What a U.S. Operation in Russia Shows About the Limits of Coercion in Cyber Space

The New York Times recently reported that the United States planted computer code in the Russian energy grid last year. The operation was part of a broader campaign to signal to Moscow the risks of interfering in the 2018 midterm elections as it did in 2016.  According to unnamed officials, the effort to hold Russian power plants at risk accompanied disruption operations targeting the Internet Research Agency, the “troll farm” behind some of the 2016 election disinformation efforts. The operations made use of new authorities U.S. Cyber Command received to support its persistent engagement strategy, a concept for using preemptive actions to compel adversaries and, over time, establish new norms in cyberspace.

The character of cyber competition appears to be shifting from political warfare waged in the shadows to active military disruption campaigns. Yet, the recently disclosed Russia case raises question about the logic of cyber strategy. Will escalatory actions such as targeting adversaries’ critical infrastructure actually achieve the desired strategic effect?

The New York Times report highlights the operational limits of using cyber capabilities to compel rival states. The United States needs a broader public conversation engaging practitioners and scholars that evaluates different strategic approaches to securing U.S. interests in cyberspace. The new Cyber Solarium Commission is the perfect forum for starting this conversation. As the United States adopts a more escalatory posture in cyberspace, such a dialogue should address prevailing assumptions about cyber warfare and the efficacy of cyber operations as a component of U.S. grand strategy.

The Problems With Signaling

The U.S. response to Russian election inference illustrates the complexity of signaling an adversary in a connected era. To be credible, signals of the possible use of force need to be backed by a reputation for resolve and sufficient capabilities to achieve the desired effect.  In this case, Russia needs to know the United States is willing to shut down the power to Moscow, to St. Petersburg, and to key military installations and that it has the capability to do so. Washington certainly has the capabilities, but the question of resolve is not as clear-cut. In fact, one has to ask: What Russian action would really push the United States to shut down power and cripple civilian as well as military facilities in a nuclear-armed state’s territory? Would the United States really run the risk that Russia might view the power cuts as the precursor to a preemptive strike? Thus, it is unclear whether the signaling effort described in the Times article worked. Such actions demonstrate a capability to access a rival state’s network, but not necessarily the resolve or ability to carry out more devastating cyber operations.

The question becomes, first, whether a state has the resolve to risk escalation and, second, whether it believes it is worth sacrificing lower-end tools. This dilemma relates to what Robert Art called swaggering: actions taken simply to signal your capabilities to the adversary, rather than to coerce them into doing or not doing something. In cyberspace, such signals require revealing that you have access to a network – for instance, making a relatively minor incursion into a power facility to prove to Russia that you might one day do more. In other words, cyber swaggering requires sacrificing lower-end cyber capabilities for the sake of signaling to a rival. For example, U.S. operators could have deposited code on Russian networks meant to be discovered to suggest the potential for other intrusions and more dangerous operations in the future.

Therefore, a central question in cyber strategy is how to demonstrate resolve and signal capabilities without sacrificing access or risking inadvertent escalation. Cyber operations are unique in this regard. Once an adversary knows their network is compromised, it moves either to patch the network or take entire systems temporarily offline. Thus, cyber capabilities used to deny adversary networks are often “use and lose.”

Furthermore, most offensive cyber actions start as espionage, creating an intelligence gain/loss dilemma. In U.S. joint doctrine, maneuver in cyberspace requires first gaining access to adversary networks. Once you are on the network, you can collect valuable information while preparing future offensive actions to disrupt, degrade, destroy, or manipulate your rivals’ systems. Therefore, every attack risks sacrificing your access to the network and losing the ability to collect valuable intelligence.In addition, if you sacrifice your access to the network for a short-term signal, what future opportunities are you forgoing? In this case, did the United States jeopardize cyber capabilities it might need to defend a NATO ally in the event of a conventional Russian invasion, or worse, a nuclear confrontation, to signal the risk of interfering in a midterm election?

To make matters worse, inherent coordination challenges also that plague cyber operations. Many U.S. competitors use similar hardware and software. In all likelihood, any cyber capability the United States uses to signal to Russia risks jeopardizing its ability to affect Chinese, Iranian, and North Korean computer networks in the future.  By entering the Russian power grid, the United States gave Moscow, as well as Beijing, the opportunity to observe technical methods and harden networks against future intrusions – especially now that the story has been leaked. It remains unclear whether the tradeoff was worth it.

As social scientists start using larger data sets and experiments to analyze cyber operations, they are casting doubt on whether coercion in this new domain works at all.  Wargame experiments analyzing cyber attacks against critical infrastructure reveal difficulties coordinating responses between private industry and the national security establishment, as well as a reluctance to escalate when a cyber incident might cause significant economic damage. Other experiments and simulations similarly demonstrate that players, including national security experts, are unlikely to escalate in response to cyber acts alone. Players seem reluctant to risk World War III over hacking. This hesitation likely is due to the covert character of cyber campaigns and the fact that any predicted coercive effects, to include deterrence, are expectations about the future. Because cyber operations occur in the shadows, politicians can hide the fallout in the short term and avoid public pressure to respond.

There are real concerns about whether cyber operations are a sufficiently costly signal or even the right instrument of power to coerce rivals. Previous studies have found cyber operations can compel rivals, but only when used in conjunction with other instruments of power. It is also unclear whether cyber operations achieve demonstrable battlefield effects. A recent study by Nadiya Kostyuk and Yuri Zhukov finds cyber attacks in Syria and Ukraine did not change combatant behavior. These findings echo earlier studies questioning the efficacy and very concept of cyber war.

