Militarizing the Internet?

How can the United States protect itself in cyberspace without provoking international fears?

Following a recent speech, Chairman of the Joint Chiefs of Staff General Martin Dempsey dismissed concerns about the U.S. militarization of cyberspace. “We have a Navy, but we are not being accused of militarizing the ocean,” he said. As the world reflects on and responds to the actions of former National Security Agency contractor Edward Snowden, and as the investigation of possible leaks by former Joint Chiefs vice chairman General James Cartwright unfolds, it is difficult to avoid wondering if General Dempsey’s answer is the best the administration can muster. An increasing number of adversaries and even allies are coming to believe that the United States is militarizing cyberspace—and that impression of hubris and irresponsibility is beginning to have a real-world impact.

So what needs to be done? New thinking is required, in at least three ways: First, the administration needs to acknowledge that this is a problem. Second, a more holistic approach is required when making national-security decisions that affect the internet. Third, the government needs to learn to respond to these types of leaks in a way that does not make the situation worse.

Acknowledging the Problem

The Snowden leaks have brought Stuxnet, the U.S.-Israeli program allegedly used to attack Iranian computer systems, back into public debate—and reminded us that the real damage of the Snowden revelations will be international. President Obama looks set to weather the domestic storm, and after a round of outrage—some real, some feigned—the diplomatic fallout from the various spying allegations will eventually subside. Susan Rice, the new national-security adviser, might have been a little optimistic when she said, “I don’t think the diplomatic consequences, at least in the foreseeable future, are that significant.” She will have some difficult conversations with European leaders, annoyed at the reigniting of previous domestic controversies about the privacy implications of U.S. counterterrorism policy. But other priorities, including the economy, will ensure that U.S.-European relations remain firm. So it is difficult to imagine she will lose much sleep over Chinese complaints on the subject of cyber espionage.

Yet the perception that the United States has become a danger to the global internet is a cause for concern. In their understandable anger at the considerable damage Snowden has done (in the near term at the very least) to the operations of NSA and their allies, U.S. security officials should not lose sight of this fact. Snowden’s claims build on the Stuxnet revelations. In doing so, they reinforce an impression of overbearing U.S. cyberpower (military and commercial) being used irresponsibly. That is strikingly at odds with the U.S. self-image as a standard bearer of internet freedom and “borderless” exchange, but it is a view that resonates around the world.

At the most basic level, that sense of double standards legitimizes bad behavior directed back at the United States. Many in the U.S. private sector believe that the distributed denial of service attacks that they are suffering from Iranian-backed groups are a response to Stuxnet. So you can imagine how little sympathy such attacks elicit in parts of the world where there are already high levels of anti-U.S. sentiment. More practically, Stuxnet demonstrated the ways in which critical infrastructure can be attacked and removed any taboo that existed that might have prevented it. Not surprisingly, many researchers fear that it is only a matter of time before this country suffers a taste of its own medicine.

But a more subtle and damaging effect relates to how the internet operates. The United States and its allies are currently engaged in a low-profile but highly consequential tussle for the future of the internet. Although out of day-to-day public view, this matters, as the internet now underpins the global economy. While it is self-evident to us that minimizing government involvement is precisely what ensures the success of the internet, it is equally clear to authoritarian states like Russia and China that the internet (including the content it carries) must to be controlled. This latter view is exemplified by the desire of Russia, China and others to see the International Telecommunications Union, an adopted member of the United Nations family, expand its role into setting international rules for the internet.

Despite alarmist concerns to the contrary, there is no practical way in which the United Nations (or any other organization) could “take over” the internet. But if the United States starts to be seen as a danger to others, new barriers will emerge and everyone will lose.

It is probably now unrealistic to expect the most authoritarian states to buy into the current manifestation of the so-called “multistakeholder” governance model. That is especially true for weaker states who believe they have reason to fear Washington or its allies (think the Middle East), but the fact that emerging powers like India and Brazil still flirt with a more statist approach to internet governance is a worrying portent of trouble ahead. Such positions cannot be blamed solely on Stuxnet and Snowden’s disclosures, but they certainly don’t help. Likewise, involvement of U.S. brands Google, Facebook, Microsoft and others in spying operations only plays to the paranoia of those who see such firms—Washington’s true cyber power—as extensions of the American state.

Balancing Cyber Reward and Internet Risk