In this Edition:
Change Edition

The Normative Bait and Switch

How Russia’s electoral hacking might push forward its agenda for the internet.

Photo: United Nations Photo / CC2.0

Earlier this month, Admiral Michael Rogers, the Director of the National Security Agency, called the systematic leaks and spread of disinformation during the U.S. election season a “conscious effort by a nation-state to attempt to achieve a specific effect.” Later in the same conversation, he highlighted United States efforts to engage with nation-states around the world with regard to “what’s acceptable from our perspective, and what is not.” The process he’s referring to in the latter statement is a series of ongoing conversations that have played out over the past several years attempting to negotiate and normalize a set of norms that help govern and guide state behavior in cyberspace.

Those two threads—electoral hacking and wonkier treaty negotiations—are now on an unexpected collision course. And Russia looks likely to be the beneficiary if the U.S. doesn’t rethink its strategies.

Russia and, to a certain extent, China have a very different picture of what is and is not acceptable use of cyberspace than the United States—a difference of opinion reflected in everything from their use of language around the issues, to the tactics they have chosen to take with regards to the construction of an international governance regime. They have privileged a notion of information security, holding that they should be able to control the kinds of information that move through the internet in their territories. Meanwhile, for the last several years, the United States and other liberal democracies have pursued a cybersecurity governance regime underpinned predominantly by a series of international norms focused primarily on ensuring the free flow of information and protecting critical infrastructure sectors from cyber attacks.

The west has worked hard to differentiate its cybersecurity values from the Russian and Chinese notion of information security. While both sides agree on issues such as the protection of critical infrastructure systems during peacetime, they disagree on the treatment of information. Russia and China have adopted stances that suggest resisting threats to political stability online—like protests and attempts to expose political corruption—is just as important as protecting the power grid. In essence, Russia and China want sovereign control over both their cyberspace (the physical infrastructure that underpins and relies on the internet) and their information space (the content that traverses that infrastructure).

In 2009, Russia, China, and a group of like minded states began work on a proposal for a broad international treaty on information security. In their view, the set of norms that governed state behavior before the rise of the internet did not translate to state behavior in an internet age. In a 2011 letter to the United Nations General Assembly outlining a proposal for an “International Code of Conduct for Information Security,” the Russian coalition proposed a codification of this concept, stipulating that states subscribing to the code pledge to “not use information and communications technologies and other information and communications networks to interfere with the internal affairs of other states or with the aim of undermining their political, economic and social stability.” In parallel, Russia and others have pushed to further solidify this and other proposed norms in treaty form. In short, the Russian approach advocated that a new digital age required new norms.

By contrast, the U.S. and other liberal democracies have held that older norms and laws, many of which predate the internet, dictate the acceptable behavior of states in cyberspace. Among other things, they’ve argued that we don’t need to formally codify rules for non-interference online.

It may be time for the west to consider a change of tack. Refusing to engage or ignoring portions of Moscow’s and Beijing’s agendas, because we find their beliefs and approaches wrong or incorrect, left the United States without normative or international legal cover when faced with the challenge of Moscow’s information operation. This is not to say that the United States and other like-minded countries should adopt policies of appeasement. Instead, it is time for the United States to consider using initiatives outside of broad, multilateral diplomatic talks to begin to shape the behavior of states whose actions they find disagreeable. This could mean a wide range of activities from engaging more directly with Russia and China in bilateral and trilateral talks to stepping up transnational law enforcement efforts and levying sanctions on key individuals.

To understand what’s going on here, we need a clearer sense of what we’re talking about when we talk about international norms. As Carnegie Endowment scholar, Tim Maurer put it to me in a recent conversation, there are really two types of norms:

The first type is what he calls “actual norms”—the norms that describe the predictable (or normative) behavior of states—which is to say, how they’re likely to act in actual circumstances. For example, although it’s not expressly prohibited by any international law, a norm against the use of nuclear weapons in war appears to have emerged and taken hold.

The second type of norms are “aspirational.” These rules of the road are what Admiral Rogers is referring to when he says the U.S. is engaging nation-states around the world. They describe the behaviors that the U.S. and many of its partners would like to see standardized, but that aren’t universally accepted yet.

So what does all this have to do with Russia interfering with America’s democratic process, you ask? Among the norms that the west argues apply both online and off is the expectation of non-interference in the domestic affairs of other states—the concept that underpins sovereignty. Whether or not this is an actual norm or an aspirational one remains up for debate, though I’d argue that anecdotal data suggests it is not actually a norm, as the behavior of several prominent nation-states does not comport with it. To put it bluntly, the U.S., Russia, and others have a long track record of attempting to manipulate other countries’ domestic affairs—from electioneering to economic warfare.

Given that Russia has publicly called for non-interference, or at least increased sovereignty over their information space, its westward expansion arguably comes as a surprise. Ironically, though, the success of its operations during the election may actually support its earlier attempt to normalize a non-interference code of conduct.

Many in the west suggest that Russia’s push for sovereignty is an attempt to stifle free speech. Thus, the in order for such a proposal to succeed, Russia would need to create a world in which most great powers, agree that the norm’s positive qualities outweigh those risks. To create this level of international political capital, they would need to make it difficult for the United States to argue against institutionally solidifying non-interference. By messing with the U.S. electoral process, they may have done just that. Although the Russian influence operation was probably not carried to create this bargaining chip for Russian diplomats, Moscow did manage to create the favorable conditions.

So now what? Some circles have advocated for the U.S. to hit back at the Russian state that exerted influence on our election. Escalation, in this context seems foolhardy—especially if the counterpunch were to emulate Russia’s initial haymaker. Russian society and media simply do not have the same holes to exploit that liberal democracies in the west do. The Kremlin’s ability to control information and shape public opinion—a direct product of Putin’s system—would dampen the impact of any attempt to turn Russian hacking back on Russia.

Others have called for a revamp of Cold War-style deterrence around constructed normative behaviors—essentially a continuation of the policy the U.S. has pursued for the last decade. This seems to be a more measured response with a lower probability for escalation, but the unfortunate reality is that the U.S.’ approach to building these aspirational norms has not been working. It is time for the U.S. to adapt its approach to the present reality. In complement to the drawn-out conversations around norms, the U.S. must recommit to policies that more actively shape state behavior.

The U.S. and their partners have a clear idea of the actions that they find ideal. However, if the U.S. and its partners are truly committed to normative governance structure for cyberspace, they must change their approach. Instead of focusing all of their energy on crafting language for norms that all states find agreeable, the time has come to start investing in initiatives that will begin to shape the behavior of those who would be less prone to follow them. This can be done either retroactively by imposing costs on willing defectors or proactively by taking measures that constrain the capability of states and non-state actors that would willingly break them.

Further reading:


Robert Morgus is a policy analyst with New America’s Cybersecurity Initiative, where he researches and writes at the intersection of cybersecurity and international affairs.