An Approach to Striking Back in Cyberspace
BOOK REVIEW: Striking Back: The End of Peace in Cyberspace — and How to Restore It
by Lucas Kello / Yale University Press
Reviewed by Evan Rosenfield
The Reviewer — Evan Rosenfield spent almost a decade in the U.S. Intelligence Community serving in various operational, analytical, and policy positions in counterterrorism and cyber. He co-led the formation of one of the U.S. government’s first kinetic cyber foreign partnerships.
REVIEW — In 2013, a New York Times report detailed publicly, the activities of Unit 61398 of China’s People’s Liberation Army (PLA), a hacking group that was siphoning sensitive American technology and corporate trade secrets. The group’s operations were just one facet of China’s expansive campaign to shrink the technological gap with the United States via cyber operations and constitutes what then-Director of the National Security Agency (NSA) Keith Alexander described as “the greatest transfer of wealth in history.”
The U.S. response was milquetoast. U.S. National Security Advisor Tom Donilon called for China to cease its activities and agree to “acceptable norms of behavior in cyberspace.” The Department of Justice took the unprecedented, but largely symbolic, step of filing criminal charges against five PLA hackers, who will likely never see the inside of a U.S. courtroom.
In the years since, countries such as China, Russia, Iran, and North Korea have increasingly used cyberspace to pursue political and economic revisionism. Most notable, of course, is Russian state-sponsored hacking-and-leaking to sow discord, undermine civic solidarity, and influence elections throughout the West.
The West’s impotent responses have failed to establish cyber deterrence against future operations. Lucas Kello’s Striking Back: The End of Peace in Cyberspace — and How to Restore It offers a refreshingly approachable accounting of this failure.
In Kello’s telling, the failures are three-fold: 1) failure to protect against foreign intrusion in domestic information spaces; 2) failure to deter actions that are neither warlike nor peaceful; and 3) failure to achieve strategic accomplishment despite material cyber primacy.
Kello, an associate professor at Oxford University, describes the West’s current cyber deterrence strategy, as evidenced by the response to Unit 61398, as “cyber legalism,” a reliance on laws and norms to shape acceptable state behavior. Kello argues that cyber legalism, which — while salient in international security challenges such as nuclear deterrence — is generally impotent for cyber deterrence.
First, members of the international community do not agree about what is acceptable behavior in cyberspace. For example, the Kremlin sees no issue with kompromat hack-and-leak operations, and China’s use of state resources to benefit local champions is baked into its cyberspace doctrine.
Second, existing frameworks of international law, such as the UN Charter, fail to restrain conflict in cyberspace, where much of the objectionable activity occurs below the threshold of war. “There’s no playbook,” as Kello quotes the Sony Pictures CEO after North Korea wreaked havoc in his computer networks. Because North Korea bombed firewalls instead of physical walls, U.S. policymakers seemed befuddled by whether – or how – they could respond.
Amidst this confusion, Western responses to adversary cyber activities are endemically inadequate. “Aggressors are often named, but rarely shamed, sternly rebuked, but only meekly punished, harassed but largely undeterred,” Kello writes. Under-proportionate responses have “failed to convince adversaries that the retaliatory cost outweighs the gain.”
To Kello, the culprit is not that cyber is a novel technology, but rather that the West has utterly failed to adapt its strategies and policies to cyber’s watershed doctrinal implications.
For much of world history, war was the vessel for geopolitical change. Indeed, to Clausewitz, “war is…a continuation of political intercourse, a carrying out of the same by other means.” But much of the geopolitical posturing today occurs below the threshold of war, in the gray zone between peace and war, what Kello has termed “unpeace.” Although the much ballyhooed “Cyber Pearl Harbor,” characterized by cyber operations inflicting catastrophic physical effects, has not occurred, activity below the line has increased. This both undermines global security, renders irrelevant the West’s massive cyber primacy, and leaves the West flat-footed amidst geopolitical sea changes.
So, what’s the West to do?
The current en vogue strategy is “persistent engagement” in which cyber operators proactively disrupt malicious cyber activity at the source through active campaigning in adversary networks. Successful operations have immobilized ISIS media activities and disrupted Russian troll farms during the 2018 midterm elections. But Kello sees this cult of the cyber offensive as missing the forest for the trees and not truly reducing conflict in cyberspace or its deleterious geopolitical impact.
Kello proposes instead “punctuated deterrence” or “collective punctuation”: cumulative, targeted, and decisive cyber operations that signal that certain actions in cyberspace will not be tolerated. This approach punishes “credibly, forcibly, and intently”.
Kello argues that NATO, acting as a forum for a quasi- “coalition of the willing” could be the vehicle to inflict such an accretion of blows that would “inhibit boldness with boldness.” This deterrence by punishment seeks to change an adversary’s strategic calculus through cumulative effect, rather than tit-for-tat shots across the bow.
In Striking Back, Kello expands on the thesis from his previous book The Virtual Weapon and International Order, that cyberweapons can be as revolutionary as armored tanks or nuclear weapons. But even the most deadly cyberweapon cannot yet take physical battlefields. No Russian cyberattack post-invasion, has had visible effects of military significance in Ukraine. Only in the conclusion, does Kello concede the limitations of virtual weapons in the face of true hard power.
Kello also makes the distracting claim that “the U.S. and Britain do not enjoy a hundred years of experience in the weaponization of information” as an excuse for the West’s blind spot to gray zone activities. From the sabotage, subversion, and propaganda-driven information operations of the Office of Strategic Services and MI-6 to Radio Free Europe and CIA covert actions during the Cold War, information and political warfare are as American as apple pie and as British as bangers and mash. It’s not that the West doesn’t understand the utility of the gray zone; it’s that policymakers, from Brussels to Washington, do not seize its potential as do their counterparts in Beijing and Moscow.
Overall, Kello has crafted a work that deftly intertwines international relations theory, military history, and policy analysis. The book is clearly written and accessible to a wide range of readers, whether they’re roaming the halls at Fort Meade, crafting laws in Western capitals, or perusing the stacks at local book stores, wondering how we arrived at the current state of cyberwarfare.
Striking Back earns an impressive three-and-a-half out of four trench coats.
Disclaimer — The Cipher Brief participates in the Amazon Affiliate program and may make a small commission from purchases made via links
Read more expert national security perspectives and analysis in The Cipher Brief