U.S. national security experts and policymakers are heatedly debating how best to respond to the rising challenge of state cyber intrusion. One school of thought, embraced by the current administration, seeks to adopt more aggressive offensive measures in cyberspace to challenge adversaries and demonstrate American power. Other thinkers, best exemplified by the more cautious approach of the Obama administration, contend that the immediate priorities for the U.S. are to improve defensive capabilities and avoid dangerous escalation in cyberspace. This paper will explore the arguments for both offensive and defensive strategic approaches in cyberspace.
Filling the Breach: Defensive Cyber Strategy
Proponents of what might be broadly termed cyber defense argue that attacks in cyberspace from both state and non-state actors are increasingly ubiquitous and pervasive and therefore the United States should focus its efforts on strengthening key computer infrastructure to reduce harmful infiltration and sabotage. There are millions of cyberattacks a day on government and private computer systems in the United States, most of which are exceedingly difficult to attribute to certain actors. To attempt widespread attribution would be a waste of time and resources. The priority should be on mitigating losses and making it as difficult as possible for attackers to access critical information. The definition of critical or essential information varies by organization but includes personal information or intellectual property for companies and state secrets for government agencies. Practically speaking, this first means installing more effective monitoring technology to alert authorities to system breaches, preferably by installation teams comprising both government and private experts. Once a breach is identified, response teams both within the government and the private sector repair the point of failure and learn how to prepare defenses more effectively in the future. In a similar vein, defensive thinkers strongly advocate the constant use of ‘red-team’ tactics and ‘stress-tests’ to find gaps in U.S. cyber defenses before adversaries do. In this way, U.S. cyber experts can dynamically respond to a variety of threats by strengthening defenses across the board. Through monitoring and stress-testing, the U.S. government can raise the costs of cyber infiltration while concentrating resources on achievable goals.
Another important strand of defensive thinking is its emphasis on the dangers of escalation in cyberspace. Drawing on the rich studies of misperception by Robert Jervis and others, experts such as Miguel Gomez of the Center for Security Studies argue that while cyberattacks have so far fallen below the threshold of war, this will not necessarily be the case in the future. As cyberattacks grow in sophistication and as the world increasingly relies on integrated computer systems, cyberattacks increasingly threaten to breach crucial national security boundaries for many nations. An action in cyberspace intended as a low-level warning or routine surveillance might be perceived by the target state as the opening salvo in a conflict. For this reason, defensive thinkers argue that U.S. cyber strategy should adopt a restrained approach in order to avoid unintended confrontation. Rather than pursuing unilateral cyber operations, defensive thinkers advocate diplomatic efforts with allies, international organizations, and even adversaries to establish clear norms and standards for the use of cyber actions. These international norms could decrease the chance of misperception and escalation by providing a framework for acceptable offensive and defensive measures, much as similar frameworks have been established regulating the use of chemical weapons. The U.S. relies to a large extent on the Internet and its advanced computer infrastructure to operate its modern economy and is thus a status-quo power in cyberspace. Adversaries seek to improve their own position by degrading America’s technological edge through aggressive infiltration of its cyber systems. Only by adopting a defensive stance can the U.S. hope to maintain its advantage.
Leveling the Playing Field: Offensive Cyber Strategy
Offensive cyber strategists assert that the only way to establish proper deterrence in cyberspace is to establish cyberattack capabilities on par with adversaries. When opposing powers recognize the U.S. as a force capable of striking back with equal force, they will be forced to limit their destructive intrusions into American cyber infrastructure. Cyberwarfare in this conception works similarly to classic twentieth century theories of nuclear deterrence, where broadcasting a certain amount of strength is necessary to forestall aggressive enemy action. Offensive thinkers argue that foreign adversaries will not cease launching cyber actions against the U.S. until the costs outweigh the benefits. Countries like China and Russia need to be aware that the U.S. can inflict just as much damage on them as they can on the U.S. More broadly, offensive thinkers seek to free the U.S. from what they see as its defensive crouch in cyberspace by embracing military doctrines of initiative and preemption. An aggressive and dynamic cyber strategy will not only defend the homeland but will also open up offensive targets in enemy territory. Only by establishing an effective offensive and retaliatory power of its own can the U.S. hope to establish deterrence in cyberspace and achieve national security goals abroad.
Offensive cyber strategists also contend that the very nature of U.S. cyberspace makes a defensive strategy difficult to implement. These thinkers argue that deep intrusions into governmental and private computer systems by foreign adversaries are essentially unstoppable as long as the U.S. maintains the open Internet structure from which it has benefitted for the last few decades. They cite the privacy protections that often severely hamper the U.S. government’s ability to identify cyberattacks in the private sector. There is generally a wide separation between the commercial sector and the American government, a positive structure for many reasons but unfortunately a significant barrier for effective cyber defense and monitoring. At the same time, the U.S. government relies to a large extent on the private sector for vital national security research and procurement, making the security disconnect even more dangerous. Because the U.S. cyber system is so fractured and insulated from government oversight, efforts to improve cyber defenses will be minimally effective and will strategically cede ground to opponents. Government resources should instead be concentrated in retaliatory and even preemptive offensive abilities that can degrade foreign adversaries’ ability to strike America. Offensive thinkers often advocate the concentration of resources within U.S. Cyber Command, a military cyber unit established in the Obama administration. They argue that rather than spreading resources across the vast bureaucracy, Cyber Command can act as the focal point for both offensive and defensive action in cyberspace. Through its military nature and legal authorities, Cyber Command can also act more quickly than other bureaucratic entities, a necessity in the dynamic environment of cyberspace. By striking hard and fast, offensive thinkers argue that the U.S. can finally bring its immense technological resources to bear within the realm of cyberspace and seize the strategic initiative.
The debate over cyber strategy is likely to be a lasting one as both the offensive and defensive approaches have advocates within government and policymaking circles. The Obama administration tightly supervised military cyberattacks and was reluctant to escalate confrontation. The Trump administration has authorized cyberattacks inside adversaries’ borders and given U.S. Cyber Command more leeway over strike commands. It is unclear which approach is more effective. Widespread foreign hacks and infiltration of U.S. government and private computer systems have continued apace, as the U.S. has generally struggled to compete with rivals in cyberspace and to articulate a unified cyber strategy. The debate over U.S. cyber strategy remains unsettled even as cyberspace becomes an increasingly important domain of state conflict.
About the Author:
Reid Barbier is a graduate student in the School of International Service at American University. He is currently working towards his masters degree in the Foreign Policy and National Security program.
*THE VIEWS EXPRESSED HERE ARE STRICTLY THOSE OF THE AUTHOR AND DO NOT NECESSARILY REPRESENT THOSE OF THE CENTER OR ANY OTHER PERSON OR ENTITY AT AMERICAN UNIVERSITY.