Herb Lin and Max Smeets: What is absent from the U.S. Cyber Command 'vision'

cyber news

 Herbert Lin and Max Smeets wrote the following essay for Lawfare:

United States Cyber Command recently released a new “command vision” entitled “Achieve and Maintain Cyberspace Superiority.” The document seeks to provide: “a roadmap for USCYBERCOM to achieve and maintain superiority in cyberspace as we direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national interests in collaboration with domestic and foreign partners.”

Taken as a whole, the document emphasizes continual and persistent engagement against malicious cyberspace actors. One could summarize the new U.S. vision using Muhammad Ali’s famous phrase: “Float like a butterfly, sting like a bee.” Cyber Command aims to move swiftly to dodge opponents’ blows while simultaneously creating and recognizing openings to strike.

Cyber Command’s new vision is noteworthy in many ways. Richard Harknett’s March Lawfare post provides more context on “what it entails and how it matters.”

The emergence of this new vision—coinciding with a new administration—recognizes that previous strategies for confronting adversaries in cyberspace have been less than successful:

[A]dversaries direct continuous operations and activities against our allies and us in campaigns short of open warfare to achieve competitive advantage and impair US interests. ... Our adversaries have exploited the velocity and volume of data and events in cyberspace to make the domain more hostile. They have raised the stakes for our nation and allies. In order to improve security and stability, we need a new approach.

Another key realization is that activities in cyberspace that do not rise to the level of armed conflict (as traditionally understood in international law) may nevertheless have strategically significant effects:

The spread of technology and communications has enabled new means of influence and coercion. Adversaries continuously operate against us below the threshold of armed conflict. In this “new normal,” our adversaries are extending their influence without resorting to physical aggression. They provoke and intimidate our citizens and enterprises without fear of legal or military consequences. They understand the constraints under which the United States chooses to operate in cyberspace, including our traditionally high threshold for response to adversary activity. They use this insight to exploit our dependencies and vulnerabilities in cyberspace and use our systems, processes, and values against us to weaken our democratic institutions and gain economic, diplomatic, and military advantages.

Although the document never says so explicitly, it clearly contemplates Cyber Command conducting many cyber activities below the threshold of armed conflict as well.

At the same time, the vision is silent on a number of important points—after all, it is a short, high-level document. In this piece, we have highlighted some of these gaps to identify critical stumbling blocks and necessary areas of research. We categorized our comments below following the basic building blocks of any good strategy: ends, ways and means.

Ends

First, Cyber Command’s objective to “gain strategic advantage” seems obviously desirable. Yet, the vision doesn’t address what that actually means and how much it will cost. Based on Harknett and Fischerkeller’s article, strategic advantage can be interpreted as changing the distribution of power in favor of the United States. (This is in line with the observation made at the start of Harknett’s Lawfare piece: The cyber activity of adversaries that takes place below the threshold of war is slowly degrading U.S. power toward rising challengers—both state and non-state actors.)

But Cyber Command needs to be clear about the consequences of seeking this objective: A United States that is more powerful in cyberspace does not necessarily mean that it is more secure. The best-case scenario following the vision is that the United States achieves the end it desires and dramatically improves the (general or cyber) distribution of power—that is, it achieves superiority through persistence.

Yet, it remains unclear what will be sacrificed in pursuit of this optimal outcome. Some argued at Cyber Command’s first symposium that strategic persistence may first worsen the situation before improving it. This presumes that goals will converge in the future; superiority in cyberspace will in the long run also lead to a more stable environment, less conflict, norms of acceptable behavior, and so on. If this win-win situation is really the intended outcome, Cyber Command needs to provide the basis for its logic in coming to this conclusion—potentially through describing scenarios and variables that lead to future change. Also helpful would be an explanation of the timeframe in which we can expect these changes.

After all, one could equally argue that a strategy of superiority through persistence comes with a set of ill-understood escalation risks about which the vision is silent (Jason Healey has made a similar point). Indeed, it is noteworthy that neither “escalate” or “escalation” appear in the document. Fears of escalation have accounted for much of the lack of forceful response to malicious cyber activities in the past, and it can be argued that such fears have carried too much weight with policy makers—but ignoring escalation risks entirely does not seem sensible either.

Furthermore, high-end conflict is still an issue. True, the major security issue in cyberspace today is the possibility of death by a thousand cuts, and failure to respond to that issue will over time have strongly negative consequences. But this should not blind us to the fact that serious, high-profile cyber conflict remains possible, perhaps in conjunction with kinetic conflict as well. One consequence of the post-9/11 security environment has been that in emphasizing the global war on terror, the U.S. military allowed its capabilities for engaging with near-peer adversaries to atrophy. We are on a course to rebuild those capabilities today, but we should not make a similar mistake by neglecting high-end cyber threats that may have significant consequences.

Ways

The way Cyber Command aims to accomplish its goals, as noted above, is to seize the initiative, retain momentum and disrupt adversaries’ freedom of action.

Given the low signal-to-noise ratio of policy discussions about cyber deterrence over the past several years, it is reasonable and understandable that the vision tries to shift the focus of cyber strategy toward an approach that is more closely matched to the realities of today. But in being silent about deterrence, it goes too far and implies that concepts of cyber deterrence have no relevance at all to U.S. cyber policy. At the very least, some form of deterrence is still needed to address low-probability cyber threats of high consequence.

The vision acknowledges the importance of increasing the resilience of U.S. cyber assets in order to sustain strategic advantage. But the only words in the document about doing so say that Cyber Command will share “intelligence and operational leads with partners in law enforcement, homeland security (at the federal and state levels), and the Intelligence Community.” Greater U.S. cyber asset resilience will enhance our ability to bring the cyber fight to adversaries by reducing their benefits from escalating in response. And yet, the coupling between cyber defense and offense goes unmentioned.

The vision correctly notes that “cyberspace threats ... transcend geographic boundaries and are usually trans-regional in nature.” It also notes “our scrupulous regard for civil liberties and privacy.” But U.S. guarantees of civil liberties and privacy are grounded in U.S. citizenship or presence on U.S. soil. If cyber adversaries transcend geographic boundaries, how will Cyber Command engage foreign adversaries who operate on U.S. soil? The vision document is silent on this point.

Means

Of the strategy’s three dimensions, Cyber Command’s new vision is least explicit about the means required to enable and execute strategic persistence.

However, a better understanding of the available means is essential if we want to know how much the U.S. will go on the offense based on this new strategy. In theory, a strategy of persistence could be the most defensive strategy out there. Think about how Muhammed Ali famously dodged punches from his opponents: the other guy in the ring desperately punches but Ali has the upper hand and wears him out; he mentally dominates his opponent. A strategy of persistence could also be the most aggressive one. Muhammed Ali would also punch his opponents repeatedly, leaving them no opportunity to go on the offense—and sometimes being knocked out.

While the command vision has remained silent on available means, others seem to be moving into this direction and offering some examples. In a recent Foreign Affairs article, Michael Sulmeyer argues that the U.S. should ‘hack the hacker’: “It is time to target capabilities, not calculations. […] Such a campaign would aim to make every aspect of hacking much harder: because hackers often reuse computers, accounts, and infrastructure, targeting these would sabotage their capabilities or render them otherwise useless.” Such activities would indeed increase the friction that adversaries encounter while conducting hostile cyber activities against the United States—but whether that approach will result in persistent strategic advantage remains to be seen.

Also, Muhammad Ali boxed differently against different opponents—especially if he was up against taller boxers. Analogously, there might not be a one-size-fits-all solution when it comes to strategic persistence in the cyber domain. The means used to gain superiority against ISIS aren’t the same as those that are effective against China. Future research will have to list them and parse out the value of different approaches.

What Muhammad Ali was most famous for—and what remained constant throughout all of his matches—was his amazing speed. The new vision shows that the Cyber Command is well-aware of the importance of speed. Operational speed and agility (each mentioned four times in the vision and central to the vision’s fourth imperative) will manifest differently against different opponents; moreover, significant government reorganization will be required to increase operational speed and agility. We should, however, watch out that these concepts do not become meaningless buzzwords: An article on the meaning of an agile cyber command would be a welcome contribution to the field.

Prioritizing

Muhammad Ali boxed 61 matches as a professional. He would not have won 56 of those fights if he had fought all of his opponents at the same time. The Cyber Command is operating in a space in which it has to seize the initiative against a large and ever-growing number of actors. In seeking to engage on some many levels against so many actors, prioritization (as discussed in the strategy) will become a top issue when implementing this new vision.

What’s not in the strategy is as important as what is. Having said that, a short 12-page document cannot be expected to address all important issues. So the gaps described above should be taken as a sampling of issues that will need to be addressed as the vision is implemented.