Interview with Cybersecurity Expert William Carter: America’s Role in Global Cyber Law

On January 8, 2020, New Center Policy Analyst Laurin Schwab interviewed William Carter, former Deputy Director and Fellow of the Technology Policy Program at the Center for Strategic and International Studies (CSIS), on the role of the U.S. in cyber norm-setting internationally. Mr. Carter previously worked as a quantitative economist in the financial industry in the fields of technology, telecommunications, international relations, and political risk before returning to the policy world as a lead researcher at CSIS. In his role there, he focuses on both domestic cybersecurity and global cyberspace and covers topics such as artificial intelligence, surveillance and privacy, cyber deterrence, cybersecurity in the financial sector, and encryption. 

LS: You mentioned in your testimony before the Senate Judiciary Subcommittee on Crime and Terrorism that you think the U.S. should play a leading role in defining cybercrime in international law. How do you think the U.S. should best play that role? 

WC: It’s tricky in the current environment, and I think one thing that makes it difficult for the U.S. to play this role in shaping the cyber landscape, and a reason it’s important for us to do so, is that the U.S. is one of the main operators in cyberspace. We define not only through our words, but also through our actions what is and isn’t okay for nation states to do in cyberspace, and how we operate and what the values are that define how countries operate in cyberspace. It gets a little bit complicated when you factor in the fact that we have to walk this fine line of separating things that we want to denormalize as general practice in cyberspace from things that we don’t want countries to do to us. There are things that we do to other countries and that we accept as nation-state behavior, such as espionage, but that doesn’t mean we necessarily have to accept them being done to us or that we can’t impose consequences on adversaries that do them to us. So I think that’s one of the really difficult cleavages, but we can’t cede this space, and I think that’s really important in the current environment. Other countries, particularly some of our adversaries like Russia and China, want to define these norms in cyberspace, and I think it’s really dangerous to let them do that.

LS: In 2018, there was tension between the U.S., Russia, and China surrounding the Paris Call. Do you think it’s a binary choice, internationally speaking, between a free American internet and a restricted Chinese one?

WC: The fact that people believe it to be binary is certainly one of the challenges. I don’t think it is binary at the end of the day. For one thing, these issues are way too complicated. For another, we tend to demonize the Russian and Chinese conception of the internet to a greater extent than is warranted. At the end of the day, the Russians and the Chinese are not some devious masterminds trying to build an evil internet. They subscribe to a vision of a controlled internet that we often fail to recognize is often the preference of much of the world.

The idea of a completely free and open internet is attractive to the U.S., but that’s partly because we are accustomed to a lifestyle in which we don’t face the prospect of large scale violence, we don’t face the prospect of political instability, we have a well-established democracy, a strong economy that’s very competitive, and all of that influences the way that we perceive the internet. One of the reasons why the Chinese internet model has gained so much traction, particularly in the developing world, is because for countries that don’t have a lot of our advantages, a more controlled internet and information space has a lot of appeal. It offers stability and control, which is something that both governments and populations in a lot of those countries are looking for.

LS: How do you balance the idea of countries needing more internet control for stability with serious internet and AI repression surrounding, for example, the Chinese government’s repression of Muslims?

WC: It’s a big problem. What you really need to do is start thinking not in binary terms about the free internet and the evil Chinese internet, but instead think: what are appropriate governance mechanisms for cyberspace that can prevent malicious behavior but also enable the kinds of protections a lot of countries are looking for right now? The other thing we need to do is better define what we will and will not accept in terms of state behavior in cyberspace and ensure that what we say is consistent with the way that we behave, and that we can message why we take certain actions in cyberspace that may at first flush appear to be inconsistent with the values that we are espousing in cyberspace.

LS: Do you think it’s possible for the U.S. to set strict standards internationally but also have a bit of a double standard in terms of its own actions, like cyber espionage?

WC: It’s certainly possible. I think one of our biggest failings across the board is very weak messaging internationally. Explaining the difference between a behavior that we do not think is a legitimate behavior for states in cyberspace at all and behavior that we accept is part of international affairs but we will not allow to be done against us with impunity—that’s not inconsistent. In war, you accept that your adversary is going to shoot at you, but that doesn’t mean that you don’t try to shoot back. You can still have things like the Geneva Convention defining what is and is not appropriate behavior for nation states at war. That’s the type of thinking we need to get to—it’s a much more nuanced conversation, and one in which we can better define what is behavior that we want to completely delegitimize and denormalize, and what is behavior that is an accepted part of the international game, but not behavior we’re willing to have used against us with impunity.

LS: What form should that norm-setting take? An international treaty?

WC: It has to be an international process. Part of that has to do with our challenges with credibility right now. Part of that has to do with the fact that U.S. law is not binding internationally. If we can get other countries to sign onto formal mechanisms to govern state behavior in cyberspace, that’s a lot more powerful and a lot more lasting. Long term, treaties are extremely difficult and extremely slow, and that’s not going to change and it’s not unique to cyberspace. The first step, I think, is to develop norms with like-minded countries and norms that reflect the way that we currently operate in cyberspace and what we think are the natural incentives for others in cyberspace, particularly the other major cyber powers. The reason that that’s really important is because if you can start to define the natural norms that already exist, it makes it easier for countries that are new to the game, particularly countries that are new to cyberspace and cyber operations to comply. From there, you can start to try to outline norms that may not be natural to a lot of countries but are still extremely important.

LS: What do you think are the main factors right now keeping the U.S. from taking a leadership role setting standards internationally?

WC: One of the big problems for us is credibility. Internationally, U.S. credibility is very low. People don’t believe our commitments. They don’t believe when we try to set norms and standards we’re doing it in good faith. They don’t believe that we will follow the rules we set. That’s a problem when you’re trying to get everyone to agree to a common baseline of rules and standards. Another big issue is just the general lack of trust internationally that’s not an entirely U.S. phenomenon. That makes it difficult to make any agreement at scale. Finally, you have the fact that you have fundamentally different equities among countries around the world. In the developing world, some of their core interests in the internet are their ability to develop their economies, to generate political stability, to use technology to combat violence and extremism, all of which run counter to the U.S.’s major goals. For many countries, they want to use protectionist policies to advance their own economic champions. That’s something that runs contrary to the U.S.’s interest because many U.S. companies are the established global hegemons that are currently exporting goods and services to these countries. Getting to a place where we can establish rules that are beneficial for everyone and that balance the equities of different parties effectively is incredibly difficult.

LS: On the American leadership side, what are some barriers keeping us from taking a more proactive stand in cyber norm-setting?

WC: I wouldn’t say that Congress and the president don’t want to take a leadership role and participate in norm-setting, but for one thing, there’s entirely justified skepticism on the part of the administration and others about whether our adversaries will honor norms that we set together. Basically, we are concerned that we will agree to a norm that will then constrain our behavior, and our adversaries will flout that norm and continue to do the bad things we don’t like. That’s a pattern that we’ve seen with a lot of the agreements we’ve had particularly with the Russians, but also something we’ve seen with the Chinese, for example on intellectual property. That is going to remain an issue. The fact that the U.S. distrusts the main parties that we’re interested in establishing norms with when it comes to enforcement and compliance, that’s going to be a huge challenge.

LS: What do you think the U.S. has to gain from playing a leadership role?

WC: At the end of the day, we benefit from establishing a common understanding for how states should operate in cyberspace. We tend to exercise restraint of our own volition, which is not necessarily true of a lot of other countries. So if we can establish a common baseline of what we consider to be inappropriate behavior, hopefully it will prevent uncontrolled escalation dynamics, provide some degree of transparency, and help us to establish international coalitions to impose consequences on malicious actors who engage in bad behavior in cyberspace—all of that is to our benefit.

LS: You mentioned that some countries impose internet restrictions for different purposes. Do you think that in the U.S., there’s a demand for creating a more restrictive internet, such as with law enforcement as it faces the increasingly challenging task of cracking encrypted devices?

WC: The law enforcement issue is a complex one, but I will say as a general statement, I think there is room for the U.S. to allow some reasonable degree of control of certain parts of the internet in the technology ecosystem without compromising our fundamental values. That’s something that some of my friends in the civil liberties world would shout down in a heartbeat, but the fact is, a lot of the arguments against that come from people who don’t necessarily disagree with that statement in principle; they just don’t trust governments to follow the rules and act in good faith. To me, those are fundamentally different problems. You’re essentially restricting capability in lieu of developing effective governance because you don’t believe effective governance is possible. I think we have to hold ourselves to a higher standard and at least try to develop effective governance, because you get to a better balance of the relevant equities because you can have both effective enforcement of the laws and prevention of crime and freedom and the ability to express U.S. values through the internet if you’re willing to work through the challenges to governance and develop effective accountability mechanisms instead of just withholding capabilities.

LS: So there’s ICANN, which is a nonprofit that regulates the internet globally through a multi-stakeholder process but which some say is still U.S.-focused. Should the American government play a role in governing the internet in the U.S., and should it play that role globally? Should cyberspace fall under that purview?

WC: I think the U.S. government should certainly play a role. To me, it’s not a question of should the government play a role, it’s should the U.S. government play a unique role. The short answer is, it is advantageous to me, partly because I’m an American, partly because I value freedom on the internet, to have the U.S. government play a greater role to protect a set of values that appeals to me. But I also understand that for folks who are not American, the idea that the U.S. would have a disproportionate role in the internet, and that the internet should follow relatively uniquely-U.S. values feels unfair or imbalanced, and other countries want to play a similar role in the internet because the internet is fundamentally global. It’s not a simple question. Ultimately, it comes down to where you sit. The long-term answer is: I don’t think the U.S. playing a unique role in the internet is sustainable because other countries simply will no longer accept it.

LS: Are there any harmful policies surrounding cyberspace that have resulted from the lack of U.S. leadership in the arena?

WC: Data localization is a huge problem, less so in the sense of requirements that data be stored in certain jurisdictions which is annoying but manageable. But in the sense of restrictions on data flows, it’s extremely disruptive to trade and the global economy. Another critical issue is data retention mandates, which basically require data to be stored which could otherwise be deleted and are therefore vulnerable to all sorts of malicious use and exploitation. Another set of policies that are really worrisome is unhelpful restrictions on content. I think a more robust governance regime for online content is pretty obviously needed with everything that we’ve seen in terms of disinformation and abuse of content, but that doesn’t mean that we need to allow the free-rein censorship and content manipulation we see in a lot of countries.

Another key issue is malicious surveillance and malicious data collection. That’s an obvious place where better governance is needed in how governments do it, individuals do it, and companies do it. The use of authentic cyber operations needs to be better defined, and we need to have a better international understanding of what the limitations are. Right now, there is an explicit norm, although a norm people are often skeptical of, of not attacking civilian infrastructure in peace time. We need to make sure that that remains very strongly enforced, but we also need to lower the bar. Right now, low-grade attacks and exploitation of civilian networks are widely practiced and widely accepted, and that creates a lot of risks to life and limb and to economic progress. So there are many, many pieces, but the overall theme is that there’s room for much better governance of the internet, cyber capabilities and operations, and nation state behavior in cyberspace. 

Another huge one: we need a working model for combating cybercrime, which means transnational law enforcement and digital evidence—some sort of ability to get meaningful cross-border investigations, extradition regimes to combat cybercrime, consistent definitions of crimes in cyberspace, and consistent penalties. So there’s a whole lot there. 

LS: Do you think there’s a place for punitive measures the U.S. could enact for violated cyber norms, and how would or should those be formed?

WC: Imposing consequences on malicious actors is part of life, always will be, and always should be. The question is, how do we establish a common understanding of what are proportional responses to certain malicious acts? What are the types of malicious acts that justify some sort of consequence imposition? These are questions that I don’t think we have good answers to right now, but we’ll need to develop answers to.

LS: Even if we have a clear punitive policy in place, do you think it’s feasible to enforce it when it can be challenging to identify which state committed the cybercrime?

WC: First off, I think the challenge of attribution is one of the great myths of the modern cyber world. We’re very good at attribution now. We’re not necessarily good at communicating or justifying our attribution to allies and partners, which is a huge problem, but that doesn’t mean that we don’t know who’s launching malicious attacks against us, which is the threshold that we need to hold ourselves to to take punitive actions. We do need to figure out a better way of communicating our attribution because the U.S. operates in coalition, and we want to be operating based on a common understanding of appropriate and inappropriate behavior in cyberspace. But that doesn’t mean attribution itself is impossible—attribution itself is difficult. It is far from impossible. 

The real problem—the real thing that’s actually difficult in cyberspace—is figuring out what proportional responses are. In conventional warfare, it’s often that you launch a missile, I launch a missile. It’s tit-for-tat. In cyberspace, often launching the same kind of attack back against adversaries that they launched against you isn’t effective either because they experience less costs from it than you do, or they are more willing to absorb that cost. So figuring out what proportionality looks like and how it can be effectively applied in cyberspace is a real challenge.

LS: Right, and I’m excited to see how our cybersecurity policy develops in that capacity, and whether we do end up playing more of a leading role in setting standards internationally. Thanks for your time today!

WC: Absolutely!

[This transcript was edited for clarity.]