9 September 2023

Remind Me Again...What Were We Deterring? Cyber Strategy and Why the United States Needed a Paradigm Shift

Sam Brown

Since the turn of the century, cyber warfare has developed into a new domain of conflict. Cyber warfare has recently brought new conceptual frameworks to strategic thinking. Persistent engagement, sometimes called active defense or hunt forward, is a new paradigm within the domain. In short, persistent engagement enables American cyber warriors to take a more forward-leaning posture, proactive rather than reactive. This approach has critics, of course. At times, persistent engagement seems to be little more than a thin veneer of justification for aggressive offensive action. Stepping back to a more theoretical level, the question is whether a new paradigm is even necessary. The answer to this question is an unqualified yes.

The primary purpose of this work is to explore why shifting to a new paradigm was so necessary. This will involve a brief historical summary of cyber conflict. Furthermore, an analysis of the deterrence paradigm that came before persistent engagement must be included. Of course, persistent engagement itself must be described. To wrap up, a follow-on question will be discussed. What precedents and norms does persistent engagement set for the international community? How cyberspace is being normed is the main thrust of persistent engagement’s critics. Thus, establishing whether the policy is creating or reacting to its environment is an important distinction.

CYBER STRATEGY: ORIGINS AND DEVELOPMENT

Cyberspace originated in the 1970s and 1980s as the American military developed new information technology for communications.[1] Information technology’s interconnected nature enabled a user on one system to affect other systems’ functionality. A malicious actor could potentially cripple an entire communication system. Once information technology became integrated with physical control systems, the ability expanded to remotely causing physical damage. Quick proliferation in the commercial and private worlds meant this vulnerability now threatens everybody. Given information technology’s ubiquity and low cost of entry, the range of potentially malicious actors is quite broad. On the one hand, nation state actors employing national level agencies have a lot to gain from espionage and can apply damaging or destructive cyber actions in a more military-like manner. On another extreme, individuals can wreak havoc for profit or personal ideology. In between, there are plenty of non-state groups active in cyberspace from organized crime to “hacktivist” organizations.

Until recently, the U.S. approach to defending against these threats had been to adapt the deterrence paradigm to cyberspace.[2] Deterrence itself was born out of the advent of nuclear weapons and the early Cold War.[3] Previously, militaries had defended their own civilian population from other, invading militaries. However, between the sheer destructive force of a single nuclear weapon and the advent of long-range strike capability, attackers could entirely bypass an opposing military’s defense to get straight to the civilian population. This necessitated a strategic shift. No longer could the threat of attacks be adequately defended against; rather, they must be deterred from attacking in the first place. The deterrence theory that grew out of this reality placed high value on concepts like credibility and commitment.

When cybersecurity began to arise as a serious issue, the United States was fresh out of the Cold War. Adapting the strategy that had just won the Cold War was natural enough and no paradigmatic alternative was seriously considered. Consequently, American policy makers labored under a number of assumptions. First, establishing American credibility in cyberspace, or the threat of American counterattack, was critical. Additionally, routine statements have been made reiterating the importance of cyberspace to U.S. interests to establish commitment in the domain.[4] In turn, this raised important legal questions. For instance, what constitutes an armed attack in cyberspace? Other problems of deterrence-based thinking, such as escalation risk or the question of how states can adequately signal intentions in an arena with a defining feature of non-attributability, have been embedded in the cyber policy conversation.

The trickle-down policy from this strategic framework struggled. Particularly in the 2010s, the United States was on the receiving end of an increasing volume of malicious cyber behavior that it struggled to deal with effectively. The Shamoon virus, presumably Iranian, nearly wrecked the global economy.[5] The North Korean hack of Sony was less economically damaging, but brought home the threat of state actors targeting American corporations.[6] Individual cyber actors extended the threat down to an even smaller level with increasing ransomware attacks against an array of American targets ranging from private individuals to corporations and government entities.[7] Russian use of cyberspace to meddle in American elections was perhaps the most concerning threat.[8] Throughout this period as well, the Chinese government used cyberespionage to exfiltrate vast amounts of American corporate secrets worth an incalculable sum.[9]

Clearly, the American posture in cyberspace was deterring very little. Many called for a more proactive response.[10] Deterrence theory’s shortcomings have become apparent. At the theoretical level, much like the nuclear weapons that necessitated a paradigmatic shift to deterrence, cyberspace’s unique characteristics shift the strategic environment. The non-attributability of cyber weapons and the defiance of physical location inherent in cyberspace are novel features that undercut the assumptions of deterrence. More practically, low consequence attacks in cyberspace put the United States between a rock and a hard place. On one hand, responding aggressively to such attacks under the deterrence paradigm risks escalation. Is the United States willing to risk war over something like the loss of some of Boeing’s proprietary data? On the other hand, doing nothing undercuts American credibility and commitment in cyberspace. Neither option prevented nor recouped mounting losses.

