History suggests that applying the wrong operational framework to an emerging strategic environment is a recipe for failure. During the World War I, both sides failed to realize that large scale artillery barrages followed by massed infantry assaults were hopeless on a battlefield that strongly favored well-entrenched defense supported by machine gun technology. The Imperial Japanese during World War II never appreciated that continuing to rely on the Bushido warrior ethos – fighting to the death instead of surrendering to fight another day – could not overcome Allied technology and industrial capacity. The failure to adapt had disastrous consequences.
Today, it’s the United States that’s on the wrong side of history. It has failed to appreciate the unique characteristics of cyberspace as a strategic environment in which it must operate, and instead applied a nuclear deterrence framework. This framework has created a preference for a “Doctrine of Restraint,” which was central to the most recent 2015 Department of Defense Cyber Strategy.
U.S. decisionmakers assumed that restraint would induce similar restraint by adversaries as deterrence theory might predict. That mistaken approach has had the opposite effect as America’s adversaries have leveraged cyberspace (and the larger geoinformation space) as a domain in which they can achieve a fundamental shift in global power toward their advantage. While the United States assumed cyber deterrence could work, adversaries have pursued a very different strategic approach. They have recognized the distinctive characteristics of the cyberspace domain demand new operational concepts. The United States has not.
There are three overlapping strategic environments today, and each demands a unique operational response. The conventional strategic environment is the oldest, and historically has moved between “offense-advantaged,” (such as maneuvered, mechanized warfare) to “defense-advantaged,” (trench warfare). The security of the state rested with its ability to field military forces to contest the adversary. Distinct from the conventional weapons environment, which is driven by contestable costs, the nuclear weapons environment is defined by its incontestable nature—it is offense dominant. This reality required a new way for states to think about security: How do I secure myself if I cannot defend? The answer was strategic deterrence: convince the adversary not to attack in the first place. The strategic effect was achieved by the simple possession of nuclear weapons, not by their use.
Cyberspace is an entirely new strategic environment, one which has important distinctions from the traditional domains of land, sea, air, and space. Questions of sovereignty are ambiguous at best in cyberspace. The domain cannot be segmented into a military sphere and civilian sphere in ways that we do in traditional areas like land, sea, or air. One cannot declare a “war zone” in cyberspace for example. Indeed, cyberspace is a domain in which military operations are conducted while in constant contact with all actors – civilian, business, criminal, other military, social, etc. In cyberspace, determining which actors can have a significant impact is not well known, their intentions are difficult to discern, and their acts are often impossible to attribute. That makes calculating proportional responses problematic. All of this suggests a distinct environment of persistent behavior in which many actors are seeking initiative.
Which brings us back to the fool’s errand of “cyber deterrence.” The United States has organized its governance and force employment in cyberspace based on an understanding that the information space is demarcated by “rules and roles,” rather than as a blended, interrelated space. Cyberspace capabilities were developed in highly classified compartments by intelligence agencies and their employment and use were held at the highest levels (not unlike nuclear weapons).
This created two debilitating intellectual constraints: cyber = compartmented capability and cyber = nuclear. This approach was institutionalized when U.S. Cyber Command was stood up as a sub-unified command under U.S. Strategic Command (where nuclear forces are controlled) and its commander was also the director of the National Security Agency (a highly compartmentalized signals intelligence collection agency).
Fortunately, there is a better approach. Richard Harknett, one of America’s leading thinkers on strategic deterrence, has recognized cyberspace as a strategic environment with distinct dynamics that requires a new framework, just as nuclear weapons necessitated a fundamental change. He has introduced the concept of cyberspace as an offense-persistent strategic environment. Working with Michael Fischerkeller and Emily Goldman, the trio has undertaken the monumental task of breaking U.S. thinking out of a deterrence cul-de-sac.
This new operational concept requires American national security thinkers to rethink security as denying, disrupting, seizing, and retaining the cyber initiative. This can be thought of as simultaneously anticipating one’s own vulnerabilities while leveraging the those of the adversary. It runs the full spectrum of security operations, including resiliency, defense, active-defense, counter-offense, counter-campaign, and offensive campaigns. As I noted elsewhere:
No steady state can exist here—every defense is a new opportunity for offense, and every offense generates a new defense. Operating [in cyberspace] will require new models — those which embrace constant contact, which move from trade-off models to synergy models, and which transition from coordination to integration. Security is achieved not through imposed norms but through retaining the “cyber initiative” — the operational outcome of effectively anticipating the exploitation of cyber-related vulnerabilities.
The recently released National Security Strategy by the Trump administration offers a glimmer of hope that these intellectual constraints might be dying off. Important progress was made when cyberspace operations was tied to great power competition, rather than merely crime, nuisance, or the means of the weak to challenge the strong. It highlights the fact that:
Cyberspace offers state and non-state actors the ability to wage campaigns against American political, economic, and security interests without ever physically crossing our borders. Cyberattacks offer adversaries low cost and deniable opportunities to seriously damage or disrupt critical infrastructure, cripple American businesses, weaken our Federal networks, and attack the tools and devices that Americans use every day to communicate and conduct business.
The choice to use the word “campaign,” rather than the traditional “hack,” as well as highlighting the need to respond to “persistent cyberattacks” provides some insight into how policy makers view adversary use of cyberspace. Deterrence does not apply in a space where adversaries are conducting long-term, persistent campaigns – especially campaigns “operating below the threshold of military conflict … cloaked in deniability.” The strategy responds by stating that “none should doubt our commitment to defend our interests …” which hopefully indicates the willingness to abandon the aforementioned “Doctrine of Restraint” or the idea that U.S. persistent cyberspace campaigns are inherently escalatory.
Moreover, the strategy demands that “Malicious activity must be defeated within a network and not be passed on to its destination whenever possible.” This is an important intellectual acknowledgement that global networks are the battlefield, and constraining operations based on geographic boundaries is both counter-productive and self-defeating.
To be sure, the intellectual constraint of “deterrence” still plays heavily. Indeed, an entire section is titled “Deter and Disrupt Malicious Cyber Actors,” emphasizing cost imposition on states and criminals who “undertake significant malicious cyber activities” while also building resiliency to “create doubt” that adversaries can achieve their objectives.” This is classic “deterrence by punishment” and “deterrence by denial” thinking, and while sounding unobjectionable at first blush, signals that remnants of old thinking are difficult to abandon. Operationally, the NSS aligns more with Harknett’s notion of persistence, but has not adopted a direct shift in base strategy. Time will tell whether this NSS marked the beginning of a new approach to cyber operations.
That said, the new document’s approach to cyberspace operations seemed to earn praise from eminent former members of the Obama Administration. Michael Sulmeyer, former director for plans and operations for cyber policy in the Office of the Secretary of Defense, applauds it as
“A more thorough treatment of cybersecurity as a core national-security concern than we’ve seen in the past. Before, for Democrats and Republicans, the priorities have been stopping the theft of U.S. intellectual property and hacking of U.S. businesses and protecting federal networks and critical infrastructure. How? Concepts like deterrence are often—maybe too often—borrowed from the Cold War and grafted onto this more complex domain.”
Old habits die hard, and outdated thinking harder still. Time yet remains for American national security thinkers to embrace this new operational approach and properly organize, man, train, and equip cyberspace forces. And perhaps we have begun to take steps to do so – but time may be running out.