Leaders Seek a Grand Strategy for Cybersecurity
Geopolitics in an online world are defined by what’s changed and what hasn’t.
When the first Solarium Commission convened in 1953, it had the task of helping Former President Dwight D. Eisenhower and his cabinet colleagues assess the threat from the Soviet Union after the death of Joseph Stalin and agree on a strategic U.S. response. Three teams of policy experts put together three competing policy models: containment, confrontation and roll-back. Former President Eisenhower famously chose containment, a strategy based on the deterrence of Soviet military power and a norms-based alliance with Western Europe.
The Cyberspace Solarium Commission that Congress chartered in 2018 says in its March 2020 report that it also looked at three policy approaches. The first is denial and defense at home to strengthen the United States against online attacks. The second advises using networks of alliances to promote global norms and to define illegitimate behavior online. And the third proposes imposing costs on U.S. adversaries who violate those norms through defending forward and persistent engagement.
Unlike its predecessor, however, the 2018 Cyberspace Solarium Commission chose an all-of-the-above approach. It opted for a strategy it calls layered deterrence that weaves together all three methods to dissuade adversaries from trying to use cyber attacks against the United States.
But in cyberspace, deterrence means something very different than it meant for the first solarium commission. “In nuclear deterrence,” explains commission member and former Department of Homeland Security Undersecretary Suzanne Spaulding, “it’s really binary. You either have deterred someone from using a nuclear weapon or you haven’t. There’s really no shades of gray there.”
Conversely, conflict is persistent in cyberspace, pervasive and almost always conducted in shades of gray. “There is cyber malicious activity taking place every single day,” Spaulding says. And much of it is happening below the threshold of armed conflict. “We needed a new focus because many bad actors were going unchallenged when they acted under that threshold,” she adds.
And that means, in the cyber context, “When we talk about deterrence, we’re not talking about a strategy that will cause malicious actors to entirely give up on using cyber activity to achieve their desired goals,” Spaulding relates.
Instead, layered deterrence uses all the elements of national power to change the strategic calculation of U.S. adversaries. “We’re looking at how can we change their calculus to reduce the level and the impact of cyber activity to put us in a better position at the end of the day,” she says. “You want to increase their costs and reduce their benefits.”
Indeed, as Atlantic Council Cyber Statecraft Initiative Director Trey Herr observes, layered deterrence is better understood in criminological terms. “Deterrence in the context of cybersecurity looks much more like what we think about when we think about policing: trying to create change in a complex system to either incentivize or disincentivize certain behaviors.”
That difference is partially explained by the much larger numbers of players in the cyber arena as compared to the nuclear one, which was limited to a handful of nation-states. In cyber, many more states have pieces on the board, and their significant nonstate players include organized crime groups or ideologically motivated hacktivists.
These players often overlap, too. States will use criminal or hacktivist groups as proxies, fronts or cutouts to hide their hand. Intelligence services will reuse malware created by others for the same reason.
“Cyber undermines the fundamental principles of [classic Cold War style] deterrence because it enables malicious actors to operate ... in a gray zone where they enjoy plausible deniability,” explains Rear Adm. Mark Montgomery, USN (Ret.), executive director, Cyberspace Solarium Commission.
But a different concept of deterrence also is needed because there is one way in which the new connected world unquestionably changes the geopolitical equation between the United States and its adversaries: It abolishes geography. An attacker can reach across the world online and strike a connected target in the U.S. heartland as easily as they could shoot across the street—and more clandestinely, if they’re any good.
For almost two centuries after 1815, the continental United States, protected by thousands of miles of ocean, remained inviolate to its foes. “For all those years, we didn’t think we needed to invest in protecting our infrastructure,” Adm. Montgomery says.
The terrorist attacks of 9/11 “were an inflection point,” he says. For the first time in modern history, an attacker reached into mainland America, highlighting the many vulnerabilities of the nation’s immigration and aviation systems.
But even terrorists can be stopped at the border—or at the airport. The threat from cyber warfare is “more comprehensive,” the admiral says, holding at risk any piece of national infrastructure connected to the Internet, which is pretty much all of it.
“After 9/11, we hardened our aviation and border infrastructure ... Now we have to harden the rest of it,” he says.
To do so, the commission recommends drawing on a concept originally developed by the emergency management community charged with responding to natural disasters: resilience.
“Resilience is something the national security community started to think seriously about after 9/11,” says Spaulding, who is a commission member. “It’s about reducing the consequences.” That’s important in the disaster context because extreme weather events can’t be prevented. But it’s just as important in the cyber context, where the defender’s axiom is “assume you’ve been compromised.”
In the context of a natural disaster, resilience means things like having a diesel generator on hand in case the power goes out. In the cyber context, Spaulding explains, resilience means making society less reliant on computer networks that can be manipulated or brought down entirely. It means having redundant backup systems.
“Obviously, you do everything you can to dissuade your adversary from attacking in the first place, and everything you can to secure your crucial systems ... but at the end of the day, you may have to deal with a successful attack, and resilience means reducing the consequences of that attack,” she states.
