war on the rocks

Cyber Civil-Military Relations: Balancing Interests on the Digital Frontier

September 4, 2018

In an era of persistent cyber conflict, how can the United States respond to cyber-attacks in a manner that ensures sufficient civilian oversight to safeguard civil liberties?

Civilian leaders are responsible for creating a policy framework in which multiple interagency stakeholders craft cyber strategy and establish how a country can legally use the digital domain to achieve a position of relative advantage. Such a framework must enable interagency contingency planning that combines cyber operations with other instruments of power such as economic sanctions, diplomatic demarches, and military threats. No one agency in government, be it the military or intelligence community, can balance these equities alone. Therefore, cyber strategy requires an interagency process, consistent with an agency approach to civil-military relations that efficiently coordinates cyber operations while ensuring civilian control.

The Current Context: Presidential Policy Directive 20

The United States is changing the policy framework governing the execution of offensive and defensive cyber operations. According to retired Gen. Keith Alexander, America lacks “clear rules of engagement” for conducting offensive cyber operations. In response, the 2018 National Defense Authorization Act calls for addressing “cyber activities … carried out against infrastructure critical to the political integrity, economic security, and national security of the United States.” To this end, Sen. Ben Sasse of Nebraska inserted a provision into the bill establishing a Cyber Solarium Commission.

Parallel to these efforts,  the National Security Council and U.S. Cyber Command are rescinding and replacing Presidential Policy Directive 20, an Obama-era policy framework governing offensive cyber operations. According to Politico, “in rescinding PPD-20, [President] Trump put cyberattacks on the same level as kinetic operations, which do not require high-level approval or interagency discussions.” In theory, this change empowers Cyber Command to conduct short-notice attacks without White House approval or interagency coordination. Seen in the context of civil-military relations, this shift assumes positive objective control: a professional military cyber force capable of autonomously protecting society absent constant civilian oversight.

Under the Obama administration, offensive cyber operations required extensive interagency vetting and executive approval, similar to what Samuel Huntington called subjective control. In an article for the Washington Post, reporter Ellen Nakashima quoted the State Department’s former cyber coordinator on the need to balance the desire for offensive cyber operations with “ ‘other national equities’ … to ensure that a cyber operation does not compromise intelligence collection, law enforcement investigations and diplomatic relations.” Multiple officials complained this interagency staffing process slowed or stalled cyber operations as officials struggled to get buy-in from different stakeholders. Subjective control reduced the efficacy of cyber operations.

Balancing Equities: Cyber Operations Meet Bureaucratic Politics

At its core, the debate about Presidential Policy Directive 20 concerns the distinctions in U.S. legal code between traditional military activity (governed by Title 10) and covert action (governed by Title 50) as well as the diplomatic risks and legal challenges triggered by cyber operations. There are real questions concerning where to draw the line between the world of soldiers (i.e., Title 10) and the world of spies (i.e., Title 50). How civilian leaders draw this line and exert control over the foreign policy process amplifies bureaucratic interests and competition for resources at the commanding heights of government.

There are few clear distinctions between soldiers and spies in cyber space given the rapid rate at which adversary capabilities and tradecraft — often deliberately deployed to thwart response — evolve. There is a reason why Russian military intelligence leased servers in Arizona while targeting the 2016 U.S. presidential election. Placing data on servers in the United States made it difficult for American intelligence and military agencies to respond.

Beyond bureaucratic intrigue, key interagency stakeholders maintain competing theories of victory for cyber strategy. To date, cyber space has been a world of spies where espionage, covert action, and sabotage — not conventional military operations — play the dominant role. From sabotaging Iranian centrifuges to high-profile espionage operations, U.S. strategy since 2000 reflects classical political warfare optimized for new technology. This theory of victory lends itself to subjective control. Covert action, as Americans have unfortunately learned all too often, requires extensive civilian oversight.

As more military resources and personnel align with cyber missions, there are growing calls for a forward-leaning posture focused less on intelligence and more on seizing the digital high ground. In this theory of victory, cyber strategy is not just a world of spies, but more akin to traditional military strategy. Since Americans’ social lives, consumer habits, and precision munitions all rely on global connectivity, defending U.S. core interests requires allowing soldiers to safeguard digital infrastructure absent civilian oversight or extensive interagency coordination.

Just as Alfred Thayer Mahan looked at the intersection of economics and military power to advocate securing sea lines of communication, the next generation is likely to see soldiers securing network society. In place of battleships and dreadnoughts, the new theory of victory sees a vital role for cyber military options countering hostile intrusion campaigns targeting U.S. and allied critical infrastructure and key intellectual property interests. Soldiers, not spies, become the main effort.

