Cybersecurity and Deterrence

Persistent Engagement Neglects Secrecy at Its Peril

By Lennart Maschmeyer
Wednesday, March 4, 2020, 8:00 AM

The United States Cyber Command is fundamentally changing its cyber strategy, moving from restraint and deterrence toward a posture of persistent engagement. This new strategy is better aligned with the practice of cyber conflict, and its innovativeness is reflected in the lively debate it has generated among scholars and practitioners. Much of this debate has focused on the lack of clarity concerning the strategy’s implementation and the resulting risks of unintended consequences. Some analysts have argued that persistent engagement could provoke escalation due to misperception. Others claim it may cause friction with allies and signal normative acceptance of adversaries’ disruptive operations. The underlying theory has received less attention, however, despite its importance.

The theory of “cyber persistence” that informs the strategy of persistent engagement is a key contribution by Michael Fischerkeller and Richard Harknett. This theory rests on a crucial assumption: that the interconnectedness of modern information communications technology is the fundamental organizing principle of cyber conflict, because it places actors in a condition of constant contact. According to the theory’s proponents, this condition of constant contact is what renders the adoption of a strategy of persistent engagement imperative.

I argue this logic is flawed. Persistence is not required due to a “structural imperative” that follows from interconnectedness, as Fischerkeller and Harknett assert. Rather, the logic works the opposite way. Actors choose to connect—and the need for persistence follows from their subsequent strategic choices to exploit interconnectedness. Persistence becomes relevant only after this choice because the design of the technology requires secrecy for the exploitation to succeed. In other words, the properties of the technology do not require actors to persistently engage adversaries, but they do require actors to operate secretly if they choose to engage. Persistence is only one of several consequences of this need for secrecy. The theory of cyber persistence neglects the central role of secrecy at its peril, undermining the prospects of the strategy of persistent engagement. In this post, I will show that secrecy is crucial for three main reasons.

First, persistence is important not because actors are interconnected, but because the design of information technologies prevents forced entry. Consequently, operators have to sneak into systems undiscovered. Doing so requires not only creativity but also persistence in probing the target for vulnerabilities. It also requires restraint, since premature discovery means failure. Fischerkeller and Harknett do not fully consider the implications of this need for secrecy, instead conceptualizing it as an operational choice actors make to “manage attribution” by choosing to reveal their presence in a system and/or producing effects carelessly enough to allow attribution in order to signal resolve to the victim. This choice reflects a covert mode of operation, defined by obscuring the identity of an actor behind an operation. Yet for the reasons laid out above, cyber operations must typically also operate clandestinely—obscuring the activity itself. In other words, secrecy is a necessity, not an option.

Second, neglecting secrecy misses the parallels between cyber conflict and earlier intelligence contests. Fischerkeller and Harknett develop the strategy of persistent engagement based on the idea that interconnectedness has created an “entirely novel” space of strategic competition where tacitly agreed rules of engagement are only beginning to emerge. This focus on novelty misses the ways in which secrecy links cyber conflict to past intelligence contests, as an increasing number of scholars are pointing out. Importantly, there are already clear, tacitly agreed rules in such intelligence contests, such as the mutual acceptance of espionage, as well as tacit agreement not to conduct reprisals targeting each other’s operational centers. Failing to recognize these similarities puts the strategy at risk of producing potentially dangerous unintended consequences. Unless Cyber Command enjoys overwhelming dominance, once it begins targeting operational centers to generate “organizational friction” as Harknett envisions, adversaries are likely to replicate the strategy. The United States’s operational centers would then be targeted in ways that were hitherto perceived to violate existing norms and increase instability. Rather than cementing stability, persistent engagement risks disrupting it.

Third, the exclusive focus on persistence opens up new strategic vulnerabilities for actors that cleverly leverage the interplay between covert and clandestine modes of operation. A smart adversary could tie down persistently engaging American “cyber warriors” with operations of low covertness, while pursuing a parallel campaign that aims to maximize both covertness and clandestineness to evade detection and achieve strategic aims against the United States.

