As part of The Cipher Brief’s ‘Academic Innovator’ initiative to bring rising, innovative voices into the national security dialogue, we are reaching out to universities and inviting students to contribute their thoughts on pressing national and global security issues.
Below is a different twist on a current proposal put forth to create a Cyberspace Solarium Commission. The author is Jessica “Zhanna” Malekos Smith, an M.A. candidate with the Department of War Studies at King’s College London. Malekos Smith served as a Captain in the U.S. Air Force Judge Advocate General’s Corps. Before that, she was a post-doctoral fellow at the Belfer Center’s Cyber Security Project at the Harvard Kennedy School. She holds a J.D. from the University of California, Davis, and B.A. from Wellesley College, where she was a Fellow of the Madeleine Korbel Albright Institute for Global Affairs.
The 2019 National Defense Authorization Act (NDAA) includes a provision by U.S. Senator Ben Sasse (R-NE) to establish a Cyberspace Solarium Commission. According to Sen. Sasse, this commission is necessary because: “We don’t have a playbook. It’s time to draft one.” He reasons that this commission is an opportunity to begin a much needed dialogue on “America’s cyber doctrine before it’s too late.”
In terms of concrete goals, the 14-member commission will be charged with the task of “develop[ing] a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” By September 2019, the Commission will submit its ‘playbook’ to various congressional defense and intelligence committees, as well as to the Office of the Director of National Intelligence, Secretary of Defense and Secretary of Homeland Security.
But here’s the dilemma: If the purpose of the commission is to produce a national cyber doctrine and encourage a “deliberate, structured debate,” then why is participation limited to only 14 hand-selected cybersecurity and national security experts? And who chooses these experts? Isn’t such cherry-picking likely to result in confirmation bias, or at least fuel other forms of cognitive bias?
Cyberspace is everyone’s space; is it not therefore reasonable to incorporate a more diverse cross-section of society to debate these issues?
So, if a greater cross-section of the people cannot be included in the commission, why not bring the ‘commission-concept’ to the people — in the form of a Platonic-style dialogue. The ancient Greek Philosophers Socrates and Plato valued this form of testing arguments because “reasoning and truth can only be gained through dialogue. They saw the search for truth as a process of assertions and testing those assertions.”
Reader, you are invited to join the Cyberspace Solarium Dialogue:
Hawk: Unacceptable! We, as a nation, have failed to establish a clear cyber doctrine. We need a playbook! We need to set expectations — something, to signal to the world about when and how the U.S. will respond to cyber attacks. Friends, we cannot afford to sit idly by as other states just write the rules of the road here!
Snark: Calm down. And you’re signaling enough to the world as it is — we were told to leave all electronic devices outside.
Hawk: ‘Twas but a minor oversight.
Chair: Getting back to the main issue, ladies and gentlemen before this Cyber Solarium discusses any new business, it is imperative that we first address —
Hawk: We need to draw a “red line” in cyberspace! A red line, signaling that if any government, or non-state actor, or lone hacktivist even places one toe over this red line, we are ready for them; locked and loaded, and ready to dance!
Snark: Remind me never to go dancing with you.
Hawk: This is no laughing matter – did you know that “Defense Department systems are probed by unauthorized users roughly 250,000 times an hour—over 6 million times each day.” Unbelievable!
Dove: I think Hawk raises a valid point in that we appear to be building this ‘policy airplane’ whilst flying it, however, I caution against a red line policy as it diminishes our response options; additionally, if action is not coupled with words once an aggressor crosses that line, it becomes embarrassingly ineffectual. For instance, do you recall in 2012, when U.S. President Barack Obama said that his “red line” with Syrian President Bashar al-Assad, was if chemical weapons were used, but then did not enforce this after Assad’s regime killed almost 1,500 people in a chemical-weapons attack?
Chair: Enough! We need to take things sequentially on the agenda to formulate a cohesive cyber doctrine. Not only to shape the U.S.’ vision for cyber operations, but also to relay to the International community how we regard international law to apply to State conduct in cyberspace. First, we need to reach a consensus on what constitutes an act of war in cyberspace. As it stands, there is no standard international legal definition of a ‘cyber attack’, and I imagine each of us in this room has a differing opinion as to what a cyber attack is, or is not. So, let’s discuss.
Dove: I propose we adopt the definition provided in the Tallinn Manual on the International Law Applicable to Cyber Warfare. Rule 30 reads that a cyber attack is a “cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”
Snark: What about harm to data? Your definition seems to fall short of the mark by not expressly mentioning damage to, or destruction of systems, data and information.
