Home / Blogs

Pen Testing the US Cyber Strategy

If it’s not an era of intense faith in the multilateral system, somewhere among the Trump Administration’s anonymous adults in the room there is a believer, and the Internet might be the better for it. Evidence for the existence of this fifth columnist lies in the US National Cyber Strategy, launched last month under the commander-in-chief’s unprepossessing signature, which looks to provide security for America’s connected economy. No matter that the strategy begins with the assertion that the United States is “the world’s lone superpower,” a status it links to “the rise of the Internet,” because where it stumbles over little vanities its intentions are appropriately ambitious. The risks to its success lie in the places it chooses to execute, and here the Administration may be its own worst enemy.

Hadrian Caesar & Brad Smith

Under some comforting old headings such as Peace Through Strength and the American Way of Life, the strategy starts with a plan to improve the security and readiness of the federal government. It enlists the work of appropriate US entities and the Intelligence Community, seeks to promote national investment in cybersecurity, and promotes a modernized legal framework as a deterrent. But the US is not a cyber island, and what starts to come through is the (unexpected) extent to which the strategy will see the US lean on the United Nations and other multilateral forums for action. It names various institutions and frameworks as being integral to the strategy’s success: the United Nations, the Internet Governance Forum, the International Telecommunication Union, the Budapest Convention, the UN Convention Against Transnational Organized Crime and the G7’s 24/7 Network Points of Contact. It goes on to call for something that sounds a lot like Microsoft’s Digital Geneva Convention: “a framework of responsible state behavior in cyberspace built upon international law,” but then seems to lose heart later in the same sentence, downgrading the call to a mere “adherence to voluntary non-binding norms of responsible state behaviour that apply during peacetime.” If it is equivocal here and there, this is nonetheless a strategy that promises to be meted out in crowds of representatives from organizations and governments with highly divergent views.

Losers Walk

The Strategy may set itself up to fail, therefore, in two ways: first by its inability to see that America’s competitors in cyber security matters can be partners also. Second, it fails to explain how the multilateralism that underpins its success is going to be managed.

The first failure is a predictable product of the Trump Administration’s zero-sum-winners-and-losers bluster about the international environment, which doesn’t recognize that losers may take their time to ebb away but can still be useful partners in their decline, or that who loses is not always obvious (it might sometimes be the US). The second failure is less to do with the strategy itself than with its reliance on a well-ordered international system. If there is to be anything like a “framework for responsible state behavior” or “universal adherence to cyber norms” still less an “international Cyber Deterrence Initiative [sic]” it will need to be developed in the forums that provide vehicles for such all-encompassing solutions. It is one thing to try and “ensure that [the US] approach to an open Internet is the international standard,” it’s quite another thing to get broad and consistent buy-in to that international standard. The latter requires negotiation.

Winners Talk

The Trump Administration’s now-familiar approach to bilateral engagement—howling about the brokenness of a thing, threatening to abandon it unilaterally, and then moving back from the edge—is not one that translates well into the multilstakeholder environment that governs the Internet (in large part by US design). There, control of the debate does not remain with the one who howls loudest or threatens exit, but shifts instead towards agglomerations of stakeholders with economic influence, citizen-consumers, engineering prowess, and concrete proposals around which a consensus can be built. If those tasked with delivering on the US Cyber Strategy can engage with entities of all stripes, even those perceived as marginally villainous by the Trump Administration, it has a good chance. If those tasked with its delivery concoct initiatives and ask others to sign up without any space for compromise—on vulnerability standards, indemnification, information sharing—chances for success become much smaller. Either way, the challenge to America’s interlocutors will be to engage or to leave the US to negotiate high standards with itself while enduring structures of international cyber interaction are designed, discussed, and solemnly agreed elsewhere.

By Gregory Francis, Managing Director at Access Partnership

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byDNIB.com

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign


Sponsored byVerisign