Published by The Lawfare Institute
in Cooperation With
I believe the recent disclosures of a large portion of our intelligence and military operational history may provide us with opportunity to engage both the American public and our international partners in discussion of the balance of offense and defense, the nature of cyber warfare, norms of accepted and unacceptable behavior in cyberspace, and so forth (my emphasis).

This seems to refer to the Snowden disclosures, but it’s not clear what he has in mind with regard to norms. The U.S. government talks a lot about norms as part of its overall cyber strategy, but with few exceptions (like the Koh remarks) it hasn’t been forthcoming about what norms it wants to advance. Maybe this is because it prefers to work this very quietly through private diplomacy, but I suspect that it’s at least partly because the U.S. government hasn’t yet decided what rules it wants with regard to, for example, penetrating other states’ networks or distinguishing legitimate from illegitimate targets. The Snowden disclosures could prompt more open and specific international legal discussion about offensive and defensive cyber practices, and they could prompt the U.S. government to clarify its legal positions or decide which ones are worth defending vigorously. This has occurred to some extent with respect to revealed surveillance of individuals and the public (at home and abroad), but we don’t yet know much about what might yet be revealed about cyber-attacks.

It’s especially interesting that Admiral Rogers talks about Snowden revelations and their impact on norm development in positive, optimistic terms, because the general mood so far has been that the disclosures are damaging to American efforts on cyber norms. For example, disclosures of major U.S. internet surveillance programs, including penetration of the internet backbone, undermine the credibility of American commitment to protecting an open, global web. Disclosures of U.S. government spying on foreign companies like Brazil’s Petrobras have clouded American efforts to distinguish “legitimate” espionage from illegitimate commercial espionage. But Rogers talks about all this as an “opportunity” to advance the U.S. agenda on norms. He may be right, but it will require a concerted, proactive campaign rather than scrambling to respond to specific leaks.

As a related aside, secrecy of capabilities complicates deterrence (see Dr. Strangelove). Admiral Rogers also suggests in his written answers that the Snowden disclosures might inadvertently contribute to American deterrence of cyber-attacks by revealing U.S. defensive and retaliatory capabilities in this area. In fact, his brief allusion to international norms comes in his answer to a question about how to strengthen deterrence.