Interconnectedness and Its Limitations

Interconnectedness is the bedrock of the theory of cyber persistence, determining strategic dynamics in cyberspace and necessitating a strategy of persistent engagement. The theory of cyber persistence, as articulated by Fischerkeller and Harknett, rests on a four-step logical sequence: (a) cyber conflict’s organizing structural principle of interconnectedness (b) places actors in a condition of constant contact with each other, (c) rendering persistent engagement a necessary strategy while (d) limiting escalation risks by facilitating tacitly agreed competition. In other words, proponents of the theory assert that interconnectedness shapes strategic dynamics. And, moreover, they propose that interconnectedness has created “an entirely novel cyber strategic competitive space” in which “cyber actors appear to have tacitly agreed on lower and upper bounds of the cyber strategic competitive space short of armed conflict.” Fischerkeller and Harknett also argue that the properties of this space necessitate a strategy of persistent engagement, writing that “the interconnectedness of cyberspace creates a structural condition that generates a strategic imperative for operational persistence and persistent engagement.” This strategy promises “continuous tactical, operational, and strategic advantage in cyberspace.” Interconnectedness thus lies at the heart of the theory by determining prevailing strategic dynamics and informing necessary strategies to prevail.

This theory is elegantly simple, but unfortunately it rests on flawed and incomplete logic that undermines the prospects of the strategy. Interconnectedness is a clear precondition for cyber conflict—and the core design principle of the internet—but it does not determine the dynamics and outcomes of conflict in the way Fischerkeller and Harknett assert. Interconnectedness is not a fundamental organizing principle because actors can determine their own level of interconnectedness: Actors can choose to disconnect, either temporarily in response to cyber operations or permanently to limit exposure. This capacity is, for instance, illustrated by the increasing segmentation of the internet. Rather than providing an underlying principle, interconnectedness is relevant for cyber conflict because the actors’ choices to maintain a given level of interconnectedness provide their adversaries with opportunities for exploitation. How this exploitation is carried out, and to what ends, depends on the adversary’s strategic preferences and choices. Interconnectedness does not determine the strategic aims, the means chosen to achieve these aims or the conflict dynamics that follow from them. However, the design of the technology requires actors to proceed secretly once they decide to engage.

Why Secrecy Matters

The theory of cyber persistence captures the importance of time in cyber conflict, but it neglects the essential role of secrecy. Cyber persistence posits that actors have the capacity to manage the degree of covertness of an operation. Yet a successful compromise always requires a clandestine approach. Covert operations obscure the origins of an operation but not the activity itself, while clandestine operations strive to obscure both the origins and the activity. Fischerkeller and Harknett cover only the former, asserting that cyber operations are “unique because operators can manage attribution and design operations to generate a range of damage … short of internationally agreed upon definition of use of force.” This capacity, they argue, creates “uncertainty regarding the source of an attack.” In theory, cyber operations are distinguished by their covertness and limited damage potential.

In practice, however, cyber operations are defined by the need for clandestine action—managing covertness becomes a strategic choice only after compromises have been achieved. Cyber operations must proceed clandestinely because information technologies operate based on a set of logical rules and instructions that cannot be overridden by force. Unable to muscle their way in, operators strive to exploit vulnerabilities in targeted systems to use them in unexpected ways. These vulnerabilities are existing flaws in the programming code or the design of hardware. Identifying them and developing suitable means of exploiting them without alerting the system’s owner to one’s presence takes time, persistence and skill. Once discovered, victims can typically neutralize compromises quickly by removing vulnerabilities or simply disconnecting the affected systems. Because premature discovery means failure, cyber operations must proceed clandestinely to achieve the capacity to produce effects against an adversary.

The choice of what effects to produce, and how covertly, follows only after necessary compromises have been established. Contrary to Fischerkeller and Harknett’s conception, secrecy is not an optional feature, but an integral requirement for the success of a cyber operation. For some types of cyber operations, a covert approach may suffice, such as social media disinformation campaigns that dominate current threat perceptions. However, the types of operations persistent engagement mainly aims to counter typically need to be both covert and clandestine because they aim to penetrate adversary organizations undetected. Key examples cited by Fischerkeller and Harknett include the Chinese efforts to compromise U.S. contractors and agencies involved in the development of the F-22 and F-35, a separate campaign striving to obtain personally identifiable information through broad compromises of American organizations across multiple sectors, as well as the North Korean cyber campaign to subvert the Society for Worldwide Interbank Financial Telecommunication. All these examples require the actors to proceed both covertly and clandestinely to avoid discovery at least until the desired effect—information exfiltration in these cases—is produced.

