Pages

10 December 2020

Five Cyber Strategies to Forget in 2021

James Andrew Lewis

There is an exuberant public discussion of cybersecurity. However, at times this discussion is not as well thought out as one might hope. The starting point for analysis should not be artifacts from Cold War strategic thinking or hypothetical scenarios that are demonstrably improbable (now that we have had more than 25 years of experience with cyber conflict), but observable fact. Guided by observation and experience, we can improve analysis and policymaking if we eliminate these five refutable concepts from our cyber vocabulary for 2021.

Stability. U.S. opponents do not want stability; they want change. They are challenging the status quo. They see the pursuit of stability as serving Western interests to preserve a status quo where the West, led by the United States, is dominant. The post-1945 international order is eroding in good measure because of their intent to reshape it, and they see cyber operations as a valuable tool for pursuing this goal. They will not renounce actions we consider to be destabilizing, nor is the risk of undertaking cyber operations sufficient to affect their behavior. Cyber operations do not create an existential threat, and this realization has given opponents the freedom to act maliciously in the cyber domain, which they see as risk free as long as they avoid crossing an implicit use-of-force threshold we can observe in state practice. We should plan for an international environment of decreasing stability, all other things being equal. 

Escalation. Escalation is probably the most overrated risk in cybersecurity. Confidence-building measures, improved communications channels, exchanges of doctrine, and countless Track II dialogues are undertaken to reduce the risk of miscalculations that could lead a cyber incident to escalate into violence. Yet, in two decades of malicious cyber action, there has never been an incident that has led to escalation. The likely reasons there have been no cyber incidents that result in escalation is that states maintain careful control of their most dangerous cyber capabilities, they respect the implicit use-of-force threshold, and cyber operations are embedded in their larger strategies of avoiding direct military conflict with the West.

A decade ago, analysts speculated that as states made greater use of offensive cyber operations, there could be escalation to a larger and more damaging conflict, given the covert nature of cyber action, the difficulty (then) of attribution, and the potential for unintended consequences and collateral damage. While there have been a few instances of unintended consequences and collateral damage, such as NotPetya, these did not lead to escalation of conflict. We can now reject the initial hypothesis of miscalculation and escalation as inaccurate.

Deterrence. Deterrence works as well as it always has in the domains it was designed for, but it is remarkably ineffective in the cyber domain. Russia has not sent its army to invade Europe, but it has not been deterred from using corruption, organized crime, influence operations, espionage, and the occasional assassination to promote its interests in Europe. Nor have the Chinese been deterred from continuing a massive cyber espionage campaign (to say nothing of building islands in the South China Sea). It is likely that these states have studied how to circumvent U.S. deterrence, and this study guides their cyber operations and strategy. We are not deterring our opponents in cyberspace. Perhaps there is a way to resurrect deterrence for cyber and other new forms of conflict, but whatever the United States is doing now does not work. The implied goal of deterrence is stability, and since our opponents do not want stability, this makes it ineffective as a strategy. 

Norms “Implementation.” Norms are not implemented; they are observed. States choose to base their action on norms and, if they wish, implement those norms through law or policies to guide national action. Implementation does not reflect intent, however, and is not determinative in itself. It is demonstrably possible to implement norms on a pro forma basis and not observe them, rendering them useless. The observation of norms reflects intent and a national decision.

From direct experience in the negotiation and drafting of the UN-agreed norms, we can say that these norms drew from arms control precedents and were based on the assumption that there were shared perceptions of risk among competing powers. This latter assumption no longer holds, removing the incentive for hostile powers to observe norms without some external reason for them to do so.

Transparency. A few states, notably Australia and the United States, have been increasingly transparent about their possession of offensive cyber capabilities. This transparency has not been reciprocated by any opponent. Transparency does not deter, and unilateral transparency does not improve stability. Even Western states that have increased transparency must maintain a degree of opacity about their actual capabilities to preserve their effectiveness. Cyber is a domain dominated by covertness and surprise. It is not the kind of thing you can parade on May Day, allowing Western observers to photograph and count. These attributes are antithetical to transparency and create a ceiling for transparency that no reasonable state will go beyond. There are domestic political necessities in democracies that make it imperative to be transparent to legislatures and citizens on cyber capabilities, but the international benefit of transparency is limited, particularly when opponents do not reciprocate and are not deterred. 

There are other concepts—cyber peace, cyber catastrophe—that also do not bear scrutiny, but they play a minimal role in shaping policy, and most people already realize their lack of analytic utility. The five terms listed above, however, form an outmoded construct for strategic analysis of cybersecurity (and for negotiations). When they are used, it is a signal that we should take a skeptical view of any resultant recommendation. Look at the trends and count the incidents. They are heading in the wrong direction. To change this, we need new concepts and a new approach.

No comments:

Post a Comment