Cyber Command has floated the idea that the contemporary cyber environment is marked by persistent engagement — a near-constant state of pressure against key aspects of American national power by adaptive adversaries who tailor sustained, long-term campaigns precisely to avoid triggering a response by the U.S. government. This idea parallels the concept of “contact” in the 2018 National Defense Strategy. Contact is the gray zone, a layer of defense in which the United States, including the Department of Defense, competes with adversaries beneath the level of armed conflict. As a cyber extension of this concept, persistent engagement is vital for understanding how, and why, Obama-era policy mechanisms for responding to hostile acts in cyber space are changing. Soldiers, not just spies, secure U.S. economic and military interests along global networks.

The Obama-era Presidential Policy Directive 20 sought to establish subjective civilian control and create a political framework balancing political warfare and persistent engagement. The process acknowledged that soldiers and spies, as well as diplomats and law enforcement personnel, all have a seat at the table. For example, a high-profile hack back against a country tampering with elections or stealing intellectual property from leading U.S. businesses carries reputational risk (i.e., what if the hack fails or unintentionally hits U.S. citizens) and diplomatic consequences. Government agencies best placed to discuss these issues had a seat at the table under the Obama-era framework. Yet, this interagency de-confliction process suffered from delays, bureaucratic inertia, ill-defined decision pathways, and the lack of a clear “referee” to resolve competing positions at the working level.

As a result of such weaknesses, the prior version of the directive can be seen as at times failing to serve its intended purpose — with major stakeholders frequently if not exclusively seeking to pursue mission objectives under other standing processes governed by separate authorities. Consistent with Huntington’s characterization of subjective control, this bureaucratic quagmire likely affected cyber responses. Civilian oversight and interagency coordination mechanisms produced delays and, in all likelihood, diminished options for responding to time-sensitive crisis events.

Furthermore, the process amplified rather than diminished bureaucratic competition. Bureaucratic struggles at the heart of the policy process surrounding national security decision-making can lead to wayward soldiers assuming more risk than civilians are often willing to accept in a crisis. Alternatively, when intelligence considerations are given primacy a procedural bias often emerges against actions that would result in a loss of collection visibility. Spies want to keep reporting, not jeopardize their placement and access. While such access is essential for providing warnings about future threats, potential intelligence loss considerations must be weighed against the operational impact of adversary action on victim organizations. Soldiers want to safeguard key terrain and are reluctant to cede ground to enable spies. These arguments play out against a backdrop of diplomatic concerns, where advocacy for the perspectives of third-party states often results in avoiding counteroffensive operations in favor of law enforcement or administrative remediation measures.

New Threats: The Changing Character of Cyber Operations

A changing threat environment further complicates finding the right policy framework for ensuring civilian oversight of cyber operations and balancing competing stakeholders. The majority of cyber operations since 2000 are best classified as 21st century political warfare. Rival states used disruption, espionage, and degradation to undermine their adversaries and signal the risk of escalation. In this digital gray zone, cyber operations provided a low-cost, low-threat means of engaging in competition short of violent conflict. These operations were often related to larger influence campaigns, such as Russian efforts to target the 2016 U.S. presidential election and undermine democratic institutions in Western Europe.

While the utility of cyber operations for great powers and emerging players to date has largely been driven by the logic of political warfare, the ongoing evolution of capabilities strongly suggests different intentions. For example, ongoing warnings of Russian penetration of U.S. critical infrastructure provide early indications of hostile operational preparation of the environment. Russia is using cyber intrusions to signal the risk of escalation in a crisis and gain a position of advantage in the event of a militarized dispute. Future meetings in the situation room during a tense standoff will involve more than identifying Russia’s nuclear force. Analysts will need a better understanding of Russian cyber posture and the risk of unknown exploits emerging in key systems like power grids and cellular networks — capabilities Russia demonstrated in the live-fire “battle lab” of Ukraine.

In this scenario, who responds: soldiers or spies? Even more importantly, what is the civil-military context in which they respond: objective or subjective control? At stake is not just an optimal policy process, but the stability of a connected world. Leaving the planning to any single group produces bureaucratic pathologies that risk inadvertent escalation.

The Risks of Soldiers Left Unchecked

Insights from the literature on civil-military relations and planning suggest not leaving cyber strategy to soldiers alone. Military planning in isolation historically tends to produce narrow plans prone to worst-case biasing and escalation risks. Risa Brooks demonstrates the importance of information sharing and strategic coordination in her work on civil-military relations and strategic planning. There are real distributional conflicts in domestic institutions that affect strategic assessments and planning. When military actors are isolated, they tend to safeguard information to gain a bargaining advantage and capture resources. In his work on military planning on the eve of World War I, Jack Snyder finds that insular military organizations are prone to a cult of the offensive, exaggerating gains to ensure their bureaucratic autonomy. Furthermore, small groups of soldiers engaged in classified planning are prone to cognitive bias, including false optimism, overconfidence, and an implemental mindset that closes them off to new information.

