Herb Lin
In 2018, U.S. Cyber Command (USCC) released its Command Vision statement for the organization, advancing officially for the first time “defend forward” and “persistent engagement” as new elements in the United States’ approach to advancing its security interests in and through cyberspace. Since then, much debate has ensued about the pros and cons of these concepts. But this debate has not included much discussion of one key aspect—what would be the impact of other cyber powers adopting these concepts in pursuing their own security interests?
As a thought exercise, the document below is the USCC Command Vision statement rewritten as though it were the basis for a document that the People’s Republic of China might adopt and issue. To first order, the new document simply replaces every reference to “U.S.” in the Command Vision statement with “China” or “Chinese.” Although the hypothetical document includes a bit of verbiage to make it more consistent with the different context in which the Chinese military operates, such as its role in serving the Chinese Communist Party with policies like military-civil fusion, nearly all of the words and sentences are taken directly from the USCC Command Vision statement. Changes from the USCC Command Vision statement in the hypothetical document below are indicated in bold.
The reader is cautioned that there is no evidence whatsoever that China is about to form its own independent Cyber Command, that it would issue a vision statement if it did, or that Chinese concepts for military cyber operations emulate those of the United States. Some analysts believe that the Network Security Division of the Chinese Strategic Support Force is a close analogue to U.S. Cyber Command, while others reject the comparison. But the document below should not be judged on the basis of its fidelity to actual Chinese organization, decision making or strategic thought—it is offered only as an analytical tool to probe how Americans might view Chinese intentions and capabilities if they adopted similar operational concepts to the United States in cyberspace, and thus perhaps how the Chinese (and other U.S. competitors in cyberspace) might view American intentions and capabilities.
Achieve and Maintain Cyberspace Superiority
Command Vision for the People’s Liberation Army Cyber Command
China’s Challenge in Cyberspace
SUPERIORITY IN THE PHYSICAL DOMAINS IN NO SMALL PART DEPENDS ON INFORMATION SUPERIORITY.
WE CAN INFLUENCE AND SHAPE ADVERSARY BEHAVIOR THROUGH PERSISTENT, INTEGRATED OPERATIONS.
Military superiority in the air, land, sea, and space domains is critical to our ability to defend our interests and protect our values. Achieving superiority in the physical domains in no small part depends on superiority in cyberspace. Yet we risk ceding cyberspace superiority. Adversaries are increasingly capable of contesting and disrupting Chinese society, economy, and military. This is in part because of our growing reliance on cyberspace. Adversaries direct continuous operations and activities against us in campaigns short of open warfare to achieve competitive advantage and impair Chinese interests in the struggle for information superiority. The cyberspace domain that existed a decade ago has changed. Our adversaries have exploited the velocity and volume of data and events in cyberspace to make the domain more hostile. They have raised the stakes for our nation. In order to improve security and stability, we need a new approach.
As the nation’s cyber warriors, the People’s Liberation Army Cyber Command (PLACC) operates daily in cyberspace against capable adversaries, some of whom are now near-peer competitors in this domain. We have learned we must stop attacks before they penetrate our cyber defenses or impair our military forces; and through persistent, integrated operations, we can influence adversary behavior and introduce uncertainty into their calculations. Our forces must be agile, our partnerships operational, and our operations continuous. Policies, doctrine, and processes should keep pace with the speed of events in cyberspace to maintain decisive advantage. Superior strategic effects depend on the alignment of operations, capabilities, and processes, and the seamless integration of intelligence with operations. Now we must apply this experience by scaling to the magnitude of the threat, removing constraints on our speed and agility, and maneuvering to counter adversaries and enhance our national security.
This document is a roadmap for PLACC to achieve and maintain superiority in cyberspace as we direct, synchronize, and coordinate cyberspace planning and operations to defend and advance our national interests in collaboration with civilian partners. We will demonstrate our resolve against cyberspace threats. We will unify cyberspace operations. We will secure networks, platforms, and data. We will expand the military options available to the national leadership. This document implements China’s Military Strategy for a New Era by posturing PLACC to counter increasingly aggressive competitors.
Strategic Context
ADVERSARIES ARE CONDUCTING A CONTINUOUS STRUGGLE TO WEAKEN OUR INSTITUTIONS AND GAIN STRATEGIC ADVANTAGES.
