The United States is in the midst of the most resounding policy shift on cyber conflict, one with profound implications for national security and the future of the internet. The just-released U.S. Cyber Command “vision” accurately diagnoses the current state of cyber conflict and outlines an appropriate new operational model for the command: since cyber forces are in “persistent engagement” with one another, U.S. Cyber Command must dive into the fight, actively contesting adversaries farther forward and with more agility and operational partnerships.
The vision, however, ignores many of the risks and how to best address them. Most importantly, the vision does not even recognize the risk that more active defense – in systems and networks in other, potentially friendly nations – persistently, year after year, might not work and significantly increases the chances and consequences of miscalculations and mistakes. Even if they are stabilizing, such actions may be incompatible with the larger U.S. goals of an open and free Internet.
Understanding and dealing with these risks will be a process which will not be completed in weeks or months, but, as with nuclear weapons, over years and decades. After all, this fight will not just be “persistent” but “permanent.”
Getting to the Idea of Persistent Engagement
The U.S. Cyber Command vision is directly rooted in international affairs scholarship on cyber conflict. The idea dates back several years, but momentum picked up with a spring 2016 piece by Richard Harknett and Emily Goldman, which mentioned the environment of persistent offense. The real paradigm shift started with a summer 2017 article by Harknett and Michael Fischerkeller, which developed the ideas and noted that in a conflict of persistent engagement deterrence was not a particularly useful concept. Rather the United States must reduce the operational constraints on U.S. Cyber Command so that it could better engage and achieve superiority.
The March 2018 U.S. Cyber Command vision document, “Achieve and Maintain Cyberspace Superiority” stems directly from this Goldman-Fischerkeller-Harknett lineage. Perhaps this is no surprise as both as both Goldman and Harknett were current or former international relations scholars working at U.S. Cyber Command. Harknett simultaneously published a companion 2300-word Lawfare blog giving additional scholarly oomph to the release of the official vision. The remainder of this current piece will pull equally from the vision and that blog from one of its key intellectual parents.
Operating in a World of Persistent Engagement
The U.S. Cyber Command vision is a critical document, perhaps the first from any part of U.S. government that presents a clear-eyed view of cyber conflict and a plan to deal with it.
The vision begins with several problem statements, including that, “Achieving superiority in the physical domains in no small part depends on superiority in cyberspace. Yet we risk ceding cyberspace superiority.” This is in line with many other documents, but the vision goes beyond to a key point, that adversaries use “continuous operations and activities against our allies and us in campaigns short of open warfare.”
This element of “continuous operations” is vital: cyber warriors are not just waiting back in their barracks and their capabilities are not sitting in the arsenals. They are constantly engaged on offensive and defensive operations (as well as espionage, a point that vision sidesteps, as we’ll discuss below).
Harknett’s companion piece develops this further, that “adversary behavior intentionally set below the threshold of armed aggression has strategic effect.” Normally, having this kind of strategic effect “required territorial aggression (or the threat thereof)” but now cyber operations “can impact relative power without traditional armed aggression” into territory. He believes the “status quo is deteriorating into norms that by default are being set by adversaries.”
A critical point from Harknett which is easily lost is that cyber strategists, policymakers and scholars must move framing the conversation “away from the ‘hack,’ ‘breach,’ ‘incident,’ [and] ‘attack.’” Since there is always contact, conflict is best analyzed as continuous rather than discrete. It is not, to extend this point, an arms race as the arms are being used.
Moving from descriptive to prescriptive, U.S. Cyber Command’s vision to achieve cyberspace superiority is therefore to “defend forward as close as possible to the origin of adversary activity, and persistently contest malicious cyberspace actors.” This requires “scaling to the magnitude of the threat, removing constraints on our speed and agility, and maneuvering to counter adversaries.” In an aside that certainly will deserve dissertations itself, they also see it as a part of an “imperative” to “integrate cyberspace operations with information operations.”
Understanding Persistent Engagement
The U.S. Cyber Command vision presents a strong case for persistent engagement but little about what it would operationally entail. What would they need to start doing? What is new and what changes?
First and foremost, in its vision, U.S. Cyber Command calls for fewer operational constraints to allow them to “defend forward” and is clear: “We will pursue attackers across networks and systems.” They are smart to avoid calling this “active defense” – a controversial concept often mistakenly associated with hacking back – but the idea isn’t far off: by “seizing the initiative, retaining momentum, and disrupting our adversaries’ freedom of action.”
