
NATO’s Cyber Policy 2002-2019: A very, very brief overview

Over the years, NATO members have presented and rolled out several plans for improving cyber-defense governance. Official commitments made at NATO summits on cyber security have become increasingly granular. One topic that government leaders have long avoided talking about, however, is their own willingness and capacity to conduct military cyber operations.

Times are changing. As one senior official put it at a military cyber conference: “Speaking at NATO about offensive cyber was blasphemy a few years ago. We have advanced”. Last year the Alliance reached a landmark that went largely unnoticed: there are now more member states which have publicly declared they are seeking to establish an offensive cyber capability than there are member states which have remained publicly silent on this issue. In late 2018, it was also announced that at least five countries would contribute national cyber forces to NATO missions and operations.

In the coming days, senior leaders will meet in London for the NATO Summit. Whilst I do not expect cyber policy to be a leading topic on the agenda (after all, there are bigger issues to worry about, and space is now recognized as the newest domain of warfare by NATO), it’s a good opportunity to take stock of NATO’s cyber efforts over the past two decades.

Below I have provided an overview of events between 2002 and 2019, and a reading list which I found particularly useful and relevant when preparing for NATO cyber-related events and workshops.

Period of early awareness 2002-2016

2002 Prague Summit: The first time NATO recognized that the Alliance should “strengthen our capabilities to defend against cyber attacks.”

2008 Bucharest Summit: Adoption of the ‘Policy on Cyber Defense’

The aim is to “protect key information systems in accordance with their respective responsibilities; share best practices; and provide a capability to assist Allied nations, upon request, to counter a cyber attack. We look forward to continuing the development of NATO’s cyber defence capabilities and strengthening the linkages between NATO and national authorities.”

2014 Wales Summit: Discussion of cyber in relation to Article 5

“Cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Their impact could be as harmful to modern societies as a conventional attack. We affirm therefore that cyber defence is part of NATO’s core task of collective defence. A decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.”

Operationalizing cyber as a domain 2016 – 

Warsaw Summit 2016: cyberspace officially recognized as a domain of operations

Brussels Summit 2018: NATO reiterated its commitment to implement the Cyber Defense Pledge and officially announced the establishment of the Cyber Operations Center

Offering ‘Sovereign Cyber Effects’

The latest news I found on this comes from Cyberscoop: “Nine NATO members have signed on to offer their capabilities: the U.S., the UK, The Netherlands, Estonia, Norway, Germany, France, Denmark, and Lithuania”

Laura Brent from NATO has written on this as well (a generally great overview).

For a US perspective, see Trey Herr and Jackie Schneider’s CFR piece.

Cyber Defense Pledge

Each member country pledges, among other things, to “develop the fullest range of capabilities to defend [their] national infrastructures and networks,” and reaffirms the alliance’s commitment to international law in cyberspace.

My view on this Pledge is that it still leaves most strategic questions unanswered. For example, as I asked in a piece with Alex Grigsby: “are information operations part of the Cyber Defense Pledge or is it conveniently bracketed off as something different (possibly part of Finland’s Hybrid Warfare Center)?”

Cyber Operations Center (CYOC)

There is a lot of hype about the CYOC. Retired U.S. Air Force Colonel Rizwan Ali, who helped to establish NATO’s cyber program, makes the case in a recent article in Foreign Policy that NATO has “embraced” a more “aggressive” stance with respect to “the use of cyber weaponry” when it recently established a Cyber Operations Center. Others argue that CYOC is a “big deal.”

The best description of the goal and workings of CYOC is by Don Lewis in War on the Rocks (also read his discussion of NATO’s ‘Roadmap to Implement Cyberspace as a Domain of Operations’):

“The Cyberspace Operations Centre can leverage the strategic staff capabilities of the existing headquarters without having to provide them for itself, which also serves to hasten its development. The center functions as the theater component for cyberspace, just as the geographic commands do for their respective operational domains. The deputy chief of staff for cyberspace is supreme allied commander Europe’s domain advisor for cyberspace. The director of the Cyberspace Operations Centre reports to deputy chief of staff for cyberspace.”

Together with Daniel Moore, I have been critical of CYOC’s “game changing” role. The discussion can be found here. We certainly don’t believe it makes NATO “more aggressive”, and that’s a good thing.

Other NATO programs/institutions:

  • The NATO School in Oberammergau, Germany
  • The NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia
  • The NATO Computer Incident Response Capability (NCIRC) based in SHAPE, Mons
  • The NATO Defence College in Rome, Italy
  • The Trust Fund on Cyber Defence for Ukraine

A useful source for an overview can be found here.

Also, if you have a bit more time, read the excellent RAND report on ‘Operationalizing Cyberspace as a Military Domain’.

*The introduction of this blog post is based on my CyCon 2019 piece ‘NATO Members’ Organizational Path Towards Conducting Offensive Cyber Operations: A Framework for Analysis’.

NATO Allies Need to Come to Terms With Offensive Cyber Operations

In May 2008, the U.S. Department of Defense and the German Ministry of Defence signed a memorandum of understanding concerning “Cooperation on Information Assurance and Computer Network Defense.” Computer network defense (CND) refers to actions taken on computer networks to monitor and protect those networks. It is not the only memorandum the U.S. Department of Defense has signed with allies on cyber defense.

In late 2016, U.S. Cyber Command operators wiped Islamic State propaganda material off a server located in Germany. The German government was notified in some fashion but not asked for advance consent, causing much frustration. While U.S. Cyber Command’s reported action may have violated Germany’s sovereignty, it didn’t explicitly violate the memorandum. It wasn’t an act of CND; it was a computer network attack (CNA), seeking to disrupt, deny, degrade or destroy.

This reveals an uneasy situation within cyber cooperation: Allies do not agree on the appropriate procedures and boundaries for offensive cyber operations. More specifically, there is no agreement on when military cyber organizations can gain access to systems and networks in allied territory to disrupt adversarial activity. As I have argued previously, this issue may end up causing significant loss in allies’ trust and confidence. My proposed solution: NATO allies should establish memoranda of understanding on offensive cyber effects operations in systems or networks based in allied territory.

Objectives of Out-of-Network Operations in Allied Networks

Allied states may operate in each other’s systems or networks in at least three ways: as an observer, gathering intelligence on adversarial activity in others’ networks; as a passerby, transiting through allied systems and networks to access a certain adversarial target; or as a disrupter, seeking to cause friction for an adversary’s operation within an ally’s network or system. The German case discussed above is the only publicly known case of a state acting as a disrupter in an allied network. But we can expect that more of these cases will be publicly disclosed in the future.

It has now been widely discussed that the U.S. Cyber Command has undergone a significant shift in strategic thinking away from deterrence toward persistent engagement and defend forward. Following these recent changes in strategic thinking, U.S. Cyber Command seeks to cause friction “wherever the adversary maneuvers,” operating “globally, continuously and seamlessly.” In a similar vein, NSA director and Cyber Command head Gen. Paul Nakasone writes in an article for Joint Force Quarterly: “We must … maneuver seamlessly across the interconnected battlespace, globally, as close as possible to adversaries and their operations, and continuously shape the battlespace to create operational advantage for us while denying the same to our adversaries.”

While one may expect adversaries to maneuver in allied networks, the U.S. is currently the only NATO state that makes causing friction in allied networks a necessary and explicit component of its strategy. Other military cyber organizations could follow in the near future.

And we already see countries moving in this direction. On Aug. 1, the Communications Security Establishment (CSE) Act came into force in Canada. According to the Canadian government, “CSE could be authorized to proactively stop or impede foreign cyber threats before they damage Canadian systems or information holdings, and conduct online operations to advance national objectives.” The Canadian government does not explicitly talk in its latest strategy about the need to operate “globally, continuously and seamlessly” or to cause friction “wherever the adversary maneuvers.” In that regard, it needs to do more strategic thinking, as other countries do, on the exact role of cyber operations on allied networks in the military context.

But the proposed memorandum of understanding on cyber offense addresses exactly this possibility.

The Goal of the Memorandum of Understanding

The goal of the proposed memorandum is to reduce discord among the allies; enhance trust, transparency and confidence between allies; and improve the effectiveness of disrupting and deterring adversaries’ operations in cyberspace.

The scope of the memorandum should include (a) developing a common notification equity framework for out-of-network operations that seek to achieve cyber effects in allied systems or networks; (b) identifying procedures for communicating the consideration and conduct of offensive cyber effects operations between states against systems or networks in allied territory; and (c) identifying technical solutions and administrative documentation required for the continuous exchange of information on offensive cyber operations.

In writing the memorandum, states first and foremost should agree on the equities involved in permitting signatories to conduct cyber effect operations in each other’s networks—and the relative weight of those equities. Equities that should be considered include (a) the ability of an actor to take action to negate known threats on or to the other parties’ networks and systems; (b) the likelihood that an action will negate known threats; (c) the imminence and scale of the threat; (d) the risk of collateral damage; (e) whether the computer system or network is government owned or privately owned; and (f) the certainty that the system or network will be used to achieve strategic effects by the adversary.

There are three open questions about the memorandum of understanding.

I. Should the Proposed Memorandum Be NATO-Wide or Bilateral?

There are benefits to negotiating a NATO-wide agreement, including ensuring it contributes to the defense of all NATO members’ networks and enhances resilience across the alliance. It could also guard against the potential that persistent engagement and defend forward might be exploited by adversaries, as I argued previously:

Adversaries don’t randomly choose which intermediate nodes to direct their operations through. If Russia has the choice to go through a network that would raise some serious diplomatic friction between the U.S. and a U.S. ally, or operate through a network that would cause no diplomatic friction for the U.S., what would it prefer? It would make sense for adversaries to operate through the networks of exactly those countries with which the U.S. has a strong relationship but that do not want the U.S. to operate within their networks causing any effects.

But there are constraints on a NATO-wide memorandum, too. To start, not all states are equally willing to share intelligence information. A bilateral agreement would make it easier to tailor the notification equity framework to the specific preferences and capabilities of both governments.

II. Can It Be Used as a Public Signaling Device?

The notification equity framework part of the memorandum of understanding can remain classified. Governments might not get it right the first time. As the framework might need tweaking, immediate public disclosure is risky. But a public version, if crafted carefully, can also help to set the parameters of what Michael Fischerkeller and Richard Harknett call “agreed competition.” That is, it can help clarify where adversaries are allowed and not allowed to go within each other’s networks. If we want stability in cyberspace, this is a mechanism by which to achieve it.

III. Should the Memorandum Also Address Cyber Operations Beyond Allied Networks?

A memorandum of understanding narrow in scope—that is, addressing the allies’ conduct of cyber effect operations taking place only in systems or networks in allied territory—would ignore the negative impact on allied intelligence operations and capabilities beyond these systems and networks.

Military cyber organizations are operating in a global environment historically dominated by intelligence agencies, and the Five Eyes has always been the most dominant actor in cyberspace. But the anglophone intelligence alliance is not the only intelligence actor operating across the world. Recent cases—such as the Dutch General Intelligence and Security Service’s infiltration of the Russia-based network of the infamous hacking group Cozy Bear—have illustrated the continued global prevalence and value of allies’ intelligence operations beyond the Five Eyes alliance.

If military cyber organizations increasingly take up the role of “disrupter,” it may negatively impact global intelligence collection of allies—particularly those countries that favor long-term access over immediate effect. It will also more likely uncover and burn allied capabilities.

The risks of this occurring are higher than one may think, as intelligence agencies have a tendency and incentive to target and track the same entities. For example, in late 2014, cybersecurity company Kaspersky Lab reported on the Magnet of Threats. The cybersecurity company discovered a server belonging to a research organization in the Middle East that simultaneously hosted implants for at least five Advanced Persistent Threat (APT) actors: Regin and the Equation Group (English language), Turla and ItaDuke (Russian language), Animal Farm (French language) and Careto (Spanish language). Consider what would have happened if one of those five APT groups had sought to cause a disruptive effect—rather than collect intelligence—against the target in the Middle East. It likely would have resulted in much earlier discovery and analysis by threat intelligence companies (or other actors), exposing the tactics, techniques and procedures (TTPs) of each actor group.

Also, even the anticipation of more cyber effect operations in nonallied networks from one allied state could lead to a change in operations by another state. Indeed, states have shown in the past that the anticipation of early discovery of an operation has led to a change in their TTPs. For example, the National Security Agency (NSA) created an “exploit orchestrator” called FoxAcid, an Internet-enabled system capable of attacking target computers in a variety of different ways, depending on whether it is discovered—or likely to be discovered—in a given network. FoxAcid has a modular design, with flexibility allowing the NSA to swap and replace exploits and run different exploits based on various considerations. Against technically sophisticated targets where the chance of detection is high, FoxAcid would normally choose to run low-value exploits.

Not a Silver Bullet

While I argue that the NATO memorandum of understanding on offensive cyber operations in systems or networks based in allied territory can greatly help in promoting stability and enhancing confidence among allies, it is not a silver bullet. It can only reduce allied concerns rather than mitigate them. Military cyber organizations may still conduct effect-based operations in allied territory without consent, leading allies to assert that their sovereignty has been violated. And there’s another crucial player involved. As Gen. Nakasone noted in the Joint Force Quarterly article, cyberspace is owned largely by the private sector. They deserve a seat at the table as well.

This article was first published by Lawfare

Cyber Command’s Strategy Risks Friction With Allies

Much has been written about the fundamental changes in U.S. cyber strategy. U.S. Cyber Command’s vision of “persistent engagement” and the Department of Defense’s new strategy of “defend forward” have, in particular, led to numerous critical remarks about the risks of escalation between the U.S. and its main adversaries in cyberspace.

These debates are worth continuing, including about what the change in strategy means for establishing norms in cyberspace. But commentators have so far ignored a key dimension: The strategy’s main implications may not reside in how it changes the dynamics between the U.S. and its adversaries but, instead, in how it affects broader alliance relationships, especially beyond the Five Eyes (Australia, Canada, the U.K., the U.S. and New Zealand). U.S. Cyber Command’s mission to cause friction in adversaries’ freedom of maneuver in cyberspace may end up causing significant friction in allies’ trust and confidence—and adversaries may be able to exploit that.

Operating “Seamlessly, Globally, and Continuously”

Cyber Command’s new strategy seeks to operate “seamlessly, globally, and continuously.” It states that “[s]uperiority through persistence seizes and maintains the initiative in cyberspace by continuously engaging and contesting adversaries and causing them uncertainty wherever they maneuver.” According to the strategy document, Cyber Command intends to do this “as close as possible to adversaries and their operations,” connecting persistent engagement to the Pentagon’s principle of “defending forward.”

In an article for Joint Force Quarterly (JFQ), NSA Director and Cyber Command head Gen. Paul Nakasone writes: “We must instead maneuver seamlessly across the interconnected battlespace, globally, as close as possible to adversaries and their operations, and continuously shape the battlespace to create operational advantage for us while denying the same to our adversaries.”

When Nakasone says the U.S. must get “as close as possible to adversaries and their operations,” he implies that the U.S. seeks to achieve effects that are outside of its own networks and beyond the networks of its adversaries. This vast area is not ungoverned space. It includes, for example, routers in Nairobi, servers in Denmark or operating infrastructure in any other country around the world.

Blue Space, Gray Space and Red Space

In the JFQ article, Nakasone also states that “if we are only defending in ‘blue space’ we have failed.” This use of terminology, as well as talk about “operating close to the adversary,” evades one issue: It is unclear whether Cyber Command only seeks to cause friction in “red space” or if it seeks to compete in “gray space” as well. These terms are often confused and not well understood. (The terms “gray zone”—areas where it’s unclear whether the government has legal authority to act—and “gray space” are also frequently confused.) In fact, the issue was raised for “further exploration” at Cyber Command’s 2018 symposium, specifically understanding the “relevance of concepts like area of responsibility and red-blue-gray space to the cyberspace domain.”

Joint Publication 3-12 (JP 3-12) on cyberspace operations, prepared under the direction of the chairman of the Joint Chiefs of Staff, explains the terminology:

The term “blue cyberspace” denotes areas in cyberspace protected by the US, its mission partners, and other areas DOD may be ordered to protect. Although DOD has standing orders to protect only the Department of Defense information network (DODIN), cyberspace forces prepare on order, and when requested by other authorities, to defend or secure other United States Government (USG) or other cyberspace, as well as cyberspace related to critical infrastructure and key resources (CI/KR) of the US and PNs [partner nations]. The term “red cyberspace” refers to those portions of cyberspace owned or controlled by an adversary or enemy. In this case, “controlled” means more than simply “having a presence on,” since threats may have clandestine access to elements of global cyberspace where their presence is undetected and without apparent impact to the operation of the system. Here, controlled means the ability to direct the operations of a link or node of cyberspace, to the exclusion of others. All cyberspace that does not meet the description of either “blue” or “red” is referred to as “gray” cyberspace.

Gray space is defined based on the nodes adversaries control. This means the vast area between U.S. government-owned networks and adversaries is not considered to be gray space. Instead, if for instance the GRU (Russia’s military intelligence agency) controls a node in the Netherlands, it is considered to be red space based on JP 3-12. And it’s worth mentioning that the notion of control is open to interpretation by states.

This means that if Cyber Command seeks to operate only in “red space,” its activities will still have global reach. It also suggests that red space grows as adversaries expand their operational activity. Most importantly, this implies that if Cyber Command seeks to achieve “effects” in gray space, this will involve operating on infrastructure that adversaries do not control—which is to say those systems or networks on which adversaries merely have a presence or are not active at all.

What’s New Under the Sun?

What’s really new here? The United States has long operated in networks “close to the adversary.” As Ben Buchanan’s book, “The Cybersecurity Dilemma,” demonstrates, the U.S. has long acted as an “observer” in gray space, gathering intelligence on adversarial activity in others’ networks. In fact, information has become public concerning a case in which the Five Eyes collected intelligence about an espionage platform (dubbed “Snowglobe” by the Canadian intelligence agency CSEC and “Animal Farm” by Kaspersky Lab) of an allied country, France, likely operating in adversarial networks in the Middle East. In other words, the practice of fourth-party collection is nothing new. And the U.S. has also long acted in foreign nonadversarial networks as a “passerby,” transiting through gray space networks to access an adversarial network.

But the new Cyber Command and Defense Department strategy changes the nature of the U.S. military’s behavior within those systems and networks. Under the new strategy, Cyber Command wants to be an active disrupter on those networks. It wants to achieve effects.

The only known precedent is Cyber Command operators wiping Islamic State propaganda material off a server located in Germany. The German government was notified in some fashion but not asked for advance consent, causing much frustration.

This will likely lead to a systematic scaling up: Cyber Command now also seeks to be an active disrupter on those networks “globally, continuously and seamlessly”—not regionally and sporadically.

The Danger of Operating Seamlessly in Allied Networks

Operating instantly makes sense considering the potential operational tempo of adversaries: You can’t have protracted diplomatic discussions for two months with an ally about whether or not to take down some command and control infrastructure of an adversary hosted in the allied country. You don’t have days, let alone months. As a participant mentioned at the recent Chatham House Rule 2019 Cyber Command Symposium on strategy: “Opportunities within this domain are fleeting.”

Operating seamlessly could also make sense if an ally does not mind the U.S. coming into its networks to address the malicious activity. In this vein, the U.S. can continue to build partnerships with countries that do not have the capacity to defend against cyber attacks on their own.

But, what if an allied country is not keen on having the U.S. military in its networks, actively, seamlessly, and continuously disrupting an adversary’s cyber operations? As the German case shows, this scenario will likely come up a lot more in the near future.

In other words, in seeking to successfully create friction in cyberspace for adversaries, Cyber Command may also seek to act within allied networks, even if the ally does not approve. It might even be successful in its mission, causing friction in adversaries’ operations before they cause serious harm to the U.S. But this strategy runs a real risk of undermining allies’ trust and confidence in ways that are subtle and not easily observable. This ought not to be overlooked, especially since this element may itself be exploited by adversaries.

Adversaries don’t randomly choose which intermediate nodes to direct their operations through. If Russia has the choice to go through a network that would raise some serious diplomatic friction between the U.S. and a U.S. ally, or operate through a network that would cause no diplomatic friction for the U.S., what would it prefer? It would make sense for adversaries to operate through the networks of exactly those countries with which the U.S. has a strong relationship but that do not want the U.S. to operate within their networks causing any effects.

Russia is already good at exploiting divisions between the U.S. and its allies. Cyber Command’s new strategy might give it another avenue to do so.

A Final Word

Bobby Chesney recently offered a brief overview of what is known about the out-of-network operations Cyber Command has conducted, based on reporting from Mark Pomerleau at Fifth Domain. Chesney notes that there is still a lot of uncertainty about what did and did not change in terms of the interagency process and how often Cyber Command seeks to operate outside the Department of Defense Information Network.

I would add that there is also much uncertainty about where Cyber Command currently operates. This dimension, however, is crucially important for understanding the true implications of the United States’s change in cyber strategy. By operating in allied networks, Cyber Command is running the risk of causing the wrong type of friction.

This article was first published by Lawfare

There Are Too Many Red Lines in Cyberspace

U.S. officials increasingly express old frustrations about the lack of standards for appropriate state behavior in cyberspace. As U.S.-China trade tensions soar, cybersecurity firms have reported that China is renewing its cyber-enabled economic espionage efforts against U.S. companies—if they ever ceased. Russia does not seem to be scaling down its cyber-enabled disinformation operations, threatening democracies worldwide. The Trump administration’s withdrawal from the Iran nuclear deal is also reported to have inspired Iranian actors to conduct a new wave of disruptive attacks. Concerns over North Korean hostile cyber activity have not gone away either.

Commentators and lawmakers have described the problem as twofold. First, U.S. government officials fail to set red lines, fearing that doing so would cede freedom to maneuver when responding to cyber operations. But second, whenever red lines are established, the U.S. fails to enforce them.

I believe these are problems of the past. Following the shift in strategic thinking documented in the 2018 Department of Defense Cyber Strategy, the U.S. now increasingly faces a new challenge: There are too many red lines. If there is anywhere in cyberspace that state actors are allowed to compete, it is a very, very small subset of competitive environments. The new challenge is to figure out what adversaries are allowed to do in cyberspace, not what they’re not allowed to do.

The Old View

U.S. government officials have repeatedly warned that a “cyber Pearl Harbor”—an incident that would rise to the level of an armed attack under international law—would not be tolerated. The U.S. also has repeatedly reiterated to the Chinese government that the U.S. views cyber operations to benefit commercial entities as a violation of international norms—resulting in the Obama-Xi cyber agreement in 2015. The Obama administration also marked tampering with polling or registration systems during U.S. elections as a red line, communicated to Russia in the lead-up to the 2016 presidential elections through the hotline connecting the Nuclear Risk Reduction Centers of both countries.

Over the years, U.S. policymakers have been less vocal in condemning other cyber activity, such as probing critical infrastructure. And in some cases they even paid tribute to adversarial cyber activity.

Following the disclosure of the Office of Personnel Management (OPM) breach, which involved the theft of almost 22 million records of government employees, former CIA and NSA Director Michael Hayden said that, even though “this is a tremendously big deal … don’t blame the Chinese for the OPM hack.” Hayden “would not have thought twice” about seizing similar information from the Chinese government if he had the opportunity. In a similar vein, James Clapper, then the director of national intelligence, told a group in Washington after the disclosure, “[Y]ou have to salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we would hesitate for a minute.” No retaliation followed the attack.

The New Approach

When then-Lt. Gen. Paul Nakasone appeared before the Senate Committee on Armed Services to review his nomination to become the director of the NSA and the third commander of U.S. Cyber Command, he spoke out against previous U.S. lack of response against cyberattacks, noting that “the longer that we have inactivity, the longer our adversaries are able to establish their own norms.”

In an article published in Joint Force Quarterly, Nakasone writes about how Cyber Command needs to become what he calls a “persistence force” that “will contest our adversaries’ efforts in cyberspace to harm Americans and American interests. … Over time, a persistence force, operating at scale with U.S. and foreign partners, should raise the costs that our adversaries incur from hacking the United States.”

His article closely follows on from the discussion found in the summary of the 2018 Department of Defense Cyber Strategy and the 2018 Command Vision for U.S. Cyber Command. These documents, as I have previously noted with Herb Lin, embody a fundamental reorientation in strategic thinking.

Cyber Command’s shift toward persistent engagement is based on a different understanding of the threat landscape. The U.S. no longer views many of the cyber operations below the threshold of armed attack as just tactical forms of espionage or subversion or as episodic forms of theft or crime. Instead, these operations are seen as important levers in a new domain of great power competition. Campaigns comprised of linked cyber operations below the threshold of armed attack are still able to achieve strategic outcomes.

Cyber Command seeks to achieve two goals through persistent engagement: 1) achieving “superiority” and improving the balance of power in their favor, and 2) creating a more stable and secure cyberspace. I previously noted with Herb Lin that “a United States that is powerful in cyberspace does not necessarily mean one that is more stable or secure.”

Tacit Agreed Competition

But according to Michael Fischerkeller and Richard Harknett, one way the U.S. can achieve both objectives is through “tacit bargaining” leading to “agreed competition,” as spelled out in two recently published Lawfare articles. They write:

In efforts to arrive at tacit understandings of acceptable and unacceptable behavior in the cyber strategic competitive space, the tasks states face will be a function of the alignment of their national interests with mutual or common interests as manifested in cyberspace. Where those interests converge, we should anticipate states will engage in cyber operations around focal points that communicate shared interests and a willingness to collaborate on ranges of acceptable/unacceptable behavior about those interests. But where those interests are in conflict, states will communicate as much through cyber behaviors seeking to outmaneuver each other to achieve an advantage or at least avoid a disadvantage.

Persistent engagement should ultimately lead to “agreed competition” in cyberspace, they argue. It is a form of norms setting through practice (that is, showing what is appropriate behavior through constant action). The idea is that it leads to “a comprehensive strategic great power competitive space with its own distinct structural features.”

An attack like the one on the OPM would be at the top of the list of operations that Cyber Command deems unacceptable and would not tolerate as a part of this competitive space. It is a prime example of an operation that takes place below the threshold of armed attack but has great strategic impact—especially if it is linked to other operations.

The data stolen by Chinese hackers during the OPM hack included names, dates, places of birth, security background checks, data on intelligence and military personnel, and the fingerprint data of 5.6 million employees. Hackers even accessed the SF-86 security clearance application form, which includes information such as records of drug use, alcohol addiction and financial problems. While the OPM itself contains a great deal of data “perfect for blackmail,” if it is linked with data from other breaches, such as those of Anthem, American Airlines and Marriott, it has even more impact. Together, data from these breaches offer the Chinese government the opportunity to create a comprehensive database of current and former U.S. (intelligence) officials, who they meet, what they earn, where they go and so on.

The Problem

This shift in strategic thinking leads to new challenges for cyber norm setting.

On one hand, the strategy’s central point is that adversaries should not conduct offensive cyber operations against the U.S. that (independently or cumulatively) weaken the United States’s position in the international system. On the other hand, if we assume these adversaries are rational, they seek to conduct only those operations that are strategically advantageous to them (and not merely to cause a nuisance or for fun), including by weakening the United States.
Therefore, the space for agreed competition is very small: Only those operations against the U.S. that do not weaken the United States’s position in the international system but are strategically meaningful to the adversary form part of what Fischerkeller and Harknett call the “competitive space.” In fact, those operations that are potentially strategically consequential—operations for which the current strategic purpose is uncertain but that could be linked to other operations in the future to achieve meaningful effects—are also problematic but are excluded from the space.

The only case that comes to my mind that would meet both criteria is the Chinese government’s attack on GitHub in March 2018. The attack against GitHub was the biggest distributed denial-of-service attack recorded to date. (Hence, some might say it should not be allowed.) But it didn’t have any negative strategic consequences (not in the short nor long term) for the U.S., and it did strategically benefit China’s regime. The hackers attacked a web hosting service based in the United States, but the motivation of this attack was domestic censorship in China. The attack specifically targeted pages for two GitHub users that circumvent China’s firewall: Greatfire.org and the Chinese mirror site of the New York Times.

In my view, GitHub is the exception that proves the rule. But beyond that case, following the shift in U.S. strategic thinking, it is hard to see what exactly would be deemed as acceptable behavior.

This article was first published by Lawfare

US Cyber Command: An Assiduous Actor, Not a Warmongering Bully

Jason Healey recently posted an interesting piece on The Cipher Brief, US Cyber Command: “When faced with a bully…hit him harder.” Healey writes: “Cyber Command’s new strategy demands that, ‘We must not cede cyberspace superiority.’ The goal is ‘superiority’ through ‘persistent, integrated operations [to] demonstrate our resolve’ even at ‘below the threshold of armed conflict.’ … Despite being the right move, however, it is also an incredibly risky one.”

I largely agree with Healey’s account of the first U.S. Cyber Command Symposium. As the United States is moving away from a strategy of deterrence to a strategy of persistence, it has to be careful that it is not creating the opposite effect of what it intends to do.

Indeed, one concern that could be raised is that this new strategy might be dangerously escalatory. The statement was made that, “It might get worse, before it gets better.” When do we reach the tipping point, if there is one? And how can we know? Cyber Command’s view is that it has learned over time through observation, and believes that their strategy will lead to stabilization. This needs to be scrutinized and studied.

Yet my takeaway from the U.S. Cyber Command symposium also differs from Healey’s in several important ways: I didn’t sense the same level of emotion and warmongering from the speakers and panelists as Healey did.

U.S. Cyber Command does not ask for “looser rules of engagement,” as Healey claims; it asks for ‘closer organization integration’ and a better understanding of the ‘box’ in which it is allowed to operate. Healey suggests that “The gold medal will go to the nation prepared to be the most ruthless and audacious.” U.S. Cyber Command rather argued that advantage lies in the initiative. (Indeed, as someone noted at the event, “In cyberspace, it is not the big that eat the small; it is the fast that eat the slow.”)

“Seizing the initiative” – a phrase frequently used at the conference – is not about “hitting back harder” as Healey writes. Instead, it is as much about prevention and control as it is about post-action. And I didn’t hear them talking about “lethality” nor about “revenge.”

As Henry Kissinger observed in World Order: “Internet technology has outstripped strategy or doctrine – at least for the time being. In the new era, capabilities exist for which there is as yet no common interpretation – or even understanding. Few if any limits exist among those wielding them to define either explicit or tacit restraints.” For any country, it requires significant efforts to articulate a strategy, align interests and coordinate around these new capabilities.

A more positive account of the U.S. Cyber Command is that the organization is continuing to explore new approaches to ‘maneuver’ in this new ‘domain of warfare.’ In doing so, it is willing to also open up to a broader community – as this inaugural annual symposium indicates – and talk about how to interpret and understand the explicit and tacit restraints of wielding these capabilities.

Another way to describe the Command’s new efforts is that it intends to be assiduous in this new domain of warfare: In an environment of constant contact, it aims to constantly (or ‘persistently’ as conference speakers would say) engage with the adversary – both defensively and offensively, if these can be separated in this domain – whilst doing so in a planned, diligent manner.

Finally, there were several other interesting takeaways from this event which deserve attention.

First, more insight was provided on the current progress within the organization. The goal of Cyber Command is to have 133 operational units. Officials revealed that they currently have 128.

Second, ‘agile’ was indeed a widely used buzzword, almost seen as a panacea against all organizational problems. For example, it was said by one of the speakers, “We need to combine maintenance and maneuver. Agile is the solution.” Yet, its meaning in this context remains vague.

Third, while former U.S. Secretary of Defense Ash Carter recently expressed his disappointment at the U.S. military’s failure to integrate cyberattacks into its war-fighting against ISIS, U.S. Cyber Command provided, unsurprisingly, a more positive account at the conference. This was repeated in NSA director and Cyber Command commander Adm. Mike Rogers’s Senate testimony: “Today, ISIS’s so-called ‘Caliphate’ is crumbling….Cyberspace operations played an important role in this campaign, with USCYBERCOM supporting the successful offensive by U.S. Central Command, U.S. Special Operations Command, and our Coalition partners.”

This article was first published by The Cipher Brief

Dutch Hacking: The Rise of a New Cyber Power?

The world opened its eyes to a new cyber power. Last month, Dutch reporters from Nieuwsuur and de Volkskrant revealed that in mid-2014 the Dutch Joint Sigint Cyber Unit (JSCU) infiltrated the computer networks of the infamous Russian hacker group “Cozy Bear.”

By sharing information with their U.S. counterparts, JSCU helped oust the Russian government-linked group thought to be responsible for the Democratic National Committee breach during the 2016 U.S. presidential campaign.

Hacking by its very nature is a secretive business. Although numerous states reportedly are interested in the development of offensive cyber-capabilities, we typically hear about only a small set of state actors conducting operations. The public disclosure of Dutch intelligence success — based on leaked information — has important signaling effects, both internationally and domestically. And it bumps the Netherlands high in the world pecking order of offensive cyber-capability.

There’s a paradox about signaling offensive cyber-capability

It is difficult for an actor to prove its offensive cyber-capability without playing its hand — and losing this advantage. This is in part because cyber-capabilities are difficult to showcase — other than waving your hand with a USB stick containing malicious code. As strategic studies scholar Thomas Rid notes, “You can’t parade a code on the streets of Moscow.”

My research on the transitory nature of cyberweapons also explains that once a country’s cyber-capability is exposed, the adversary can often relatively easily adapt its systems to avert intrusion. Revelations about a country’s cyber-capability after the fact are therefore essential to gauge an actor’s ability to conduct cyber-operations.

These factors create a number of paradoxical dynamics. The release of classified NSA documents by Edward Snowden was perhaps the most embarrassing episode in the history of the intelligence agency. Yet the Snowden disclosures also exposed the U.S. government’s impressive arsenal, including at least 231 offensive cyber-operations in 2011. As RAND Corporation scholars David Gompert and Martin Libicki point out, the leaks ironically “broadcast how deeply the NSA can supposedly burrow into the systems of others.”

After Kaspersky Lab, a Russian anti-virus company, reported in 2014 on the espionage platform “Animal Farm,” many analysts believed the French government to be behind the sophisticated intel capabilities embedded in the malware. The French government initially denied any role.

During a lecture in mid-2016, however, Bernard Barbier, the former technical head of France’s external intelligence agency, admitted his agency had developed the malware. Security blogger Bruce Schneier points out Barbier “talked about a lot of things he probably shouldn’t have.” But for France, this post-hoc confirmation of capabilities likely enhanced the government’s reputation in this new area of conflict.

A well-placed leak — or just lucky timing? 

It remains unclear whether the signaling was intentional in the Dutch case. Access to the computer networks of Cozy Bear was already lost — perhaps because the Russians were alerted after earlier Washington Post revelations. And the Dutch government may see a diplomatic backlash from the Trump administration as the intelligence helps the FBI investigation — similar to what some say happened to Australia after officials passed information about Trump’s possible campaign links to Moscow, triggering the initial Russia inquiry.

There were certainly gains at home from this type of signaling. Last Friday, Dutch Prime Minister Mark Rutte didn’t go into any detail about the case but told members of the media he was “immensely proud” of the intelligence unit’s success. And Rutte used the occasion to stress the importance of a controversial Dutch intelligence law from June 2017 that would allow the government to conduct large-scale, untargeted tapping of Internet traffic. Even though it is certain the law will come into effect on May 1, critics were able to enforce a national “advisory referendum” on the issue this March. With the government under pressure, the achievement of the Dutch intelligence apparatus is a very welcome PR success. 

What’s next for the Netherlands?

As of now, Dutch cyber-capability has yet to produce a major military activity. It remains to be seen just how the JSCU, a relatively small unit, is organized within the General Intelligence and Security Service and the Military Intelligence and Security Service.

The two Dutch reporters who broke the case mistakenly wrote that JSCU has the authority to conduct computer network attacks. This is not the case; the JSCU cannot “disrupt, deny, degrade, or destroy.” It can, however, conduct computer network exploitation — that is, espionage.

Of course, network exploitation and network attacks can be quite similar. As former NSA and CIA director Michael Hayden states in his book, “Playing the Edge”: “Reconnaissance should come first in the cyber-domain. … How else would you know what to hit, how, when — without collateral damage?”

At the moment, it remains unclear to what degree the JSCU capabilities support the maturation of the Dutch military cyber-command — which does have full authority to attack computer networks. Although organizational integration and coordination between network espionage and network attacks may be beneficial — increasing the opportunity for knowledge transfer and more efficient allocation of resources — my research on organizational integration indicates it is not a given within any government.

In the U.S. government, for instance, NSA and U.S. Cyber Command have numerous coordination problems. Not least among them is the fact that the NSA is not always willing to share capabilities with the military as it increases the risk that its espionage efforts — exploiting the same vulnerabilities and following similar coding procedures — also are exposed. Dutch cyber-capabilities historically reside in the intelligence community, as well. It would be hardly surprising if the Dutch government is dealing with similar organizational problems.

Finally, (cyber) power comes with a price. Russian hackers — and other actors — may now see the Dutch intelligence services as a more interesting target. Russia may retaliate accordingly — and publicly — against the Dutch to signal mutual vulnerability. At least the Dutch government seems to have taken precautions, choosing to tabulate election results by hand earlier this year.

This article is an edited version of my op-ed published by the Washington Post, The Monkey Cage

Contesting “Cyber”

Here are the links to all the New America blog posts:

Part I: Cyber: not just a confused but also a contested concept.

Part II: The Connotations of “Cyberspace” Shift From Opportunity to Threat

Part III: Substantive vs. implied definitions: Mundane stuff or the Wild West?

Part IV: “Cyber Exceptionalism”

Part V: ARPANET: Where did it all start again?

Part VI: Exit, Voice, and Cyberspace

Contesting “Cyber” – Introduction and Part I

By Max Smeets and James Shires. More info about the series here

Introduction

Over the last few decades there has been a proliferation of the term “cyber”, and commensurate levels of inconsistency. This series argues that the inconsistent application of the prefix “cyber” stems not only from confusion, as some scholars and policymakers have proposed, but also from contest. Our goal in this series is not to resolve conceptual disputes, but instead to understand how and why contests occur, and whether, once the lines along which contests occur are identified, resolution is possible.

As the prefix “cyber” has rarely been used alone, we place the concept of cyberspace at the centre of analysis, for two reasons. First, it is considered to be the “elemental” concept in the field, and demarcates the boundaries of relevant technical and social activity through an intuitive geographical metaphor. Second, selecting the concept “cyberspace” for analysis can be considered a least-likely (or least-obvious) study of contest. The attachment of the prefix “cyber” to various nouns has left cyber-related concepts with a variety of underlying normative connotations. On the one side, some concepts describe a clear activity or state of affairs, which are prima facie undesirable, like “cyber warfare” or “cyber threat”. On the other side, various concepts reflect a more positive degree of attractiveness—“cyber democracy” is a good example of this. The obvious normative aspects of these terms to which the cyber prefix is attached make these likely sites for contest, whereas “cyberspace” is seemingly more neutral. We suggest instead that it is the ominous calm at the heart of the storm, providing an excellent case in which to study the tension regarding the prefix more broadly.

Over the next six days, we will publish a series of blog posts that show that cyberspace is contested in a number of ways: through its change in connotations from opportunity to threat; through the existence of substantive and implied definitions, with different rhetorical functions; and through competing understandings of the key historical exemplar for cyberspace: that of ARPANET. We therefore note that the prospects for agreement regarding cyberspace are low. Overall, this presents the choice of what we term, following Hirschman, an ‘exit’ rather than ‘voice’ strategy: to use other concepts instead. An initial post in this series was published last Friday at Slate’s Future Tense and can be found here.

PART 1. Cyber: not just a confused but also a contested concept.

Since the early 1990s the prefix “cyber” has become widespread. As often noted, its use stretches back to Norbert Wiener’s coinage of “cybernetics” from its Greek equivalent in the 1940s. It is similarly canonical to cite novelist William Gibson as creating the “ur” metaphor for this prefix in the early 1980s by combining it with “space”. Almost three decades later in an interview with The A.V. Club, Gibson argued that “‘cyberspace’ as a term is sort of over. It’s over in the way that after a certain time, people stopped using the prefix ‘-electro’ to make things cool, because everything was electrical. ‘Electro’ was all over the early twentieth century, and now it’s gone. I think ‘cyber’ is sort of the same way”.

In contrast to Gibson’s prediction, a simple automated content analysis using Google Trends indicates that the popularity of the prefix “cyber” has remained stable (with a spike in November each year for “cyber Monday”). There are ever more applications of this prefix, to words such as crime, law, cafe, hate, bullying, attack, war, vandalism, politics, dating, security, and power. Today, more people enter the search term “cyber” into Google than the term “democracy” or “terrorist”. Needless to say, the term “cyber” has also gained in prominence in academia and policymaking.

The proliferation of this prefix has, inevitably, led to substantial inconsistencies in its use. On one level, these contradictions may stem from simple confusion. As Michael Hayden, former director of the CIA and NSA, remarked: “rarely has something been so important and so talked about with less clarity and apparent understanding than this phenomenon.” Scholars and policy-makers, among others, are not always consistent in their own usage of cyber-related concepts, and they sometimes reinterpret the definitions employed by others, especially when given a liberal dose of cross-disciplinary fertilization.

Many hold that such disagreement is primarily caused by the apparently abstruse and multifaceted nature of the phenomenon. For example, in a Foreign Policy article, Stephen Walt notes that “the whole issue is highly esoteric—you really need to know a great deal about computer networks, software, encryption, etc., to know how serious the danger might be,” concluding that “there are lots of different problems being lumped under a single banner, whether the label is ‘cyber-terror’ or ‘cyber-war’.” If this is the case, more research can iron out the lack of clarity surrounding this relatively young concept, and then we can get to the one and only “meaning of the cyber revolution,” as Lucas Kello emphasizes in his recent book (and earlier article). However, in this article series we argue that the inconsistent application of the prefix “cyber” stems not only from confusion, but also from contestation.

In other words, the roots of disagreement are deeper than a mere struggle to absorb the collective knowledge of another discipline, but stem from underlying normative disagreements.

Understanding the nature and extent of this contestation of “cyber” is important for both policy-making and academic research. For policy-makers, the promise of what Joseph Nye Jr. calls “rules of the road” in cyberspace is much diminished if the very domain itself remains in question (also see the UK government strategy). Constructing effective international cyber-governance becomes more difficult—although not impossible—if the scope of what to be governed is fundamentally disputed.

For academics, if the roots of disagreement are deeper, then faith in a unified understanding of the cyber-issue is utopian; and further investigation of why and how broader political disputes are translated into problems with this proliferating prefix is urgently required.

Here we will explore what it means when we talk about cyber, and address the nature of contestation from various angles.

This article was originally posted @NewAmerica