U.S. officials increasingly express old frustrations about the lack of standards for appropriate state behavior in cyberspace. As U.S.-China trade tensions soar, cybersecurity firms have reported that China is renewing its cyber-enabled economic espionage efforts against U.S. companies—if they ever ceased. Russia does not seem to be scaling down its cyber-enabled disinformation operations, threatening democracies worldwide. The Trump administration’s withdrawal from the Iran nuclear deal is also reported to have inspired Iranian actors to conduct a new wave of disruptive attacks. Concerns over North Korean hostile cyber activity have not gone away either.
Commentators and lawmakers have described the problem as twofold. First, U.S. government officials fail to set red lines, fearing that doing so would cede freedom to maneuver when responding to cyber operations. But second, whenever red lines are established, the U.S. fails to enforce them.
I believe these are problems of the past. Following the shift in strategic thinking documented in the 2018 Department of Defense Cyber Strategy, the U.S. now increasingly faces a new challenge: There are too many red lines. If there is anywhere in cyberspace that state actors are allowed to compete, it is a very, very small subset of competitive environments. The new challenge is to figure out what adversaries are allowed to do in cyberspace, not what they’re not allowed to do.
The Old View
U.S. government officials have repeatedly warned that a “cyber Pearl Harbor”—an incident that would rise to the level of an armed attack under international law—would not be tolerated. The U.S. also has repeatedly reiterated to the Chinese government that the U.S. views cyber operations to benefit commercial entities as a violation of international norms—resulting in the Obama-Xi cyber agreement in 2015. The Obama administration also marked tampering with polling or registration systems during U.S. elections as a red line, communicated to Russia in the lead-up to the 2016 presidential elections through the hotline connecting the Nuclear Risk Reduction Centers of both countries.
Over the years, U.S. policymakers have been less vocal in condemning other cyber activity, such as probing critical infrastructure. And in some cases they even paid tribute to adversarial cyber activity.
Following the disclosure of the Office of Personnel Management (OPM) breach, which involved the theft of almost 22 million records of government employees, former CIA and NSA Director Michael Hayden said that, even though “this is a tremendously big deal … don’t blame the Chinese for the OPM hack.” Hayden “would not have thought twice” about seizing similar information from the Chinese government if he had the opportunity. In a similar vein, James Clapper, then the director of national intelligence, told a group in Washington after the disclosure, “[Y]ou have to salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we would hesitate for a minute.” No retaliation followed the attack.
The New Approach
When then-Lt. Gen. Paul Nakasone appeared before the Senate Committee on Armed Services to review his nomination to become the director of the NSA and the third commander of U.S. Cyber Command, he spoke out against previous U.S. lack of response against cyberattacks, noting that “the longer that we have inactivity, the longer our adversaries are able to establish their own norms.”
In an article published in Joint Force Quarterly, Nakasone writes about how Cyber Command needs to become what he calls a “persistence force” that “will contest our adversaries’ efforts in cyberspace to harm Americans and American interests. ... Over time, a persistence force, operating at scale with U.S. and foreign partners, should raise the costs that our adversaries incur from hacking the United States.”
His article closely follows on from the discussion found in the summary of the 2018 Department of Defense Cyber Strategy and the 2018 Command Vision for U.S. Cyber Command. These documents, as I have previously noted with Herb Lin, embody a fundamental reorientation in strategic thinking.
Cyber Command’s shift toward persistent engagement is based on a different understanding of the threat landscape. The U.S. no longer views many of the cyber operations below the threshold of armed attack as just tactical forms of espionage or subversion or as episodic forms of theft or crime. Instead, these operations are seen as important levers in a new domain of great power competition. Campaigns comprised of linked cyber operations below the threshold of armed attack are still able to achieve strategic outcomes.
Cyber Command seeks to achieve two goals through persistent engagement: 1) achieving “superiority” and improving the balance of power in their favor, and 2) creating a more stable and secure cyberspace. I previously noted with Herb Lin that “a United States that is powerful in cyberspace does not necessarily mean one that is more stable or secure.”
Tacit Agreed Competition
But according to Michael Fischerkeller and Richard Harknett, one way the U.S. can achieve both objectives is through “tacit bargaining” leading to “agreed competition,” as spelled out in two recently published Lawfare articles. They write:
In efforts to arrive at tacit understandings of acceptable and unacceptable behavior in the cyber strategic competitive space, the tasks states face will be a function of the alignment of their national interests with mutual or common interests as manifested in cyberspace. Where those interests converge, we should anticipate states will engage in cyber operations around focal points that communicate shared interests and a willingness to collaborate on ranges of acceptable/unacceptable behavior about those interests. But where those interests are in conflict, states will communicate as much through cyber behaviors seeking to outmaneuver each other to achieve an advantage or at least avoid a disadvantage.
Persistent engagement should ultimately lead to “agreed competition” in cyberspace, they argue. It is a form of norms setting through practice (that is, showing what is appropriate behavior through constant action). The idea is that it leads to “a comprehensive strategic great power competitive space with its own distinct structural features.”
An attack like the one on the OPM would be at the top of the list of operations that Cyber Command deems unacceptable and would not tolerate as a part of this competitive space. It is a prime example of an operation that takes place below the threshold of armed attack but has great strategic impact—especially if it is linked to other operations.
The data stolen by Chinese hackers during the OPM hack included names, dates, places of birth, security background checks, data on intelligence and military personnel, and the fingerprint data of 5.6 million employees. Hackers even accessed the SF-86 security clearance application form, which includes information such as records of drug use, alcohol addiction and financial problems. While the OPM itself contains a great deal of data “perfect for blackmail,” if it is linked with data from other breaches, such as those of Anthem, American Airlines and Marriott, it has even more impact. Together, data from these breaches offer the Chinese government the opportunity to create a comprehensive database of current and former U.S. (intelligence) officials, who they meet, what they earn, where they go and so on.
This shift in strategic thinking leads to new challenges for cyber norm setting.
On one hand, the strategy’s central point is that adversaries should not conduct offensive cyber operations against the U.S. that (independently or cumulatively) weaken the United States’s position in the international system. On the other hand, if we assume these adversaries are rational, they seek to conduct only those operations that are strategically advantageous to them (and not merely to cause a nuisance or for fun), including by weakening the United States.
Therefore, the space for agreed competition is very small: Only those operations against the U.S. that do not weaken the United States’s position in the international system but are strategically meaningful to the adversary form part of what Fischerkeller and Harknett call the “competitive space.” In fact, those operations that are potentially strategically consequential—operations for which the current strategic purpose is uncertain but that could be linked to other operations in the future to achieve meaningful effects—are also problematic but are excluded from the space.
The only case that comes to my mind that would meet both criteria is the Chinese government’s attack on GitHub in March 2018. The attack against GitHub was the biggest distributed denial-of-service attack recorded to date. (Hence, some might say it should not be allowed.) But it didn’t have any negative strategic consequences (neither in the short nor the long term) for the U.S., and it did strategically benefit China’s regime. The hackers attacked a web hosting service based in the United States, but the motivation of this attack was domestic censorship in China. The attack specifically targeted pages for two GitHub users that circumvent China’s firewall: Greatfire.org and the Chinese mirror site of the New York Times.
In my view, GitHub is the exception that proves the rule. But beyond that case, following the shift in U.S. strategic thinking, it is hard to see what exactly would be deemed as acceptable behavior.