The security of our nation depends on international stability and global prosperity. The spread of technology and communications has enabled new means of influence and coercion. Hostile foreign forces continuously operate against us in an ongoing struggle in which they seek cyber hegemony. In this “new normal,” our adversaries are extending their influence without resorting to physical aggression. They provoke and intimidate our citizens and enterprises without fear of legal or military consequences. They understand the constraints under which China chooses to operate in cyberspace, including our tradition of active defense and building of a community of shared future for all humankind. They use this insight to exploit our dependencies and vulnerabilities in cyberspace and use our systems, processes, and values against us to subvert our government and gain economic, diplomatic, and military advantages.
Cyberspace threats are growing. They transcend geographic boundaries and are usually trans-regional in nature. States possess resources and patience to sustain sophisticated cyber campaigns to penetrate even well-protected networks, manipulate software and data, and destroy data, computers, and systems. Certain big powers seeking hegemony [Translator’s note: PLA documents often use such language to refer to the United States.] invest in military capabilities that reduce our military’s competitive advantages and compromise our national security. Those powers have demonstrated the resolve, technical capability, and persistence to undertake strategic cyberspace campaigns, including theft of intellectual property and personally identifiable information that are vital to our defenses and violate our cyber sovereignty. Disruptive technologies will eventually accelerate their ability to impose costs.
Aggressive non-state actors like terrorists, criminals, and hacktivists pose lesser threats than states but can still threaten social stability, damage our military capabilities and critical infrastructure, as well as endanger Chinese lives. Splittist organizations and violent extremist organizations, such as the Islamic State of Iraq and Syria, al-Qaida, and affiliated groups, are threatening national unity, destabilizing whole regions, attacking our global interests, and endangering our homeland and citizens around the world. These groups use cyberspace to conspire against the Party, promote their ideology, inspire followers, and control operations that threaten our allies and us. Organized criminal groups provide cover for states and terrorists, and possess significant capabilities to steal data and disrupt government functions. Hacktivists work to expose classified information or impair government services. These malicious cyber actors frequently pose threats that law enforcement and diplomatic means cannot contain without military assistance.
Operating Environment
IN CYBERSPACE, WELL-DEFENDED TERRAIN IS CONTINUALLY AT RISK AND ADVERSARY OFFENSIVE ACTIVITIES PERSIST.
Cyberspace is a fluid environment of constant contact and shifting terrain. New vulnerabilities and opportunities continually arise as new terrain emerges. No target remains static; no offensive or defensive capability remains indefinitely effective; and no advantage is permanent. Well-defended cyber terrain is attainable but continually at risk. Adversary offensive activities persist because opportunity costs are low, and accesses, platforms, and payloads can remain useful for extended periods.
The underlying technologies and protocols of cyberspace enable both legitimate and malicious activities. Adversaries exploit and weaponize vulnerabilities to steal wealth and intellectual property, manipulate information, and create malicious software capable of disrupting or destroying systems. The constant innovation of disruptive technologies offers all actors new opportunities for exploitation. In this dynamic hostile environment, China must increase resiliency, defend forward as close as possible to the origin of adversary activity, and persistently contest malicious cyberspace actors to generate continuous tactical, operational, and strategic advantage. We achieve success by seizing the initiative, retaining momentum, and disrupting our adversaries’ freedom of action.
National Policy Framework
CYBERSPACE OPERATIONS CAN MAKE POSITIVE CONTRIBUTIONS TO OUR COMPREHENSIVE NATIONAL POWER.
WHOLE OF GOVERNMENT EFFORTS MUST KEEP PACE WITH THIS DYNAMIC DOMAIN.
Our ability to prevail in strategic competition requires the seamless integration of all instruments of national power. Chinese cyberspace operations can make positive contributions to diplomatic power by providing fast, temporary, and reversible sanctions or communicating discreetly to the adversary. Cyberspace capabilities are key to identifying and disrupting adversaries’ information operations. They facilitate overmatch of adversary military capabilities in all domains, expanding options for our decision makers, and producing integrated effects. Insights and threat information gleaned from operating in cyberspace can make key elements of economic power more resilient and defensible.
