Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.
Every day, headlines tell the same stories. Another large-scale cyber intrusion steals millions of users’ data. Another city is held hostage by a ransomware attack. Another state is caught spreading disinformation through social media and probing networks for ways to undermine democratic institutions and elections. More malware is found on critical infrastructure.
It isn’t war, but it certainly doesn’t feel like peace. The United States has not been able to deter adversaries from using cyberspace to attack American interests. We are witnessing a new era of political warfare and subterfuge. The networks that connect people around the world and power the modern economy provide the perfect domain for undermining powerful states and robbing businesses and individuals on an entirely new scale.
Forging 21st century strategy starts with acknowledging the fundamental dilemma that the more connections we make, the more vulnerable we become. Connectivity changes the character of strategy, a trend identified by multiple studies including works by Anne-Marie Slaughter, Joseph S. Nye Jr., Zeev Maoz, Parag Khanna, and Charles Cleveland and colleagues. This is why the United States must reestablish deterrence in cyberspace to protect the connectivity now at the heart of our society.
To that end, the Cyberspace Solarium Commission developed a new approach to securing American interests in cyberspace: layered cyber deterrence. The strategy is a whole-of-nation approach, prioritizing public- and private-sector collaboration to make it more costly for adversaries to use cyberspace for competition beneath the threshold of armed conflict. The strategy seeks to adapt rational deterrence theory for the reality of 21st century connectivity and to reduce the severity and frequency of attacks by changing the cost-benefit calculus for actors deciding whether to attack in cyberspace. It fits within the larger, ongoing dialogue about how to think about an old concept—deterrence—and its efficacy in cyberspace.
The strategy envisions three protective layers that limit adversary options for using cyberspace. In the first layer, the strategy outlines policies to shape adversary behavior by building on America’s competitive advantage: its enduring network of allies and partners. Working with these partners, the United States will promote responsible behavior in cyberspace and use nonmilitary instruments to isolate malign actors. In the second layer, the strategy denies benefits to state and nonstate actors by reshaping the cyber ecosystem and making it more difficult to attack American interests through cyberspace. The policies that support this deterrent posture require a whole-of-nation approach that creates incentives for public- and private-sector collaboration to secure cyberspace. It prioritizes defense and resilience. In the third layer, the United States retains the ability to impose costs on adversaries in cyberspace by ensuring it has the capability and capacity to defend forward. In fact, defend forward—a historical posture dating back to the early Cold War—becomes a new guiding principle about how to combine actions in each layer to deter adversary use of cyberspace in a manner consistent with international law.
Actions in each layer are multiplicative and change how states and nonstate actors calculate the anticipated costs and benefits of using cyberspace to target an adversary. Unlike Cold War-era nuclear deterrence, where even a single use risked dangerous escalation, the objective here is to reduce the overall severity and frequency of cyberattacks of significant consequence. While there will still be attacks, over time the severity of the strategic threat should diminish and will no longer undermine the American economy and society.
Layered cyber deterrence stands in contrast to calls for forgoing the prudence of coercive diplomacy and statecraft for the false promise of persistent offensive cyber operations. Unlike persistent engagement, layered cyber deterrence is a whole-of-nation strategy that combines multiple instruments of power and focuses less on offense and more on defense based on positive national security objectives linked to long-term strategy. For the architects of persistent engagement, undefined structural features of the international system and the operating domain undermine the credibility of deterrence in cyberspace. From the perspective of the Cyberspace Solarium Commission, the degree to which the structure of the international system has changed is less significant than the degree to which connections between states and society have grown. The world still has great powers, international institutions and globalized economic activity. The goal is to protect those connections, not use them to launch fleeting attacks in cyberspace.
Advocates for persistent engagement also tend to treat cyber interactions as independent domain phenomena, hacker-versus-hacker, with limited risks of escalation. They do not factor cross-domain dynamics, the efficacy of coercion in cyberspace or the limits of cyber strategy. Cyber operations cannot be considered in isolation. States respond to cyber intrusions using threat of military force, legal indictments, sanctions and a host of instruments. Furthermore, the fact that 85 percent of critical infrastructure is in private hands changes how states think about competition in cyberspace. A nation cannot go on the offense, unless private networks are sufficiently secure and resilient and the state can ensure continuity of the economy and other measures required to bring networks back online after a major cyber incident. Layered cyber deterrence therefore focuses on deterrence by denial to protect the connectivity we all rely on in the 21st century.
The articles in this Lawfare series will discuss the policy pillars, key recommendations and overarching theory of competition in the strategy. The process that generated these recommendations—many of which are already informing legislative proposals before congressional committees—says something about how to craft 21st century strategy. The commission took nine months, divided into distinct phases, to develop layered cyber deterrence. In the first, research phase, staff traveled around the world and conducted more than 200 interviews with a variety of experts. They presented their initial findings to the members of the commission and debated emerging ideas. In the second, deliberation phase, an event modeled after the original Eisenhower administration Project Solarium and red team review was held to help translate ideas about strategy into tangible recommendations. If strategy is the art of creating power, then translating power into outcomes requires careful consideration of the policy trade-offs. The third, rollout phase focuses on engaging the public and began once the commission finalized the report. Strategy in a democracy requires contributing to the marketplace of ideas. The commission hopes that the articles in this series will inspire readers to challenge us and help us refine layered cyber deterrence so that we can secure 21st century connectivity.