Walter Pincus is a contributing senior national security columnist for The Cipher Brief. He spent forty years at The Washington Post, writing on topics from nuclear weapons to politics. In 2002, he and a team of Post reporters won the Pulitzer Prize for national reporting.
OPINION — When it comes to cyberspace, “the United States is on the defensive,” James A. Lewis, Cipher Brief Expert and Director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS), told the 2021 Cyber Command Legal Conference last Thursday.
“For more than twelve years,” Lewis said, “our great power opponents have held the initiative and scored success after success, while the U.S. remained in a reactive posture. These opponents have had their share of failures, but particularly in cyberspace, which is a focal point for conflict today, they have had an open field for action. The topic before us is how we can change this.”
We should listen to Lewis.
As a member of the U.S. Foreign Service and Senior Executive Service, he worked on political–military issues and developed policy for satellites and encryption, as well as military basing in Asia, the Cambodia Peace Process, and the Five-Power talks on arms transfers. In 2010, 2013 and 2015, he was Rapporteur for the United Nations Group of Government Experts on Information Security. His current CSIS research involves the internet and politics, surveillance and espionage, and the effect of military innovation on stability.
As he told Thursday’s CYBERCOM session, Lewis believes, “Relations among great powers no longer follow peacetime patterns or rules. While we are not in full conflict today, we are also no longer at peace…In cyberspace, it is conflict where opponents routinely violate American sovereignty and use coercive actions to harm our nation.”
Lewis compared today’s situation to the Cold War, when enormously destructive nuclear weapons posed the threat. “In that environment of existential threat, a strategy of deterrence made sense,” he said, adding, “That construct remains powerful among a generation of strategists whose views are shaped by the Cold War – indeed much of the lexicon of cyber strategy is drawn from the Cold War.”
However, he pointed out, “Cyber conflict does not pose an existential threat. This increases opponents’ willingness to accept risk and decreases their incentives for negotiation. A nuclear exchange would have produced millions of casualties in a few minutes. Cyber attacks cannot match this, and media efforts to inflate cyber risk are unpersuasive.”
Thus, as Lewis described it, “In the absence of an existential threat or even the risk of the significant damage that armed conflict brings, there is little incentive for opponents to make concessions on the use of coercive cyber actions or to stop using them.”
It was March 2018, almost two years after the fact, that the Trump administration sanctioned 19 Russian individuals related to Moscow’s 2016 interference with the U.S. presidential election. It had little effect, although less Russian activity was apparent in the 2020 presidential election.
However, the late-2020, Russian-attributed, so-called SolarWinds attack may have planted malware in at least 18,000 platforms run by the U.S. government and private companies. The website of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said it is “tracking a significant cyber incident [SolarWinds] impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and other private sector organizations.” In response, “CISA, the FBI, and the Office of the Director of National Intelligence have formed a Cyber Unified Coordination Group (UCG) to coordinate a whole-of-government response to this significant cyber incident,” according to the website.
In his January 26 telephone call with Russian President Vladimir Putin, President Biden raised Moscow’s widespread SolarWinds hack and “made clear that the United States would act firmly in defense of its national interests,” according to a White House statement.
An “executive action” response to SolarWinds was promised, but nothing has so far been announced. National Security Advisor Jake Sullivan said on CBS’ Face the Nation, January 21, that it would be “a mix of tools seen and unseen, and it will not simply be sanctions.”
On March 3, CISA warned hacking had taken place on a wide scale in Microsoft Exchange products “enabling them [allegedly Chinese hackers] to gain persistent system access and control of an enterprise network.” On Friday, White House Press Secretary Jen Psaki told reporters the Microsoft attack “could have far-reaching impacts.”
“We are in a conflict,” Lewis said Thursday, “but it’s not the Cold War and it’s largely not military. The military plays an important role. CYBERCOM is the spearpoint for a lot of our activities now…but we’ve got to rebuild the other elements that the U.S. had in the Cold War – our information elements, our emphasis on technology leadership, our alliances…We can no longer assume we have technological leadership.”
He added, “This new kind of conflict is ambiguous and less reliant on conventional military actions, and we lack the analytic tools needed to re-conceptualize strategy for it.”
