GAVIN WILDE
An updated U.S. cyber strategy should incorporate lessons learned about the nature and limitations of offensive cyber capability—operations which “deceive, degrade, disrupt, deny, destroy, or manipulate” adversary systems—which has proven most effective at espionage and disruption and less as a decisive element of warfare.1A continued military-centric approach to cyber issues risks underemphasizing the other core competencies of U.S. statecraft—intelligence, diplomacy, law enforcement, and other tools—necessary to address illicit cyber activity like ransomware and state-backed hacking.The most persistent and enduring threats from the cyber domain are best addressed through investments in law enforcement, civil infrastructure, public-private resiliency, and international coalitions—less through military superiority.
THE FEDERAL GOVERNMENT’S CYBER ORGANIZATIONAL STRUCTURE
Created in 2021, the Office of the National Cyber Director is supposed to synchronize and oversee federal cyber policy. However, with few formal powers and an annual budget of only $250,000, it will be difficult for the office to provide meaningful oversight or coordinate federal cyber policy from the White House.
THE CYBER LANDSCAPE U.S. STRATEGY CURRENTLY CONCEIVES
The U.S. faces formidable nation-state adversaries in cyberspace. China, Russia, North Korea, and Iran have all demonstrated capabilities to hold U.S. interests at varying degrees of risk—from intellectual property to democratic institutions to state secrets.
Non-state and semi-state actors, like hacktivists, ransomware collaboratives, private surveillance companies, and cyber criminals, have also grown in sophistication—disrupting routine economic, governmental, and civic interactions.
The U.S. strategy currently conceives of cyberspace as a militarized, warfighting domain—evinced by the standup in 2010 of DoD’s Cyber Command and its more recent guiding principles: “Defend Forward” and “Persistent Engagement,” prioritizing assertiveness in disrupting malicious cyber activity, even below the level of armed conflict.
2This concept fuels debates over “offense vs. defense” in cyberspace, a false binary that distracts from the need to confront cyber issues holistically, using the most appropriate tools and authorities available to the U.S. government for the discrete types of threats they pose. Relative to other departments and agencies, however, the preponderance of resources is dedicated to DoD.3
THE LIMITS OF OFFENSIVE CYBER
The relatively muted success of Russian cyber operations in achieving its military and political aims in Ukraine in 2022 call into question notions about cyber as a decisive, coercive element of modern war and suggest a more ancillary role.4
More broadly, in pursuing both battlefield and strategic political objectives, nation-states largely fail to demonstrate in practice the decisive power cyber weapons provide in theory: deterrence, compellence, escalation dominance, or signaling.5 Kinetic weapons offer more speed, control, and intensity6 during a conventional armed conflict.
The primary threat to the U.S. from both nation-state and non-state cyber actors stems from their increasing capacity to conduct more traditional forms of interstate competition: surveillance, espionage, subversion, deception, and disruption, all of which occur below the level—and often in lieu of—conventional armed conflict.
The most prevalent forms of malicious activity in cyberspace—often incorrectly portrayed as “attacks”—are less measures of war and more of an unending intelligence contest expanding into the digital realm to seek advantage through espionage and subversion.7 This was the case with the notorious SolarWinds hack in which the Russian foreign intelligence service leveraged a software supply-chain to spy on a broad range of prominent public and private downstream targets.8
Competing and defending in this environment requires partnerships spanning civil society and industry. DHS’s Cybersecurity and Infrastructure Security Agency (CISA) is poised to establish such a multi-stakeholder task force to counter ransomware, building on the progress of extant private sector initiatives and leveraging competencies that are often beyond the resources and remit of governments—and outside the scope of warfighting.9
While sophisticated cyber operations targeting U.S. critical infrastructure threaten major disruptions to economic and civil activity, a military-led response may not be best suited such discrete risks—contrary to U.S. Cold War and post-9/11 political reflexes.10
U.S. cyber strategy should thus de-emphasize military- and battlefield-centric notions of offensive superiority and instead center around more effective aims of coalition-building to raise collective cyber-defenses and build operational capacity among stakeholders in critical infrastructure and business. These efforts will both help prevent and speed recovery from cyber incidents.
RIGHT-SIZING THE MILITARY ROLE IN U.S. CYBER STATECRAFT
Civilian and law enforcement agencies, like CISA, DOJ, FBI, and Department of State made major strides in recent years toward preventing, disrupting, and prosecuting illicit transnational cyber activity.11
Such successes are often forged with interagency, international, and industry partnerships with verifiable results.12 They demonstrate that addressing issues like ransomware and botnets as national security concerns requires neither militarizing the nature of the threat nor deputizing DoD as a digital police force.13
These breakthroughs notwithstanding, funding for U.S. military cyber operations dwarfs the combined cybersecurity budgets of all other agencies combined.14 The NDAA, DoD’s annual authorization bill, is also, concerningly, becoming the sole vehicle via which other departments and agencies can overcome congressional gridlock to secure funding for their own cyber initiatives.15
Meanwhile, the authorities under which DoD conducts cyber operations are subject to decreasing civilian oversight, a sharp contrast with those necessary for other military operations.16 Previously, Cyber Command’s offensive cyber operations reportedly required presidential approval and interagency coordination prior to execution.17
A 2018 White House directive—the details of which are classified and were withheld from congressional review by the Trump Administration—reportedly relegated these authorities to DoD.18 The Biden administration examined further refinements to these authorities that would lend additional weight to the diplomatic ramifications of overseas operations.19
Like concerns over unconstrained drone warfare, it is unclear whether a more aggressive, unilateral military posture in cyberspace is strategically sound policy—it
may risk further inflaming the very domain it seeks to pacify.20 In both cases, technological advances lower the barriers to entry into military conflict without enabling decisive victory within it.This mismatch in cyber budget, oversight, and authorities creates competing incentives within a national cyber strategy and risks both distracting and overextending the military from its core warfighting competencies into less existentially vital aspects of global competition.
Future U.S. strategy should redirect resources toward capacity-building among civilian and law enforcement agencies to enable better prevention, disruption, and resilience. It should likewise reconceptualize DoD’s role as an adjunct, not a centerpiece, of U.S. cyber statecraft.
FY 2022 MILITARY VS. CIVILIAN CYBER-RELATED BUDGETS
DoD’s cyber-related budget, even excluding classified expenditures, exceeds the budget for all civilian departments combined. This reflects the over-militarization of U.S. cyber policy.
A NEW ORGANIZING PRINCIPLE FOR U.S. CYBER STRATEGY
The ambiguity the cyber domain affords makes it highly attractive to nation-states seeking alternatives to conventional war. This is not a failure of a deterrence, but rather a workaround due to deterrence’s effectiveness.
The cyber domain’s capacity to land decisive blows amidst conventional conflict has also proven thus far to be a less viable prospect than previously envisioned.21
Casting warfare as the organizing bureaucratic and conceptual substrate to U.S. cyber power and strategy risks underservicing the other elements of national power, including legal, economic, intelligence, and diplomatic efforts that have proven effective to securing and advancing U.S. interests in cyberspace.
A more durable framework would place robust cyber defense, multi-stakeholder resiliency, and coalition-based statecraft of our own at its core.
No comments:
Post a Comment