Recently, Jack Goldsmith wrote at Lawfare what he termed a “contrarian” U.S. response to Russia's involvement in the U.S. presidential election. He holds that his prescribed negotiations with Russia are contrarian because he assumes those negotiations whereby “...the United States agrees to restrain itself...in exchange for restraint from our adversaries…” would inherently constitute a weakening of America’s strategic posture. Goldsmith’s prescription is correct, but by thinking in legalistic—instead of grand strategic—terms, he mistakes calculated aggression for weak appeasement. In reality, American negotiations to normalize cyber-war would be one of the best maneuvers the U.S. could make against a revisionist Russia.
Goldsmith proposes an admittedly simplified set of policy prescriptions. He writes, “...when a nation is vulnerable to a foreign threat it has three courses of action to improve its situation: (1) It can raise its defenses; (2) it can credibly threaten greater consequences for the attacker, thereby deterring the attacker from action; or (3) it can cut a deal in which it pledges to forego certain actions in exchange for relief from the threat by the adversary.” He then argues, “...the U.S. government focuses too much on (1) and (2) and not enough on (3).”
Goldsmith never explains why he feels option 3 is so subversive except to state that he fears accusations of “Russophilia,” but it probably stems from the reasonable fear that people will assume that negotiations and concessions are a natural weakening of American strength. If we logically assume that within the U.S.’ option set there must be at least one retrenching policy, and since options 1 and 2 are clearly combative, option 3 must be acquiescent. It is not necessarily so in International Relations.
When faced with a rising power, states essentially have two options: balancing (resisting the rising power), and bandwagoning (accepting the rising power, or even helping it). Balancing comes in two forms: internal and external. Internal balancing means strengthening oneself in order to pursue or resist deterrence or coercion. In other words, one builds one’s own military or government capacity. By building internal capacity, one hopes to be able to either deter other states from doing something, or resist their attempts to coerce you into doing something. In this case we are concerned with deterring Russian intervention.
Deterrence can be broken into two categories: deterrence by denial and deterrence by punishment. Deterrence by denial makes a course of action so unlikely to succeed that a state will not pursue it. Deterring an invasion through denial means having a military so strong that either 1) the invasion would surely fail, or 2) it would ruin the invader even in unlikely victory. Deterrence by denial in cyber-security is Goldsmith's option 1.
Deterrence by punishment occurs by threatening to inflict pain in response to a course of action. The pain need not result from the exact action the state is attempting to deter. Threats of retaliatory strikes and sanctions are a form of deterrence by punishment. Goldsmith's option 2 is an example of deterrence by punishment.
It is only when we move over to external balancing as an option that we see where Goldsmith goes right. When a state cannot deter a threat alone, it often seeks allies. “Seeking allies” is called external balancing.
External balancing is not ideal for a variety of reasons. For powerful countries—or countries for whom the threat is more immediate—there is the risk other countries will let them pay the costs for deterring the aggressive state (or pass the buck). Donald Trump is accusing some members of NATO of this right now.
It is not a given that all states would want to work with the status quo power to balance against the revisionist power, even for states that prefer the status quo. After all, in most cases the status quo power and the revisionist power both greatly overpower the other states in the system. In the case with Russia and the U.S., while most European powers prefer the system the U.S. has in place, they fear America’s power almost as much as Russia’s and America has given them plenty of reason for that fear.
Currently all states have an unlimited license in the cyber-domain. There are no international agreements whatsoever governing "cyberwar." The only thing that states can hope to do is to catch individuals who are in violation of domestic laws and arrest them or try them if they happen into a jurisdiction which will extradite them. That is why the U.S. indicted Chinese officials rather than seeking redress in an International Organization or at the International Court of Justice.
As Goldsmith recognizes, the U.S. really likes this arrangement, because it gives it a free hand to operate as it sees fit in the cyber-domain. On the other hand, the limitless operating space makes cooperation with the U.S.—the most powerful state—fraught with risk. Since the current online domain is nearly a perfect example of war of “all against all,” other states have little incentive to aid the U.S. because every asset the U.S. is using to counter the Russians is an asset they are not using against other states. Supporting the U.S. under such a system only frees the U.S. to threaten more states online, or at least that is what rational states will fear.
Carving out the space for legitimate cyberwar will reduce the risk to potential allies of cooperating with the U.S. because it reins in U.S. power and begins to impose order on a chaotic system. First, as long as the U.S. credibly and consistently adheres to agreements it removes that type of threat from other states. For example, currently Sweden is likely concerned about both American and Russian breaches of their medical patient data, but if the U.S. consistently adheres to an agreement to not target that kind of data, Sweden can discount that concern somewhat in their strategic calculus. It focuses their concerns on the Russians.
