This Cyber Viewpoint comes from James Van de Velde, Associate Professor at the National Intelligence University as well as Adjunct Faculty at Johns Hopkins and Georgetown University. The views expressed in this article are those of the author and do not necessarily reflect the official policy position of the U.S. Government, the Department of Defense, or the National Intelligence University.
Now that the Commander, U.S. Cyber Command, has told the world that United States Department of Defense cyber forces will be pushing back against cyber adversaries wherever possible, including defending against malicious activity inside adversary and third-party networks, has the cyber domain challenge been solved? No one should be thinking that the adversary will now be resigned to defeat. It is unlikely in the extreme that Russian and Chinese cyber experts are now thinking, ‘it was great while it lasted; our advantage in cyberspace is over.’
Americans would be wrong to conclude that the lesson our cyber adversaries have taken is that the United States was simply slow to recognize how cyber provided them a means to change political realities below the level of armed conflict. Many U.S. analysts discerned cyberspace as the domain for autocracies as early as 2015. No, the lesson our adversaries learned is that the United States is always late to react to adversary asymmetric maneuver, given that authoritarian regimes can act more quickly than liberal democracies, which are slowed by consensus building, political concerns and timetables, risk-averse general officers and State Department diplomats, bureaucratic inertia, opposing legal interpretations, and competing personalities.
Russian and Chinese cyber officials, therefore, will most certainly maneuver to continue their advantage in cyberspace and prepare for Cyber Command’s ‘persistent engagement’ policy.
- Persistent Engagement: The continuous execution of the full spectrum of cyberspace operations to achieve and maintain cyberspace superiority, build resilience at home, ‘defend forward’, and contest adversary campaigns and objectives. Its key principles include agile collaboration; continuous interaction (rather than episodic reaction); seamless campaigns (rather than discrete operations); aggressive protection of blue cyberspace; initiatives governed by rules of engagement (rather than by concepts of operations); causing friction; and exploiting targets of opportunity (not just holding targets at risk).
- Defending Forward: A subset strategy within persistent engagement that engages adversaries in networks closer to the origin of malicious cyberspace activity. It provides enhanced (early) warning of adversary actions, intentions, and capabilities, enabling the United States to better defend government and civilian networks, data, and platforms; encourages stability by disabusing adversaries of the idea that they can operate with impunity in cyberspace; positions cyber capabilities forward that can be leveraged to degrade the effectiveness of adversary capabilities; and blunts adversary actions and operations before they reach U.S. networks.
Our task now is to anticipate how such adversaries will react and position ourselves to take advantage of the likely next era. U.S. DoD officials need to discern the next, next era and be there before the adversary shapes it to its advantage.
"In short, the next era of cyberspace strategy will likely include a form of US Balkanization (‘Gates’) (to protect U.S. public and private technology and wealth) plus numerous, smaller, private-sector segmented firewalls (‘Guards’) against malicious cyberspace activities (particularly IP theft) and significant U.S. cyberspace active defense and offense (‘Guns’) to re-shape cyberspace back to acceptable levels."
‘Gates:’ Balkanization
The future of cyberspace is now likely to include a form of Balkanization (aka ‘splinterization’): the fracturing and dividing of internet networks into separate, independent networks, defended by state-wide and additional internal state firewalls, inspired ostensibly by state concerns over technology or intelligence loss, commerce, politics, or sovereignty. This Balkanization is being driven by the authoritarian states of the world (Russia, China, Iran, North Korea), which wish to control information inside their borders, enable and harbor criminal cyber activity focused against the United States, and steal Western industrial technology, which they will then want to protect, once stolen. Cyber Balkanization is a zero-sum authoritarian approach to information control and to theft of Western proprietary information and wealth. (‘What’s yours is mine, but once stolen, it’s only mine. I can conduct info ops in your country, but you can’t in mine.’) There may be some good, legitimate reasons for data to be localized (so that good states can prosecute citizens with data they can find on servers inside their states), but Balkanization will serve authoritarian states and criminal elements especially well by better protecting them from U.S. cyberspace operations.
