11 July 2022

Persistent Engagement in Cyberspace Is a Strategic Imperative

Michael P. Fischerkeller Emily O. Goldman Richard J. Harknett

The United States could lose its relative position of power in the world today without being defeated in an armed conflict. This is because cyberspace has opened a new avenue for international competition that coexists alongside the more familiar nuclear and conventional strategic environments where states interact in militarized crises and war. Competition in and through cyberspace, short of the threat or use of force, is potentially just as strategically consequential for a state’s relative position in the international system as war and militarized crises have been throughout history.

The strategic logic that drives cyberspace campaigns, operations, and activities, however, is distinct from that associated with militarized crises and armed conflict. It calls for operating continuously in cyberspace, seizing opportunities to advance national interests through competition, and setting favorable conditions for responding to potential crises or conflicts. The logic of strategic competition in cyberspace rests on anticipating the exploitation of one’s own vulnerabilities while leveraging the capacity to exploit others’. Because of the fluidity of digital technology, security rests on seizing and sustaining the initiative in this exploitation dynamic. If a state can sustain the cyber initiative, it becomes possible to achieve strategic success either by inhibiting an adversary’s gains or achieving such gains.

By 2018, the United States began to align its military cyberspace operations to this cyber strategic logic with a new operational approach—persistent engagement—along with new authorities and policies that enable initiative persistence. As we argue in a new book, Cyber Persistence Theory: Redefining National Security in Cyberspace, initiative persistence is essential to reducing cyber insecurity. Some U.S. allies are also instituting changes aligned with this logic. Russia, China, North Korea, and Iran have been operating with initiative persistence for years, seizing opportunities and exploiting vulnerabilities for cumulative gain while eroding U.S. power. Strategic intent reflects a state’s relative global position. Accordingly, Russia, China, North Korea, and Iran are operating in and through cyberspace to increase their power, circumvent obstacles, and undermine their adversaries, while the United States and its allies are operating to preserve the current (and, from their perspective, favorable) status quo.

States need not align with the logic of strategic environments, and even when they do, success is not assured. Opponents might simply be better at competing and contesting. But if states do not align to the structural imperatives of strategic environments, they will most certainly lose. The incontestable behavioral fact of continuous action in cyberspace—where states persistently exploit cyber and cyber-enabled vulnerabilities for advantage—is a significant difference from the security logic demanded in other strategic environments. In the nuclear environment, security is derived from the absence of action and the threat of an assured response. In the conventional environment, security depends on episodic action in militarized crises and armed conflict. The difference in advancing positive national security outcomes between the nuclear, conventional, and cyber strategic environments could not be starker.

It is important to recognize the implications of these differences for U.S. national security. Since the cyber strategic environment incentivizes states to act continuously, the metric for success of persistent engagement as an operational approach, as well as a broader cyber security strategy aligned with the environment, is not altering an adversary’s decision calculus to act. Security rests on inhibiting continuous adversarial cyber competitive activity to the point where its effects are not strategically impactful. The goal of initiative persistence is to preclude strategic consequences, not shape mindsets.

Adversaries Were the First to Recognize and Act

For at least a decade, the United States emphasized the development of exquisite cyber capabilities and access to support an off-the-shelf threat of response in what the Department of Defense (DOD) Cyber Strategy of 2015 enshrined as a “doctrine of restraint.” This approach fell comfortably within the parameters of Cold War security paradigms that relied on nuclear threats to deter war. The clear metric of success was the absence of a significant cyber incident—that is, a cyber action equivalent to a strategic armed attack.

However, none of the United States’ main adversaries were operating according to the same logic. Cyber capabilities were being employed continuously through operations and campaigns in a seemingly experimental approach. Lessons learned from this approach informed iterative advancements in further cyber action. U.S. restraint coincided with adversarial adventurism and led to strategic losses. Many in U.S. policy and academic circles blamed adversarial cyber activity on the failure to understand deterrence, rather than seeing it for what it represented. U.S. adversaries had recognized that cyberspace was a new competitive environment where strategic gains could be achieved through continuous activity below the threshold at which deterrence functions effectively.

The Democratic People’s Republic of Korea (DPRK) learned that it could circumvent international sanctions through cyber exploitation and the manipulation of financial infrastructure and transactions. The DPRK’s cyber campaign funded nuclear weapons and ballistic missile development programs that sanctions were trying to prevent, such as the recently deployed ballistic missile that can target most locations in the continental United States. Should its programs continue at this pace, U.S. Northern Command assesses that the DPRK will be able to overwhelm the U.S. Ground-Based Midcourse Defense System by 2025.

China’s cyber campaigns targeting the intellectual property (IP) of the U.S. defense technology and industrial base (DIB) and other forward-leaning growth sectors have been growing in scope, scale, and sophistication. Illicit acquisition of IP from the DIB has allowed China to threaten, and in some cases erode, U.S. overmatch through accelerated and truncated research and development. IP theft coupled with an ability to rapidly re-innovate it into indigenous products has helped China stave off a slowdown in economic growth. Left unabated, these cumulative gains will lead to sustained U.S. relative power loss.

Russia’s well-documented cyber activities focus not on circumventing or competing but on continuously stress-testing democratic institutions and alliances with the goal of undermining the United States’ ability to operate coherently as a great power. Left uncontested, trust in democracy will erode.

