The United States has adopted a new cyber warfare strategy focused on “persistent engagement” and “forward defense” in an attempt to thwart Chinese, Russian and other state-sponsored cyber attacks. While this unprecedented “defend forward” approach gives America many significant advantages in navigating cyber warfare, it also entails high-risks that could unintentionally escalate conflict. As a result, America must consider whether its traditional understanding of concepts like offense, defense and deterrence are applicable to the strategy of cyber warfare and whether they should continue to inform Washington’s cyber strategies.
This was the theme of a panel discussion held by the Center for the National Interest on September 10, 2019. The discussion featured prominent experts on cyber warfare: Jason Healey, a senior research Scholar at Columbia University’s School for International and Public Affairs and the editor of the first history of conflict in cyberspace, A Fierce Domain: Cyber Conflict, 1986 to 2012; and Ben Buchanan, assistant professor at Georgetown University and author of the book The Cyber Security Dilemma, which examines the intersection between cybersecurity and statecraft. The discussion focused on unpacking Washington’s new cyber strategy while raising questions on its effectiveness and subsequent implications on national security.
Healey explained that the new strategy of persistent engagement and forward defense is not just designed to deter cyber adversaries, but to force adversaries to “play defense” and “raise the costs of offensive operations.” Persistent engagement refers to the Defense Department’s initiative to counter foreign cyber threats as they emerge. Forward defense, similarly, aims to gain the upper hand against an adversary by using direct actions to track, intercept and disrupt attacks in foreign cyberspace before they occur.
America’s two strategies work together to ensure that there is no operational pause in American cybersecurity operations and that America has the capacity to disrupt attacks so effectively that an adversary’s “costs of employing an attack” against the United States are “higher than its benefits.” When deployed correctly, they put America’s enemies on the defensive and ensure that any states attempting to launch offensive cyber operations against America would be forced to rebuild its software and focus on its own defensive tactics instead of attacking. Healey explains that, from Washington’s perspective, such strategies would allow the United States to dominate the cyber domain, whilst establishing a set of norms of conduct in the cybersphere in a way that diplomatic negotiations would be unable to achieve via cyber redlines. In this way, these strategies would act as its own deterrent mechanism by setting the “guardrails” of permissibility in cyber warfare through the use of standard “tacit bargaining,” where states will moderate their behavior towards the United States over the long-term, thereby creating a more stable cyber environment and lasting U.S. superiority.
Unfortunately, these strategies do have drawbacks. Although the Defense Department contends that persistent engagement and forward defense are inherently nonaggressive, move-countering strategies, it continues to promote them and use axioms like, “the best defense is a good offense,”—a phrase Healey finds extremely problematic. To Healey, this illustrates a lack of understanding in Washington as to what offense and defense actually mean in the context of cyber warfare, which could cause states to find themselves in a position of “not just persistent, but permanent conflict.”
Buchanan provides an explanation for how the lines between offense and defense can be easily blurred through his discussion of reconnaissance and intelligence collection. The United States needs to conduct cyber operations and collect intelligence so that it can effectively anticipate and defend itself against a cyber attack. America used the Fanny computer worm for just this purpose in 2010, conducting extensive reconnaissance on how other malicious codes are utilized and how they could be broken.
However, Buchanan argues that the operational feature of cyber offense and defense are essentially one in the same, stating that “if [a state] wants to have a cyber capability, then [the state] will need to break into the capability of the adversary in order to determine how to have it for itself.” In other words, a state must initiate offensive measures in order to gain the knowledge it needs to execute effective defensive measures, blurring the lines between what constitutes an “offensive” or “defensive” measure in the first place. Further complicating matters, Buchanan states that, because tacit bargaining is impossible in the cyber world where communication between different actors is virtually nonexistent, signaling one’s intent to an adversary is very difficult and often unsuccessful: If it’s been done, it hasn’t been recognized.
Buchanan argues that Washington’s poor understanding of the indistinguishability between offense and defense is the pitfall in current American cyber strategy and that the utilization of traditional militaristic concepts in the cyber domain prevents the United States from identifying how intelligence collection can create unintended escalation. Buchanan remains skeptical that states will be encouraged to self-regulate their behavior in cyberspace. He worries that America’s cyber strategy may actually incentivize conflict escalation. Countries that perceive America’s defensive strategy to be offensive in nature would be encouraged to attack the United States in order to retaliate or acquire intelligence of their own to ensure their defense in the future. Healey describes this as a tit-for-tat response. Should the United States continue to utilize these strategies, then states will find themselves in a position of “not just persistent, but permanent conflict,” according to Healey. Though a defensive strategy of retaliatory countermeasures may be intended to avoid escalation, friction may instead lead to increasing instability in the cyber realm which could quickly spiral out of control.
America’s new cyber strategy runs the risk of creating a security dilemma in cyber warfare, an arena in which traditional theories of deterrence are largely inapplicable. According to Healey, there exists a perceived “lack of restraint” in cyber warfare that gives the attacker a dangerous inherent advantage. In the cyber world, “defensive success” does not discourage attackers—advantage comes from the use of capabilities, “not their possession.” Thus, in a domain where cyber capabilities are likely to be used as first-strike weapons, “surprising your adversary” is much more important, further decreasing the likelihood that signaling will take place. Further insecurity is created due to rapidly regenerating capabilities in cyberspace, causing any relative superiority gained by the United States to be inherently fleeting and thus deterring an adversary from responding to traditional deterrence strategies. In other words, even if the United States were to gain superiority in the cyber field, it would not last long and would likely encourage other actors to attack the United States using newly developed cyber technology. For Healey, this is the most destructive factor to any strategy that attempts to deter escalating conflict.
Both Healey and Buchanan argue that America must adopt a holistic and comprehensive approach to cybersecurity that acknowledges both the inherent uncertainty of cyber warfare dynamics and the fact that the cybersecurity cannot be achieved using traditional military concepts of offense and defense. To prevent the current system from “spiraling out of control” due to an offensive deterrence posture, Healey advocates for the creation of “military-to-military hotlines” and other mechanisms to help create some means of communication to reduce the chances of miscalculation.
Still, it may be too early to discount the value of forward defense. Above all, both Buchanan and Healey acknowledge the overwhelming need for an increased study of cyberspace and the ways we engage in it, even if that means in order to do so, we must continue to participate blindly in its depths. “Forward defense must be conducted as an experiment;” Healey says, “The U.S. must be open to the evidence and change course as necessary.”
María Ellers is a US-Russia Relations Intern at the Center for the National Interest.