US Cyber Command: “When faced with a bully…hit him harder.”

Jason Healey
Cipher Brief Cyber Advisor & Senior Research Scholar, Columbia University

In Washington, there may be division and confusion about how to deal with Russian cyber-based interference. But 25 miles north, at Fort Meade, home of U.S. Cyber Command, they are angry and ready.

Cyber Command’s new strategy demands that, “We must not cede cyberspace superiority.” The goal is “superiority” through “persistent, integrated operations [to] demonstrate our resolve” even “below the threshold of armed conflict.”

Through agility, they want to increase not just readiness and advantage, but also “lethality,” a word given true punch by Cyber Command’s stated desire to move to contact and beat the Russians … as well as Chinese, Iranians and North Koreans. This seemingly has worked well in the cyber fight with ISIS, against whom JTF-Ares has used the agility and looser rules of engagement to ever-improving effect.

In discussions with the command at a recent strategy conference, it was clear: Cyber Command has moved past thinking like the “father of the Air Force” Brig. Gen. William “Billy” Mitchell, having to prove the worth of a new capability. Now they are thinking like WWII Air Force hero and Chief of Staff of the Air Force Gen. Curtis LeMay. We are at war now, today, and must be ready to dominate with overwhelming power, to make the silicon rubble bounce, if called upon.

When faced with a bully who pushes you down in the school yard, I was told, you must not just get back up, but hit him harder. And what then? What if he doesn’t back down? Well, pull out a two-by-four and hit him again, harder.

Getting in close to grapple with adversary cyber forces is almost certainly the right move, at this stage of conflict. Like many of us, Cyber Command seethes at the election interference and other nation-state hacking – like WannaCry and NotPetya – which are spiraling out of control.

Despite being the right move, however, it is also an incredibly risky one.

How can the fighters in the cage, in the heat of the moment, know the limits in a match that will happen every day, for years? One side will go a bit too far, punch a bit too hard, pull a trick a bit too dirty, and ignore the double-tap of “too much” from the other. At what point will U.S. Cyber Command – if it gets its sought-after new agility and looser rules of engagement – need U.S. European Command and NATO to tag into the fight?

We cannot forget that our adversaries are sure they are hitting back, not first. They have their own sense of righteous purpose and the United States is seen as the schoolyard bully. This isn’t to make any moral equivalence between U.S. cyber operations and theirs, but there is an escalatory equivalence as each side responds tit-for-tat against the campaigns of the other. Nations will respond very differently to cyber deterrence when they are sure they are hitting back, not hitting first.

Putin seems sure the United States was behind the Panama Papers leak to smear and destabilize his regime. The subsequent U.S. election interference was his moving up the ladder of escalation. Such dynamics must be part of the operational considerations, not to justify them, but to be sure we understand the best avenue to success for the United States. But to hear those at the Cyber Command conference, the United States is a victim only. The adversary’s response to outbound U.S. operations was never mentioned.

Lastly, the nation that will dominate, at least in the medium term, is not the one that can achieve “capability overmatch” no matter how technologically advanced or agile. The gold medal will go to the nation prepared to be the most ruthless and audacious. Given the deep divisions within Washington and around the country, this is not us.

The Department of Defense must be incredibly cautious escalating the conflict, however justified, as it is doubtful that there would be consensus to match Russian President Vladimir Putin’s counterpunch. Calls to interfere with Putin’s own upcoming election only make sense if it is a winning move, one that takes Putin out of the game.

These risks can be mitigated, somewhat. Constant contact between the opposing cyber forces of nuclear-armed states in a time of turmoil will be destabilizing. The U.S. strategy must focus not on deterrence, or victory, but on maintaining that stability. This may mean restraining some operations, not least covert actions, which merely stir the pot.

U.S. cyber operations should disrupt operations and command and control of nation-state adversaries, but not go further except in rare circumstances, backed by decisions by political decision-makers. Pressure on Russian hackers by indicting and arresting them can keep the pressure on, in a less escalatory manner.

The United States must call together its NATO allies to combat this threat through a common front. As with the Russians in Syria, we must have stronger military-to-military (and spy-to-spy) communication channels to somewhat reduce the dangers.

Fighting back is viscerally satisfying. It may even prove successful. But it must not be done out of revenge but with a real chance of success, of better national security outcomes for the nation. This requires not just agility and aggression, but a blueprint for what comes next, and it is not yet clear the United States has, or is in the position to execute, such a plan.

The Author is Jason Healey

Jason Healey is a Cipher Brief Cyber Advisor and Senior Research Scholar at Columbia University’s School for International and Public Affairs, and Visiting Scholar at the Hoover Institution at Stanford University, specializing in cyber conflict and risk. He started his career as a U.S. Air Force intelligence officer, before moving to cyber response and policy jobs at the White House and Goldman Sachs. Healey was founding director for cyber issues at the Atlantic Council where he remains a...


8 Replies to “US Cyber Command: “When faced with a bully…hit him harder.””
  1. Since WW 2, the U.S. has had its say as well as its forces throughout the world, to having U.S. military units in over 180 countries, all trying to justify their existence, especially with the increase of the DoD budget. Overconfidence in having spread as much as it has, along with engaging weaker foes, doesn’t equate to superiority in any field, let alone cyber. Having the ability to throw the “hail Mary pass” – an American idea – feeds into that overconfidence, which could lead to a very rude awakening if not downright destruction of imagined consequences. Opinions, yes, from one of the many who have been brushed aside, in contrast to the choir.

    1. “U.S. cyber operations should disrupt operations and command and control of nation-state adversaries”–How, exactly? Assuming these are closed networks, then this could be challenging. And once in, to do what? Simply deny service? OK, then what? The problem with the argument is that it’s suggesting military action, but cautioning at the same time not to become escalatory. Isn’t that akin to suggesting that a woman get a little pregnant? The reality, I’m afraid, is that the viable responses aren’t military but diplomatic and judicial. Which are not in Cyber Command’s armory.

  2. What the author discusses, called hacking back, is an act almost universally derided as foolish by cybersecurity officials. Primarily due to the fact that it’s almost impossible to attribute an attack with 100% success to any one country or group, there is a good chance the counterattack could go awry causing a great deal of collateral damage and finally the malware used in such an attack can be grabbed and then used against the U.S.

  3. I, too, was in attendance at CYBERCOM’s symposium last week but after reading Mr Healey’s summary of the day, I’m left wondering if one of us was in an alternate universe. I did not witness any of the extraordinarily professional men and women who spoke on the well-balanced and thoughtful panels speak in anger, seethe, refer to the United States as a victim, evince a desire for revenge, or remotely use the metaphor of schoolyard bully to describe what they all clearly understood to be a complex strategic environment in need of a more effective strategic response from the United States. Moreover, while there certainly were discussions of the need to consider rules of engagement for the cyberspace domain, I don’t recall the term “looser” (and its cavalier connotation) being part of those discussions. Rather, panelists talked about the need for rules of engagement that were better aligned with lessons learned from many years of operating in the domain. Evidence-based recommendations strike me as responsible rather than cavalier. Speaking of evidence, Mr. Healey makes several claims that are not born of evidence but, instead, seem to align with the emotional-bent that runs throughout his article. For example, to equate tit-for-tat exchanges with “escalatory equivalence” is an unusual choice of wording when the well-understood concept of proportional response is equally, if not more, appropriate. Moreover, if the past several years may serve as evidence, the behavioral dynamic in cyberspace that leads to escalation appears to be engagements between major powers pursuing operational restraint and others pursuing operational persistence – hardly a tit-for-tat relationship. Finally, while it may be a difficult concept to grasp, the notion of constant contact in cyberspace is not a strategic choice, it is an operational condition that results from the interconnectedness of the domain. And so for Mr. Healey to state that constant contact will be destabilizing in a time of turmoil between nuclear-armed states (and, therefore, the U.S. must focus instead on deterrence and stability) represents a misunderstanding of constant contact. It is not a choice in cyberspace, it is a condition of cyberspace. Being such, what is critical, then, is crafting strategic campaigns that leverage that condition to U.S. advantage. And how to do that is a subject that many panelists commented on deliberately and thoughtfully. I hope my comments make clear to readers that there was quite a lot more substance and far less emotion in the Symposium than Mr Healey’s words suggest. I considered the symposium an important inaugural effort to lay bare the evidence that’s been gathered, the challenges that are still before us, and the importance for making progress deliberately and hastily.

