On January 8, 2020, New Center Policy Analyst Laurin Schwab interviewed William Carter, former Deputy Director and Fellow of the Technology Policy Program at the Center for Strategic and International Studies (CSIS), on the role of the U.S. in cyber norm-setting internationally. Mr. Carter previously worked as a quantitative economist in the financial industry in the fields of technology, telecommunications, international relations, and political risk before returning to the policy world as a lead researcher at CSIS. In his role there, he focuses on both domestic cybersecurity and global cyberspace and covers topics such as artificial intelligence, surveillance and privacy, cyber deterrence, cybersecurity in the financial sector, and encryption. 

LS: You mentioned in your testimony before the Senate Judiciary Subcommittee on Crime and Terrorism that you think the U.S. should play a leading role in defining cybercrime in international law. How do you think the U.S. should best play that role? 

WC: It’s tricky in the current environment, and I think one thing that makes it difficult for the U.S. to play this role in shaping the cyber landscape, and a reason it’s important for us to do so, is that the U.S. is one of the main operators in cyberspace. We define not only through our words, but also through our actions what is and isn’t okay for nation states to do in cyberspace, and how we operate and what the values are that define how countries operate in cyberspace. It gets a little bit complicated when you factor in the fact that we have to walk this fine line of separating things that we want to denormalize as general practice in cyberspace from things that we don’t want countries to do to us. There are things that we do to other countries and that we accept as nation-state behavior, such as espionage, but that doesn’t mean we necessarily have to accept them being done to us or that we can’t impose consequences on adversaries that do them to us. So I think that’s one of the really difficult cleavages, but we can’t cede this space, and I think that’s really important in the current environment. Other countries, particularly some of our adversaries like Russia and China, want to define these norms in cyberspace, and I think it’s really dangerous to let them do that.

LS: In 2018, there was tension between the U.S., Russia, and China surrounding the Paris Call. Do you think it’s a binary choice, internationally speaking, between a free American internet and a restricted Chinese one?

WC: The fact that people believe it to be binary is certainly one of the challenges. I don’t think it is binary at the end of the day. For one thing, these issues are way too complicated. For another, we tend to demonize the Russian and Chinese conception of the internet to a greater extent than is warranted. At the end of the day, the Russian and the Chinese are not some devious mastermind trying to build an evil internet. They subscribe to a vision of a controlled internet that we often fail to recognize is often the preference of much of the world. 

The idea of a completely free and open internet is attractive to the U.S., but that’s partly because we are accustomed to a lifestyle in which we don’t face the prospect of large scale violence, we don’t face the prospect of political instability, we have a well-established democracy, a strong economy that’s very competitive, and all of that influences the way that we perceive the internet. One of the reasons why the Chinese internet model has gained so much traction, particularly in the developing world, is because for countries that don’t have a lot of our advantages, a more controlled internet and information space has a lot of appeal. It offers stability and control, which is something that both governments and populations in a lot of those countries are looking for.

LS: How do you balance the idea of countries needing more internet control for stability with serious internet and AI repression surrounding, for example, the Chinese government’s repression of Muslims?

WC: It’s a big problem. What you really need to do is start thinking not in binary terms about the free internet and the evil Chinese internet, but instead think: what are appropriate governance mechanisms for cyberspace that can prevent malicious behavior but also enable the kinds of protections a lot of countries are looking for right now? The other thing we need to do is better define what we will and will not accept in terms of state behavior in cyberspace and ensure that what we say is consistent with the way that we behave, and that we can message why we take certain actions in cyberspace that may at first flush appear to be inconsistent with the values that we are espousing in cyberspace.

LS: Do you think it’s possible for the U.S. to set strict standards internationally but also have a bit of a double standard in terms of its own actions, like cyber espionage?

WC: It’s certainly possible. I think one of our biggest failings across the board is very weak messaging internationally. Explaining the difference between a behavior that we do not think is a legitimate behavior for states in cyberspace at all and behavior that we accept is part of international affairs but we will not allow to be done against us with impunity—that’s not inconsistent. In war, you accept that your adversary is going to shoot at you, but that doesn’t mean that you don’t try to shoot back. You can still have things like the Geneva Convention defining what is and is not appropriate behavior for nation states at war. That’s the type of thinking we need to get to—it’s a much more nuanced conversation, and one in which we can better define what is behavior that we want to completely delegitimize and denormalize, and what is behavior that is an accepted part of the international game, but not behavior we’re willing to have used against us with impunity.

