How can governments, in partnership with each other and with their societies, create conditions for enduring security in the cyber age?[1] In various ways, this question was posed repeatedly—and urgently—at the inaugural CyConUS conference held in Washington, D.C., in October 2016. This event, co-sponsored by the Army Cyber Institute at West Point and NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) headquartered in Tallin, Estonia, convened the best and the brightest in the world of cyber affairs, including leaders in government, industry, academia, and the media. While no consensus answer to the question was on offer, the assembled cyber luminaries contributed to an overarching theme: we are all living through, and participating in, a revolution in human affairs with significant consequences for how states achieve their core national security objectives. The characteristics of this revolution include exponentially accelerating social action-reaction times, dramatic increases in the complexity of the interactions among people and their environments, and the emergence of new tools and techniques that are readily available to actors both old and new.

The tempo and scope of the cyber revolution are developing in ways that are beyond anyone’s complete comprehension.  To achieve success in this dynamic environment, government policy must be keyed to system effects. That is, policy has to leverage multiple domains, working through many different areas of social life, to have chance at achieving its stated goals. Those objectives, moreover, must be directed toward the emergent properties generated by open and dynamic systems, environments in which governments are but one of many different types of actors. All told, the cyber age is imposing significant burdens on governments, the most demanding of which are cognitive and intellectual in nature.

This last point implies a special burden on cybersecurity professionals and students of cyber affairs. As a result of the relative newness of the cyber domain, and the rapid pace of the developments therein, there is a tendency to turn away from traditional concepts and theoretical frameworks and to see cyber affairs as fundamentally and irreducibly novel; a realm of conflict that necessitates its own specialized (an impenetrable) vocabulary and set of explanatory tools.  Such a view comes at a cost, however, because most of what is occurring in the cyber domain is explicable in terms familiar to those who are not cyber professionals. For those convened at CyConUS, confusion is an enemy. “We must demystify cyber offense and defense,” Sven Sakkov, the director of NATO CCDCOE, urged the conferees. “We need to have a normal, adult conversation about these matters.” Yet, the problem remains: cyber affairs are extraordinarily complicated, and if all of the revolution talk is to be believed, no one can actually understand the totality of what we are experiencing and facilitating.

In the spirit of attempting to make sense of some of the cyber challenges confronting governments today—to take seriously the demystification imperative—I offer here four major takeaways from this important gathering.

Emerging Vulnerabilities: Blurring the Critical and Noncritical Infrastructure Boundary

A core element of strategic decision making is establishing priorities among important objectives. Priorities are essential because states do not possess unlimited resources to tackle every threat confronting them. Two realities of cybersecurity reinforce the necessity of establishing a hierarchy of goals: the exponential growth of the internet and the insecurity that infuses its architecture. This ubiquitous, insecure, and polymorphic communications medium poses a number of problems for governments, not the least of which is the issue of deciding which networks are critical to national security and which are not. The distinction between critical and non-critical infrastructures was reasonable, for a time, because it allowed governments to conceive of ways in which scarce resources could be effectively marshaled to address the most pressing challenges.

This distinction proved short-lived, however, because ostensibly critical infrastructures were embedded in the same internet as non-critical infrastructures. As the former Director of the National Security Agency General Keith Alexander explained, the distinction evaporated with the birth of network convergence, or the coexistence of different forms of communications within the same network. Exacerbating this trend was the rise of the internet of things (IoT). As more and more devices of dubious security (routers, programmable logic controllers, heart monitors, and refrigerators, for example) come online, the range of co-optable platforms available to bad actors grows substantially. As it turned out, the cyber-fates were with Gen. Alexander as he delivered his keynote address to CyConUS attendees. Beginning on the morning of October 21, 2016, a massive distributed denial of service (DDOS) attack, exploiting thousands IoT devices, hit the company Dyn, one of the main domain name system (DNS) services in the U.S., crippling major web services for extended periods throughout the day. This attack proved to be an annoyance for most users by temporarily rendering inaccessible Twitter, Pinterest, and WhatsApp among others. Yet, the reality is that vital sectors of modern life (banking and finance, electrical grids, telecommunications, etc.) are all embedded in the same internet. As the number of potential targets and attack vectors grows with network convergence, the utility of differentiating between critical and non-critical infrastructures declines.  The implication is that strategic prioritization of targets (identifying which to defend most heavily), and the corresponding rational allocation of scarce resources to that effort, becomes extraordinarily difficult.