DESCRIBING PERSISTENT ENGAGEMENT

Around 2018, U.S. Cyber Command approved a new approach, persistent engagement, that many see as a paradigmatic shift away from deterrence.[11] Persistent engagement cuts out an attack as a prerequisite to action. Rather, cyber warriors are authorized to actively search out and take down malicious actors in cyberspace. Because these actions are not physically destructive and cyberspace is so dynamic, such engagements must persist to remain effective. Authorizations only extend to going after an adversary’s ability to conduct cyber-attacks on the United States. Presumably, although offensive measures are taken, the actions remain strictly defensive in objective. Hence we have the term active defense. In addition, teams can be preemptively sent forward beyond the walls of U.S. Cyber Command to help potential targets of cyber-attacks hunt down malicious actors on their own systems, or hunt forward. Viewed in traditional military terms, persistent engagement is offensive action for defensive purposes.


Director of the NSA and Commander of the U.S. Cyber Command Paul Nakasone speaks during a hearing on April 15, 2021 in Washington, D.C., where he suggested that deterrence “is a model that does not comport to cyberspace.“ (Al Drago-Pool/Getty)

The strategy has its critics.[12] Some felt that active defensive measures had already been in use. Persistent engagement was an ex post facto policy justification and opened the floodgates to many more cyber operations. Generally, taking preemptive offensive action is a slippery slope. Although a preemptive offensive does have international legal justification, cyberspace’s non-attributional character makes justifiable proof for it tricky. Currently, cyberspace is viewed as an internationally un-normed environment. As such, persistent engagement risks a classic chess fork problem. Either it can be potentially illegal under international law, or it could establish a precedent that justifies offensive actions by an adversary actor. Furthermore, the institutional logic of authorizing the command responsible for cyber operation to take offensive actions it deems necessary to defense is dubious. Persistent engagement certainly has its flaws.

Nonetheless, persistent engagement was a necessary development and is not completely detached from the realities of cyberspace. There are a couple of factors that lend it weight. The first is the shortcomings of its predecessor. With a deterrence paradigm hamstringing decisionmakers, something new had to be tried.[13] Persistent engagement is that something. We can usefully view it as an experiment rather than a permanent solution. More time will provide more data on its efficacy. This new data can be used to evolve persistent engagement theory. Perhaps deterrence theory could even be amended. Potentially, alternative paradigms could be worked out. Regardless, something needed to break out of the deterrence paradigm while providing some current functionality. For all its flaws, persistent engagement has done that.

Furthermore, persistent engagement is closely aligned at a theoretical level with one of cyberspace’s unique characteristics. Cyberspace warps physical geography to near irrelevance.[14] A skilled cyber operator can jump from system to system, regardless of location or system type. Hypothetically, someone on a laptop in Mongolia could jump from a smart refrigerator in Spain to a cell phone in Costa Rica to an oil pump control in Kuwait with relative ease. This blurs the traditional lines of state sovereignty. It also removes meaningful buffers between a malicious actor and their target; there is no military or police force to fight through or bypass, at least not in the same way as conventional domains. All users of cyberspace are potentially always at risk.

Consequently, it would seem that to adequately protect cyberspace, nothing threatening should be tolerated in cyberspace in the first place. Zero reaction time or warning to malicious acts means that the possibility of attack must be closed off before it materializes. This is the driving idea behind persistent engagement.[15] Threats are neutralized as soon as they are discovered. Obviously, persistent engagement operations will never achieve perfect success. The sheer logistical problem of persistently engaging all threats is impossible. But at least persistent engagement is a framework from which to work. As for the sovereignty problem, persistent engagement does not solve it, but neither is it encumbered by it in the way deterrence-based thinking was. After all, it is the domain itself, not merely the operations, that challenge the sovereignty norm.

This all begs the question of persistent engagement’s results. At this point, we have only had five years of persistent engagement, leaving us with limited and murky data points. Results are mixed and should be analyzed with a healthy dose of skepticism. Chinese corporate espionage has tapered off since its height a decade ago, but this began before the shift to persistent engagement and is probably unrelated.[16] Ransomware attacks continue unabated.[17] Any drop-off in the severity of ransomware attacks could be attributed to the American reiteration of critical infrastructure redlines following the Colonial Pipeline attack; a point that would actually suggest successful application of deterrence theory.[18]

Nonetheless, there may be some reason to hope for the efficacy of persistent engagement. After revelations of Russian meddling in the 2016 presidential elections, U.S. Cyber Command was tasked with protecting both the 2020 presidential and 2022 midterm elections.[19] Presumably, their attempt to accomplish this relied heavily on active defense measures. No major interference with either election has cropped up. Persistent engagement’s other large success has been the war in Ukraine. Cyber warfare has not played a major role in the kinetic war despite Russia possessing some of the most advanced cyber warfare capability in the world. U.S. Cyber Command attributes this to the success of their hunt forward units deployed in the lead up to the war.[20] Again, this must be taken skeptically. There are alternative explanations. In both cases, it is very difficult to prove a negative. However, these are cases where persistent engagement seems to have enabled successful, high stakes cyber operations.

PERSISTENT ENGAGEMENT, INTERNATIONAL NORMS, AND IMPLICATIONS

On a larger scale, persistent engagement has yet to be problematic in the international arena. No other countries have taken cyber actions under the justification of persistent engagement. The United States’ closest partners, its adversaries, and even non-aligned cyber powers such as India have not protested persistent engagement’s implementation. American partners stand to benefit from a proactive response. The cyber defense of Ukraine is an excellent demonstration of this. The interests of non-aligned actors in cyberspace have yet to emerge. Adversaries’ seeming acquiescence is at first blush more perplexing. Their endeavors in cyberspace stand to suffer direct setbacks from more active American defense. However, China and Russia may view persistent engagement as falling within their own strategic view of cyberspace. American norming of that framework would make tactical setbacks acceptable.

Russia does not distinguish between information and cyber operations; the latter is a subset of the former.[21] The Russian threat perception is that conflict in this domain has been ongoing for some time. Consequently, persistent engagement’s offensive actions are expected in the Russian paradigm. It validates deeply held Russian views. Legal justifications are largely irrelevant. Chinese interests are a bit more nuanced. While they share Russian doctrine, they do not share Russian paranoia.[22] Rather, they are primarily concerned with protecting their own sovereignty.[23] Controlling discontent at home and foreign perceptions abroad are national security issues for Beijing. They have conducted many operations to this end. Given the Chinese perception of what constitutes a national security threat, persistent engagement’s aggressive defense of American interests is not dissimilar. For both countries, persistent engagement is not an American innovation to be decried, but the United States showing up late to the party.


A Ukrainian army soldier checks her phone after a military sweep in the outskirts of Kyiv, in April 2022. (Rodrigo Abd/AP)

This raises an important endogeneity question. Is persistent engagement an agenda setting or reactionary piece of policy? Most criticism is predicated on persistent engagement setting precedents that will come back to haunt American interests. Will this strategic paradigm be used as justification for future cyber-attacks against the United States? Persistent engagement pushes hard where we should tread lightly with this consideration in the background. However, this train of logic would be completely derailed by the existence of other precedents. From the Chinese and Russian perspective, persistent engagement sets no precedents. So, critics have been asking the wrong questions. Rather than worry about legally justifying attacks against themselves, American strategic thinkers should be wondering if persistent engagement cedes too much to Russian or Chinese interests and paradigms.

China’s vision of cyberspace can be compared to land with clearly defined boundaries and jurisdictions. The key word that routinely appears in Chinese thinking is “sovereignty.” Russia adheres to a similar vision. On the other hand, the United States’ vision of cyberspace is more like the world’s oceans, a global common available to all with an internationalized system of regulations and enforcement. It is in this distinction that persistent engagement risks playing into Chinese or Russian designs. But it will not necessarily do so. The same documents that articulate the persistent engagement paradigm also articulate U.S. commitment to a free and open internet. Nonetheless, by playing at the Chinese and Russian level tactically, the United States needs to avoid following them strategically. Persistent engagement must maintain a globalist outlook when defining the American interests it protects.

CONCLUSIONS

Persistent engagement is a strategic paradigm for cyberspace born out of failure. Deterrence theory proved neither flexible enough nor well adapted to the domain. A new domain called for a new strategy. Rather than prevent cyber-attacks by convincing the attacker the cost is not worth the risk, persistent engagement seeks to prevent cyber-attacks by disabling the attacker’s capacity preemptively. There are fears around the precedents that persistent engagement sets and how those norms may one day be quite damaging. However, these concerns miss the broader nature of the environment and the already emerging norms that called for a response. To be fair, open questions remain. How the role of national sovereignty in cyberspace continues to develop could drastically alter the evolution of persistent engagement. Nonetheless, persistent engagement is a much sounder starting point for American cyber strategy than deterrence.

No comments: