Cyber Challenges for the New National Defense Strategy
A major moment for America’s approach for cyberspace might be just around the corner. It’s hard to make a new national defense strategy an exciting watershed, especially when a curious and ill-defined term — “integrated deterrence” — is at the center of it. But skeptics should be a little more open to the idea that the Pentagon is on the verge of pushing out a key idea that could solve many of its struggles in cyberspace. According to defense officials, integrated deterrence includes incorporating military capabilities across domains, theaters, and phases of conflict; rebuilding alliances; and fostering innovation and technological development, all with an eye towards creating a more resilient military. This list sounds good in theory. But, gauging from some expert reactions so far, it’s not clear what successful integration (or deterrence) would look like in practice.
Recently, Assistant Secretary of Defense Mara Karlin emphasized that the Pentagon is “stress-testing ideas…so that everybody knows what we’re talking about.” In the spirit of this stress test and, since the Defense Department has a well-known track record with vague deterrence strategies and neologisms that seem designed to justify defense budgets, below we conduct our own stress test for cyber and the new strategy.
What does integration look like for cyberspace? What will the strategy have to overcome in order to be successful? Is deterrence the right frame for strategic success, or should the new strategy focus more squarely on resilience? The answers to these questions can help guide the Department of Defense as they make the final tweaks to their new strategy and, hopefully, make the United States more successful not just in cyberspace but across domains.
How Would “Integrated Deterrence” Actually Integrate Cyber?
Cyberspace is an important component of the Defense Department’s integrated deterrence efforts. As Secretary of Defense Lloyd Austin noted in his remarks, this new strategic approach involves “integrating our efforts across domains and across the spectrum of conflict” as well as “the elimination of stovepipes between services and their capabilities, and coordinated operations on land, in the air, on the sea, in space and in cyberspace.”
This idea makes inherent sense. It is also consistent with research that has found cyber operations have limited utility as independent instruments of coercion, are rarely decisive in conflicts, and are generally poor signals of resolve for deterrence. Instead, cyber operations are more effective when they augment other military and foreign policy tools. This could include through deception and espionage, manipulating the information environment and decision-making, and potentially shaping or complementing conventional operations on the battlefield.
So, integrating cyber operations across theaters, domains, and phases of conflict is a good thing. Why does the Department of Defense need a new concept to do this? Cyber operations have been difficult to incorporate into the normal defense planning process. This process, a highly formulaic procedure (usually focused on a single theater) of allotting troops and weapons by phases of conflict, is unwieldy for cyberspace operations. This is because cyber operations struggle with assured access, good estimates of effectiveness or extent of damage, or even certainty about for how long they will work (or even if they will work as intended). Though using a cyber operation, for instance, to blind air defenses before an airstrike sounds good on paper, in practice mission commanders would rather rely on cruise missiles or electronic jamming that can meet time on target needs and have better estimates of effectiveness than cyber operations. Further, cyber accesses for conventional conflicts (for instance, access to an adversary’s weapons networks or military command systems) are difficult to obtain and retain, meaning that cyber capabilities rarely “sit on a shelf” for an extended period, available to use at a whim when an operational plan is executed. That said, substituting cyber for conventional capabilities comes with some unique benefits, such as the temporary and reversible nature of the damage inflicted and the ability to operate in a more deniable fashion. Discerning how to capitalize on these aspects of cyber capabilities while addressing their limitations represents a central challenge for planners.
For years, the solution was to invest in systems (like Cyber Command’s Unified Platform) that were supposed to provide greater certainty about cyber effects. However, these efforts have struggled to create certainty in a domain where uncertainty is a fixture, not a temporary defect. Perhaps, therefore, a better approach is to instead assimilate other domains and capabilities into processes in which cyber operations have been innovative and successful. In particular, event-based task forces increasingly used for cyber events (such as Joint Task Force-Ares or the inter-agency task force to combat election interference) provide an alternative planning mechanism that is dynamic, works across government agencies, and fits nicely within the infamous “phase 0” of competition where most gray zone operations take place (and the joint planning process is notoriously unsatisfying).
Commanders also need to think about cyber effects in conflict as more than just replacements for things they could otherwise do with conventional capabilities. Cyber operations are at their best not when they are designed to create an effect in a moment in time, but instead when they are part of a larger strategy of obfuscation, deception, and sabotage. These can be extremely useful complements to conventional missions but how they are targeted, tasked, and executed will likely not fit best within the “tasking order” cycle or even in service silos that disproportionately focus on single platforms versus network effects.
