31 July 2021

CONFRONTING CYBER THREATS: CHALLENGES AND OPPORTUNITIES

Michael Poznansky

A flurry of recent high-profile cyber operations targeting the United States, including the SolarWinds hack by Russia, the Microsoft Exchange hack by China, and the ransomware attack on Colonial Pipeline, among others, has led to spirited debate about how the United States can best defend itself and advance its interests in cyberspace. In May 2021, President Joe Biden released a detailed executive order to “improv[e] the nation’s cybersecurity.” The first head of the recently created Office of the National Cyber Director, Chris Inglis, was just sworn in. There are clearly more changes on the horizon to the institutional architecture, strategy documents, and policies in this domain.

With that in mind, this essay explores two of a much larger set of challenges facing the United States in cyberspace in the coming years. First is the perennial tension between the desire for more coordination and oversight on the one hand and flexibility, agility, and responsiveness on the other. The second turns on a particular kind of asymmetry in which the United States has certain vulnerabilities that its chief rivals do not, and the effect this has on interactions in cyberspace.

Balancing Agility and Coordination

One of the most pressing issues to grapple with in the coming years is how to strike the right balance between responding expeditiously to malicious activity in cyberspace and simultaneously ensuring proper coordination across the federal government. Former President Donald Trump’s widely reported decision in 2018 to give certain entities—most notably US Cyber Command (USCYBERCOM)—more authority to carry out offensive cyber operations tipped the scales in favor of speed and efficiency. According to news outlets, by rescinding PPD-20, an Obama-era policy that required interagency coordination of offensive cyber operations, the Trump administration sought to give USCYBERCOM the ability to swiftly take the fight to the adversary without getting bogged down in bureaucratic red tape. Reports also suggest that the CIA has similarly been given more freedom of action in cyberspace.

The benefits of such a strategy are straightforward. Unlike more conventional domains, cyberspace is characterized by constant contact. As such, the United States must be in a position where it is operating continuously rather than reactively. Continuous competition is the logic behind strategic concepts such as persistent engagement and defend forward. Rescinding PPD-20 was likely part and parcel of such a strategy. The fact that the Biden administration has reportedly kept this decision in place—at least for operations of a certain size—suggests that it may be with us for the foreseeable future. But what are the broader implications of this approach?

One commonly discussed risk of granting USCYBERCOM broader authority to act first and unilaterally in cyberspace is that it could inadvertently jeopardize ongoing intelligence operations. In this view, the military may choose to conduct an offensive cyber operation against a given target without regard for, or possibly even awareness of, whether US intelligence agencies are currently collecting against that same target. The fact that the commander of USCYBERCOM also serves as the head of the National Security Agency (what is known as a dual-hat role) may mitigate this problem somewhat, but not entirely.

Prioritizing speed and efficiency over coordination has several other potential implications. First, it could impact the dynamics of escalation in cyberspace. It may be true, as some argue, that the risks are actually negligible given the “self-dampening mechanisms” of cyber operations (e.g., attribution is not instantaneous, it takes time for victims to mount an appropriate counter-response, and there are limits on “the scale and magnitude of the costs that can be imposed solely through cyber campaigns”).

While these arguments may apply in the short term, they could be less relevant for escalation risks in the long term. If adversaries do not have the capacity to immediately respond to an increase in the amount and kind of offensive cyber operations aimed at them, they may still seek to invest in new capabilities that could harm the United States in the future. Moreover, even the short-term risks of escalation may be greater than they seem at first. Targets may have prepositioned cyber assets that are capable of hitting back but which are unknown to the United States. And the states most likely to be potential targets of an increasingly empowered USCYBERCOM—Russia, China, Iran, and North Korea—may be precisely those who have offensive capabilities they can leverage.

