Cybersecurity and Deterrence
United States Cyber Command’s New Vision: What It Entails and Why It Matters
The United States Cyber Command (USCYBERCOM) has released effectively a new command strategy (formally called a “Command Vision,” although it addresses ends, ways and means), anchored on the recognition that the cyberspace domain has changed in fundamental ways since the Command was established in 2009. Drawing on its experience over the past eight years, the Command offers a new approach that aligns with the strategic realities within which it must successfully operate. The “Achieve and Maintain Cyberspace Superiority: A Command Vision for US Cyber Command” marks a significant evolution in cyber operations and strategic thinking, portending an opportunity to bring about greater security and stability to the interconnected global digital environment.
Recently in Lawfare, Michael Sulmeyer, former U.S. Department of Defense director for plans and operations for cyber policy, provided a relatively positive assessment of the new United States National Security Strategy’s (NSS) approach to cybersecurity, noting that the “administration shows an understanding that cyberspace is a critical part to practically every aspect of national security.” The Command’s new approach nests neatly under the NSS, provides a roadmap to guide cyber operations and points toward the policy framework that must evolve to ensure such operations succeed in advancing U.S. national interests. The Command’s approach also focuses on stemming the erosion of the United States’ competitive edge found in the newly released National Defense Strategy .
This Command Vision boldly aligns with the strategic context and operational environment that have emerged over the last decade and provides a comprehensive vision of how to tackle these new realities. Successful implementation of this new strategic and operational approach will require new thinking across the government and academia to ensure that the right organizational structures, decision-making processes, capabilities development pathways and authorities are in place. It has provided the foundation for such new cyber thinking.
The Command’s strategic approach makes some critical assumptions about cyberspace as a domain, which have either not been explicit in the past or represent important shifts from previous U.S. thinking. First and foremost is the recognition that adversary behavior intentionally set below the threshold of armed aggression has strategic effect. This insight moves away from the conventional bifurcation of looking at cyber activity as “hacking” and binning it as either nuisance (crime) or as a potential surprise attack against critical infrastructure. Instead, the strategy focuses on adversarial cyber operations for what they are—well thought out campaigns seeking to degrade U.S. power and advance their own relative capacities, while avoiding significant American reaction. Moving away from the ‘hack,’ ‘breach,’ ‘incident,’ ‘attack’ framing toward a recognition that what is significantly putting at risk American strength are sophisticated campaigns that undermine diplomatic, economic, and military power as well as social cohesion is an important step forward in U.S. thinking. The vision realizes that unlike in the terrestrial spaces where strategic effects have required territorial aggression (or the threat thereof), cyber operations have opened a new seam in the distribution of power and can impact relative power without traditional armed aggression. In his Lawfare essay, Sulmeyer complimented the NSS drafters for recognizing the connection between cybersecurity and American power. USCYBERCOM’s strategy builds off of that NSS frame.
The second critical assumption is that the United States now faces peer competitors in the cyberspace domain. Thus, cyber superiority, which is critical for superiority in all other military domains, is not assured and is actually under continual stress. The strategy accepts as a given that cyberspace is congested contested terrain and that while capabilities vary across states, violent extremist organizations, organized criminals groups and hacktivists, all of these actors can contribute to damaging American interests (including when state actors leverage these other actors to advance their goals while retaining deniability and uncertainty over attribution).
The final important strategic reality that the document recognizes is that the status quo is deteriorating into norms that by default are being set by adversaries. This not only challenges American interests, but orients cyberspace toward a chaotic future. The new strategy aims to redress these negative norms. The vision appropriately accords to our adversaries a reasonable assumption of clever calculation. USCYBERCOM is acknowledging that opponents “exploit our dependencies and vulnerabilities in cyberspace and use our systems, processes, and values against us to weaken our democratic institutions and gain economic, diplomatic, and military advantages.” The implication, of course, is not only the need for a new approach, which USCYBERCOM now offers, but the need to readdress our overall national cyberspace strategic framework if we are to wrest the initiative away from opponents who are operating without real constraint below the threshold of war.
