Cybersecurity and Deterrence
Persistent Engagement: Foundation, Evolution and Evaluation of a Strategy
In 2018, U.S. Cyber Command was elevated to a unified combatant command, one of only four of these functional commands in the U.S. military. To harken the institution’s independence, Cyber Command released a strategic vision announcing a new concept of persistent engagement. The document explained that:
Superiority through persistence seizes and maintains the initiative in cyberspace by continuously engaging and contesting adversaries and causing them uncertainty wherever they maneuver. It describes how we operate—maneuvering seamlessly between defense and offense across the interconnected battlespace. It describes where we operate—globally, as close as possible to adversaries and their operations. It describes when we operate—continuously, shaping the battlespace. It describes why we operate––to create operational advantage for us while denying the same to our adversaries.
Persistent engagement, in other words, means that the newly elevated Cyber Command will be everywhere, all the time and in all ways.
As well as an articulation of a command vision, the document was a repudiation of the previous seven years of cyberspace strategy under Strategic Command and the Obama administration. Shortly after Cyber Command achieved initial operating capability as a subunified command, the Obama White House published the 2011 International Strategy for Cyberspace, which articulated a largely optimistic view of cyberspace as an environment with clear collective good for humanity—a perspective informed by the recent events of the Arab Spring. Accordingly, the strategy sought to uphold the universal good of an open and interoperable, secure and reliable cyberspace primarily through norms, diplomacy, active law enforcement, and dissuasion and deterrence. The document called for little from the Defense Department, asking the military simply to “recognize and adapt to the military’s increasing need for reliable and secure networks, build and enhance existing military alliances, and to expand cyberspace cooperation.” Even the document’s understanding of deterrence was predicated largely on resilience and proportional threats of punishment, promising to
reserve the right to use all necessary means—diplomatic, military, and economic—as appropriate and consistent with applicable international law ... we will exhaust all options before military force whenever we can; we will carefully weigh the costs and risks of action and of inaction; and will act in a way that reflects our values and strengthens our legitimacy and international support whenever possible.
The four years after the 2011 strategy saw an exponential increase in the scope, severity and diversity of cyber hacks and attacks. In that time, Iran launched the Shamoon virus attack against Saudi Aramco, a series of coordinated attacks against U.S. financial institutions and dams, and a daring exploitation of U.S. Navy networks. China hacked into the Office of Personnel Management, stealing sensitive data about thousands of U.S. federal employees while also conducting wide-scale intellectual property theft. Russia was increasingly active and overt in its exploitation of critical infrastructure in Ukraine as well as in U.S. military networks. Finally, North Korea launched a series of ransomware attacks and the attention-grabbing hacking, blackmail and destruction campaign against Sony.
Despite the increase in both the scope and the sophistication of cyber attacks against the United States in that time, the 2015 Defense Department Cyber Strategy (like the 2011 International Strategy for Cyberspace) still relied mostly on norms and deterrence to combat cyber threats. The document called for the Defense Department to “be prepared to” defend the U.S. homeland and to “build and maintain viable cyber operations” in order to “control escalation.” This strategy focused on responding to and preparing for cyber incidents and leaned heavily on deterrence—by denial and punishment—as the primary line of effort for ensuring the open and secure use of cyberspace. Government responses to cyber incidents from 2011 to 2015 centered mostly on economic, diplomatic and legal activities, and the Defense Department was largely positioned to support other agencies rather than acting on its own. As former Secretary of Defense Chuck Hagel asserted in 2014, the Pentagon “will maintain an approach of restraint to any cyber operations outside the U.S. Government networks. We are urging other nations to do the same.” While the Defense Department’s 2015 cyber forces were placed primarily in a reserve and deter posture, however, they were experiencing exponential growth: 133 new cyber mission teams were developed, and four service cyber commands began to equip, train and operate cyber forces to support operations on the air, land and sea.
Persistent Engagement: Foundation and Evolution
The 2018 Cyber Command Strategic Vision should be understood within the context of the previous eight years, during which cyber institutions within the Defense Department grew in manpower and funding without similar growth in roles, responsibilities and authorities. The vision’s call for persistence is, therefore, not as much an articulation of a new stand-alone strategy as it is a counterargument against the deterrence-based and norms-based strategies of the Obama administration. In other words, the vision is less about what it is and more about what it is not.
This is exceedingly evident in Michael Fischerkeller and Richard Harknett’s 2017 Orbis publication, “Deterrence Is Not a Credible Strategy for Deterrence.” The piece, written during Harknett’s time as a scholar in residence at Cyber Command, foreshadows the Cyber Command Strategic Vision, and sets the foundation for persistent engagement by arguing for the uniqueness of cyberspace due to the interconnected and constantly interactive qualities of the “domain.” The piece then reasons that cyberspace’s uniqueness makes deterrence futile, instead proffering persistent engagement as a distinct strategic alternative. Fischerkeller and Harknett conclude that persistent engagement should be seen as an alternative to the Obama administration’s strategies of restraint.
Harknett and Fischerkeller extend their argument in Lawfare, proffering persistent engagement as a substitute for other more explicit norm-generation activities heavily emphasized under the Obama administration (in particular, United Nations Group of Government Expert negotiations, diplomacy and economic sanctions). They then offer a framework of tacit bargaining and agreed competition to explain how persistent engagement might create a bounded zone of contestation in cyberspace. Throughout their work on the subject, Harknett and Fischerkeller assert that actions taken in cyberspace carry limited escalation risk—an assumption that is the linchpin of persistent engagement’s viability as an alternative to restraint strategies that rely on deterrence and explicit norms.
Meanwhile, Cyber Command has also experimented with the concept. Perhaps most tellingly, a recent article by commander of Cyber Command Gen. Paul Nakasone in Joint Forces Quarterly details the implementation of persistent engagement since the elevation of the command. As Gen. Nakasone explains,
This persistence force will contest our adversaries’ efforts in cyberspace to harm Americans and American interests. It will degrade the infrastructure and other resources that enable our adversaries to fight in cyberspace. Over time, a persistence force, operating at scale with U.S. and foreign partners, should raise the costs that our adversaries incur from hacking the United States. To protect our most critical public and private institutions from threats that continue to evolve in cyberspace, we cannot operate episodically. While we cannot ignore vital cyber defense missions, we must take this fight to the enemy, just as we do in other aspects of conflict.
Nakasone’s vision of persistent engagement in practice seems to have animated a reported Cyber Command campaign against the Russian Internet Research Agency, in which the command conducted cyber-enabled information operations and other counter-cyber activities to dissuade and degrade Russian election interference in the 2018 midterms. The team designated to counter Russian threats is now a permanent unit, signifying the codification of issue- and adversary-centered task groups within persistent engagement.
Together, the Nakasone article and the Harknett and Fischerkeller dialogue suggest that persistent engagement consists of four characteristics. First, Nakasone states explicitly that persistent engagement transitions U.S. cyber defense strategy from a “be prepared” or crisis response stance to one of ongoing and indefinite operations—less like fortifying for a possible siege and more like surviving one. The codification of the issue-centered task groups like the counter-Russia unit illustrates how persistent engagement might organize. In this form, persistent engagement looks a lot closer to conflicts like the war on terror—which have no geographic or temporal boundaries—than Pearl Harbor, or even the conventional geographic campaigns that dominate U.S. defense planning.
Second, the discussion about persistent engagement suggests a move away from solely defending the Department of Defense Information Network and toward critical infrastructure and domestic partnerships. The prominence of the Cyber National Mission Teams and initiatives like Project Indigo (Cyber Command’s information-sharing collaboration with the finance sector) reveal the more active role that the Defense Department is taking in relation to the private sector under the Trump administration and the new Command Vision.
Third, persistent engagement is the strategic umbrella underneath which “defend forward”—a concept presented in the 2018 Defense Cyber Strategy, which promises to counter adversary cyber operations outside of U.S. Department of Defense networks “at their source”—can take place. There is still significant debate about the scope of the actions or effects defend forward might encompass, all the way from benign cyber network exploitation of adversary cyber capabilities, to cyber-enabled influence operations, to cyber attacks that degrade an adversary’s ability to use its offensive cyber capabilities. What is clear, however, is that the Defense Department believes defend forward actions can be preemptive, which is possible only with persistent engagement. Most importantly, both defend forward and persistent engagement suggest that increasing friction to adversary cyber capabilities is essential to strategic success.