Whole-of-government approaches for protecting, defending, and operating in cyberspace must keep pace with the dynamics of this domain. We should not wait until an adversary is in our networks or on our systems to act with unified responses across agencies regardless of sector or geography. Lengthy approval processes that delay PLA responses or set a very high threshold for responding to malicious cyber activities will put us in a passive position, unable to seize the initiative. Our adversaries maneuver deep into our networks, forcing us into a reactive mode after intrusions and attacks that cost us greatly and provide them high returns. This passive posture introduces unacceptable risk to our systems, data, decision-making processes, and ultimately our mission success. The PLA is building the operational expertise and capacity to meet growing cyberspace threats and stop cyber aggression before it reaches our networks and systems and breaches our sovereignty. We need a policy framework that supports and enables these efforts.
VISION: Achieve and maintain superiority in the cyberspace domain to influence adversary behavior, deliver strategic and operational advantages for the Joint Force, and defend and advance our national interests
Superiority through Persistence
WE WILL OPERATE SEAMLESSLY, GLOBALLY, AND CONTINUOUSLY.
WE SUSTAIN STRATEGIC ADVANTAGE BY INCREASING RESILIENCY, DEFENDING FORWARD, AND CONTINUOUSLY ENGAGING OUR ADVERSARIES.
Superiority through persistence seizes and maintains the initiative in cyberspace by continuously engaging and contesting adversaries and causing them uncertainty wherever they maneuver.* It describes how we operate—maneuvering seamlessly between defense and offense across the interconnected battlespace. It describes where we operate—globally, as close as possible to adversaries and their operations. It describes when we operate—continuously, shaping the battlespace. It describes why we operate—to seize the initiative to create operational advantage for us while denying the same to our adversaries.
*Cyberspace superiority is the degree of dominance in cyberspace by one force that permits the secure, reliable conduct of operations by that force, and its related land, air, maritime, rocket, and space forces at a given time and place without prohibitive interference by an adversary. Cyberspace persistence is the continuous ability to anticipate the adversary’s vulnerabilities, and formulate and execute cyberspace operations to contest adversary courses of action under determined conditions.
Cyberspace is an active and contested operational space in which superiority is always at risk. We seize the initiative and sustain strategic advantage by increasing resiliency, defending forward, and continuously engaging our adversaries. Increased resiliency reduces our attack surface at home, anticipates adversary actions, and increases flexibility in our response. Defending forward as close as possible to the origin of adversary activity extends our reach to expose adversaries’ weaknesses, learn their intentions and capabilities, counter attacks close to their origins, and defend our sovereignty. Continuous engagement imposes tactical friction and strategic costs on our adversaries, compelling them to shift resources to defense and reduce attacks. We will pursue attackers across networks and systems to render most malicious cyber and cyber-enabled activity inconsequential while achieving greater freedom of maneuver to counter and contest dangerous adversary activity before it impairs our national power.
Through persistent action and competing more effectively in cyberspace struggles, and especially those short of war, we can influence the calculations of our adversaries, deter aggression, and clarify the distinction between acceptable and unacceptable behavior in cyberspace. Our goal is to improve the security and stability of cyberspace. This approach will complement the efforts of other agencies to preserve our interests and protect our values. We measure success by our ability to increase options for decision makers and by the reduction of adversary aggression.
Commander’s Intent
WE WILL PREPARE, OPERATE, AND COLLABORATE WITH COMMANDS, SERVICES, FORCES, CIVILIAN AGENCIES, AND ENTERPRISES.
THE FOLLOWING PRINCIPLES GUIDE THE PLA CYBER COMMAND
We follow the Party, fight to win, forge exemplary conduct.
We empower our workforce.
We champion integrated, scalable solutions.
We compete by employing a long-term, campaign mindset.
We are risk aware, not risk averse.
Our purpose is to achieve cyberspace superiority by seizing and maintaining the tactical and operational initiative in cyberspace, culminating in strategic advantage over adversaries. Our efforts will increase our freedom of maneuver, create friction for adversaries, and cause them to shift resources to defense. We will erode their belief that hostile activities in cyberspace against us are advantageous. We will hold adversaries accountable for cyber-attacks.
PLACC will contribute to our national strategic deterrence based on multiple means. We will prepare, operate, and collaborate with theater commands, services, forces, civilian agencies, and enterprises to continuously thwart and contest hostile cyberspace actors wherever found. We will attract new partners and strengthen ties with critical mission partners, especially inside the PLA and the intelligence community, while deepening military-civilian fusion. We will enable and bolster our partners. We will share our insights in order to anticipate evolving cyberspace threats and opportunities. We will keep the leadership apprised of cyberspace threats, the operating environment, and changes needed in policies and processes to achieve superiority. We will execute our new responsibilities that accompany our new organizational structure, emphasizing mission and operational outcomes, military cyber capabilities building, and enhancing the readiness of the nation’s cyberspace military forces.
Imperatives
The following imperatives support this guidance. Our imperatives are mutually supporting, with success in one enhancing success in the others. They dictate what we must do in order to seize and retain the initiative in cyberspace. Attaining and sustaining these imperatives creates uncertainty for our adversaries and makes them hesitate to confront us. We must identify obstacles to achieving our goals, develop and implement plans to overcome those obstacles, and establish meaningful metrics to gauge our progress.
IMPERATIVE 1: Achieve and sustain overmatch of adversary capabilities. Anticipate and identify technological changes, and exploit and operationalize emerging technologies and disruptive innovations faster and more effectively than our adversaries. Rapidly transfer technologies with military utility to scalable operational capabilities. Enable our most valuable assets—our people—in order to gain advantages in cyberspace. Ensure the readiness of our forces.
IMPERATIVE 2: Create cyberspace advantages to enhance operations in all domains. Develop advantages in preparation for and during joint operations in conflict across the full spectrum of cyberspace struggles from peacetime to war. Integrate cyberspace capabilities and forces into plans and operations across all domains.
IMPERATIVE 3: Create information advantages to support operational outcomes and achieve strategic impact. Enhance information warfare options for PLA commanders. Integrate cyberspace operations with information operations. Unify and drive intelligence to support cyberspace operations and information operations. Integrate all intelligence capabilities and products to improve mission outcomes for the PLA and the nation.
IMPERATIVE 4: Operationalize the battlespace for agile and responsive maneuver. Facilitate speed and agility for cyberspace operations in policy guidance, decision-making processes, investments, and operational concepts. Ensure every process—from target system analysis to battle damage assessment, from requirements identification to fielded solutions, and from initial force development concepts to fully institutionalized force-management activities—aligns to the cyberspace operational environment.
IMPERATIVE 5: Expand, deepen, and operationalize partnerships. Leverage the talents, expertise, and products in the civilian sector, other government agencies, Services, and the education system. Rapidly identify and understand cyberspace advances wherever they originate and reside. Increase the scope and speed of enterprise and interagency threat information sharing, operational planning, capability development, and joint exercises. Enable and bolster our partners.
Risk Mitigation
The approach described in this document entails two primary risks. The first concerns the employment of a high-demand, low-density maneuver force. The prioritization of highly capable states and violent extremists means PLACC will devote comparatively fewer resources and less attention to other cyber actors. PLACC will seek to mitigate this risk indirectly by increasing resiliency in Chinese systems against all threats in order to render most malicious activity inconsequential, and directly by sharing intelligence and operational leads with government partners. The second risk is diplomatic. We recognize that adversaries already slander Chinese efforts to defend our interests as aggressive, and we expect they will similarly seek to portray our strategy as irresponsible in the cyberspace domain. PLACC makes no apologies for defending Chinese interests as directed by the General Secretary Xi Jinping in a domain already militarized by our adversaries. To the maximum extent possible, we will operate in concert with friendly states. We will also explain to the public the nature of threats in cyberspace, the threatening conduct of our adversaries, the limitations of passive defenses, and our scrupulous regard for data protection and privacy.
Mitigation of these primary risks will occur in parallel with PLACC’s coordination with other commands and services. Regardless of whether, when, or how PLACC’s structure changes, however, we will adopt a comprehensive risk management approach to maintain synergy between operational objectives and the intelligence required to inform and sustain effective information operations.
Implementation
This guidance informs our operations, structure, and resource requirements. The key to success is execution, and everyone has a part in this effort. Each unit within the PLA Cyber Command should embrace this guidance, communicate it to the workforce, work to implement it, and ensure all personnel understand their role and functions—all the while providing direct feedback on the effectiveness of its execution.
