Key Points of the New US Cyber Strategy

The new US Department of Defense Cyber Strategy that was published last week offers a remarkably clear and comprehensible insight into the US military's view on cybersecurity and is the first official update to the DoD strategy published in 2011.

So what can we learn from how the US DoD thinks about “cyber” in 2015?

“Cyber” is indisputably a military domain

The strategy repeatedly refers to cyber, cyberspace, cybersecurity, cyberattacks (the list goes on), but since none of these concepts is defined it is not very clear exactly what the DoD is talking about when it comes to “cyber”. What is clear, however, is that cyber is indisputably a military domain. A concept that was, and in some corners continues to be, widely contested during the evolution of the Internet seems to have cemented itself in the global policy debate, along with the notion that nation states continue to be key actors in Internet governance and global cybersecurity issues.

However, the DoD does not claim ownership of “cyberspace” but instead frequently stresses the importance of cooperation and multilateralism – both in terms of cooperation with domestic industry as well as international partners. The strategy, presented at Stanford University, especially seeks to appease the somewhat tense relations between the Pentagon and Silicon Valley through the idea that “if we cannot get Silicon Valley to come to the Pentagon, we’re going to bring the Pentagon to Silicon Valley”.

A catastrophic attack is no longer the primary focus

Since 2013, the Director of US National Intelligence has named the “cyber threat” as the number one strategic threat to the United States but the new strategy indicates a shift in what kind of threat the US is actually concerned with. When cybersecurity began its rise to prominence following 9/11 the debate was littered with warnings of catastrophic, crippling attacks and metaphors of “cyber 9/11s” and “cyber Pearl Harbors”.

In contrast, the DoD has now shifted its attention to persistent low-level attacks that could damage individuals, firms, and some industrial systems, as well as cyberespionage that steals U.S. intellectual property to undercut the US technological and military advantage. The strategy also (unsurprisingly) singles out China, Russia, Iran, North Korea, and the Islamic State (IS) as actors that have displayed an overt level of hostile intent towards the United States and its interests in cyberspace.

Concern for malware proliferation and zero-day markets

The strategy highlights the proliferation and marketisation of malware as a key security challenge for the United States. The opportunities for nation states, non-state actors, or individuals to purchase destructive malware and other capabilities continue to increase and have created a dangerous and uncontrolled market that serves multiple actors within the international system, often for competing purposes.

This will most likely be an increasingly important policy issue for the US government where it will be faced with the two-pronged challenge of creating norms or regulation that can appease both political adversaries and the legitimate information security research sector.

A newfound belief in deterrence

The concept of deterrence (and comparisons to the nuclear weapons proliferation debate) has been present in the cybersecurity debate for a long time. However, very few policy makers and scholars have found Cold War deterrence frameworks to be applicable or relevant to cybersecurity – mainly due to the low barrier of entry and attribution problems. There have been signs that US policy has been slowly shifting in relation to “cyberdeterrence” and it is now clear that the DoD believes deterrence is not only possible but necessary for a secure US cyberspace.

The DoD presents a three-fold deterrence strategy of response, denial, and resilience.

  • Response – The US needs to convince a potential adversary that it will suffer unacceptable costs if it conducts an attack on the United States and the strategy makes it clear that the US will continue to respond to cyberattacks at a time, in a manner, and in a place of their choosing, using appropriate instruments of US power and in accordance with applicable law.
  • Denial – In essence making the US infrastructure so difficult to successfully attack that potential adversaries will be deterred from trying.
  • Resilience – To achieve a national infrastructure that is so resilient and redundant that it continues to operate even if an adversary is successful in a disruptive or destructive attack.

There seems to be little concern for attribution problems as the DoD cites “significant investments” from both the Pentagon and the intelligence community in collection, analysis, and dissemination capabilities to reduce the anonymity of state and non-state actor activity in cyberspace.

The US capability for attribution will be key in dissuading actors from conducting cyberattacks and will grow increasingly important for deterrence as activist groups, criminal organisations, and other actors acquire advanced cyber capabilities over time.

