27 December 2017

“Risk Informed, But Not Risk Averse”: the National Security Strategy Approach to Cyber Ops

by Eric Jensen

The Trump administration’s National Security Strategy (NSS) is replete with references to cyber operations and their impact on national security. It states that, “America’s response to the challenges and opportunities of the cyber era will determine our future prosperi­ty and security.” ­Like President Barack Obama’s 2015 NSS before it, Trump’s NSS identifies cyber capabilities as one of the great facilitators of U.S. national security, but also one of the country’s great vulnerabilities, with particular mention of China as a source of concern in both documents.

However, despite the shared cyber focus generally, cyber operations take a much more prominent role in the 2017 NSS, with both cyber risks and capabilities being discussed throughout the document in a much more comprehensive way than in the prior NSS. For example, the document establishes four pillars of national security that are vital national interests: Protect the American People, the Homeland, and the American Way of Life, Promote American Prosperity, Preserve Peace Through Strength, and Advance American Influence. The Strategy then identifies important cyber aspects of each of these pillars, including a fairly lengthy section devoted specifically to cyberspace in the third pillar: Preserve Peace Through Strength. Additionally, the document highlights the vulnerabilities to critical infrastructure from cyber threats and commits to strengthen cyber capabilities and resiliency.

This increased mention of, and emphasis on, cyber issues is well placed in a document that not only sets priorities for the U.S. government, but also sends signals abroad to both friends and adversaries (or “competitors,” as the 2017 NSS likes to describe them). For example, the 2017 NSS declares that “The United States will hold countries accountable for harboring [cyber] criminals.”

Perhaps the most notable mention of cyber issues is the formal recognition of the pervasiveness and accessibility of cyber capabilities. The Strategy states:

The spread of accurate and inexpensive weapons and the use of cyber tools have allowed state and non-state competitors to harm the United States across various domains. Such capabilities contest what was until recently U.S. dominance across the land, air, maritime, space, and cyberspace domains. They also enable adversaries to attempt strategic attacks against the United States—without resorting to nuclear weapons—in ways that could cripple our economy and our ability to deploy our military forces.

The Strategy then instructs the military to “remain capable of deterring and defeating the full range of threats to the United States. The Department of Defense must develop new operational concepts and capabilities to win without assured dominance in air, maritime, land, space, and cyberspace domains, including against those operating below the level of conventional military conflict.”

Accomplishing this charge will be especially difficult with respect to cyber operations. Given the architectural nature of the internet, the Strategy acknowledges that “Cyberattacks offer adversaries low cost and deniable opportunities to seriously damage or disrupt critical infrastructure, cripple American businesses, weaken our Federal networks, and attack the tools and devices that Americans use every day to communicate and conduct business.”

Accounting for this difficulty, it appears that the 2017 NSS takes an aggressive approach to cyber security. For example, the Strategy states “We will go after their digital networks and work with private industry to confront the challenge of terrorists and criminals ‘going dark’ and using secure platforms to evade detection.” It also speaks of using “sophisticated investigative tools to disrupt” illicit cyber activities. Similar other references are scattered throughout the Strategy.

Using the terms “go after” and “disrupt” portend the use of forceful cyber tools outside U.S. networks. Combined with the warning that the U.S. will “hold countries accountable” for malicious cyber activity from their territory, the language of the Trump NSS represents a more proactive and forward leaning attitude toward cybersecurity. Perhaps most indicative of this more aggressive approach is the statement at the end of the Cyberspace portion of the “Preserve Peace Through Strength” section of the Strategy. After describing the extent of cyber threats and steps the government will take to protect against them, the Strategy states “When faced with the opportunity to take action against malicious actors in cyberspace, the United States will be risk informed, but not risk averse, in considering our options.”

Since the publication of the Tallinn Manual 2.0, there has been an ongoing debate on the role of sovereignty with respect to cyber operations. Michael Schmitt, general editor of the Manual, has articulated and advocated for the view taken by the experts who wrote Tallinn Manual 2.0. Their position is that sovereignty is a “primary norm in itself that can be violated.” The contrasting view — that sovereignty is a foundational principle of international law, but not a separate norm that, when violated, leads to an internationally wrongful act — has been advocated by Col. Gary Corn, currently serving as the senior legal adviser to U.S. Cyber Command (Col. Corn was posting in his private capacity and not espousing the official view of either Cyber Command or the U.S. Government in his post). As the debate has continued, a range of views on the normative status of sovereignty with respect to cyberspace has developed.

For those of us looking for clues as to the approach the United States will take under President Donald Trump, the new NSS seems to view a cyber violation of sovereignty as a “risk” about which the government will be “informed,” but not necessarily “averse” to taking, particularly with respect to nations that harbor cyber actors for whom those nations are unwilling (or potentially unable) to accept the responsibility to stop malicious activity. Engaging in such a legal risk analysis is not a unique approach as governments routinely do so across a wide spectrum of decision-making, particularly where norms lack clarity or are developing such as with cyber operations. Of course, only time (and specific incidents) will give a full picture of the U.S. approach, but for those reading the 2017 NSS for indications, the more aggressive approach seems to be the preferred approach.

No comments: