The world’s malicious cyber actors — Russia, China, Iran, and North Korea – have spoiled cyber’s original, idealistic vision and instead use cyberspace to advance competitive interests to undermine Western laws and norms and pursue a clandestine means (cyber theft) to catch up with the West in technology, political influence, and wealth. Further, they are perfecting cyberspace as a tool for political control internally. In short, the cyber world so far has given us many good things, but also many bad and never delivered the profound political change many predicted; overall, to date, one could argue it’s been a disappointment.
Cyberspace operations today are hard to discern and even harder to attribute, and forensics and attribution are likely to get harder for malevolent states that do not adhere to international law, Western notions of liberal democracy, or accepted norms of behavior. It is entirely possible that the United States and its allies will not be able to discern or deter numerous – if not most – adversary cyberspace operations in the future as malicious cyber activity becomes more surreptitious, numerous, automated, and normalized. In short, cyberspace is Paradise Lost and its future is gloomy with a chance of frequent, un-attributable assault.
James Van de Velde, Adjunct Faculty Member, Georgetown University, Johns Hopkins University and National Intelligence University
"Although it sounds contradictory, states ‘fight’ today in ‘peacetime’ via cyberspace below the legal threshold of armed conflict. They conduct ‘warfare in peacetime.’ U.S. Government legal departments failed to keep up with this clever, adversary, asymmetric strategy to permit a requisite reply."
States have discerned how to compete via the manipulation of narratives, facts, information operations, and occasional cyberspace attack that injure or kill no one and usually do not elicit a strong counterattack (assuming they are even discerned). Yet, through these cyberspace operations, political realities change, borders change, and technology and wealth are stolen. In response to these challenges (in Ukraine; across the Taiwan Strait; against the U.S. defense industrial base; from cyber criminals who enjoy state protection) the United States often finds itself legally confused, jelly-legged, and politically fractured.
Russia and China are not ‘great power’ competitors – they are autocracies – authoritarian and totalitarian states that use Western institutions when in their interests and violate the norms of civil behavior when they are not. This is not 19th century Britain, Spain, and France competing for continental dominance or colonial empires. The United States is not in an era of great power competition; it is in an era of the rise of global authoritarian and totalitarian states, which are purposefully undermining the rule of Western law and norms of international behavior to create new political realities and false images of themselves. They smear the United States in a perceived zero-sum competition for global influence. These states now believe their own talking points, that the United States is some sort of global colonial power. As with all authoritarian states, their rulers are more and more deluded by their own megalomania and information operations (which is why authoritarianism is so dangerous).
Cyberspace norms are being created by default as the United States and Western democracies fail to push back against violations of their sovereignty and defend against the theft of Western wealth and proprietary information or deny the use of the internet by terrorist groups. Adversaries no longer fear competing with the United States in cyberspace, believing that we are either self-restrained for legal or political reasons or we are not as capable as they thought we were. Consequently, there is no risk or serious repercussion for malicious activity. Adversaries hide behind anonymity.
Some analysts claim that there are no ‘defined rules of engagement in cyberspace yet.’ But that’s not quite right. There are already many rules, including the Law of Armed Conflict, proprietary law, trade law, concepts of sovereignty … but they are often not respected by the malicious cyber actors. And there are no repercussions for their violations, though many are unambiguously illegal: proprietary information theft, cyberspace attack on civilian infrastructure in peacetime, safe haven for ransomware attackers, or overt support to criminal groups. Therefore, these malicious cyber actors will continue to press forward unless and until they are punished (it’s not that their malicious activities are ambiguous or undefined). But if they are not punished, you can expect no change in cyberspace or in the behavior of the malevolent states.
Both China and Russia enjoy an ‘asymmetry of interest.’ Both believe they care more about their foreign policy, national security, and cyberspace interests than do the United States and Americans generally. This asymmetry – which they foster — allows more maneuver and malicious activity. If warfare is a test of will, our adversaries currently enjoy more of it (at least they believe they do).
"Currently, cyberspace promises an asymmetry of the offense over the defense. Further, there is no balance of power (or balance of terror) in cyberspace – small state and non-state actors can and do wield strategic power against much larger states."
Worse, adversaries and the United States play by different rules: adversaries by pressing boundaries; the United States by expecting respect for international law. There is currently little fear of U.S. counter-engagement in cyberspace that would make the malicious actor regret its initial malicious cyberspace operations.
The US policy of restraint — a naïve attempt to demonstrate to adversaries that all states should refrain from militarizing cyberspace — is in contradiction with the expectation that malicious cyberspace actors should somehow be deterred from malicious activity. You cannot deter adversaries in a domain in which you do not act or defend sufficiently, or in which you do not punish transgressors with unacceptable costs. Cyberspace has been militarized by our adversaries precisely because of U.S. passivity.