This leads naturally to another point, namely that the empowerment of USCYBERCOM and the potential disconnect from other arms of the US government may impede the ability to gain an accurate understanding of who is doing what to whom and why. This is especially important for those tasked with defending the nation. If the Department of Homeland Security, the Federal Bureau of Investigation, or even the National Cyber Director—whose job is to “lead the implementation of national cyber policy and strategy”—are not fully aware of what is happening on the offensive side, they may be caught off guard and less prepared to optimize America’s defenses.

This issue is related, but slightly distinct from, Jason Healey and Robert Jervis’s point in this series about the challenges of overclassification. For them, the layers of secrecy in cyberspace make it difficult to figure out cause and effect. My claim is slightly different but complementary. In short, it is the fact that one arm of the US government may be conducting operations against rivals that lead to a counter-response without the other arms of government being aware of this, and therefore drawing incorrect inferences and failing to anticipate potential retaliation from a defensive standpoint. In this scenario, it is not classification per se that is the problem but rather a lack of coordination.

Moreover, given the breadth of vulnerabilities in cyberspace that US adversaries can exploit, there is a necessary and symbiotic relationship between offensive and defensive operations. Offensive tactics inform defensive tactics and vice versa. Reduced visibility among those charged with defending the nation and those carrying out offensive operations against adversaries, while perhaps appealing from the standpoint of maximum efficiency, could inadvertently make the United States less effective at both.

Beyond escalation and coordination, the decision to remove certain constraints on USCYBERCOM could also affect US diplomacy, both the standard kind and the coercive variant. With respect to traditional diplomacy, it is useful for US diplomats and negotiators to understand any potential ongoing operations against the country they are dealing with. As Healey has noted, “If you’re meeting President Xi or Chancellor Merkel, it is not unfair for your NSC to know what US Cyber Command is up to and develop options to slow down (or speed up) such operations to send diplomatic signals or reducing the chances of a mistake which weakens your negotiating position.”

Regarding coercive diplomacy, prioritizing speed and efficiency when it comes to carrying out offensive cyber operations could have mixed effects. On the one hand, giving entities like USCYBERCOM more leeway may make it easier to credibly impose costs on rivals, thereby contributing to deterrence; indeed, this is part of the argument by proponents of this strategy. But if offensive cyber operations are too disconnected from other tools of US statecraft, it may impede the ability of decision makers to bring to bear all relevant pressure points for a more holistic coercive strategy (e.g., the imposition of sanctions, and so forth). Additionally, successful coercion in many cases could benefit from a degree of reassurance. That is, targets should believe that if they comply with demands they may not only avoid punishment but reap rewards. But if targets come to expect that USCYBERCOM is acting independently of entities that provide these benefits, reassurance is harder.

Another potential implication of enabling USCYBERCOM to carry out offensive cyber operations without broader input if it wishes to do so is that the United States could end up in a situation where tactics are driving strategy rather than the reverse. It may well be that in cyberspace, this is inevitable. The fast-moving nature of the domain combined with the reality of constant contact might mean that the best we can ever do is disrupt and degrade the ability of adversaries to do us harm.

But cyber activity does not occur in a vacuum. It is, or at least should be, tied to a state’s broader geopolitical objectives. Without conscious deliberation about how any given operation serves the United States’ broader foreign policy goals, there is a chance of conducting operations in adversary networks simply because the United States can, without asking whether and under what conditions it should. Indeed, many of the current debates about how we ought to conceive of cyberspace (e.g., as an intelligence contest or a variant of counterinsurgency as Emma Schroeder, Simon Handler, and Trey Herr argue in this series) entail different solutions that may or may not be well served by persistent engagement.

To be sure, it may well be that the Biden administration’s decision as reported in the New York Times to continue providing USCYBERCOM a longer leash to carry out “day-to-day, short-of-war skirmishes in cyberspace” while requiring greater coordination with the National Security Council on larger operations can mitigate many of these challenges. But mounting pressure to respond more quickly and forcefully to the spate of recent attacks could conceivably change things. Moreover, one can easily imagine semantic battles over what constitutes a “significant” attack such that it would require deliberation, or not.

