Fragmentation or Like-Mindedness: Rethinking Responsible Behavior in the Age of Multilateralism

Commentary by James Andrew Lewis

Published October 16, 2024

This commentary was initially presented as opening remarks by James A. Lewis at the Securing Cyberspace 2024 conference, "Responsible Cyber Behaviour in Practice: A Global View," held at the Royal United Services Institute on October 9, 2024.

Security in cyberspace is ultimately determined by relations among powerful states. The trends shaping these relations include the revanchism of the former Communist giants, the rise of China, the decline of Europe, and the end of America's unipolar moment, but above all, they are shaped by the close of the era of great power cooperation. Between 2009 and 2015, when states could cooperate, they were able to reach an agreement on norms for responsible state behavior. Now that cooperation has been replaced with competition and conflict, what is left?

To an extent, this change makes UN norms an artifact of an earlier time. The concepts that guided agreement in 2015 and 2021, which held that mutual understandings and cooperative mechanisms for a global community would reduce the chances of conflict and miscalculation, no longer apply. For cybersecurity, the shared global vision for responsible behavior peaked in 2015. While a formal agreement was reached in 2021, the spirit of the agreement was not. For example, confidence-building measures (CBMs) that do not interest potential opponents have limited utility for global great power competition. Building confidence among nations that are unlikely to ever fight can have value, but it is limited. There are no regular negotiations or agreed framework for talks between the United States and China, much less with Russia, as was the case in the Cold War. This makes the question before us what can be done without a willingness to compromise. That question is fundamental for cybersecurity because the majority of harmful actions are carried out by a few powerful states.

It may provide a degree of assurance if we consider the hypothesis that the long-term trend towards connectivity and integration, which began several centuries ago and is driven by technological and economic change, will eventually lead to a more integrated global society based on respect for individuals and their rights. Certainly, the signs of increased social and economic connectivity are profound. But this outcome is not certain, and it is worth recalling the Keynesian caveat in the long term when we ask what can be done in the next few years.

There are also trends, such as economic globalization, which despite the growing penchant for sovereignty, are now more than two centuries old and apparently relentless. There is the digital connectivity that creates cyberspace and has become indispensable, even addictive. But these are not enough to change the short-term impulse toward fragmentation. However, fragmentation can be managed. Fragmentation does not mean bifurcation, and while it creates friction points in international relations, it is better to think of this as a period of competition and hostility among opposing blocs, with most other states seeking to be neutral or nonaligned to avoid conflict.

Democracies cannot be said to have a strategy to change this. The fundamental problem for responsible state behavior is the inability to get major opponents to change their behavior. This is the strategic problem that confronts democracies and puts them on the defensive. The long-predicted multipolar world is now here, but it is more difficult to manage than expected. Some of this reflects an unwillingness to abandon strategic concepts from the twentieth century, like deterrence. It reflects in part a relative decline in transatlantic power and influence, if only because of the rise of other states. Above all, it reflects the daunting challenge of reshaping a world greatly changed since 1990 and the end of the Cold War, something that will require vision, leadership, and most probably a crisis, to incentivize change.

The greatest problem for responsible behavior is the general decline in support for the principles that undergird the UN Charter. The UN Charter, with its limits on the use of force and coercion and its balance between sovereignty and universal rights, is at the core of responsible state behavior and the norms agreed in the UN Open-Ended Working Group (OEWG). The UN Charter grew out of the experiences of the 1930s and 1940s, which showed that conflict between major powers that do not share values is unavoidable. But this lesson has been ignored by some and forgotten by others.

Does this mean war among major powers is inevitable? Not necessarily, although the chances of armed conflict are greater than a decade ago. Nuclear powers are cautious about war with each other, although they will exploit every opportunity, including cyber operations, to gain an advantage in their contests with each other. They will also be less cautious about war with nonnuclear neighbors. Miscalculation by dictators surrounded by sycophants adds to the risk, and CBMs governing war and international security are no longer considered seriously by Russia, China, or the other nations likely to enter into conflict with democracies.

Responsible state behavior must be balanced against the realities of competition. The ideas of 2015, that norms and CBMs for cyberspace were based on the assumption that states sought to avoid conflict and that this would lead to a greater agreement to limit the use of cyber operations among states. Some degree of fragmentation is unavoidable in a global environment shaped by the rebalancing of international power. While the United States remains primus inter pares, the unipolar moment is over. The rise of China can be explained in part as an effort to counter what it would call "American hegemony." Other emerging powers are also eager to assert their independence. The expansion of the BRICS, although it is a feeble instrument, is one sign of larger political divisions.

This is a difficult prognosis, but fragmentation is not necessarily bad if it is accompanied by engagement among contending parties. Engagement is lacking, however. The leaders of China and Russia believe the West is in decline-they make a good case, by the way-and seek to build global support for a competing vision that emphasizes sovereignty and places the state over the rights of individuals. Most people find this authoritarian alternative less appealing, but unfortunately, some governments do not.

