An Action Agenda for Digital Peace and Security

Ensuring that countries behave responsibly in cyberspace demands that we rethink how we, as an international community, write our rules and resolve our disputes. We cannot simply hammer out a peace treaty by convening heads of state around a mahogany table to draw lines on a map. The borders of cyberspace are elusive, the infrastructure, or battlefield, belongs largely to private companies, and the nature of the threat evolves as quickly as we draw up the rules.

The complexity is staggering.

Yet some truths of international cooperation remain steadfast. The United Nations affirmed earlier this year that international law applies in cyberspace and that all countries must abide by a set of norms that, for instance, bar them from launching attacks on critical infrastructure, such as hospitals and health care organizations. As we search for solutions to end the growing threat of cyberattacks outlined in the first section of this report, this affirmation by the UN sets a starting point. 

The next section will explore the path toward an effective global strategy for a rules-based order that ensures digital peace and security for everyone.

Our essayists will tackle critical questions, such as who should sit around that mahogany table to negotiate the rules, whether our zeal to curtail bad behavior in cyberspace could unintentionally squelch the human rights and freedom of expression, and how the rules can be enforced once they are set.

We will look at the nature of alliances in a cyberspace, in which the traditional treaties of mutual assistance will mean building a defense based on strategic intelligence sharing, collaboration and connecting the data points.

Beyond diplomacy, solutions must also recognize the need for investment in cybersecurity capacity, particularly for emerging economies. Rules are great, but countries must have the resources to follow them.

Finally, the new rulebook must understand and account for the ever-evolving nature of the threat. While the conventional weapons of war took years to develop, cyber warriors need only a nanosecond. The attack on SolarWinds brought global attention to a new front by tampering with legitimate software and disrupting the supply chain. The next attack is likely to use different tools and techniques, exploiting gaps in our defense systems that we are not yet aware of. Moreover, the technology we use will itself evolve and augment human capabilities for good — and for ill. The capacity for malevolence is endless; the consequences for failing to act today will be devastating for nations, economies and individuals.