Cybersecurity and Deterrence

Cyber Command’s Strategy Risks Friction With Allies

By Max Smeets
Tuesday, May 28, 2019, 7:50 AM

 Much has been written about the fundamental changes in U.S. cyber strategy. U.S. Cyber Command’s vision of “persistent engagement” and the Department of Defense’s new strategy of “defend forward” have, in particular, led to numerous critical remarks about the risks of escalation between the U.S. and its main adversaries in cyberspace.

These debates are worth continuing, including about what the change in strategy means for establishing norms in cyberspace. But commentators have so far ignored a key dimension: The strategy’s main implications may not reside in how it changes the dynamics between the U.S. and its adversaries but, instead, in how it affects broader alliance relationships, especially beyond the Five Eyes (Australia, Canada, the U.K., the U.S. and New Zealand). U.S. Cyber Command’s mission to cause friction in adversaries’ freedom of maneuver in cyberspace may end up causing significant friction in allies’ trust and confidence—and adversaries may be able to exploit that.

Operating “Seamlessly, Globally, and Continuously”

Cyber Command’s new strategy seeks to operate “seamlessly, globally, and continuously.” It states that “[s]uperiority through persistence seizes and maintains the initiative in cyberspace by continuously engaging and contesting adversaries and causing them uncertainty wherever they maneuver.” According to the strategy document, Cyber Command intends to do this “as close as possible to adversaries and their operations,” connecting persistent engagement to the Pentagon’s principle of “defending forward.”

In an article for Joint Force Quarterly (JFQ), NSA Director and Cyber Command head Gen. Paul Nakasone writes: “We must instead maneuver seamlessly across the interconnected battlespace, globally, as close as possible to adversaries and their operations, and continuously shape the battlespace to create operational advantage for us while denying the same to our adversaries.”

When Nakasone says the U.S. must get “as close as possible to adversaries and their operations,” he implies that the U.S. seeks to achieve effects that are outside of its own networks and beyond the networks of its adversaries. This vast area is not ungoverned space. It includes, for example, routers in Nairobi, servers in Denmark or operating infrastructure in any other country around the world.

Blue Space, Gray Space and Red Space

In the JFQ article, Nakasone also states that “if we are only defending in ‘blue space’ we have failed.” This use of terminology as well as talk about “operating close to the adversary” evades one issue: It is unclear whether Cyber Command only seeks to cause friction in “red space” or if it seeks to compete in “gray space” as well. These terms are often confused and not well-understood. (The terms “gray zone”—areas where it’s unclear whether the government has legal authority to act—and “gray space” are also frequently confused.) In fact, the issue was raised for “further exploration” at Cyber Command’s 2018 symposium, specifically understanding the “relevance of concepts like area of responsibility and red-blue-gray space to the cyberspace domain.”

Joint Publication 3-12 (JP 3-12) on cyberspace operations, prepared under the direction of the chairman of the Joint Chiefs of Staff, explains the terminology:

The term “blue cyberspace” denotes areas in cyberspace protected by the US, its mission partners, and other areas DOD may be ordered to protect. Although DOD has standing orders to protect only the Department of Defense information network (DODIN), cyberspace forces prepare on order, and when requested by other authorities, to defend or secure other United States Government (USG) or other cyberspace, as well as cyberspace related to critical infrastructure and key resources (CI/KR) of the US and PNs [partner nations]. The term “red cyberspace” refers to those portions of cyberspace owned or controlled by an adversary or enemy. In this case, “controlled” means more than simply “having a presence on,” since threats may have clandestine access to elements of global cyberspace where their presence is undetected and without apparent impact to the operation of the system. Here, controlled means the ability to direct the operations of a link or node of cyberspace, to the exclusion of others. All cyberspace that does not meet the description of either “blue” or “red” is referred to as “gray” cyberspace.

Gray space is defined based on the nodes adversaries control. This means the vast area between U.S. government-owned networks and adversaries is not considered to be gray space. Instead, if for instance the GRU (Russia’s military intelligence agency) controls a node in the Netherlands, it is considered to be red space based on JP 3-12. And it’s worth mentioning that the notion of control is open to interpretation by states.