LS: What form should that norm-setting take? An international treaty?

WC: It has to be an international process. Part of that has to do with our challenges with credibility right now. Part of that has to do with the fact that U.S. law is not binding internationally. If we can get other countries to sign onto formal mechanisms to govern state behavior in cyberspace, that’s a lot more powerful and a lot more lasting. Long term, treaties are extremely difficult and extremely slow, and that’s not going to change and it’s not unique to cyberspace. The first step, I think, is to develop norms with like-minded countries and norms that reflect the way that we currently operate in cyberspace and what we think are the natural incentives for others in cyberspace, particularly the other major cyber powers. The reason that that’s really important is because if you can start to define the natural norms that already exist, it makes it easier for countries that are new to the game, particularly countries that are new to cyberspace and cyber operations to comply. From there, you can start to try to outline norms that may not be natural to a lot of countries but are still extremely important.

LS: What do you think are the main factors right now keeping the U.S. from taking a leadership role setting standards internationally?

WC: One of the big problems for us is credibility. Internationally, U.S. credibility is very low. People don’t believe our commitments. They don’t believe when we try to set norms and standards we’re doing it in good faith. They don’t believe that we will follow the rules we set. That’s a problem when you’re trying to get everyone to agree to a common baseline of rules and standards. Another big issue is just the general lack of trust internationally that’s not an entirely U.S. phenomenon. That makes it difficult to make any agreement at scale. Finally, you have the fact that you have fundamentally different equities among countries around the world. In the developing world, some of their core interests in the internet are their ability to develop their economies, to generate political stability, to use technology to combat violence and extremism, all of which run counter to the U.S.’s major goals. For many countries, they want to use protectionist policies to advance their own economic champions. That’s something that runs contrary to the U.S.’s interest because many U.S. companies are the established global hegemons that are currently exporting goods and services to these countries. Getting to a place where we can establish rules that are beneficial for everyone and that balance the equities of different parties effectively is incredibly difficult.

LS: On the American leadership side, what are some barriers keeping us from taking a more proactive stand in cyber norm-setting?

WC: I wouldn’t say that Congress and the president don’t want to take a leadership role and participate in norm-setting, but for one thing, there’s entirely justified skepticism on the part of the administration and others about whether our adversaries will honor norms that we set together. Basically, we are concerned that we will agree to a norm that will then constrain our behavior, and our adversaries will flaunt that norm and continue to do the bad things we don’t like. That’s a pattern that we’ve seen with a lot of the agreements we’ve had particularly with the Russians, but also something we’ve seen with the Chinese, for example on intellectual property. That is going to remain an issue. The fact that the U.S. distrusts the main parties that we’re interested in establishing norms with when it comes to enforcement and compliance, that’s going to be a huge challenge.

LS: What do you think the U.S. has to gain from playing a leadership role?

WC: At the end of the day, we benefit from establishing a common understanding for how states should operate in cyberspace. We tend to exercise restraint of our own volition, which is not necessarily true of a lot of other countries. So if we can establish a common baseline of what we consider to be inappropriate behavior, hopefully it will prevent uncontrolled escalation dynamics, provide some degree of transparency, and help us to establish international coalitions to impose consequences on malicious actors who engage in bad behavior in cyberspace—all of that is to our benefit.

LS: You mentioned that some countries impose internet restrictions for different purposes. Do you think that in the U.S., there’s a demand for creating a more restrictive internet, such as with law enforcement as it faces the increasingly challenging task of cracking encrypted devices?

