Cyber War as an Intelligence Contest

September 16, 2019

Editor’s Note: Joshua Rovner’s special series, “The Brush Pass,” is back. Rovner is rejoining us after spending a year at the National Security Agency and Cyber Command as a scholar-in-residence.

After being the target of several cyber operations over the last decade, the United States is in a mood to fight back. But there is little agreement about what to do, and how far to go. The Department of Defense has pledged to “defend forward” in cyberspace, and U.S. Cyber Command is committed to “persistent engagement” against U.S. adversaries. Critics, however, warn that these steps create new risks in a domain already fraught with uncertainty. The debate is also playing out in Congress, where the Cyberspace Solarium Commission is currently weighing different options.

The debaters on all sides draw their logic from strategic theory, the family of ideas about how states use force and coercive threats to achieve their national interests. Advocates of a more aggressive approach refer to ideas about agreed competition below the line of armed conflict. Channeling Thomas Schelling, they argue that competition in cyberspace is necessary to establish boundary lines of acceptable conflict in a domain that has been witness to all manner of mischief. More cautious analysts lean on a different set of strategic theories, which focus on crisis instability and the potential for escalation. According to this argument, the nature of cyberspace invites a particularly intense security dilemma. The things that states do in the name of cyber defense look like preparations for attack. In a crisis such activities could quickly spiral into war.

The U.S. government also uses the language of strategy in its official documents. This is unsurprising, given that responsibility for operating in cyberspace lies with a military organization — specifically U.S. Cyber Command, which is organized along traditional military lines, with officers reporting up a traditional chain of command. Its operating concepts borrow language from other domains of battle: engagement with adversaries, battlespace maneuver, direct and indirect approaches, operational effects, munitions effectiveness, and battle damage assessment. Its mission: “to direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national interests in collaboration with domestic and international partners.”

It is not surprising that analysts and government organizations have turned to strategic theory, given that military organizations are deeply interested in cyberspace operations. But it is also peculiar, because most activities in cyberspace have little to do with the use of force. Instead, they are part of an intelligence contest.

What is an Intelligence Contest?

An intelligence contest has five elements. First, it is a race among adversaries to collect more and better information. Second, it is a race to exploit that information to improve one’s relative position. Third, it is a reciprocal effort to covertly undermine adversary morale, institutions, and alliances. Fourth, it is a contest to disable adversary capabilities through sabotage. Fifth, it is a campaign to preposition assets for intelligence collection in the event of a conflict. Note that none of these elements are directly related to military posturing or war, and only the last one hints at the prospect of combat. Instead, an intelligence contest is a part of an open-ended competition among rival states.

A military contest by contrast is a test of physical power. Peacetime military movements are designed to deter adversaries and reassure allies. Leaders use them to signal their advantages — or in some cases to bluff. Meanwhile military innovation, production, and exercises are designed to increase combat effectiveness. These activities may be public if the goal is deterrence, or secret if the goal is to prevail in an expected future war.

There is some overlap between intelligence and military contests. The idea of prepositioning intelligence assets is not so different from forward deploying forces in strategic locations. Military efforts to build strength are complementary with intelligence efforts to sabotage adversary capabilities; both are ways of shifting the balance of power. Finally, intelligence efforts serve military planning, offering a preview of adversary strengths and weaknesses, military doctrine, leadership tendencies, and so on. But there are fundamental differences between military competitions and intelligence contests. The former is a typically overt process of determining relative strength and, if the balance is unclear, settling the issue through the test of arms. The latter is a clandestine competition with no clear end point and much more ambiguous results.

How Did We Get Here?

The outlines of the current intelligence contest have recently come into focus. The end of the Cold War left the United States without any obvious rivals. The demise of the Soviet Union meant that the United States had nothing like a peer competitor, which meant there was no longer a focal point for its intelligence community. Most of the Cold War was spent collecting information on Moscow, tracking its communist fellow travelers abroad, and attempting to undermine both. The end of that competition meant that U.S. intelligence was adrift. The experience gained over decades of building tradecraft and analytical expertise on a single target appeared to be irrelevant. “We have slain a large dragon,” Director of Central Intelligence James Woolsey said shortly before he took office in 1993. “But we live now in a jungle filled with a bewildering variety of poisonous snakes.” The notion of competing was absurd because there was no one with whom to compete. As Woolsey put it, “the dragon was easier to keep track of.”

That situation changed after the Sept. 11, 2001 attacks. Terrorism was placed atop the intelligence agenda. But Osama bin Laden’s organization was shattered within a decade. New versions of al-Qaeda appeared, but none enjoyed all of the qualities that made the original unique: organization, funds, and charismatic leaders. The self-proclaimed Islamic State established a quasi-caliphate in Iraq and Syria, and then lost it. While both groups are still capable of violence, U.S. officials have made it clear that more serious long-term threats lie elsewhere.

In the years that counterterrorism operations dominated U.S. attention, Russia and China made dramatic military strides, and began acting in ways that suggested more ambitious grand strategies. Notably, both made large investments in cyberspace capabilities. All of this inspired the Pentagon to declare the return of great power competition in 2018. Today, U.S. policy is grounded on the assumption that its main adversaries are few — China and Russia, with regional threats North Korea and Iran trailing — and that all of them are actively using cyberspace operations to try to overcome their material disadvantages. The rise of technologically sophisticated rival great powers lends structure to the competition that had largely been absent since the end of the Cold War. The ingredients for a protracted intelligence contest are in place.

