Editor’s Note: Please check out the full roundtable at our sister publication, the Texas National Security Review.
President Donald Trump’s first National Security Strategy is out, and the contours of the hot takes are familiar: Which adversaries got big coverage? Which didn’t? What will it mean for the budgets of Agency X, the Department of Y, or Program Z? And every take is, of course, subject to hand-wringing about whether the strategy matters at all (always a lively discussion, but a question that is especially relevant with a president who might not have read the document). I’ll leave this more traditional territory to others and focus on a different question: Does the new strategy grasp the current state of affairs in international cyber-security and outline America’s plan to manage it?
Specifically, does the Trump administration recognize and address that, in cyberspace, America’s adversaries are playing Calvinball* (the famous game from the Calvin and Hobbes cartoon strip in which there are no rules) while the United States is still playing a regimented and well-defined game of chess?
The short answer is no. The strategy’s relevant sections are all about the classical and well-defined mechanics, broadly speaking, of American cyber-security. Its stated priorities are risk management, network defense, deterrence, information sharing, and establishing layered defenses. Though the discussion in these areas is fairly solid, this ground is so well-trodden that it is as hard as concrete. Many of the proposed steps forward are fairly predictable, such as pledging to streamline authorization and “improve the integration of authorities and procedures across the U.S. government so that cyber operations against adversaries can be conducted as required.” Done right, these sorts of actions are useful, but the devil is in the details — something that a strategy document rarely contains.
Most worryingly, though, the document misses the opportunity to make strategic sense of what happened in cyber-operations in 2016. The foreign hacking activity that should have served as a wake-up call and an indication that previous American strategies needed revising is mostly ignored. In so doing, the strategy mostly sidesteps three of the most pressing national security questions the United States faces: First, how can America deter adversaries, particularly Russian hackers emboldened by their successful interference in the 2016 election, from acting similarly again? Second, how can it defend American electoral networks from foreign penetration? And third, how can it manage the clear and present threat of information operations enabled in part by hacking, a danger that strikes at the very heart of the democratic process?
A few years ago, these questions and their answers would have seemed fairly speculative and out of place in the national security strategy. It was taken as a given that American elections were secure from foreign intelligence agencies, or that those agencies would likely be deterred from interference. While the flaws in American voting infrastructure deserved attention, it felt like a matter of domestic politics and policy more than an international concern. Large-scale information operations at home were far from the minds of most American national security policymakers. Information operations practitioners were mostly concerned with what the United States could do to improve its image in the Muslim world and undermine violent extremism.
But that world has given way to a different one. In this new world, where the old rules and assumptions about adversary behavior no longer apply, this document should outline what Washington’s strategy will be.
There is an opportunity for strategic answers to these questions. One natural option is to re-establish some rules through deterrence. It is reported, for example, that President Barack Obama threatened Russia just before the election in order to assure that its hackers did not manipulate the vote tallies. Does the Trump administration believe deterrence worked in that case, and would similar warnings work again? The Obama administration punished Russia by expelling “diplomats” and seizing compounds likely involved in intelligence activity. Will that be part of the Trump administration’s new strategy? More generally, can attempts at cyber deterrence even constrain adversary behavior, or is that a distraction in the no-holds-barred world of cyber-security? The section on deterrence in the national security strategy is largely silent on these important points, instead reciting vague language about consequences and resilience.
But not only does the strategy not address how the United States should engage in cyber Calvinball, it doesn’t seem to even acknowledge that Calvinball is the game du jour. There’s not even direct mention of the election hacking activities in 2016. The document addresses Russian interference in domestic political affairs, but with the distancing caveat that the Russian activity occurs “around the world.” The next sentence focuses on Eurasia, suggesting the authors’ reluctance to acknowledge that such interference happened in the United States and could well happen again. The discussion of foreign information operations calls out Russia (even if the president will not) — which is good — but again includes the distancing language of “around the globe.” Most of the priority actions in this section are improving American information operation overseas, something which would be nice but which will do little to stop Russian efforts to sow division within our borders.
Even where the strategy does acknowledge how foreign hacking “can undermine faith and confidence in democratic institutions,” it once again misdirects. The priority actions in this section refer to improving attribution — not an area of dispute for Russia’s 2016 anti-democratic activities for anyone outside the Trump orbit — bolstering government hiring and retention, and streamlining American cyber-operations and authorities. These would all be good things to do, but, once again, they are chess moves.
In the end, Calvin and Hobbes devised a single rule for Calvinball: You can’t play it the same way twice. Unfortunately, that rule doesn’t apply in cyber-security. Adversaries can employ the same tactics again and again with success. And, until U.S. strategy recognizes that and stops them, they will.
*This analogy comes from a conversation earlier this year on Twitter between myself and @TheGrugq.
Ben Buchanan is a Postdoctoral Fellow at Harvard University’s Cybersecurity Project, where he conducts research on the intersection of cybersecurity and statecraft. His first book, The Cybersecurity Dilemma, was published by Oxford University Press in 2017. Previously, he has written on artificial intelligence, attributing cyber-attacks, deterrence in cyber operations, cryptography, election cybersecurity, and the spread of malicious code between nations and non-state actors.
Image: U.S. Army