Response to “Responsible Cyber Offense” by Peri Adams et. al. in Lawfare

In 1972, when a Republican US President flew halfway around the world to establish relations with a Communist, both leaders openly recognized the irony of the moment. In the subsequent Shanghai Communique, President Nixon and Chairman Mao began by honestly outlining areas of inflexible disagreement between the two nations. The Communique then focused intently on opportunities for mutual cooperation, an approach that led to a more contained Soviet Union and a predictable relationship with China for nearly half a century. Finding opportunities for diplomatic agreement in cyberspace will require a similarly self-aware commitment to the art of the possible.

In their Lawfare article “Responsible Cyber Offense,” Peri Adams et. al. recognize that, given the ubiquity of state-sponsored cyber espionage, cyber diplomacy will require “a certain hardheadedness and even cynicism.” Akin to the Shanghai Communique, the article recommends recognizing the hypocrisy of an effort to limit cyber conflict and then focusing on areas of mutual interest. Specifically, the article proposes “drawing lines between responsible and irresponsible operations in cyberspace.” It will be difficult to foster this level of honest dialogue among cyber-capable nations for whom deniability is a default setting. However, history demonstrates that diplomacy, when transparent and mutually beneficial, can penetrate such barriers. Therefore, as a theoretical exercise in the practice of cyber diplomacy as realpolitik, the article’s strategy is reasonable, as it approaches the topic honestly and provides a logical foundation for a discussion of mutually beneficial norms.

The article’s overarching diplomatic framework is sound. However, the authors’ specific recommendations may not be implementable as they are currently written. The article details six opportunities for multilateral agreement that, if agreed to, would certainly lead to more stable and predictable operations in cyberspace, even while accepting the reality of ongoing cyber espionage. The article’s six proposals are:

• Test Tools Before Use

• Avoid Indiscriminate Targeting

• Prohibit Targets Throughout the Operational Life Cycle

• Constrain Automation

• Prevent Criminal and Third-Party Access to Backdoors

• Responsible Operational Design, Engineering and Oversight

When seeking opportunities for broad international cyber agreement, it helps to be specific. The authors recognize that if norms are too broad, they can be “technically ambiguous and impossible to enforce.” The article’s recommendations are appropriately specific. Therefore, the authors’ vision, if implemented, would significantly improve the global stability of cyberspace. However, most of the article’s recommendations are likely not achievable.

An agreement to “test tools before use” is the most realistic recommendation. Testing is already a critical step in the design and implementation of malware. Even among nations with vastly different geopolitical goals, an agreement to test malware for security and stability before deployment is reasonable. Similarly, agreement regarding “responsible operational design, engineering, and oversight” may also be achievable, with the caveat that countries, such as Russia, that operate cyber capabilities in a decentralized manner will struggle to implement strong oversight. These two opportunities for cooperation exist because rigorous testing and responsible design deliver benefits without constraining the cyber capabilities of nations. However, the remaining recommendations do not meet this standard and fail to account for the priorities of relevant nation-state cyber actors.

The key shortcoming of the article’s recommendations is the western perspective from which they are crafted. The authors assert that nation-states have “no good reason to resist” their proposed rules of the road. From the perspective of the US and its allies, nations that rely on offensive cyber operations primarily as a precision tool for espionage and clandestine influence, there is indeed no reason to resist. But some cyber capable adversaries have reasons to resist. For example, when Russia launched the NotPetya cyberattack in 2017, the malware employed both “automation” and “indiscriminate targeting,” two practices that the article recommends banning. It is likely that the Kremlin views NotPetya as a highly successful operation. Therefore, it would be difficult to convince Moscow to forgo the use of such tools in the future. In addition, the article recognizes that Russia may be unwilling to “prevent criminal and third-party access to backdoors” due to its support of private domestic hacking groups. North Korea offers an even more striking example of this effect, given the government’s direct perpetration of ransomware attacks to help keep the lights on in Pyongyang. It is unlikely that these governments would commit to eliminating irresponsible cyber activities as defined in the Lawfare article, and any international cyber agreement that does not include Russia or North Korea would be largely symbolic.

To address the obvious diplomatic impasse, the article suggests that, even in the absence of an agreement, the US should publicly articulate what it “considers to be an irresponsible activity… [in order to] gain international political leverage.” This recommendation is out of step with the authors’ goals. Although clarifying its singular position publicly may carry some domestic political benefits, a soapbox declaration from the US would do little to sway the views of adversaries overseas, and may even harden opposition. If the goal of the article’s strategy is meaningful multilateral agreement on responsible cyber activities, the US would be wise to focus on the negotiating table rather than the bully pulpit.

The “Responsible Cyber Offense” Lawfare article provides a helpful starting point with several recommendations that are worthy of further exploration. By drawing a dividing line between responsible and irresponsible cyber activities, the authors offer a reasonable diplomatic approach. However, in their specific recommendations, the authors do not adequately account for the starkly different geopolitical priorities that exist in the capitals of key nation-state cyber actors. Although it is unlikely that the article can stimulate international agreement as written, the authors articulate a valid framework that can help build towards a more predictable long-term operating rhythm in cyberspace.