The field of cyber security is no stranger to hyperbole and scaremongering – including the doom rhetoric forecasting a ‘Cyber Pearl Harbour’ or ‘Cyber 9/11’. For AI, the equivalent would be debates about its existential risks that invoke Arnold Schwarzenegger’s serial portrayal of The Terminator. While both cyber security and AI share the burden of unhelpful baggage, they also share something more important: AI and cyber security are likely to become increasingly interdependent. States have long tried to mitigate the risks and embrace the opportunities of cyberspace. As they now play catch up in efforts to regulate and negotiate shared principles about how to use AI, states should ensure that their respective cyber diplomacy and AI diplomacy are not conducted in silos. They should be pursued as closely together as possible.
No state wants to be left behind in the race to secure strategic advantage in AI or cyberspace – although, realistically, some states are better placed than others to cultivate a domestic ecosystem supportive of AI innovation and to harness its operational benefits. While AI is far from being a new development in cyber security, it will nonetheless be increasingly integrated into both defensive and offensive operations in cyberspace. This will increase the speed and scale of engagements, raising questions about how to ensure adequate human comprehension and control – and how to constrain competition to reduce the risk of imprudent or escalatory uses of AI in cyberspace.
Cyber Diplomacy and Cyber Power
The interdependence of AI and cyber power (in short: the ability of a state to achieve its objectives in and through cyberspace) is a striking example of how contemporary trends in geopolitical competition have affected how we think about developments in science and emerging technology. This is not a new development. International discussions of responsible state behaviour in cyberspace and efforts to collaborate against cybercrime have been a formal part of the global agenda for 20 years. Through this process, states and non-state stakeholders (from the private sector to civil society) have wrestled with the darker side of the rise of the internet and digital technologies, discussing the threats posed by cyber-criminals and hostile states. The diplomatic process has had its ups and downs, but it has delivered an emerging agreement about the applicability of international law to cyberspace and the existence of a range of voluntary norms, rules and principles that should guide states’ behaviour therein. Many debates remain to be settled, such as those over the interpretation and implementation of existing norms, the merits of elaborating new norms, and the best institutional format for the next phase of global cyber diplomacy.
Foreign Ministries and Cyber Diplomacy
In the UK and other states, foreign ministries have become increasingly active in this agenda. At one level, it is unsurprising that the Diplomatic Service should be a leading institutional player in cyber diplomacy, but at another level it should be remembered that much of the substance of these diplomatic discussions has a bearing on operational activities that are the domain of a state’s armed forces and intelligence agencies. Consequently, the institutional landscape of cyber policy is somewhat crowded – particularly in those states that possess more ‘cyber power’, such as the UK. Different institutional actors will have different views about what a state’s policy should be, and relatedly, different equities at stake in the decision-making process.
Across four iterations of UK strategy (2009, 2011, 2016 and 2022), it has been evident that the UK has increased its investment in the diplomatic and foreign policy elements of cyber strategy. The Foreign, Commonwealth and Development Office (FCDO) is active in global cyber negotiations and discussions, including in forums such as the UN and OSCE. It is engaged in funding and developing the cyber capacities of other states and regional bodies. It is also involved in the UK’s elaboration of the concept of Responsible, Democratic Cyber Power, which serves both as an underlying principle of how the UK approaches the use of cyber power, and as a trope of strategic communication as the UK tries to shape domestic and international debates about how states should organise themselves to exercise cyber power in a precise, proportionate and well-regulated fashion.
The role of foreign ministries in this process is multifaceted. In addition to leading the negotiating effort in diplomatic forums, they provide a window into the thinking of other states about how cyber capabilities should be used and regulated, and act as a source of reporting about foreign AI innovations (both scientific and in policy or regulation). Foreign ministries have long since lost their monopoly on managing relationships with other states – defence ministries, for example, have a clear need to maintain direct contact with their foreign counterparts – but there remains a coordinating role for foreign ministries to ensure that this patchwork of foreign ties is pursued coherently.
Foreign ministries need to be organised for effective performance, for example by creating departments for cyber and emerging technology policy. The FCDO has had a cyber policy department for over a decade, and it has grown significantly in that time, but there is a valid question for the future about whether more coherence could be established by merging the department with its counterpart focused on international technology policy. Similarly, beyond the policy branch, foreign ministries should improve the knowledge baseline for policy decisions by creating and resourcing cadres for research and analysis. For all foreign ministries increasing the size of their policy effort on AI and cyber power, a useful question to ask is what a sensible commensurate increase would look like in supporting functions like research. The risk of pursuing one without the other is that the institution gets less bang for its buck overall. If states are worried about geopolitical competition in AI and cyber power – and they clearly are worried – then there is a need for a systematic net assessment of developments in other states. This should be pursued collaboratively with allies and partners, but it is first necessary to look at domestic arrangements and determine whether they are fit for purpose.
Summit Meetings: Good or Bad?
Finally, a word about the UK’s intended hosting of a global summit for AI safety, announced by the prime minister on his recent visit to the US and scheduled for later this year. It is easy to be cynical or sceptical about such initiatives. Is the cost justified by the likely benefits; could the official bandwidth they consume be devoted to other, more productive things; or will heads of government grandstanding together project the image of substantive engagement, but lead to little in practice?
In fairness, these summits can have their place, so long as they are a productive part of a wider effort. They can signal that heads of government are interested, which can drive bureaucratic activity. Even if the attendance list is restricted to the most ‘likeminded’ states, this can still have value (a recent example is the US-led Summit for Democracy) and in the short term can actually be more productive, helping to coordinate a coalition of those states most willing to embrace the challenge of ensuring that the impact of emerging technologies does not undermine democracy, freedom and human rights. But preaching to the converted will only do so much. This is especially true when an alternative approach, such as China’s, is being marketed energetically to states already receptive to the message that new technologies of surveillance and control can further tip the balance between governments and citizens.
The global agenda of cyber diplomacy is already busy, with debate about norms of state behaviour in cyberspace and a new cybercrime treaty. Similarly, the UK proposal of a summit on AI safety is but one example of intensifying international efforts to address the impact of AI. The challenge for foreign ministries will be to ensure coherence between these two agendas, especially recognising the priority of understanding the implications of AI for cyber norms diplomacy. Foreign ministries need to organise themselves, coordinate effectively (domestically and with allies), and contribute to the process of understanding and shaping relevant developments in other states. The implications of AI and other emerging technologies for cyber power represent a significant new priority for diplomacy and foreign policy. Foreign ministries need to adapt to meet this challenge.
The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.
Have an idea for a Commentary you’d like to write for us? Send a short pitch to [email protected] and we’ll get back to you if it fits into our research interests. Full guidelines for contributors can be found here.