Finally, discussion about persistent engagement both asserts and assumes that cyber operations can occur under the threshold of armed conflict. In fact, Harknett and Fischerkeller argue that persistent engagement increases incentives and generates norms for states to tacitly recognize a firebreak between cyber operations and other more conventional means of conflict. They go on to suggest that the implicit norms of agreed competition created by persistent engagement in cyberspace will create a sort of pressure valve that allows space for competition without escalation. This is a key assumption for the strategy because restraint under the Obama administration was largely tied to concerns about escalation. If persistent engagement is a counter-strategy to deterrence and norms, then it needs to solve apprehension that the use of cyber operations will create incentives for escalation.
Evaluating Persistent Engagement
Are the assumptions that underlie persistent engagement appropriate, and what are the limitations of the concept? Recently, James Miller and Neil Pollard have argued that the concept is too confident in its ability to bound cyber actions within tacit escalation limits—a critique also leveled by Max Smeets. It is almost impossible to prove assumptions about escalation. So much of escalation is based on perceptions (for instance, Miller and Pollard seem to have different beliefs about where economic or diplomatic measures sit in a escalation ladder) that it is both impossible to say that an action will never lead to escalation or that it will always lead to escalation.
However, existing evidence from big data analyses, survey experiments and war games suggests that cyberspace operations rarely create incentives for escalation to armed conflict. These scholarly explorations cumulatively suggest that individuals feel differently about cyberspace than other means of competition or conflict—a conclusion that largely supports the ideas behind persistent engagement. However, escalation is in the eye of the beholder—and the recent Israeli air strike against Hamas cyber operatives also supports Miller and Pollard’s concerns about a strategy predicated on assumptions about escalation bounds.
Herb Lin and Max Smeets also fault the vision for its promise to engage in all ways, in all times and in all places without articulating a prioritization of objectives and means. In this, Lin and Smeets identify one of the biggest problems with persistent engagement. While Harknett and Fischerkeller argue that the vision is a strategy because it includes “ends, ways, and means,” effective strategy is also about articulating limitations, challenges and priorities. How will we accomplish what we value given our limited resources and a proliferation of threats? It remains undertheorized how a strategy that promises so much can actually be accomplished. The vision, in general, is agnostic to the types of threats, actors or effects that will be engaged persistently, as well as vague about the resources required to execute the vision. Tellingly, Harknett offers a high bar for implementation, arguing that the “strategy succinctly outlines the: how (seamless), where (global), when (continuous), and why (achieve operational advantage).”
The reality is that persistent engagement will require significant investment in technical platforms, talent, and access to adversary networks and software, as well as institutional maturation for the acquisition of technology and manpower. In 2018, during its first year of budget authorities, Cyber Command executed just $43 million in contracts (in contrast, Special Operations Command manages a procurement portfolio of $2 billion). It remains unclear how much Cyber Command will need to invest in technological procurement to persistently engage, but—based on comparisons to Special Operations Command—it will likely require significantly more contracts than what the command can at present execute. Similarly, while the Defense Department has made strides in creative responses to talent gaps (cyber excepted service, direct commissioning programs, etc.), there continues to be a significant shortage of cybersecurity forces within the Pentagon specifically and the U.S. government more broadly.
Additionally, for persistent engagement to occur seamlessly and continuously, the U.S. will need to continue its move away from the joint planning process, which involves a large and inflexible bureaucratic procedure to allocate manpower, resources and authorities in response to triggering adversary activity (for instance, a conventional attack on an ally or the United States). So far, issue-based task forces—like the Russia task force and Joint Task Force Ares in Syria—have played a more important role in cyber campaigns than the joint planning process, which aligns cyber operations to conventional war plans. However, the increased normalization of task forces also opens a series of questions about how to best use task forces in Defense planning. When, for example, will the mission of the Russia cyber task force be complete—after the 2020 election, or the 2022 election, or never? And is the task force’s success determined by the inviolability of election data, the amount of influence Russia exerts on social media or the U.S. public’s belief in the integrity of the country’s electoral processes? Further, what are these task forces’ relationships with campaign plans, and, more granularly, how big and how scoped should task force aims be? Determining what constitutes success is exceedingly difficult, particularly given how the U.S. tends to struggle with theories of victories or measures of success in long-term conflicts or competition.