In Lewis’ analysis, deterrence so far has not worked to prevent conflict so “a new approach must discard deterrence and identify the goals we wish to achieve in ways that are actionable.” He acknowledged that there had been many cyber successes against Russia and China, but they have not been made public and “if the battle is over perception and public opinion, secret successes contribute little.”
“Domestically, a new cyber strategy must be accompanied by public messaging and by building both stronger defenses and greater resilience for when defenses fail,” Lewis said. But, he emphasized, “Better network defenses and private sector actions are important, but by themselves, they are the digital equivalent of the Maginot Line.”
Noting that “maneuver warfare” defeated a Maginot Line, Lewis proposed a new, coercive U.S. strategy of “using cyber actions against opponents to reshape their calculations” of the risk they face in cyberspace if they keep acting against the United States. Non-force actions such as economic sanctions and criminal indictments have not worked so far.
CYBERCOM Commander General Paul Nakasone said in his keynote address to the Thursday conference that the U.S. is currently following a practice of “ensuring there are meaningful consequences from malign activity in cyberspace,” but that has not had the deterrent effect needed.
As Lewis put it, “Anything short of a forceful response is likely to go unnoticed by opponents who are no strangers themselves to the use of force and threats and expect it to be a normal part of the exercise of power.”
He also downplayed “fears that an assertive strategy will lead to tit-for-tat exchanges that will escape our control.” Lewis said that fear “ignores the fact that our opponents are already engaged in aggressive actions and they see our repeated failure to respond as a green light for continued and more damaging action in cyberspace.”
While constant cyberspace conflict has been ongoing for almost 20 years, Lewis claims that although there have been unintended consequences from some actions and collateral damage from others, “there has never been an incident that has led to escalation.”
However, the time has come for the U.S. to adopt what Lewis called “a more assertive posture in cyberspace,” saying an announcement of that would be “in itself a message that will improve our position with opponents.”
Of course, he said, “We will need to identify the right targets and the right level of damage to achieve strategic effect.”
Creating the right effect is a problem.
“Despite all the discussion of cyber attacks on critical infrastructure,” Lewis said, “there is little strategic benefit in attacking them. A truly crippling attack would provoke a powerful response from the opponent. This is why Russia and China have not attacked American critical infrastructures.”
Instead, Russia, China and other potential adversaries have carried out reconnaissance necessary for such attacks on our key facilities, as has the U.S. on theirs. Lewis described these recon activities as creating and maintaining potential cyber capabilities “like building missiles but not launching them.”
Much of our understanding of strategic effect still relies on World War II and Cold War nuclear concepts at a time when new ones for the cyber era are needed.
Russia’s 2016 efforts to influence the U.S. election through social media had some impact, and Lewis suggested “information operations to expand discontent…would be particularly effective against China.” But he cautioned, “Such actions would need to be carefully calibrated since efforts undermining their [Chinese and Russian] regimes are what our opponents fear most and could trigger a more aggressive response.”
Instead, Lewis chose “actions against opponent [cyber offensive] capabilities as the most compelling target set… Damaging the cyber infrastructure that provides an opponent the ability to engage in espionage or politically coercive actions is most likely to benefit the U.S., while minimizing the risk of escalation.”
He described such a strategy as “the equivalent of the ‘border clashes’ and maneuvers used by 19th century powers to signal priorities and interests. It is likely that opponent political leadership will feel less threatened by actions against their cyber attack infrastructures and will not perceive this as creating the same level of risk as would be the case if the objective was other political or strategic capabilities.”
Lewis suggested risk could be managed by pacing attacks “with pauses to observe opponent reaction and to appropriately communicate intent, rather than a continuous sequence of actions. Intermittence also reduces the risk of expanded conflict, but pace and rhythm in a more assertive strategy needs further consideration.”
Allies also need to be brought in so that responses are collective. There is also the question of diplomatic and public messaging, which can help manage escalation risk.
Summing up, Lewis said, “We need to identify cyber actions that create strategic effect, ensure they are consistent with our obligations under international law, coordinate them with allies to achieve this, and communicate our intent to our publics and opponents.”