Brendan Tower
Dispelling myths of an unfathomable cyber domain would allow the United States to build cyber deterrence and incrementally reshape cyberspace for stability. Stability in cyberspace occurs when cyber-criminals get apprehended and aggressor states get held accountable—both exceptions rather than the rule at present. The United States and like-minded partners should forge cyber deterrence by building resilience to attack, enhancing the capability to respond, and demonstrating a willingness to act. China’s manpower advantage extends to cyberspace and requires a technical and organizational offset if the United States expects to compete in cyberspace. Implementing tokenized internet access, avoiding splinter-net formation, creating a cyber reserve force, and delegating cyber-attack responses are concrete, tangible avenues the United States could take in securing this future. The establishment of a cyber reserve force, in particular, would provide critical cyber deterrence by distributing defensive and responsive cyber capabilities across the attack surface.
Shooting the Rain
Experts at a prominent government cybersecurity agency likened their defense attempts against cyber-attacks to shooting rain falling out of the sky—ineffective and overwhelming. President Biden lays out the challenge facing the United States in the cyber realm through the 2022 National Security Strategy (NSS): “Our societies, and the critical infrastructure that supports them, from power to pipelines, is increasingly digital and vulnerable to disruption or destruction via cyber attacks.”[1]
President Biden and the National Security Strategy (White House)
The strategy neglects to explain why the United States and like-minded nations face this challenge. The United States invented the Internet and developed the most prominent internet and technology companies—so why does the United States seem overwhelmed by this ephemeral threat?
Cyberspace is often framed inaccurately as an unlimited, incomprehensible domain that confounds rational analysis for policy creation. Cyberspace complexity is similar to the complexity of an ecosystem, yet ecosystems do not engender the same panic-inducing irrationality.[2] Ecosystems exhibit relative stability, whereas the cyber domain remains unstable. Cyberspace complexity continues to grow: only 64.6% of the world’s population is currently internet-connected, and annual growth in digital connectivity (2.9%) runs at more than three times population growth (0.84%).[3] Establishing stability in cyberspace is the goal, where economic activity progresses without widespread fear of attack and criminals and nefarious state actors alike are held accountable. Eventually, the cyber domain will reach stability through the action and reaction between provocateurs and defenders. In the years before natural stability occurs, the fortunes of nations will rise and fall, which gives the United States, as the current leader in prosperity, an incentive to hasten the approach to stability through creative policies.
Policymakers must understand the nature of the cyber domain to innovate policy that hastens stability. Cyberspace is neither boundless nor incomprehensible; it is more akin to the land domain than to the sea, air, and space, and the landscape of challenges and the ways governments tackle them find better parallels in the land domain. For example, the diversity of threats in the land domain ranges from trespassing and kidnapping to invasion and war crimes. Cyber threats are equally pervasive, and separating cybercrime from cyber-attack and cyber espionage is a necessary component of any division of responsibility and jurisdiction. The remarkable growth in cybercrime necessitates a local enforcement capability to attribute and aid the just resolution of these lower-level cyber-attacks.[4] The ability of local enforcement to conduct cyber investigations varies significantly across the United States, leaving gaps in protection.
One critical difference between the land and cyber domains is cyber’s rapid evolution. Most police work involves similar crimes conducted by similar methods for similar motives. Even the motivations for Russia’s second invasion of Ukraine stem from a classic geopolitical power struggle, unchanged for millennia. As noted by a cyber security expert at a leading U.S. technology company, the rapid advances in cyber security create an arms race in which adversaries must constantly innovate new methods of attack.[5] Often, the most successful attackers are “Advanced Persistent Teenagers,” those raised in an integrated cyber world. These individuals have considerable time to focus on a target to discern and exploit vulnerabilities. While the land domain lends itself toward a hierarchical framework, the rapid evolution in cyberspace advantages a horizontal structure. A flat structure facilitates swift detection and classification of new threats and disseminates threat telemetry quickly without burdensome reviews. U.S. adversaries already exceed the United States in cyber capacity and are rapidly approaching it in capability, as described in the 2023 National Cybersecurity Strategy (NCS):
The People’s Republic of China (PRC) now presents the broadest, most active, and most persistent threat to both government and private sector networks and is the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so. Over the last ten years, it has expanded cyber operations beyond intellectual property theft to become our most advanced strategic competitor with the capacity to threaten U.S. interests and dominate emerging technologies critical to global development.[6]
If strategic competition shifts to a great power war, China possesses the manpower advantage in the cyber realm, and the United States requires a technical and organizational offset to counter it. Given the scale of that advantage, the United States needs to invest time, capital, and manpower now into building a credible cyber deterrence.
Resilience to Attack
To enhance overall resilience to cyber attacks, the United States should improve cyber system design for security, create a cyber reserve organization to integrate cybersecurity expertise within public and private enterprises, and discourage the formation of “splinter-nets” by allies and partners by listening to legitimate concerns and collaborating for just solutions.
As identified in the United States 2023 National Cybersecurity Strategy, creating inherently secure cyber infrastructure is a national priority.[7] The openness of nascent Internet and software infrastructure benefited from transparency to foster rapid innovation and improvement. However, the volume of wealth traversing cyberspace today requires a security baseline rather than a transparency baseline. Models for inherently secure networks exist, such as the online governance system of Estonia.[8] “E-Estonia,” in establishing zero-trust cyber architecture, instituted a high barrier to data exchange and collection, which prevents many U.S. companies, like Alphabet and Meta, from executing their business strategies. The United States, working with European regulatory partners, should create a zero-trust exchange infrastructure that validates permissions to access data and balances data access for privacy and private industry.
A critical step in zero-trust infrastructure is validating user authenticity. The e-Estonia system utilizes digital keys embedded in the national ID card to allow access to all government sites and many commercial enterprises. A physical key is already commonplace in the U.S. government, where access to the Secret Internet Protocol Routing Network (SIPRNET) used by the Department of Defense and State Department is controlled with a token issued to each user, the same size and shape as an ID card. Google’s Titan security key offers another possible physical key solution.[9] While the United States’ cultural history likely precludes adopting a national identification card, the federal government could create a template from which states could adapt. Standardizing the method of physical key implementation will improve understanding of and trust in the security tool, as users could keep the same key for life, starting in childhood, provided the scheme also supports prompt revocation and re-issuance when a key is lost or compromised. Estonia’s financial industry served as an early adopter of digital key log-in. The reduction in fraud saved so much revenue that the industry itself incentivized expanded use of key log-in. Once the benefits of zero-trust infrastructure and improved data protection reach the population (like filing taxes in under three minutes!), cultural apprehension will likely dissipate.
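The property that makes a physical key worth the cultural cost is that its answer to a login challenge is bound to the site it is actually talking to and to a fresh, single-use challenge, so a phishing page that relays a real challenge, or an attacker who captures one valid answer, gets nothing usable. The model below is an added example, not code from the article or from any of the systems it names (e-Estonia, SIPRNET tokens, Titan keys). Real keys (FIDO2/WebAuthn authenticators and PIV smart cards) sign with a private key that never leaves the device; to stay within the Python standard library this model substitutes a per-site HMAC secret for the key pair, and the site names `bank.example` and `bank-login.example` are invented for the demonstration.

```python
"""Origin-bound, single-use challenge-response login, modelled on a hardware key.

Added example, not part of the original article. The HMAC secret stands in for
the asymmetric key pair a real FIDO2/PIV authenticator would hold; the origin
binding and the single-use challenge are the properties being demonstrated.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


def _bind(origin: str, challenge: bytes) -> bytes:
    """The message the authenticator commits to: origin and challenge, unambiguously framed."""
    return origin.encode() + b"\x00" + challenge


class Authenticator:
    """Stand-in for a hardware key holding one credential per registered origin."""

    def __init__(self) -> None:
        self._credentials: dict[str, bytes] = {}

    def register(self, origin: str) -> bytes:
        # A FIDO key would hand back a public key here; the shared secret is the stand-in.
        secret = secrets.token_bytes(32)
        self._credentials[origin] = secret
        return secret

    def respond(self, origin: str, challenge: bytes) -> bytes:
        # The browser, not the page, supplies the origin; a page cannot ask the key
        # to answer on behalf of some other site.
        if origin not in self._credentials:
            raise KeyError(f"no credential registered for {origin}")
        return hmac.new(self._credentials[origin], _bind(origin, challenge), hashlib.sha256).digest()


class RelyingParty:
    """The site being logged into: issues single-use challenges and verifies responses."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._secret: bytes | None = None
        self._outstanding: set[bytes] = set()

    def enroll(self, key: Authenticator) -> None:
        self._secret = key.register(self.origin)

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Unknown or already-consumed challenge: reject. This is what defeats replay.
        if self._secret is None or challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._secret, _bind(self.origin, challenge), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def legitimate_login(bank: RelyingParty, key: Authenticator) -> bool:
    challenge = bank.new_challenge()
    return bank.verify(challenge, key.respond(bank.origin, challenge))


def relayed_phishing_login(bank: RelyingParty, key: Authenticator, phish_origin: str) -> bool:
    """An attacker at phish_origin forwards the bank's genuine challenge to the victim's key."""
    challenge = bank.new_challenge()          # attacker opens a real session with the bank
    phish = RelyingParty(phish_origin)
    phish.enroll(key)                         # victim was even tricked into enrolling with the phishing site
    stolen = key.respond(phish_origin, challenge)  # the key answers for the origin it actually sees
    return bank.verify(challenge, stolen)     # bound to the wrong origin, so the bank rejects it


def replayed_login(bank: RelyingParty, key: Authenticator) -> bool:
    """A captured valid response presented a second time."""
    challenge = bank.new_challenge()
    response = key.respond(bank.origin, challenge)
    first = bank.verify(challenge, response)
    second = bank.verify(challenge, response)
    return first and second


def demo() -> dict[str, bool]:
    key = Authenticator()
    bank = RelyingParty("https://bank.example")   # constructed origin for the example
    bank.enroll(key)
    return {
        "legitimate": legitimate_login(bank, key),
        "relayed_phishing": relayed_phishing_login(bank, key, "https://bank-login.example"),
        "replay": replayed_login(bank, key),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Only the legitimate login is accepted. A password, by contrast, is the same string whoever asks for it and however many times it is presented, which is exactly why the phishing and replay cases succeed against password log-in and fail here.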
Moving beyond the improved system design, creating a cyber reserve force in the United States would provide mutually beneficial technical experience, expertise, and information to private and public enterprises and a means to respond to large-scale cyber-attack. The reserve structure allows experts to continue working in the private sector, benefiting innovation and economic prosperity, while organizing a capability to leverage in a crisis. The United States should use tax benefits, access to privileged intelligence, and the support of nationwide cyber defense expertise to incentivize the participation of private companies. The “New Social Contract” released by the Office of the National Cyber Director calls for improving the public-private partnership in cyberspace, precisely the purpose of cyber reserves.[10] These cyber reservists should be screened for security clearances to allow access to sensitive threat information. Today, civilian activists already play a crucial role in cyber defense, attribution, and offensive cyber in the conflict in Ukraine.[11] The Cyber Defense Unit of Estonia[12] and the North Atlantic Fellows Organization (NAFO)[13] employ civilian volunteers to conduct a range of cyber operations, from identifying and countering Russian disinformation to email phishing that identifies Russian soldiers accused of war crimes.[14] Incorporating motivated civilians like these and offering them additional resources would enhance cyber resilience. A network of experts across the private sector would share threat telemetry faster and remedy vulnerabilities at the speed of relevance.
A more resilient Internet provides little value to the United States if its allies and partners splinter their networks. Privacy concerns associated with major technology companies scraping data without transparency perpetuate distrust of U.S. companies across the globe and, most significantly, in Europe. Growing calls for the nationalization of data and tighter privacy controls would hamper the development of new advanced technologies like artificial intelligence and cede the advantage to China, whose ruling communist party has no regard for the privacy of its citizens, much less the privacy of foreigners. The United States should value and respect privacy concerns and criticisms from allies and explore shared regulatory action to build commercial trust and accountability. As described in the 2022 National Security Strategy, “We are working closely with allies and partners, such as the Quad, to define standards for critical infrastructure to rapidly improve our cyber resilience, and building collective capabilities to rapidly respond to attacks.”[15] Keeping an open Internet is vital to success in strategic competition and relies on a collaborative approach that integrates the concerns of U.S. allies and partners.
Capability to Respond
Concurrently with the adjustments making cyber infrastructure more resilient, the rules-based international order ought to bolster its ability to respond. In meetings with Ministry of Defense delegations in Latvia, Estonia, and Finland and with officials across multiple U.S. departments, developing capabilities to respond to cyber-attacks was consistently treated as a lower priority than building resilience and often as not worth pursuing. However, without the ability to inflict punitive action, like USCYBERCOM’s defend forward,[16] adversaries will remain incentivized to continue their onslaught. Some of this reluctance stems from overreliance on USCYBERCOM’s exceptional capabilities and a failure to appreciate its manpower and resource constraints. USCYBERCOM cannot serve as the lone guarantor of the world’s cyberspace. From the 2023 National Cybersecurity Strategy:
The governments of China, Russia, Iran, North Korea, and other autocratic states with revisionist intent are aggressively using advanced cyber capabilities to pursue objectives that run counter to our interests and broadly accepted international norms. Their reckless disregard for the rule of law and human rights in cyberspace is threatening U.S. national security and economic prosperity.[17]
To build better capability, the United States should leverage offensive cyber capabilities within the Cyber Reserve force discussed earlier and expand tuition and training assistance for cyber-related fields. Cybersecurity experts require years of training and education, contributing to a considerable shortage of trained workforce in both the private and public sectors.[18] Cyber reserves, through an initial training program, could alleviate some of this knowledge deficit, provide an avenue for professional development, and subsidize higher certifications. Even in strategic competition, the cyber forces of the United States are already near capacity to respond to attacks, and they would come under significantly greater assault during a direct conflict with Russia or China.[19]
Cyber reserve personnel should be trained and empowered for limited hack-back techniques. A hack back consists of a counter-attack to negate the gains of the cyber attacker. For example, if a bank witnessed illegal activity diverting funds, a cyber reserve employee could use authorities granted under the cyber reserves to enter the criminal’s network and recover the funds. Any such authority would need explicit statutory backing, since accessing another party’s systems without authorization is otherwise itself a crime, and it would need to be gated on confident attribution, because attackers routinely operate from compromised systems belonging to innocent third parties. By incentivizing participation in the cyber reserves, an organized network of experts becomes enmeshed across the cyber-attack surface, improving the overall ability of the United States to detect, attribute, and respond to cyber-attacks. Additionally, attack patterns observed in disparate sectors of society, like elementary education and the electric power grid, could be correlated to recognize a broad campaign and trigger a federal response. Only through closer coordination and integration between public and private organizations can the defenders out-innovate attackers and raise the expertise threshold necessary to conduct cyber-attack. As the regularity and effectiveness of responses grow, adversaries’ risk calculus shifts. No longer able to attack with impunity, they must now consider the repercussions of each attack. With defenders across the spectrum using the best practices and intelligence, shooting the rain appears within reach.
Another critical aspect of the cyber reserves is the capacity for improved cyber defense during armed conflict between great powers. A recent congressional policy scenario revealed weaknesses and tough choices in protecting U.S. national interests under a hypothetical conflict with China.[20] The team chose to defend critical military networks rather than day-to-day infrastructure or counter massive disinformation campaigns, leaving millions of Americans without essential services and under the influence of a Chinese Communist Party information campaign. A 300,000-strong reserve force, comparable to the National Guard, would provide a tremendous surge capability during a conflict. The breadth of expertise envisioned in the cyber reserves would defend critical infrastructure while supporting the invaluable advantage the United States holds in every conflict: its allies and partners. Cyber reserve coordination with and participation in NATO teams like the Cyber Rapid Reaction team and national teams like France’s Cyber Citizen Reserve would strengthen the bonds with NATO allies and partners.[21]
Willingness to Act
The final and most challenging aspect of achieving cyber deterrence is demonstrating the willingness to act. With the ultimate aim of influencing adversary decision-making, the campaign to demonstrate willingness involves domestic and international information operations, execution of a cyber response playbook, and lastly, patience. Deterrence works when capability and willingness together make the expected punishment greater than the potential benefit of an attack. As detailed in the 2022 National Defense Strategy (NDS), U.S. adversaries already possess significant capabilities:
The PRC employs state-controlled forces, cyber and space operations, and economic coercion against the United States and its Allies and partners. Russia employs disinformation, cyber, and space operations against the United States and our Allies and partners, and irregular proxy forces in multiple countries.[22]
Russian and Chinese capacity creates a tough but surmountable challenge.
Domestic information operations should message the steps taken to improve cyber resilience, build the capability to respond, and report successes and failures. The desired end state for the operation is an active, honest, and reassuring narrative for a broad domestic audience. By raising awareness of cyber threats and sharing methods to improve resilience, the open society framework of the United States allows adversaries to witness the effort and expense, Clausewitz’s value of the object, that the United States is willing to expend. For the international audience, the United States should encourage allies and partners to participate and to improve their own resilience, intelligence, and response processes. Conversely, the United States should inform the populations of adversary states of the risks their governments bring to average citizens and the possible repercussions: for instance, messaging that failed attempts to attack the United States through cyberspace will incur sanctions, and that successful attacks will incur a proportionate, not necessarily cyber, response.
The cyber response playbook, operational plan, or menu of cyber options already exists but needs to expand to include cyber reserve capability and to improve transparency to the public. Thousands and eventually hundreds of thousands of additional technicians would be available to execute responses, freeing top-tier experts at the National Security Agency (NSA) and USCYBERCOM from lower-complexity operations and preserving their focus for the most technical challenges.[23] Offensive cyber actions, including defend forward, require presidential authorization or, in some limited cases, Secretary of Defense approval.[24] This raises the necessity threshold, so that only the highest priority operations get requested and low priority operations sit in the queue. Presidential authority also tends to slow the authorization process, reducing the timeliness of response actions. Embedding agility across the attack surface would speed the OODA loop in responding to cyber-attacks.[25] A key benefit of presidential authorization is the well-considered and careful deliberation on the risks of unintended consequences and escalation.[26] However, escalation in cyberspace has so far proven limited or non-existent, with no recorded instance of a cyber-attack escalating to a kinetic response.[27]
An understanding of the unintended-consequence risks of lower-tier responses could be built up and recorded over time to determine whether delegating low-consequence cyber responses to subordinate commanders is practical. The Secretary of Defense directed the use of cyberspace to degrade malicious actors in the 2022 National Defense Strategy: “We will conduct cyberspace operations to degrade competitors’ malicious cyber activity and to prepare cyber capabilities to be used in crisis or conflict.”[28] Expanding the permissible actors in the United States to include private companies with cyber reserve force employees would signal potent willingness and determination in backing up deterrence.
After the information campaign and cyber response playbook are in motion, patience should prevail, as any expectation of immediate cyber deterrence is unlikely. Only the sustained improvement in resilience, demonstrated growth in capability, and conveyed willingness to act will change the risk calculus of adversaries. The nuclear taboo developed slowly, and the same can be expected in cyberspace.
Conclusion
By adjusting our paradigm for understanding the threats and opportunities in cyberspace, the United States can incrementally build cyber deterrence to shift the balance toward stability. States will still develop and exploit vulnerabilities. However, the proliferation of simple cyber tools for criminal usage can be defeated through increased resiliency. Improved capability and a demonstrated willingness to respond will encourage states to limit offensive cyber to espionage, saving cyber-attacks for the onset of hostilities where attribution is no longer a concern. Reshaping our national cyber defense organization by creating a cyber reserve force, implemented in a flatter, horizontal organization than typically found in government, can disseminate defensive and responsive cyber capabilities against U.S. adversaries. Working by, with, and through allies and partners, the United States can out-collaborate its adversaries, reinforcing the values of the rules-based international order.