Cybersecurity and Deterrence

Progress Is the Promise in National Cybersecurity Strategy

By Richard J. Harknett
Monday, March 23, 2020, 3:20 PM

How can progress be measured when it comes to shifts in national security strategy and practice? Several assessment variables might include changes in official national guidance, legal authorities, types of campaigns or operations, lexicon used in national security discourse, and early results of the application of those changes. Since 2016, with the introduction of the construct of persistent engagement and the subsequent development of defend forward, all these variables have changed in a positive manner.

National guidance has certainly shifted since 2016. The 2017 U.S. National Security Strategy recognizes that cyberspace is enabling strategic competition. The 2018 National Defense Strategy claims a role for the U.S. Department of Defense in managing cyber competition below the threshold of armed attack. The 2018 Defense Department Cyber Strategy recognizes that the majority of cyber activity is taking place short of war in pursuit of strategic ends. While noting the continued need to deter cyber-enabled war, the Defense Department strategy calls for engaging simultaneously against persistent activity that is short of armed conflict. Finally, U.S. Cyber Command publicly articulated the operational strategy—persistent engagement—that aligns with these shifts in guidance.

Legal authorities and presidential directives have also changed. Congressional legislation treating cyber operations as traditional military activities, along with reported new authorities under National Security Presidential Memorandum 13, are enabling continuous defensive and offensive operations. These align with the expectations of persistent engagement and its partnering construct of defend forward. The latter was initially introduced as a concept within persistent engagement, but the Defense Department has embraced defend forward as its strategy and understands it as encompassing both persistence against malicious cyber activity below the threshold of armed conflict and deterrence of war.

Additionally, the empirical record has shifted as cyber operations in the 2016 contest with the Islamic State, in relations with Iran, and in defense of the 2018 midterm election successfully advanced the core strategic principle behind persistent engagement: seizing the initiative in cyberspace. All three examples reportedly relied on aspects of persistent engagement, including introducing organizational friction to unbalance adversaries and reorient them away from attacking the U.S. and toward having to find the weaknesses in their own networks. These operations all incorporated the core of persistent engagement as an operational strategy: anticipating the exploitation of U.S. vulnerability before it is exploited, while simultaneously exploiting adversary vulnerabilities to advance, primarily, an overall defensive objective.

The Cyberspace Solarium Commission report now can be added to the list of evidence that change in U.S. national cybersecurity thinking—although neither linear nor easy—is occurring. In 2016, while serving as scholar-in-residence at U.S. Cyber Command, I wrote a short white paper calling for a Cyber Solarium exercise. The core framework and language of that precis, including the notion of persistence, was translated into the 2019 National Defense Authorization Act section establishing the commission. The commission’s 75 recommendations, some if acted upon today and others if studied more deeply, can improve U.S. cybersecurity and sustain the momentum that has been occurring in the United States since the construct of persistent engagement first began to shape U.S. government thinking in 2016. (I served as a red team member to the commission; however, this post reflects my own analysis and not that of the commission.)

The commission includes persistent engagement and defend forward in the report’s six organizing strategic “pillars”—specifically in Pillar Six, “Preserve and Employ the Military Instrument of Power.” The report adopts the central importance of interconnectedness as an organizing principle, finding that growing connections between states and societies are core to cyber vulnerability. Moving from theory to strategy, the report sees “persistent engagement with adversaries as part of an overall integrated effort to apply every authority, access, and capability possible (e.g., laws, financial regulation, diplomacy, education) to the defense of cyberspace in a manner consistent with international law.” This aligns very well with what Michael Fischerkeller and I have called for during the past few years—an overall “whole-of-nation-plus” model for national cybersecurity. As we concluded prior to the commission’s work,

this is why a “Whole of Nation+” approach (in which all instruments of national power are involved in numerous ways) should be used to blunt the adversary’s achievement of strategic ends—if persistent engagement makes cyber means and/or ways less effective, adversaries will naturally gravitate to using other means and/or ways in other domains and sectors, and the U.S. should anticipate and be prepared for that possibility.

