International Governance of Non-State Actors in Cyberspace: Is A Single Entity Sufficient for Dispute Resolution?


Jaclyn Francis 

Executive summary

The 21st century digital “Information Age” is characterized by dynamism, innovation, and new technological capabilities. The cyber domain provides limitless technological capabilities to improve living in the modern world. As technological capabilities expand to meet the needs of an information-driven society, it is critical that the international community create an international mechanism for effective cyber-governance to mitigate vulnerabilities and respond to threats that impact national and international security.

Cyber activities are transnational, evolve rapidly, and affect the international community’s critical infrastructure, states, cities, and localities. Most cyber activities are legitimate; they respond to people’s demands, promote economic growth, and support quality of life for many people around the world. Nation-state cyber actors are at the forefront of cyber discussions among cyber-centric international governments, the private sector, and academia. A gap, however, pertains to information about non-state actors regarding regulation, compliance, and enforcement mechanisms. The Tallinn Manuals’ International Group of Experts (IGE) were unanimous in their estimations that cyber activities do not exist in a normative void and that existing international law applies to cyber operations. Cyber governance cannot be solely based on the concept of sovereignty, regulated by nation-states. Formal international governing mechanisms are critical for global understanding of cyberspace boundaries and a unified response to resolve cyber disputes. There are very few treaties for cyber activities and those that do exist are of limited scope and applicability. Efforts need to involve coordinated partnerships that span federal, state, and local levels in the United States; internationally; in the private sector; and with academic subject matter experts to develop and implement effective governance.

During the April 2019 Atlantic Council’s Eighth Annual International Conference on Cyber Engagement (ICCE) in Washington, DC, a group of cyber experts discussed multi-disciplinary approaches to develop international collaboration and norms to act against growing cyberattacks.[1] David Koh, chief executive of Singapore’s Cyber Security Agency, advised of the need for a whole-of-government global engagement to develop a legal framework of measures and oversight; a “vibrant cybersecurity ecosystem.”[2] International order is necessary for the collective security of all nation-states.

This thesis arose from Isaac “Ike” Barnes’s 2018 Center for Homeland Defense and Security (CHDS) thesis. As part of his holistic approach, Barnes discussed the need for a cyber dispute mitigation entity. He identified the North Atlantic Treaty Organization (NATO) Cooperative Cyber Defence Centre of Excellence (CCDCOE) as the entity together with the Budapest Convention on Cybercrime as the framework. Barnes’s designation of the CCDCOE as the governing body is based on the center’s history with cybersecurity; specifically its IGE, who interpreted and restated international law, contained within the Tallinn Manuals, as applied to the cyber domain. This thesis disputes his proposal and builds upon his effort by considering an alternative approach to international governance of non-state actors in the cyber domain. Numerous stakeholders influence cyber strategies in the United States and internationally; therefore, a one-system entity is an ineffective regulatory mechanism. Rather, an international cyber-governance mechanism should be a multi-pronged, multilateral, and unified approach to achieve the greatest success with concession by a majority of the international cyber community.

This research explored the current cyber landscape including existing international law, cyber rules of engagement (ROE), and regulatory mechanisms. Then, this study examined Barnes’s recommended future course of study for a mitigation entity in the context of non-state cyber activities. Subject matter analysis from multiple datasets provided insight into the existence, enforcement, and effectiveness of international law application to the cyber domain, as well as missing pieces in cyber international governance.

After reviewing Barnes’s mitigation proposal, the researcher identified flaws and proposed an alternative multi-pronged regulatory mechanism solution. Numerous stakeholders influence cyber strategies in the United States and internationally; therefore, a one-system entity is an ineffective regulatory mechanism. Rather, it should be a multi-pronged, multilateral, and unified approach to achieve the greatest success, with concession by a majority of the international cyber community. The multi-pronged approach includes NATO, the International Criminal Police Organization (INTERPOL), and unilateral processes such as the Paris Climate Agreement and the United Nations (UN). The Paris Climate Agreement should be referenced as a model for success in garnering support for this major global cyber initiative, and the UN should delineate the space and develop a clear, well-defined framework using both the Budapest Convention and the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Tallinn Manual 2.0) encapsulated in an amendable treaty. In consideration of cyberspace’s rapid evolution and key players, the Tallinn 2.0 restatements of law should be expanded to include non-state activity, either through attribution or forensic analysis to associate them with a state, for international law application. Similar to the post–World War II era establishment of international laws and norms governing conflicts between states, the United States should guide conversations to develop recommended courses of action to apply law to cyberspace, explore threats, understand their drivers and challenges, determine the best courses of action for regulatory measures and compliance, and offer suggestions for cyber-specific regulatory measures. Likewise, this thesis also recommends future areas of study to explore compliance, enforcement, and the United States’ role in such an international cyber governance mechanism.

The United States is a key player in the cyber domain and needs to fully engage in governance discussions and development to ensure inclusion, intelligence and information sharing, transparency, and accountability. A key takeaway and lesson learned from the research is that the U.S. government must continue to build and improve cooperation with national and international partners, as the issue will not be resolved unilaterally. An international governing mechanism will impact global security, and concurrently, U.S. homeland security by providing clarity on cyber rules and regulation measures for mitigation and response to malign cyber actions by non-state actors. A secure border is a multilateral, shared effort; difficulties arise when the borders are complex and activity frequently travels across state borders. The issue will not be solved quickly, yet the discussions must continue at full speed to head toward a resolution before cyberspace expands beyond our ability to regulate it. An effective multi-pronged international governance approach will be a culmination of effective coordinated partnerships and collaborative efforts to provide critical oversight and response to criminal and terrorist activity within the rapidly expanding and evolving cyber problem space. A governance mechanism will provide homeland security benefits for the United States via operational approaches, augmented responses to criminal activity, increased resources for cyber security resilience, and possible deterrence.

[1] Catherine Lotrionte, “Atlantic Council Eighth Annual International Conference on Cyber Engagement (ICCE): Introductory Remarks” (symposium, G.W. Lisner Auditorium, George Washington University, Washington, DC, April 22, 2019), https://www.atlanticcouncil.org/icce.

[2] David Koh, “Atlantic Council Eighth Annual International Conference on Cyber Engagement (ICCE): Keynote Address” (symposium, G.W. Lisner Auditorium, George Washington University, Washington, DC, April 22, 2019), https://www.atlanticcouncil.org/icce.
