the responsible use of new technologies – will be moving in the same general direction as the strategy.
It’s a sticky problem, this international cyber-diplomacy business. At this level, the US is playing in a field where there are precious few laws and where intelligence agencies often work behind closed doors, saying one thing and doing another.
On the one hand, the US must move to exert the same kind of influence over global policy in cyberspace that it has done in the physical world for so long, especially as the digital realm has become a critical theater for covert warfare of all kinds; infrastructural, economic and informational.
This ambitious effort takes a lot of credibility and clout. Yet this is the same nation that digitally spied on its own citizens en masse, allegedly hacked foreign companies, bugged its own allies at the highest levels, and undermined encryption standards to introduce technical weaknesses. Among many other escapades.
And of course, in less than six months everything could once again change as the political coin in the US spins once more. If a new, infamously isolationist administration takes power, what then? In the heady world of global policy, nothing is certain and everything is up for grabs.
