Author Archives: smeetsmwe

Cyber Conflict and International Relations: Where to get started

Cyber conflict seems to have become necessary and normal. Nearly every day cyber attacks occupy the headlines of mainstream media. A diverse group of governments across the world state that they are exploring options to (further) develop a capacity to conduct offensive cyber operations. Non-state actors also continue to rely on cyber means whilst pursuing a diverse set of motives.  

Yet, the dynamics of cyber conflict are complex, understudied, and constantly changing.  In 2012, when Gen. Keith Alexander was still heading the NSA and US Cyber Command, he stated that there is “much uncharted territory in the world of cyber-policy, law and doctrine”. Gen. Alexander’s statement still holds today. There is still much uncertainty about a broad set of related issues, such as the potential normative restraints on cyber conflict, fourth party intelligence collection, the strategic value of offensive cyber operations, and how state and non-state actors (can) work together in cyberspace – both from offensive and defensive perspective. Researchers have tried to answer these questions whilst the conceptual and empirical underpinnings of the field are fluid. New ‘data points’, like the cyber-enabled information operations during the US Presidential Elections, have (re)shifted the focus of the field and changed our understanding of what cyber conflict entails. New interpretations of old ‘data points’, like the re-study on the 1990s Moonlight Maze campaign, have equally altered our understanding of the field.

So where to get started if you’re a political science student (or diplomat, congressional staffer, etc.) new to the field of cyber conflict? Below you can find a very, very short reading list. It’s based on my teaching at Stanford University for the Master in International Policy (MIP), analysis of 25+ cyber conflict syllabi, and review of cyber conflict articles in top 50 Poli Sci journals. 

1. Conceptualizing Cyberspace and Cyber Conflict

2. Types of Threat Actors and forms of Activity

3. Policy Dilemmas

(Public) Attribution

  • Rid, Thomas & Ben Buchanan, ‘Attributing Cyber Attacks’, Journal of Strategic Studies, 38:1-2 2015, http://www.tandfonline.com/doi/abs/10.1080/01402390.2014.977382
  • Florian Egloff, “Public Attribution of Cyber Incidents,” (2019, May), CSS Analyses in Security Policy, http://www.css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/CSSAnalyse244-EN.pdf

VEP / Capability Build up

Organizational Integration

  • Michael Hayden, Playing the Edge: American Intelligence in the Age of Terror 
  • Michael Sulmeyer, “Much Ado About Nothing? Cyber Command and the NSA,” WarontheRocks, (2017, July 19) https://warontherocks.com/2017/07/much-ado-about-nothing-cyber-command-and-the-nsa/ 
  • Smeets, Max, “Organisational Integration of Offensive Cyber Capabilities: A Primer on the Benefits and Risks,” NATO CCD COE Publications, 2017, http://maxsmeets.com/wp-content/uploads/2018/09/Art-02-Organisational-Integration-of-Offensive-Cyber-Capabilities-2.pdf

Cybersecurity Dilemma

  • Buchanan, Ben, Cybersecurity Dilemma, 2017, Oxford University Press

Collateral Damage

4th Party Collection

  • Juan Andres Guerrero-Saade & Costin Raiu, “Walking in our enemy’s shadow: When Fourth-Party Collection Becomes Attribution Hell”, Virus Bulletin Conference, (2017, October): https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf
  • GReAT, Animals in the APT Farm, Kaspersky Lab (2015, March 6): https://securelist.com/animals-in-the-apt-farm/69114/

Dealing and Responding to Proxy Activity

  • Healey, Jason. “The Spectrum of National Responsibility for Cyberattacks.” Brown Journal of World Affairs 18.1 (2011): 57–69.
  • Maurer, Tim “‘Proxies’ and Cyberspace,” Journal of Conflict and Security Law, (December 17, 2016)
  • Bejtlich, R. ‘What Does “Responsibility” Mean for Attribution?’ (TaoSecurity, 22 December 2014) http://taosecurity.blogspot.com/2014/12/what-does-responsibility-mean-for.html

4. History US Cyber Conflict

  • Warner, Michael (2012) ‘Cybersecurity: A Pre-history’, Intelligence and National Security, 27:5, 781-799 http://www.tandfonline.com/doi/full/10.1080/02684527.2012.708530
  • Healey, Jason, and Karl Grindal. 2013. A Fierce Domain: Conflict in Cyberspace, 1986 to 2012. Cyber Conflict Studies Association.
  • Sanger, David E., 2012. Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power (NY: Crown), pp. 188-209

5. US (CYBERCOM) Cyber Strategy

  • Lynn, William J. III, “Defending a New Domain,” Foreign Affairs 89.5 (2010), 97-108.
  • United States Cyber Command, “Achieve and Maintain Cyberspace Superiority”, (March 23, 2018), retrieved from: https://assets.documentcloud.org/documents/4419681/Command-Vision-for-USCYBERCOM-23-Mar-18.pdf
  • Smeets, Max and Herbert S. Lin, Chapter 4: A Strategic Assessment of the U.S. Cyber Command Vision, 2018, Bytes, Bombs & Spies, Brookings Institution Press: https://medium.com/freeman-spogli-institute-for-international-studies/bytes-bombs-and-spies-261564d51157

6. The Strategic Value of Cyber – Deterrence, Compellence, Persistence and more

  • Gartzke, Erik. “The Myth of Cyberwar: Bringing War in Cyberspace Back Down to Earth.” International Security 38, no. 2 (October 2013): 41–73. doi:10.1162/ISEC_a_00136.
  • Harknett, Richard J. and Michael P. Fischerkeller, “Deterrence is Not a Credible Strategy for Cyberspace,” (2017), Orbis Summer 2017, Vol. 61, No. 3
  • Gartzke, Erik and Jon R. Lindsay. “Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace.” Security Studies 24, no. 2 (April 3, 2015): 316–48. doi:10.1080/09636412.2015.1038188.
  • Aaron F. Brantly, Cyber Actions by State Actors: Motivation and Utility, International Journal of Intelligence and CounterIntelligence, 27:3 (2014): 465-484

7. Cyber Norms

  • Finnemore, Martha “Cultivating International Cyber Norms.” America’s Cyber Future: Security and Prosperity in the Information Age 2 (2011).
  • Farrell, Henry and Charles L. Glaser, The role of effects, saliencies and norms in US Cyberwar doctrine, Journal of Cybersecurity, 3, 1, 1 March 2017, 7–17, https://doi.org/10.1093/cybsec/tyw015
  • Finnemore, Martha and Duncan B. Hollis, “Constructing Norms for Global Cybersecurity,” 110 American Journal of International Law, Temple University Legal Studies Research Paper No. 2016-52

8. International Law

  • Koh, Harold Hongju. “International Law in Cyberspace.” Harvard International Law Journal Online 54 (2012): 1–12.
  • Schmitt, Michael N. “International Law in Cyberspace: The Koh Speech and the Tallinn Manual Juxtaposed,” Harvard International Law Journal, 54 (2012) http://www.harvardilj.org/wp-content/uploads/2012/12/HILJ-Online_54_Schmitt.pdf
  • Waxman, Matthew C., “Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4),” Yale Journal of International Law, vol. 36, no. 421 (2011): pp. 421-459.