New Conflict Drivers: Fusing Cyber Offense and Defense

Preventing network penetrations from malicious actors is a top priority for companies, organizations, and governments. With the growth in the number and sophistication of the threats seeking to exploit networks for either commercial or political gain, the nature of the response is changing dramatically. While strong perimeter defense (largely in the form of firewalls) remains an integral part of cybersecurity, those tools alone are inadequate to the task. The reason, Lucas Kello argues, is due to a substantial offensive advantage in the cyber domain.  “Whereas the attacker need understand only the procedures of entry and attack it decides to employ, the defender must continuously protect the entire network surface against the vast universe of conceivable attacks….”[2]  This asymmetry confronts purely defensive measures with nearly insurmountable challenges.

Cyber defense is moving beyond the “Maginot Line” mentality of the firewall; offense and defense are becoming increasingly interdependent.

To redress the offense-defense imbalance, synergies between cyber defense and offense are now being explored to enhance network security. “Cyber hunting”—the proactive scanning of the threat horizon for potential adversaries and acting preemptively against them—is increasingly prevalent. Employing automation, artificial intelligence, and targeted operations, corporations and governments are beginning to engage in actions that seek to disrupt would-be threats before they fully materialize. In so doing, a division of labor is developing between humans and machines. Identified threats that are deemed to be of lower-order concern are dealt with by automated systems, whereas humans (i.e., policymakers) are brought into the decision process to address threats that are likely to be of much greater magnitude—or whose sponsors are nation-states. Cyber defense is moving beyond the “Maginot Line” mentality of the firewall; offense and defense are becoming increasingly interdependent.  One implication is that conflict in the cyber domain is becoming more recognizable to both classical and modern strategists who have long recognized the close relationship between offense and defense. Another, potentially troubling, implication is that as cyber defense incorporates more offensive elements, the ability of actors to distinguish between offense and defense declines. Offense-defense indistinguishability has long been understood to be a generator of the security dilemma and a source of interstate competition and international instability.

Crisis Management: Attribution, Escalation, and Cross-Domain Coercion

Although computer network attack (CNA) is becoming a more accepted instrument in the cybersecurity toolkit, the likely implications of widespread CNA operations should be more thoroughly considered. Two issues must factor into this discussion: attribution and escalation. Correctly attributing a particular threat or exploitation is as important in the cyber realm as it is in any other realm of conflict. Despite its technological shroud, cybersecurity remains fundamentally about people—agents using cyber tools for political or commercial motives. Effective cyber coercion (either in the form of deterrence or compellence) will necessarily be directed against those agents. Misattributing responsibility for an attack, and taking retaliatory action against the wrong target, can induce unanticipated conflict escalation. Not only would the scale and scope of such an escalation be difficult to foresee, but the domains in which escalation would occur is also unknowable beforehand. In response to the persistent cyber operations against the Democratic National Committee during the 2016 U.S. presidential elections, for example, proposals have been floated for cross-domain retaliation against suspected Russian perpetrators. Should a non-cyber retaliatory operation be carried out, the U.S. might have to contend with possible counter-actions in every other domain. Actors in cyberspace are not necessarily confined to it.