    1. Sorry, just seeing this now or else I’d have responded to your important points earlier (as well as those posted by Michael, also at the conference). Max Smeets wrote a piece that complements mine, and aligns with your points.

      This was an amazing and important conference and this point, what we need to do to get back to stability and security, is the most important one. We held a workshop at Columbia with several other conference attendees to come to terms with the important implications of “constant contact” as “a condition” of cyberspace, a phrase of Richard Harknett and Michael Fischerkeller I really like. We don’t have the room here to get into tit-for-tat, but I’ve a paper coming out with CISAC and I hope we can continue the discussion then, as you make good points.

      As for the article possibly mis-characterizing the conference, clearly I should have made clear it is not only based on just the public comments at the conference. I completely agree that most speakers there were not emotional or particularly seething. I did pick up on a few points. One senior leader expressed disappointment at the US “lukewarm” reaction. Another professed the goal to not just beat our cyber adversaries, but destroy them. When combined with “defending forward” and “persistent engagement,” I feel it crucially important.

      But this piece is not just on these public comments but also private ones made to me on the sidelines, the “vision” document, as well as experience on the DSB task force on cyber deterrence, of which I was a member. It is also based on my experience over two decades of working with military leaders and having written the first history book of cyber conflict.

      I stand by the characterization that the US national security, including cyber professionals, are seething that Russia, China, Iran, North Korea are all attacking us seemingly at abandon. I share that anger and suspect you do as well. If we’re not seething, we’re not paying attention.

      But we can acknowledge that, examine how we got here, and decide what next to do which will get us back to a more stable situation. Perhaps defending forward and persistent engagement will do that. Perhaps not. No one has any idea if it will provide negative feedback, bringing us back to the past norm, or positive feedback, pushing us farther away. We need to experiment. And we won’t make good decisions when we’re seething. At a minimum, we need to think about firebreaks, exit ramps, and other ways to ensure constant contact doesn’t escalate.

      Thanks for the chance to respond. This was brief, but I do respect the points you’re making.

      Jason

  4. I attended the conference Mr. Healey was at and, frankly, I am disturbed by his mischaracterization of the tone, tenor, and topics covered during the day. I heard nothing that resembled “revenge”-driven analysis of the problem at hand. What was showcased was a sober discussion of the escalating and near-constant attacks on the systems upon which our economy, military, and government rides upon and the capabilities which those in our government tasked with defending the nation must consider developing and deploying. Mr. Healey seems uncomfortable with any discussion of “superiority” or, frankly, of a robust defense of our systems. And he seems to be of two minds (or more) on whether you push back against a bully or avoid doing so as it may escalate the situation. His confusion and lack of clarity surrounding these thorny issues is possibly the best indicator that conferences such as the one hosted by CyberCommand are needed — to hone the thinking on the best way forward.

  5. I wonder if the “casual” response of a tit-for-tat approach will gradually exhaust the available cyber attack tools (that could be a positive outcome).
    It’s interesting to see how to achieve the right balance between closing the back doors of the online systems and at the same time developing tools to exploit them (back doors).

    1. I have to say I disagree with Dr. Healey’s characterization of the atmosphere at the conference. I won’t reiterate what some of the other attendees have already said above. I’ll just say what I heard at the conference were quite a few thoughtful conversations about how to deal with some extraordinarily difficult problems. I regularly hear Americans asking why no one in government does anything about other countries hacking US citizens. The speakers at this conference appear to be taking an extremely measured approach.