Cybersecurity and Deterrence
Through Persistent Engagement, the U.S. Can Influence ‘Agreed Competition’
In a recent Lawfare post, Max Smeets examines the implications of the shift in U.S. strategic thinking on cyberspace. He correctly notes that U.S. concern has broadened to include not only an adversary’s potential use of cyber means to engage in coercion and operations equivalent to a kinetic armed attack, but also cyber campaigns that can achieve strategic outcomes without resort to war. Smeets cites our work examining how the strategy of persistent engagement can forward U.S. security interests while also stabilizing cyberspace. In assessing the relationship between persistent engagement and the concept of agreed competition, Smeets concludes that “if there is anywhere in cyberspace that state-actors are allowed to compete, it is a very, very small subset of competitive environments.” We come to a different conclusion. Despite agreeing with Smeets that the cyber competitive space is strategic—meaning that it puts relative national power in play—we view the cyber strategic competitive space as wide and fluid.
We would suggest that the variance in analysis lies primarily in our differing applications of terms, which should not come as a surprise, as the scholarship on persistent engagement is at a nascent stage. We thank the editors of Lawfare for the opportunity to provide some clarifying response to encourage growth in the intellectual exchange over persistent engagement.
We view the construct of “agreed competition” to be, at a minimum, descriptive of the actual empirical reality of cyber operations among state actors. We view the term as encompassing the cyber strategic competitive space, but excluding armed conflict or operations generating armed-attack equivalent effects. It is a structural construct that allows us to understand the dynamics of strategic competition that have effectively been set in the space between inactivity and conduct that equates to the legal standards of warfare. There appears to be a tacit agreement among states that they will actively pursue national interests through cyber operations that pursue strategic interests while carefully avoiding the equivalence of armed attack. This is simply based on the known record of cyber interactions. Critical to this agreed competition is the recognition that it appears to be reinforced structurally (by, for example, technology that has created the opportunity to achieve strategic advantage without war) and strategically (in that states are making the choice to pursue that opportunity).
Viewing cyberspace not simply as an area of state-to-state competition but as one where states tacitly agree to certain norms of behavior suggests a possibility for stabilization due to the logic Thomas Schelling articulated in his analysis of collaboration between competitors. Thus, we view the construct of agreed competition as an important analytical starting point that covers the whole of the cyber strategic competitive space.
Now, what of the competition within that space? We view persistent engagement as explaining the behavior of states below the level of armed attack and as prescriptively suggestive of how different states might strategically act. The concept of persistent engagement suggests that states will continuously seek to anticipate the exploitation of their own vulnerabilities while simultaneously seeking to exploit the vulnerabilities of others. Relative security will be found in gaining initiative by being ahead of others in the anticipation of both sides of the exploitation coin. The United States’s pursuit of its persistent engagement strategy initially appears to be emphasizing a continuous set of cyber operations heavily focused on shifting the balance of initiative back in its favor through a defend-forward operating concept that is improving resiliency and defense.
With foresight, the U.S. might have tackled the challenge of cyberspace as a strategic space short of war decades ago, leveraged its advantages to sustain the balance of initiative in its favor, and attempted to lead in promoting cyber operations that prioritized stabilizing and securing cyberspace. Unfortunately, the U.S. has primarily learned through passive discovery that some states have already undermined its interests through cyber strategic campaigns short of armed conflict by targeting intellectual property, undermining confidence in institutions both domestic and international, and supporting efforts to evade sanctions. As former Homeland Security Secretary Kirstjen Nielsen succinctly observed about cyber threats, “Failure to look at the future or limiting our thinking based on what we’ve observed in the past, those in and of themselves are risks.”
Currently, at the macro level, what has been “agreed to” is a competition that, with very few exceptions, employs cyber means that do not take on the features of armed conflict and avoid the dominant strategies of coercion, crisis management, and escalation dominance that characterize the armed conflict strategic space. Leaving that high and right box aside, our analysis suggests that little else with regard to cyber operations and campaigns has been tacitly removed from the playing field of the cyber strategic competitive space. And herein lies our main difference with Smeets’s analysis: the U.S.’s pursuit of persistent engagement to counter the cyber strategic campaigns of others is part of the competition. We should assume that all states playing in this space will be pursuing their own interests and countering those of others through a variety of cyber operations and campaigns. Echoing both Schelling and Herman Kahn, we do not assume there will be a symmetry between actors’ views initially on what is a legitimate cyber operation or campaign within the competitive space, but we do assume that states accept the reality that there is a competition and that it can lead to strategic advantage. Smeets seems to see U.S. counter-campaigns as declarations of unacceptability, when they should more simply be viewed as campaigns in pursuit of sustained initiative (which, as we argue, provide relative security). Although the U.S. might not like the cyber operations of other states, it does not mean that they are breaking the “rules” of legitimate competition.
For example, the U.S. might not like that a state may use cyber operations to undermine the effectiveness of international sanctions through strategic theft and will try to limit the success of that exploitation through persistent engagement by countering or contesting operations. Regardless of U.S. efforts, a state desperate for resources, such as North Korea, will continue to seek the initiative in stealing currency. But in this competitive interaction, both states seem to have tacitly agreed (based on public evidence so far) that what should be avoided—what would be regarded as outside the legitimate parameters of competition—are cyber operations that lead to the actual manipulation of the unit of currency (its fundamental integrity). Such operations would undermine the entire global financial system. Our analytical frame linking persistent engagement with tacit bargaining suggests that this is a good example of how cyber campaigns and counter-campaigns can lead to both competition and stabilization around expectations of that competition. These focal points constructed over time and through interactions can converge on norms that stabilize this space by manifesting boundary conditions that more and more actors can buy into.
Different states will have different understandings of what they will view as campaigns that go beyond competition and cross over into coercion or war. Again, there is unlikely to be a lot of symmetry in this early phase of competition. What each cyberpower may define as central to its political integrity may differ, but capability and initial restraint can be signaled in the expectation that quid pro quos might emerge. Where they do not, we will see campaigns and counter-campaigns and active interactions for some time to come.
Smeets raises a critically important point through extension of his argument. If a state is so effective in competition that it sustains an advantage to the point that it begins to undermine the core power of an adversary, would that not push the losing state to stop competing and escalate out of agreed competition and rely on war or the threat of war to contain the loss of vital power? The answer is yes. The implication, thus, is that sustained advantage in persistent engagement should induce restraint on the part of the more effective state. There is a structural and strategic reinforcement toward restraint in that scenario that would have to be part of the overall strategic approach.
We have a long way to go. The parameters of the cyber strategic competition itself are just emerging. The dominant states in cyberspace need to be intentional in clarifying the line between strategic cyber competition and armed attack. They also must try to delineate between cyber operations and campaigns that by their nature are part of the competition; those that directly undermine the upper boundaries; and those that can, inadvertently, undermine the competitive space and escalate to war. But the competition is on and it remains broad, fluid and open to the potential for stabilization if intentionality is linked with adoption of tacit bargaining strategies.