The Best Strategy for Cyber-Conflict May Not Be a Cyber-Strategy

November 8, 2016


It would be an understatement to say that Obama administration officials have been a bit vague when asked how they intended to retaliate for Russian meddling in the presidential election via hacks of Democratic Party organs. “[T]here are a range of responses that are available to the President,” White House Press Secretary Josh Earnest told reporters, “and he will consider a response that is proportional.” Homeland Security Advisor Lisa Monaco was more expansive if no more specific, stating:

We will respond in a time and place and manner of our choosing, and when we do so, we will consider a full range of tools, economic, diplomatic, criminal law enforcement, military, and some of those responses may be public, some of them may not be.

One analyst derided the vice president’s pronouncements on the topic as “Biden threatening to threaten Russia.”

To be fair, Earnest was correct when he lamented last week that “the rules of the road when it comes to cybersecurity in large part are not well-established, and that makes it difficult” to devise a response to state-sponsored cyberattacks. Yet the problem runs much deeper than awkward press briefings. Despite the broad consensus regarding the threat malicious cyber activity poses to U.S. interests, the United States has failed to articulate or formulate a successful strategy for cyber conflict.

Senate Armed Services Committee Chairman John McCain (R-AZ) dismissed the Pentagon’s most recent cyber deterrence strategy, saying that “it mostly reiterates steps taken and pronouncements made over the past few years, all of which we know have failed to deter our adversaries or decrease the vulnerability of our nation in cyber space.” From the opposite end of the political spectrum, Senate Foreign Relations Committee Ranking Member Ben Cardin (D-MD) stated: “I’m concerned that there’s too much ambiguity in our current cyber deterrence policy which leaves our adversaries confused about what behavior in cyberspace the United States is willing to tolerate.” Or as one think tank report concluded, America’s cyber efforts are “a string of battles fought without a strategy, and a war fought without tactics.”

Why have U.S. policymakers been unable to develop a successful strategy for cyber conflict? As others have pointed out, there are multiple factors inhibiting the formulation of a successful cyber grand strategy. For example, despite the ominous proclamations of national security and law enforcement officials, “cyberwar skeptics” such as P.W. Singer and Thomas Rid argue that the misclassification of all hostile cyber activity as cyberwar has led policymakers to pursue misguided and counterproductive policies. Whether or not cyber conflict rises to the level of war, it undoubtedly challenges the traditional paradigms of military power and international conflict upon which U.S. grand strategies have traditionally been based. As Henry Kissinger suggests in World Order, “cyberspace challenges all historical experience.”

I argue that the problem stems from the perception of cyber-war as a single, unitary threat in and of itself, rather than as an evolution of interstate conflict that poses a more diverse array of challenges. Rather than seeking a comprehensive cyber grand strategy equivalent to the doctrines of containment and deterrence employed during the Cold War, America should pursue multiple discrete strategies tailored to the unique characteristics of our cyber adversaries. Rather than trying to solve the problem of cyber conflict like Alexander the Great cutting the Gordian Knot in one fell swoop, U.S. policymakers would be better served by viewing the problem in terms similar to the old riddle: “How do you eat an elephant?”

To date, U.S. policymakers have yet to find a strategy to solve the riddle of cyber conflict. The lack of internationally recognized norms regarding cyber behavior — plus Edward Snowden’s revelations about the extent of U.S. government hacking — have thwarted President Obama’s attempts to rally international support for sanctions against Chinese cyber-espionage. International agreements to limit cyber-weapons are unverifiable given that they can be stored entirely on a thumb drive. Although attempts to prosecute malicious cyber activity have netted some relatively low-level hackers, it is unlikely any significant Chinese or Russian hackers will ever see the inside of a U.S. courtroom or that “naming and shaming” will be sufficient to halt malicious cyber-activity these countries believe to be in their national interest. And although states who share economic interdependencies with the United States may exercise self-restraint with regards to catastrophic cyber-attacks that would genuinely damage our economy or risk American lives, neither the demonstration effect afforded by the 2010 Stuxnet attack nor the subsequent acknowledgement of U.S. offensive cyber capabilities has deterred the vast array of state-sponsored attacks against U.S. networks over the past decade.

Furthermore, proposed strategies to counter malicious cyber activity often create as many problems as they resolve. For instance, allowing private companies to “hack back” would weaken the state’s control over the use of force and increase the risk of inadvertent escalation. Conducting kinetic responses to cyber-attacks would strain proportionality under the law of armed conflict and require either an unattainable level of certainty regarding attribution or the exposure of highly classified programs to gain the necessary support from domestic and/or international audiences. A purely defensive strategy would merely create a cyber Maginot Line. Indeed, cyber conflict appears to pose what management theorists call a “wicked problem” in which the effort to solve one aspect of the problem may exacerbate situations by generating further undesirable consequences.

One way to solve wicked problems is to reduce their complexity by forgoing a comprehensive solution. In other words, policymakers must find a more effective way to disaggregate the problem of cyber conflict. Rather than treating cyber conflict as a unitary strategic problem in which a one-size-fits-all policy will achieve U.S. objectives, policymakers should recognize that malicious cyber activity is a means to an end for each adversary. For example, China’s malicious cyber activity stems from its unique perception of international relations and its centuries-long tradition of employing a strategy of asymmetry, for which cyber warfare is merely the latest tool. China seeks to become a first-tier economic and industrial power, and it views cyberespionage as a tactic to help it compete against more advanced economies. Moreover, the Chinese military views cyberspace as the new strategic high ground and hopes that stealing military secrets will offset the U.S. military’s technological and operational advantages.