WC: The law enforcement issue is a complex one, but I will say as a general statement, I think there is room for the U.S. to allow some reasonable degree of control of certain parts of internet in the technology ecosystem without compromising our fundamental values. That’s something that some of my friends in the civil liberties world would shout down in a heartbeat, but the fact is, a lot of the arguments against that come from people who don’t necessarily disagree with that statement in principle; they just don’t trust governments to follow the rules and act in good faith. To me, those are fundamentally different problems. You’re essentially restricting capability in lieu of developing effective governance because you don’t believe effective governance is possible. I think we have to hold ourselves to a higher standard and at least try to develop effective governance, because you get to a better balance of the relevant equities because you can have both effective enforcement of the laws and prevention of crime and freedom and the ability to express U.S. values through the internet if you’re willing to work through the challenges to governance and develop effective accountability mechanisms instead of just withholding capabilities.

LS: So there’s ICANN, which is a nonprofit that regulates the internet globally through a multi-stakeholder process but which some say is still U.S.-focused. Should the American government play a role in governing internet in the U.S., and should it play that role globally? Should cyberspace fall under that purview?

WC: I think U.S. government should certainly play a role. To me, it’s not a question of should the government play a role, it’s should the U.S. government play a unique role. The short answer is, is it advantageous to me partly because I’m an American, partly because I value freedom on the internet, to have the U.S. government play a greater role to protect a set of values that appeals to me. But I also understand that for folks who are not American, the idea that the U.S. would have a disproportionate role in the internet, and that the internet should follow relatively uniquely-U.S. values feels unfair or imbalanced, and other countries want to play a similar role in the internet because the internet is fundamentally global. It’s not a simple question. Ultimately, it comes down to where you sit. The long-term answer is: I don’t think the U.S. playing a unique role in the internet is sustainable because other countries simply will no longer accept it.

LS: Are there any harmful policies surrounding cyberspace that have resulted from the lack of U.S. leadership in the arena?

WC: Data localization is a huge problem, less so in the sense of requirements that data be stored in certain jurisdictions which is annoying but manageable. But in the sense of restrictions on data flows, it’s extremely disruptive to trade and the global economy. Another critical issue is of data retention  mandates, which basically require data to be stored which could otherwise be deleted and are therefore vulnerable to all sorts of malicious use and exploitation. Another set of policies that are really worrisome is unhelpful restrictions on content. I think a more robust governance regime for online content is pretty obviously needed with everything that we’ve seen in terms of disinformation and abuse of content, but that doesn’t mean that we need to allow the free-reign censorship and content manipulation we see in a lot of countries. 

Another key issue is malicious surveillance and malicious data collection. That’s an obvious place where better governance is needed in how governments do it, individuals do it, and companies do it. The use of authentic cyber operations needs to be better defined, and we need to have a better international understanding of what the limitations are. Right now, there is an explicit norm, although a norm people are often skeptical of, of not attacking civilian infrastructure in peace time. We need to make sure that that remains very strongly enforced, but we also need to lower the bar. Right now, low-grade attacks and exploitation of civilian networks are widely practiced and widely accepted, and that creates a lot of risks to life and limb and to economic progress. So there are many, many pieces, but the overall theme is that there’s room for much better governance of the internet, cyber capabilities and operations, and nation state behavior in cyberspace. 

Another huge one: we need a working model for combating cybercrime, which means transnational law enforcement and digital evidence—some sort of ability to get meaningful cross-border investigations, extradition regimes to combat cybercrime, consistent definitions of crimes in cyberspace, and consistent penalties. So there’s a whole lot there. 

LS: Do you think there’s a place for punitive measures the U.S. could enact for violated cyber norms, and how would or should those be formed?

WC: Imposing consequences on malicious actors is part of life, always will be, and always should be. The question is, how do we establish a common understanding of what are proportional responses to certain malicious acts? What are the types of malicious acts that justify some sort of consequence imposition? These are questions that I don’t think we have good answers to right now, but we’ll need to develop answers to.

LS: Even if we have a clear punitive policy in place, do you think it’s feasible to enforce it when it can be challenging to identify which state committed the cybercrime?

WC: First off, I think the challenge of attribution is one of the great myths of the modern cyber world. We’re very good at attribution now. We’re not necessarily good at communicating or justifying our attribution to allies and partners, which is a huge problem, but that doesn’t mean that we don’t know who’s launching malicious attacks against us, which is the threshold that we need to hold ourselves to to take punitive actions. We do need to figure out a better way of communicating our attribution because the U.S. operates in coalition, and we want to be operating based on a common understanding of appropriate and inappropriate behavior in cyberspace. But that doesn’t mean attribution itself is impossible—attribution itself is difficult. It is far from impossible. 

