Tag Archives: Cyber command

What Is Absent From the U.S. Cyber Command ‘Vision’

Written together With Herb Lin.

United States Cyber Command recently released a new “command vision” entitled “Achieve and Maintain Cyberspace Superiority.” The document seeks to provide: “a roadmap for USCYBERCOM to achieve and maintain superiority in cyberspace as we direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national interests in collaboration with domestic and foreign partners.”

Taken as a whole, the document emphasizes continual and persistent engagement against malicious cyberspace actors. One could summarize the new U.S. vision using Muhammad Ali’s famous phrase: “Float like a butterfly, sting like a bee.” Cyber Command aims to move swiftly to dodge opponents’ blows while simultaneously creating and recognizing openings to strike.

Cyber Command’s new vision is noteworthy in many ways. Richard Harknett’s March Lawfare post provides more context on “what it entails and how it matters.”

The emergence of this new vision—coinciding with a new administration—recognizes that previous strategies for confronting adversaries in cyberspace have been less than successful:

[A]dversaries direct continuous operations and activities against our allies and us in campaigns short of open warfare to achieve competitive advantage and impair US interests. … Our adversaries have exploited the velocity and volume of data and events in cyberspace to make the domain more hostile. They have raised the stakes for our nation and allies. In order to improve security and stability, we need a new approach.

Another key realization is that activities in cyberspace that do not rise to the level of armed conflict (as traditionally understood in international law) may nevertheless have strategically significant effects:

The spread of technology and communications has enabled new means of influence and coercion. Adversaries continuously operate against us below the threshold of armed conflict. In this “new normal,” our adversaries are extending their influence without resorting to physical aggression. They provoke and intimidate our citizens and enterprises without fear of legal or military consequences. They understand the constraints under which the United States chooses to operate in cyberspace, including our traditionally high threshold for response to adversary activity. They use this insight to exploit our dependencies and vulnerabilities in cyberspace and use our systems, processes, and values against us to weaken our democratic institutions and gain economic, diplomatic, and military advantages.

Although the document never says so explicitly, it clearly contemplates Cyber Command conducting many cyber activities below the threshold of armed conflict as well.

At the same time, the vision is silent on a number of important points—after all, it is a short, high-level document. In this piece, we have highlighted some of these gaps to identify critical stumbling blocks and necessary areas of research. We categorized our comments below following the basic building blocks of any good strategy: ends, ways and means.

Ends

First, Cyber Command’s objective to “gain strategic advantage” seems obviously desirable. Yet, the vision doesn’t address what that actually means and how much it will cost. Based on Harknett and Fischerkeller’s article, strategic advantage can be interpreted as changing the distribution of power in favor of the United States. (This is in line with the observation made at the start of Harknett’s Lawfare piece: The cyber activity of adversaries that takes place below the threshold of war is slowly degrading U.S. power toward rising challengers—both state and non-state actors.)

But Cyber Command needs to be clear about the consequences of seeking this objective: A United States that is more powerful in cyberspace does not necessarily mean that it is more secure. The best-case scenario following the vision is that the United States achieves the end it desires and dramatically improves the (general or cyber) distribution of power—that is, it achieves superiority through persistence.

Yet, it remains unclear what will be sacrificed in pursuit of this optimal outcome. Some argued at Cyber Command’s first symposium that strategic persistence may first worsen the situation before improving it. This presumes that goals will converge in the future; superiority in cyberspace will in the long run also lead to a more stable environment, less conflict, norms of acceptable behavior, and so on. If this win-win situation is really the intended outcome, Cyber Command needs to provide the basis for its logic in coming to this conclusion—potentially through describing scenarios and variables that lead to future change. Also helpful would be an explanation of the timeframe in which we can expect these changes.

After all, one could equally argue that a strategy of superiority through persistence comes with a set of ill-understood escalation risks about which the vision is silent (Jason Healey has made a similar point). Indeed, it is noteworthy that neither “escalate” or “escalation” appear in the document. Fears of escalation have accounted for much of the lack of forceful response to malicious cyber activities in the past, and it can be argued that such fears have carried too much weight with policy makers—but ignoring escalation risks entirely does not seem sensible either.

Furthermore, high-end conflict is still an issue. True, the major security issue in cyberspace today is the possibility of death by a thousand cuts, and failure to respond to that issue will over time have strongly negative consequences. But this should not blind us to the fact that serious, high-profile cyber conflict remains possible, perhaps in conjunction with kinetic conflict as well. One consequence of the post-9/11 security environment has been that in emphasizing the global war on terror, the U.S. military allowed its capabilities for engaging with near-peer adversaries to atrophy. We are on a course to rebuild those capabilities today, but we should not make a similar mistake by neglecting high-end cyber threats that may have significant consequences.

Ways

The way Cyber Command aims to accomplish its goals, as noted above, is to seize the initiative, retain momentum and disrupt adversaries’ freedom of action.

Given the low signal-to-noise ratio of policy discussions about cyber deterrence over the past several years, it is reasonable and understandable that the vision tries to shift the focus of cyber strategy toward an approach that is more closely matched to the realities of today. But in being silent about deterrence, it goes too far and implies that concepts of cyber deterrence have no relevance at all to U.S. cyber policy. At the very least, some form of deterrence is still needed to address low-probability cyber threats of high consequence.

The vision acknowledges the importance of increasing the resilience of U.S. cyber assets in order to sustain strategic advantage. But the only words in the document about doing so say that Cyber Command will share “intelligence and operational leads with partners in law enforcement, homeland security (at the federal and state levels), and the Intelligence Community.” Greater U.S. cyber asset resilience will enhance our ability to bring the cyber fight to adversaries by reducing their benefits from escalating in response. And yet, the coupling between cyber defense and offense goes unmentioned.

The vision correctly notes that “cyberspace threats … transcend geographic boundaries and are usually trans-regional in nature.” It also notes “our scrupulous regard for civil liberties and privacy.” But U.S. guarantees of civil liberties and privacy are grounded in U.S. citizenship or presence on U.S. soil. If cyber adversaries transcend geographic boundaries, how will Cyber Command engage foreign adversaries who operate on U.S. soil? The vision document is silent on this point.

Means

Of the strategy’s three dimensions, Cyber Command’s new vision is least explicit about the means required to enable and execute strategic persistence.

However, a better understanding of the available means is essential if we want to know how much the U.S. will go on the offense based on this new strategy. In theory, a strategy of persistence could be the most defensive strategy out there. Think about how Muhammed Ali famously dodged punches from his opponents: the other guy in the ring desperately punches but Ali has the upper hand and wears him out; he mentally dominates his opponent. A strategy of persistence could also be the most aggressive one. Muhammed Ali would also punch his opponents repeatedly, leaving them no opportunity to go on the offense—and sometimes being knocked out.

While the command vision has remained silent on available means, others seem to be moving into this direction and offering some examples. In a recent Foreign Affairs article, Michael Sulmeyer argues that the U.S. should ‘hack the hacker’: “It is time to target capabilities, not calculations. […] Such a campaign would aim to make every aspect of hacking much harder: because hackers often reuse computers, accounts, and infrastructure, targeting these would sabotage their capabilities or render them otherwise useless.” Such activities would indeed increase the friction that adversaries encounter while conducting hostile cyber activities against the United States—but whether that approach will result in persistent strategic advantage remains to be seen.

Also, Muhammad Ali boxed differently against different opponents—especially if he was up against taller boxers. Analogously, there might not be a one-size-fits-all solution when it comes to strategic persistence in the cyber domain. The means used to gain superiority against ISIS aren’t the same as those that are effective against China. Future research will have to list them and parse out the value of different approaches.

What Muhammad Ali was most famous for—and what remained constant throughout all of his matches—was his amazing speed. The new vision shows that the Cyber Command is well-aware of the importance of speed. Operational speed and agility (each mentioned four times in the vision and central to the vision’s fourth imperative) will manifest differently against different opponents; moreover, significant government reorganization will be required to increase operational speed and agility. We should, however, watch out that these concepts do not become meaningless buzzwords: An article on the meaning of an agile cyber command would be a welcome contribution to the field.

Prioritizing

Muhammad Ali boxed 61 matches as a professional. He would not have won 56 of those fights if he had fought all of his opponents at the same time. The Cyber Command is operating in a space in which it has to seize the initiative against a large and ever-growing number of actors. In seeking to engage on some many levels against so many actors, prioritization (as discussed in the strategy) will become a top issue when implementing this new vision.

What’s not in the strategy is as important as what is. Having said that, a short 12-page document cannot be expected to address all important issues. So the gaps described above should be taken as a sampling of issues that will need to be addressed as the vision is implemented.

This article was first published on Lawfare

When Routine Isn’t Enough: Why Military Cyber Commands Need Human Creativity

Former Secretary of Defense Ashton Carter recently published a report on the campaign to destroy ISIL. Particularly notable was what Carter said about the “cyber component” (or lack thereof) of the U.S. efforts:

I was largely disappointed in Cyber Command’s effectiveness against ISIS. It never really produced any effective cyber weapons or techniques. When CYBERCOM did produce something useful, the intelligence community tended to delay or try to prevent its use, claiming cyber operations would hinder intelligence collection. This would be understandable if we had been getting a steady stream of actionable intel, but we weren’t. The State Department, for its part, was unable to cut through the thicket of diplomatic issues involved in working through the host of foreign services that constitute the Internet. In short, none of our agencies showed very well in the cyber fight.

The statement sounds alarm bells about the current organizational efforts of U.S. Cyber Command. In fact, the United States is not the only one struggling. A growing number of countries are said to be establishing military cyber commands or equivalent units to develop offensive cyber capabilities, and they all seem to have their growing pains stemming from the unique nature and requirements of offensive cyber operations.

Carter’s statement primarily refers to interagency problems, for instance, on how the use of militarized cyber operations by CYBERCOM may endanger current or future intelligence collection operations by the NSA. But the problems with successfully carrying out offensive cyber operations are deeper and more complicated. Specifically, military cyber commands require individual creativity — which is too often is sacrificed on the altar of organizational routines.

Routines are considered to be the oil that keeps government institutions running. In the academic literature, routines are defined as ‘‘an executable capability for repeated performance in some context that has been learned by an organization in response to selective pressures.” One benefit of routines is that they provide stability, which in turn leads to predictability. In the cyber domain, where there is already considerable uncertain and imprecise information, predictability of actions is certainly a welcome asset.

Yet offensive cyber capabilities are inherently based on unpredictability. As the RAND Corporation’s Martin Libicki observes, there is no “forced entry” when it comes to offensive cyber operations. “If someone has gotten into a system from the outside, it is because that someone has persuaded the system to do what its users did not really want done and what its designers believed they had built the system to prevent,” Libicki argues. Thus, to ensure repeated success, one must find different ways to fool a system administrator. Repetition of an established organizational routine is likely to be insufficient when conducting military cyber operations. The command must foster an environment in which operators can depart from routine and nimbly adapt their actions to stay ahead of their adversaries.

More specifically, Jon Lindsay and Erik Gartzke note that “cyber operations alone lack the insurance policy of hard military power, so their success depends on the success of deception.” Deception as a strategy is based on two tactics: dissimulation, or hiding what’s there; and simulation, or showing something that’s not. The cyber weapon Stuxnet, for example, utilized both tactics. Through what is known as a “man-in-the-middle attack,” Stuxnet intercepted and manipulated the input and output signals from the control logic of the nuclear centrifuge system in Natanz, Iran. In this way, it was able to hide its malicious payload (simulation) and instead replayed a loop of 21 seconds of older process input signals to the control room, suggesting a normal operation to the operators (dissimulation). To ensure that an offensive cyber attack is successful, the attacker needs to constantly find innovative ways to mislead the enemy — which may mean deviating from routines, or crafting routines that permit individuals to make adjustments at their discretion.

There is no easy resolution of this dilemma. Few of the mechanisms organizations use to encourage creative behavior can be applied to military cyber commands. Instead, what governments can focus on to foster creativity in these organizations is workforce diversification and purpose creation.

First, a common form of encouragement is to reward risk-takers in the organization. Yet military cyber commands need to be risk-averse and cautious. It is essential for “cyber soldiers” to stick to the rules to avoid escalation and possible violation of the laws of armed conflict, just as it is for more traditional soldiers. Despite the need for unpredictable and deceptive responses, military cyber commands cannot simply try things out and see what happens. Indeed, though offensive cyber capabilities are not inherently indiscriminate, without careful design and deployment there is a high potential for severe collateral damage. The Morris Worm of 1988 is an illustrative case in this regard. Robert Morris “brought the internet to its knees” due to a supposed error in the worm’s spreading mechanism. The worm illustrated the potential of butterfly effects in cyberspace – small changes in code can escalate into large-scale crises.

Similarly, military cyber commands will find it more difficult than private companies to grant autonomy to individuals. The underlying management logic for granting personal autonomy was perhaps most famously spelled out (and radically implemented) by Brazilian entrepreneur Ricardo Semler: Let employees decide how to get something done, and they will naturally find the best way to do it. For cyber operations, while outcomes are important, precisely how the job gets done is equally relevant. After all, unlike most conventional capabilities, the modus operandi of one cyber operation may greatly affect the effectiveness of other operations.

This is partially due to what’s known as the “transitory nature” of cyber weapons. Cyber weapons are often described as having “single-use” capabilities. The idea is that once a zero-day vulnerability – that is, a publicly undisclosed vulnerability – has been exploited and becomes known to the public, the weapon loses its utility. Although I’ve argued before that this view lacks nuance – as in reality it often still takes time before patches are installed and vulnerabilities closed (and only the minority of cyber weapons exploit zero-days) – the likelihood of successfully accessing the target system does nonetheless reduce after initial use. In other words, the use of a zero-day exploit by one operator may complicate efforts for other operators.

So, what can be done? At a minimum, military commands should make sure they attract a diverse group of people. Only recruiting people within government organizations for the command, as for example the Netherlands supposedly does, should be discouraged. Conventional human resource matrices (i.e., the candidate should have a university bachelor’s degree, good grades, courses in certain areas etc.) should be reconsidered too.

We have already seen various encouraging initiatives on this front. The U.S. Army recently launched the cyber direct commissioning program, so (qualified) civilians can now directly apply to become officers. Countries like the United Kingdom, the Netherlands, and Estonia are also setting up cyber reserve units to attract civilians with the right skill set. Yet these programs are not yet widely adopted across states, nor do they tend to extend far enough (the responsibilities of reserve officers are often unclear).

Military cyber commands should also make sure they create an inspiring workplace to capitalize on people’s intrinsic motivation. Senior leaders have generally been good at providing a vision for their cyber command; this is normally expressed as a desire to become a world leader in offensive cyber operations (see, for instance, the UK’s cyber security strategy). They are also explicit about their mission. Yet, hardly ever do they provide purpose: how does the command fit into the big picture, and what is the strategic framework being followed? Jim Ellis, the former commander of U.S. Strategic Command, has noted the shortcomings of the cybersecurity discourse, saying the debate is “like the Rio Grande, a mile wide and an inch deep.” A deeper focus on purpose-driven values is needed to motivate people to enter a field like cyber operations.

As more countries look to get into the business of offensive cyber operations, the inherent tension between the requirements of these operations and the regimented tendencies of national security bureaucracies will become starker and starker. If governments want to bring together different minds, inspire creativity, and maximize human performance, they need to clearly communicate the value of cyber commands to their people.

This article was first published @WarontheRocks

Europe Slowly Starts to Talk Openly About Offensive Cyber Operations

Europe is finally starting to talk more publicly and candidly offensive cyber operations.

Two weeks ago, the Dutch Ministry of Defense hosted the Third International Cyber Operations Symposium. In conference hand-outs, the commander of Dutch Defense Cyber Command, Hans Folmer, said he hoped to “foster a shared and realistic understanding of the role of cyber capabilities in future operations, while facilitating the opportunity to develop and strengthen relationships among all participants.” One senior participant at the conference observed: “speaking at NATO about offensive cyber was blasphemy a few years ago. We have advanced.”

At the same conference last year, former UK Defense Minister Michael Fallon acknowledged that states “must have the capability to project power in cyberspace as in other domains” and confirmed that the United Kingdom was using “offensive cyber” against the self-declared Islamic State group. This year, participants discussed lessons learned from those operations, and explored how and when cyber tools could be the most useful against an adversary.

However, based on the discussions this year, there seemed to be less excitement about the potential of offensive cyber tools. In Europe, cyber capabilities were once seen as a silver bullet for Europe’s defense problems—chronically low defense budgets and outdated materiel could be replaced with an asymmetric capability that could improve Europe’s ability to deter adversaries and project power. Now, as one participant said, “cyber is no longer something special.” There was a more honest and open debate about how cyber capabilities can be used, the challenges with developing and maintaining them, and understanding their strategic effects.

Nevertheless, Europe will continue to struggle with at least three issues.

First, not all European cyber commands are created equal. In fact, the diversity of capability in Europe makes it difficult to compare them in theory, and probably even more difficult to coordinate efforts in practice. Whereas Germany is said to have thousands of ‘information and cyber officers’, you can count the people working at cyber defense units in other European countries on two hands. Also, all states are in need of technical personnel, but not all have the resources to attract them. Although many European countries started building a cyber offensive capability almost a decade ago, many states are still far away from a meaningful capability.

Second, Europe is still searching for a strategic objective for its offensive cyber capability. Every scholar or policymaker at the conference noted that deterrence was a flawed strategy to pursue in cyberspace—either partially or completely. Yet, there remains a lack of alternatives and policymakers at the conference seemed unaware of ideas raised in the academic literature about the strategic value of offensive cyber capabilities, such as Kello’s cumulative deterrence, Harknett’s notion of persistence, or Lindsay and Gartzke’s discussion of deception.

Third, Europe lacks a common doctrine on the use of offensive cyber operations. NATO recently finished a first draft of its own cyber operations doctrine, and is going through the process of addressing comments made by member states and invited observers. Europe will need a common doctrine, or at least a common lexicon that can be used by military planners, if it wants to take a coordinated approach to cyber operations. Doctrine normally tries to link theory and practice. Yet, cyber operations in a military context are still fairly new and the lack of practice means that policymakers tend to concentrate primarily on theory, making the development of doctrine a difficult exercise.

This article was first published on the Net Politics Blog of the Council on Foreign Relations