This means energetically “contesting active campaigns,” by kicking adversaries out of networks. If, for example, teams of the Cyber Mission Force see Russian intelligence forces building infrastructure in other countries from which to conduct additional espionage or disruptive campaigns against the U.S. and our allies, they will have the authority to apply some “tactical friction….compelling them to shift resources to defense and reduce attacks.”
This might mean entering in those same systems to establish their own presence, kick out the Russians, or even take control of the Russian malware. “Fewer operational constraints” can mean doing so without asking mother-may-I or even if the Russians are in computers or networks in the territory of NATO or other allies.
The immediate goal is to slow down adversaries with tactical friction. But Harknett sees a larger mechanism. Persistent engagement “can, over time, lead to a normalization of cyberspace that is less free-for-all and potentially more stable. It is not contradictory to assume that in an environment of constant action it will take counter action to moderate behavior effectively.”
Related to this vision is the gaining continued access to key adversary infrastructure to make reciprocal threats. This is not part of defending forward but ensuring that if adversaries want to hold US infrastructure at risk, then the President has similar, symmetric options to respond.
And last constant contact means potentially increasing cyber intelligence operations in “grey” and “red” space, that is in non-U.S. computers and infrastructure and those of the adversary. For years, this has been the case, and with a new U.S. vision to triple-down, it may increase further as all adversaries grab what they can, actively contest each other’s access, and gain new purchase in (for example) the internet backbone to better improve their intelligence advantages for persistent engagement.
The Right Vision … But Oh So Many Concerns
The U.S. Cyber Command vision, and the associated scholarship, are some of the most important contributions to understanding cyber conflict. In their diagnosis of the problem as one of persistent engagement, they are certainly correct.
They may also be right in their proposed solution of reduced operational constraints to apply tactical friction and regain the initiative. As my colleague Bob Jervis might put it, persistent engagement with adversaries just might apply negative feedback, gradually nudging conflict back towards lower levels of aggression.
Also, it is clear policymakers and military commanders see persistent engagement as only part of the solution, and perhaps not even the most important one at that. The Trump administration has continued and expanded a wide set of policy tools used by the Obama administration, including sanctions and indictments, as well as introducing new ones, most importantly coordinated international attribution of Iranian, Russian and North Korean operations seen as particularly insulting to global norms.
Against these solid strengths, there are a number of concerns, or at least topics that need significantly more attention and study.
The top concern is that U.S. Cyber Command does not appear to see this approach as in any way risky. They say they want to be “not risk averse but risk aware” and do mention two key risks: the lack of enough of the highly trained people required and the “diplomatic” danger that adversaries “seek to portray our strategy as ‘militarizing’ the cyberspace domain.” But those are the only risks they imagine, or at least are willing to publicly acknowledge.
A longer list of risks will start with the simple one that strategy might not actually work or might cause unintended effects. What if a more engaged forward defense does not create negative feedback and reduce conflict but instead “positive” feedback, i.e. adversaries seeing the new active U.S. position as a challenge to rise to, rather than one from which to back away?
Even accepting that adversaries’ operations have been far more aggressive, surely they can become more aggressive still. They may also able to scale faster and better than the United States, either by relying on artificial intelligence (China or maybe Russia) or hiring or enrolling ever more hackers and proxies to conduct more campaigns using more infected networks and infrastructures than the U.S. can counter (which any might achieve and all will try). If it is a strong positive feedback loop, then each side (including ours) will go back to their legislatures or paymasters, asking for yet more budget and looser rules, pointing to the other sides’ newly aggressive forward defense as proof of their intransigence.
A second, related risk is that adversaries may see this not as a reasonable response to their norm-busting behavior but as a U.S. escalation. China, Iran and Russia probably feel quite confident they are hitting back, not first. The vision does not address espionage or covert action, as these are the job of the intelligence community. In the U.S. model, these are kept firmly apart even though they are commanded by the same leaders, from the same bases, and often use the same capabilities and even personnel. Only the “hat” of the leader, the flag of the unit, and the authorities of the action may change.
The Department of Defense has indeed shown restraint in Title 10 disruptive military action. If the search includes Title 50 espionage and covert action, then U.S. restraint is a bit lost in the noise.