Building upon USCYBERCOM’s experience, the vision explicitly distinguishes characteristics of cyberspace as an operational domain. Specifically, the document recognizes that the interconnected nature of cyberspace leads to an environment of constant contact and shifting terrain in which persistent action continually challenges ones’ capacity to defend and to maneuver. Security is redefined as resting on seizing initiative to gain “continuous tactical, operational, and strategic advantage.” What might be missed in the public presentation of this construct is that initiative is not about going on the offense, but rather being one anticipatory step ahead across the spectrum of cyber operations.
Indeed, this approach notably emphasizes linking resiliency, defending, and contesting in a seamless operational framework. Success in each flows from having the initiative to anticipate where U.S. vulnerabilities lie, and through resiliency and defensive actions, taking those opportunities away from adversaries; when possible, defending forward so that adversarial action is blunted before getting into U.S. networks and, when necessary, contesting adversary capabilities and their own vulnerabilities to shift the focus of opponents in order to shape their behavior. It is the sum of these component parts of the strategy, not any one in isolation, that will lead to a more stable and secure cyberspace.
That being said, the important emphases on defending forward and contesting active campaigns are both noteworthy. These operational orientations recognize that previous U.S. approaches ultimately left the U.S. playing ‘clean-up on aisle nine,’ too often dealing with adversaries inside our networks (or in the aftermath of their exploitations), rather than stopping them before entering. What is interesting is how those efforts are linked back to resiliency to produce strategic outcomes. The strategy recognizes that along with government resiliency, better alignment between private sector technology development and national security goals as well as enhanced coordination between internet service providers, security firms, and government policy aims can render adversarial activities inconsequential. This will enable USCYBERCOM to direct its focus toward truly consequential threats. There is important similarity here with the United Kingdom’s 2016 Cyber Strategy, which created its National Cyber Security Centre that has a similar mission focus on proactively reducing the effects of persistent adversary cyber operations. While the strategy lays out this goal, it does not delineate how this critical alignment between the private sector and a military cyber operational approach will be produced. One new starting point to consider is that it is more about alignment of action than partnership—a concept still used in the vision document (and one we have been talking about in the United States for 20-plus years, but have failed to fully produce).
That limitation aside, the innovation here is the greater clarity of what is potentially consequential due to a shrinking vulnerability surface (both user and technical), contesting adversaries’ remaining cyber operations then can produce strategic effect as the “tactical friction” the adversary experiences through continuous engagement by the United States compels them to shift their resources (and thinking) toward their own vulnerabilities and defense. In this manner, the Command’s approach seeks to replace the current norm of adversaries acting with relative impunity to a different, more complicated calculus on their part. This can, over time, lead to a normalization of cyberspace that is less free-for-all and potentially more stable. It is not contradictory to assume that in an environment of constant action it will take counter action to moderate behavior effectively.
Interestingly, the strategy anticipates criticism from opponents who will accuse the United States of potentially militarizing cyberspace through this approach. The vision explicitly notes that cyberspace has been militarized by the actions of adversaries over the last decade. More importantly, the vision emphasizes that this is not an offensive doctrine, but a seamless operational approach integrating resilience, defense and contestation of adversary activity. Sulmeyer suggested in December that the NSS “missed an opportunity to stress the need for Cyber Command’s maturing Cyber Mission Force must be a force that is ready to fight.” USCYBERCOM’s strategy not only fills that omission in the NSS, but offers us a unique understanding of what it means to “fight” in cyberspace through its recognition of seamless resiliency, defense and offense. This is captured by one operational objective referred to as “create friction for adversaries.” One can see in all three forms of operations--resiliency, defending forward, and contesting--how each can create friction in the planning and operations of adversaries. Better resiliency will raise the initial effort an adversary needs to make, defending forward will create early interruption, and contesting will necessitate that adversaries reallocate resources to defense. Building such friction can have an overall potential shaping effect, but it comes through the friction produced, not the threat to inflict costs that is associated with previous strategies of deterrence by denial or punishment. This is a major conceptual advancement.
