Cybersecurity and Deterrence

An Outcome-Based Analysis of U.S. Cyber Strategy of Persistence & Defend Forward

By Max Smeets, Herb Lin
Wednesday, November 28, 2018, 8:00 AM

The new U.S. Cyber Command (USCYBERCOM) vision and the Department of Defense Cyber Strategy embody a fundamental reorientation in strategic thinking.

With the publication of these documents, as well as 2017 National Security Strategy and the 2018 National Defense Strategy, there is a general conception among experts that the U.S. has, for the first time, articulated a strategy that truly appreciates the unique “symptoms” of cyberspace. The documents recognize that there is a new structural set of dynamics associated with the new domain of cyberspace that has incentivized a new approach to power competition—in particular, that hostile or adversarial behavior below the threshold of armed attack could nevertheless be strategically meaningful (that is, change the balance of power).

Yet most cyber experts have also argued that the ‘medicine’ prescribed by the Defense Department  and USCYBERCOM should be further scrutinized. Indeed, the side effects of the strategy of “persistent engagement” and “defend forward” are still ill-understood. As we have argued elsewhere, a United States that is more powerful in cyberspace does not necessarily mean one that is more stable or secure. More research is required to better understand adversarial adaptive capacity and escalation dynamics.

We should note that the Department of Defense lexicon has not yet provided a formal definition of “defending forward.” We suspect the formal definition that is ultimately adopted will be similar to the earlier concept of “counter cyber,” though with an emphasis on adversarial cyber campaigns (instead of ‘activities’): “A mission that integrates offensive and defensive operations to attain and maintain a desired degree of cyberspace superiority. Counter-cyber missions are designed to disrupt, negate, and/or destroy adversarial cyberspace activities and capabilities, both before and after their employment.”

Scholarship to date has mainly pointed out that this new U.S. strategic thinking could be escalatory, but it has not sought to spell out the specific causal mechanisms and scenarios as to how the consequences of the strategic shift may unfold.

In a forthcoming article, part of an edited volume on offensive cyber operations published by the Brookings Institution (entitled “Bytes, Bombs, and Spies: Strategic Dimensions of Offensive Cyber Operations”), we systematically address some of these conflict outcomes. Specifically, we consider the four general outcomes possible over time with two outcome variables: a more (or less) powerful U.S. and a more (or less) stable cyberspace.

 

 

 U.S. power relative to adversaries

 

 

More

Less

Stability

More

More powerful & More stability

Less Powerful & More stability

Less

More powerful & less stability

Less powerful & less stability

 

The Optimal Outcome

From the U.S. standpoint, the optimal outcome is a United States that is more powerful in cyberspace along with a more stable cyberspace. Indeed, from the U.S. standpoint, the former will lead to the latter. A more stable cyberspace will involve norms of acceptable behavior, less conflict and so on.

One path towards this rosy outcome is that the strategy does what it is said to do: Creates significant friction and makes it hard for adversaries to operate effectively. Adversaries realize that the U.S. strategy of persistent engagement makes it more difficult to conduct various offensive cyber operations, and they have no strong incentives to escalate as it may trigger a U.S. response in the conventional domain. USCYBERCOM has the advantage from the beginning.

Some argued at the first USCYBERCOM symposium that persistent engagement may first lead to a worsening situation before it gets better. This outcome is possible under one of two conditions. First, USCYBERCOM could initially be unable to seize the initiative from a capacity perspective, but become increasingly better at it in the future. This may well be true: USCYBERCOM is still continuing to develop its cyber capacity. Even though the Cyber Mission Force (CMF) has achieved full operational capability, it will take time for the new workforce to operate capably and ensure the effective coordination of all units.

The second condition is that other actors could increase their hostile cyber activity in the short term, but become less hostile in the long run. This condition is much less likely to be true: Other actors are likely to adapt to U.S. activities over time rather than to reduce their own activities, and the expected number of actors with hostile intent in this space is likely to increase over time.  For example, FireEye recently reported on the “rise of the rest,” arguing that the world has seen a growing number of advanced persistent threat (APT) groups attributed to countries other than Russia or China.

Another more powerful and more stable situation analyzed in the paper could—perhaps paradoxically—be described as “deterrence through a strategy of persistence.”  In this particular outcome, the main threat actors are initially cautious to act, following the release of U.S. new strategy. However,  this is unlikely: Other actors will probably not exhibit caution to see which way the wind blows before acting. An excerpt from Lt. Gen. Nakasone’s nomination hearing to serve as director of the NSA is telling:

            Sen. Sullivan: They [our adversaries] don’t fear us.

            Gen.Nakasone: They don’t fear us.

            Sen. Sullivan: So, is that good?

            Gen. Nakasone: It is not good, Senator.

As a follow-up to Sen. Dan Sullivan’s question, Sen. Ben Sasse asked: “Is there any response from the United States Government that’s sufficient to change the Chinese behavior?... Do you think there’s any reason the Chinese should be worried about U.S. response at the present?” Lt. Gen. Nakasone responded: “Again, I think that our adversaries have not seen our response in sufficient detail to change their behavior.” In line with this notion, it is unlikely that the publication of the strategies alone will be sufficiently threatening to lead to this optimal outcome.

Less Optimal Outcomes

One path towards escalation involves adversaries becoming more aggressive and conducting attacks that are highly disruptive to society—in other words, adversary activity leads to a less stable cyberspace. This could be the result of either an adversary’s increased willingness to conduct attacks using existing capacities or increased capacities of the adversary. Indeed, with respect to the latter, the U.S. vision—and associated changed course of action—may encourage other actors to grow their budgets to conduct offensive cyber operations. The proliferation literature on weapons of mass destruction has extensively covered the role of special interests in stimulating demand for weapon development. This makes it a strong possibility that the new U.S. vision can be used by those groups within a given country favoring a growing cyber command to justify and lobby for increased military spending.

A second possibility is that increased U.S. offensive cyber activity that operates below the threshold of armed attack activity reduces the value of cyber norms of behavior that support a more stable cyberspace.  Even today, some observers believe that the high level of offensive activity in cyberspace today demonstrates quite forcefully that nations find value in conducting such activity, and that such activity points to the difficulty of establishing a more peaceful cyber norms regime. These observers argue that there is no reason to expect that increasing the U.S. contribution to such activity worldwide will make it easier to establish such a regime. Finally, a third possibility is that increased U.S. offensive cyber activity will complicate diplomatic relations with allies and other nations whose cyber infrastructures are used in support of such activity.

Increased aggressiveness by adversaries could also result from growing incentives to conduct offensive cyber operations of a highly disruptive nature. In this case, heightened aggressiveness might be a symptom of the U.S. strategy actually being effective in making the U.S. more powerful. Consider, for example, the current war against the  Islamic State: losing territory and grip in the Middle East, the terrorist organization is said to be keen to recruit followers in Europe and other places in the world to conduct attacks outside of Iraq and Syria. These attempted mass killings are a way  to show that the group still needs to be feared and potentially to help recruiting—but they do not change the balance of power in the region. Actors in cyberspace might become more noisy and aggressive purely to increase friction, gain attention and so on —and perhaps also to influence international public opinion in ways that drive the United States toward changing its strategy.

Finally, worst-case outcomes—that is, a United States that is less powerful in cyberspace along with a less stable cyberspace—could stem from a multitude of sources. One possibility is that the United States could overplay its hand in terms of cyber capabilities. The USCYBERCOM is operating in a space in which it has to seize the initiative against a large and ever-growing number of actors. The dangers of fighting on multiple fronts—even for the most capable actors—are well known from conventional warfare. As the number of potential cyber “fronts” is much higher compared to conventional warfare, the risks of overextension have become much higher as well. The Defense Department vision’s explicit focus on Russia and China, following the USCYBERCOM vision’s silence on the issue of priorities, makes us less concerned about this scenario —though it is still a possibility.

Final Word

After initial, prompt analysis from the scholarly community of the strategies, the country now needs systematic research on how persistent engagement and defend forward may play out. We believe that outcome-based analysis is one desired form of research which could be expanded. (One important limitation of our analysis is that we do not pay sufficient detail to risks of the U.S. not changing its course of action.)

Other research in this field is would be helpful as well—consider case study analyses. Russia conducts very different cyber campaigns to affect U.S. sources of power than does China, and defend forward will thus look very different in both cases. But how the U.S. should defend forward  for each specific case, in order to optimize power gains and reduce escalation, has not yet been addressed. This work is needed.

Also, the question is not just how adversaries will respond to the change in U.S. strategy. It is equally important to analyze the behavior of allies. With the implementation of this strategy, will allies follow? Or will they stick to the general deterrence-type strategies?

The bottom line?  More research is needed—let’s get to it.