Links

Cyber Command’s Strategy Risks Friction With Allies

Much has been written about the fundamental changes in U.S. cyber strategy. U.S. Cyber Command’s vision of “persistent engagement” and the Department of Defense’s new strategy of “defend forward” have, in particular, led to numerous critical remarks about the risks of escalation between the U.S. and its main adversaries in cyberspace.

These debates are worth continuing, including about what the change in strategy means for establishing norms in cyberspace. But commentators have so far ignored a key dimension: The strategy’s main implications may not reside in how it changes the dynamics between the U.S. and its adversaries but, instead, in how it affects broader alliance relationships, especially beyond the Five Eyes (Australia, Canada, the U.K., the U.S. and New Zealand). U.S. Cyber Command’s mission to cause friction in adversaries’ freedom of maneuver in cyberspace may end up causing significant friction in allies’ trust and confidence—and adversaries may be able to exploit that.

Operating “Seamlessly, Globally, and Continuously”

Cyber Command’s new strategy seeks to operate “seamlessly, globally, and continuously.” It states that “[s]uperiority through persistence seizes and maintains the initiative in cyberspace by continuously engaging and contesting adversaries and causing them uncertainty wherever they maneuver.” According to the strategy document, Cyber Command intends to do this “as close as possible to adversaries and their operations,” connecting persistent engagement to the Pentagon’s principle of “defending forward.”

In an article for Joint Force Quarterly (JFQ), NSA Director and Cyber Command head Gen. Paul Nakasone writes: “We must instead maneuver seamlessly across the interconnected battlespace, globally, as close as possible to adversaries and their operations, and continuously shape the battlespace to create operational advantage for us while denying the same to our adversaries.”

When Nakasone says the U.S. must get “as close as possible to adversaries and their operations,” he implies that the U.S. seeks to achieve effects that are outside of its own networks and beyond the networks of its adversaries. This vast area is not ungoverned space. It includes, for example, routers in Nairobi, servers in Denmark or operating infrastructure in any other country around the world.

Blue Space, Gray Space and Red Space

In the JFQ article, Nakasone also states that “if we are only defending in ‘blue space’ we have failed.” This use of terminology, as well as talk about “operating close to the adversary,” evades one issue: It is unclear whether Cyber Command only seeks to cause friction in “red space” or if it seeks to compete in “gray space” as well. These terms are often confused and not well understood. (The terms “gray zone”—areas where it’s unclear whether the government has legal authority to act—and “gray space” are also frequently confused.) In fact, the issue was raised for “further exploration” at Cyber Command’s 2018 symposium, specifically understanding the “relevance of concepts like area of responsibility and red-blue-gray space to the cyberspace domain.”

Joint Publication 3-12 (JP 3-12) on cyberspace operations, prepared under the direction of the chairman of the Joint Chiefs of Staff, explains the terminology:

The term “blue cyberspace” denotes areas in cyberspace protected by the US, its mission partners, and other areas DOD may be ordered to protect. Although DOD has standing orders to protect only the Department of Defense information network (DODIN), cyberspace forces prepare on order, and when requested by other authorities, to defend or secure other United States Government (USG) or other cyberspace, as well as cyberspace related to critical infrastructure and key resources (CI/KR) of the US and PNs [partner nations]. The term “red cyberspace” refers to those portions of cyberspace owned or controlled by an adversary or enemy. In this case, “controlled” means more than simply “having a presence on,” since threats may have clandestine access to elements of global cyberspace where their presence is undetected and without apparent impact to the operation of the system. Here, controlled means the ability to direct the operations of a link or node of cyberspace, to the exclusion of others. All cyberspace that does not meet the description of either “blue” or “red” is referred to as “gray” cyberspace.

Gray space is defined based on the nodes adversaries control. This means the vast area between U.S. government-owned networks and adversaries is not considered to be gray space. Instead, if for instance the GRU (Russia’s military intelligence agency) controls a node in the Netherlands, it is considered to be red space based on JP 3-12. And it’s worth mentioning that the notion of control is open to interpretation by states.

This means that if Cyber Command seeks to operate only in “red space,” its activities will still have global reach. It also suggests that red space grows as adversaries expand their operational activity. Most importantly, this implies that if Cyber Command seeks to achieve “effects” in gray space, this will involve operating on infrastructure that adversaries do not control—which is to say those systems or networks on which adversaries merely have a presence or are not active at all.

What’s New Under the Sun?

What’s really new here? The United States has long operated in networks “close to the adversary.” As Ben Buchanan’s book, “The Cybersecurity Dilemma,” demonstrates, the U.S. has long acted as an “observer” in gray space, gathering intelligence of adversarial activity in those others’ networks. In fact, information has become public concerning a case in which the Five Eyes collected intelligence about an espionage platform (dubbed “Snowglobe” by the Canadian Intelligence Agency CSEC and “Animal Farm” by Kaspersky Lab) of an allied country, France, likely operating in adversarial networks in the Middle East. In other words, the practice of fourth-party collection is nothing new. And the U.S. has also long acted in foreign nonadversarial networks as a “passerby,” transiting through gray space networks to access an adversarial network.

But the new Cyber Command and Defense Department strategy changes the nature of the U.S. military’s behavior within those systems and networks. Under the new strategy, Cyber Command wants to be an active disrupter on those networks. It wants to achieve effects.

The only known precedent is Cyber Command operators wiping Islamic State propaganda material off a server located in Germany. The German government was notified in some fashion but not asked for advance consent, causing much frustration.

This will likely lead to a systematic scaling up: Cyber Command now also seeks to be an active disrupter on those networks “globally, continuously and seamlessly”—not regionally and sporadically.

The Danger of Operating Seamlessly in Allied Networks

Operating instantly makes sense considering the potential operational tempo of adversaries: You can’t have protracted diplomatic discussions for two months with an ally about whether or not to take down some command and control infrastructure of an adversary hosted in the allied country. You don’t have days, let alone months. As a participant mentioned at the recent Chatham House Rule 2019 Cyber Command Symposium on strategy: “Opportunities within this domain are fleeting.”

Operating seamlessly could also make sense if an ally does not mind the U.S. coming into its networks to address the malicious activity. In this vein, the U.S. can continue to build partnerships with countries that do not have the capacity to defend against cyber attacks on their own.