The commission captures the complementarity of a strategy of deterrence and persistent engagement—which Fischerkeller and I have argued links the two strategic environments of competition and war—in the report’s strategic framework. The framework comprises three “layers”—cost imposition (layer 3), deny benefits (layer 2) and shape behavior (layer 1). Persistent engagement populates layer 3 in this framework but contributes, through its execution, to deterrence in layers 2 and 1. We have recently explained on Lawfare how understanding cost imposition within a persistent engagement framework can expand options for U.S. security.

To offer but two examples of the influence of persistent engagement, in a recent speech discussing the legal analysis behind the approach, the Defense Department general counsel explained that “[p]ersistent engagement recognizes that cyberspace’s structural feature of interconnectedness and its core condition of constant contact creates a strategic necessity to operate continuously in cyberspace.” And, as noted in that speech, NSA Director and Commander of Cyber Command Gen. Paul Nakasone has said, “If we find ourselves defending inside our own networks, we have lost the initiative and the advantage.”

The recognition of persistence as a new component of national cybersecurity has created a different focus on the types of activities, partnerships and authorities required to support the operations needed to achieve U.S. strategic objectives. There is now enough of an open-source literature from practitioners, analysts, and academics concerning both cyber persistence theory and persistent engagement for a straightforward assessment of progress and ongoing development. To sustain momentum toward a more secure cyberspace, the U.S. must continue to critically assess elements of this progress. Specifically, the government should continue to develop persistent engagement and defend forward—in both their definition under Defense Department strategy and their application by U.S. Cyber Command—as the Cyberspace Solarium Commission report recommends. And outside analysts should seek to improve understandings of how cyber operations informed by these constructs can continue to make an impact.

All in all, there is much to explore in how persistent engagement and defend forward can continue to contribute to overall U.S. national cybersecurity and that of U.S. allies (who represent the “plus” in the “whole-of-nation-plus” model). However, as with any new paradigm, misunderstandings of core elements remain, and so I offer here a short comparative synopsis of the lexicon, taken from what has been published to date, that reflects how persistent engagement is recasting thought and action. (I am indebted to Emily Goldman for this analysis of the lexicon.)

As the U.S. moves forward in assessing how persistent engagement can advance the commission’s recommendations, consider these fundamental conceptual contrasts when thinking within this new paradigm: Interconnectedness is no longer treated as a mere description (that is, “the internet is global and interconnected”) but is rather understood as the core structural feature of cyberspace. Interconnectedness and the condition of constant contact between entities that it creates are not choices but defining features of cyberspace. Discourse now talks of campaigns—not incidents, intrusions or hacks. Interaction among cyber actors is pervasive but no longer equated with escalation. Operators recognize the need for rules of cyber engagement, not contingency planning options, because activity in cyberspace is continuous, not episodic, and costs and benefits are cumulative, not event based. Security flows from being active and anticipatory, which is not the same as being aggressive (rather, it is just being active); and from seeking initiative rather than privileging inaction and restraint until attacked, and then acting only in response. Action focuses on seizing targets of opportunity because the dynamic terrain of cyberspace makes it virtually impossible to hold targets at risk. The empirical record shows that the most effective cyberspace campaigns and operations have been exploitative, not coercive; that cost imposition is an effect of changing the cyberspace environment, not a strategy to primarily influence adversary cost-benefit analysis/decision-making; and that competition below the level of armed conflict is as strategically consequential as war and territorial aggression.

Admittedly, there are a few future dissertations packed into that paragraph. But the point here is simply that, taken together, the theory of persistent engagement and its operational application—when accurately characterized and assessed—are contributing to the improvement of U.S. national cybersecurity, which the commission seeks. From the beginning, the construct of persistent engagement has shifted the government’s mindset as much as it shifts actual campaigns and operations. Viewed as a framework for assessing cyber challenges, the combination of persistent engagement and defend forward has contributed to positive change over the past several years—shifts in guidance, authorities, policies, planning, and campaigns and operations. U.S. operations defending the 2018 midterm elections were fundamentally different from the approach taken in 2016 or earlier. That is positive progress. What is most “new” in the Cyberspace Solarium Commission report fits well with and can bolster these positive developments.

The Cyber Solarium Commission report offers 75 recommendations. Each will have to be evaluated on its own merits, but the release of the report creates an opportunity to accelerate the progress that already has been made in guidance, authorities, organization, planning of campaigns and operations, and applications. Let’s hope that working together, academics, practitioners and analysts can seize this initiative—just as persistent engagement would counsel.