Adm. Michael S. Rogers’ commander’s intent section of the document fleshes out five distinct, but related and reinforcing, imperatives, to advance the strategy toward success. Without delineating them here in detail, the main takeaway is that they represent actions that as a new unified combatant command USCYBERCOM can achieve.
The document notes that it fully aligns with both the new National Security Strategy and National Defense Strategy. It speaks to those larger purviews by detailing the connection between cyber operations and the spectrum of American power. The strategy importantly addresses how cyber operations contribute to: U.S. diplomatic power (the potential for sanction support or discreet reversible compellence); combating others’ information operations; facilitating “overmatch of adversary military capabilities” and importantly making the sources of American economic power “more resilient and defensible.” Viewing cyber operations as a critical component in whole-of-government national security policy is important. (Consider, for example, that only 12 years ago the word “cyber” appeared only once in the entire NSS).
Within that policy context, one significant challenge is the American penchant to divide roles and responsibilities across government in a highly hierarchical, bureaucratic model. In an interconnected domain, however, the answer is not segmentation, but rather synergy. Again, the British appear to be seeking greater organizational synergy through their National Cyber Security Centre. Both Australia and Israel are organizing along similar lines. While the USCYBERCOM strategy does not directly address the pending organizational question of splitting the dual-hat of commander and director National Security Agency, it would behoove the Trump administration to consider a pause in thinking such a move as inevitable and open itself to a rethink—we may have been ahead of our time in organizing one area of cybersecurity correctly (a tight relationship between our lead cyber military operational command and our lead signals intelligence agency). The priority in the immediate, at least, should be in implementing USCYBERCOM’s new strategy in the context of its new unified command elevated status and then doing a new reality check on where to go organizationally (for example, a hybrid model of more empowered deputies in both organizations reporting to a dual-hatted leader might be considered).
To Boldly Go…
Big decisions remain. While the alignment of cyber operations with national policy is critical, the strategy will hopefully catalyze the rest of the policy community, to boldly rethink decision-making processes, operational authorities, and capabilities development -- all of which must realign to match the realities of cyberspace. Currently, none of these meet what Secretary of Defense James Mattis calls the “speed of relevance.” Two critical variables that the strategy notes are time and fluidity: things happen fast and things change regularly. The strategy succinctly outlines the: how (seamless), where (global), when (continuous), and why (achieve operational advantage), but none of that will attain full effect if it is not supported by an aligned policy framework that can adjust to the speed and fluidity of this operational domain. The nuclear revolution brought about fundamental changes in U.S. national security organizations, capabilities development and decision-making processes that mapped to nuclear realities. While it is beyond the scope of a unified combatant command’s strategy to bring such change, USCYBERCOM’s vision should be taken as an initiating point for significant research and discussion (and action) to address comprehensively how the United States should organize itself to secure the cyber domain. 70 years out, Strategic Command still holds annual symposia researching the implications of its core strategy of nuclear deterrence. We need the same sustained analysis of cyber operations.
The wider research and academic communities, along with core government agencies, need to more intensely evaluate the necessary adjustments needed in achieving success in an interconnected domain of constant contact, ever-shifting terrain, and a persistent contest over who can sustain initiative. We have much work in front of us. The problem, of course, is that adversaries are actively gaining advantages, thus the work must begin in earnest. One might suspect that in the capitals of some of our cyber adversaries, the alignment of USCYBERCOM’s strategy to the realities of the operational space will be met with, “darn, they have figured it out, this is going to become harder.” That will be the vision’s immediate effect. But perhaps more importantly, USCYBERCOM’s new strategy can be a spur to a more robust range of thinking about cyber operations, strategy, and power in the 21st century. That could be its demarcating legacy.