Soldiers, Statesmen and Cyber Crises: Cyberspace and Civil-Military Relations

By Jason Healey
Wednesday, March 16, 2022, 8:01 AM

The internet, at the core of cyberspace, was designed to be non-hierarchical, based on substantial trust, with no privileged role for governments and no sovereignty or borders. Engineered into the very physics of the domain, such characteristics are nearly the exact opposite of the traditional, nationalistic military values asserted by Samuel Huntington in his classic “The Soldier and the State,” and they are one reason why the Department of Defense has found it so hard to succeed in cyberspace. 

These dynamics of cyberspace and conflict are driving fundamental shifts that the military and society will have to surmount. The study of civil-military relations “largely focuses on the control or direction of the military by the highest civilian authorities in nation-states,” which is sufficiently broad enough to cover some of these shifts but not others. 

Taking into account both objective political control (professionalism and culture) and subjective political control (more direct oversight), this post explores issues and recommendations across three broad areas: challenges unique to the cyberspace domain, challenges common with traditional civil-military relations, and challenges that are a combination of the first two. 

Challenges Unique to the Cyberspace Domain

First, cyber civil-military relations must expand to include intelligence. Cyber conflict has recently been assessed to be an intelligence contest, a finding matched by the history and practice of the U.S. military. Most obviously, the commander of U.S. Cyber Command is dual-hatted as the director of the National Security Agency (NSA), simultaneously an intelligence professional and a manager of (online) military violence. The most explosive example of political-military-intelligence tensions was the shattering details of the NSA’s electronic spying bursting into the news through revelations by Edward Snowden. 

Second, senior military officers historically tended to resist new wars, mindful of the cost in blood. Since cyber conflict is not hell, generals and admirals may favor a cyber fight rather than a physical one, with a greater chance of the situation taking on a life of its own from political control. 

Third, cyber conflict is an awkward fit with military preferences of civil-military relations. As one former chairman of the Joint Chiefs of Staff described it, “Military leaders generally believe that the less civilian oversight in the conduct of operations the better.” Political leadership should determine the nation’s abiding interest, and when to commit the military to advance those interests, and then “give the military autonomy on the implementation of how to fight.”

Since the U.S. military has directly engaged with adversaries in cyberspace, it has insisted on quasi-wartime rules of engagement. At least one member of the Joint Chiefs of Staff believes “we’re at war right now in cyberspace,” so it’s no wonder the military wants fewer operational constraints to “defend forward” and “pursue attackers across networks and systems.” 

But cyber conflict has lacked dividing lines between war and peace, so there has been no clear moment for when the politicians or the military should tag in the other. Cyber conflict is not only a “persistent engagement” taking place in this gray zone, but it will also have no end: “[S]uperiority in cyberspace is temporary,” in the words of Gen. Paul M. Nakasone, the commander of U.S. Cyber Command. 

There can be no exit strategy, no lasting or decisive victory in cyberspace after which the cyber GIs return home: “[C]onflict will not end in lasting victory or defeat for any side, but rather be an endless ebb and flow of operations and campaigns marked by waxing and waning of competing national capabilities.” What is the role of political control during a never-ending military conflict that involves nuclear-armed rivals and happens to be fought online? 

Fourth, U.S. military culture can discount and misunderstand the role of private-sector entities, which don’t just own most of the domain but are the most powerful actors. 

When Nakasone says his cyber forces must “maneuver seamlessly across the interconnected battlespace, globally[,]” he means in systems that are usually someone else’s property, as much as the Defense Department hides this fact behind the euphemism of “gray space” systems. 

The Defense Department has advanced capabilities, but these are limited mostly to protecting government networks, spying or shooting back. These powerful military tools cannot fix the internet at scale (as can, say, Microsoft or Google), directly thwart adversaries at scale (like CrowdStrike or Mandiant can), share intelligence at scale (as does Cyber Threat Alliance), or reinforce core infrastructure during attacks (like Cloudflare or Verizon does). 

These companies are the supported command, not the supporting command, or like the host nation during an insurgency, and “have the agility, subject matter expertise, and ability to change cyberspace directly to resolve incidents decisively, usually while the government is still arguing about what should be done and which agency has the right authority.” 

Military strategies embrace the private sector not as the historically decisive force it has been but, invariably, as a lesser priority (fourth out of five in the 2011 strategy and fifth out of five in the 2015 and 2018 versions, and U.S. Cyber Command Vision). 

Traditional Challenges, Applied to Cyber Conflict

While the preceding challenges are relatively novel, a substantial amount of previous civil-military findings apply to cyber conflict.

First, the central issue of civil-military relations is that the “very institution created to protect the polity is given sufficient power to become a threat to the polity.” At its most obvious and extreme, politicians might abuse the military to repress dissent and retain power. It is unfortunately no longer far-fetched to imagine that if U.S. presidents can order the 82nd Airborne Immediate Response Force to suppress protesters in Washington, D.C., then they might equally direct Cyber Command to do the same. 

Second, Benjamin Jensen and J.D. Work noted previous research that “insular military organizations,” such as U.S. Cyber Command, can be “prone to a cult of the offense, exaggerating gains to ensure their bureaucratic autonomy.” If Cyber Command’s concept of defending forward is not successful, and since the conflict cannot ever be decisively won, it may feel pressure to be overly optimistic: “We’re about to turn the corner in cyberspace.” 

Defending forward is a particularly offensive kind of defense, with Gen. Nakasone insisting his forces “must take this fight to the enemy, just as we do in other aspects of conflict” and his then-deputy arguing the United States “cannot cede any territory to these adversaries” as the “Russians will keep pushing until we push back on them.” 

