National Security
Vol. 6 No. 1 | Summer 2019
For most of history, the domains of the global commons were unclaimed, largely because the technology to access and utilize them did not exist.[1] In areas such as the high seas and outer space, it was impossible for states to establish and maintain sovereign control. Even as the relevant technologies developed, costliness and controls kept them initially concentrated largely in the hands of just a few major powers such as the Unit- ed States and the Soviet Union. For the United States, “command of the commons” became the military foundation of its hegemony, granting it the ability to access much of the planet and to credibly threaten to deny the use of such spaces to others.[2] Bipolar competition between the United States and the Soviet Union strongly influenced developments in the maritime and outer space domains. In the case of cyberspace, a more recent addition to the traditional global commons, the United States was also initially dominant due to its role in pioneering associated technologies. However, over time and particularly since the end of the Cold War, continuing technological innovation and diffusion have made these domains accessible to a growing number of countries.
This technological progress was born of both cooperation and competition between states. While some states chose to develop certain technologies indigenously, many acquired knowledge and equipment from abroad. Globalization of industry has made it easier for states to obtain a variety of foreign technologies, even lowering the threshold for them to procure disruptive military capabilities. In addition, over the last two decades, American primacy has been increasingly challenged by the rise of China, which has impacted the dynamics of technological development and diffusion across multiple domains. As China has acquired the technology to become more active in the commons, it has prompted major regional powers, such as Japan and India, to accelerate their own technological advancement, and other mid-sized and smaller countries have also become increasingly engaged.[3]
The consequence of this multiplication of technologically sophisticated actors has been the erosion of American primacy in the global commons. Although the United States still remains the most dominant player, it is faced with a more densely populated field, and management of these spaces has become more difficult. This article examines this trend in the high seas, outer space, and cyberspace since the end of the Cold War, with attention to the ways in which the rise of China and the relative decline of the United States have catalyzed greater engagement with the commons, particularly among the countries in Asia that find themselves most affected by this power transition. I argue that advances in and diffusion of technology have transformed the global commons into increasingly crowded domains characterized by interstate competition and heightened tensions. Whether these tensions prevail depends on the creation and strengthening of regimes to manage interactions and promote shared rules and norms...
This piece is offered in PDF format for easier reading. Download the PDF to read more.
[1] As Vogler points out, “one shared characteristic of the global commons is their close association with scientific discovery and developing technological capability.” John Vogler, “Global Commons Revisited,” Global Policy 3, (1) (2012): 61–71.
[2] Barry Posen, “Command of the Commons: The Military Foundation of U.S. Hegemony,” International Security 28, (1) (2003): 5–46.
[3] For example, Japan has responded to increased Chinese activity across all three of the domains of the global commons addressed here. For an extended discussion, see Kristi Govella, “Securing the Global Commons? Japan in Outer Space, Cyberspace, and the High Seas” (Workshop on Conflict, Cooperation, and Interaction in the Global Commons, University of California, Berkeley, 2019).
Dr. Kristi Govella
Dr. Kristi Govella is an Assistant Professor in the Asian Studies Program at the University of Hawaiʻi at Mānoa, a National Asia Research Program Fellow, and an Adjunct Research Fellow at the East-West Center. Her work deals with the intersection of economics, politics, and security in Asia, with a particular focus on Asian regionalism and Japanese politics. She is currently working on a number of projects related to economics-security linkages, regional institutional architecture, trade agreements, multinational firms, recent Japanese security reforms, and the global commons. Her publications include Linking Trade and Security: Evolving Institutions and Strategies in Asia, Europe, and the United States (2013). Prior to joining the University of Hawaiʻi, Dr. Govella was a Postdoctoral Fellow at Harvard University and an Associate Professor at the Daniel K. Inouye Asia-Pacific Center for Security Studies. She holds a Ph.D. and an M.A. in Political Science from the University of California, Berkeley and a B.A. in Political Science and Japanese from the University of Washington.
In 2017, leaders of the U.S. Intelligence Community warned that “more than 30 nations are developing offensive cyberattack capabilities.”1 This means that more than 30 countries may be conducting hacking operations as a method for surveillance, disruption, or destruction. Unregulated cyber surveillance and cyberattacks by government actors can pose risks not only to a government’s foreign adversaries, but also to its own citizens. Thus, as the United States and other nations work to enhance their own offensive cyber capabilities, as well as to develop strategies to defend against potential attacks, it is critical that these countries establish legal regimes to govern such conduct in cyberspace. Although Germany has established a legal framework to regulate government hacking activities,[2] few countries have done so.[3]
To bring government hacking operations within the rule of law, a crucial step is to design rules regarding the management of vulnerabilities that governments discover or acquire. As with other cyber actors, when governments conduct hacking operations, this frequently involves exploiting vulnerabilities in computer hardware and software systems. But these same flaws can also be manipulated by a government’s foreign adversaries or other malicious actors. Therefore, when countries consider their abilities to rely on hacking as an investigative tool, as well as their interests in exploiting vulnerabilities for military and intelligence operations, they must also evaluate the capacity of information and communications technology providers to repair bugs and protect the cybersecurity of all users. Determining whether to exploit a vulnerability or disclose it to a vendor for patching involves balancing a variety of different security concerns against each other.
Some countries have made progress in formalizing the rules for making these decisions and in publicizing these rules to promote public accountability. In November 2017, the United States released a charter governing its Vulnerabilities Equities Process (VEP), which outlines how the U.S. government weighs the various competing equities.[4] The charter delineates which components of the government will participate in determinations regarding whether to disclose or retain each newly discovered vulnerability, and it sets forth the criteria to be used and the process to be followed in making such assessments. One year later, the United Kingdom (UK) announced its Equities Process, which follows a similar approach.5 Most recently, in March 2019, Australia released its “Responsible Release Principles for Cyber Security Vulnerabilities,”[6] and Germany is currently working to develop a VEP and is expected to make information about its process public in early 2019.[7] However, as described below, the VEP procedures revealed to date need further improvement,[8] and most of the nations with offensive cyber capabilities have not developed—or at least have not announced—any such framework...
This piece is offered in PDF format for easier reading. Download the PDF to read more.
[1] James R. Clapper, Marcel Lettre, and Michael S. Rogers, Joint Statement for the Record to the Senate Armed Services Committee: Foreign Cyber Threats to the United States, 115th Cong., 1st sess., January 5, 2017.
[2] The German Code of Criminal Procedure § 100 (2014).
[3] Alex Betschen, “We’re Suing the Government to Learn Its Rules for When It Hacks Into People’s Devices,” American Civil Liberties Union, December 21, 2018, <https://www.aclu.org/blog/privacy-technology/internet-privacy/were-suing-government-learn-its-rules-when-it-hacks-peoples>.
[4] Vulnerabilities Equities Policy and Process for the United States Government, White House document, November 15, 2017.
[5] “The Equities Process,” GCHQ, November 29, 2018, <https://www.gchq.gov.uk/ features/equities-process>.
[6] “Responsible Release Principles for Cyber Security Vulnerabilities,” Australian Signals Directorate, March 2019, <https://asd.gov.au/publications/Responsible-Re- lease-Principles-for-Cyber-Security-Vulnerabilities.pdf>.
7 Sven Herpig and Ari Schwartz, “The Future of Vulnerabilities Equities Processes Around the World,” Lawfare, January 4, 2019, <https://www.lawfareblog.com/ future-vulnerabilities-equities-processes-around-world>.
[8] Sharon Bradford Franklin and Andi Wilson, “Rules of the Road: The Need for Vulnerabilities Equities Legislation,” Lawfare, November 22, 2017, <https://www. lawfareblog.com/rules-road-need-vulnerabilities-equities-legislation>.
Sharon Bradford Franklin
Sharon Bradford Franklin is Director of Surveillance & Cybersecurity Policy at New America’s Open Technology Institute (OTI). She leads OTI’s work on issues involving government surveillance, encryption, cybersecurity, government access to data, transparency, and freedom of expression online. From 2013 to 2017, she served as Executive Director of the Privacy and Civil Liberties Oversight Board (PCLOB), an independent federal agency that reviews counterterrorism pro- grams to ensure that they include appropriate safeguards for privacy and civil liberties. Previously, she served as Senior Counsel at the Constitution Project, a nonprofit legal watchdog group, working on a range of issues involving national security and privacy and civil liberties. Franklin is a graduate of Harvard College and Yale Law School.