Iran cannot be entirely blameworthy if it felt the need to respond in kind to the Stuxnet attack, attributed to the U.S. and Israel. And not just Russia and China, but very close U.S. allies felt that NSA espionage, as revealed by Snowden, were beyond the pale. If it is true that the “status quo is deteriorating into norms that by default are being set by adversaries,” then it is only by narrowing the issue at hand to ignore espionage and covert action, where the United States was often the state most pushing the limits.
Such operations may have been right and good and fully in U.S. interests but cannot be ignored when trying to understand conflict dynamics, adversary responses, and determining counters. Nations might be willing to accept a U.S. forward defense if they felt the United States would not take advantage of the new equilibrium, such as with widespread internet surveillance or covert cyber actions. Unfortunately, Washington DC will not take these off the table.
Third, there is the risk that strategy will work narrowly but fail broadly. Cyberspace is critical to all nations and they will not lightly permit an enduring U.S. “superiority.” Adversaries who find their cyber operations hampered may find other ways to challenge the new U.S. superiority in ways that are even more averse to U.S. interests. Most U.S. adversaries see little distinction between U.S. cyber operations and hostile information, which is “harmful to the spiritual, moral and cultural spheres” of their states. Such states may decide that if their main targets are now blocked by U.S. Cyber Command, they must conduct more aggressive operations against softer information targets, from mainstream news organizations, code repositories, and elections. This is not a reason to avoid a strategy like “persistent engagement” but it is a reason to be cautious and curious.
Fourth, even if it is the right strategy, there are high risks of mistakes, misinterpretation and miscalculation. There is no demilitarized zone as between North and South Korea to separate opposing militaries, no strategic depth to slow down an assault. They will be constantly grappling. As I’ve written previously,
How can the fighters in the cage, in the heat of the moment known the limits in a match that will happen every day, for years? One side will go a bit too far, punch a bit too hard, pull a trick a bit too dirty, and ignore the double-tap of “too much” from the other. At what point will U.S. Cyber Command … need U.S. European Command and NATO to tag into the fight?
After all, the contact discussed in this strategy is not just constant or persistent. It is forever. It is permanent, a lasting dynamic of security services engaging in close (but virtual) combat. If the United States reduces operational constraints, even the most experienced and professional teams will make mistakes, as will our adversaries’ teams, as has happened countless times in wartime. These mistakes may seem like intentional signaling from the other side, or brazen ignoring of agreed-to norms – and there are few ways to communicate otherwise between military cyber commands.
Certainly, as Department of Defense dives into persistent engagement and defending forward, the personnel and units conducting offense will only seem more prestigious and command more of the budget. Whether or not this vision “militarizes” cyberspace, a notion U.S. Cyber Command protests, it is likely to continue to devalue the role of mere cyber defense.
Fifth, this strategy may be incompatible with nation’s larger policy to “promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity.” This may not be achievable, even if the strategy embracing persistent engagement is correct.
As my colleague Adam Segal often says , the United States has been here before when after the Snowden revelations our allies moved to create stronger European borders in cyberspace. U.S. hot pursuit of adversaries into European infrastructure, uninvited, may not get the thanks of grateful allies for liberating their systems from the Russians. And the problem is not just with foreigners, as Segal has pointed out: “As story after story emerged alleging that the NSA undermined encryption, hacked into cables carrying the data of U.S. companies, placed implants and beacons in servers and routers, and generally weakened Internet security, Washington struggled to find its feet … Policymakers failed to comprehend the depth of Silicon Valley’s anger.” Cyberspace may not be able to support both persistent engagement and still be open, interoperable, reliable, and secure.
Sixth, this strategy ignores the impact on the rest of us. U.S. Cyber Command mentions several of the most important dynamics that set cyberspace apart, such as disruptive technology and shifting terrain. But they do not adequately address that it is, unlike other warfighting domains, dominated by the private sector, civil society and individuals. We use, each of us in our private and professional lives, the same technologies as America’s adversaries. If U.S. Cyber Command is to reduce operational constraints, that is likely to mean, for example, more Microsoft zero-day vulnerabilities, more compromised certificate authorities and more government access to encrypted communications.
In an era of persistent engagement, the internet will be changed, possibly fundamentally, and it is hard to know the broader impact. To paraphrase a quote from my Columbia colleagues, in a complex and tightly connected system like the internet, we can never do merely one thing.