In late 2020, Russian intelligence teams obtained access into more than 100 well-protected cybersecurity companies and U.S. government departments, through a cyber espionage intrusion into the SolarWinds software company. Skeptics saw the failure of defending forward while the military and its supporters unsurprisingly argued the need for more, since “defend forward thus far appears to have been implemented only on a limited basis.”

Third, what happens when a military trained to achieve nothing short of victory finds that goal elusive? It was one thing for Gen. Douglas MacArthur to argue that “in war there can be no substitute for victory,” but since “superiority in cyberspace is temporary,” that won’t work for Nakasone or his successors. Seeking more decisive results, future commanders may demand ever-looser rules of engagement to defend ever-further forward. 

Nor are cyber operators likely to be any more immune to the temptations to transgress the boundaries of political control, which allegedly led two separate classified cells of U.S. special operations to falsely claim “self-defense” to target airstrikes against the Islamic State, including against a major dam on the “no-strike” list

Fourth, an underappreciated area of cyber civil-military relations is the steady influx of military veterans (like me) into private-sector cybersecurity. As cyberspace becomes increasingly treated like a battlefield within the private sector, the hiring of veteran cyber defenders continues to gain momentum. A recent report found that 57 percent of U.S. cybersecurity teams had hired at least one veteran to fill key roles, a trend that is accelerating as companies work to fill a deep cybersecurity workforce gap. American cyber defenses have been bolstered by these veterans, but they can bring their military worldview, which Huntington described as pessimistic, collectivist, power oriented, nationalistic and militaristic. 

A fifth challenge based in traditional civil-military relations is the continued militarization of U.S. cybersecurity.

The U.S. government’s cyber efforts have long leaned heavily on the military—especially the concentration of talent at the Fort Meade home of both NSA and Cyber Command—which has overawed the Department of Homeland Security, which had a nominal lead. 

The Department of Homeland Security’s Cybersecurity and Infrastructure Security (CISA, where I am a part-time official) has broader responsibilities than Cyber Command but receives only a fraction of the military cyber budget. Until recently, as much was budgeted for the military’s construction of cyber units as for the entirety of cybersecurity at CISA and across the Department of Homeland Security. 

And the institutional discrepancies are even clearer in other areas. Just the operational elements of Cyber Command have more than 6,200 military personnel, while CISA has less than a third of that support to conduct not just its cyber missions but also infrastructure protection, national risk management, emergency communications and other responsibilities. This institutional oomph matters in the nation’s capital, as generals and admirals have been able to portray themselves as the government’s most capable cyber organization

Challenges From Both Cyberspace and Traditional Civil-Military Relations 

Cyber conflict may favor dangerous, positive feedback, with each new incident seeming to invite more, leading to a three-decade intensification. Not only is there a systemwide offense advantage, but offense can be hard to distinguish from defense, espionage, subversion and preparation for a major attack. There are low barriers to entry; capabilities are actually used, covertly, and not just stockpiled; and attacks can cascade messily if not meticulously well planned.

In traditional international relations, Robert Jervis warned of the spiraling escalation of a security dilemma in situations even fraughter than this—where rivals must out-arm each other as their defense capabilities might be repurposed for offense and “incentives to strike first will turn crises into wars.” 

The current state of cyber civil-military relations that has led the White House and Congress to allow Cyber Command substantial authorities to defend forward might be appropriate during times of relative peace. However, there are reasons for grave doubts as to whether it provides sufficient subjective control with more great-power crises, nearer to the edge of war. Politicians will not be pleased if a crisis takes on its own life because Cyber Command was “taking the fight” to China, as Gen. Nakasone argues as a necessity.

Improving Cyber Civil-Military Relations

Traditional models of civilian control no longer fit neatly in a domain where contact with the adversary is nonstop and perpetual with the private sector on the front lines, actively defending key digital terrain against the forces of nuclear-armed adversaries. 

Subjective control cannot be a blank check written once, at the beginning of the persistent engagement, to last forever, an online version of the 2001 Authorization to Use Military Force. Defending forward should be authorized only with several conditions

  • Criteria and timeline for success and failure: The Defense Department asserts defending forward will cause adversaries to back down, leading to stability. To avoid another seemingly open-ended conflict like Iraq or Afghanistan, the White House and congressional oversight committees should require the department to answer the questions of how long the operation will take and what success (or failure) will look like.
  • Political throttle: To signal to allies and adversaries, the president must be able to ramp down (or, less frequently, up) military cyber operations.
  • Sunset: Without a sell-by date, authorities to defend forward may become permanent, even if they are expensive and show only marginal success. So authorizations for defending forward should expire after one or two years, so that Congress and the National Security Council can frequently review the criteria for success and failure, and apply the throttle if needed. 

Effective subjective control also requires amendments to the Insurrection Act, including further legislative and executive branch checks on presidential authority; an increase in the number of political appointees in the intelligence agencies, to capture their role in cyber conflict; and an end to the dual-hat role for the commander of Cyber Command and director of NSA. Congress has mandated that this cannot happen until Cyber Command can stand on its own. But military effectiveness should not be allowed to undermine control by endowing so much power in one person.

Objective political control (and, not coincidentally, mission success) requires major changes to U.S. military culture, both to recognize the role of the private sector and the many ways the internet was engineered differently from military values, and to accept that cyber conflict is different and never-ending and so requires a different civil-military deal. 

Academics must adapt as well, by expanding their normal concept of civil-military relations as discussed in this post, especially the inclusion of intelligence professionals and organizations.

Cyberspace may be a domain of military operations, but it is not predominantly so. The internet is perhaps the most transformative invention to spring from human minds since the development of the printing press. It underpins the entirety of modern societies and economies not just for the United States but increasingly for all humans everywhere. Civil-military relations in the United States must adapt to new demands, or cyberspace may be irretrievably diminished, not just for this generation, but for our grandchildren’s grandchildren.