China possesses little interest in crippling the U.S. economy or crashing our electrical grid, as it is one of our primary foreign lenders and needs a healthy U.S. economy to ensure an export market for Chinese goods. Yet other states are not as interconnected with the U.S. economy and hence less likely to feel any second-order effects from a catastrophic attack on U.S. networks. As Defense Intelligence Agency Director Lt. Gen. Vincent Stewart warned the House Armed Services Committee in 2015, “Iran and North Korea now consider disruptive and destructive cyberspace operations a valid instrument of statecraft, including during what the U.S. considers peacetime.” While North Korean strategic thinking remains opaque, since the Iran-Iraq War, the Islamic Republic’s strategic culture has emphasized deniability through the use of surrogates. Iran’s cyber army is controlled by the Iranian Revolutionary Guard Corps, which not coincidentally also oversees Iran’s support for terrorism abroad and focuses on attacking soft targets, which allows Iran to pursue strategic objectives beyond its conventional forces’ capabilities. Iran likely perceives offensive cyber capabilities as yet another asymmetric capability with which to threaten the United States and Israel.

Russian leaders view a wide range of activities that U.S. policymakers consider malicious and/or hostile acts to be an expected part of everyday competition. Cyber conflict falls squarely within Russian theories regarding hybrid warfare, in which a blend of military, economic, diplomatic, criminal, and informational means are employed to achieve desired political goals in a gray area between war and peace. Russia harnesses the hacking talent of various organized criminal syndicates and patriotic hackers — often one and the same — in pursuit of its political interests, as illustrated by its use of cyberattacks as a force multiplier in its 2007 dispute with Estonia, its 2008 invasion of Georgia, and its ongoing hybrid war against the Ukraine. Cyberattacks such as those that breached the DNC’s servers are just one means to manipulate information in a war with many fronts.

Cyber conflict embodies Sun Tzu’s famous dictum: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.” By understanding how each of America’s adversaries uniquely perceives cyber conflict as furthering its strategic goals, policymakers can tackle the problem in terms of denying each adversary the strategic success it seeks rather than seeking to broadly deter them all. In other words, cyber conflict should be a component of our discrete strategies vis-à-vis potential adversaries in which policymakers craft multiple strategies tailored toward exploiting each adversary’s unique vulnerabilities.

For example, Moscow has repeatedly submitted draft treaties on disarmament in cyberspace to the United Nations. Yet in addition to banning logic bombs and deception in cyberspace, Russian diplomats also want these treaties to cover what they call “information terrorism” — namely, any use of the Internet that might threaten domestic stability. Russian officials clearly perceive their control of the information the Russian people obtain about world events as a potential vulnerability. This suggests that a covert information campaign threatening the stability of Vladimir Putin’s regime by weakening its control over information may be effective. If this administration or the next considers the DNC hacks to merit a response and wants to counter Russian information operations strategy, it could launch what Michael Morell calls an “aggressive Voice of America program in Russian” to tell the Russian people that Putin is threatening Russia’s economic integration with the West. Proportional responses to Russian information operations might include a cyber operation to temporarily render Russia’s web censorship inoperable or an operation to steal and publish the Kremlin’s censorship toolsets so Russian activists could evade them. Or as former NATO Commander Admiral James Stavridis suggests, using U.S. cyber capabilities to expose the overseas banking accounts and financial resources of high-level government officials would significantly raise the cost to the Kremlin of conducting such operations.

To be sure, there are some general policies that should be pursued to facilitate such discrete, adversary-centric strategies. U.S. cyber defenses must continue to be strengthened in order to deny attackers’ goals whether they are motivated by profit, strategic objectives, or pure nihilism. Although cutting-edge defensive cyber technologies are not a panacea for cyber conflict, preventing easy, low-level attacks such as those conducted against the DNC will free up defenders to focus time and resources on more sophisticated attacks against critical infrastructure and strategic targets. Additionally, the effort to establish norms regarding state behavior in cyberspace must be accelerated. Although the State Department touts the number of international conferences at which the topic of cyber norms has been raised, it mistakenly treats this as an end in itself rather than a means to an end. The establishment of and willingness to enforce cyberspace norms by a significant bloc of nations is necessary to enable international sanctions that would alter the cost-benefit calculation of state-sponsored cyber espionage that leads to World Trade Organization-related suits and other forms of trade, intellectual property, and fraud causes of action in foreign and international courts.

Yet above all else, U.S. policymakers must re-conceptualize cyber conflict as a form of “hybrid war” that must be contested even during what we consider “peacetime.” This is how adversaries such as Russia, China, and others perceive the competition that characterizes an anarchic international system. It is only when we recognize that they have shifted from overt military competition with the United States to exploitation of the gray zone of cyber conflict that we can begin to properly tailor strategies to meet these rising threats.

 

Benjamin Runkle has served in the Defense Department, as a Director on the National Security Council, as a Professional Staff Member on the House Armed Services Committee, and as a consultant in DHS’s Office of Cybersecurity and Communications. He is currently a Senior Policy Fellow with Artis International.

Image: Max DeRoin


4 thoughts on “The Best Strategy for Cyber-Conflict May Not Be a Cyber-Strategy”

  1. While I detest the term “gray zone conflicts” – they’re gray only because we decline for one reason or another to turn them black and white – I share his objection to grounding deterrence of cyber attack in tit-for-tat responses. Surely we can be more creative than that, and we certainly have the means (the will is another matter). The real challenge, as it has been from the outset, is attribution. We’re getting better at that, but we still have a long way to go.

    1. That unicorn doesn’t exist.
      There is no such thing as an invulnerable system.
      There isn’t a computer or computer network on the planet in operation that cannot be compromised, given enough time or resources of a determined adversary.
      Any electronic components or devices are vulnerable to some type of attack.