Finally, the “why” behind persistent engagement is probably the most important part of a successful strategy and why measuring task force success is such a difficult problem. Here I fundamentally disagree with Harknett’s assertion that persistent engagement aims to “achieve operational advantage.” It is unclear what operational advantage would mean for the U.S., especially in cyberspace. If the bar for success is just having the “advantage to conduct operations” (as currently defined in the Cyber Command Vision), then it will be hard for persistent engagement to measure whether or not it is ever successful. A clearer linkage between open, interoperable, reliable, and secure cyberspace and persistent engagement could help clarify priorities and success indicators for the strategy. For example, are there indicators within the economy that would suggest the strategy is more or less successful? Are digitally dependent industries no longer profitable? Are communities making decisions to avoid internet-dependent governance because of threats to cyber security? It is impossible to evaluate whether or not persistent engagement is successfully able to maintain an open, interoperable, reliable and secure cyberspace without more work to quantify the benefits that the U.S. receives from these characteristics.
So far, persistent engagement seems to base success only on whether or not an adversary is able to conduct cyber operations against the U.S. However, true success is not binary and, instead, is based just as much on the benefits that can be garnered from cyberspace as on how many attacks occur against the United States. In fact, the true story of the past eight years of cyber engagement may be the resilience and perseverance of the American economy and military despite a significant increase in cyber attacks.
As Miller and Pollard argue, it is helpful to think beyond the novelty of cyberspace and frame cyberspace strategy within the context of larger economic, diplomatic and military initiatives.Certainly, the idea of long-term competition and conflict with controlled escalation is not new—in fact, this concept guided much of the U.S. foreign policy during the Cold War. In 1947, George Kennan argued for a strategy of containment, arguing that the threat of communism “cannot easily be defeated or discouraged by a single victory ... and the patient persistency by which it is animated means that it cannot be effectively countered not by sporadic acts ... but only by intelligent long-range policies.” Faced with what he saw as a looming ideological-political threat to the core values of the U.S., Kennan advocated the containment of Soviet influence through a series of long-term competition measures including counter-force, diplomacy and deterrence measures.
Central to Kennan’s strategy was an articulation of what mattered to the long-term prosperity and success of the United States—something that persistent engagement needs in order to clearly prioritize the Defense Department’s limited cyber resources. Indeed, one of the most challenging aspects of containment was the difficulty in determining success at any point prior to the fall of the Berlin Wall. The containment analogy also reveals the difficulty of conducting a winning long-term competition, as many would argue that the constant friction of the containment strategy led the U.S. into a series of proxy wars and an expensive, costly and difficult-to-assess foreign policy. For persistent engagement not to fall into the same traps as containment, those implementing the strategy must think concretely about the measures required for success and prioritize limited resources to obtain these measures.
Perhaps the greatest promise of persistent engagement is the transition it represents from event-based strategies to long-term and objective-based strategies. This has larger implications for competition across domains, as Miller and Pollard allude, and nests squarely under the China- and Russia-focused strategies introduced by the National Defense Strategy and National Security Strategy. These strategies, like persistent engagement, see the U.S. in a current and ongoing competition for economic and political power across economic, diplomatic and military domains. They also argue that the U.S. has ceded much of its advantage in this competition because of adversaries’ willingness to conduct attrition operations below the threshold of armed conflict.
Persistent engagement in cyberspace echoes these themes, suggesting that experimentation with the strategy has implications beyond cyberspace. In particular, the issue-based task forces that have emerged to respond to cyber competition are an interesting alternative for defense planners previously confined by the rigid joint planning process and looking to counter maritime militias, influence operations, intelligence actions or force posturing below the threshold of armed conflict. These so-called “gray zone” operations have been difficult to frame within traditional campaign phases of conflict, which start with deterrence and move quickly to armed engagement and full-out conflict. Task forces may provide (as Fischerkeller and Harknett have argued) a pressure valve alternative that will allow the U.S. to compete without resorting to the execution of military campaigns (and inadvertent escalation).
Finally, for persistent engagement to move from a Cyber Command wish list to an executable strategy, it must more concretely articulate what the U.S. and the Defense Department value in cyberspace and how it will grapple with limitations on resources and time, and it must continue to experiment with plans and processes. Confronting limitations and creating prioritizations can help move persistent engagement from simply a counterargument to deterrence to a strategy in its own right.
These comments represent the author’s own views and do not represent those of the Naval War College, U.S. Navy or the Department of Defense.