There is a crude convergence of opinion now that cyber Balkanization is happening worldwide (whether we like it or not), driven by disparate state interests in either data control (‘data sovereignty’) or information control for internal political control (China’s definition of ‘internet sovereignty’). There are competing (Balkanization) models now for the world: the EU model (mildly protective data centers to house data in country) or the PRC model (total information control). However, no one is discussing the ‘U.S. model’ because there is no U.S. model or vision for cyberspace for the future. The EU model will likely become the model for regulators, while the China model will become the model for autocracies to effect information control and regime sovereignty (which means it will appeal to many states). Most states will adopt at least the EU model; many will like and import the China model, complicating U.S. efforts to achieve adversary access.
‘Guards:’ More Private Sector Defense
The former Director of the National Security Agency and the CIA, Michael Hayden, famously said that the U.S. Cyber Cavalry ain’t coming to save any U.S. business. At the very least, the U.S. Government ought to inform industry that it cannot protect proprietary information from Chinese government hackers, and it should continue to point out that business in or with China will likely ultimately cost more than companies realize (such as loss of their source code as well as any intellectual property advantage they may have).
Cyber’s ongoing hazards will drive more private sector encryption; VPNs; development of a Decentralized Web (a ‘peer-to-peer’ web); cryptocurrencies; two-factor authentication; company firewalls; Artificial Intelligence (AI) to close off vulnerabilities or open accesses; data analytics to auto-protect against unauthorized credit card access and bank account transfers; and algorithms derived from social media, surveillance cameras, and police records to take proactive measures against crime (i.e., AI ‘pre-crime’).
‘Guns:’ Escalation Dominance to Force a More Benign Cyber World
In the future, the United States must use offensive cyberspace capabilities in ways that make it clear that it will back up words with action, while reinforcing the ability of the government to exercise power and defend the nation. At present, the U.S. approach to the era of continuous confrontation has been almost exclusively defensive — the hardening of defenses of government and DoD networks. The U.S. approach to shaping norms of cyberspace, therefore, will need to involve many more elements of active defense and offense, as well as involve the private sector if it is to be successful, in order to shape adversary activity downward in scope and quantity.
Cyberspace will continue to favor authoritarian states that violate sovereignty, law, and international norms in peacetime as long as the United States does not successfully engage to impose costs for such activity. Until the United States demonstrates the willingness to use cyber capabilities to punish unacceptable behavior in cyberspace, threats of punishment alone will continue to ring hollow, while defense alone will be insufficient. The United States needs to shape (i.e., influence) the international environment constantly — a combination of international norms promulgated on paper but also clear, well-signaled responses in reply to certain unacceptable activities. It may sound contradictory, but if the United States wants to reduce the number and severity of malicious cyber-attacks against it, it must attack back more often.
"The United States will have to become the meanest cyberspace dog in the neighborhood to dissuade malicious state activity downward. It must adopt its 2018 elections mindset worldwide to break the state and criminal group addiction to malicious cyberspace activity."
What is needed is an inverted ‘J’ curve of U.S. cyberspace activity (‘cyberspace operations’ vs ‘time’): a mix of overt, clandestine, public and nonpublic cyberspace operations that, at first, will involve much more active defense/offensive activity before norms are clearly established and stability recovers and ultimately improves to a Pareto-optimal level. U.S. Government cyberspace leaders in the past were so worried about cyberspace stability that they eschewed almost any operation that involved pushing back against adversaries and state thieves. Today, Democrats and Republicans, industry and government all agree that to get the cyberspace world we want, the United States will have to act, and that means act offensively. In other words, if you are worried about cyber instability, although it may sound counterintuitive at first, one has to conduct much more activity and escalation to hammer cyberspace back down to acceptable malicious limits.