Into an Era of Persistent Engagement
Perhaps the imperatives of the new U.S. Cyber Command vision are the right one, perhaps not. The risks mentioned there and here may be major concerns or not. No one, not U.S. Cyber Command and not me, can possibly know what will work in such a complex and interconnected systems as both cyberspace and international security surely are. What works with Russia, a declining power trying to regain global importance, may not work with China. The nation’s response to a cyberspace of persistent engagement must be one of experimentation: Try something. Measure what works. Abandon what doesn’t. Repeat.
There are many international crises where even hawks acknowledge there may be no military solution. If persistent engagement leads to positive feedback, amplifying the response from adversaries rather than tamping it down, the United States may have to accept this is one of situations. Or, the United States as a technology-dependent democracy may not be able to play the game hard enough to apply negative feedback. In either case, we may only be able to find stability through non-cyber responses.
Making such assessments may be harder with the current dual-hat relationship, where the head of NSA and U.S. Cyber Command are one and the same person. This means the same official is both responsible for executing the strategy, assessing the intelligence to determine if it has successful, the classification of the answer, and the budget either way. This is never a good idea, regardless of the talent or professionalism of the leader, and especially not in such a high-risk area with such implications for the U.S. society, innovation, and economy.
Most critically, the United States needs a national strategy for cybersecurity, else U.S. Cyber Command’s vision will become the nation’s by default. A larger national strategy, such as one built on getting defense better than offense, built on leverage, can help structure this vision for operational success.
Superiority is a fine goal for the military, but it can clash with other national, and even national security, priorities. Stability – keeping a lid on cyber conflict so it doesn’t get out of hand – may be a more important, or achievable, goal than superiority. Warriors don’t want stability, they want superiority. That doesn’t mean that needs to the top priority of the nation for a technology so ubiquitous and central to our success as cyberspace.
During the Cold War, for example, no matter how much it might have been disliked by Strategic Air Command, it was stabilizing for the Soviets to have satellites monitoring U.S. missile fields, they knew they’d be less likely to be surprised by a disarming first-strike. There may be similar tradeoffs between national interests and warfighting success here, but they can only be found if there is a larger discussion of the tradeoffs and a national cyber strategy.
Military and intelligence forces will be in close contact, actively contending with each other. If this isn’t to spiral out of control at the operational level, there must be military-to-military hotlines and other mechanisms to reduce the chances of miscalculation.
The academic community must first recognize the fact of persistent engagement. Theories and models will miss critical dynamics if they focus on arms races, rely on clear distinctions between peace and war or count discrete attacks. Research must now address issues of stability and escalation control, not least the role of “exit ramps” to reduce tensions if cyber conflict gets too hot and “firebreaks” between the use of cyber and kinetic force. This may be far easier than in the early nuclear era, as the strategy of the warfighting command was in part driven by international relations scholarship. Those briefing the head of Strategic Air Command, General Curtis LeMay, surely never had it this good.
More broadly, researchers cannot only focus on how this affects American security, but the larger issues in international security. For example, how will “persistent engagement” affect China-Taiwan dynamics or India-Pakistan?
Forever War
Even when presented with the same facts, reasonable people can disagree and much of our views on national security are colored by our early experiences. Many of mine are from my years at the U.S. Air Force Academy, where most of my instructors fought in the skies over Vietnam. All of them (except one) made sure we understood that the war could have been won, if only the damn politicians had lifted the operational restraints on the military. It wasn’t that simple, of course. They may not have been able to win regardless of the tonnage dropped and even if they could have the damage to the social fabric of the United States would never have been worth the cost.
Now we are being asked again to lift the operational restraints to let the military get on with winning. Unleashed, we are told, the nation’s Cyber Mission Force will grapple with the adversary with the glorious result of a “normalization of cyberspace that is less free-for-all and potentially more stable.” We cannot be sure, regardless of how honorable and professional America’s cyber warriors are, that this time will be different
Cyberspace is not Vietnam. The United States cannot just declare “peace with honor” and declare the conflict over. Cyberspace is perhaps the most transformative technology since Gutenberg’s printing press. We now understand cyberspace not just underpins our society and economies but is a domain of persistent engagement between militaries.
This is not just constant contact, but a new forever war. And we must all be ready for that.
No comments:
Post a Comment