Prescribing a New Paradigm for Cyber Competition
Michael P. Fischerkeller, Emily O. Goldman, and Richard J. Harknett, Cyber Persistence Theory: Redefining National Security in Cyberspace (Oxford University Press, 2022).
Predictions about cyber war have ranged from the apocalyptic to the reassuring over the past decade, and the current war in Ukraine — beyond its horrific violence, dislocations, and criminality — provides a test case for those theories. Do cyber operations provide decisive advantages in war? Are they more escalatory or de-escalatory than other weapons? Or is it more appropriate to consider cyber capabilities primarily as instruments of interstate competition short of war?
The Russo-Ukrainian War is the first case in which opponents with advanced cyber capabilities have used them to achieve material and cognitive effects in armed conflict. Firm conclusions must await the end of the war, but for now, cyber operations do not appear to have been decisive in destroying or disrupting military forces and economic wherewithal, or in affecting societal willpower and political cohesion.
Even the most revisionist states most of the time want to gain intelligence, enhance revenue through favorable trade, theft or sanctions evasion, and sabotage adversaries politically and economically, while avoiding shooting wars, especially with more powerful adversaries. Such states and their opponents are better off pursuing these aims through cyber operations if they can. Violent actions intended to take or hold territory or steal or disable assets are much more likely to provoke violent, costly, and irreversible responses. Once war is underway, it is thus far unclear whether roughly equivalent cyber capabilities would advantage an attacker or a defender.
The authors of a new book argue persuasively that the habitual U.S. approach of deterrence (primarily nuclear) and coercion (primarily threats of conventional attack) will not effectively dissuade adversaries’ cyber operations because they involve threats to inflict violence and damage disproportionate to the harm done unto us by those operations. Though written before the invasion, Cyber Persistence Theory does not flunk the Ukraine test thus far. Thanks to their pioneering diagnosis of the structure of the digital environment and the incentives it creates for competition, Michael Fischerkeller, Emily Goldman, and Richard Harknett posit that “cyber warfare” per se will be rare, and that most exertions will be below the violence and destruction of armed conflict. The authors are, respectively, a researcher at the Institute for Defense Analyses, a strategist at U.S. Cyber Command, and a professor at the University of Cincinnati.
If the great strength of the book is its structural analysis, its weakness is policy prescription. The authors propose an alternative approach of using persistent offensive and defensive competition with adversary cyber operators to establish customary legal boundaries between acceptable and unacceptable cyber espionage, economic and political competition, and warfighting. Unfortunately, the authors — and the short span of cyber-age history — do not provide detailed bases for thinking the United States and its friends will be able and willing to offer Russia, Iran, North Korea, and perhaps others sufficient threats and rewards to change their cyber behaviors.
The United States would prefer to extend its advantages in cyber-enabled precision warfare while minimizing adversary utilization of cyber to spy, steal, sabotage, and subvert below the level of armed conflict. But, if they can avoid war, adversaries have much to gain and little to lose from cyber competition with the United States, whereas the United States in toto — government, businesses, and the public — has more to lose from theft, sanctions evasion, and information warfare than its adversaries do. China could be an exception here, as discussed further below. Unlike the other adversaries, it is still a rising power in all relevant domains and could see benefit from negotiating rules on an equal footing. But the current political environment, with fault spread all around, precludes the authors and others from detailing sustainable experiments to this end. Absent a breakthrough on this front, the costs and anxieties of persistent exploitation of governmental, corporate, and personal computing and communications networks will continue.
The Long Shadow of Deterrence
Cyber Persistence Theory argues that the nature of information and communication technologies structures actors’ competition for relative gain: “The global networked computing environment is a warehouse for and gateway to troves of sensitive, strategic assets that translate into wealth and power, and the capacity to organize for the pursuit of both.” This environment is resilient at the macro-level — it’s hard to crash the internet, and there’s little gain from doing so. But billions of individual addresses in it are vulnerable, and it costs relatively little to acquire capabilities to exploit these vulnerabilities. So, “every minute of every day some actor somewhere has both the capacity and will to [gain] access to one’s national sources of power directly or indirectly.”
