More Aggressive and Less Ambitious: Cyber Command’s Evolving Approach
This year, U.S. Cyber Command celebrated its tenth birthday. It has much to celebrate: It achieved the status of a unified combatant command, its budget is healthy, and its commander, Gen. Paul Nakasone, is popular on both sides of the aisle. Nakasone’s more aggressive posture in cyberspace — what the command calls persistent engagement — has won the support of policymakers and legislators who wanted to see action against those who had been targeting U.S. interests. Before, U.S. cyber forces had shown restraint even in the face of repeated cyber attacks. Now, they will reach out into cyberspace to discover and mitigate threats before they could reach U.S. networks and damage U.S. interests.
But questions remain. How does persistent engagement affect efforts to coordinate with the private sector, which, after all, owns and maintains most of the Internet? What does it mean for U.S. allies and partners? Does the commitment to preempt threats mean that U.S. cyber teams will operate on friendly foreign networks without the knowledge or consent of allies and partners? And how does Cyber Command’s approach fit within the larger Department of Defense cyber security framework? While the command was advocating persistent engagement, the Pentagon was putting the final touches on what it called “defend forward.” Are these different concepts, or just different labels for the same approach?
Nakasone tries to answer these questions in the latest issue of Foreign Affairs. Writing alongside his senior advisor Michael Sulmeyer, he restates the principles of persistent engagement and justifies the logic of a “proactive defense.” Being proactive means operating outside of U.S. networks, where adversaries are preparing operations against U.S. interests. This approach puts a premium on aggressive intelligence collection abroad to gather “indications and warnings” it can share with other government agencies, industry, and foreign partners. In order to do this without upsetting friendly countries, Nakasone and Sulmeyer describe “hunt forward” missions, in which foreign partners invite U.S. cyber protection teams to work together against common threats. Sustained diplomacy with like-minded countries, in other words, is the foundation for the intelligence effort that enables preemptive action against cyberspace threats. Finally, Nakasone tries to address any conceptual confusion by situating his command’s activities within the broader Defense Department approach. “Cyber Command implements this defend forward strategy,” he writes, “through the doctrine of persistent engagement.”
The article provides a clear overview of Cyber Command’s current thinking and may go some distance toward clarifying the command’s role. A hodge-podge of agencies and departments are involved in cyber security. Statements like this are useful in sorting out organizational responsibilities. Nakasone and Sulmeyer also seek to assuage concerns that the command’s new approach amounts to reckless digital unilateralism. While they are unapologetic about defending forward, their emphasis on diplomacy is a clear effort to assuage concerns that persistent engagement is a license for running roughshod over friendly foreign networks. The extended discussion of private sector coordination sends a similar message to skeptical industry leaders.
The command, in other words, seems to believe it can convince partners that a more aggressive approach is in everyone’s best interest. Congress was a relatively easy sell, especially after the 2016 election. Foreign partners may be more reluctant, given local political sensitivities about cooperating with the United States, and natural concerns about letting their information networks become arenas for competition between third parties. Some may not be willing to make “hunt forward” requests, even if they agree with U.S. intelligence about common threats. The private sector has other incentives. Sharing information on threats can be difficult when doing so requires pulling back the curtain on sensitive or confidential data. Some corporate leaders have been frustrated that the government treats information sharing as a one-way street. More broadly, corporations in competition for foreign market share are understandably reluctant to gain a reputation for working hand-in-glove with the U.S. military.
Nonetheless, Cyber Command is pushing hard to overcome these problems, and points to some recent success stories as proof of concept. Nakasone and Sulmeyer draw attention to the “power of partnership” in preventing foreign interference in the 2018 midterm election. The command and National Security Agency collaborated in a task force called the Russia Small Group to discover evidence of election meddling. It shared that information with the Department of Homeland Security in order to harden election infrastructure, and with the Federal Bureau of Investigation “to counter foreign trolls on social media platforms.” Finally, the election effort included the deployment of hunt forward teams in response to foreign requests for assistance locating malware on partner networks.
Did these efforts stop Russia? Did they stop anyone else? Nakasone and Sulmeyer state that Cyber Command “disrupted a concerted effort to undermine the midterm elections,” but we don’t really know what foreign actors were planning, or how hard they tried for a repeat of 2016. Without knowing what foreign adversaries had in mind, is hard to judge the results of Cybercom’s activities. For the command, however, the effort was a clear success story. Beyond preventing election interference, it proved that the command could coordinate with several agencies, integrate intelligence with law enforcement, and work in tandem with the private sector.
Buoyed by this experience, Cyber Command is intensifying its efforts. It is operating on more networks and against more adversaries. It is using a variety of tools at its disposal, and investing in new ones. And the command is committed to acting fast, on the belief that the risks of escalation are much lower than the costs of restraint. Observers have warned for years about aggressively defending U.S. interests in cyberspace will create a particularly intense security dilemma for other states, who may respond in kind. Nakasone and Sulmeyer are clearly aware of these arguments and they promise that all cyberspace operations go through a careful risk assessment process in advance. More importantly, say the authors, “inaction poses its own risks: that Chinese espionage, Russian intimidation, Iranian coercion, North Korean burglary, and terrorist propaganda will continue unabated. So the question is how, not whether, to act.”
In other ways, however, the new approach represents a step back. When Cyber Command published its Command Vision in 2018, it claimed that persistent engagement would be important for coercion and norm-setting. Adversaries would think twice about attacking U.S. interests if they faced a continuous and active response, and a forward U.S. effort would also strengthen norms by demonstrating that the United States would not tolerate certain kinds of attacks. Over time, deterring adversaries would help clarify cyberspace norms for allies. “Through persistent action and competing more effectively below the level of armed conflict,” the document stated, “we can influence the calculations of our adversaries, deter aggression, and clarify the distinction between acceptable and unacceptable behavior in cyberspace.”
In contrast, the Foreign Affairs article is conspicuously modest about the command’s ability to influence anyone. Gone are the claims about coercion: The word deterrence does not appear even once. Nakasone and Sulmeyer present a simpler vision. Rather than trying to change adversaries’ behavior, they just want to make it harder for them to succeed. Continuous action may not shape their behavior, but it will make it “far more difficult for them to advance their goals over time.” Going on the offensive does not mean nudging adversaries towards better behavior, it just means making them less effective. As Nakasone and Sulmeyer put it, “cyber effects operations allow Cyber Command to disrupt and degrade the capabilities our adversaries use to conduct attacks.” Adversaries aren’t going to change their stripes, no matter what we do, so investing in coercion is throwing good money after bad.
Similarly, they mostly ignore the notion of cyberspace norms. This topic has occupied a great deal of attention over the years, but Nakasone and Sulmeyer only offer a vague promise that “the United States and its allies are building unity of purpose to promote respect for widely held international norms in cyberspace.” What this means is left to the reader’s imagination. But the argument seems to be that because norms are already clear and uncontroversial among allies, the command’s aggressive pursuit of norm-breakers can only make things better. The United States and its friends do not need to invest too much in high-profile norm building exercises, given that they already agree on a basic set of norms. Adversaries, by contrast, have shown that they have no interest in observing them. Thus persistent engagement will succeed not by changing anyone’s views, but simply by reducing the number of serious challenges to the normative regime.
These are sensible omissions. They suggest a more modest and practical approach to cyberspace. Under Nakasone, the command no longer views cyberspace as an arena for political competition, where U.S. efforts can influence adversaries and allies. Instead, it views cyberspace as a domain in which everyone’s intentions are more or less fixed. Adversaries are committed to acting against U.S. interests, no matter what we say or do, so the command’s task is to block them. Allies already share an understanding of right and wrong, so the task is to help them. The goal is better collective security through coordinated operations against determined foes. Persistent efforts are necessary because malicious actors will not back down any time soon. The approach turns away from deterrence and normative appeals. It relies instead on intelligence and preemption.
