Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.
This winter, the United States entered into dangerous, escalating hostilities with Iran in the most significant U.S. military contingency with a cyber-capable adversary to date. The crisis, coupled with the expectation that Russia will seek to use cyberspace operations to disrupt the 2020 election, should drive the U.S. technology sector and U.S. government into enhanced operational cooperation to prevent cyberattacks on the nation.
Why does the U.S. need an enhanced public-private operational partnership, and what would it look like?
Over the past decade, the U.S. government has invested significant resources to defend the country’s interests in cyberspace. The largest investment was the Defense Department’s Cyber Mission Force, an elite force of 6,200 cyberspace operators tasked to blunt and disrupt incoming cyberattacks on the nation from abroad, to defend military networks, and to conduct operations in support of military requirements. Within the Cyber Mission Force, the National Mission Force is tasked to defend the United States against incoming cyberattacks and prepare to “stop threats before they hit their targets” through forward defense campaigns, as the 2018 Department of Defense Cyber Strategy states.
The “defend forward” approach is the right one. For years, adversaries have exploited a gray space below the level of armed conflict, imposing costs on the United States through cyberspace. Such exploitations have included China’s cyberspace-enabled intellectual property theft, Iran’s attacks on the U.S. financial sector, North Korea’s destructive attack on Sony Pictures Entertainment, and Russia’s influence operations on the 2016 U.S. presidential election. Years of sanctions and indictments failed to deter these adversaries; it was time for a more forceful posture.
But here’s the hitch: While the U.S. military is on the right strategic and investment footing, the government does not own or operate most of the technological infrastructure of cyberspace—the private sector does—and this limits the government’s reach and situational awareness. Absent a public assessment of the Cyber Mission Force’s posture, it is unclear whether the National Mission Force can conduct multiple operational campaigns at once with success. For example, if the National Mission Force was directed to counter Russian cyberspace operations in advance of the 2020 election, would it also have the capacity to conduct a concurrent counteroffense mission against Iran if one was required?
Outside the question of military capacity, how might major information technology companies help in such a crisis? Companies own, operate, and control the infrastructure of cyberspace, and they may be able to sense threats, shut off adversaries’ access to their services, or manipulate their own infrastructure to block an attack. While the U.S. government assumes the burden of risk in defending the United States constitutionally, and should avoid placing U.S. companies in a compromised position with customers unless absolutely required, there may be more ways for the public and private sectors to work together to drive down risk and deescalate in a crisis. The country would be well served if the two communities could initiate contingency planning and discover options for countering adversary actions—each operating under its own legal authorities and terms of service during a potential crisis.
Yet this proposition is complicated. The U.S. government and U.S. technology sector share a history of mistrust and, in some cases, have different perceptions on violence, technology and the use of force. But recent events show a useful path ahead. In advance of the 2018 U.S. congressional elections, both Microsoft and Facebook took actions to remove Russian operatives from their platforms, while U.S. Cyber Command concurrently used forward defense operations to block the Russian Internet Research Agency’s access to social media. Such actions provide a blueprint for a new normal of combined operations to counter adversary operations.
The U.S. government has worked closely with the private sector on peacetime projects, like cybersecurity standards and incident response, but less on operational planning. To build cohesiveness for a national crisis, we recommend that the government make high-end contingency planning a regular feature of cooperation with the information technology sector. Cooperation hinges in part on expanding perspectives. Scenario exercises can help companies and the government to understand each others’ perspectives, particularly customer, market, and security risks that may arise during a conflict. Such exercises can help build trust and, most importantly, lead to the development of defensive options.
To do this work, companies should update their terms of service agreements to explain their positions on cyberdefense cooperation and mitigate any corporate risks that may arise from cooperating with the U.S. government. Microsoft has already taken a position, declaring a “100% commitment to defense” and zero to offense. Public statements can help corporations preserve neutrality, define policies for hostile actors and set operational norms to drive down risk.
The U.S. government’s Enduring Security Framework also presents a natural forum for cooperative planning as it grants clearances to participants and can convene leaders, planners and operators in one place. Cooperation should extend down from the chief executive and Cabinet secretary level to that of the deputy assistant secretary level and below to facilitate regular contact and options development. It can bring together the best strategists and operators from each organization to embark on combined planning. Leaders will need to sustain their focus over years to build strong ties between the public and private sectors to develop the trust required. Given the high payoff of robust public-private cooperation, joint planning, and combined operations for U.S. cybersecurity, this newfound effort should begin immediately.