The real problem—the real thing that’s actually difficult in cyberspace—is figuring out what proportional responses are. In conventional warfare, it’s often that you launch a missile, I launch a missile. It’s tit-for-tat. In cyberspace, often launching the same kind of attack back against adversaries that they launched against you isn’t effective either because they experience less costs from it than you do, or they are more willing to absorb that cost. So figuring out what proportionality looks like and how it can be effectively applied in cyberspace is a real challenge.

LS: Right, and I’m excited to see how our cybersecurity policy develops in that capacity, and whether we do end up playing more of a leading role in setting standards internationally. Thanks for your time today!

WC: Absolutely!

[This transcript was edited for clarity.]

On December 12th of 2019, New Center Policy Analyst Laurin Schwab interviewed Dr. Paul Rosenzweig of the R Street Institute on federal regulation in cybersecurity. On top of serving as a Senior Fellow with the R Street Institute, Dr. Rosenzweig manages his own cybersecurity company, Red Bridge Consulting, and teaches cybersecurity at the George Washington School of Law. Dr. Rosenzweig has also authored Cyber Warfare: How Conflicts in Cyberspace Are Challenging America and Changing the World on top of numerous cyber-related online courses. 

LS: You have such a unique vantage point having worked for the Department of Homeland Security in the public sector as well as managing your own cybersecurity company in the private sector. What kind of cybersecurity issues did you work on at DHS?

PR: The most significant was the development of the very first set of cybersecurity policies and initiatives for the U.S. government. In 2005 or 2006, I think it’s fair to say the government was relatively unaware of the nature of the cyber threats. And then we got some very bad tests done that showed pervasive vulnerabilities in the industrial control systems of the electric grid, and that started a government-wide project that eventually resulted in something known as the Comprehensive National Cybersecurity Initiative, the CNCI. It was initially classified top secret, but President Obama subsequently declassified major portions of it, and that was the first effort to the U.S. government to define what cyberspace is and why it’s important, and what the government’s role in it should be. So that was a major part of my initial effort.

LS: You’ve been around, then, since the inception to watch government policy on cybersecurity come into existence and then develop since 2005. Since then, what would you say are the biggest changes in government regulations or shifts in policy?

PR: That’s a very big question. I would say that the initial phase of deep concern and panic over infrastructure protection has given way to a moderately effective steady state of review that has seen the government figure out that in this domain, directive regulatory results are not so good, and it has decided to lean into the idea of standard-setting and suggestions, best practices sort of thing, which have proven to be relatively effective. So the biggest change is that the government has been humbled a bit, and has realized it doesn’t have all the answers, and that the private sector has more answers than it does itself, generally.

LS: I can see how it would simmer down as people understand the scope of the problem. I’m curious about your ideas surrounding what the role of the Department of Homeland Security should be in cybersecurity policy. What should it be able to do, and what should it not be able to do?

PR: Where I think government does best is where it has a unique capability. Some of those are simple things like enabling information-sharing and convening experts for standards setting. The government’s most important value here is cyber on the international stage, trying to find levers that might not be cyber levers for modifying Chinese behavior in stealing intellectual property, or modifying Russian behavior in interfering with our elections. Those are not issues that a private sector company can resolve. That is clearly the highest, best value for government: international norms and behavior-setting. By contrast, selling the newest security widget is something the private market does pretty well. We don’t need government to set the best widget. We need government to figure out how to rate widgets so you can decide which one is best. Measuring cybersecurity is something government might have a better role in.

LS: With respect to cybersecurity standards, should the DHS play a role in compelling companies to follow them?

PR: I don’t think the government is nimble enough to pick the right standards. A friend of mine in the industry once told me, “The attackers are a year ahead of the defenders, the defenders are two years ahead of the legislators, and the legislators are two years ahead of the regulators.” That’s just the way it works. Our government is a slow-moving, hierarchical system. The cyber domain is a distributed, fast-moving system. Another friend of mine once said, “The government is a Ford Edsel, and cybersecurity is a Tesla.” And I actually think that understates the difference.

