29 March 2020

The Intelligence Contest in Cyberspace

By Joshua Rovner 

Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.

The ongoing competition in cyberspace is largely an intelligence contest. Although the technology is different, the underlying contest exhibits all the characteristics of traditional spy-versus-spy battles.

An intelligence contest is an effort to steal secrets and exploit them for relative advantage. Great powers today are using cyberspace with vigor, seeking to steal communications in transit and data at rest. China’s effort to steal intellectual property via cyberspace was famously described as the “most significant transfer of wealth in history.” China has attempted to exploit this effort to improve its military capabilities, with mixed results. Russia has also become more active in cyberspace espionage, targeting the United States and its partners abroad.

Intelligence contests also include sabotage. All bureaucracies suffer from some amount of friction: the inevitable daily hiccups that slow down operations and make organizations less efficient. Sabotage in cyberspace weaponizes friction to undermine rival capabilities and morale. Offensive cyberspace operations are well suited for this task because they offer a range of tools for the saboteur. States can opt for cheap and easy harassment campaigns like denial of service attacks, or they can engineer sophisticated operations against specific facilities. In either case, the benefits to the saboteur are both practical and psychological. Practical results include harm to networks, data, and infrastructure, all of which forces the target to spend time and money on recovery. Psychological results are equally important. It may not be necessary to cause physical damage if personnel in target organizations fall victim to frustration and finger pointing.

Finally, intelligence contests involve efforts to pre-position espionage assets that may be useful in war. Military organizations increasingly rely on cyberspace for organizing and directing conventional campaigns. Intelligence agencies have an obvious interest in monitoring their efforts. Gaining access to adversary networks makes it possible to reduce the fog of war in the case of a conflict. It also suggests the ability to confuse enemies by inhibiting their communications or flooding the zone with disinformation.

Cyberspace is a good venue for intelligence but a bad one for deterrence. It is good for intelligence because the ubiquity of cyberspace in organizational management creates extraordinary opportunities for surveillance. States that depend on cyberspace for normal operations also make themselves vulnerable to sabotage. Even modest offensive cyber operations can inject friction into adversary organizations.

Deterrence is different. It is difficult to deter states from activities below the line of armed conflict because retaliatory threats inherently lack credibility. No one is likely to believe that states will use violence to stop espionage, for instance, which probably explains why small states have spied on large ones for centuries. More importantly, victims are surprisingly tolerant of cyber operations. Research suggests that individuals are less willing to retaliate against cyber blows than physical violence. If this is correct, then strategies based on punishment are likely to fail. Deterrence by denial is also likely to disappoint, because the barriers to entry for espionage and harassment are relatively low. States will continue to conduct cyber intrusions even if previous efforts were unsuccessful.

There are important exceptions to this rule. Deterring major attacks against critical infrastructure is possible, for instance, because these attacks threaten significant harm to civilians. Deterring this kind of cyberspace operation makes sense because anyone considering such an attack would risk a ferocious response. Executing large-scale attacks on infrastructure probably also requires a lot of time, money and organization. Adversaries would surely think twice about that investment, especially if the United States issues clear deterrent threats. But deterrence is mostly irrelevant in cyberspace, because most activities fall well short of threats to infrastructure. Understanding the present problem in terms of deterrence theory is not particularly helpful.

At best, a well-fought intelligence contest can slowly convince adversaries that certain targets and methods are beyond the pale. During the Cold War, Soviet and U.S. intelligence professionals came to observe some rules of the game. Aggressive counterintelligence methods were expected, for example, but not against family members. Neither side could deter intelligence efforts, but they could structure the contest in order to reduce the risk.

What does the future hold for the intelligence contest in cyberspace? The good news is that the United States is exceptionally well positioned to compete. It possesses extraordinary technical and human resources, in both the public and private sectors. Its intelligence agencies are the largest and richest in the world. It also benefits from decades of experience competing against capable rivals. This is not the first time the U.S. intelligence community has dealt with committed and occasionally ruthless intelligence foes.

The bad news is that it will not be easy to know victory when we see it. Intelligence contests are inherently hard to measure. They are allergic to quantification, and the increasing volume of cyberspace activities means that more attacks will occur even if there is a net gain in cybersecurity. Observers will understandably be skeptical if U.S. officials claim success in the midst of high-profile security incidents. Moreover, progress reports will reflect differing value judgments. Those who believe the government is obligated to protect private firms will view all breaches as failures. Those who believe that the government has no such obligation will likely view private-sector attacks as unfortunate but unrelated to the government’s effort against foreign adversaries.

Although recognizing success will be hard, it is not impossible. Rough indicators may offer useful clues. If rules of the game are taking hold in cyberspace, we should see changes in patterns of cyber operations. Attackers will focus on some types of targets and increasingly ignore others. The percentage of state attacks on private firms and nongovernmental organizations should decrease.

Intelligence should also be able to monitor the frequency and severity of offensive cyberspace operations. Success will obtain when rivals come to see the risks of action and the value of restraint. While they will not cease activities, high-profile damaging attacks will become rare. States will also eschew the use of malware that they cannot control; instead, they will use customized payloads against specific targets and take steps to ensure that they do not inadvertently affect other systems. Fearful of letting their intelligence activities spill into other domains, they will design operations to avoid unwanted contagion.

Sustained dialogue among cyberspace operators and analysts may produce other useful measures. Encouraging this dialogue is essential, though difficult in practice. (Operators and analysts had an uneasy coexistence during the Cold War, with sometimes-tragic consequences.) Bringing analysts on board will not only help generate better measures of progress but also help avoid operational dead ends. Finally, an ongoing effort to be explicit about what constitutes success will help make signs of failure apparent. Those responsible for waging the intelligence contest in cyberspace need to be forthright about what it means to lose.

No comments: