Chapter 6: Strengthen Norms & Non-Military Tools

Layered cyber deterrence includes shaping the behavior of cyber actors through strengthened norms, which are collective expectations for the proper behavior of actors with a given identity. Although they already exist in cyberspace, they can be bolstered by building on the US’s network of international allies and partners.

While unilateral activity can provide the greatest short-term flexibility, norms-based multilateral engagement provides a more effective means to reduce the likelihood and effectiveness of cyberattacks for three reasons:

1. Norms change an adversary’s calculus: when malicious actors know that rule breaking will be met with a global community of allies and partners, they anticipate that bad behavior will be punished.
2. A system of norms enforced by multiple actors is a relatively cost-effective means of bringing greater stability to cyberspace because it reduces the burden on any one nation to reinforce the system of norms.
3. Once a pattern of behavior is set, it is difficult to dislodge, therefore the US and its allies would benefit from being the first to establish the norms agenda.

STRATEGIC OBJECTIVE: EXPAND EFFORTS THROUGH INTERNATIONAL ENGAGEMENT TO STRENGTHEN AND REINFORCE NORMS IN CYBERSPACE
After creating a broad like-minded community of allies and partners to maintain and reinforce norms that depict a favorable cyber landscape, the US must align this framework with its own interests and values.

Key Recommendation: Congress should create and adequately resource, within the US Department of State, the Bureau of Cyberspace Security and Emerging Technologies (CSET), led by an Assistant Secretary of State.
While there are already norms in cyberspace, they are not universally adhered to, thus eroding their effectiveness. Responses to bad behaviors are more effective when carried out by multiple governments working in concert. The US government has already begun to work on a force of like-minded partners, but these efforts should be adequately resourced to expand to the largest scale possible. In addition to the CSET guiding the formation of allies, the bureau should be responsible for a range of mission sets required to implement layered cyber deterrence.

Enabling Recommendations:
Strengthen Norms of Responsible State Behavior in Cyberspace

• Led by CSET, the US government should take a sector-by-sector approach to norms implementation, discuss norms at head-of-state level, and engage in both inclusive and exclusive forums.

Engage Actively and Effectively in Forums Setting International Information and Communications Technology (ICT) Standards

• US values, interests, and security are strengthened when ICT standards are developed and set with active American participation, but compared to adversaries, the US isn’t participating as much as they should, creating a notable disadvantage.
• Congress should empower and resource the National Institute of Standards and Technology (NIST) to facilitate robust and integrated US participation from the federal government, academia, professional societies, and the industry in forums setting ICT standards.

Improve Cyber Capacity Building and Consolidate the Funding of Cyber Foreign Assistance

• The US government should facilitate additional partnerships with foreign law enforcement agencies and better incorporate interagency investigative teams within the overall US strategic approach.
• Additionally, a new funding line in the State, Foreign Operations, and Related Programs (SFOPS) appropriations legislation should be created specifically dedicated to building cyber capacity.

Improve International Tools for Law Enforcement Activities in Cyberspace

• Law enforcement tools (i.e. criminal indictments and international extraditions) aid in layered cyber deterrence by signaling the difference between responsible and unacceptable behavior in cyberspace, thus reinforcing norms.

Leverage Sanctions and Trade Enforcement Actions

• The US should join the international community in strengthening its dedication to using economic sanctions, when possible and appropriate, against those who conduct cyberattacks on the US electoral process and infrastructure.

Improve Attribution Analysis and the Attribution-Decision Rubric

• Accurate and timely attribution of a cyber incident enables US leaders to make the most informed decisions to protect the country through considerations of appropriate response actions in order to enforce norms of accountability in cyberspace.
• The National Security Council and the NCD should develop an attribution-decision rubric, which will be used to clarify available responses that should be made based on attribution at some minimally required level of confidence. Even when a cyber incident lacks high-confidence attribution, the rubric will enable the US government to reduce vulnerabilities and take appropriate actions by matching attribution levels to deliverable non-military instruments of state power.

Reinvigorate Efforts to Develop Cyber Confidence-Building Measures (CBMs)

• Cyber CBMs are non binding, cooperative arrangements and actions that reassure allies, signal adversaries, and demonstrate intent. They can and should be implemented in tandem with the updated National Cyber Strategy. Over time, CBMs can be used as a foundation for the future development of arms control regimes, as well as help bolster the development of norms.