I suspect that the issuance of such a document from China would cause great public consternation in the United States. How would the United States react to an open declaration from China that its Cyber Command sought to achieve and maintain superiority in the cyberspace domain to influence adversary (such as U.S.) behavior, and to deliver strategic and operational advantages for Chinese military forces? Or to a declaration that China would employ persistent, integrated operations in cyberspace to influence and shape American behavior? Would the United States acknowledge that its forces are continuously operating against China in an ongoing struggle in which the United States is seeking cyber hegemony? Would the United States indeed shift resources to defend itself in cyberspace and thus reduce its own attack capabilities? While the USCC Command Vision articulates what the United States believes Cyber Command should be doing in cyberspace, U.S. Cyber Command is not the only entity within the U.S. government that has a claim on U.S. efforts in cyberspace. Another U.S. government agency with such a claim is the U.S. State Department, which has for many years been the lead in U.S. efforts to promote norms of behavior in cyberspace.
In 2016, Brian Egan, then legal adviser to the U.S. State Department, authoritatively identified and promoted four voluntary, nonbinding norms that addressed specific areas of risk of national and/or economic security concern to all states:
1. States should not conduct or knowingly support cyber-enabled theft of intellectual property, trade secrets or other confidential business information with the intent of providing competitive advantages to their companies or commercial sectors.
2. States should not conduct or knowingly support online activity that intentionally damages critical infrastructure or otherwise impairs the use of critical infrastructure to provide service to the public.
3. States should not conduct or knowingly support activity intended to prevent national computer security incident response teams (CSIRTs) from responding to cyber incidents. (States also should not use CSIRTs to enable online activity that is intended to do harm.)
4. States should cooperate, in a manner consistent with their domestic and international obligations, with requests for assistance from other states in investigating cyber crimes, collecting electronic evidence, and mitigating malicious cyber activity emanating from their territory.
Five years later, the United States endorsed the consensus report of the U.N. Open Ended Working Group of 2021, explaining that it was motivated by a desire to “universalize the emerging framework of responsible state behavior in cyberspace that was articulated in the three consensus GGE reports of 2010, 2013, and 2015 and affirmed by the UN General Assembly in 2015.” The United States was also a signatory to the 2021 report of the U.N. Group of Governmental Experts (GGE) on advancing responsible state behavior in cyberspace in the context of international security, which stated that “voluntary, non-binding norms of responsible State behaviour can reduce risks to international peace, security and stability” and that they reflect “the expectations of the international community and set standards for responsible State behaviour” and “can help to prevent conflict in the ICT environment.” The GGE report in particular included norms 2, 3, and 4 as described in the Egan statement; norm 1 was reflected in 2015 in a statement from the G-20 nations, including Russia and China.
Agreement on norms of behavior in cyberspace is an important action that nations can take to advance the cause of cyber stability. But by their very nature, norms—whatever their content—should be understood as being universal and reciprocal: Behavior that is expected of one nation is expected of all. Juxtaposing the Command Vision statements from the (real) U.S. Cyber Command and the (fictional) PLA Cyber Command thus raises an interesting question—is cyberspace truly more peaceful, secure and stable if the USCC Command Vision is generally adopted by all nations in cyberspace? If my suspicion about the likely U.S. reaction to a comparable Chinese vision is correct, such a reaction would make clear that the United States believes that the answer to this question is no. And if that is so, it is inconsistent with the international norm promotion efforts of the United States, because it violates the requirement for universality and reciprocity to which norms—by definition—conform.
If these four norms constituted the entirety of U.S. norm promotion efforts, one could imagine carve-outs from the USCC Command Vision regarding norms 2 and 3 to prohibit cyber operations that would violate them—that is, the Command Vision (or some other authoritative document) could state explicitly that it would not conduct cyber operations that violated norms 2 and 3. Norm 1 would be satisfied automatically by virtue of the fact that U.S. Cyber Command is a military entity rather than an intelligence agency and, thus, under U.S. law does not conduct intelligence-gathering operations for anything but military purposes. That is, the United States would surely claim that it rigorously adheres to the Title 10-Title 50 distinction between governing military and intelligence activities and, thus, that U.S. Cyber Command is complying with norm 1. (At the same time, it stretches credulity to expect that other nations care about whether a U.S. cyber operation with a given set of effects is carried out against them by the U.S. military or the U.S. intelligence community.) Norm 4 is simply outside the scope of the USCC Command Vision.