There are two benefits to this stripped-down vision. First, it avoids setting unrealistic expectations. Cyberspace is a poor venue for coercion, meaning that deterrence will usually prove disappointing. By abandoning dreams of deterrence, the command is saving itself a lot of frustration. Second, it may help guard against accusations of hypocrisy by downplaying its role in upholding cyberspace norms. Nakasone does not promote any grand vision of the Internet or cast Cyber Command as its champion. Instead, he focuses on the more limited task of dealing with present threats. This will likely appeal to private sector firms and foreign countries who have long been skeptical of U.S. intentions.
While the Foreign Affairs article addresses many questions about Cyber Command’s basic approach, it doesn’t answer all of them. One is the nature of outreach to industry and to foreign allies. Partnership sounds terrific in the abstract, but it does not always translate into genuine coordination. Partners may be reticent to engage fully if they believe that the command does not see threat information sharing as a two-way street. Nakasone and Sulmeyer seem to anticipate this concern by describing some ways in which Cyber Command is sharing discovered malware openly. Continuing efforts in this vein might allay industry concerns that “sharing” is a euphemism for handing over data to the government.
The command can likewise improve coordination with allies by taking their advice, not just hearing their concerns. Listening to allies is not the same as making changes based on what they say. There may be times in which foreign partners want to slow down, despite the command’s belief in persistence. U.S. leaders would be wise to show restraint in such cases, even if this means shelving important operations. There may be no better way of showing that the command means what it says about partnership.
Another question is about how Cyber Command plans to evaluate the results of persistent engagement. Here Nakasone and Sulmeyer are mostly silent. They stress a “mindset of accountability” for network defense, but they do not say how Cybercom should hold itself accountable for its offensive operations. What are reasonable criteria for assessing success and failure? How will the command know if persistent engagement is working?
Organizations are notoriously allergic to self-evaluation, so much of this task may fall to oversight bodies and academic researchers. Still, the command has important capabilities that overseers and scholars lack. The command has its own intelligence directorate, and it can call on the immense resources of the National Security Agency, which occupies the same facilities in Ft. Meade, Maryland. While the command and others can monitor network security, the National Security Agency can collect intelligence on foreign responses to U.S. operations. If persistent engagement is really making adversaries less capable, it should be able to find evidence.
Finally, the article is light on details about Cyber Command’s role in preparing for conventional military operations. Nakasone and Sulmeyer write that the command “works closely with other combatant commands to integrate the planning of kinetic and nonkinetic effects,” but the emphasis is clearly on peacetime competition. In this sense Nakasone’s approach is the same as the 2018 Command Vision, which focused on countering sabotage and theft, and downplayed traditional combat. Later in the article they go further, arguing that the focus on fighting can distract attention from the corrosive effects of adversary operations below the level of war.
The opposite risk is that U.S. conventional forces will be unprepared in the event of high-intensity combat. Military officers without a cyber background may harbor unrealistic expectations about cyberspace capabilities, and Nakasone and Sulmeyer rightfully warn that “cyberspace operations are not silver bullets.” Overcoming misperceptions will not be easy, to say nothing of effectively integrating cyberspace and conventional operations. It will take a long time to normalize cyberspace in conventional planning. Formal exercises may help sort out responsibilities and lines of communication, and informal interactions among personnel from different communities help to make cyber seem less exotic. But none of this will happen quickly or cheaply.
The United States has not fought a conventional war against an enemy with sophisticated cyberspace capabilities. How such a war would play out is hard to predict, given the lack of precedent, but we can assume it will be complex and messy. Preparing for such a war, however unlikely, demands a great deal of attention. Moreover, while an aggressive approach might make sense in peacetime, where escalation is unlikely, the same tactics may be dangerous in a deep crisis or conflict. If great-power hostilities continue to rise, Cyber Command may have to pump the brakes on persistent engagement and devote more attention to the missions for which it was originally designed.
Joshua Rovner is associate professor in the School of International Service at American University. In 2018 and 2019 he served as scholar-in-residence at U.S. Cyber Command and the National Security Agency. The views here are his alone.