Hawk: What a sorry pedantic lot are we. Listen friends, there should be less of a preoccupation with divining some prized definition here and more focus on what bad acts in cyberspace are an act of war. Typical examples of cyber activity that amount to a “use of force” under Article 2(4) of the United Nations Charter are “(1) operations that trigger a nuclear plant meltdown, (2) operations that open a dam above a populated area causing destruction, or (3) operations that disable air traffic control resulting in airplane crashes.”
Chair: Sure, all those examples have some form of high-level destruction whether it be loss of human life or catastrophic physical damage. But what about cyber activity that doesn’t amount to an armed attack, but wreaks havoc in other insidious ways? Why are we focusing on just kinetic effects? Should attacking our election systems and judicial system constitute an act of war?
Dove: I agree, there is a danger in trying to hold fast to the traditional military definition of an armed attack as having physical, kinetic effects; this misses the nuances of aggressive cyber operations. From an ethics standpoint, however, should a cyber operation that harms data or produces misinformation be treated as an armed attack? I am concerned that we are lowering the threshold of conflict for states to go to war.
Snark: Eh, I think the future face of conflict will be much more subtle, think gray zone tactics, like when Russia invaded Ukraine in 2014 with its “little green men”, or Russia’s information operations and interference in the 2016 U.S. election. We don’t need to dwell on when a punch in the face, is a punch in the face. That’s self-evident. Acts of sabotage, influence operations, espionage and economic coercion are not new developments, but the ability to propagate and amplify their effects in cyberspace, is new.
Hawk: Which brings me back to my point at the beginning, we need a playbook of responses to cyber-attacks so that our opponents know full well, what type of cyber misconduct will trigger a response from us and what to expect.
Chair: Bringing the focus back here; can we all agree that a cyber attack on our protected critical infrastructure constitutes an act of war? As a reminder, under the 2001 Patriot Act, critical infrastructure includes “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security[.]”
All: Go on.
Chair: Okay, assuming we agree to that, by classifying certain systems and assets as “critical infrastructure,” we are in effect signaling to our opponents that these targets are “out-of-bounds” and if harmed, there will be serious consequences.
Dove: What about election infrastructure?
Snark: Yes, what is to be done, comrades?
Chair: It’s already included. Recall in 2017 that former DHS Secretary, Jeh Johnson, determined that election infrastructure should be designated as critical infrastructure as a part of “Government Facilities.”
Dove: I see. By applying the umbrella term of protected critical infrastructure to such systems, we are in effect signaling to opponents that these systems are ‘off-limits.’ At least this is more flexible and breathable a doctrine than drawing a red line or designing a playbook that could be obsolete after a few years based on the pace of technological innovation.
Snark: In all seriousness, I really dislike the playbook idea. It’s too rigid and to use it as a ‘signal’ to adversaries, is ill-conceived because it weakens the element of surprise in military cyber operations. Why make ourselves more vulnerable to opponents in advertising how we would respond?
Hawk: But a playbook imparts clarity on how we would respond to an attack.
Snark: That may very well be true, but it sounds like what is really needed is a fluid planning model of cyber-based operating procedures and contingency plans. Options, rather on how we may respond. We cannot plan for every form of attack and a playbook is way too formalistic here. Further, we should preserve our right to respond to a hostile cyber act in a time, place and manner of our choosing; flexibility is key.
Dove: Flexibility and the right blend of transparency to signal our nation’s resolve, and to promote global stability. To me, fluidity should animate a state’s analysis of whether the “scale and effects” of a cyber operation rises to the level of an “armed attack” under the Law of Armed Conflict, and how the victim state determines the proper legal basis for responding with force. Furthermore, for the planning model to be pragmatic, it must account for ambiguous conflict scenarios, like when the “armed attack” threshold is not met, but the cyber act still produces harmful effects. Here, an exploration of imposing non-forcible countermeasures, like economic sanctions and legal indictments, must be considered.
Snark: Countermeasures are useful quick fixes, but in the long run I am unconvinced. We’ve seen countermeasures used in 2014 when the US Department of Justice issued indictments against five Chinese military hackers for engaging in cyber economic espionage against US businesses. More recently, in 2018 and 2016 the Department issued indictments against several Iranian hackers with ties to Iran for targeting US banks, as well as the New York Bowman Dam, and for stealing intellectual property from universities. Yes, it’s a slap on the actor’s wrist for bad conduct and the blow smarts for a bit, but if the payoff is higher than the punishment, why stop? For countermeasures to be more durable, our planning model should be flexible and use a layered approach to deter bad conduct.
Hawk: Then we really don’t need a ‘playbook,’ per se.
Chair: And that, is the brick we shall build from.