Asymmetric Vulnerabilities

Another issue scholars and practitioners working on cyber issues will have to wrestle with in the coming years turns on asymmetries of various kinds. Oftentimes when the word “asymmetry” is used in the context of cyberspace operations, it is referring to instances in which actors engage in activities below the level of armed conflict to achieve some political objective (also known as hybrid warfare, gray-zone conflict, etc.). When I use the term asymmetries, I am referring to the unique set of vulnerabilities the United States has that rivals may not have and its effect on strategic dynamics in cyberspace.

The issue of election meddling specifically, and disinformation more broadly, is emblematic of this problem. Figuring out how to guard against malign foreign activity on these fronts is not simply a matter of cracking the code on how to credibly threaten punishment using cyber tools or any other means for that matter. The problem facing the United States is more complicated. One of the core challenges is that the actors most responsible for these activities are not vulnerable in the same way.

Consider that the two main perpetrators of meddling in the 2020 presidential election according to a recently declassified report—Russia and Iran—do not hold competitive, free and fair elections themselves. Moreover, these states, as well as China, tightly control the internet. While they are not immune from disinformation, they are likely less vulnerable. Hence the asymmetries.

America’s rivals are aware of this situation and act accordingly. As Sandor Fabian and Janis Berzins write in this series, Russia subscribes to “the idea that democratic societies are vulnerable to political manipulation.” Thomas Rid similarly argues that “disinformation operations, in essence, erode the very foundation of open societies.” Foreign actors are thus eager to continue meddling in US elections and propagating disinformation despite attempts to expose and disrupt their ability to do so.

This asymmetry also makes it more difficult to figure out what a proper response should be (bracketing the obvious, bolstering defenses, which we should try to do regardless). The astute reader may wonder why the United States cannot simply do to rivals what they are doing to the United States. As former Secretary of Defense Robert Gates recently put it, the United States “also needs to take the offensive from time to time, especially against its primary adversaries. Authoritarian governments must get a taste of their own medicine.” This could include carrying out cyber intrusions aimed at delegitimizing and undermining those responsible for malign activity or “interfering in the systems that authoritarian countries use to surveil their own populations.”

US policymakers can obviously try to do these things, but the dynamics may not be the same. Research in political science about the different modes of exit—how leaders leave office—in democratic versus authoritarian regimes is potentially relevant here. In the former, the losers of elections can usually carry on doing whatever it is they wish to do. In authoritarian systems, leaders who lose power face the prospect of exile, punishment, or even death. To put it more concretely, when an adversary interferes in US elections to hurt a candidate and that candidate loses, the consequences are not as dire relative to the costs Putin, Xi, or the Ayatollahs in Iran would face were the United States to stir up the opposition by spreading propaganda and disinformation to undermine their regimes.

This does not mean we should simply accept interference in our elections; we should not. But it does unfortunately make the problem of how to respond more complex. Were the United States to adopt an eye-for-an-eye approach, it may be inherently more escalatory owing to the nature of the target, to say nothing of whether it would be in the United States’ interest to go down this road. The broader point is that the difficulty of threatening retaliation of a similar nature means that policymakers are often left with the choice of imposing costs that are disproportionate—in the direction of either too much, relative to the offense, or too little. This is not necessarily a problem, but it raises the question of what ought to be done when doing too little is unlikely to have a discernible impact on rival behavior and doing too much can heighten tensions.

The Road Ahead

As noted at the outset, the challenges identified above are a fraction of those confronting the United States. Others include whether the scale and scope of intrusions like SolarWinds render them distinct from traditional espionage, how to grapple with the fact that many of our rivals do not draw the same lines between national security espionage and economic espionage as we do, and how the pervasive secrecy that characterizes much of what goes on in cyberspace impacts the ability to develop norms and robust public-private partnerships. Nevertheless, awareness of America’s unique vulnerabilities and being clear-eyed about the pros and cons of greater coordination versus greater latitude—the two issues dealt with here—would put the United States in a better position in the coming years.