Civil-Military Relations for a Connected World

Recent disclosure about covert U.S. military campaigns also raises a host of civil-military concerns. If the leaks are true, which is always debatable, U.S. Cyber Command planted code in a nuclear rival’s power grid without notifying the president. That is,  it used new authorities associated with cyber operations to act without the extensive interagency coordination required previously. Just because a president has low approval ratings does not mean the national security bureaucracy should hide high-profile operations. Usurping authority is a recipe for disaster in a democracy even if one believes the president is an existential threat or prone to disclosing classified information.

Additionally, many studies find bad things tend to happen when military organizations – or any small insular group for that matter – develop plans in isolation. There are intrinsic organizational and psychological problems that prevent rational planning. Military organizations are often prone to a cult of the offensive.  That is, multiple studies on organizational routines show that, left unchecked, military organizations can inflate threats, exhibit a bias toward arms races, and develop war-prone doctrine. Preemptive cyber activity against great powers risks spiraling out of control and affecting not only military but also civilian networks. As previous high-profile incidents like the NotPetya ransomware attack illustrate, malware does not stay quarantined in a globally connected economy.

For Want of a Strategy: Why America Needs the Cyber Solarium Commission

If cyber operations are unlikely to compel or deter an adversary, why use them to send signals to a rival nuclear power? Does the promise of an important but elusive benefit outweigh the costs and risks associated with compromising commercial networks and publicly acknowledging you targeted a rival nuclear power’s critical infrastructure? Covert cyber campaigns are ambiguous signals, deniable actions taken in secret. How a democracy goes about authorizing and executing these highly sensitive operations, which often rely on commercial software and hardware, produces entirely new categories of civil-military concerns, escalation risks, and legal issues.

Even if cyber operations can coerce rival decision-makers into alternate courses of action, it is difficult to prove that Putin’s inner circle changed strategy because of a few lines of computer code with the potential to cripple infrastructure. It is hard to measure deterrence even with more traditional shows of force, like deploying carrier strike groups. Most cases in which deterrence “worked” in theory involve isolated case studies that are often highly contextual and not generalizable. Even when actors change their behavior – say, Russia decides to stop interfering in elections – how do we know the behavior change was a result of the signaling?

The fact is that the national security community – to include both practitioners and scholars – does not yet have a firm grasp on what cyber strategy is, much less an agreed-upon set of strategic approaches for using the digital domain to achieve various political ends. Gen. Paul Nakasone and staff at U.S. Cyber Command should be commended for trying to establish such a framework, but additional work remains. The nation needs an open debate examining not only the military effects of cyber but how to defend a connected democracy while ensuring continued economic prosperity. Cyber strategy is too important to be left to the generals alone.

Given the challenges associated with using cyber operations to coerce rival states as well as the associated escalation risks, and civil-military relations concerns, the Cyber Solarium Commission is a critical first step for defining cyber strategy and proposing the policy reforms required to defend a free and open Internet. Chartered by the John S. McCain National Defense Authorization Act, the commission brings together a mix of business leaders, representatives from both major political parties, scholars, and other national security experts. Connecting these perspectives to a commission that reports to Congress produces a real opportunity to link policy and strategy. The commission will need to do the following:

Define what strategy is in a connected world. Before considering how to protect U.S. interests, to include critical infrastructure and key economic networks, the commission needs to define how growing connectivity affects strategy. Anne-Marie Slaughter and Zeev Maoz write that networks are changing how we look at world politics, while Parag Khanna argues that global supply chains, not sovereign states, define 21^st-century geopolitics.

Test different strategic approaches. The commission needs to test research studies and wargames articulating different approaches against likely current and future threats. Concepts like persistent engagement need to be compared with approaches that prioritize active defense, public-private partnerships, and target hardening, as well as with entirely different approaches that put a premium on norms, international regimes, and law enforcement . Each of the approaches needs to think about how cyber operations are used above and below the threshold of armed conflict, as well as about the inherent challenges associated with attributing cyber attacks.

Consider the long-term consequences for America’s society and economy. Cyberspace is not just political. Long before soldiers used its pathways to support military operations and covert campaigns, researchers and activists traded information. Furthermore, cyberspace connects the very fabric of our social and economic lives. All strategy conversations need to consider how different strategic approaches affect not just military objectives, but also the ways in which free societies connect and collaborate.

Explore alternative futures. Developing and testing cyber strategies cannot be limited to estimates of the current threat. These strategies need to consider how threats might evolve as well as the impact of emerging technologies like 5G networks and satellite constellations providing cheap and fast Internet access.

Generate more data. Because cyber operations are technical and often compartmentalized, they are not transparent. Yet, researchers need publicly accessible data to analyze the correlates of cyber security. When social scientists use large data sets and design wargames as repeatable, randomized experiments, they are less susceptible to worst-case biasing and confirmation bias. The commission could help incentivize public-private partnerships that collect and publish the type of data required to analyze cyber strategy. The national security community should not keep extracting strategic truths from isolated cases like Stuxnet. As the old saying goes, the plural of anecdote is not data.

Benjamin Jensen holds a dual academic appointment at Marine Corps University and American University, School of International Service, and is a senior fellow at the Atlantic Council. He is the co-author of two recent books, Cyber Strategy: the Evolving Character of Power and Coercion and Military Strategy in the 21^st Century: People, Connectivity and Competition. Outside of academia he is an officer in the U.S. Army Reserve, 75th Innovation Command.

Image: Flickr