Offense is the new defense

The new strategy presents a clear policy shift from the DoD when it comes to openness with offensive cyber capabilities, which previously have been (mostly) absent from public strategy documents. While the strategy does not disclose the specifics of what offensive capabilities the US currently possesses it is made clear that the “DoD must be able to provide the President with a wide range of options for managing conflict escalation” – including disrupting an adversary’s command and control networks, military-related critical infrastructure, and weapons capabilities.

The strategy also gives some hints as to when it would be appropriate for the US military to conduct (offensive) cyber operations to protect U.S. interests in an area of operations.

For example, the United States military might use cyber operations to terminate an ongoing conflict on U.S. terms, or to disrupt an adversary’s military systems to prevent the use of force against U.S. interests. United States Cyber Command (USCYBERCOM) may also be directed to conduct cyber operations, in coordination with other U.S. government agencies as appropriate, to deter or defeat strategic threats in other domains.

These offensive cyber capabilities are to be developed and deployed to achieve key security objectives with precision and minimal loss of life and destruction of property. The DoD also envisions that these capabilities will be synced with kinetic operations across all domains of military operations.

Aggressive defence policy can create security dilemmas

Whereas the DoD acknowledges the need for offensive capabilities, it is also concerned with the potential negative consequences of offensive policy. An increasingly aggressive cyber policy may create a security dilemma with a global escalation of offensive capabilities that could endanger US interests in cyberspace.

To ensure that the DoD supports the overall US policy for an open, free, and prosperous Internet it is made clear that the DoD will always act in a way that reflects enduring US values, including support for the rule of law, as well as respect and protection of the freedom of expression and privacy, the free flow of information, commerce, and ideas.

Any decision to conduct (offensive) cyber operations will be made with the utmost care and deliberation and under strict policy and operational oversight, and in accordance with the law of armed conflict. This is also in line with recent US policy efforts to build influence over Internet policy and cybersecurity issues by promoting norms supportive of US policy objectives. How successful this cautionary offensive doctrine will be remains to be seen but it will undoubtedly be challenging for nation states to justify why certain actors are entitled to offensive capabilities and others are not.

However, the strategy also makes it clear that not all cyberattacks will warrant a military response and that the US will continue to be flexible in its responses, including the possibilities for diplomatic action, legal action, and economic sanctions.

Asia-Pacific Cyber Insights

The ASPI Asia-Pacific Cyber Insights aims to bring the Asia-Pacific experience and perspective to the key themes and questions of the Global Conference on Cyberspace 2015 (GCCS) taking place this week.

As a key region in the global Internet space with almost half of global netizens, Asia-Pacific represents diverse, dynamic, and important perspectives on international cyber issues.

The themes to be discussed at GCCS and highlighted in the publication include:

  • International peace and security
  • A secure place for business and people
  • Global Forum on Cyber Expertise: A global platform for cyber capacity building
  • Fast forward, economic growth and development in cyberspace
  • Privacy

The publication highlights three key general takeaways from the Asia-Pacific experience: clarity, capacity, and responsibility.

Clarity

To strengthen cybersecurity and build confidence governments need to be clearer about the governance structure of the Internet as well as their intentions in cyberspace. Publication of policies, strategies, and doctrines, clearer definitions and terminology, and the establishment of national points of contact can all help reduce the risk of miscommunication and conflict.

Capacity

The Asia-Pacific region is home to several least developed and developing countries that have benefited, and will continue to benefit, the most from technical, policy, legislative, organisational and law enforcement capacity building efforts. Nevertheless, as ICT continues to play an increasingly important role in both developing and developed countries there is a need to build expertise and invest in knowledge transfer on the global level as well.

Accountability

Internet issues and cybersecurity are rarely straightforward. Complex relationships between governments, international organisations, civil society, network operators, service providers, and individuals make it challenging to understand who is responsible for what in what circumstances. In order to build trust and confidence in the global cyber environment accountability is a key challenge. All actors need to be clear what they are responsible for and what can be expected from them in order to successfully avoid, mitigate, and resolve cyber issues.