Finally, planning and process integration will ultimately fail if the Defense Department does not make good on innovation. Currently, the program of record and acquisition process makes acquiring cyber capabilities (especially on the defensive side where commercial software solutions far outpace the Department of Defense) extremely difficult. Software, unlike most defense acquisition widgets, requires constant development, patching, and updating — all tasks the current acquisition process is not designed to accommodate. Even worse is the Pentagon’s record of investing in software through research or small businesses and getting it across the valley of death and implemented on its own networks. Further, the lack of information technology integration between the armed services means that networks, software, even data are owned and more often than not administered separately by each service. This is a nightmare for acquiring cyber capabilities — whether defensive or offensive — and large enterprise-wide solutions (even from Cyber Command) are almost impossible to implement without an advocate from one of the armed services spearheading the effort.
Challenges (and Opportunities) of Alliances
Integrated deterrence goes beyond what is already a very difficult challenge of making cyberspace work better within the U.S. military. Alliances also seem to play a huge role in the Department of Defense’s new deterrence concept. As Undersecretary of Defense Colin Kahl explained, the new strategy requires that the Department of Defense be “integrated across our allies and partners, which are the real asymmetric advantage that the United States has over any other competitor or potential adversary.”
Cyberspace presents a unique challenge for alliances. For years, Washington’s traditional alliance relationships struggled to even agree on basic cyber terms and attempts to share information were complicated by cyber operations’ close relationship with the highly classified world of signals intelligence. Moreover, U.S. actions in cyberspace have, in some cases, strained alliance relationships. Two prominent examples include the backlash over the Edward Snowden leaks as well as concerns about the implications of persistent engagement and defend forward for allied-owned networks.
These were considerable challenges. However, as cyber incidents have escalated over the last few years, there has also been an increasing recognition across these relationships that cyberspace matters. This joint recognition spurred new information-sharing mechanisms and partner efforts to find and root out adversary infiltration attempts on allied networks. Most recently, joint attribution by NATO and E.U. partners called out China for the Microsoft Exchange Hack — a rare reaction from these organizations. This comes on the heels of public statements at the NATO summit in Geneva in June that reaffirmed the applicability of the mutual defense clause of the alliance agreement to cyberspace. Further, despite the aforementioned alliance tensions, the Defense Department has conducted 24 “hunt forward” operations in which U.S. cyber protection teams partnered with 14 countries to root out adversary activity on allied networks.
Building on this forward momentum, perhaps the greatest opportunity for the Biden administration’s national defense strategy is to use military alliances and partnerships to facilitate norm development. Norms are shared understandings about appropriate behavior. Some norms are written down and formalized in agreements, while others are more informal and emerge as a result of state practice over time. Moreover, norms are agnostic with respect to morality: there could be “good” norms that facilitate cooperation, but also “bad” norms that make the international system less stable.
In the past, particularly under the Obama administration, norms were considered the realm of the State Department while the Department of Defense focused on deterrence by punishment and denial. This changed under the Trump administration, when the State Department’s norms efforts took a back seat to Department of Defense efforts to defend forward. The initial foundational work done by the Obama administration on cyber norms, paired with four years of experimentation and more risk-acceptant cyber authorities under the Trump administration, have created a track record for cyber norms that is far more heterogeneous than policymakers have let on. While there are certainly many areas where states disagree, norms do exist in cyberspace. For instance, a diverse set of states — beyond just the United States and “like minded” nations — has come to formal agreements about “rules of the road” for cyberspace through various international institution-driven processes, most notably the United Nations Group of Governmental Experts and the Open-Ended Working Group. To the surprise of many observers, earlier this year both of these processes resulted in consensus reports where parties agreed to a set of cyber norms. And from a bilateral perspective, rivals such as Russia have been willing to engage the United States in discussions about cyber norms, even if the prospects for cooperation remain uncertain. And beyond formalized agreements, there is a range of unwritten, implied norms that shape mutual expectations of behavior in cyberspace. These include a firebreak between cyber and conventional operations, such that states to not respond to cyber attacks with the use of kinetic military force; the idea that cyber espionage is generally treated as other forms of espionage (with some exceptions); and a pattern of tit-for-tat responses in cyberspace that have led to a nascent sense of what counts as “proportional.”
