1 March 2018

US Cyber Command: “When faced with a bully…hit him harder.”


JASON HEALEY

In Washington, there may be division and confusion about how to deal with Russian cyber-based interference. But 25 miles north, at Fort Meade, home of U.S. Cyber Command, they are angry and ready.

Cyber Command’s new strategy demands that, “We must not cede cyberspace superiority.” The goal is “superiority” through “persistent, integrated operations [to] demonstrate our resolve” even at “below the threshold of armed conflict.”

Through agility, they want to increase not just readiness and advantage, but also “lethality,” a word given true punch by Cyber Command’s stated desire to move to contact and beat the Russians … as well as Chinese, Iranians and North Koreans. This seeming has worked well in the cyber fight with ISIS, against whom JTF-Ares has used the agility and looser rules of engagement to ever-improving effect.

In discussions with the command at a recent strategy conference, it was clear: Cyber Command has moved past thinking like the “father of the Air Force” Brig. Gen. William “Billy” Mitchell, having to prove the worth of a new capability. Now they are thinking like WWII Air Force hero and Chief of Staff of the Air Force Gen. Curtis Lemay. We are at war now, today and must be ready to dominate with overwhelming power, to make the silicon rubble bounce, if called upon.

When faced with a bully who pushes you down in the school yard, I was told, you must not just get back up, but hit him harder. And what then? What if he doesn’t back down? Well, pull out a two-by-four and hit him again, harder.

Getting in close to grapple with adversary cyber forces is almost certainly the right move, at this stage of conflict. Like many of the of us, Cyber Command seethes at the election interference and other nation-state hacking – like WannaCry and NotPetya – which are spiraling out of control.

Despite being the right move, however, it is also an incredibly risky one.

How can the fighters in the cage, in the heat of the moment known the limits in a match that will happen every day, for years? One side will go a bit too far, punch a bit too hard, pull a trick a bit too dirty, and ignore the double-tap of “too much” from the other. At what point will U.S. Cyber Command – if it gets its sought-after new agility and looser rules of engagement – need U.S. European Command and NATO to tag into the fight?

We cannot forget that our adversaries are sure they are hitting back, not first. They have their own sense of righteous purpose and the United States is seen the schoolyard bully. This isn’t to make any moral equivalence between U.S. cyber operations and theirs, but there is an escalatory equivalence as each side responds tit-for-tat against the campaigns of the other. Nations will respond very differently to cyber deterrence when they are sure they are hitting back, not hitting first.

Putin seems sure the United States was behind the Panama Papers leak to smear and destabilize his regime. The subsequent U.S. election interference was his moving up the ladder of escalation. Such dynamics must be part of the operational considerations, not to justify them, but to be sure we understand the best avenue to success for the United States. But to hear those at the Cyber Command conference, the United States is a victim only. The adversary’s response to outbound U.S. operations was never mentioned.

Lastly, the nation that will dominate, at least in the medium term, is not the one that can achieve “capability overmatch” no matter how technologically advanced or agile. The gold medal will go to the nation prepared to be the most ruthless and audacious. Given the deep divisions within Washington and around the country, this is not us.

The Department of Defense must be incredibly cautious escalating the conflict, however justified, as it is doubtful that there would be consensus to match Russian President Vladimir Putin’s counterpunch. Calls to interfere with Putin’s own upcoming election only make sense if it is winning move, one that takes Putin out of the game.

These risks can be mitigated, somewhat. Constant contact between opposing the cyber forces of nuclear-armed states in a time of turmoil will be destabilizing. The U.S. strategy must focus not on deterrence, or victory, but on maintaining that stability. This may mean restraining some operations, not least covert actions, which merely stir the pot.

U.S. cyber operations should disrupt operations and command and control of nation-state adversaries, but not go further without except in rare circumstances, backed by decisions by political decision-makers. Pressure on Russian hackers by indicting and arresting them can keep the pressure on, in a less escalatory manner.

The United States must call together its NATO allies to combat this threat though a common front. As with the Russians in Syria, we must have stronger military-to-military (and spy-to-spy) communication channels to somewhat reduce the dangers.

Fighting back is viscerally satisfying. It may even prove successful. But it must not be done out of revenge but with a real chance of success, of better national security outcomes for the nation. This requires not just agility and aggression, but a blueprint for what comes next, and it is not yet clear the United States has, or is the position to execute, such a plan.

No comments: