Make Cyberspace Great Again Too!
President Obama’s reluctance to punish malicious cyberspace actors gave us the cyber world we most wanted to avoid. Malicious governments now see cyberspace as a largely unconstrained space for political maneuver, disinformation, information operations, and occasional destruction; a few governments actively support cybercriminals who advance state interests (mostly against the United States).
Our most dangerous opponents in cyberspace are states, three of which – Russia, China, and North Korea – also use cybercrime as a tool of state power. Nation-states use cyberspace for espionage, industrial theft, coercion, and crime to advance their aims – most importantly, the dismantling of the liberal-democratic world order to replace it with something more favorable to their own interests.
Warfare today is a combination of low-intensity (military) conflict and a fight over information via cyberspace -- especially over “narratives” that sway public opinion. And usually, this warfare does not involve much violence, certainly not compared to the wholesale slaughters of the 20th century. Our opponents adopt unconventional strategies, leveraging cyberspace to ensure that their actions stay below the level that could trigger military conflict. Our adversaries and competitors have embraced cyber warfare precisely to avoid kinetic hostilities with the United States but still achieve their political objectives.
The United States, in particular, is engaged in almost continuous contact with adversaries in cyberspace, with often-ambiguous legal implications that frequently hamstring our ability to respond. The media has occasionally called it “virtual warfare,” but a better term for the situation may be “persistent cyberspace confrontation,” or “warfare during peacetime.” Russia, China, North Korea, Iran, and the Islamic State/al-Qaeda use cyberspace to pursue a variety of goals, including operations that emplace cyber weapons on our critical infrastructure (both public and private), steal intellectual property, attack U.S. industry, and enable terrorist acts. More recently, Russia has used such methods to interfere in presidential elections (not just in the United States) -- a new threshold of audacity and political danger.
The Obama Administration’s hopes that cyberspace would emerge as a peaceful domain where speech was open and free (where the internet would not be regulated or censored by states), and where proprietary and personal information was respected and safe through the acceptance of norms, were unambiguously dashed. Cyberspace is the domain where adversaries come to change the political status quo via information operations, use our infrastructure to steal our information and wealth, and plan and execute terrorism. Adversaries no longer fear competing with us in cyberspace, believing either that we are self-restrained for legal or politically naïve reasons or that we are not as capable as they thought we were.
Imagine if the air domain had just emerged and Russian, Chinese, Iranian, and North Korean aircraft flew unmolested in the skies above New York, San Francisco, Washington, DC, and every city and town in the United States, mapping our infrastructure, and stealing modest amounts of U.S. wealth and proprietary information in each pass. Would the U.S. practice good, ‘risk-averse’ strategy by complaining but doing nothing – not threatening the aircraft, launching our own aircraft inside adversary airspace, or even simply sanctioning such states for their malicious actions? The conventional wisdom among rank-and-file U.S. Government bureaucrats is that not responding aggressively in cyberspace – not pushing back on malicious cyberspace behavior – is risk-averse. They fear escalation. Passivity invites escalation, not acceptance of our idealistic goals for cyberspace. Which risks escalation more: to hit a bully back or to not hit a bully back?
During the past few years, the United States found itself reacting late, insufficiently, or more often not at all to more nimble, authoritarian states. The United States needs to shape the cyber environment to affect the norms and behavior we expect: respect for sovereignty, respect for proprietary information, and the inviolability of critical infrastructure, not to mention, to protect the future gems of the state: intellectual property, data analytics, AI, algorithms, and cognition. Cyberspace intrusions conducted and left unchallenged will begin to enjoy a level of international acceptance, no matter how many demarches or norms are advocated diplomatically.
America’s attackers in cyberspace are not interested in conducting a ‘cyber 9/11.’ The Chinese focus on industrial theft to enrich their state and leapfrog ahead militarily and commercially. The Russians use cyberspace to peddle false narratives on social media and with international proxies and ‘experts’ to influence elections, leverage criminal groups to steal industrial information and western money, and stealthily emplace code on our civilian infrastructure for industrial espionage and to threaten such infrastructure in a time of crisis or war. Iran and North Korea use cyber operations against American companies to punish states and industry they oppose (see Saudi Aramco 2012 and Sony Pictures 2014); their goal is usually political coercion and signaling, though occasionally destruction. The Islamic State/al Qaeda use the internet to post illegal speech that calls for the murder of innocents, and for recruitment, weapons information sharing, inspiration, and crude command and control. Cyberspace is the one military domain where clear boundaries and red lines have not been established or defended by the United States.
China’s Cybersecurity Law requires multinational companies to make data accessible to the Chinese Government and strengthens the Communist regime’s control over web content it considers inappropriate. Internet ‘sovereignty’ to China is freedom from western influence via the internet. Chinese law requires tech companies operating in China to retain consumer data and provide the state access, while also filtering content deemed illegal. China will soon use such data to monitor all Chinese citizens. The tool the West may have thought would open totalitarian regimes has served such regimes very well in maintaining totalitarian control.
China’s cyberlaw now includes a ban on foreign internet firms unwilling to comply with the country’s policies on content removal -- most notably Google, Facebook, and Twitter. This has led to domestic firms essentially imitating western business models while adhering to government restrictions, such as Baidu, Google’s Chinese counterpart; Renren, the Facebook of China; or Weibo, the counterpart to Twitter. Perhaps the most important (and protectionist) policy within Chinese law is the requirement that companies cough up their source code so that the government may ensure that it is ‘secure’ and ‘legal.’ The Chinese then steal such source code and provide it to Chinese companies, who integrate it and subsequently push the American firms out of the market. These American firms just cannot help themselves but comply. The U.S. Government ought to admit to these companies that it cannot protect them in China from industrial espionage and that they are most likely to lose their intellectual advantage. (Why don’t these American companies go to Latin America, which desperately needs development assistance, and help our immigration problem? Why doesn’t the Congress pass legislation to encourage them to do so?)
Action in violence-free cyberspace is far easier for authoritarian and totalitarian states to conduct than for liberal, consensus-building democracies. In short, the invention once thought of as a panacea for advancing free speech and liberal democracy is instead the perfect tool to effect internal political control against dissidents and freedom seekers and asymmetrical warfare against the United States.
Cyberspace is sometimes referred to as the “Wild West” precisely because it has not been tamed by the United States and its allies. The shaping of cyberspace requires a combination of international norms promulgated on paper in international forums but also clear, well-signaled responses to unacceptable activities. The United States needs to introduce the concepts of dominating and ‘winning’ in cyberspace, first and foremost to protect internationally accepted notions of property and sovereignty.
The cyber world had expected President Trump to release the country from the previous administration’s naive restraints. So far, strangely, there has been no change to cyber policy. We need to adopt a broken windows policy toward cyber, or we will live forever with a level of crime and malicious activity that will forever sap the West of wealth, technological advantage, and political security. Our adversaries are using the very technology we invented to undermine us, enrich and empower themselves, and strengthen authoritarian rule, yet we do little about it.
How to Fight During Peacetime
The Trump Administration must demand and pre-approve more timely and bold defensive and offensive operations from DoD for cyberspace to cease being the domain where U.S. and western interests, wealth, and proprietary information continue to be lost to malicious, adversary cyberspace activity. The country must shift to an operational mindset in the cyber domain, just as we would if U.S. airspace or sea space were continually violated by adversaries to steal U.S. wealth and information. Failing to do so will result in the very environment we fear – one where our adversaries and competitors take what they can via cyberspace, meddle in our politics and shape new political realities, while we stand by naively expecting international law and norms regarding sovereignty, proprietary information, and wealth to be respected.
Western response to such cyber activity should include elements of deterrence, capabilities that can de-escalate an international crisis, and the legal recognition that much of what the Islamic State publishes on the web is illegal (not just hate) speech.
We need to test and deploy offensive cyberspace capabilities, at scale, and in ways that make it clear that we can back up words with action while reinforcing the ability of the U.S. government to exercise power and defend the nation consistently with international law and norms. At present, our approach to the current period of continuous confrontation has been almost exclusively defensive, including the hardening of defenses of U.S. government and DoD networks. The U.S. approach to shaping norms of cyberspace will need to involve elements of offense, as well as the private sector if it is to be successful.
Cyberspace will favor authoritarian states that violate sovereignty, law, and international norms all in ‘peacetime’ as long as the United States does not successfully impose costs for such warfare. The sooner we recognize how our adversaries ‘fight’ in peacetime, and what is required of us to compete and win in this new ‘Phase 0’ of warfare, the more successful we will be in defending our sovereignty and preventing conflicts from escalating to actual violence.
