Lawfare recently published two responses—one by Bobby Chesney, the other by Robert Williams and Ben Buchanan—to my Lawfare essay providing a Chinese perspective on the concept of “Defending Forward” adopted in the latest Department of Defense Cyber Strategy. Chesney, Williams and Buchanan all agreed with my assessment of the possible risks of escalation posed by the more proactive nature of the strategy, but argued that the Defense Department was justified in choosing such an approach to cyber security.
It is important to explore why the U.S. made such a choice. But it might be more important to explore whether that choice is wise—and what needs to be done after making the choice.
It is true, as Chesney, Williams and Buchanan write, that the United States faces serious cyber threats. But what country is not? The new domain of cyberspace will never be an attack-free area, due to its distinctive features: the low barriers to entry, various types of actors, easy access to cyber tools, wide application in society, difficulties in attribution and thus low possibilities of getting punished for malicious activities. Unlike extremely rare nuclear attacks and relatively rare conventional military conflicts, cyber attacks take place almost every day and everywhere. In addition to Russia’s 2016 hacking campaign, Iranian denial-of-service attacks, North Korea’s attack on Sony and China’s cyber activities (mentioned by Chesney), the world also saw the release of Stuxnet on Iran’s nuclear facilities and the activities of the Equation Group, the most advanced hacking operation ever uncovered, which is believed to be operated by the NSA. Or consider the statement by then-Director of National Intelligence James Clapper in response to the hack of the Office of Personnel Management: “If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”
To be clear, I am not trying to say any country is completely innocent or the only one to blame. Rather, it is exactly this course of actions and reactions—during which no side views itself as responsible for escalation, but each side takes actions to defend itself—that, in turn, leads to escalation and further instability. This is the security dilemma all countries face in cyberspace. In such a context, a proactive posture is more harmful than helpful in de-escalating tensions.
In fact, some research suggests that cybersecurity in the United States is improving faster than in other countries. An annual report from FireEye shows that in 2017 the global median dwell time—the average number of days from the first evidence of an attacker’s presence on a victim network to detection of the attacker—was 101 days. This is essentially unchanged from the global median dwell time of 99 days in 2016. But when divided by region, FireEye statistics show that the median dwell time in the Americas has decreased from 99 days in 2016 to 75.5 days in 2017. Meanwhile, the dwell time in Europe, the Middle East and Africa has increased from 106 days in 2016 to 175 days in 2017, and in the Asia-Pacific, from 172 to 498. That is to say, the United States is able to detect threats increasingly quickly and can do so faster than countries in other regions.
Likewise, if measured in terms of the percentage of machines attacked, the U.S. has better protections against cyber threats. Consider a study by the Spanish cybersecurity company Panda Security. Panda Security used data gathered by what it calls “Contextual Intelligence” to conduct analyses including the “Geographical Distribution of Attacks”—that is, the percentage of machines attacked within a given country. In 2017, among the 86 countries listed, Iran ranks first with the percentage of 11.9 percent, China ranks 24th with 3.42 percent, Russia the 33rd with 2.86 percent and the United States ranks 67th with 0.99 percent.
What’s more, due to the asymmetric development of situational awareness and attribution capabilities, the countries with the most developed cyber capabilities also have the best ability to identify whether they are under attack and where the attacks come from. Countries with less advanced capabilities may not feel or claim to feel as insecure as those advanced countries—not because this is the case, but because they are not aware of being attacked or not willing to speak up before having a full picture of the attacks. If a country claims to have been attacked without providing credible facts such as who is attacking, where the attack came from, how long it has been there, how much damage has been caused, and so forth, its claim will either be viewed as absurd or reveal the country’s lack of capabilities to detect cyber attacks and defend against them.
Of course, statistics do not tell the whole story. The U.S. government and many citizens feel strongly that the country’s economic strength, critical infrastructure, impetus to innovation and military superiority rely on cybersecurity. Therefore, it could be argued that the U.S. is more vulnerable to cyber attacks. But most other countries have very similar understandings of how their national interests are closely connected with a secure cyberspace. If the United States believes a more proactive cyber posture is necessary to improve cybersecurity, then it is highly possible that many other countries will choose to follow America’s lead, becoming aggressive in building cyber forces and developing cyber operation theories—just as more and more countries publicly declared the establishment of cyber commands or cyber forces after 2009, when Defense Secretary Robert Gates directed the creation of U.S. Cyber Command. Cyberspace will then become more destabilized rather than secure for all countries, including the United States.
But whether potential U.S. cyber activity is understood as an offensive initiative or a response to an outside threat, what really matters will be avoiding unintended escalation. The Defense Department strategy frames the United States as advocating for an “rule-based international order” in general and for “reinforce[ing] norms of responsible State behavior in cyberspace” in particular. If the United States desires to avoid conflict, it should make clear its positions with respect to the concerns listed below in order to mitigate the risk of unintended escalation.
- What kinds of attacks will trigger defending forward? As it is well known, international law prohibits the threat or use of force by states except in self-defense in response to an “armed attack.” Given the 2018 Defense Department Cyber Strategy’s claims that the U.S. will “disrupt or halt malicious cyber activity … , including activity that falls below the level of armed conflict,” it is natural that other countries will wonder what kinds of threats the U.S. might respond to with the use of cyber force. Since both the U.S. government and many American scholars view China as a serious threat in cyberspace, is it possible that the Defense Department will take preemptive measures to deal with this kind of “predicted” threat? Though such assumptions cannot represent official positions, it still causes worries in other countries—that is China in this case, especially when tension between China and the U.S. keeps escalating—since media plays an important role in influencing public opinions and thus indirectly impacting decision-makings.
- How does defending forward, which aims to “disrupt or halt malicious cyber activity at its source,” interact with the traditional principle of sovereignty and territorial integrity in international law? Both the consensus report adopted by the fourth Group of Governmental Experts on Information Security (GGE) and the Tallinn Manual 2.0 expressed respect for sovereignty and territorial integrity. In a 2016 speech, then-State Department Legal Advisor Brian J. Egan made it even clearer that, “[I]n certain circumstances, one State’s non-consensual cyber operation in another State’s territory could violate international law, even if it falls below the threshold of a use of force.” Given this, it seems fair for other countries to ask for more explanation from the U.S. as to the circumstances under which it will authorize cyber activities going to the “source” of the outside threat, i.e,. into the territory of other countries, and how to make sure such activities won’t violate international law. If there is no evidence of a foreign government’s support for these threats, will the U.S. military provide some form of prior notification before an incursion against a private attacker based in that government’s jurisdiction—similar to rules established under the U.N. Convention on the Law of the Sea? If not, how will the U.S. keep the foreign government from misinterpreting its actions as an attack on that government, leading to escalatory countermeasures? On the other hand, if there is evidence of foreign government support, when the U.S. initiates cyber activities in accordance with the concept of defending forward, does the U.S. agree that such activities are equal to an international armed conflict? Common Article 2 to the Geneva Conventions of 1949 states that the Convention—which set up rules that apply only in times of armed conflict—“shall also apply to all cases of partial or total occupation of the territory of a High Contracting Party”.
- Given that there is no clear line between military and civilian facilities in cyberspace, will the U.S. take precautions to mitigate collateral and secondary damages after conducting offensive cyber operations? Although the United States recognizes that the fundamental principles of humanity, necessity, proportionality and distinction under jus in bello should be applied in cyberspace, here are intense debates regarding the challenges and dilemmas in its applicability. For example, years after the Stuxnet worm—which is widely believed to be the work of U.S. and Israeli experts and proceeded under the Obama administration—was released to disrupt Iran’s nuclear program, one of the Microsoft Windows vulnerabilities used to spread the worm still remained the most widely exploited software bug in the world, according to a research by Kaspersky Lab in 2017. Many other questions follow: Could there be some self-destructive function preventing the weapon from becoming available to other actors once released? Could a weapon be designated for use only for a single purpose, perhaps by adding specific code to clarify its use for cyber espionage or cyberattack? How will the U.S. make sure the weapons used will only attack specific targets?
For the world to benefit from the development of cyberspace and avoid unintended crises and conflicts in this new domain, these concerns deserve more discussion and debate—more so than the questions of who first conducted cyberattacks or who is more justified in being proactive in cyberspace.