LS: That makes sense in such a rapidly evolving field. If the government can’t pick the right standards, do you think there’s an opportunity in the private sector for a private organization to develop standards and encourage companies to adhere to them?

PR: Yes, that’s evidently plausible. I don’t know the government has to be the standard-setter. It has advantages in being the standard-setter mainly because it doesn’t have a parochial interest, whereas if industry gets together, there’s a fight going on between you and me; my standard helps my product, your standard helps your product. 

LS: So there’s the federal government, the private sector, and then there are state and local governments. Do you think that the federal government should coordinate with the states to create standards?

PR: I think everybody who is a stakeholder is appropriately included in the discussion, and so that includes state and local. They bring a unique perspective and are probably closer to the people, so that makes some sense that they would participate. I don’t think the Department of Homeland Security should have any role in compelling the states any more than I think that they should have one in compelling the private sector. I don’t see them as having that successful expertise.

LS: I can see how it’d be difficult to coordinate cybersecurity while also protecting states from forced compliance, which could stifle innovation and limit the laboratories of democracy in the U.S. What are your thoughts on that?

PR: I’m not anti-regulation generally, I just think that regulations work best in systems that are slow to change. We can do environmental regulation readily because what’s good for the environment doesn’t change that much over time. Maybe the new science tomorrow tells us we should reduce the benzene levels 10%, but fundamentally, science is science; with respect to the environment, there are no great new discoveries. Whereas I don’t see that being the case in the cyber realm.

LS: I’m also curious about your thoughts on cyber information-sharing. There was a bill passed in 2015 called the Cybersecurity Information Sharing Act for companies to share information with the government. I’m wondering what your thoughts were on whether this was a positive or negative development, and what its effects were in the cyberspace policy community.

PR: It’s a good thing but not a great thing. It didn’t really change too much. It didn’t hurt.

LS: Some groups were concerned about the security and privacy of individual users’ information, and how companies could share personal information with the government. There was a letter written by a few companies to Paul Ryan in 2015 about how they wanted to establish the DHS as the only portal for information-sharing and make sure that no other national security agency in law enforcement, like the FBI or the NSA, could automatically have the information shared by the DHS. What are your thoughts on that concern?

PR: I thought that was a tempest in a teapot, it didn’t matter too much one way or another.

LS: I’m curious about any promising developments in private or public sector cybersecurity that are game-changers for protecting critical infrastructure or cyber infrastructure in the U.S. today. Is there anything you’re excited about right now?

PR: First off, there are no game-changers. Everybody’s looking for silver bullets, but there are no silver bullets; it just is what it is, that’s all of it and there’s nothing more to it than that. So that’s number one. Number two, to the extent that I’m excited about anything at all, it is really the growing trend of cybersecurity to stop being an art and start being a science. Right now, everything in cybersecurity is qualitative, and I think that the most important changes that are happening in the near term are that they’re becoming quantitative, that we’re beginning to measure cybersecurity effectively. And if we do that, we’ll be in good shape, if we can actually turn it into a science. That would be effective, I think.

LS: What do you think is missing in what we’re focusing on right now in cybersecurity? Do you look at developments in the public and private sector and think, “Wow, we should really be focusing more on this”?

PR: I mentioned one, the idea of metrics, the idea of numbers—that deserves more focus. We’ve talked about another, which is the weakness in state and local governments, and the necessity of doing that. I think right now, the DHS is pretty distracted by environmental and immigration matters, and I think as a result we haven’t been putting as much effort into cybersecurity as we have the last few years. That’s the nature of a president being a president; he gets to choose.

LS: Another issue in the cybersecurity space is personnel—that there are so few people working in the government space. Do you think that’s significant?

PR: Personnel is a biggie, but that’s a perennial. I don’t know that the government can do too much about it unless it quadruples the salary of everyone who works for the government. That’s going to be a much harder nut to crack.

LS: Looking forward, do you think cybersecurity will be even more of an issue than it is right now?