Benjamin Franklin is famous, in part, for having said, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” Though historical evidence suggests Franklin’s quote has been misinterpreted,[1] the aphorism has come to stand for the proposition that privacy and security stand in opposition to each other, where every increase in security likely results in a commensurate decrease in privacy, and vice versa.
Couched in those terms, the privacy/security trade-off is a grim prospect. We naturally want both privacy and security to the greatest extent possible. But Franklin tells us this is impossible — that privacy and security are locked in a zero-sum game where the gain of one comes only at the loss of the other.
Of course, this characterization is assuredly flawed; it is certainly possible to adopt systems that maximize both privacy and security in a Pareto optimal way. That is one of the reasons why so many privacy and security experts simply revile the “balancing” metaphor — it obscures more than it illuminates...
This piece is offered in PDF format for easier reading. Download the PDF to read more.
[1] Benjamin Wittes, “What Ben Franklin Really Said,” Lawfare Blog, July 15, 2011, <https://www.lawfareblog.com/what-ben-franklin-really-said>.
Paul Rosenzweig
Paul Rosenzweig is a Senior Fellow at the R Street Institute and a Professorial Lecturer in Law at George Washington University. He served as the Deputy Assistant Secretary for Policy at the Department of Homeland Security from 2005 to 2009. He is also the Principal at Red Branch Consulting.
Fletcher Security Review: Thank you for taking the time to speak with us. Can you begin by telling me a bit about the work you're doing right now?
Nina Jankowicz: Sure. I am working on a book that tracks Russian influence in Central and Eastern Europe over the past decade. But rather than kind of looking at tactics and techniques, which we know a lot about already, it's looking at responses, which I think the West has yet to really observe. We tend to think that this is the first time this has ever happened to and we need to reinvent the wheel and our response. And I actually think there's a lot to learn from countries like Estonia and the Czech Republic in what they've done right, and what they've done wrong...
This piece is offered in PDF format for easier reading. Download the PDF to read more.
Nina Jankowicz
Nina Jankowicz is writing a book on the evolution of Russian influence campaigns in Eastern Europe. She has previ- ously worked advising the Ukranian government on communication and managed democracy assistance programs for Russia and Belarus. She is currently a Global Fellow at the Woodrow Wilson International Center for Scholars’ Kennan Institute and has previously served as a Fulbright-Clinton Public Policy Fellow.
“No modern military can live without cyber capabilities, just as no nation could imagine, after 1918, living without airpower.”
In The Perfect Weapon, David Sanger argues that the nature of global power itself is undergoing dramatic changes, brought about by the proliferation of highly advanced cyber capabilities. Today, internet access is nearly ubiquitous, the cost of entry is low, and, particularly in the domain of cyberwarfare, there is one fundamental fact: offensive capabilities have critically outpaced cyber defenses. A weak and impoverished nation like North Korea can hold large swaths of public and private infrastructure in America at risk, steal military OpPlans, and pilfer millions of dollars from foreign banks. A Kremlin reeling from sanctions, low oil prices, and historically low public trust is able to threaten the very foundations of American democracy through targeted social media campaigns and hacking and leaking the emails of a major political party. But while the offensive advantage has given weaker powers greater capacity to pursue their geopolitical objectives, U.S. leadership has found that their response options have not similarly benefitted. America’s offensive cyber prowess so exceeds its own defensive capabilities that officials often hesitate to strike back for fear of establishing norms of retaliation against vulnerable infrastructure or inciting unintended escalation. Sanger argues that without an open public debate among government policy makers, military planners, and academics to coordinate a grand strategy, the United States will be forced to accept a world of constant cyberattacks, limited response options, and the greater risk of capitulating to foreign coercion...
This piece is offered in PDF format for easier reading. Download the PDF to read more.
Travis Frederick
Travis Frederick is a Ph.D. candidate in security studies at Princeton University and a graduate researcher in Princeton’s Socio-Cognitive Processes Lab. His research interests include Russian security policy, U.S.-Russia relations, and the psychology of threat perception. He is a Graduate Fellow at the Center for International Security Studies and has previously worked at OSD Policy, U.S. State Department, and GTRI.