Adversaries are employing cyber means to achieve specific strategic objectives tied directly to their respective positions in the international system relative to the United States.

The U.S. Experience With Initiative Persistence

Persistent engagement has begun to take root in U.S. strategy. Early critics’ concerns that adopting a continuous cyber operational tempo would undermine U.S. support for international “norms” or escalate competition into crises or armed conflict have not materialized. Moreover, the adoption of persistent engagement is producing effects that were unimaginable just a few years ago. These include a new executive policy delegating more authorities to the DOD for cyberspace operations below the use of force, as well as cyber-specific statutory provisions that clarified the status of military cyber operations as traditional military activities exempt from covert action approval and oversight procedures.

Persistent engagement prescribes that the United States defend forward both geographically (beyond DOD networks) and temporally (ahead of adversary exploitation) to enable anticipatory resilience in domestic and foreign partner networks. Cyber National Mission Force Commander Gen. Joe Hartman explained that “[w]e get to find our adversaries in foreign space before they’re able to come to America and compromise our network. And while we do that, we get to make our partners and allies safer.” Timely security successes include disrupting Russian interference in the 2018 and 2020 elections and degrading Trickbot malware infrastructure.

Initiative persistence is also relevant for other U.S. government agencies that possess operational cyber capabilities and authorities. Consider the Federal Bureau of Investigation’s (FBI) use of Rule 41 of the Federal Rules of Criminal Procedure. Prior to 2018, the FBI leveraged Rule 41 in reaction to the Kelihos botnet. The FBI redirected Kelihos-infected computers to a substitute server that recorded their Internet protocol addresses so the government could provide victims’ addresses to internet service providers (and others) who could help remove the malware. Since 2018, Rule 41 has been leveraged to support proactive, anticipatory operations that secure compromised U.S. companies’ networks, systems, and devices before adversaries can act. The FBI removed the web shells installed by China’s Hafnium advanced persistent threat (APT) group from hundreds of servers and the CyclopsBlink command and control (C2) malware associated with a Russian APT from thousands of devices. In the latter operation, the FBI also closed the external management ports being exploited to access the C2 malware.

There are other examples of initiative persistence. Working together with a third party, the FBI and U.S. Cyber Command disrupted REvil ransomware operations. Both organizations have released information on adversary tactics, techniques, and procedures, as well as indicators of compromise, through VirusTotal and Cybersecurity and Infrastructure Security Agency (CISA) alerts to inoculate U.S. companies against malicious cyber actors. Collaboration with the private sector to get ahead of cyberattacks has matured under U.S. Cyber Command’s Under Advisement program and CISA’s Joint Cyber Defense Collaborative.

Persistent engagement does not apply only to countering malicious cyber actors. It can also be employed to contest ill-gotten adversary gains from non-cyber activities and to set conditions that support deterrence in militarized crises and conflict. When asked about the importance of persistent engagement in the context of the Russo-Ukrainian War, U.S. Secretary of Defense Lloyd Austin stated that persistent engagement “is absolutely critical” and is paying dividends for Ukraine while also providing the United States and its allies key insights to detect developing threats. Political scientist Amy Zegart has accurately described the relentless and proactive U.S. intelligence disclosure campaign to control the Russia-Ukraine narrative as a form of persistent engagement that seizes and maintains the narrative initiative, at least for Western audiences.

The Financial Times described a U.S. Cyber Command hunt forward mission where members of the Cyber National Mission Force worked alongside Ukrainian network operators in December 2021 to discover and mitigate a wiper malware capable of disrupting rail networks across the country. Millions of Ukrainians later used the railway system to escape the Russian assault on their cities. This may be the first report of a cyber activity that directly saved lives. Some speculate that Russia’s initial plan was to place intense pressure on the Ukrainian government to cause a quick collapse. Did that plan rest on a strategic assumption that civilians would be trapped in cities because the rail system would not function, and thereby intensify political pressure and popular panic? If historians find this to be the case, we may look back on this hunt-forward operation as having had a strategic impact on the conduct of a conventional war.

Additional examples of initiative persistence in the shadow of conflict have come to the fore. Hours before the Russian invasion, Microsoft detected a new malware, known as FoxBlade, intended to disrupt Ukraine’s digital infrastructure. Heeding the U.S. government’s advice, Microsoft immediately extended the warning to neighboring NATO countries. Ukraine’s cyber operators, for their part, shared with the United States (and others) the discovery of a novel industrial control system malware known as Industroyer2.

Moments that lead to fundamental changes in how national security is achieved are rare. But when they do occur, failure to adjust correctly and effectively can mean the difference between growing as a great power and being pushed off the pedestal. Persistent engagement is the correct adjustment to the reality of cyber insecurity. The critical next steps are to scale it up while maintaining tempo and to build it into a cornerstone of a whole-of-nation-plus (WON+) cyber framework. Initiative persistence in managing the potential exploitation of network vulnerabilities must drive inter-agency coordination and action, public-private alignment of interests and activities, and citizen engagement. All three elements must also align with international partners’ orientations and actions (i.e., the “+” in WON+). In an environment of continual action in the setting and resetting of network structures, processes, and components, the stark choice is to persist or lose. The good news is that the United States, as a status quo, defensively oriented state, is beginning to regain some initiative in cyberspace by cultivating norms of responsible behavior and setting the terms for stabilizing global cyber activity. For the United States, the strategic stakes in moving forward on this course cannot be overstated.