PR: Right now is the calm before the storm. We are likely to see bad things happening soon, but at the same time, it is the case that so far they haven’t been that bad. More people have died from squirrels the past year than cybersecurity problems.

LS: It does seem to suffer from that issue—the potential is so great, but it’s so hard to talk about it without metrics.

PR: Right; I can’t measure it, so I can’t tell you if we’re better or worse today. I have a sense that we’re better off but haven’t done enough, but maybe I’m wrong.

LS: Thanks so much for your time today; I appreciate it!

This transcript was loosely edited for clarity.

In November 2019, New York City approved a massive overhaul to the city’s election system. New Yorkers’ answer to Ballot Question 1 switched the city’s elections over to a ranked-choice voting or “instant runoff” model, thereby nixing the need for successive elections to cull candidate pools. Passing with 73% support, the measure will add New York City to a small but growing group of ranked-choice-using nations, states, and cities such as Australia, New Zealand, Maine, San Francisco, and Oakland. The Big Apple’s new model will debut in 2021 and apply to primary and special elections for mayor, comptroller, borough president, public advocate, and the City Council.

Under their new ranked-choice voting system, New Yorkers head once to voting booths, where they rank up to five candidates in their order of preference. (The system doesn’t toss ballots with only one candidate marked.) If a candidate wins more than 50% of the first-choice votes, that candidate wins. But if not, the last-place candidate is eliminated, and their votes are redistributed to the four remaining contenders per voters’ next-up preferences. The process continues again and again through successive “rounds” until one candidate wins a majority. 

Proponents of RCV claim it will disincentivize candidates from catering to the extremes or campaigning negatively, since negative campaigning against a voter’s favorite candidate could dash their chance to win second-choice votes. Though the topic isn’t well-studied, surveys taken by FairVote and the Rutgers-Eagleton Poll in 2013 and 2015 found that likely voters in typical plurality-voting cities were more likely to perceive negative campaigning than likely voters in surveyed RCV-voting cities. 

RCV advocates also say it will bolster voter turnout, compel candidates to campaign to more people, lower election costs by nixing the need for runoffs, ensure wins from majority-preferred candidates, and eliminate political spoiler effects. But many of these claims are theoretical, with little empirical research to decisively support them. According to one study on San Francisco’s 2005 municipal election, for example, RCV did increase voter turnout by 2.7 times, and did appear to stop weaker candidates from siphoning off votes from stronger ones. But there is no reliable research on whether candidates in RCV systems aim spending at broader voter coalitions. Regarding election costs, a surprising 2018 study by the MIT Election Lab found that costs in RCV-implementing cities were actually no lower than costs in cities without it. And as for the attractive idea that RCV ensures a win from the majority-preferred candidate, it’s technically untrue. A clever 2014 study by Craig Burnett and Vladimir Kogan found that some candidates in RCV systems do win without a majority of total ballots cast, because many ballots are silent on finalists and therefore don’t factor into the last round. If a voter ranks only a few candidates who are all eliminated quickly, their ballot becomes “exhausted,” meaning it’s thrown out of the final round for failing to rank the finalists.       

Opponents of RCV fear the system will bring negative unintended effects. According to Burnett and Kogan, exhausted ballots⁠—or those that don’t factor into the last round—made up at least 9.6% of ballots in the four American elections they studied. Critics point out that ranked-choice might not matter in cases where popular candidates win by large margins, like when 90% of Australian constituencies elected the candidate with the most first-preference votes in 2013. But the opposite problem could appear too, when RCV lends the win to candidates who fail to muster the plurality of first-choice votes. Burnett and Kogan argue that compelling voters to rank candidates gives them a more laborious and time-consuming cognitive task, which benefits people who have more free time and who’ve mastered the platforms of even obscure candidates. In other words, RCV could disempower voters with lower education or income. For those who know little about the smaller players, RCV still encourages them to rank multiple people, thus privileging highly-informed voters over less-informed ones.

In short, it’s tricky to say with any certainty whether ranked-choice voting will deliver the benefits its supporters promise. But with New York City embracing the system, we now have one more local laboratory of democracy to put these claims to the test in the coming years.