Without both elements – denial and punishment – deterrence will be weak or fail. The goal for cybersecurity, therefore, should not be to appear non-threatening, but to appear extremely capable in cyberspace (like in the nuclear world) to deter malicious and destructive cyberspace actions through the credible threat of retaliation or horizontal or vertical escalation. Additionally, this goal must include demonstrating that capability when necessary. The United States cannot achieve the outcome it desires without conditioning the behavior it expects.
The West runs the very real risk of trivializing cyber-attacks, such as the November 2014 North Korean attack against Sony Pictures, the April 2015 denial of service attack against TV5Monde in France, or the December 2015 and 2016 cyber-attacks against Ukraine’s electrical power. Instead of retaliation, the Obama Administration labeled these events ‘vandalism’ and abstained from punishing the attackers appropriately to deter future acts.
Further, assuming that our adversaries likely think the United States is already in their networks or at least could be during a crisis, our adversaries might become emboldened to escalate a crisis if the United States were to not use cyberspace capabilities to control a crisis. Since we are more capable, they assume, inactivity would be evidence of a lack of capability. Similarly, assuming that adversaries think that the United States is already in their networks, in a crisis, adversaries might assume that the United States is going to attack their networks and, therefore, believe they ought to preempt such an attack in cyberspace.
Therefore, by not having such a cyber-attack capability ready or policy in place to retaliate against lower level, unacceptable cyber activity, the United States may only be placing itself at greater risk of escalation. As a crude analogy, if the United States voluntarily were to eschew the use of airpower in confrontations with adversaries, where it was assumed U.S. airpower was highly capable, the United States might suggest over time that its airpower was not as strong as thought. If nations cannot agree diplomatically on general concepts and rules of behavior in the cyberspace domain, the United States cannot realistically expect malicious actors to respect the norms it voluntarily imposes on itself in cyberspace.
‘Cyber deterrence’ may imply that deterrence of malicious cyber activity occurs through the employment of defensive and offensive cyber capabilities. But malicious cyber activity does not have to be deterred necessarily by cyber activity. Malicious cyber activity can be deterred by defense and punishment through the other domains and a whole of government approach, including sanctions, public attention, diplomacy, and private sector activity.
Until the United States demonstrates the willingness to use cyber or other capabilities to punish unacceptable behavior in cyberspace, threats of punishment alone will continue to ring hollow, and defense alone will be insufficient. It may sound contradictory, but if the United States wants to reduce the number and severity of malicious cyber-attacks against it, it must attack back more often. Without action, no discussion paper or thought piece is going to establish ‘cyber deterrence.’ What is needed is a ‘J’ curve of cyberspace activity: operations that, at first, may involve more activity before norms are clearly established and stability recovers and ultimately improves. Current U.S. Government cyberspace leaders are so worried about stability that they eschew most any operation that involves pushing back against our adversaries and state thieves – sadly, the worst thing to do and precisely what our adversaries want us to do.
The cyber problem is not intellectual. The problem is one of bureaucracy and personnel. People with the wrong mindset, thinking cyberspace is just about defense and security, are in the U.S. Government blocking cyberspace counter-preparation of the environment and requisite cyberspace operations necessary to restore cyberspace equilibrium, the defense of U.S. intellectual property, and strategic stability. The blocking of requisite U.S. cyberspace activity has led to drastic conclusions, as allegedly noted in the U.S. Nuclear Posture Review, which claims that the U.S. might have to use nuclear weapons in response to strategic cyberspace attack by malign actors. This is likely the sad, largely desperate result of having abdicated a mutually assured disruption relationship with our state competitors. The United States sits by impotent and feckless, wondering why things do not get better on their own in cyberspace. Further, the United States wrongly concludes that rights involving proprietary information and what constitutes free vs. illegal speech are not internationally established. Such laws and norms are indeed well established but are not respected by our adversaries and nonstate (terrorist) actors who know that we choose not to react to their violations.
The Trump Administration must assume a larger role in defending the nation from malicious cyber actors, both because the President called for a greater role and because it is obvious that malicious state and nonstate cyber activity continues unabated. More response to malicious cyberspace activity is as important to the country as immigration reform, health care reform, and our war against Islamist terrorism. The era of U.S. self-restraint must end.
James R. Van de Velde is an Associate Professor at the National Intelligence University, as well as an Adjunct Faculty member at Johns Hopkins and Georgetown University. The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of the U.S. Government, the Department of Defense, or the National Intelligence University.