Cybersecurity and Deterrence
Cyberspace Is Neither Just an Intelligence Contest, nor a Domain of Military Conflict; SolarWinds Shows Us Why It’s Both
Operations in cyberspace—at least those perpetrated by nation-state actors and their proxies—reflect the geopolitical calculations of the actors who carry them out. Strategic interactions between rivals in cyberspace have been argued by some, like Joshua Rovner or Jon Lindsay, to reflect an intelligence contest. Others, like Jason Healey and Robert Jervis, have suggested that cyberspace is largely a domain of warfare or conflict. The contours of this debate as applied to the SolarWinds campaign have been outlined recently—Melissa Griffith shows how cyberspace is sometimes an intelligence contest, and other times a domain of conflict, depending on the strategic approaches and priorities of particular actors at a given moment in time.
Therefore, rather than focusing on the binary issue of whether a warfare versus intelligence framework is more applicable to cyberspace, the fact that activity in cyberspace takes on both of these characteristics at different times raises interesting questions about how these dimensions relate to one another at the operational level. How does maneuvering in cyberspace for intelligence purposes impact military cyberspace operations, and vice versa? When are these actions not mutually exclusive? Typically, operational considerations of intelligence and military action are discussed in the context of intelligence gain-loss calculations—that is, the trade-offs between prioritizing intelligence versus military objectives. But this framing plays into the overall dichotomy that pervades the discourse. Certainly, in some contexts there are compromises and zero-sum choices between intelligence and military operations—where, for instance, the decision to conduct an offensive cyber operation might jeopardize valuable access to a network that is used for intelligence purposes. However, less explored is how military operations shape and are shaped by intelligence considerations for mutual opportunities.
An important caveat is that this analysis defines intelligence operations in conceptual, rather than legal, terms. It sets aside critical legal distinctions in the United States, for instance, between the authorities that govern Title 50 and Title 10 cyber operations, as well as the different organizational stakeholders involved. Instead, “intelligence” used here refers to the broad category of cyber behaviors that entail surreptitiously gaining access to networks for the purposes of information gathering, in which maintaining secrecy is an imperative, while “military” or “offensive” connotes cyber operations that cause effects, such as disrupting, denying, or degrading data on a network or in transit.
How does this apply to SolarWinds? From the Russian perspective, SolarWinds is emblematic of how cyberspace could enable opportunities for both intelligence collection and offensive cyber operations, potentially even those that may serve different strategic objectives. Russia’s supply chain breach of SolarWinds has been suggested to have largely enabled the Russian government to exfiltrate data in support of national security intelligence objectives, illustrated by the compromise of various high-ranking U.S. officials’ emails—a clear intelligence purpose. However, as many commentators have pointed out, this access to U.S. communications could have given Russia the ability to exploit public- and private-sector networks for coercive purposes, particularly if Russia had decided to take advantage of the access to telecommunications and financial institutions. The point here is not to speculate about why Russia chose to exhibit relative restraint in, thus far, not exploiting access for offensive purposes. Rather, this example demonstrates how the unique scope afforded by these kinds of supply chain breaches could create opportunities for states to leverage access for multiple, rather than competing, purposes. This is compounded by the revelation that the SolarWinds Orion software was not the only access vector used in the operation. In this way, a cyber campaign that involves multiple means of access to a range of different targets could create simultaneous opportunities for intelligence and offensive cyber operations.
At the same time, the Microsoft Exchange hack likely generated greater risks than the SolarWinds campaign. China used web shells to gain access to tens of thousands of networks around the world to gather as much information as possible, leading to widespread compromise that could be exploited by other malicious actors for offensive purposes, including ransomware (or for their own data theft). While this may have been an unintended synergy between intelligence and offensive operations, the dynamics of this campaign illustrate how an operation that began as an ostensibly traditional cyber espionage operation created the conditions for a range of offensive actions. China may have absconded with the data it needed for its intelligence purposes and, at the same time (even if inadvertently), left the door open for offensive actions.
From a U.S. perspective, the debate about the implications of SolarWinds for the Department of Defense’s relatively new strategic concept of “defend forward” also illustrates the links between intelligence and military operations in cyberspace. The defend forward concept implies two important (but not exhaustive) roles for military cyber forces. The first is to maneuver in adversary- or third-party-controlled cyberspace—what the military calls “red” and “gray” space—to learn about adversaries and share information gleaned with relevant stakeholders. The second is to conduct authorized counter-cyber operations to disrupt, deny, and degrade adversary offensive cyber capabilities and infrastructure. Setting aside the essential distinctions between the different authorities that govern the conduct of military and intelligence operations, there are “intelligence-like” functions that are inherent in the operationalization of defend forward.
Cyber Command’s “malware inoculation” and “hunt forward” efforts exemplify this shift in strategic concepts. These engagements entail U.S. cyber forces maneuvering in red and gray space to gain information about evolving adversary capabilities; tactics, techniques, and procedures; and potentially even intent. Sometimes, this takes place in collaboration with allies, as was the case in the fall of 2020 when U.S. Cyber Command worked with Estonian Defense Forces to hunt for malicious activity. Information that U.S. Cyber Command may gain from hunt forward operations could be shared, as appropriate, with other departments and agencies across the federal government, affected entities in the private sector, the public writ large (through posting malware samples on VirusTotal), and allies and partners to aid in their defensive efforts.
In fact, malware inoculation and hunt forward were part of the U.S. government’s response to SolarWinds. In April, Cyber Command issued a press release detailing how, along with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), it released malware samples associated with Russia’s Foreign Intelligence Service. This information was gained through hunt forward operations conducted by U.S. Cyber Command, as well as threat hunting by CISA. Moreover, the press release is explicit about how hunt forward missions “generate insights to understand the adversary”—which, broadly construed, reflects the intelligence value of cyberspace operations—as well as enable offensive operations, given that hunt forward also “provide[s] opportunities to disrupt, degrade, or defeat malicious cyber activity when needed.”
While this analysis may seem to be part of an esoteric academic debate, there are important implications for U.S. policy. Ongoing behavior in cyberspace suggests that states perceive a strategic utility in leveraging cyberspace for both intelligence and military purposes, and some states may even recognize the potential for a campaign to support both of those ends. Moreover, given how geopolitical conditions or policy preferences are not static, state behavior in cyberspace will take on different characteristics in varying contexts. However, the policy debate continues to treat military and intelligence operations as separate and sometimes even competing functions. The SolarWinds campaign has demonstrated that the U.S. government must improve how it is organized to address cyber challenges in a way that holistically considers intelligence and military opportunities and risks, rather than treating these as mutually exclusive or competing policy priorities.
Future conversation needs to move beyond the military versus intelligence contest binary construct to more meaningfully explore how states may seek to use cyberspace for multiple objectives, either in sequence or in parallel. This will require improving early warning and intelligence collection focused on adversary intent to better anticipate when cyber operations are likely to be contained to espionage versus when they may also include an offensive component. This also includes developing clear response mechanisms that distinguish between routine (if regrettable) cyber espionage and unacceptable offensive operations that the U.S. seeks to deter.
Moreover, the U.S. government should be more attuned to scenarios in which espionage unintentionally produces opportunities for offensive action, which may have been the case with the Microsoft Exchange hack. In these instances, the U.S. should promote norms around more responsible behavior and less recklessness within the confines of cyber espionage operations. Initially, this may take the form of a confidence-building measure (CBM). CBMs can promote transparency and stability in situations where it may be more difficult to gain initial consensus around a set of norms because they can occur on an entirely unilateral and voluntary basis. Some observers, like Jacquelyn Schneider, have argued for the United States to adopt a no-first-use policy for certain types of cyber operations. A U.S. declaration that clarifies what constitutes responsible versus irresponsible cyber espionage behavior—distinguished, for instance, by espionage activities that may inadvertently increase systemic vulnerabilities or enable malicious actions by third parties—and publicly commits the U.S. to that standard would be an important positive step.