But, what if an allied country is not keen on having the U.S. military in its networks, actively, seamlessly, and continuously disrupting an adversary’s cyber operations? As the German case shows, this scenario will likely come up a lot more in the near future.

In other words, in seeking to successfully create friction in cyberspace for adversaries, Cyber Command may also seek to act within allied networks, even if the ally does not approve. It might even be successful in its mission, causing friction in adversaries’ operations before they cause serious harm to the U.S. But this strategy runs a real risk of undermining allies’ trust and confidence in ways that are subtle and not easily observable. This ought not to be overlooked, especially since this element may itself be exploited by adversaries.

Adversaries don’t randomly choose which intermediate nodes to direct their operations through. If Russia has the choice to go through a network that would raise some serious diplomatic friction between the U.S. and a U.S. ally, or operate through a network that would cause no diplomatic friction for the U.S., what would it prefer? It would make sense for adversaries to operate through the networks of exactly those countries with which the U.S. has a strong relationship but that do not want the U.S. to operate within their networks causing any effects.

Russia is already good at exploiting divisions between the U.S. and its allies. Cyber Command’s new strategy might give it another avenue to do so.

A Final Word

Bobby Chesney recently offered a brief overview of what is known about the out-of-network operations Cyber Command has conducted, based on reporting from Mark Pomerleau at Fifth Domain. Chesney notes that there is still a lot of uncertainty about what did and did not change in terms of the interagency process and how often Cyber Command seeks to operate outside the Department of Defense Information Network.

I would add that there is also much uncertainty about where Cyber Command currently operates. This dimension, however, is crucially important for understanding the true implications of the United States’s change in cyber strategy. By operating in allied networks, Cyber Command is running the risk of causing the wrong type of friction.

This article was first published by Lawfare

There Are Too Many Red Lines in Cyberspace

U.S. officials increasingly express old frustrations about the lack of standards for appropriate state behavior in cyberspace. As U.S.-China trade tensions soar, cybersecurity firms have reported that China is renewing its cyber-enabled economic espionage efforts against U.S. companies—if they ever ceased. Russia does not seem to be scaling down its cyber-enabled disinformation operations, threatening democracies worldwide. The Trump administration’s withdrawal from the Iran nuclear deal is also reported to have inspired Iranian actors to conduct a new wave of disruptive attacks. Concerns over North Korean hostile cyber activity have not gone away either.

Commentators and lawmakers have described the problem as twofold. First, U.S. government officials fail to set red lines, fearing that doing so would cede freedom to maneuver when responding to cyber operations. But second, whenever red lines are established, the U.S. fails to enforce them.

I believe these are problems of the past. Following the shift in strategic thinking documented in the 2018 Department of Defense Cyber Strategy, the U.S. now increasingly faces a new challenge: There are too many red lines. If there is anywhere in cyberspace that state actors are allowed to compete, it is a very, very small subset of competitive environments. The new challenge is to figure out what adversaries are allowed to do in cyberspace, not what they’re not allowed to do.

The Old View

U.S. government officials have repeatedly warned that a “cyber Pearl Harbor”—an incident that would rise to the level of an armed attack under international law—would not be tolerated. The U.S. also has repeatedly reiterated to the Chinese government that the U.S. views cyber operations to benefit commercial entities as a violation of international norms—resulting in the Obama-Xi cyber agreement in 2015. The Obama administration also marked tampering with polling or registration systems during U.S. elections as a red line, communicated to Russia in the lead-up to the 2016 presidential elections through the hotline connecting the Nuclear Risk Reduction Centers of both countries.

Over the years, U.S. policymakers have been less vocal in condemning other cyber activity, such as probing critical infrastructure. And in some cases they even paid tribute to adversarial cyber activity.

Following the disclosure of the Office of Personnel Management (OPM) breach, which involved the theft of almost 22 million records of government employees, former CIA and NSA Director Michael Hayden said that, even though “this is a tremendously big deal … don’t blame the Chinese for the OPM hack.” Hayden “would not have thought twice” about seizing similar information from the Chinese government if he had the opportunity. In a similar vein, James Clapper, then the director of national intelligence, told a group in Washington after the disclosure, “[Y]ou have to salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we would hesitate for a minute.” No retaliation followed the attack.

The New Approach

When then-Lt. Gen. Paul Nakasone appeared before the Senate Committee on Armed Services to review his nomination to become the director of the NSA and the third commander of U.S. Cyber Command, he spoke out against previous U.S. lack of response against cyberattacks, noting that “the longer that we have inactivity, the longer our adversaries are able to establish their own norms.”

In an article published in Joint Force Quarterly, Nakasone writes about how Cyber Command needs to become what he calls a “persistence force” that “will contest our adversaries’ efforts in cyberspace to harm Americans and American interests. … Over time, a persistence force, operating at scale with U.S. and foreign partners, should raise the costs that our adversaries incur from hacking the United States.”

His article closely follows on from the discussion found in the summary of the 2018 Department of Defense Cyber Strategy and the 2018 Command Vision for U.S. Cyber Command. These documents, as I have previously noted with Herb Lin, embody a fundamental reorientation in strategic thinking.

Cyber Command’s shift toward persistent engagement is based on a different understanding of the threat landscape. The U.S. no longer views many of the cyber operations below the threshold of armed attack as just tactical forms of espionage or subversion or as episodic forms of theft or crime. Instead, these operations are seen as important levers in a new domain of great power competition. Campaigns comprised of linked cyber operations below the threshold of armed attack are still able to achieve strategic outcomes.

Cyber Command seeks to achieve two goals through persistent engagement: 1) achieving “superiority” and improving the balance of power in their favor, and 2) creating a more stable and secure cyberspace. I previously noted with Herb Lin that “a United States that is powerful in cyberspace does not necessarily mean one that is more stable or secure.”

Tacit Agreed Competition

But according to Michael Fischerkeller and Richard Harknett, one way the U.S. can achieve both objectives is through “tacit bargaining” leading to “agreed competition,” as spelled out in two recently published Lawfare articles. They write:

In efforts to arrive at tacit understandings of acceptable and unacceptable behavior in the cyber strategic competitive space, the tasks states face will be a function of the alignment of their national interests with mutual or common interests as manifested in cyberspace. Where those interests converge, we should anticipate states will engage in cyber operations around focal points that communicate shared interests and a willingness to collaborate on ranges of acceptable/unacceptable behavior about those interests. But where those interests are in conflict, states will communicate as much through cyber behaviors seeking to outmaneuver each other to achieve an advantage or at least avoid a disadvantage.

Persistent engagement should ultimately lead to “agreed competition” in cyberspace, they argue. It is a form of norms setting through practice (that is, showing what is appropriate behavior through constant action). The idea is that it leads to “a comprehensive strategic great power competitive space with its own distinct structural features.”

