Covert Action, Espionage, and the Intelligence Contest in Cyberspace

6322947 (2) (1)

In recent months, the world learned that China carried out an indiscriminate hack against Microsoft Exchange, while Russia hacked U.S. information technology firm SolarWinds and used cyber capabilities in an attempt to influence the 2020 U.S. presidential election. The attacks raise important questions about how best to characterize these and other kinds of disruptive cyber events. One perspective that has gained considerable traction is that cyberspace is not primarily a warfighting domain where strategic theories involving deterrence and coercion reign supreme, but rather an intelligence contest centered on spies and spycraft.

Embracing this paradigm shift has significant implications. It affects how we think about a broad range of fundamental questions. How can the United States actually succeed in cyberspace? How might it fail? When should the United States compete hard and threaten retaliation? When should it show restraint?



In practice, however, the answers to these questions depend significantly on what kind of intelligence activity we are dealing with. Cyber operations focused on information acquisition (i.e., espionage) operate according to a different logic than those meant to exert influence or cause some effect (i.e., covert action). The intelligence contest concept in its current form does not explicitly grapple with these differences. But they are essential.

Understanding these nuances is critical to setting clear objectives that match what a given situation calls for. It also highlights potential trade-offs. Responding to covert cyber operations with an espionage mindset, for example, may lead policymakers to exercise forbearance when they should instead be more assertive, and vice versa. Moreover, ambivalence about the goals of an operation, or confusion about what a particular operation is, has the potential to yield unwanted results.

The variety of Russian operations against the United States in recent months clearly illustrates the need for a more refined framework. The hack against SolarWinds, which compromised hundreds of Fortunate 500 companies and U.S. government agencies, appears to be a work of espionage. Their continued efforts to sow disinformation during U.S. elections, laid out in a recently declassified report from the director of national intelligence, was a work of covert action. While both are intelligence activities, the U.S. response should be tailored. Whereas bolstering resilience may be how we prevent another SolarWinds, signaling of some kind may be an appropriate response to election meddling and help set the parameters of “agreed competition” the United States can live with.

The ‘Cyber as an Intelligence Contest’ Concept

Cyberspace was firmly established as a warfighting domain — alongside sea, land, air, and space — a little over a decade ago. In a recent article in War on the Rocks, however, Josh Rovner argues that cyber is really more of an intelligence contest. Making this conceptual shift has significant implications for how we understand this space. For example, whereas “an intelligence contest is about information, the essence of military conflict is violent coercion.” While wars require some kind of end point, intelligence contests can go on indefinitely. They are also different from diplomacy, which “is about persuading self-interested states that cooperation is in their best interests” rather than “gaining information advantages.”

Intelligence contests, according to Rovner, are characterized by five core elements:

First, it is a race among adversaries to collect more and better information. Second, it is a race to exploit that information to improve one’s relative position. Third, it is a reciprocal effort to covertly undermine adversary morale, institutions, and alliances. Fourth, it is a contest to disable adversary capabilities through sabotage. Fifth, it is a campaign to preposition assets for intelligence collection in the event of a conflict.

Several observers have pushed back against the intelligence contest concept. In the Texas National Security Review, Michael Fischerkeller and Richard Harknett argue that proponents have wrongly assumed that coercion is necessary for strategic effects and coercion is nearly impossible — hence the appeal of the intelligence contest. Instead, they argue for a theory of persistence in which a series of continuing cyber fait accomplis cumulatively produce strategic effects. In a different vein, historian Michael Warner argues that issues such as scale and the ideological nature of cyberspace competition render the notion of cyber as an intelligence contest wanting.

Despite these challenges, the intelligence contest concept still provides a useful paradigm for thinking about cyber. To realize its full potential, however, one should bifurcate its two main elements into distinct categories that share some affinities. Specifically, the first two principles of intelligence Rovner identifies, a race to collect information in ways that improve one’s position, which is effectively espionage, should be in one group. The second two, undermining the morale of, and sabotaging, one’s rivals, which is effectively covert action, belong in another. (The fifth — prepositioning assets in the event of hostilities — is somewhat distinct from the others.) 

Disaggregating the intelligence contest in this way has significant implications for policy. For starters, it could influence how policymakers respond to intrusions. Retaliating for intelligence activities that qualify as espionage is tricky. Spying is a routine part of statecraft. It may be difficult to punish others for doing what our own intelligence agencies will continue to do. For activities that qualify as covert action, the set of options are broader. When perpetrators opt for secrecy to avoid escalation, it may be feasible to engage in some kind of tacit bargaining. When secrecy is used to hide from domestic audiences or conceal violations of international law, the victim may reap benefits from exposing nefarious activity.

