International rules governing cybersecurity are unclear, particularly when it comes to cyber-espionage. That’s because technology is changing rapidly and countries disagree over principles on issues like privacy rights and Internet freedom. Countries are also unwilling to sacrifice their own right to act unilaterally in cyberspace.
One step to start holding countries accountable for cyberattacks is to solidify norms that are already implicitly agreed on. For example, it seems that countries, for the most part, have neither hacked into each other’s financial institutions nor disrupted predominantly civilian critical infrastructure. The US should explore past norms in areas such as arms control to derive lessons for cybernorms.
Washington must also engage the private sector in this dialogue, even though some business interests have opposed the administration’s legislative efforts to improve cybersecurity standards.
The private sector owns and operates the majority of the critical infrastructure that the government wants to protect. US-based multinationals have a vested interest in a secure, stable cyberspace and can be useful partners in advocating for norms internationally.
Emilian Papadopoulos is chief of staff at Good Harbor, a cyberrisk consulting firm. He previously worked at Canada’s Department of Foreign Affairs. Eli Sugarman is a Truman fellow and senior director of Gryphon Partners. He previously worked at the State Department.