Nevertheless, it is instructive to note that the USCC Command Vision statement does not contain the term “norm” at all, a point indicating the possibility that the statement could have been formulated without much concern for the U.S. position on norms of appropriate international behavior in cyberspace.
I may well be incorrect on this notion. So, for the moment, let’s assume that the USCC Command Vision is indeed intended to support the U.S. position on norms of appropriate international behavior in cyberspace. Supporting this assumption is Emily Goldman, cyber strategist and cyber persistence subject-matter expert at U.S. Cyber Command and the National Security Agency, and former cyber adviser to the director of policy planning at the U.S. Department of State, who has written recently that:
By persistently engaging and contesting cyberspace aggression, the United States can draw parameters around what is acceptable, nuisance, unacceptable, and intolerable. The United States should not abandon U.N. First Committee processes on responsible state behavior in cyberspace, or other avenues for socialization such as international institutions or cyber capacity-building programs. But to be more effective, explicit bargaining can be reinforced by tacit bargaining through maneuver with non-likeminded states in the strategic space below armed conflict.
What would it mean to assume that military cyber activity can and should be used to advance a particular set of norms?
It would mean that the fictional command vision of the PLA Cyber Command could also be intended to support China’s views regarding norms of appropriate international behavior in cyberspace. But China-friendly norms likely include ideas such as cyber sovereignty, Party supremacy, internal censorship of ideas and writings and media deemed hostile to state interests, and external actions (cyber activity outside Chinese networks) to suppress dissent and the expression of other perceived anti-China sentiments. And if persistent engagement and defend forward are intended to support U.S. advocacy and preferences for a variety of U.S.-friendly norms, what predicate principles of international law say that the PLA Cyber Command’s operations can’t be used in support of Chinese-friendly norms? For that matter, why can’t any nation use persistent engagement and defend forward to advocate for its own set of preferred norms?
It’s important to note that principles of universality and reciprocity do not imply a moral equivalence between the U.S. and Chinese views of cyberspace—I much prefer a cyberspace governed by the U.S. view, and I find much that is objectionable about the Chinese view. But principles of universality and reciprocity underpin international relations in a Westphalian world—one might call them meta-norms. It might be possible to enforce and impose the U.S. view of cyberspace on the rest of the world if the United States did in fact enjoy total dominance in cyberspace over every other nation (a kind of cyber Pax Americana). But even if the United States did have that capability at one point, that time—if it ever existed—is long gone.
I draw two conclusions from this thought exercise. First, although the United States is quite sincere in its belief that implementation of the USCC Command Vision statement will improve international peace, security and stability, it is quite unlikely that other nations, such as China, view it that way. As an American, I believe that the norms that China would advocate threaten cyberspace stability. But there is zero chance that the Chinese would agree that their norms would threaten stability; on the contrary, they would say that their norms, if universally adopted, would support stability in cyberspace. And we should not presume that China knows or believes that universal adoption of U.S. norms is better for stability than is adoption of theirs. Rather, China is more likely to push back at least—and if it does so by adopting strategies based on the principles of the Command Vision statement, the United States will not have the high ground to object.
Second, it’s unlikely that any U.S. cyber authority would concede the claim that persistent engagement and defend forward is a legitimate strategy for other nations to pursue their own norm advocacy. Thus, the juxtaposition of the USCC Command Vision statement and its association with U.S. norm advocacy is a statement that persistent engagement and defend forward is legitimate only in pursuit of the specific set of norms that the United States advocates. Other nations might well point to the hypocrisy of such a statement, to the detriment of U.S. foreign policy objectives for cyberspace—including in the area of norms creation and adoption.
In short, the cyber authorities of the United States have yet to reconcile its norm promotion efforts and its vision for operating in cyberspace, and as suggested above, the United States might be able to do so through the use of carve-outs in the Command Vision. But without these carve-outs to the strategy of persistent engagement and defend forward (or something else with equivalent effect), the United States will be acknowledging that it is legitimate for other nations to use their own military forces to advocate for their own preferred norms—in cyberspace, if nowhere else. The United States might want to reconsider the implications of that acknowledgement.