Such distinctions are also relevant to the promise and potential pitfalls of persistent engagement and “defend forward” as articulated in the 2018 Department of Defense Cyber Strategy. The idea of “tak[ing] this fight to the enemy,” as Gen. Paul Nakasone recently stated, may be preferable to a reactive posture. But to do it well, we need a clear understanding of what our rivals are doing in any given instance so that we can devise the appropriate response. This will determine whether we can get to a place where there is agreed competition that’s acceptable to the United States, something proponents of persistent engagement view as essential. Misidentifying activity, misjudging rival objectives, or responding discordantly may impede this objective. 

Covert Action’s Relationship to Intelligence

It’s important to take a step back to understand why — and whether — covert action qualifies as an intelligence activity at all, especially since it looks and feels different in certain respects than its more traditional counterpart, espionage. Understanding what covert action and espionage share in common is key to appreciating their differences.

At first blush, the reason covert action qualifies as an intelligence activity appears partly institutional. Covert action, defined as operations in which the sponsor’s identity is meant to be unacknowledged or plausibly deniable, has traditionally been the mainstay of the Central Intelligence Agency. But this was not preordained. Following World War II, the administration of President Harry Truman purportedly contemplated giving the State Department or the Defense Department authority over covert action. According to intelligence historian Sarah-Jane Corke, “[n]either the State Department nor the military wanted their reputations tarnished by having these activities under their auspices, so in the end the job was given to the CIA.”

There are also practical reasons why the CIA took control of covert action that have little to do with reputation (e.g., spy agencies are well poised to handle secret operations). But the reality is that many other entities, including Joint Special Operations Command and U.S. Cyber Command, frequently carry out operations that look an awful lot like covert action even if they are not legally defined as such. Since 9/11, U.S. special operations forces have conducted numerous counter-terrorism missions that are hidden from public view. Even more relevant for present purposes are highly classified cyber operations carried out by Cyber Command under the banner of traditional military activities, which, since 2018, they have been empowered to do.

If entities like Joint Special Operations Command and Cyber Command conduct operations that are for all intents and purposes covert action even if they are not legally classified as such, institutions are an insufficient reason why covert action qualifies as an intelligence activity. A more compelling reason is the fact that covert action, like espionage, traffics in secrecy and deception. As Jon Lindsay notes, the reason why covert action and traditional spying all count as intelligence activities are that they are a form of “secret statecraft.” Warner’s popular definition is slightly more involved, defining intelligence as “secret, state activity to understand or influence foreign entities.”

While perhaps true, the fact remains that two of the main variants of intelligence activities — espionage and covert action — perform qualitatively different functions. The former is predominantly about information acquisition. The latter seeks to cause effects. And as already noted, while the information gatherers may be best suited to carrying out covert action in many cases, these two activities are still distinct enterprises with their own logic and implications.

In practice, the lines between espionage and covert action may be somewhat blurry. For example, an operation such as SolarWinds appears to have been primarily an act of espionage given the absence of evidence that data was degraded, manipulated, or destroyed. If Russia had not been caught, however, the prospect that they might have leveraged their access for nefarious purposes would be precisely the kind of operation that sits at the intersection of espionage and covert action.

Disaggregating the Intelligence Contest

The fact that espionage and covert action are not the same thing isn’t a reason to abandon the intelligence contest concept. But there are at least four major reasons why scholars and practitioners looking to use this framework should distinguish between these two functions.

First, as with espionage in other domains, cyber-enabled espionage is typically a means to an end. The value of stolen information is in better understanding rivals and finding vulnerabilities. China’s hack of the Office of Personnel Management in 2014 or Russia’s SolarWinds hack presumably are meant to provide these states with information they can later exploit for political advantage. The delta between means and end for many covert operations, including those effected through cyberspace, is typically smaller. The Iranian cyber attack on Saudi Aramco in 2012 that wiped tens of thousands of computers was the thing meant to provide some kind of political advantage or value. In other words, whereas cyber-enabled espionage is a prelude to achieving some other objective later on, covert cyber operations — whether influencing elections or sabotaging centrifuges, and so forth — is the actual objective.