The second fatal flaw of leaving cyber space to the soldiers is that it diminishes the probability of successful, coercive diplomacy. Cyber security scholars increasingly describe the domain in terms of coercion. States, and other interest groups, use cyber operations to coerce rivals. This diplomacy of violence, to use Thomas Schelling’s famous phrase, is designed to change behavior short of war. Seen as coercive diplomacy, this implies combining multiple instruments of power — such as military threats, economic sanctions, and diplomatic outreach — to change the cost-benefit calculation of the rival.

In fact, research suggests that the majority of political concessions produced by or linked to cyber operations involve other instruments of power. The campaign against Iran involved not just cyber espionage and degradation operations, but a concurrent threat of military pressure and economic sanctions alongside the promise of future trade deals and reintegration into the global community if Iran signed a nuclear deal. Real strategy, like combined arms, involves combining different ways and means to achieve objective ends. Furthermore, this coordination requires civilian oversight and subjective control. Consistent with agency theory, both soldiers and spies need to know civilians are monitoring them and willing to punish officials who cross the line.

Striking the Right Balance

Developing American cyber strategy starts with getting the policy framework right and ensuring civilian oversight. This framework must empower interagency planning that generates response options leveraging multiple instruments of power. These plans should address the possibility of time-sensitive crises involving defensive cyber fires intended to target hostile intrusion and/or computer network attack infrastructure while balancing competing equities between soldiers and spies alongside diplomats and law enforcement officials. In coordinating a response, the plans — which should be monitored by civilians, including Congress — must reconcile interagency conflict before they reach the Oval Office or situation room. Much like major war plans in the Department of Defense, these contingency plans should be periodically reassessed, to include war games and crisis simulations, and approved by appointed civilian officials. This review process has the added benefit of identifying critical vulnerabilities and requirements for new capabilities and partnerships that maintain America’s advantages in cyber space.

Consider the following example. Cyber Command and the intelligence community identify intrusion attempts targeting critical infrastructure in the United States. Initial assessments attribute the incident to Russia but cannot determine whether the incident is espionage or an attempt to insert payloads for use in future crises. Worse still, the incident takes place during a large Russian military exercise.

Objective control would imply the military is authorized to respond against the worst-case scenario and not only counterattack the point of origin of the attacks but potentially unleash a barrage of cyber degradation operations against Russian command and control facilities. In the best case, the counterattack only heightens diplomatic tension and burns multiple covert, cyber espionage campaigns. In the worst, case it unleashes a cyber Able Archer, the 1983 training exercise that some argue almost triggered World War III.

Alternatively, developing interagency contingency plans with flexible response options precleared to balance equities and assess risks would give decision-makers the ability to delegate release authority to ensure time-sensitive responses without sacrificing interagency coordination. In the above scenario, a Cyber Command team could enact a preapproved response option coordinated through the National Security Council to leverage multiple instruments of power. While diplomats give the Russians a demarche, Cyber Command burns older exploits that do not compromise ongoing espionage operations, and the Treasury warns of new economic sanctions. A team informs allies and key industries of risks to their systems while cross-checking industry reporting for signs of related intrusions. Cyber Command planners establish horizontal and vertical escalation criteria in consultation with the National Security Council, U.S. European Command and NATO in the event the response fails to reduce Russian cyber intrusions in the short term.

Conclusion

There are major questions regarding how to craft a policy framework for cyber strategy that does not create dangerous escalation pathways or jeopardize civil liberties and the free flow of information. These questions should not be reduced to expediting authorities at the expense of interagency coordination or civilian oversight.

Historically, military organizations, like Cyber Command, make bad decisions when left solely to their own devices. These lapses in judgment arise not because military organizations are bad institutions or are populated by people with bad intentions. Rather, competing organizational equities, given objective control in cyber space, tend to create a narrow strategic logic that does not adequately encompass the interests of the whole of government, much less elected officials. Strategy in a democracy requires civilian oversight, coordinating across the branches of government and a vibrant debate in the marketplace of ideas (i.e., fewer secrets).

 

Benjamin Jensen holds a dual academic appointment at Marine Corps University and American University, School of International Service and is a senior fellow at the Atlantic Council. He is the co-author of the recent book, Cyber Strategy: the Evolving Character of Power and Coercion. Outside of academia he is an officer in the U.S. Army Reserve, 75th Innovation Command.

J.D. Work serves as the Bren Chair for Cyber Conflict and Security at Marine Corps University, and as an adjunct associate professor at the School of International and Public Affairs, Columbia University.

The views expressed are their own.

Image: Owned by War on the Rocks