Needed and Likely Elements of the Next Cyber Era:
‘Gates’
Devise and embrace a form of U.S. cyberspace Balkanization. The world is moving to wall off its states, just as states walled off their airspace. It was naive in the extreme to think states would allow unfettered access to virtually anything via cyberspace. Instead, cyberspace has become a bonanza for criminals and authoritarian states. We sit by, watch Balkanization happen, and thereby encourage China to become the mentor for developing states that want some level of cyber security.
Discourage U.S. business from doing business in China (do business in Latin America). U.S. technology is inevitably lost to the Chinese Government, which has weaponized business to extract intellectual property and supplant U.S. business wherever possible worldwide.
‘Guards’
Create firewalls for citizens and U.S. business (and encourage U.S. businesses to do the same). The Government protects Americans in the domains of land, sea, air, and space but claims Americans are on their own in cyberspace. Yet many cyber threats are too sophisticated for citizens to discern. It is an abdication of responsibility to state or imply that cyberspace is the one domain of warfare that the Department of Defense will not defend for the American people.
Pass a law requiring automatic cyber security upgrading on all private systems by IT firms. The NSA, Cyber Command, FBI, and DHS should better assist public and private sector entities against malicious cyberspace activity from abroad by sharing more intelligence; the private sector, for its part, must be required to auto-upgrade security. Require two-factor authentication for communications. Everyone carries a cell phone or a watch anyway; the addition of a token or a second authentication via cell phone would pose an insignificant burden on the public.
‘Guns’
Escalate to de-escalate. The United States must conduct targeted cyberspace offense against malicious state actors to dissuade them from continuing their currently unmolested and successful cyberspace activities.
Attack cyber criminals abroad, just as we used to attack pirates at sea. Ransomware, sophisticated phishing, state-sponsored cyber-attack via proxies, terrorist use of the internet and the weaponization of business are all far beyond the average American to perceive on the internet, let alone defend against. It is the responsibility of the U.S. government to attack these attackers, just as the military did against lawless pirates on the high seas.
Take down ISIS and AQ communications anywhere and everywhere. Encourage other states to do the same. The speech of a declared enemy of the United States is the information operations of a combatant. States that house ISIS or AQ speech are advancing the information operations of a nonstate actor in declared war with the United States. We have the legal right to contest this speech.
Greenlight a limited degree of private sector ‘hack back.’ Since our adversaries allow ‘private’ entities to conduct malicious cyberspace operations, allow U.S. private entities to conduct a level of hack back as well (to develop a level of deterrence). If successful, new norms could be subsequently negotiated with adversaries and – indirectly – with even criminal groups. In short, since the USG has admitted to the private sector that it cannot defend all private sector equities, the USG should allow and advocate a level of gray-space, private sector ‘hack-back.’ If not, private sector entities will forever suffer a significant level of proprietary loss to cyberspace adversaries every year (with no chance of recovery), which the government will do nothing about.
Release (declassify) much more intelligence on malicious adversary cyberspace activity. Via the DNI, the DoD ought to leverage attribution studies and intrusion intelligence to shape foreign policy (i.e., declassify and release adversary intrusion reports strategically to allies, partners, and the public in high-profile releases on a case-by-case basis in order to shape adversary activities). Such information is perishable anyway. Releasing such intelligence will deter such activity generally, educate the world, and is often worth the intelligence loss even if the adversary can thereby discern some cyberspace forensic methods better. Similarly, the government ought to produce many more high-profile public releases (op-eds, articles, expert conferences) on Russian Information Confrontation and Chinese proprietary theft to reveal adversary cyberspace activity.
Hire a U.S. firm to conduct counter-trolling. The private sector ought to be challenged to contribute financially to this effort to create better standards in social media and in journalism generally. The government ought also to reveal publicly Russian ‘experts’ who are, in fact, paid Russian Government spokesmen (i.e., expose phony experts).