Reports & Papers

Establishing norms for state behavior in cyberspace is critical to building a more stable, secure, and safe cyberspace. Norms are defined as “a collective expectation for the proper behavior of actors with a given identity,” and declare what behavior is considered appropriate and when lines have been crossed. Cyberspace is in dire need of such collective expectations. However, despite efforts by the international community and individual states to set boundaries and craft agreements, clear and established cyber norms for state behavior remain elusive. As early as 2005, the UN Group of Governmental Experts (GGE) and UN Open-Ended Working Group (OEWG) both aimed to create shared “rules of the road,” but fundamental disagreements between states and a lack of accountability and enforcement mechanisms have prevented these initiatives from substantively implementing cyber norms. As a result, the international community and individual states are left with no accountability mechanisms or safeguards to protect civilians and critical infrastructure from bad actors in cyberspace.

The Intelligence and Applied History Projects hosted a National Security Act Essay Contest in 2022 entitled: “Imagining a New National Security Act for the 21st Century.” The contest sought to generate new ideas for improving the intelligence and national security community in the US based on the dynamic security environment we face in the 21st century. The essay prompt offered a variety of hypothetical scenarios where intelligence failure contributed to catastrophic failure and posed the question: what you would change now to improve the intelligence and national security posture of the US?

The winning essays, from a field of approximately 75 applicants, were authored by (1) Russell Travers, (2) Sophie Faaborg-Andersen, and (3) Marie Couture and Laurie LaPorte. The authors' winning essays appear in this report.

The overarching question imparting urgency to this exploration is: Can U.S.-Russian contention in cyberspace cause the two nuclear superpowers to stumble into war? In considering this question we were constantly reminded of recent comments by a prominent U.S. arms control expert: At least as dangerous as the risk of an actual cyberattack, he observed, is cyber operations’ “blurring of the line between peace and war.” Or, as Nye wrote, “in the cyber realm, the difference between a weapon and a non-weapon may come down to a single line of code, or simply the intent of a computer program’s user.”

This essay makes three arguments. First, the US government will need to establish a coronavirus commission, similar to the 9/11 commission, to determine why, since April 2020, the United States has suffered more coronavirus fatalities than any other country in the world. Second, the COVID-19 pandemic represents a watershed for what will be a major national security theme this century: biological threats, both from naturally occurring pathogens and from synthesized biology. Third, intelligence about globalized challenges, such as pandemics, needs to be dramatically reconceptualized, stripping away outmoded levels of secrecy.

"When government agencies discover or purchase zero day vulnerabilities, they confront a dilemma: should the government disclose such vulnerabilities, and thus allow them to be fixed, or should the government retain them for national security purposes?"