In an election, for instance, resilience means having an auditable, recountable offline record like paper ballots. Online tabulation or reporting systems might be successfully attacked, but the paper ballots backstop those systems, thus reducing the damage from the attack, Spaulding says.
But Dave Aitel, one-time NSA hacker and founder of the cybersecurity firm Immunity, points out that hardening systems—deterrence by denial, as the commission calls it—isn’t as simple as it might seem, given the hugely complex supply chains for computer software and hardware. “To do deterrence by denial properly … you have to get your supply chain security exactly correct,” he says.
The problem is the globalization of supply chains, both for computer components like microchips and motherboards, and for software itself because U.S. companies often outsource their code development offshore. And at least one link in almost all of those chains is in China, one of the largest manufacturers of information technology products and software development services in the world.
That means that U.S. companies are often using components made, or software developed, in a country that has one of the most aggressive cyber-espionage programs in the world, too.
Aitel ridiculed the decision by the British government to hold cabinet meetings on Zoom, a video conferencing tool that bases its engineering team in China and uses Chinese servers to generate the mathematical keys utilized in its encryption. “When you’re doing national grade work, how secure your supply chains are and where they’re coming from becomes a major national security issue,” he points out.
“Deterrence by denial involves really hard decisions about platforms,” Aitel adds. And those decisions are made even more difficult when the national software and hardware production base has eroded because it was undercut by much cheaper products from China and elsewhere. “When you’re not the producer of any of the software you rely on, you are essentially beholden to the people that do produce the software,” he says.
But Martin Libicki, professor of cybersecurity studies at the U.S. Naval Academy, says beyond the supply chain issues, some cyber strategy scholars see other problems with the concept of deterrence by denial. “There’s no evidence that it works,” he says. Indeed, he adds, “the evidence is that hardening systems doesn’t stop anybody from trying anything,” though it might protect systems from compromise when they do. But that’s not deterrence, argues Libicki. “If I’m wearing armor and you swing a sword at me, I may be unharmed. But were you deterred? No!”
The commission’s vision of layered deterrence also depends on successfully promulgating international norms of cyber behavior, something that has been one of the central principles of U.S. global cyber strategy for at least a decade.
These norms, articulated most recently in a 2017 G7 declaration, don’t have the authoritative status or the exactitude of international law. In theory, they represent a set of commitments broad enough to have impact if widely respected but fuzzy enough that states don’t feel like they’re tying their own hands too tightly. They include actions such as not attacking or using Computer Emergency Response Teams (CERTs) as attackers; not engaging in commercial cyber espionage such as intellectual property theft; and not damaging civilian infrastructure such as the power grid or elections systems.
But Aitel argues that there’s a level of hypocrisy in U.S. endorsements of these principles. Last year, for example, The New York Times reported that U.S. Cyber Command was “stepping up digital incursions into Russia’s electric power grid in a warning to President Vladimir V. Putin.” And U.S. intelligence agencies have a long and, to some observers, inglorious history of interfering in foreign elections, though not by cyber means.
The United States is not on the same page even with some of its closest allies when it comes to cyber issues like privacy and data protection, for instance. “The Europeans view privacy in a very different way than Americans do,” Aitel contends. “If we think that they believe the same thing we do, we are fooling ourselves.
“We want to be special,” he says of the United States. “We want the rest of the world to live by a set of rules that we’re not necessarily willing to live by ourselves.”
Libicki agrees, noting that, “We’ve paid some very smart people in this country to do unto other countries the sort of things we don’t like being done unto us.”
To avoid the charge of hypocrisy, he adds, “The sorts of things that we are wanting to prohibit [through global norms] should be the sorts of things that we’re willing to forego or never wanted to do in the first place.”
But, Libicki observes, swearing off certain categories of cyber attack might mean limiting the activities of top-tier U.S. hackers to the detriment of national security. “Maybe you shouldn’t give up things that we’re very good at even if [the adversary is] very good at them too, because that will end up favoring them,” he offers.
Aitel notes that states generally don’t forgo such advantages. “A lot of the pushing of cyber norms runs into the sand because state cyber interests are all conflicting.”
It gets more complex still when you consider that the principal U.S adversaries see cybersecurity in a very different way than the United States where it’s a technical issue.
“China and Russia view cybersecurity issues inside their country primarily in terms of if they can control information, if they can protect the regime,” Aitel says. Their norms center on censorship and surveillance, he explains, and those concerns about the integrity of national information ecosystems and regime survival are widespread in other countries, too. “I think their cyber norms ring pretty true to a lot more countries than we would prefer,” he states.
This is the first of two articles addressing the Cyberspace Solarium Commission’s proposed strategy of layered deterrence. The second article will look at persistent engagement and defending forward.
Shaun Waterman is an award-winning reporter and editor who has worked for the BBC, UPI and POLITICO. He is currently freelancing covering federal information technology, cybersecurity and homeland security.