Second, it changes American cybersecurity operations from being totally focused on American security into operations that are at least partially supportive of a system which benefits third parties. When a violation of treaty obligations occurs, the U.S. will move to support the treaty in a variety of ways, and third parties have an interest in the U.S. succeeding in that effort, will not want the U.S. to be distracted from it, and may even respond themselves. In the case of Sweden above, should Russia be caught stealing patient data in Austria, Sweden will not want the U.S. to be distracted from its response, and if the U.S. is incapable of responding at that time, it is in Sweden’s best interest to aid Austria because neither Sweden nor Austria wants the treaty to lose value, collapse and renew concerns about American behavior.
In this way we would hope that these treaties would operate like the various treaties on the Law of the Sea. Until the 19th century, piratical predation and slave trafficking were common and accepted practices. Then the U.S. and Great Britain, joined bit-by-bit by other states, scoped those behaviors as illegal for states to engage in. Such limitations notably did not end warfare at sea, nor slavery on land, meaning that warfighting navies still had an important role to play, but they did make such behavior illegitimate. Some countries attempted to buck the developing law, but were unsuccessful because not only did Great Britain and the U.S. become invested in the free navigation of the seas, but other countries contributed as they could, ultimately resulting in German disregard of the rules of naval warfare being regarded as a casus belli in the 20th century.
One might reasonably wonder why Russia would sign such an agreement. After all, Russia has had great success with its digital incursions, and is unlikely to want to abandon that ability, but Russia may have no strategically viable alternatives to negotiating such an agreement. If the U.S. and most other countries do negotiate a normative boundary of cyberwarfare, as long as there is a substantial area for digital operations, and Russia does not join, several outcomes are likely. First, Russia has implicitly self-identified as a country which intends to violate any normative constraints, drawing the attention and ire of compliant states. Secondly, it leaves its own similar vulnerabilities uncovered, and has tacitly approved targeting of those vulnerabilities by states, greatly increasing its risk profile. Finally, it denies itself a seat at the table of those negotiations, meaning that any agreement that results will not necessarily reflect Russian concerns. Ultimately, while a negotiated normalization of cyberwarfare will hamper Russia, not participating or complying with such negotiations could be crippling. For Russia, consenting to such an agreement might be quite like the Japanese accession to the Washington Naval Treaty, where they were juridically limited to second-class naval status, but signing the accord was preferable to the alternatives.
For this “negotiated aggression” to succeed, it must meet several conditions. First, the most aggressive states must find it preferable to non-participation in the treaty and all of the consequences described above. As Goldsmith rightly notes there is a lot of wishful thinking surrounding norms, which amounts to the unserious notion that normative opprobrium from the international community could constrain Russia to behave as the U.S. would like, even in the absence of consensus or enforcement and though the desired constraints would compromise Russian security—at least as Putin sees it. The negotiated solution must allow enough operating space for Russia that it is not giving up vital interests even as it compromises in other areas. If it does not, Russia will neither sign nor comply, and some third parties will likely be sympathetic to that decision, as they will rightly perceive the treaty as overly hostile to Russian, and potentially their own, national interest.
Second, it must be an agreement that the U.S. will adhere to. The reformation of international incentives hinges completely on the U.S. changing its behavior. As with Russia, the U.S. has substantial cyber-capability, and it does—and will continue to—want to leverage that cyber-capability in service of the national interest. If terms are included in the negotiations that the U.S. will eventually defect from, that treaty comes stamped with an expiration date no longer than the time American national interests override willingness to adhere to the treaty.
Finally, it must contain only agreements that the U.S. can credibly signal to other countries that it will adhere to. Signaling can take many forms, and need not all occur at once, but if the U.S. cannot convince third parties that it will actually abide by the negotiation, then third parties will not change their calculations, and any external balancing advantage will not accrue. Interestingly enough, this strongly implies that a more limited treaty is more likely to succeed in generating external balancing than an expansive one because of constraints created by U.S. interests.
Once we understand the strategic context of America's options for Grand Strategy in cyberspace, we can see that Goldsmith's general prescription is exactly right, and he is less contrarian than he knows. Goldsmith argues that we should negotiate a solution with Russia, which he fears places him in the “Russophile” category, because it would necessarily make concessions to Russia. In this case, however, limiting the digital battlespace in a way that constrains both the U.S. and Russia would be a powerful mechanism to rally allies to prevent further disruption in the digital domain. It is a testament to Jack Goldsmith's grand strategic instinct that he happened upon the best possible strategy to advance U.S. power, despite thinking he was ceding ground.
Nonetheless, it is important to reintroduce many of the well understood concepts of strategy to the cyber-security debate precisely because it adds clarity to an otherwise murky topic. While it is good to come to the right answer, it is also important that we understand the strategic relationships of different behaviors so that we can consistently prescribe proper policy. Understanding why negotiations are a good idea today will better help us determine if they are a good idea tomorrow, and hopefully forestall deleterious decisions based upon improper analogs.
David Benson is a Professor of Strategy and Security Studies at the School of Advanced Air and Space Studies (SAASS), part of Air University in Montgomery, AL. His area of focus includes online politics and international relations. David also publishes a newsletter, the OSIRIS Codex, summarizing each week's cybersecurity events from a strategic perspective.
Header Image: Defining norms for cyberwar. (Ars Technica)