In May 2024, the Biden administration released the United States’ (U.S.) International Cyberspace and Digital Policy Strategy. With a heavy emphasis on multilateralism, multi-stakeholders, and the rules-based international order, the Strategy presents a comprehensive plan to engage U.S. allies and partners toward “digital solidarity” – a concept that underpins the Strategy as a whole – and “rights-respecting approaches” to cyber governance. In so doing, the Biden administration draws a clear line in the sand around the use of cyber tools for malicious and destructive purposes, including domestic repression.
The Strategy is the country’s first international plan, but it is the latest in a series of policy documents and initiatives from the Biden administration intended to strengthen and streamline the U.S.’ approach to cyber and technology policy domestically, while it simultaneously invests in building coalitions and engaging internationally in response to specific cyber threats and its own cyber activities. The document is a direct output of the 2023 National Cyber Strategy’s implementation plan and is the culmination of more than a year of consultations and careful development.
The Strategy provides an assessment of the evolving threat environment in cyberspace, citing both geopolitical challenges and technological innovation as accelerators of change. It examines possible harms in the context of the dual-use nature of emerging digital technologies, blurring the lines between peacetime and military applications, the proliferation of state and non-state actors, and the competitive nature of the cyber domain. Threats to human rights, gender equality, and democratic processes are also described, as are specific types of cyber operations or tools. The scope is wide, inclusive of influence operations, data security, digital infrastructure, technology-facilitated gender-based violence, and even artificial intelligence.
Digital Solidarity: A North Star
Digital technologies are ubiquitous and their impact on national, regional, and international peace and security is constantly evolving. The U.S. Strategy is significant in asserting this connection explicitly: “Nearly all foreign policy issues – from international security to democracy and human rights to global health and climate change – will be shaped by today’s investments in cyberspace and digital technology diplomacy.” The Strategy calls upon the U.S. to be an active leader in cyber and tech policymaking, noting that a “lack of U.S. leadership in international fora may allow adversaries to fill the void and shape the future of technology to the detriment of U.S. interests and values.”
The Strategy is clear in describing the two diverging roads that the global community is facing with respect to technology governance: one road that offers a unified and open approach juxtaposed against a second road that points to increasing fragmentation and divergence, with the clear risk of more repressive approaches in some contexts (i.e., “digital sovereignty”).
The Strategy’s consistent emphasis on partnership and coalition building is a deliberately proactive check against fragmentation and signals an invitation to middle-ground states and would-be allies to join with the U.S. in choosing the first road.
This invitation is reinforced by the steady integration of the term “digital solidarity” throughout most of the Strategy. Digital solidarity is presented as an alternative to the notion of digital sovereignty. While it is not a new concept, digital solidarity is an approach whereby states reject inward-looking isolation and embrace interdependence: “The goal of digital solidarity is to enable technological cooperation and interaction that advance collective national interests.” It surfaces in different ways within the Strategy; at times, digital solidarity is framed in relation to building cyber capacity or assisting other states in better leveraging technology to achieve economic goals; elsewhere it manifests as mutual support between the U.S. and its partners to counter and respond to malicious cyber operations, or in relation to cooperative efforts to defend and advance human rights.
The Strategy also doesn’t shy away from naming specific adversaries and countries of concern. It identifies the People’s Republic of China (PRC) as the “broadest, most active, and most persistent cyber threat” to the U.S., while also naming Russia, Iran, and North Korea as persistent and active cyber threat actors.
The Accountability Factor
“Accountability” is another prominent theme throughout the Strategy. The concept is particularly important in Action Area 4 (Strengthen and Build International Partner Digital Policy and Cyber Capacity), which focuses on multilateral and diplomatic cyber policy fora, and related instruments. “When a state engages in significant destructive, disruptive, or otherwise destabilizing malicious cyber activity contrary to the framework, responsible states must cooperate to hold that irresponsible state accountable.”
Stimson’s Cyber Program is preparing to publish a major report on cyber accountability, as the culmination of two years of research. We are pleased to see some cohesion between our findings and the contents of the U.S. Strategy—for example, evidence of a toolbox approach to cyber governance and accountability, or the emphasis placed on regional approaches/organizations and on capacity building. The Strategy refers to the many ‘tools of statecraft’ that can be leveraged to address the complex risks in cyberspace such as diplomatic isolation, law enforcement, counter-cyber operations, and economic sanctions. Such approaches can help create the credible threat of consequences (i.e., punishment) that is necessary for deterring malicious actions in cyberspace, thus creating greater accountability for bad behavior.
Political attribution statements are also an important dimension of cyber accountability. The Strategy observes that the number of states willing to publicly hold other states accountable reached 39 in July 2021 as part of the public condemnation of China’s involvement in the Microsoft Exchange server data breach incident. In the Strategy the U.S. commits to expanding the coalition of countries willing to hold states accountable for disruptive and destabilizing cyber activity; per our research, collective attributions could be more effective if states cooperated to streamline attribution methods for consistency, predictability, and uniformity. The value of like-minded coalitions and developing policy or legal responses to address specific and targeted threats is also highlighted through references to US-led initiatives such as the Counter Ransomware Initiative (CRI), and the interagency Transnational and High-Tech Crime Global Law Enforcement Network (GLEN).
Under the status quo, gaps exist in collective norm production and real-world enforcement in cyberspace. Coalitions can leverage these cross-domain tools to improve responses to irresponsible behavior.
Other portions of the Strategy describe tools such as export controls, technical standards and training, dialogue, coalition action, and outreach to private sector partners. These initiatives, coupled with robust participation in big-picture international fora such as the United Nations, can bridge domestic and international implementation gaps. Stimson’s study of the experiences of the international community in seeking to address diverse international non-cyber threats demonstrates how some of these mechanisms have been effective in incentivizing compliance in ways that could be instructive for cyber.
Making It Work
To successfully implement the International Cyberspace and Digital Strategy in coordination with the interagency, private industry, and foreign partners, an implementation framework will be released by the Department of State in the coming weeks. The final section of the Strategy identifies four “early signposts” of moving forward; the implementation framework may contain more specific milestones. But the effective realization of this strategy will hinge on the government’s ability to overcome specific challenges. The digital solidarity premise is appealing and strategic. But given the disparities among the U.S. and its partners, not only on levels of cybersecurity but also on capabilities, this concept may prove hard to implement. Even among partners with roughly symmetrical cyber capabilities, interoperability across networks and systems may necessitate a costly and time-consuming overhaul of existing digital infrastructure. Finally, this approach may be incompatible with existing U.S. policy on export controls targeting the PRC, specifically, semiconductor export controls through the CHIPS Act as well as broader regulations on AI export models proposed in Congress. Broad-spanning export controls, such as the package enforced on October 7, may get in the way of greater technological cooperation among U.S. allies if allied policy does not mirror U.S. regulation.
Digital solidarity relies on interdependence, not control, and while the United States demonstrates its commitment to this approach (e.g., through financial assistance to Albania and Costa Rica in the aftermath of highly disruptive cyberattacks) it must reconcile other aspects of foreign policy with this ideal.
In building collective resilience against intrusive and malicious cyber operations, the U.S. must be prepared to call out such acts when they are conducted by its partners and allies. While digital repression is widely used by authoritarian regimes like Iran and North Korea, there is growing evidence of transnational and domestic repression tactics employed by U.S. partners—democracies and non-democracies alike. To advance rights-respecting approaches to cyberspace, the administration must encourage objectivity in assessing risks to civil society and human rights, including at home and in its own missions.
The Strategy release also raises some questions about the administration’s plan to implement its goals toward a free and secure cyberspace:
- Can the U.S. interagency rally behind a unified approach on operating in cyberspace?
- How can the lines of effort be effectively divided among the diplomatic and military arms of U.S. cyber strategy, such as the Department of State’s Bureau of Cyberspace and Digital Policy and DOD’s Cyber Command, as well as a potential U.S. Cyber Force?
Additionally, the Bureau of Cyberspace and Digital Policy must ensure that its efforts complement but do not duplicate the efforts of the White House, Department of Defense (DoD), and the National Security Agency, outlined in the 2023 National Cybersecurity Strategy and the DoD’s Cyber Strategy. In the former, the word ‘accountability’ only appears three times, in reference to attributing and prosecuting perpetrators of malicious cyber operations. Given the ubiquitous nature of cyberspace, it is impossible to silo military and intelligence operations from civil or commercial network activities. Considering the International Cyberspace Strategy’s heavy emphasis on the rules-based order, the U.S. must ensure that use of its own military, intelligence, and law enforcement cyber capabilities also conforms with international law and the norms it wishes to promote through digital solidarity.
The Biden administration has commendably signaled to the international community its sensitivity to the changing cyber and digital landscape, and as a result it is asserting leadership and renewed commitment to multilateral governance of the digital commons. In the coming months, the success of this strategy will hinge on the ability to reconcile its goals with existing constraints and challenges domestically and abroad.