It is impossible to completely defend against or deter capable adversaries from attempting intrusions. So, states must persistently compete for relative gains that, over time, could make them strategically better off than their adversaries. Each seeks to add to its power and wealth more than its competitors add to theirs, or — especially in the case of Russia — to detract more from its adversaries’ power and wealth than is detracted from its own.
Persistent competition, the authors write, generally takes the form of “cyber faits accomplis — a limited unilateral gain at a target’s expense.” Examples of these include China’s theft of aircraft designs or other intellectual property, North Korea’s crypto heists, Russia’s theft and political manipulation of data from the Democratic National Committee, and the U.S./Israeli destruction of Iranian centrifuges. Once states discover they have been exploited, they try to reduce their vulnerabilities and perhaps increase their own capacities to penetrate their adversaries. Hence, persistent cycles of engagement. This mode of competition is less expensive and risky in every way than armed conflict. It reflects a tacitly produced mutual understanding of acceptable and unacceptable behaviors similar to what the United States and the Soviet Union developed during the Cold War, which Herman Kahn dubbed “agreed battle.”
The book’s basic argument is easy to follow, not least because the authors adeptly, if not eloquently, summarize its elements at each stage in their 157-page text. The reader feels in the presence of excellent teachers. After describing the nature of the networked computing environment and the proclivities it produces, the book pivots to a discussion of how the United States could compete more effectively with its adversaries and, over time, temper the costs and risks to international society.
The United States and its allies — governments, businesses, and customers — should be relieved that the damage from adversary cyber operations is below what would be done by armed conflict. But things would be even better if adversaries stole less information, intellectual property and money, stopped conducting influence operations to exacerbate political polarity and dysfunction, limited penetration of key civilian infrastructure, and so on. While the case of China is more complicated, the authors argue with evidence that sanctions and other coercive threats generally have not deterred or compelled Russian, North Korean, or Iranian behavior as American policymakers, imbued with nuclear deterrence strategy, long assumed or hoped it would.
But saying deterrence and compellence won’t work is not a viable policy. Something still must be done to change adversaries’ hostile behavior. Here, the authors urge an approach that is laudable and worthwhile, but still problematic. They urge the United States and allies to evolve existing international law and establish customary law that defines responsible state behavior and wrongful acts in this domain. The aim would be, over time, to motivate states to limit the targets, effects, and collateral damage of operations. Such restraint, it is argued, would benefit everyone by containing risks of major instability and escalation.
A Law-Building Project
Building such a legal regime would require the United States to overcome its frequent aversion to invoking international law when it indicts Chinese and other hackers. As part of the recommended legal-power strategy, the United States would declare what information and communication systems it deems exclusively its sovereign affair and off-limits from foreign interference under its interpretations of existing principles and rules of international law.
The power of this legal strategy would come from a third element: conducting cyber campaigns against adversaries in ways that reinforce the legal framework the United States is proposing. That is, the flip side of defining international legal obligations is the legitimacy it gives to countermeasures when someone violates an asserted obligation. Cyber operations to counter “violations” would, iteratively, amount to tacit bargaining with competitors over the boundaries between “acceptable and unacceptable behaviors around and about” functions or infrastructure that have been declared off-limits.
Unfortunately, the authors cannot say why Russia, North Korea, and Iran would change their behavior to comport with customary international law as interpreted by the United States. These regimes use cyber operations to acquire intelligence, steal intellectual property, evade sanctions, and exacerbate political divisions in adversary societies in ways that they cannot by other means. These states remain isolated, economically hamstrung, and technologically underdeveloped, but they are better off than they would be without cyber operations against the United States and others.
China arguably should be understood and treated differently by the United States and other states. It seeks the capacity to sabotage the United States’ high-tech weaponry, reconnaissance, command and control, and logistics operations in warfare. Short of armed conflict, it has used cyber espionage to gain technological capability for military and civilian purposes, to enhance counter-intelligence to protect against U.S. spying, and to project favorable opinions about China’s government and leaders into foreign countries. Unlike Russia, Iran, and North Korea, China is a rising technological and economic power with big equity stakes in the global trading system. It will want rules that others, including the United States, live by, to protect its wealth and intellectual property as well as its one-party political system, something especially problematic for the United States and its allies. And China wants to be central in writing those rules, not passively receiving them from U.S. policymakers. Yet, China does not have the experience and international following to take a leading role. The current all-encompassing antagonism between the two countries, epitomized by Speaker Pelosi’s visit to Taiwan, vitiates initiatives to create a modus vivendi in the cyber domain.
