Building the Grand Strategy for Cybersecurity
Persistent engagement in cyberspace could make the world a more dangerous place.
Second of a two-part report.
The Cyber Solarium Commission, a congressionally chartered panel of expert policymakers, was created to tackle cyber conflict in the same way its Truman-era predecessor addressed the Cold War confrontation between the United States and the Soviet Union. An article in SIGNAL Magazine’s August issue (“Leaders Seek a Grand Strategy for Cybersecurity") explored the commission’s theory of deterrence by denial and how it embraced the concept of resilience.
The Cyber Solarium Commission’s March 2020 report put a blue ribbon around a package of grand strategic concepts for cyber conflict that U.S. military leaders had adopted two years earlier. The commission, despite some public debate among its staff members, endorsed the strategy of defending forward through persistent engagement.
Laid out in the U.S. Cyber Command 2018 Command Vision statement, this strategy is based on the theory that the very nature of the battlespace in cyber conflict—the global information networks over which it is fought—fundamentally changes the way conflict unfolds and the dynamic of state-to-state military confrontation.
But critics argue that the new strategy executed in a new cyber domain that’s still poorly understood is worsening the risks of cyber conflict. Instead of improving U.S. cybersecurity, it is increasing the danger of unintended escalation and other kinds of strategic miscalculation.
The 2018 vision statement argues that the interconnectedness of global information networks means that U.S. military forces patrolling American cyber territory inevitably come into daily contact with their adversaries, who are constantly probing U.S. systems, looking for weaknesses they might be able to exploit. Instead of merely reacting to adversary penetrations and other types of attacks, the Command Vision states, the U.S. military should “defend forward as close as possible to the origin of adversary activity and persistently contest malicious cyberspace actors. … We achieve success by seizing the initiative, retaining momentum and disrupting our adversaries’ freedom of action,” the statement contends.
One of the most effective advocates for the strategy, former Cyber Command scholar-in-residence Richard Harknett, explains that in persistent engagement, “Security flows from being active and anticipatory.” It rests on seizing and holding the initiative, including within adversary systems, he adds.
One U.S. Cyber Command (CYBERCOM) operation—reported in The Washington Post a year after it took place—has become a poster child for the defend forward/persistent engagement approach. On U.S. election day in 2018, CYBERCOM operators cut Internet access to the Russian troll farm believed to be behind many of Moscow’s information war efforts during the 2016 and 2018 elections.
The assumption underlying persistent engagement operations like this, explains Centre for Strategic and International Studies scholar James A Lewis, “is that sharp rebukes, ‘painful but temporary and reversible,’ will reset opponents’ analysis of the benefits [and costs] of continued cyber actions against the United States.”
Crucially, as Lewis notes, all this happens well below the thresholds of armed conflict set by the laws of war. He sees the new strategy as a response to Russian and Chinese hybrid and gray zone operations over the past decade—from little green men in the Ukraine to hack-and-dump operations against the Democratic Party in the United States.
What the success of these types of operations demonstrated, strategists inside CYBERCOM came to believe, was U.S. adversaries’ capability to achieve strategic effects, while still not crossing the legal redline into warfare. These hybrid or cyber operations turn on its head the aphorism coined by military strategist Carl von Clausewitz, that “War is the continuation of politics by other means.” In the persistent engagement concept, cyber conflict is the continuation of war by other means.
Persistent engagement also is the United States’ answer to gray zone and hybrid strategies by U.S. adversaries. As the Command Vision lays out: “Through persistent action and competing more effectively below the level of armed conflict, we can influence the calculations of our adversaries, deter aggression and clarify the distinction between acceptable and unacceptable behavior in cyberspace.”
Gray zone conflicts are nothing new, of course. Indeed, cyber operations are often compared to classic gray zone tactics like covert actions because of their deniability and asymmetry, former senior CIA official Marcus Fowler, a 15-year veteran of the agency’s global cyber operations, tells SIGNAL Magazine.
But in the classic spy-versus-spy confrontation between intelligence agencies during the Cold War, both sides understood certain unwritten rules, explains Fowler, now director of strategic threat for AI cybersecurity firm Darktrace.
“There were lines, not that you wouldn’t ever cross, but that you knew, if you crossed them, you’d gone to the next level of engagement,” he recalls. Both sides knew where the unwritten lines were drawn, and that meant they could be used to de-escalate as well as ramp up. By foregoing or underplaying an expected response, for example, one side could cross the line in the other direction, such as lowering the level of engagement.
Scholars call this type of situation agreed competition. It is at least a tacit acknowledgment between adversaries that there is a range of actions that neither side will regard as hostile acts.
But, Fowler says, “In cyber, those are kind of understood [and] accepted norms are missing. … We haven’t had the time or the experience to really wrap our heads around that.”
There really aren’t any universally accepted norms in cyber conflict, warns Duncan Hollis, professor of international law at Temple University and a board member of the Microsoft-backed civil society group Digital Peace Now. “Few [nation-]states will commit— ...even privately—to forgo specific tools, techniques or targets in their cyber operations,” he tells SIGNAL Magazine. “On the contrary,” he adds, “it’s become apparent that some states will target infrastructure critical to our daily lives, whether it’s power grids or hospitals.”
That recognition is echoed in some parts of the U.S. military. In remarks earlier this year, Pentagon General Counsel Paul C. Ney Jr. highlighted the lack of consensus among nation-states about what kind of cyber actions would count as a violation of sovereignty or cross other legal lines.
Not only are there no agreements on norms, but also the ballooning number of players in the cyber game makes it all but impossible to craft them. “During the Cold War, you knew who was playing,” Fowler says. Now growing numbers of nations boast a cyber conflict capability, and even nonstate actors are at the table—some perhaps possessing what the acolytes of persistent engagement regard as strategic capabilities in the information warfare space.
“It’s a natural progression for every nation-state to be thinking about how their offensive cyber is moving,” he notes. “Every [nation-]state now wants a cyber command,” Hollis adds, contrasting the situation to the global nuclear club. “This is no longer a small group of ‘high capacity’ actors. … Rather, it’s an environment in which dozens of states—and others—are looking to develop or acquire their own cyber forces.”
The combination of all those actors and the absence of agreed norms “frightens me,” Hollis says. “To me, it’s a recipe for an inadvertent escalation into an actual armed conflict.”
The risk of inadvertent escalation is magnified, Fowler argues, because it is so hard to be certain about the second- and third-order effects of cyber weapons. Even Stuxnet, which was so carefully crafted by its Israeli and U.S. authors to impact only Iranian centrifuges enriching uranium for Tehran’s nuclear program, ended up spreading to more than a dozen countries because it was equipped with automated propagation tools.
“Very rarely is it a kind of a one-and-done approach with a cyber tool,” Fowler notes. “It can very easily get out of hand and have unplanned secondary and tertiary impacts and collateral damage.”
Fowler argues that the tendency of cyber operations to produce unplanned effects underlines the importance of oversight from outside the agency planning the operation. “There are some very serious pointed questions that need to be asked about the application of cyber,” he notes.
But the widely acknowledged over-classification of cyber issues and the native secretiveness of the nation’s cyber operatives combine to stifle needed public debate about the nation’s new strategic stance, Hollis argues. “Simply put, we lack a clear picture of what these concepts [defend forward and persistent engagement] mean in practice, let alone how effective they are. … There was a time when nuclear policy was done entirely in classified contexts, and yet, over time, it became possible to discuss and evaluate those policies in public settings as well. We need more of that for cyberspace,” he says.
This lack of transparency, which Hollis argues afflicts cyber policy in most nation-states, means other nations’ intentions are harder to divine, adding to the likelihood that any player might make a mistake. “On the Internet,” as the old cartoon has it, “nobody knows you’re a dog.” And nobody knows whether you’re a criminal, a spy or a soldier, either, which can really create the possibility for some serious misunderstandings.
Advocates of persistent engagement admit the potential for error. “Miscalculation, for example, underestimating how highly an adversary values a target that is attacked via cyberspace, will remain a risk and could lead to unintended escalation,” acknowledge Defense Science Board member and former Undersecretary of Defense for Policy James N. Miller and former intelligence official Neal A. Pollard.
Persistent engagement makes the world a “riskier place for unintended escalation, a riskier place for collateral damage,” Fowler summarizes. And there are other risks, too, he argues, stemming from one of the unique characteristics of cyber conflict: In general, when a new cyber weapon is deployed, warfighters are forced to leave it on the field of battle for others to analyze, admire—and copy, he says.
That means the kind of demonstrative attack that defending forward and persistent engagement demand is much more costly, he argues. “Because in that exact moment, if you do that, you’ve lost the advantage. ... If I know you’re on my electrical grid because of something I did, I’m going to go out on it and find you. If I know you have a tool that does X because you used it against my air defense system, I’m going to go look for X on every system I have and try to find that tool.”
As a result, he argues, “Projecting power via cyber has a special set of risks associated with it that actually can really impact not only other operations, other access, but your overarching strategic advantage. The right patch [applied to enemy systems] or the right tool discovered and now all of a sudden your strategic advantage disappears in moments.”
Persistent engagement risks give up long-term strategic advantage, including exploits or access to enemy systems the enemy doesn’t yet recognize, to satisfy the short-term frustration of policymakers, he argues. “I’ve put strategic long term aside because I’ve taken a near-term decision to use cyber to show force because it might be the only card I have that I can immediately show that isn’t kinetic and escalatory but also isn’t as soft as diplomacy or sanctions, putting people on lists and stuff like that,” he says.
But most importantly, Fowler argues, defend forward/persistent engagement ignores the fact that, in a world where “everyone’s attacking,” and the most advanced tools proliferate because they’re in daily use by adversaries engaged in persistent conflict, the only real strategic advantage lies in defense.
Lani Kass, one of the architects of the Pentagon’s cyber strategy under the George W. Bush administration, was fond of warning U.S. cyber warriors, “If you’re playing defense, you are losing.” Fowler believes you have to reverse that. “The real strategic differentiator for cyber superiority is going to be who can defend better, because everybody’s going to be attacking,” he says.