Cybersecurity and Deterrence
The Cyberspace Solarium Commission Report and Persistent Engagement
In the recently released Cyberspace Solarium Commission report, the commission reaffirmed Congress’s ongoing support for the Department of Defense’s “defend forward” strategy as operationalized through persistent engagement (DF/PE) by U.S. Cyber Command. Indeed, the last of the six “pillars” organizing the commission’s recommendations—“preserve and employ the military instrument of power”—focuses entirely on DF/PE within the context of the military instrument’s contribution to the commission’s proposed strategic approach. And Lawfare posts by Erica Borghard and Mark Montgomery, along with Laura Bate, Phoebe Benich, Valerie Cofield, Karrie Jefferson, Ainsley Katz, and Sang Lee—all staff members on the commission—are also consistent with DF/PE.
However, a post by another staff member, Benjamin Jensen, questions the strategic approach of persistent engagement. If the United States is to gain maximum benefit from the work of the commission, there must be consistency and clarity in characterizations and understandings of persistent engagement and its components—including DF/PE and how it complements the construct of layered deterrence. Unfortunately, Jensen’s comments distract from the consistency and clarity found in the report and the other posts cited above as well as in other published work. He argues, for example, that persistent engagement offers a “false promise” of security, implies it comprises more offensive than defensive operations, and claims it does not take account of the limits of cyber strategy.
First, Jensen references the “false promise” of “persistent offensive cyber operations”—presumably referencing the “promise” of security provided by persistent engagement. The empirical record does not support the notion that this security is a false promise, however. There are three open-source-reported cases of specific and successful Cyber Command efforts enabled by the strategic approach of DF/PE: securing the U.S. 2018 midterm elections from external interference; generating cyber-enabled effects against Iranian ship tracking capabilities in response to Iran’s kinetic attack on a U.S. RQ-4 Global Hawk drone; and Operation Glowing Symphony, a campaign to counter Islamic State internet and media operations. (Note that the successful midterm election campaign is actually referenced in the commission’s report on page 29.) Importantly, these operations represent DF/PE successes across the full spectrum, from competition short of armed conflict through militarized crises and into armed conflict.
Additionally, Bate and co-authors note that DF/PE campaigns and operations also contribute to security by supporting, through norms construction, understandings of acceptable and unacceptable cyber behaviors: “U.S. norms-based international engagement and military activities under defend forward don’t just serve the shared goal of deterrence; in fact, they complement one another.” Borghard and Montgomery take a similar view:
[T]o be meaningful, norm-building initiatives must be coupled with consistent (and, when possible, collective and transparent) action to support and enforce them when they are violated. In addition to law enforcement, sanctions, and collective attribution efforts after norms are violated, defend forward cyber operations can help establish norms the U.S. seeks to promote in the first place.
Richard Harknett and I have maintained this position in our published articles.
Second, Jensen’s characterization of PE as comprising “persistent offensive operations” and being “more offensive than defensive” is not consistent with how the commission report describes DF/PE in Pillar Six, nor with how Borghard and Montgomery argue DF/PE should be understood. They state that the layered deterrence strategic approach “should explicitly and deliberately clarify the fact that defend forward is an inherently defensive strategy—despite the fact that there are offensive components at the tactical and operational levels.” This characterization is in keeping with how U.S. Cyber Command characterizes PE in its Command Vision and how Harknett and I describe it in our work.
Third, Jensen seemingly argues for the superiority of layered deterrence over DF/PE, noting the former is a “whole of nation” approach. However, DF/PE is compatible with such an approach: Harknett and I have previously argued that a “whole of nation +” approach to cyber security, in addition to an operational cyber strategy (DF/PE), is necessary to blunt adversary strategic gains in, through and from cyberspace, and that PE could be an anchor for such an approach. Notably, the strategic framework and several pillars in the commission’s report incorporate that perspective.
The report is organized around both the three-layered strategic framework of layered deterrence and the six pillars used to categorize report recommendations. Aspects of DF/PE both anchor and appear as threads throughout these organizing constructs. For example, the report positions DF/PE in layer 3 (cost imposition). But it also notes, in Section 6.1.2, that Cyber Command’s contribution to the virus-analyzing website VirusTotal of malware discovered through DF/PE supports the broad objective of layer 2 (deny benefits) by allowing the private sector to develop response plans and potentially inoculate their systems to avoid harm. Additionally, as referenced previously, both Borghard and Montgomery as well as Bate and co-authors concur with Harknett and my views that DF/PE contributes to the broad objective of layer 1 (shape behavior) by supporting norms construction and reinforcement.
The same influence can be seen in the pillars. DF/PE is the anchor of Pillar Six, on preserving and implementing military power. Meanwhile, threads from Cyber Command’s VirusTotal activity and supporting operations run through Pillar Five, on operationalizing cyber collaboration with the private sector; and norms construction and reinforcement efforts appear throughout Pillar Two, on strengthening norms and nonmilitary tools.
In sum, the commission’s report aligns in important ways with the writings on and application of DF/PE. That said, I encourage the commission to go one step further.
The fundamental strategic principle of PE is seizing the initiative. This principle could (and should, in my view) be the basis of a national cyber strategy and a national framework for strategic competition short of armed conflict, though the commission did not explore this idea. The report reflects PE’s strategic principle by elevating aspects of the Defense Department’s DF strategy to a national strategic concept of “Defend Forward”—a concept the commission report argues should be a core element of a new national cyber strategy.
To wit, the report says that “Defend Forward posits the United States must shift from responding to malicious behavior after it has already occurred to proactively observing, pursuing, and countering adversary operations and imposing costs to change adversary behavior.” This aligns nicely with the Cyber Command Vision’s view of PE’s strategic principle as seizing the initiative to set the conditions of security. Indeed, the commission report argues that Defend Forward “implies persistent engagement with adversaries as part of an overall integrated effort to apply every authority, access, and capability possible (e.g., laws, financial regulation, diplomacy, education) to the defense of cyberspace in a manner consistent with international law.” And so it seems that, as a matter of fact, PE’s core strategic principle of seizing the initiative is the very heart of the Defend Forward concept as applied to all national sources of power—known as DIMEFIL, for diplomatic, information, military, economic, financial, intelligence and law enforcement.
In building on the commission’s work, it will be useful to push harder for even greater consistency and clarity. For example, although the Department of Defense construct of DF takes a higher profile in the commission report, policymakers might benefit from more thinking about the distinction between “big DF” (the national-level concept) and “little DF” (the Defense Department construct). Borghard and Montgomery argue that “big DF” is represented by “forces and capabilities … forward-positioned, both geographically and virtually. This is analogous to historical strategies of forward defense, which was the foundation for the U.S. and NATO grand strategy during the Cold War.” If this frame is applied across all sources of power, it is easy to argue that most, if not all, instruments of U.S. national power are already forward positioned in the sense used by the report—U.S. embassies house diplomatic, economic and other capabilities; the Federal Bureau of Investigation has offices overseas; intelligence capabilities are deployed globally both physically and virtually; and so on. What primarily matters in cyber strategic competition short of armed conflict (and the larger strategic competition, as well) is not that the U.S. has assets forward but that its assets are seizing the initiative. And this applies to aspects of national instruments of power not forward, as well.
There is a bounty of evidence that several U.S. agencies and departments embodying national instruments of power are, in fact, seizing the initiative to stem the tide of strategic effects of adversary campaigns in, through and from cyberspace. The matter of China’s licit and illicit efforts to acquire U.S. intellectual property is a case in point. Over the past few years, Congress (and now the commission) has proposed strengthening the capabilities of the Committee on Foreign Investment in the United States; the Department of Justice stood up the China Initiative to combat intellectual property theft; the National Security Agency stood up the Cybersecurity Directorate to “eradicate threats to national security systems and critical infrastructure, with an initial focus on the defense industrial base and the improvement of our weapons’ security”; and Cyber Command operationalized the Defense Department’s established construct of DF through a strategic approach of persistent engagement. What’s more, though the Department of State had to accept the resounding defeat of its nominee to lead the U.N. Food and Agriculture Organization to China’s preferred candidate, the department later seized the diplomatic initiative through an aggressive diplomatic campaign to help ensure Darren Tang of Singapore prevailed over China’s nominee to lead the U.N. World Intellectual Property Organization.
The horse has just now left the barn when it comes to the Cyberspace Solarium Commission report itself. But policymakers can still build on the momentum described above. Those wanting to incorporate into policy guidance the commission’s national strategic concept of Defend Forward should consider, instead, incorporating the language of the strategic principle that Defend Forward actually represents—seizing the initiative.
The commission’s report and key commission staff acknowledge that both DF/PE and the strategic principle it embodies are effective anchors and touchstones for a national cyber strategy. Let’s move forward and effectively grasp the new opportunities found in the report by building on those acknowledgments.