A second reason for distinguishing between espionage and covert action is that it clarifies where secrecy is primarily functional and where it is more political. For espionage, alerting a target that you have penetrated their networks to steal information would be counterproductive and jeopardize access. In contrast, the primary purpose of secrecy and deception during covert operations is political. Leaders seek plausible deniability to deceive domestic audiences, manage escalation, circumvent international law, and avoid nationalist backlash. Whereas the reasons for secrecy and deception during cyber-enabled espionage are largely uniform (i.e., it is all about preserving access), an actor’s decision to hide their sponsorship during a covert cyber operation — irrespective of whether the initial intrusion is clandestine for maximum impact — offers precious clues about their motivations. Failing to distinguish between cyber-enabled espionage and cyber-enabled covert action in the context of the intelligence contest concept risks mischaracterizing the primary purpose of secrecy and deception in specific instances.

Third, distinguishing between espionage and covert action helps us understand how and when actors can signal in cyberspace even in an intelligence contest. As Austin Carson and Keren Yarhi-Milo — scholars of interstate communication and secrecy — have argued, the fact that many covert operations are visible to rivals enables sponsors to send signals of resolve. Indeed, this may be by design. Earlier this month, the New York Times reported that the Biden administration is contemplating private actions to send a message to Russia in the aftermath of the SolarWinds hack. National Security Adviser Jake Sullivan stated:

I actually believe that a set of measures that are understood by the Russians, but may not be visible to the broader world, are actually likely to be the most effective measures in terms of clarifying what the United States believes are in bounds and out of bounds, and what we are prepared to do in response.

This does not mean that such operations would ultimately deter Russia in the future or serve as a credible signal. But a cyber operation akin to what Sullivan suggests, one meant to demonstrate U.S. resolve, is conceptually distinct from operations to steal information even though both rely on secrecy and deception.

Finally, the ability to measure the effectiveness of cyber operations depends partly on operational goals. According to Rovner, assessing efficacy in intelligence contests is fraught. Since policymakers and military leaders arrive at their own individual judgments about whether the information they have acquired is useful, “it is hard to conceive of consistent measures of effectiveness.” While this makes good sense for espionage, measuring the efficacy of covert action, while by no means easy, is more straightforward. Scholars Lindsey O’Rourke and Dov Levin, for example, have quantified the success rate of covert regime change and covert electoral meddling efforts, respectively. It may be possible to do the same in cyberspace.

At the same time, one should acknowledge the lingering challenges of measuring the efficacy of covert cyber operations. For example, how should analysts and officials think about the alleged U.S. and Israeli cyber operation known as Stuxnet? On the one hand, it temporarily took a large number of centrifuges at Natanz offline. But as Lindsay explained, “The worm was a technical marvel but it did not have lasting effects on Iranian enrichment.” Moreover, did it have any effect on moving Iran to the negotiating table, or did they come in spite of Stuxnet? All of this suggests that even though covert operations are more amenable to measuring efficacy than espionage, assessing success still requires a clear articulation of what the objectives are and if they are met. This is all the more essential given the non-trivial risk that in cyberspace, similar to drones, there is a high risk of tactics driving strategy (i.e., leaders pursue operations simply because they can).


Cyberspace may be an intelligence contest among rivals, but all intelligence operations are not created equal. While cyber-enabled espionage and covert cyber operations both qualify as intelligence activities given their reliance on secrecy, and are therefore distinct from conventional warfare or diplomacy, they are also distinct in key ways from one another. Failing to appreciate these differences impedes our ability to understand the richness of cyber operations, underlying motivations, the prospect for signaling, and metrics of success.

Going forward, appreciating this nuance will be important for several reasons. First, as U.S. Cyber Command enters its second decade of existence, having a clear sense of how to think about the variety of operations in cyberspace is critical. In many cases, cyber activity approximates an intelligence contest in which states jockey for information and influence. While it is not always easy to tell which is which, it is imperative to try. Second, assessing the wisdom of the previous administration’s decision to give Cyber Command more latitude in conducting operations — which the Biden administration has purportedly left in place — requires clear metrics of what has worked and what has not. Covert cyber operations may provide a more useful benchmark than espionage operations.



Michael Poznansky is an assistant professor in the Graduate School of Public and International Affairs at the University Pittsburgh. He is also a U.S. foreign policy and security fellow with the Dickey Center at Dartmouth College and a non-resident fellow with the Modern War Institute at West Point during the 2020-2021 academic year. He is the author of In the Shadow of International Law: Secrecy and Regime Change in the Postwar World (Oxford University Press, 2020).

Image: U.S. Air Force (Photo by Staff Sgt. Devin Boyer)