In conversations, officials and experts from Russia, Iran, and China typically assume the United States has better offensive cyber capabilities than they do — to spy on them, to know how to sanction them and detect their evasions, to sabotage their infrastructure, to obtain and publicize damaging information on their leaders, and to precisely and speedily fight a conventional war. (Presumably, North Koreans would say the same, but I have not spoken with them). In their view, whatever measures the United States proposes will be meant to preserve U.S. advantages over them. And as far as international law goes, adversaries like Putin, Xi, Kim, and Khamenei assume the United States will interpret it unilaterally and use it to mobilize or justify punishing its adversaries, while ignoring or violating others’ interpretations of international law whenever it wants, without repercussions.
The authors of Cyber Persistence know this. They want to build up customary international law so the United States can internally and internationally justify more vigorous cyber operations against adversary networks and machines. “Were adversary behaviors described in unsealed public indictments framed as internationally wrongful acts,” they write, “the extraordinary detail in the indictments should make policymakers comfortable with pursuing countermeasures, if the behavior identified in the indictment is ongoing.” This is a very important sentence nine pages from the end of the book: The United States has been too self-deterred, too inhibited, in the authors’ view. Senior officials — and presumably influential corporate leaders and shareholders — need to be pushed to see that the best defense is a good offense, and that this can be legitimized.
Unfortunately, the wisdom of their bold prescription is difficult to assess because the authors do not describe the countermeasures they have in mind. Classification and the traditional covertness of cyber operations prevent more transparency. Assuming for many good reasons the authors do not recommend armed attacks in response to adversary cyber operations of the kind seen so far, countermeasures would likely be in the cyber domain. The often-understandable lack of clarity regarding how the United States would react to hostile cyber operations leaves room for adversaries and commentators in swing countries, perhaps fueled by cinema and memories of Edward Snowden, to assume that the United States is doing more in their computers and networks than Russia, North Korea, Iran, and China are. And this is a problem for the authors’ other recommendation: The United States is competing with Russia and China for the rest of the world’s support in developing international norms and potentially customary law. If it cannot say more about the legitimating rationale and effects of operations it conducts in other countries’ systems, and plausibly distinguish between the normal and arguably legitimate espionage and countermeasures that the United States and its partners conduct compared to the less defensible targets and tradecraft of adversaries, the law-building strategy will founder.
Of course, even if Russia and China confine themselves to acceptable data-collecting espionage and preparation to attack legitimate U.S. military and war-supporting industry targets in war, the United States is likely to counteract. The hope for stabilizing cyber competition rests on the possibility of reciprocally bounding the targeting and probable effects of operations, and on very careful tradecraft. This will require the sustained, high-level attention of senior leaders, especially from the United States and China, and a steady diplomatic effort to explicate to each side which targets and effects are intolerable and will cause one to take countermeasures, and to create processes for communicating about ambiguous cases. Tacit bargaining will be essential given the secrecy of action in the cyber domain and the deranged politics of relations between the United States and the countries of greatest concern. But, at some point progress will depend on the U.S. political system tolerating leaders having a sustained, public dialogue or negotiation with leaders of adversary countries. Tacit bargaining is too ambiguous to rely upon alone.
Cyber Persistence Theory is a must-read even if it is far from the last word. The authors invoke Thomas Kuhn and his famous concept of “paradigm shift.” They penetratingly describe the structural shift that the information revolution imposes on some aspects of interstate competition. But cyberspace, unlike the phenomena that Kuhn’s natural scientists sought to understand, is human-made. Contending groups compete against each other by altering and exploiting their creations in this environment. The challenge is not merely to understand these dynamics like scientists do, but to shape them in ways that avert massive harm and, ideally, facilitate the pursuit of well-being. Meeting this latter challenge will require additional volumes that build on this one.
George Perkovich is Kenneth Olivier and Angela Nomellini Chair, vice president for studies at the Carnegie Endowment for International Peace. He is co-editor of Understanding Cyber Conflict: 14 Analogies (Georgetown University Press, 2017) which can be downloaded free at 19029-Perkovich_Understanding.indd (carnegieendowment.org).