The United States considers itself a status quo power globally. This is also a problem. Competitors have maneuvered the United States to appear as a stale, defensive power and often a cyber menace, claiming it violates other states’ sovereignty and the privacy of Americans via cyberspace. By definition, status quo powers decline (and are expected to decline). Being defensive in cyberspace means constantly apologizing or self-limiting. Russia and China have largely succeeded in integrating into the minds of many that the United States is often the malicious, ‘colonialist’ actor, or not particularly better than its alleged competitors (i.e., them). Many Americans today, no doubt, believe the United States is no better than Russia or China in cyberspace.
"China’s information operations, conducted mostly via cyberspace, are directed first against its own people, led by the ‘Golden Shield Project’ (aka the Great Chinese Firewall) – a massive censorship and surveillance system, operated by the Ministry of Public Security."
This system attacks and blocks certain websites, poisons cache, conducts speech and face recognition, sucks in closed-circuit television, smart cards, credit cards and other surveillance technologies; it indexes content around the world (in anticipation of filtering it when it heads to China), filters incoming content, blocks pro-democracy groups and certain content, including anything to do with the Dalai Lama, Falun Gong or Taiwan as well as news stories that embarrass the Government, along with Voice of America and many Western news sites, such as the Chinese edition of the BBC. And now, China has gone full Black Mirror, devising social media scores for citizens to control and limit their ability to move freely around the world, or secure loans, or get jobs, or speak – all based on one’s government-derived social media ‘score.’ China is so brazen and confident in its use, it may extend the Firewall around regions it wishes to control politically or export its social media score program to other states.
Chinese President Xi Jinping puts the economy first so that he can modernize the Chinese military, ease social discontent (i.e., placate rising expectations by aiding Chinese industry), and increase China’s stature internationally – but not move the state toward liberal democracy. Xi loves the internet (it’s China’s best tool to steal technology to catch up to and surpass the West) – a state wealth multiplier and monitoring system that connects every Chinese citizen – and believes Chinese socialist propaganda is good stuff, important food for the Chinese youth, and that the internet and social media are its best delivery mechanism.
China is also now ‘out-cycling’ the United States, thanks primarily to its cyberspace operations. The Chinese may soon perform acquisition faster than the United States can develop and field new defense technology. This means China may soon be able to steal (or at least learn of) U.S. technological plans and developments (via cyberspace) and develop countermeasures to U.S. defenses faster than the U.S. can conceive of and field ‘Third Offset’ technology – technology that aims to generate and sustain strategic advantage by acquiring technologically more-advanced weapons to defeat adversary advancements. This may be especially true in cyberspace where acquisition favors the fast – not necessarily the most advanced – technology.
It will soon be impossible for the United States to compete with China via numbers. China will soon outnumber U.S. forces in every sector, including cyberspace forces. The United States, therefore, will have to discern an asymmetrical cyberspace strategy toward China and perhaps Russia and Iran too, as these states place the highest priority on advancing and funding their cyberspace forces. Worse, all these states share a common political enemy and cyberspace nemesis: the United States and its influence and leadership worldwide.
"Russia conducts information operations via cyberspace to change the political status quo in Europe, the United States, and the Middle East. Because cyberspace activity results in few or no casualties, traditional notions of warfare are becoming antiquated and obsolete."
What does U.S. air or sea dominance, for instance, give us relative to the political future of Crimea or Ukraine? What difference does it make whether Taiwan is absorbed by China through incremental intimidation or the changing of global attitudes toward Beijing it manipulates? Or whether the United States rips itself apart via its own media, competing political narratives, China-compliant movies that imply the U.S. Government is the global problem, or academia that is corrupted by an obsession with victimization, tribalism, and foreign influence it refuses to admit? Russia and China believe the United States is currently politically ill (but revel in our malady).
Russia’s SORM (‘System for Operative Investigative Activities’) is Russia’s social media/information control mechanism for the interception of telecommunications and telephone networks operating in Russia. It allows the Putin Government to monitor all dissent or threats to the regime. It is Russia’s Great Firewall, only less obvious and heavy-handed than China’s, but more subtly threatening. Russia bought out (against his will) Russia’s equivalent of Mark Zuckerberg and Facebook (VKontakte) in order to absorb social media into its state monitoring and control mechanism. (Yet Russia paints the United States as a cyber menace.)
Russia sees no guardrails in cyberspace. It uses Ukraine as a cyber test bed to conduct offensive operations against the Ukrainians in order to try to discredit the government to intimidate or shame the Ukrainian people back under Russian hegemony. But Russian offensive cyberspace operations sometimes spill out of Ukraine to infrastructure in other states. NotPetya – a variant of the Petya code – was reconfigured from ransomware to destroy Ukrainian civilian systems it infected. It spread from Ukraine – its principal target – to dozens of other countries.
Malicious cyberspace operations have moved from writing and inserting malicious code, Trojan horses, worms, and viruses to stealing credentials (the username and password) of users and maneuvering inside networks with authentic authorizations. This makes forensics harder to discern, since there is often less malicious, foreign code to analyze, which normally helps discern attribution to a state. (Malicious code has a syntax that can often easily be attributed to states, if not specific individuals.) And if this stealing of credentials becomes automated or conducted by AI (AI speech has already passed the Turing test), there may be far less faith in our systems and cyber defenses in the future, not more.