An attack like the one on the OPM would be at the top of the list of operations that Cyber Command deems unacceptable and would not tolerate as a part of this competitive space. It is a prime example of an operation that takes place below the threshold of armed attack but has great strategic impact—especially if it is linked to other operations.

The data stolen by Chinese hackers during the OPM hack included names, dates, places of birth, security background checks, data on intelligence and military personnel, and the fingerprint data of 5.6 million employees. Hackers even accessed the SF-86 security clearance application form, which includes information such as records of drug use, alcohol addiction and financial problems. While the OPM itself contains a great deal of data “perfect for blackmail,” if it is linked with data from other breaches, such as those of Anthem, American Airlines and Marriott, it has even more impact. Together, data from these breaches offer the Chinese government the opportunity to create a comprehensive database of current and former U.S. (intelligence) officials, who they meet, what they earn, where they go and so on.

The Problem

This shift in strategic thinking leads to new challenges for cyber norm setting.

On one hand, the strategy’s central point is that adversaries should not conduct offensive cyber operations against the U.S. that (independently or cumulatively) weaken the United States’s position in the international system. On the other hand, if we assume these adversaries are rational, they seek to conduct only those operations that are strategically advantageous to them (and not merely to cause a nuisance or for fun), including by weakening the United States.
Therefore, the space for agreed competition is very small: Only those operations against the U.S. that do not weaken the United States’s position in the international system but are strategically meaningful to the adversary form part of what Fischerkeller and Harknett call the “competitive space.” In fact, those operations that are potentially strategically consequential—operations for which the current strategic purpose is uncertain but that could be linked to other operations in the future to achieve meaningful effects—are also problematic but are excluded from the space.

The only case that comes to my mind that would meet both criteria is the Chinese government’s attack on GitHub in March 2018. The attack against GitHub was the biggest distributed denial-of-service attack recorded to date. (Hence, some might say it should not be allowed.) But it didn’t have any negative strategic consequences (not in the short nor long term) for the U.S., and it did strategically benefit China’s regime. The hackers attacked a web hosting service based in the United States, but the motivation of this attack was domestic censorship in China. The attack specifically targeted pages for two GitHub users that circumvent China’s firewall: Greatfire.org and the Chinese mirror site of the New York Times.

In my view, GitHub is the exception that proves the rule. But beyond that case, following the shift in U.S. strategic thinking, it is hard to see what exactly would be deemed as acceptable behavior.

This article was first published by Lawfare

An Outcome-Based Analysis of U.S. Cyber Strategy of Persistence & Defend Forward

By Max Smeets and Herb Lin

The new U.S. Cyber Command (USCYBERCOM) vision and the Department of Defense Cyber Strategy embody a fundamental reorientation in strategic thinking.

With the publication of these documents, as well as the 2017 National Security Strategy and the 2018 National Defense Strategy, there is a general conception among experts that the U.S. has, for the first time, articulated a strategy that truly appreciates the unique “symptoms” of cyberspace. The documents recognize that there is a new structural set of dynamics associated with the new domain of cyberspace that has incentivized a new approach to power competition—in particular, that hostile or adversarial behavior below the threshold of armed attack could nevertheless be strategically meaningful (that is, change the balance of power).

Yet most cyber experts have also argued that the ‘medicine’ prescribed by the Defense Department and USCYBERCOM should be further scrutinized. Indeed, the side effects of the strategy of “persistent engagement” and “defend forward” are still ill understood. As we have argued elsewhere, a United States that is more powerful in cyberspace does not necessarily mean one that is more stable or secure. More research is required to better understand adversarial adaptive capacity and escalation dynamics.

We should note that the Department of Defense lexicon has not yet provided a formal definition of “defending forward.” We suspect the formal definition that is ultimately adopted will be similar to the earlier concept of “counter cyber,” though with an emphasis on adversarial cyber campaigns (instead of ‘activities’): “A mission that integrates offensive and defensive operations to attain and maintain a desired degree of cyberspace superiority. Counter-cyber missions are designed to disrupt, negate, and/or destroy adversarial cyberspace activities and capabilities, both before and after their employment.”

Scholarship to date has mainly pointed out that this new U.S. strategic thinking could be escalatory, but it has not sought to spell out the specific causal mechanisms and scenarios as to how the consequences of the strategic shift may unfold.

In a forthcoming article, part of an edited volume on offensive cyber operations published by the Brookings Institution (entitled “Bytes, Bombs, and Spies: Strategic Dimensions of Offensive Cyber Operations”), we systematically address some of these conflict outcomes. Specifically, we consider the four general outcomes possible over time with two outcome variables: a more (or less) powerful U.S. and a more (or less) stable cyberspace.

                          U.S. power relative to adversaries
                          More                              Less

Stability   More          More powerful & more stability   Less powerful & more stability

            Less          More powerful & less stability   Less powerful & less stability

The Optimal Outcome

From the U.S. standpoint, the optimal outcome is a United States that is more powerful in cyberspace along with a more stable cyberspace. Indeed, from the U.S. standpoint, the former will lead to the latter. A more stable cyberspace will involve norms of acceptable behavior, less conflict and so on.

One path towards this rosy outcome is that the strategy does what it is said to do: creates significant friction and makes it hard for adversaries to operate effectively. Adversaries realize that the U.S. strategy of persistent engagement makes it more difficult to conduct various offensive cyber operations, and they have no strong incentives to escalate, as escalation may trigger a U.S. response in the conventional domain. USCYBERCOM has the advantage from the beginning.

Some argued at the first USCYBERCOM symposium that persistent engagement may first lead to a worsening situation before it gets better. This outcome is possible under one of two conditions. First, USCYBERCOM could initially be unable to seize the initiative from a capacity perspective, but become increasingly better at it in the future. This may well be true: USCYBERCOM is still continuing to develop its cyber capacity. Even though the Cyber Mission Force (CMF) has achieved full operational capability, it will take time for the new workforce to operate capably and ensure the effective coordination of all units.

The second condition is that other actors could increase their hostile cyber activity in the short term, but become less hostile in the long run. This condition is much less likely to be true: Other actors are likely to adapt to U.S. activities over time rather than to reduce their own activities, and the expected number of actors with hostile intent in this space is likely to increase over time. For example, FireEye recently reported on the “rise of the rest,” arguing that the world has seen a growing number of advanced persistent threat (APT) groups attributed to countries other than Russia or China.

Another more powerful and more stable situation analyzed in the paper could—perhaps paradoxically—be described as “deterrence through a strategy of persistence.” In this particular outcome, the main threat actors are initially cautious to act, following the release of the new U.S. strategy. However, this is unlikely: Other actors will probably not exhibit caution to see which way the wind blows before acting. An excerpt from Lt. Gen. Nakasone’s nomination hearing to serve as director of the NSA is telling:

Sen. Sullivan: They [our adversaries] don’t fear us.

Gen. Nakasone: They don’t fear us.

Sen. Sullivan: So, is that good?

Gen. Nakasone: It is not good, Senator.

As a follow-up to Sen. Dan Sullivan’s question, Sen. Ben Sasse asked: “Is there any response from the United States Government that’s sufficient to change the Chinese behavior?… Do you think there’s any reason the Chinese should be worried about U.S. response at the present?” Lt. Gen. Nakasone responded: “Again, I think that our adversaries have not seen our response in sufficient detail to change their behavior.” In line with this notion, it is unlikely that the publication of the strategies alone will be sufficiently threatening to lead to this optimal outcome.

Less Optimal Outcomes

One path towards escalation involves adversaries becoming more aggressive and conducting attacks that are highly disruptive to society—in other words, adversary activity leads to a less stable cyberspace. This could be the result of either an adversary’s increased willingness to conduct attacks using existing capacities or increased capacities of the adversary. Indeed, with respect to the latter, the U.S. vision—and associated changed course of action—may encourage other actors to grow their budgets to conduct offensive cyber operations. The proliferation literature on weapons of mass destruction has extensively covered the role of special interests in stimulating demand for weapon development. This makes it a strong possibility that the new U.S. vision can be used by those groups within a given country favoring a growing cyber command to justify and lobby for increased military spending.

A second possibility is that increased U.S. offensive cyber activity that operates below the threshold of armed attack reduces the value of cyber norms of behavior that support a more stable cyberspace. Even today, some observers believe that the high level of offensive activity in cyberspace demonstrates quite forcefully that nations find value in conducting such activity, and that such activity points to the difficulty of establishing a more peaceful cyber norms regime. These observers argue that there is no reason to expect that increasing the U.S. contribution to such activity worldwide will make it easier to establish such a regime. Finally, a third possibility is that increased U.S. offensive cyber activity will complicate diplomatic relations with allies and other nations whose cyber infrastructures are used in support of such activity.

Increased aggressiveness by adversaries could also result from growing incentives to conduct offensive cyber operations of a highly disruptive nature. In this case, heightened aggressiveness might be a symptom of the U.S. strategy actually being effective in making the U.S. more powerful. Consider, for example, the current war against the Islamic State: losing territory and grip in the Middle East, the terrorist organization is said to be keen to recruit followers in Europe and other places in the world to conduct attacks outside of Iraq and Syria. These attempted mass killings are a way to show that the group still needs to be feared and potentially to help recruiting—but they do not change the balance of power in the region. Actors in cyberspace might become more noisy and aggressive purely to increase friction, gain attention and so on—and perhaps also to influence international public opinion in ways that drive the United States toward changing its strategy.

Finally, worst-case outcomes—that is, a United States that is less powerful in cyberspace along with a less stable cyberspace—could stem from a multitude of sources. One possibility is that the United States could overplay its hand in terms of cyber capabilities. USCYBERCOM is operating in a space in which it has to seize the initiative against a large and ever-growing number of actors. The dangers of fighting on multiple fronts—even for the most capable actors—are well known from conventional warfare. As the number of potential cyber “fronts” is much higher compared to conventional warfare, the risks of overextension have become much higher as well. The Defense Department vision’s explicit focus on Russia and China, following the USCYBERCOM vision’s silence on the issue of priorities, makes us less concerned about this scenario—though it is still a possibility.

Final Word

After initial, prompt analysis of the strategies from the scholarly community, the country now needs systematic research on how persistent engagement and defend forward may play out. We believe that outcome-based analysis is one desired form of research which could be expanded. (One important limitation of our analysis is that we do not pay sufficient attention to the risks of the U.S. not changing its course of action.)

Other research in this field would be helpful as well—consider case study analyses. Russia conducts very different cyber campaigns to affect U.S. sources of power than does China, and defend forward will thus look very different in both cases. But how the U.S. should defend forward for each specific case, in order to optimize power gains and reduce escalation, has not yet been addressed. This work is needed.

Also, the question is not just how adversaries will respond to the change in U.S. strategy. It is equally important to analyze the behavior of allies. With the implementation of this strategy, will allies follow? Or will they stick to the general deterrence-type strategies?

The bottom line? More research is needed—let’s get to it.

This article was first published by Lawfare

  • Corrected Defense forward –> Defend forward

Offensive Cyber Capabilities: To What Ends?

Here’s the abstract of the paper I wrote with Herb Lin for Cycon X:

There is a growing interest in the use of offensive cyber capabilities (OCC) among states. Despite the growing interest in these capabilities, still little is known about the nature of OCC as a tool of the state. This research therefore aims to understand if (and how) offensive cyber capabilities have the potential to change the role of military power. Drawing on a wide range of cases, we argue that these capabilities can alter the manner in which states use their military power strategically in at least four ways. OCC are not particularly effective in deterring adversary military action, except when threatened to be used by states with a credible reputation. However, they do have value in compellence. Unlike conventional capabilities, the effects of offensive cyber operations do not necessarily have to be exposed publicly, which means the compelled party can back down post-action without losing face, thus de-escalating conflict. The potential of the attacker to control the reversibility of an OCC’s effect may also encourage compliance. OCC also contribute to the use of force for defensive purposes, as they could provide both a preemptive as well as a preventive strike option. Finally, their symbolic value as a ‘prestige weapon’ to enhance ‘swaggering’ remains unclear, due to their largely non-material ontology and transitory nature.

Read the full paper here: https://ccdcoe.org/sites/default/files/multimedia/pdf/Art%2003%20Offensive%20Cyber%20Capabilities.%20To%20What%20Ends.pdf


What Is Absent From the U.S. Cyber Command ‘Vision’

Written together with Herb Lin.

United States Cyber Command recently released a new “command vision” entitled “Achieve and Maintain Cyberspace Superiority.” The document seeks to provide: “a roadmap for USCYBERCOM to achieve and maintain superiority in cyberspace as we direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national interests in collaboration with domestic and foreign partners.”

Taken as a whole, the document emphasizes continual and persistent engagement against malicious cyberspace actors. One could summarize the new U.S. vision using Muhammad Ali’s famous phrase: “Float like a butterfly, sting like a bee.” Cyber Command aims to move swiftly to dodge opponents’ blows while simultaneously creating and recognizing openings to strike.

Cyber Command’s new vision is noteworthy in many ways. Richard Harknett’s March Lawfare post provides more context on “what it entails and how it matters.”

The emergence of this new vision—coinciding with a new administration—recognizes that previous strategies for confronting adversaries in cyberspace have been less than successful:

[A]dversaries direct continuous operations and activities against our allies and us in campaigns short of open warfare to achieve competitive advantage and impair US interests. … Our adversaries have exploited the velocity and volume of data and events in cyberspace to make the domain more hostile. They have raised the stakes for our nation and allies. In order to improve security and stability, we need a new approach.

Another key realization is that activities in cyberspace that do not rise to the level of armed conflict (as traditionally understood in international law) may nevertheless have strategically significant effects:

The spread of technology and communications has enabled new means of influence and coercion. Adversaries continuously operate against us below the threshold of armed conflict. In this “new normal,” our adversaries are extending their influence without resorting to physical aggression. They provoke and intimidate our citizens and enterprises without fear of legal or military consequences. They understand the constraints under which the United States chooses to operate in cyberspace, including our traditionally high threshold for response to adversary activity. They use this insight to exploit our dependencies and vulnerabilities in cyberspace and use our systems, processes, and values against us to weaken our democratic institutions and gain economic, diplomatic, and military advantages.

Although the document never says so explicitly, it clearly contemplates Cyber Command conducting many cyber activities below the threshold of armed conflict as well.

At the same time, the vision is silent on a number of important points—after all, it is a short, high-level document. In this piece, we have highlighted some of these gaps to identify critical stumbling blocks and necessary areas of research. We categorized our comments below following the basic building blocks of any good strategy: ends, ways and means.

Ends

First, Cyber Command’s objective to “gain strategic advantage” seems obviously desirable. Yet, the vision doesn’t address what that actually means and how much it will cost. Based on Harknett and Fischerkeller’s article, strategic advantage can be interpreted as changing the distribution of power in favor of the United States. (This is in line with the observation made at the start of Harknett’s Lawfare piece: The cyber activity of adversaries that takes place below the threshold of war is slowly degrading U.S. power toward rising challengers—both state and non-state actors.)

But Cyber Command needs to be clear about the consequences of seeking this objective: A United States that is more powerful in cyberspace does not necessarily mean that it is more secure. The best-case scenario following the vision is that the United States achieves the end it desires and dramatically improves the (general or cyber) distribution of power—that is, it achieves superiority through persistence.

Yet, it remains unclear what will be sacrificed in pursuit of this optimal outcome. Some argued at Cyber Command’s first symposium that strategic persistence may first worsen the situation before improving it. This presumes that goals will converge in the future; superiority in cyberspace will in the long run also lead to a more stable environment, less conflict, norms of acceptable behavior, and so on. If this win-win situation is really the intended outcome, Cyber Command needs to provide the basis for its logic in coming to this conclusion—potentially through describing scenarios and variables that lead to future change. Also helpful would be an explanation of the timeframe in which we can expect these changes.

After all, one could equally argue that a strategy of superiority through persistence comes with a set of ill-understood escalation risks about which the vision is silent (Jason Healey has made a similar point). Indeed, it is noteworthy that neither “escalate” nor “escalation” appears in the document. Fears of escalation have accounted for much of the lack of forceful response to malicious cyber activities in the past, and it can be argued that such fears have carried too much weight with policy makers—but ignoring escalation risks entirely does not seem sensible either.

Furthermore, high-end conflict is still an issue. True, the major security issue in cyberspace today is the possibility of death by a thousand cuts, and failure to respond to that issue will over time have strongly negative consequences. But this should not blind us to the fact that serious, high-profile cyber conflict remains possible, perhaps in conjunction with kinetic conflict as well. One consequence of the post-9/11 security environment has been that in emphasizing the global war on terror, the U.S. military allowed its capabilities for engaging with near-peer adversaries to atrophy. We are on a course to rebuild those capabilities today, but we should not make a similar mistake by neglecting high-end cyber threats that may have significant consequences.

Ways

The way Cyber Command aims to accomplish its goals, as noted above, is to seize the initiative, retain momentum and disrupt adversaries’ freedom of action.

Given the low signal-to-noise ratio of policy discussions about cyber deterrence over the past several years, it is reasonable and understandable that the vision tries to shift the focus of cyber strategy toward an approach that is more closely matched to the realities of today. But in being silent about deterrence, it goes too far and implies that concepts of cyber deterrence have no relevance at all to U.S. cyber policy. At the very least, some form of deterrence is still needed to address low-probability cyber threats of high consequence.

The vision acknowledges the importance of increasing the resilience of U.S. cyber assets in order to sustain strategic advantage. But the only words in the document about doing so say that Cyber Command will share “intelligence and operational leads with partners in law enforcement, homeland security (at the federal and state levels), and the Intelligence Community.” Greater U.S. cyber asset resilience will enhance our ability to bring the cyber fight to adversaries by reducing their benefits from escalating in response. And yet, the coupling between cyber defense and offense goes unmentioned.

The vision correctly notes that “cyberspace threats … transcend geographic boundaries and are usually trans-regional in nature.” It also notes “our scrupulous regard for civil liberties and privacy.” But U.S. guarantees of civil liberties and privacy are grounded in U.S. citizenship or presence on U.S. soil. If cyber adversaries transcend geographic boundaries, how will Cyber Command engage foreign adversaries who operate on U.S. soil? The vision document is silent on this point.

Means

Of the strategy’s three dimensions, Cyber Command’s new vision is least explicit about the means required to enable and execute strategic persistence.

However, a better understanding of the available means is essential if we want to know how much the U.S. will go on the offense based on this new strategy. In theory, a strategy of persistence could be the most defensive strategy out there. Think about how Muhammad Ali famously dodged punches from his opponents: the other guy in the ring desperately punches, but Ali has the upper hand and wears him out; he mentally dominates his opponent. A strategy of persistence could also be the most aggressive one. Muhammad Ali would also punch his opponents repeatedly, leaving them no opportunity to go on the offense—and sometimes knocking them out.

While the command vision has remained silent on available means, others seem to be moving in this direction and offering some examples. In a recent Foreign Affairs article, Michael Sulmeyer argues that the U.S. should ‘hack the hacker’: “It is time to target capabilities, not calculations. […] Such a campaign would aim to make every aspect of hacking much harder: because hackers often reuse computers, accounts, and infrastructure, targeting these would sabotage their capabilities or render them otherwise useless.” Such activities would indeed increase the friction that adversaries encounter while conducting hostile cyber activities against the United States—but whether that approach will result in persistent strategic advantage remains to be seen.

Also, Muhammad Ali boxed differently against different opponents—especially if he was up against taller boxers. Analogously, there might not be a one-size-fits-all solution when it comes to strategic persistence in the cyber domain. The means used to gain superiority against ISIS aren’t the same as those that are effective against China. Future research will have to list them and parse out the value of different approaches.

What Muhammad Ali was most famous for—and what remained constant throughout all of his matches—was his amazing speed. The new vision shows that Cyber Command is well aware of the importance of speed. Operational speed and agility (each mentioned four times in the vision and central to the vision’s fourth imperative) will manifest differently against different opponents; moreover, significant government reorganization will be required to increase operational speed and agility. We should, however, watch out that these concepts do not become meaningless buzzwords: An article on the meaning of an agile cyber command would be a welcome contribution to the field.

Prioritizing

Muhammad Ali boxed 61 matches as a professional. He would not have won 56 of those fights if he had fought all of his opponents at the same time. Cyber Command is operating in a space in which it has to seize the initiative against a large and ever-growing number of actors. In seeking to engage on so many levels against so many actors, prioritization (as discussed in the strategy) will become a top issue when implementing this new vision.

What’s not in the strategy is as important as what is. Having said that, a short 12-page document cannot be expected to address all important issues. So the gaps described above should be taken as a sampling of issues that will need to be addressed as the vision is implemented.

This article was first published on Lawfare

US Cyber Command: An Assiduous Actor, Not a Warmongering Bully

Jason Healey recently posted an interesting piece on The Cipher Brief, “US Cyber Command: When faced with a bully…hit him harder.” Healey writes: “Cyber Command’s new strategy demands that, ‘We must not cede cyberspace superiority.’ The goal is ‘superiority’ through ‘persistent, integrated operations [to] demonstrate our resolve’ even at ‘below the threshold of armed conflict.’ … Despite being the right move, however, it is also an incredibly risky one.”

I largely agree with Healey’s account of the first U.S. Cyber Command Symposium. As the United States is moving away from a strategy of deterrence to a strategy of persistence, it has to be careful that it is not creating the opposite effect of what it intends to do.

Indeed, one concern that could be raised is that this new strategy might be dangerously escalatory. The statement was made that, “It might get worse, before it gets better.” When do we reach the tipping point, if there is one? And how can we know? Cyber Command’s view is that it has learned over time through observation, and believes that their strategy will lead to stabilization. This needs to be scrutinized and studied.

Yet, my takeaway from the U.S. Cyber Command symposium is also different from Healey’s in several important ways: I didn’t sense the same level of emotion and warmongering from the speakers and panelists as Healey does.

U.S. Cyber Command does not ask for “looser rules of engagement,” as per Healey – it asks for ‘closer organizational integration’ and a better understanding of the ‘box’ in which it is allowed to operate. Healey suggests that “The gold medal will go to the nation prepared to be the most ruthless and audacious.” U.S. Cyber Command rather argued that advantage lies in the initiative. (Indeed, as someone noted at the event, “In cyberspace, it is not the big that eat the small; it is the fast that eat the slow.”)

“Seizing the initiative” – a phrase frequently used at the conference – is not about “hitting back harder” as Healey writes. Instead, it is as much about prevention and control as it is about post-action. And I didn’t hear them talking about “lethality” nor about “revenge.”

As Henry Kissinger observed in World Order: “Internet technology has outstripped strategy or doctrine – at least for the time being. In the new era, capabilities exist for which there is as yet no common interpretation – or even understanding. Few if any limits exist among those wielding them to define either explicit or tacit restraints.” For any country, it requires significant efforts to articulate a strategy, align interests and coordinate around these new capabilities.

A more positive account of the U.S. Cyber Command is that the organization is continuing to explore new approaches to ‘maneuver’ in this new ‘domain of warfare.’ In doing so, it is willing to also open up to a broader community – as this inaugural annual symposium indicates – and talk about how to interpret and understand the explicit and tacit restraints of wielding these capabilities.

Another way to describe the Command’s new efforts is that it intends to be assiduous in this new domain of warfare: In an environment of constant contact, it aims to constantly (or ‘persistently’ as conference speakers would say) engage with the adversary – both defensively and offensively, if these can be separated in this domain – whilst doing so in a planned, diligent manner.

Finally, there were several other interesting takeaways from this event which deserve attention.

First, more insight was provided on the current progress within the organization. The goal of Cyber Command is to have 133 operational units. Officials revealed that they currently have 128.

Second, ‘agile’ was indeed a widely used buzzword, almost seen as a panacea against all organizational problems. For example, it was said by one of the speakers, “We need to combine maintenance and maneuver. Agile is the solution.” Yet, its meaning in this context remains vague.

Third, while former U.S. Secretary of Defense Ash Carter recently expressed his disappointment at the U.S. military’s failure to integrate cyberattacks into its war-fighting against ISIS, U.S. Cyber Command provided, unsurprisingly, a more positive account at the conference. This was repeated in the Senate testimony of Adm. Mike Rogers, director of the NSA and commander of U.S. Cyber Command: “Today, ISIS’s so-called ‘Caliphate’ is crumbling….Cyberspace operations played an important role in this campaign, with USCYBERCOM supporting the successful offensive by U.S. Central Command, U.S. Special Operations Command, and our Coalition partners.”

This article was first published by The Cipher Brief

Dutch Hacking: The Rise of a New Cyber Power?

The world opened its eyes to a new cyber power. Last month, Dutch reporters from Nieuwsuur and de Volkskrant revealed that in mid-2014 the Dutch Joint Sigint Cyber Unit (JSCU) infiltrated the computer networks of the infamous Russian hacker group “Cozy Bear.”

By sharing information with their U.S. counterparts, JSCU helped oust the Russian government-linked group thought to be responsible for the Democratic National Committee breach during the 2016 U.S. presidential campaign.

Hacking by its very nature is a secretive business. Although numerous states reportedly are interested in the development of offensive cyber-capabilities, we typically hear about only a small set of state actors conducting operations. The public disclosure of Dutch intelligence success — based on leaked information — has important signaling effects, both internationally and domestically. And it bumps the Netherlands high in the world pecking order of offensive cyber-capability.

There’s a paradox about signaling offensive cyber-capability

It is difficult for an actor to prove its offensive cyber-capability without playing its hand — and losing this advantage. This is in part because cyber-capabilities are difficult to showcase — other than waving your hand with a USB stick containing malicious code. As strategic studies scholar Thomas Rid notes, “You can’t parade a code on the streets of Moscow.”

My research on the transitory nature of cyberweapons also explains that once a country’s cyber-capability is exposed, the adversary can often relatively easily adapt its systems to avert intrusion. Revelations about a country’s cyber-capability after the fact are therefore essential to gauge an actor’s ability to conduct cyber-operations.

These factors create a number of paradoxical dynamics. The release of classified NSA documents by Edward Snowden was perhaps the most embarrassing episode in the history of the intelligence agency. Yet the Snowden disclosures also exposed the U.S. government’s impressive arsenal, including at least 231 offensive cyber-operations in 2011. As RAND Corporation scholars David Gompert and Martin Libicki point out, the leaks ironically “broadcast how deeply the NSA can supposedly burrow into the systems of others.”

After Kaspersky Lab, a Russian anti-virus company, reported in 2014 on the espionage platform “Animal Farm,” many analysts believed the French government to be behind the sophisticated intel capabilities embedded in the malware. The French government initially denied any role.

During a lecture in mid-2016, however, Bernard Barbier, the former technical head of France’s external intelligence agency, admitted his agency had developed the malware. Security blogger Bruce Schneier points out Barbier “talked about a lot of things he probably shouldn’t have.” But for France, this post-hoc confirmation of capabilities likely enhanced the government’s reputation in this new area of conflict.

A well-placed leak — or just lucky timing?

It remains unclear whether the signaling was intentional in the Dutch case. Access to the computer networks of Cozy Bear was already lost — perhaps because the Russians were alerted after earlier Washington Post revelations. And the Dutch government may see a diplomatic backlash from the Trump administration as the intelligence helps the FBI investigation — similar to what some say happened to Australia after officials passed information about Trump’s possible campaign links to Moscow, triggering the initial Russia inquiry.

There were certainly gains at home from this type of signaling. Last Friday, Dutch Prime Minister Mark Rutte didn’t go into any detail about the case but told members of the media he was “immensely proud” of the intelligence unit’s success. And Rutte used the occasion to stress the importance of a controversial Dutch intelligence law from June 2017 that would allow the government to conduct large-scale, untargeted tapping of Internet traffic. Even though it is certain the law will come into effect on May 1, critics were able to enforce a national “advisory referendum” on the issue this March. With the government under pressure, the achievement of the Dutch intelligence apparatus is a very welcome PR success.

What’s next for the Netherlands?

As of now, Dutch cyber-capability has yet to produce a major military activity. It remains to be seen just how the JSCU, a relatively small unit, is organized within the General Intelligence and Security Service and the Military Intelligence and Security Service.

The two Dutch reporters who broke the case mistakenly wrote that JSCU has the authority to conduct computer network attacks. This is not the case; the JSCU cannot “disrupt, deny, degrade, or destroy.” It can, however, conduct computer network exploitation — that is, espionage.

Of course, network exploitation and network attacks can be quite similar. As former NSA and CIA director Michael Hayden states in his book, “Playing the Edge”: “Reconnaissance should come first in the cyber-domain. … How else would you know what to hit, how, when — without collateral damage?”

At the moment, it remains unclear to what degree the JSCU capabilities support the maturation of the Dutch military cyber-command — which does have full authority to attack computer networks. Although organizational integration and coordination between network espionage and network attacks may be beneficial — increasing the opportunity for knowledge transfer and more efficient allocation of resources — my research on organizational integration indicates it is not a given within any government.

In the U.S. government, for instance, NSA and U.S. Cyber Command have numerous coordination problems. Not least among them is the fact that the NSA is not always willing to share capabilities with the military as it increases the risk that its espionage efforts — exploiting the same vulnerabilities and following similar coding procedures — also are exposed. Dutch cyber-capabilities historically reside in the intelligence community, as well. It would be hardly surprising if the Dutch government is dealing with similar organizational problems.

Finally, (cyber) power comes with a price. Russian hackers — and other actors — may now see the Dutch intelligence services as a more interesting target. Russia may retaliate accordingly — and publicly — against the Dutch to signal mutual vulnerability. At least the Dutch government seems to have taken precautions, choosing to tabulate election results by hand earlier this year.

This article is an edited version of my op-ed published by the Washington Post, The Monkey Cage

Why We Are Unconvinced NATO’s Cyber Policy Is More Aggressive, and That’s a Good Thing

Written together with Daniel Moore.

Retired U.S. Air Force Colonel Rizwan Ali, who helped to establish NATO’s cyber program, makes the case in a recent article in Foreign Policy that NATO has “embraced” a more “aggressive” stance with respect to “the use of cyber weaponry” when it recently established a Cyber Operations Center. The article provides valuable policy insights and highlights an important set of issues which have frequently been overlooked, including international cooperation on cyber capabilities and the (evolving) role of NATO in the cyber domain. It may also help to signal to a broad audience that NATO takes the ‘cyber domain’ seriously.

Yet, we are critical of his remarks and would like to pose two basic questions. First, should NATO want to be aggressive? Second, does the operations center truly mark a radical shift in policy?

First, an individual state or alliance may resort to the use of military force to pursue a range of objectives, such as defending a territory, deterring an adversary, or compelling a rival to do something. To do so, states try to be predictable in their actions or to signal their credibility to follow through on a threat. All of these things are hard to do in cyberspace, making it prone to conflict and escalation. For example, states have a hard time assessing each other’s relative strength and capabilities, increasing the likelihood that offensive actions on either side could spiral out of control. As Ben Buchanan’s The Cybersecurity Dilemma shows, even routine intelligence operations can be misinterpreted as aggressive intent.

Second, (luckily) there is also little evidence to suggest that NATO has become more aggressive. It’s worth citing Secretary General Stoltenberg’s briefing following the Defense Ministers meeting held in November, which Col. Ali refers to, at length here:

Finally, we discussed ways to strengthen our cyber defense. We must be as effective in the cyber domain as we are on land, at sea, and in the air, with real-time understanding of the threats we face and the ability to respond however and whenever we choose. Today, ministers agreed on the creation of a new Cyber Operations Centre as part of the outline design for the adapted NATO Command Structure. This will strengthen our cyber defenses, and help integrate cyber into NATO planning and operations at all levels. We also agreed that we will be able to integrate Allies’ national capabilities into NATO missions and operations, while nations maintain full ownership of those capabilities, just as Allies own the tanks, the ships and aircraft in NATO missions. NATO is a defensive alliance, whose actions are always subject to strict political oversight and always act in accordance with international law.

It might be that the prepared statements poorly reflect what’s happening behind the scenes. Yet, from what’s known, NATO’s initiative to create a new cyber operations center can equally be characterized as a new effort to solve internal integration problems or as a way for NATO to provide a more credible deterrence posture. From this perspective, the new center seems to represent a consolidation of efforts that began with the establishment of the Tallinn-based Cooperative Cyber Defense Centre of Excellence in 2008 and continued with the recognition of cyberspace as an operational domain at the 2016 Warsaw Summit.

Individual NATO member states already have a hard enough time articulating a defense strategy, aligning interests, and developing and coordinating new capabilities among military branches and government departments. Although many states intend to develop cyber weapons, very few actually possess a meaningful capability. Even states that can conduct military cyber operations, like the United States, have faced significant challenges in making them effective.

Between NATO member states, these issues are equally relevant and perhaps even more daunting. Hyping up NATO’s efforts does nothing to promote a better understanding of how states operate in cyberspace, or of how state interactions in cyberspace work.

This article was first published on the Net Politics Blog of the Council on Foreign Relations