Major Cyber Attacks Not the ‘New Normal’

By Gentry Lane


Cyberspace is the only warfighting domain in which daily degradation of critical assets is tolerated. This tolerance is not born out of willful indifference, but out of willful engagement in a losing battle due to lack of strategic response.

The scale and scope of advanced persistent threat-perpetrated aggression is beyond existing surveillance and incident response capabilities of any one nation. Despite America’s technical advantage and consequential fighting force, it is and will always be outnumbered in the cyber domain. However, “always outnumbered” is not necessarily a decisive disadvantage. Military history is replete with smaller forces overcoming larger ones to achieve mission success.

The imbalance of power should be the leading factor when evaluating engagement strategies, but this is not currently the case.

Instead, priority is given to triaging obvious insufficiencies in lieu of developing a viable asymmetric battle strategy. This approach yields stopgap solutions, piecemeal strategy and continued unencumbered success for adversaries.

Despite doctrine issued from both the Defense Department and the White House, the United States does not have a cohesive, sustainable strategy to efficiently deter nation-state aggression nor to adequately defend critical assets.

“Persistent engagement” and “defend forward,” the two pillars of the current cyber national security strategy, are lines of effort unviable as standalone strategies. While both gambits yield intermittent efficacy in shaping adversary behavior, there are limits to their effectiveness. Given the escalating sophistication and scale of malicious cyber actors, scaling these lines of effort in a sustainable way is not possible.

Unfortunately, effort and budget continue to be allocated to the low hanging fruit and triage initiatives: establishment of norms and redlines for adversaries who flout international humanitarian law; initiatives that only incrementally increase the cybersecurity workforce; innovation programs that yield few results; and vague vows to increase resiliency. These initiatives fall short of the kind of strategic thinking and cohesive, sustainable, strategy development that the current situation requires.

These efforts are misaligned because the objective is unclear. The desired end-state has yet to be defined in the context of comprehensive strategy.

Further confounding the disorganization is a lack of consensus on the current state of affairs. There is no doubt among adversaries that they are each engaged in effective, active conflict on American soil, yet American authorities are still discussing where on the conflict continuum cyberattacks rank.

Adversaries are fighting — and winning — and we can’t decide if we’re in cooperation, competition, or conflict. The disconnect is stark.

The ultimate authority for strategy development is nebulous given the number of military, law enforcement, civilian, homeland security and diplomatic stakeholders who have equity in the cyber conflict at hand. Defense leaders articulate disparate goals.

“Collective defense,” “integrated deterrence” and “strategic stability” are neither aligned nor have they been built out beyond catchphrases into comprehensive strategies. Responsibility and negligence for the lack of a fully developed strategy lie somewhere, but it isn’t clear where.

Regardless of who leads a strategic response, resilience and defense alone are inadequate. Even the most viable defense strategies necessitate prolonged engagement in a resource-intensive battle to maintain a status quo in which the best outcome is a condition of precarious security. This raises the questions of what exactly the desired ends are and what we are willing to sacrifice to achieve them. A defeat strategy has a high likelihood of escalating into traditional armed conflict, and a coercion strategy is de-escalatory, but there is currently no authority engaged in the composition of this unprecedented and complicated effort.

To reset security conditions that favor the United States and its allies, conflict resolution must occur and result in a condition in which the nation is not restricted to a persistently defensive posture.

However, as in any conflict, the adversary has a vote in the direction of this current one. For the major threat actors, cyber aggression is a highly effective way to achieve their mission of degrading U.S. power and economic and institutional stability. It is reasonable to assume that they do not desire resolution and prefer to continue offensive operations.

De-escalation via coercion is a viable strategy for conflict resolution with favorable conditions. Taxonomic classification divides coercion into two main types: compellence and deterrence. Compellence requires a significant direct action or credible threat of action — which in this case could be singular or combined consequential military, economic, or diplomatic actions — that compels the adversary to abandon their U.S.-targeted offensive cyber operations. Compellence could be perceived as provocative by the major threat actors and yield an unintentional escalatory response. Given the high level of economic and trade entanglement with China — and Russia’s historic volatility and perceived willingness to engage in kinetic conflict — compellence is not a viable resolution strategy for the current cyber conflict.

Deterrence also can be delineated into two types: “deterrence by punishment” and “deterrence by denial.” Both forms are de-escalatory by nature because they are collaborative and afford the adversary agency. Deterrence by punishment presents a credible threat of strong punishment to deter the adversary from taking an unwanted action. The clumsy, uncoordinated efforts currently in place are the application of deterrence by punishment. The full gamut of punishments — such as sanctions, public naming/shaming, criminal prosecution and tacit threat of an armed response — has been applied, but it has done little or nothing to deter a state of persistent aggression.

Deterrence by denial deters unwanted aggression by rendering adversary offensive operations impossible or unlikely to succeed, thus negatively impacting the adversary’s cost-benefit calculus and prompting prioritization of other opportunities with higher likelihoods of success.

But the application of deterrence by denial in the cyber domain manifests differently than it does in traditional warfighting domains. Deterrence by denial on land, air and sea often relies on a level of impenetrability that is neither practical nor achievable in the cyber domain. The attack surface in cyberspace is simply too big, too complex and too dynamic to adequately secure without impeding the free flow of information or denying the right to reasonable privacy.

Effective deterrence by denial in cyberspace may eschew impenetrable resilience and permit the breach of lines of defense, but reliably denies operations at some point in the kill chain before mission success can be achieved.

Deterrence by denial has never been applied in the cyber domain, nor has any cohesive battle strategy. The value of the de-escalatory nature and also the collaborative aspect of deterrence by denial cannot be overstated in multinational conflict resolution.

Allowing the adversary agency to determine and decline engagement by their own volition is key to sustainability. Without adversary buy-in, sustaining the achieved ends is precarious.

The unique features of this nascent warfighting domain — an ephemeral, binary battlefield that traverses all other warfighting domains as well as civilian, governmental and international environments — offer advantages and constraints that have yet to be studied, let alone tested. As the primary architect and provider of internet infrastructure, the United States has inherent advantages.

Full strategic, tactical and operational exploitation of these advantages is essential in the development of strategy, but this knowledge remains siloed among operational teams in intelligence agencies and far from the offices where military strategy development occurs.

Understanding the gaps in technological capabilities required to achieve coercion is crucial. Currently, there are no commercial off-the-shelf or government-bespoke solutions that reliably deny mission success. Timely, deep situational awareness over civilian critical infrastructure is currently unavailable to any security authority. The lack of traditional visibility and latency in determining conclusive attribution is an adversary advantage that can and must be removed.

None of these deficits are technologically insurmountable, but without understanding and acknowledging that these capabilities are required for cyber conflict resolution, resources for their realization will never be prioritized. Nor will these capabilities be valued or recognized as essential when they do appear.

While the adversary’s capabilities are advancing, their capacity is subject to constraints. Aggregate analysis of advanced persistent threat behavior over time shows an intentional focus on critical infrastructure assets and the software supply chain that affords access, indicating limited capacity that necessitates prioritization.

Adequate surveillance and incident response capabilities for the several hundred thousand public and private entities that comprise critical infrastructure are possible, but the programs in current use are deficient. The technology that powers them is clumsy and verging on outdated. And the programs themselves are subject to suspicion by the assets they are meant to protect. It’s essential that authorities instill confidence and engender trust in civilian sector partners to successfully execute a conflict response. The current government-provided monitoring technology, and the slew of fusion centers and collaboration centers, have done little to engender trust and continue to deliver subpar results for both private and public stakeholders.

The impunity which adversaries currently enjoy is not a permanent feature of the cyber domain. Major cyber attacks on civilian assets do not have to be the new normal, nor can they be without significant compromise to the American way of life. Lack of stability in the cyber domain undermines power projection in all warfighting domains and standing in the liberal world order. Lack of domain dominance hinders the ability to strike at the time and place of America’s choosing in all warfighting domains. The risk of intentional or inadvertent catastrophic failure of critical functions or significant compromise to force readiness is too high.

Until a clear end is defined, authorities are deconflicted, and the myopic focus on triage is eschewed in favor of resources allocated toward the composition of a viable coercion strategy, adversaries will continue to exploit the disorganization and draw the United States further into a quagmire of resource attrition. The current level of aggression is not sustainable and is certainly on an escalatory trajectory. A cohesive, sustainable, equitable coercion strategy that leverages all diplomatic, informational, military and economic institutions and elements of power, creates a coalition of allies, implements viable technology, and aligns incentives for private sector collaboration is required to resolve the current state of conflict.

Perpetual cyber conflict engagement is futile, expensive and does not yield a secure end-state. And further pursuance of misaligned, Sisyphean efforts is not in the best interest of the country.

Gentry Lane is the CEO and founder of ANOVA Intelligence, a venture-backed cyber national security software company. She is also a fellow at the Potomac Institute for Policy Studies, a visiting fellow at the National Security Institute at George Mason University’s Antonin Scalia Law School, represents the United States on a NATO science and technology panel and is a consultant with NATO Allied Command Transformation.

Topics: Cybersecurity

Comments (1)

Re: Major Cyber Attacks Not the ‘New Normal’

Liked the article. Software versus software is a forever escalating conflict. It can be broken with air gaps, programmable read-only memory, or any other approach that requires hands-on physical access to make software changes.

Curtlan Betchley at 4:29 PM