This means that if Cyber Command seeks to operate only in “red space,” its activities will still have global reach (globally). It also suggests that red space grows as adversaries expand their operational activity. Most importantly, this implies that if Cyber Command seeks to achieve “effects” in gray space, this will involve operating infrastructure that adversaries do not control—which is to say those systems or networks on which adversaries merely have a presence or are not active at all.

What’s New Under the Sun?

What’s really new here? The United States has long operated in networks “close to the adversary.” As Ben Buchanan’s book, “The Cybersecurity Dilemma,” demonstrates, the U.S. has long acted as an “observer” in gray space, gathering intelligence of adversarial activity in those others’ networks. In fact, information has become public concerning a case in which the Five Eyes collected intelligence about an espionage platform (dubbed “Snowglobe” by the Canadian Intelligence Agency CSEC and “Animal Farm” by Kaspersky Lab) of an allied country, France, likely operating in adversarial networks in the Middle East. In other words, the practice of fourth-party collection is nothing new. And the U.S. has also long acted in foreign nonadversarial networks as a “passerby,” transiting through gray space networks to access an adversarial network.

But the new Cyber Command and Defense Department strategy changes the nature of the U.S. military’s behavior within those systems and networks. Under the new strategy, Cyber Command wants to be an active disrupter on those networks. It wants to achieve effects.

The only known precedent is Cyber Command operators wiping Islamic State propaganda material off a server located in Germany. The German government was notified in some fashion but not asked for advance consent, causing much frustration.

This will likely lead to a systematic scaling up: Cyber Command now also seeks to be an active disrupter on those networks “globally, continuously and seamlessly”—not regionally and sporadically.

The Danger of Operating Seamlessly in Allied Networks

Operating instantly makes sense considering the potential operational tempo of adversaries: You can’t have protracted diplomatic discussions for two months with an ally about whether or not to take down some command and control infrastructure of an adversary hosted in the allied country. You don’t have days, let alone months. As a participant mentioned at the recent Chatham House Rule 2019 Cyber Command Symposium on strategy: “Opportunities within this domain are fleeting.”

Operating seamlessly could also make sense if an ally does not mind the U.S. coming into its networks to address the malicious activity. In this vein, the U.S. can continue to build partnerships with countries that do not have the capacity to defend against cyber attacks on their own.

But, what if an allied country is not keen on having the U.S. military in its networks, actively, seamlessly, and continuously disrupting an adversary’s cyber operations? As the German case shows, this scenario will likely come up a lot more in the near future.

In other words, in seeking to successfully create friction in cyberspace for adversaries, Cyber Command may also seek to act within allied networks, even if the ally does not approve. It might even be successful in its mission, causing friction in adversaries’ operations before they cause serious harm to the U.S. But this strategy runs a real risk of undermining allies’ trust and confidence in ways that are subtle and not easily observable. This ought not to be overlooked, especially since this element may itself be exploited by adversaries.

Adversaries don’t randomly choose which intermediate nodes to direct their operations through. If Russia has the choice to go through a network that would raise some serious diplomatic friction between the U.S. and a U.S. ally, or operate through a network that would cause no diplomatic friction for the U.S., what would it prefer?It would make sense for adversaries to operate through the networks of exactly those countries with which the U.S. has a strong relationship but that do not want the U.S. to operate within their networks causing any effects.

Russia is already good at exploiting divisions between the U.S. and its allies. Cyber Command’s new strategy might give it another avenue to do so.

A Final Word

Bobby Chesney recently offered a brief overview of what is known about the out-of-network operations Cyber Command has conducted, based on reporting from Mark Pomerleau at Fifth Domain. Chesney notes that there is still a lot of uncertainty about what did and did not change in terms of the interagency process and how often Cyber Command seeks to operate outside the Department of Defense Information Network.

I would add that there is also much uncertainty about where Cyber Command currently operates. This dimension, however, is crucially important for understanding the true implications of the United States’s change in cyber strategy. By operating in allied networks, Cyber Command is running the risk of causing the wrong type of friction.