The Trump Administration is likely deliberating now the U.S. Department of Defense’s role in defending US interests via cyberspace – specifically, whether to continue President Obama’s Presidential Policy Directive 20. U.S. military cyber operations will likely be determined by this internal debate.
The previous administration emphasized caution in the application of power via cyberspace. Limits were set and rules established. Yet no other domain has such limits (though arguably states can inflict much more damage in all of the other domains). The result was predictable: adversaries stole massive amounts of U.S. wealth and proprietary information, strategically placed malicious capabilities on U.S. civilian infrastructure that can cause civilian damage in times of crises or war, and terrorist groups used social media to transform their local grievances into a global movement, while most of the (cyber) DoD sat by idly.
There is something about cyber issues that make people lose all perspective. Cyberspace has emerged as largely no different from the other domains of warfare. Fears that single cyberspace operations would be enormously politically consequential were exaggerated. We don’t have all-encompassing restrictions in the other domains yet we do in cyberspace – a legacy of this original myth that cyber activities could elicit ‘cyber Pearl Harbors.’ Former DNI James Clapper told the Senate Armed Services Committee in February 2015 that a ‘cyber Armageddon’ is not likely, but instead that the United States will suffer ‘low-to-moderate level cyber-attacks.’ Whereas it is true that any individual act in cyberspace is likely not to be massively consequential, cumulative (persistent, ongoing) operations do become consequential – precisely the approach our adversaries have taken.
Today, it is clear that adversaries are maneuvering in cyberspace aggressively and they are conducting malicious cyberspace activities to advance their own interests, no doubt in large part due to DoD’s absence. As any psychiatrist will argue, you get the behavior you reward (or fail to punish). Adversaries discerned a lack of will and consequently pushed through any notional redlines in cyberspace, believing that the United States was either incapable or unwilling (for legal or political reasons) to defend itself, its infrastructure, its wealth, and its interests in cyberspace. The United States cannot achieve the outcome for cyberspace it desires without actively shaping the behavior it expects. This means establishing and defending against unacceptable behavior, including punishing activities that go beyond accepted norms.
The previous administration hoped that cyberspace would emerge as a peaceful domain where speech was open and free, proprietary information was inviolate, and state and non-state actors would protect cyberspace as a common good. Cyberspace, instead, is the domain today where adversaries come to change the political status quo via information operations, hold our critical infrastructure at risk, steal our information and wealth, and plan and execute terrorist acts.
During the past few years, the United States found itself reacting late, insufficiently, or more often not-at-all to more nimble, authoritarian states. The United States needs to shape the cyber environment in order to effect and defend the norms and behavior we want – specifically, respect for intellectual property and the inviolability of our critical infrastructure. These cannot be achieved through negotiations or demonstrations of restraint. The laws of the sea were only discerned via custom after years of contact at sea – not through pledges. DoD must play a larger role in defending the nation from malicious cyber actors, both because the new administration has called for a greater role and because it is obvious that malicious state and non-state cyber activity continues unabated.
The United States faces a challenging global order and is witnessing the emergence of global, authoritarian autocracies, which are inherently unstable, compete globally, and advance policies to undermine Western democracy and values, American global leadership, and the rule of Western norms and law. It also faces continuing competition from the totalitarian regimes of North Korea and Iran. In this complex security environment, and because of the mistaken cyberspace approach of the previous administration, deterrence sustained by U.S. conventional superiority is eroding and new threats to U.S. hard and soft power are emerging in every domain.
Cyberspace is marked by continual confrontation between and among actors. A persistently contested cyber environment is the norm now for the nation. The failure of the US Government to respond to malicious cyber behavior has demonstrated that a new attitude is needed to restore credibility and notional redlines in cyberspace. Fears that a U.S. military presence would militarize cyberspace have been stood on their head: cyberspace has been militarized by our competitors and adversaries because of our absence. We need a new approach that will address the need to both defend domestic cyberspace as well as engage those who have used cyberspace to gain advantage and undermine the interests of the United States worldwide.
DoD should adopt a well-defined, standing authority structure for cyberspace similar to what it created in the other domains. The United States should operate forward in contact with adversaries to degrade their offensive activities and impose costs that compel them to shift resources, deter their aggression, and preserve and extend our strategic advantage.
Policymakers and commanders should require DoD to conduct operations globally and be responsive to time-sensitive opportunities in the cyber domain and information environment. Although our enemies operate in theaters approved for kinetic operations, adversaries often leverage cyberspace outside wartime theaters too. Policymakers and commanders want DoD today to create limited and precise effects against enemies, even if such operations occur outside the theater of wartime operations.
To confront adversaries who threaten to hold our critical infrastructure at risk, the President must have options and the legal framework to confront adversaries who use cyberspace for malicious purposes. A legal, appropriate, proportional U.S. response to adversary activity should include elements of deterrence, capabilities that can de-escalate an international crisis, and the legal recognition that much of what the Islamic State and al Qa`ida publishes on the internet is the information operations of a declared enemy and therefore unprotected speech.
Our very restraint has served to advance greater and more adversary cyberspace operations and has had the perverse effect of advancing (not dissuading) military escalation by making our maneuver and escalation control options in cyberspace more difficult for the United States. The farther we fall behind addressing capabilities to threaten our critical infrastructure via cyberspace, the more we make escalation more manageable for adversaries and less possible for the United States and its allies.
In the future, the Department of Defense must engage in timely defensive and offensive operations for cyberspace to cease being the domain where US interests, wealth, and proprietary information continue to be lost to adversary activity. The Department must rescind the previous failed approach and shift to an operational mindset in the cyber domain, just like it has in all the others. Failure to do so will result in the very environment we fear most — one where our adversaries take what they can via cyberspace, meddle in our politics, and shape new political realities, while we stand by naively expecting international law and norms regarding sovereignty, proprietary information, and wealth to be respected because we showed restraint.
Military cyberspace operations must become ‘normalized’ with our other DoD military operations in order for the United States to match the pace and scale of adversary operations. Today, throughout many theaters, U.S. commanders make decisions that involve the loss of life under well-defined, delegated authority structures. Treating cyberspace as somehow extraordinarily unique risks making cyberspace more predictable for our adversaries and advancing the very instability we are trying to avoid.