The Defense Department plays a large role in this process — though in the past this hasn’t been a formal effort. Specifically, how the Department of Defense uses its own cyber capabilities or threatens to respond to cyber capabilities can play an outsized role in whether cyberspace norms proliferate. Some have argued that employing military cyber power can, through a tacit process, contribute to the development of cyber norms. However, the ambiguous signaling strategies that this line of argument generates are often overly complicated and obtuse. Strategic documents are some of the clearest articulations of norms that adversaries receive. Given that, the U.S. military should use the opportunity of a new national defense strategy to voice clearly what the U.S. believes are appropriate norms of behavior in cyberspace. In particular, it should consider making unambiguous statements about what the Pentagon won’t do in cyberspace — in effect, a declaratory policy of restraint. This may be as important to norm propagation as efforts by the State Department to codify international agreements.
Are the Assumptions Correct?
We have previewed what integrated deterrence might look like in practice and how difficult it can be to actually integrate. Knowing whether deterrence can work is even more difficult. For cyber, we are concerned that previews of cyber deterrence assumptions rest on shaky assumptions. In particular, Austin’s remarks about the strategic environment in cyberspace suggest some faulty assumptions about escalation and deterrence in cyberspace. Austin described cyberspace as a domain in which “norms of behavior aren’t well established and the risks of escalation and miscalculation are high.” Implied in this statement is a link between the former and the latter — in other words, one of the reasons cyberspace may be a dangerous domain is due to the purported absence of meaningful norms of behavior. However, this is problematic for two reasons.
First, (as we alluded to before) cyberspace is not an ungoverned “Wild West” bereft of norms. When U.S. policymakers lament the absence of norms in cyberspace (or in other domains), they almost always mean the lack of norms that the United States perceives to be in its own interests or consistent with its values — but this does not mean that norms do not exist.
Second, despite fears among scholars and practitioners, there is little empirical support for the notion that cyberspace is a uniquely escalatory domain (or that cyber operations are effective signals for cross-domain deterrence). Academics have systematically explored this question through deductive analysis, wargames, and statistical analysis and rarely find evidence of escalation from cyberspace to violence. The reality is that escalation in cyberspace is neither rampant, nor wholly impossible — that’s because escalation is an inherently political phenomenon driven by the perceptions and risk calculations of adversarial actors. Therefore, sweeping pronouncements about cyber escalation do little to aid policymakers in developing reasonable assessments of escalation risks (and may actually handcuff otherwise useful below-violent options for decision-makers).
Assumptions matter because they guide strategy development and implementation, even if not explicitly. Therefore, reexamining long-held but erroneous understandings of the nature of strategic competition in cyberspace can provide a stronger basis for discerning how to incorporate cyber operations into defense strategy. Specifically, policymakers should set aside truisms about cyber escalation and instead focus on more granular discussions about a set of plausible scenarios that could give rise to different forms of escalation risks, and the mitigation strategies that follow from them.
Looking Ahead: Resilience!
Finally, Austin’s speech hints at what we see as a compelling opportunity to reimagine cyber strategy in a resilience context, potentially making progress in an environment of seemingly intractable debates among policymakers about the feasibility of cyber deterrence. The main difference between strategies of resilience versus other strategies that focus on deterrence or even defense is that resilience is about perseverance over time while responding to disruptive attacks. Whereas deterrence fails when states attack, resilience assumes that states will attack but instead predicates success on the ability to absorb these attacks and recoup, retrench, and conduct sustained campaigns. One of the limitations of previous cyber strategy has been the caging of ideas like persistent engagement in offensive or defensive language. Instead, the value of persistence is in resilience and survival.
What might a resilient cyber strategy look like? While a comprehensive take is beyond the scope of this article — indeed, it represents a significant research agenda in its own right — we offer a few initial suggestions for policymakers to consider. First, it would require the joint force to identify the critical functions and processes that are essential for core missions. Second, it would incentivize (and punish) the services for creating highly centralized or exquisite and fragile networks and platforms — recognizing that cyber security is less likely to succeed when these types of capabilities are built. Third, it would require the services to build manual workarounds and back-up solutions to limit adversary impact to critical systems and functions and to prioritize recovery efforts. Finally, a cyber strategy based on resiliency would measure success not by how many attacks occur but instead by the effects of cyber attacks on America’s ability to conduct operations across domains and achieve key military objectives. Together, these initiatives towards resilience would both require and create a more integrated force.
Erica Lonergan, Ph.D., is an assistant professor in the Army Cyber Institute and a research scholar in the Saltzman Institute of War and Peace Studies at Columbia University. The views expressed in this article are personal and do not reflect the policy or position of any U.S. government organization or entity. Follow her on Twitter @eborghard.
Jacquelyn Schneider, Ph.D., is a Hoover Fellow at Stanford University and an affiliate at Stanford’s Center for International Security and Cooperation. Follow her on Twitter @jackiegschneid.