The inherent difficulties of cyber attribution, and the relationship between attribution and escalation, suggest at least three policy-related concerns. The first pertains to the freedom that private entities have in conducting cyber offensive operations, either in response to an attack that has occurred or in anticipation of one that is in the offing. Many at CyConUS argued that national governments should retain for themselves the responsibility of conducting CNA due to the limited capacities of private companies to ensure correct attribution. The likelihood of misattribution declines when cyber offensives are informed by the products generated by the intelligence agencies of nation states. Intelligence agencies are fallible, of course. As such, the second implication is that widespread sharing of cyber-related intelligence among (and within) national-level governments must continue and expand. Third, proposals for retaliatory or anticipatory cross-domain coercion must be considered with caution. An eagerness to respond to cyber threats with all available tools carries substantial risk by traversing an easily recognizable escalation threshold. Scholars of conflict escalation have long emphasized the value of tacitly-agreed upon walls and ceilings that can—when observed—confine ongoing conflicts. Each subsequent transgression of a threshold makes the next crossing all the easier. The upshot is that governments would do well to invest heavily in offensive cyber capabilities. The more states can tailor their responses within the cyber domain, the more likely the conflict will remain controlled, and the less likely more kinetic and lethal operations will be needed.

Mitigating Cyber Conflict: Transparency, Norms, and Stability

Among the many problems confronting the United States (which is simultaneously the most cyber-endowed state and also one of the most vulnerable) is how to chart a course with other nations toward global governance in cyberspace. Part of the problem, as the author Fred Kaplan noted, is the uneven manner in which the Obama administration has handled the two components of cybersecurity, attack and defense. The problems associated with excessive classification are not new, nor are they restricted to cybersecurity. But in terms of CNA, classification has been extreme. Indeed, it was only recently that the administration even made public statements to the effect that CNA—as a concept—exists at all. The extreme secrecy blanketing CNA precludes scholars, activists, and practitioners from making meaningful contributions to the discussion about the development of standards of conduct which, if mutually agreed upon, could contribute to stability and predictability in an area of international relations that is now an ungoverned space.

At the same time, the U.S. government has engaged in a form norm entrepreneurship, at least with respect to the U.S.-China bilateral relationship. From the American perspective, political and military information are legitimate targets for cyber espionage. These are, after all, the traditional objectives of spies. What the Obama administration has pushed back on is the issue of industrial and intellectual property theft. For the time being, the U.S. seems to have had some success. There has been a marked decline in Chinese cyber operations targeting American corporations. Two non-exclusive explanations exist for this decline. First, the U.S. effectively convinced the Chinese to behave in more acceptable ways, and second, the Chinese have become more adept in their ability to exfiltrate industrial information and intellectual property without detection. Despite the possibility of the latter, mutual restraint is a positive first step in the process of creating norms that regulate to some extent how nation-states engage one another in cyberspace. Left to be addressed is the problem of officially upholding a norm while seeking to skirt its constraints through state-sponsored private actors. This problem will likely persist and grow, but the perceived necessity of governments appearing to be responsible cyber-stakeholders can have positive security benefits for all involved.

Conclusion

Few at CyConUS were optimistic about the future of cyber restraint among states, however. Rather, it was the assertiveness of nation-states—including the extensive cyber-information operations targeting the American electoral process conducted by a foreign power—that featured prominently in many of the keynotes and panel discussions.  Whether the U.S. and its allies can respond effectively to these challenges, and the many others likely to follow, remains an open question. The road ahead is fraught. As Senator Mark Warner (D-VA) noted correctly, the cyber era is one of asymmetric conflict. For all of the billions of dollars the U.S. spends on cybersecurity through the departments of Defense and Homeland Security, determined attackers can find success for a minuscule fraction of that cost. Bending that cost-curve in a more favorable direction must be a top priority for the U.S. and its global partners.

Spencer Bakich is an associate professor political science at the Virginia Military Institute and the author of Success and Failure in Limited War: Information and Strategy in the Korean, Vietnam, Persian Gulf, and Iraq Wars.

Have a response or an idea for your own article? Follow the logo below, and you too can contribute to The Bridge:

Enjoy what you just read? Please help spread the word to new readers by sharing it on social media.

Header Image: Cyberspace (Indian Case Laws)

Notes:

[1] The author thanks Virginia Military Institute cadets Mark Barbera, Anna Conover, Tyler DeJoe, Scott Kerchberger, and Hunter Wolfe for their thoughtful and trenchant criticisms of an early draft of this piece.

[2] Lucas Kello, “The Meaning of the Cyber Revolution: Perils to Theory and Statecraft,” International Security, vol. 38, no. 2 (Fall 2013), 28.