The credibility of appeals to adhere to a rule-based order was damaged after the unsanctioned invasions of Iraq and Ukraine, and after Snowden's charges, which exposed a subterranean world of cyber espionage in which the United States is only one actor among many and by far not the most irresponsible. Democracies may be right about the value of norms, but by itself, this does not provide a compelling diplomatic strategy for hostile or skeptical audiences. China, Russia, and their supporters are unwilling to engage, much less observe responsible state behavior. Consider the effectiveness of Russian and Chinese propaganda in shaping global views of the war in Ukraine. These have been surprisingly successful, meaning support for responsible state behavior is not a foregone or automatic conclusion.

To advance responsible behavior, a new diplomatic strategy is essential. This strategy would accept fragmentation and set three goals. The first goal would make a more compelling case for the norms of responsible state behavior. A compelling case for responsible state behavior can be built around respect for sovereign rights and the utility of avoiding a world shaped entirely by power. The recently agreed-upon UN draft cybercrime convention shows that there is still room for agreement, even if some agreed unwillingly. A key point must be that responsible state behavior supports development by creating the conditions for growth that all nations will need for a global digital economy.

A second goal would be to reinforce responsible state behavior by creating accountability for malicious cyber actions. There is very limited accountability now because there is no penalty for irresponsible behavior. Accountability has always been a weakness in the international system. States are understandably reluctant to use force or the threat of force, especially for incidents where culpability can be murky and actual damage is minor. This makes it essential to find agreement on the conditions under which states governed by the rule of law would decide to impose consequences individually or collectively.

Finding agreement on accountability, even among like-minded states, will be complicated since most cyber actions fall below the threshold of the use of force upon which norms for international security is predicated. Bear in mind that before 2020 had never come before the UN Security Council. This is changing as the damage and risk of malicious cyber action continue to increase, driven by our dependence on digital technology and because networks have become the space for great power competition. The issue of accountability remains whether there are actions that victim states, collectively or individually, are willing to undertake in response to irresponsible state behavior.

Creating accountability unavoidably raises the question of agreement on evidentiary standards for attribution and the development of a menu of retaliatory measures that are in accordance with international law. These are political decisions, and the imposition of meaningful consequences may require a greater acceptance of risk than most states are willing to accept. It also requires the development of new measures of coercion. Russia, Iran, and North Korea are all capable of shrugging off the sanctions that have been the primary type of consequences that democracies have been willing to use. China may be more sensitive to economic sanctions, but many countries fear Chinese retaliation affecting access to its enormous market. Yet there is little incentive to observe norms if there is no consequence for failing to do so and these states are convinced of the legitimacy, even the necessity, of their foreign policies.

Precedents for this situation are suggestive. After 1933, democracies were ultimately unable to avoid war with authoritarian states, in good measure. They failed to respond to acts of aggression in Asia and Europe because their defenses were inadequate, and because they were reluctant to use their offensive capabilities. The chief differences between now and the 1930s are the creation of global institutions for governance and the advent of nuclear weapons. These factors reduce the arena for conflict.

The advent of nuclear weapons is even more important for shaping international relations and the link between cyber and nuclear in great power conflict deserves more attention. Since acquiring these weapons, nuclear states have avoided direct armed conflict. A related precedent comes from the Cuban Missile Crisis, when the prospect of nuclear war led opponents to begin negotiations that led, after twenty years, to a framework of agreements that reduced the chances of armed conflict. We have not yet had a crisis in cyberspace, despite lurid claims in the media, which can bring opponents to the negotiating table.

So, a third element is to create engagement strategies, for both "neutrals" and opponents. To some extent, this has been done for neutrals. While the UN Cybercrime Convention raises concerns with some audiences, it shows a shared global concern over the risks and harms of cybercrime. The progress of the U.S. Counter Ransomware Initiative, which met last week and discussed accountability, shows a similar interest among its members in a common approach. Work in regional groups, particularly on CBMs, has been a marked success, and work in the OEWG and the UN Programme of Action offers potential mechanisms to expand common understandings of what responsible state behavior entails. Expanding common understandings and accountability and undertaking engagement strategies all offer a path for strengthening responsible state behavior.

But none of these directly address the issue of conflict between opposing great powers. Where does responsible state behavior fit in this complex environment? First, we must recognize that democracies are the demanders in cyber diplomacy. Their ability to meaningfully change the behavior of opponents who cannot be deterred or defeated is limited, making the issue of how to manage conflict.

Second, opponents will not compromise, making continued conflict and some degree of further political bifurcation unavoidable, even if the return of a modernized Iron Curtain is impossible, given the deep transnational interconnections created in the last 35 years. They face an inevitable erosion of their claims to legitimacy with their own citizens, making them vulnerable in ways that even troubled democracies are not.

Third, common understandings and shared institutions for global governance remain better than the alternatives. The norms and other mechanisms for responsible state behavior are a part of global governance and while they are currently in decline, technological change and commercial interconnection suggest this is temporary. Norms and governance will become even more essential, and states' actions can accelerate and strengthen the pace and form of responsible state behavior's resurgence.

Fragmentation, while unavoidable, can be managed to reduce the chance of conflict and to lay the foundation for a more secure future. The agreements of 2021 were written for a different world, but it is a world that, with the right policies, has a chance of eventually returning.

James A. Lewis is a senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.

Programs & Projects