The introduction of artificial intelligence may permit an automated and masked approach to offensive cyberspace activity by states – most especially by the legally unconstrained authoritarian states (which will especially serve to obscure their operations).
"If AI can discern vulnerabilities autonomously and attack through them, AI will usher in a new era of constant adversary attack, not just an era of persistent competition."
It is not a coincidence that the states that are heavily investing in AI are … Russia and China. AI may usher in an era of near constant malicious cyberspace activity of un-attributable origin and change our expectations of privacy and political freedom in cyberspace.
The near future of cyberspace is Balkanization (aka ‘splinterization’) – the fracturing and dividing of internet networks into separate, independent networks, usually defended by a firewall, inspired ostensibly by state concerns over technology or intelligence loss, commerce, politics, or sovereignty. This Balkanization is being driven by the authoritarian states of the world (Russia, China, Iran, North Korea) who wish to control information inside their borders and enable and harbor criminal cyber activity focused against the United States, as well as steal Western industrial technology, which they will want to protect, once stolen. Balkanization is the next stage of the cyber world because the original vision for cyberspace – that it would emerge as a global commons and a global good for the sharing of information and political discourse – was unambiguously crushed by these authoritarian states and the criminals they harbor. Cyber Balkanization is a zero-sum authoritarian approach to information control and theft of Western proprietary information and wealth. There may be some good, legitimate reasons for data to be localized (so that good states can prosecute citizens with data they can find on servers inside their states), but Balkanization will serve authoritarian states and criminal elements especially well.
By Balkanizing the internet, these authoritarian states are encouraging Western states to retreat in cyberspace into a more bunkered mentality. The U.S. vision for a global cyber commons has been utterly subverted into the opposite — the internet is now a terrific tool for autocracy: steal, damage, retreat, and shelter. There is a crude convergence of opinion now that cyber Balkanization is happening worldwide whether we like it or not, driven by disparate state interests in either data control (‘data sovereignty’) or information control (China’s definition of ‘internet sovereignty’). Even New York City has, now, its own Cyber Command — a form of Balkanization.
Balkanization promises states both ‘security’ and ‘information control’ because cyberspace has been so abused by malign actors; ‘splinterization’ is now the new, inevitable internet end state following the naive attempt to create a global cyber commons. There are competing (Balkanization) models now for the world: the EU model (data centers to house data in-country) or the PRC model (total information control). But no one is discussing the ‘U.S. model’ because there is now no U.S. model or vision for the future of cyberspace. The EU model will likely become the model for regulators while the China model will become the model for autocracies to effect information control and regime sovereignty. Most states will adopt at least the EU model; many will like and import the China model too.
At first, Western leaders thought the web would be the death tool for authoritarian and totalitarian states. President Clinton once famously said (18 years ago) that China controlling the internet would be like trying to ‘nail Jell-O to the wall.’ (Mr. President: see wall.) In fact, the internet – the tool thought to advance free speech and liberalism – is instead today the perfect tool to effect control for many states. Many social scientists and academics predicted the demise of the totalitarian state of China 20 years ago, arguing that per capita wealth would create demand for freedom and the internet would provide the democratization wedge that would pry open the State. Instead, wealth has increased pride inside China and placated discontent (as well as in Russia). States manipulated the internet to advance nationalism, suppress dissent, steal Western wealth, smear the West, and monitor outside news and political opposition.
The internet has lost the veneer that it is the instrument of liberty. It may expand communications but it is also a tool for espionage and industrial theft, a force multiplier for autocracies, a military domain, and a political control instrument, sensor, and weapon. Worse, smaller states see how the malicious states have been able to steal wealth and proprietary information with impunity and are, sadly, beginning to emulate them. And as the number of internet users increases, so does the attack surface. In short, the trends are not getting better.
Cyberspace’s very nature guarantees that the future will involve persistent – if not continuous — confrontation with authoritarian states and never-ending challenges to defend Western wealth and security as long as these authoritarian autocracies and totalitarian states exist. The United States voluntarily eschewed using offensive cyberspace operations to wedge open these dangerous autocracies, yet these very states have no compunction in using cyberspace to undermine the United States and Western democracies.
Cyberspace’s very nature thus demands that the United States engage in continuous cyberspace maneuver and competition – actively confronting forward (i.e., inside adversary networks) in real time to defeat adversary operations, while remaining cyber resilient and well-defended at home.
"This will require greater partnership with industry, internet service providers, and private security firms, as well as a more sophisticated (i.e., realistic) understanding by the American public of the challenges cyberspace poses to our way of life."
All this coordination and activity has to move quickly to meet what Secretary of Defense James Mattis calls the “speed of relevance.” Cyberspace’s future may promise many things, but persistent adversity is likely one of them.