Secrecy matters in two ways. First, it promises two strategic benefits: limiting escalation risks and avoiding reputational costs. Ideally, engaging adversaries clandestinely allows states to get what they want without the risks and costs involved in overt escalation. Second, and importantly, these strategic aims are exactly congruent with the observed low intensity of engagements in cyber conflict. In other words, actors competing in cyberspace pursue low-intensity effects not because interconnectedness prescribes it, but because secrecy allows them to avoid escalation. As touched upon earlier, maintaining a given level of interconnectedness is itself a choice, which actors continue to make in order to reap gains. Consequently, rather than creating a novel strategic space where interconnectedness shapes how actors compete, information technologies have simply provided states with new means to pursue existing strategies for competition under secrecy.

The Strategic Perils of Neglecting Secrecy

Neglecting this role of secrecy leads to two pitfalls. First, the strategy of persistent engagement may inadvertently upend the existing dynamic of competition under secrecy, as perceived by adversaries, leading to unintended consequences and instability. As scholars have noted, past forms of competition under secrecy followed a clear set of tacitly agreed rules—one key rule being the avoidance of reprisals against operational centers. As Stephen Grey underlines, in the Cold War intelligence contest, “by tacit agreement, the superpowers never tried to assassinate each other or take reprisals.” Rather than perpetuating stability under these tacitly agreed rules, persistent engagement may upend it by maneuvering “as close as possible” to adversary operational centers, as Gen. Paul Nakasone has suggested. Persistent engagement thus risks disrupting this strategic space, causing instability by signaling to adversaries that reprisals for intelligence coups affecting operational centers are now fair game. Unless the United States Cyber Command enjoys unrivaled dominance in this competition—which is far from clear based on past cyber conflicts—this change is likely to tie down significant resources in fending off adversary operations aiming to create the same “organizational friction” within Cyber Command that Fischerkeller and Harknett propose to impose on adversary operational centers.

Second, focusing on persistence alone risks opening new strategic opportunities for adversaries that cleverly leverage the advantages of secrecy. This risk is particularly acute if competition intensifies along the lines predicted above. Persistence is certainly relevant to prevail in cyber conflict. But leveraging secrecy is just as—if not more—important. Consider the following scenario: The U.S. implements persistent engagement and robustly engages adversaries—possibly even automatically, as Fischerkeller and Harknett suggest. In this situation, a rational adversary could respond with a two-pronged strategy: blanketing the U.S. with operations that cause low-level irritant effects at moderate efforts to maintain secrecy, accompanied by one or more operations that take intense efforts to avoid discovery. The persistent engagement of the low-level irritants would consume significant resources, leading to defender overstretch if a sufficient number of adversaries engage in such activity at sufficient scale. This overstretch would, in turn, lower the chance of detection of other operations pursuing actual strategic targets. Even as persistent engagement would appear to be working for the U.S., the adversary would clandestinely achieve its true strategic goals.

This scenario is not merely a hypothetical problem, but in line with current practice. The evolution of Chinese cyber operations following the 2015 “anti-spying” agreement between the U.S. and China suggests increased efforts at stealthiness in order to maintain an appearance of compliance. Similarly, the 2017 “Bad Rabbit” ransomware operation leveraged the deceptive use of broad proliferation of malicious code to hide an actual operational focus on high-value targets in Ukraine.

In short, successfully prevailing against adversaries requires not only persistence but also the shrewd employment of secrecy. Focusing on interconnectedness alone obscures this importance, leaving the theory incomplete and the strategy flawed. To fill this gap and strengthen both theory and strategy, scholars and policymakers must move beyond the focus on interconnectedness and integrate the strategic role and utility of secrecy into this emerging framework. For this task, the existing literature on intelligence and covert operations deserves more attention, while more empirical research on the role of secrecy is urgently needed.