How is the Contest Playing Out in Cyberspace?

The race for information is already in high gear. Most cyber operations among great powers are about collecting and protecting information. China’s main effort in foreign cyberspace has been to steal intellectual property, though it has cast the net widely for other kinds of political and military information. Meanwhile, Russia has increased its investment in computer network exploitation against a variety of targets.

The race to exploit that information to improve states’ relative position is also ongoing. China has endeavored to use stolen information to reduce its conventional military disadvantages, though with mixed results. Meanwhile, America’s persistent engagement approach deliberately seeks to use cyberspace competition to gain strategic advantage, not to score a decisive victory.

The offensive elements of the intelligence contests were put most clearly on display during the 2016 election and afterwards, when Russia attempted to sow discord and division throughout the American population. Whether deliberately or not, these efforts may have contributed to more public questions about the integrity of U.S. institutions. For its part, the United States has begun talking about using cyberspace to contest adversaries by injecting friction into their systems and organizations.

Direct sabotage of adversary systems has been less visible. Examples include alleged efforts against Iran’s uranium enrichment facility at Natanz, alleged Iranian efforts to disable thousands of workstations at Saudi Aramco, and supposed interest in “left of launch” attacks against North Korean ballistic missile facilities. These operations involving regional powers may foreshadow more ambitious efforts among the great powers. Government advisories and media reports suggest that they have already begun laying the groundwork. Such efforts would invite new risks, however, which may explain why they have not moved beyond preparation.

Finally, there is some evidence that great power rivals have prepositioned assets on American and friendly networks. The FBI has warned, for example, that “Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.” The Department of Defense has responded by suggesting it will do the same in its effort to defend forward. Not all states will target the same networks, nor will they do so for the same reasons. Nonetheless they all share a general logic: prepositioning assets allows them to hedge against future uncertainty, prepare for a variety of contingencies, and perhaps generate some coercive leverage.

So What?

The cyberspace competition is an intelligence contest in a technologically novel domain. It is a struggle to protect information, while corrupting and stealing information from rivals. Because it is not a test of overt military power, traditional strategic theories about force and war may not be our best guide.

Deterrence is mostly irrelevant in an intelligence contest. No combination of threats and promises will stop a rival intelligence service from collecting information. Nor is it easy to imagine what kind of signals would be strong enough to stop adversaries from influence activities such as those of Russia during the 2016 election in the United States. Covert action is inherently hard to deter if the responsible party remains hidden. And in other cases, states might tacitly tolerate one another’s covert campaigns as a safer substitute for war. Similarly, the coercive value of offensive cyber operations is likely to be modest at best. There is not much evidence that non-kinetic threats are enough to change anyone’s behavior. Recent research suggests that the victims are surprisingly tolerant of cyber operations. Strategy is fundamentally about coercion, but cyberspace operations carry little coercive value.

There are some exceptions. It is possible to deter significant cyberspace operations against critical infrastructure, for instance, because such operations require a great deal of time, money, and organization. They would invite a ferocious response, making deterrent threats inherently credible. The language and logic of strategy is useful here.

But in most cases the logic of intelligence is more appropriate. It helps to explain why the balance of capabilities is hard to assess. Long-term intelligence contests are not easy to measure, not least because the contestants work in secret. The relative position of rival intelligence services does not lend itself to quantitative measures. Who is “winning” an intelligence contest at any given moment is rarely clear.

To understand why, imagine having unfettered access to all the intelligence collected by two great power rivals. In this idealized setting, it might be possible to judge which side had collected the most. It might also be possible to determine which side had penetrated more difficult targets. But even here it would still be difficult to judge winners and losers, because possessing information is not the same as understanding it. Intelligence services struggle to interpret data, and the more they collect, the more they face the challenge of separating meaningful information from background noise. It is also difficult to put technical knowledge of adversary capabilities to use. It is one thing to steal intellectual property, for instance, and quite another to reverse engineer it. Finally, comparing the volume of intelligence says nothing about the quality of intelligence-policy relations. Intelligence services may perform admirably and still be ignored.

Looking through the intelligence lens puts the cyberspace competition in perspective, but it requires a willingness to live with ambiguity. Signs that one side seems to be winning may be misleading. Breathless headlines about the latest cyber penetration may exaggerate the extent to which one intelligence service is racing ahead, or whether it is able to translate successful cyberspace espionage into meaningful policy advantage. Viewing the competition as an intelligence contest puts alarming headlines about “cyber war” into context.

It also creates opportunities for creative analysis. If cyberspace operations operate according to the same logic as covert action, then they might be important tools for crisis management. While scholars have sounded the alarm about the destabilizing aspects of cyber attacks, there may be scenarios in which they have the opposite effect. If nothing else, they may provide a non-kinetic option for leaders who feel pressure to act in a crisis, but who are also wary of using force.

Finally, it will encourage a more accurate categorization of cyberspace threats. An intelligence contest covers a lot of ground: not all adversary actions are geared towards shifting the military balance, and we should not treat them as such. Using intelligence as the analytical starting point will allow a more detailed net assessment of the cyberspace balance, and a more realistic portrayal of the cyberspace competition.

Joshua Rovner is an associate professor in the School of International Service at American University. He served as scholar-in-residence at the National Security Agency and U.S. Cyber Command in 2018 and 2019. The views here are his alone. 

Image: U.S. Army (Photo by Staff Sgt. George B. Davis)