The whole publication is well worth a read if you would like to know more about the current cyber situation in the Asia-Pacific and it is available for download here.

Breakdowns of Democracy

Lately I’ve been experimenting with visualising data using Tableau and although I’m still a beginner the software has some neat features. The dashboard below shows breakdowns of democracy between 2000 and 2014.

CFR Launches the Cyber Brief Series

The Council on Foreign Relations recently launched their new Cyber Briefs series through the Digital and Cyberspace Policy Program. The Cyber Briefs are short memos that offer concrete recommendations on topics such as cybersecurity, Internet governance, and online privacy that will be published bimonthly on the CFR website.

The first brief in the series, titled ‘Promoting Norms for Cyberspace’, is written by Henry Farrell, associate professor of political science and international affairs at George Washington University. Mr. Farrell has also provided some additional thoughts on the topic at the Washington Post.

Mr. Farrell makes the case that norms matter for (US) cybersecurity for four reasons:

  1. The US is vulnerable to cyberattacks and this weakness is difficult to address using conventional tools of military statecraft.
  2. It is difficult to ensure that complex information systems are fully defended, since they may have subtle technical weaknesses.
  3. Classical deterrence is not easy in a world where it is often challenging to identify sophisticated attackers, or even to know when an attack has taken place.
  4. Treaties are hard to enforce because it is so difficult to verify compliance – particularly in cyberspace, where weapons are software, not missiles.

He further argues that it will be difficult for the U.S. to shape norms without making major changes to other aspects of their policy. His main recommendations for this policy alignment are to:

  1. Reform U.S. intelligence activities to make them more consistent with the publicly expressed norms of Internet openness that the United States is trying to establish.
  2. Disclose more convincing evidence when trying to shame actors that do not abide by cybersecurity norms.
  3. Encourage other states and civil society actors to take a leading role in norm promotion—even when this cuts against U.S. interests. To develop legitimate norms, the U.S. should let some of its partners take the lead. New norms will not be seen as legitimate if they are perceived to be solely a projection of U.S. interests.

Overall, Mr. Farrell provides some important points in his brief but I think his comments in the Washington Post most succinctly summarise the challenges ahead:

“When actors have many shared values, norm building is easier. When actors have few shared values, then norm building is hard. Furthermore, if you want to persuade others to accept norms, you will have a hard time unless you are obviously and sincerely committed to those norms yourself.”

It is clear that the Snowden revelations have tarnished the U.S. reputation as a proponent of a free, open, and democratic Internet but perhaps more importantly they have also tarnished its reputation with key allies such as Germany and other European countries. Mr. Farrell correctly highlights that the US needs to work both on aligning its intelligence activities to its Internet policy and on including other non-government actors such as the EFF in its norm advocacy. However, as with many policy suggestions in the cybersecurity arena, they are easier said than done.

As long as common global cybersecurity norms remain challenging to develop, and they will be for a long time, the US will be faced with the decision of which is more rewarding: NSA intelligence operations or their alignment with open Internet norms. My guess is that wide-scale intelligence gathering will continue to hold the upper hand for some time to come.

Further, rebuilding the US reputation with key cybersecurity allies has been and will continue to be a policy priority for the White House moving forward, but the main challenge will be to build common norms with countries outside the American sphere of influence. In the Washington Post Mr. Farrell notes that while the US has promoted an open and robust Internet, other important (authoritarian and semi-authoritarian) countries may view this as a threat to the stability of their governments.

There is a significant divide between the position for a free and open Internet, typically led by the US and the EU, and a more restricted, nation-state controlled Internet, typically led by Russia and China and supported by a majority of developing countries. For the creation of common Internet norms that will have a significant impact on the global level of cybersecurity, I believe this to be a fundamental challenge. The main challenges and cybersecurity threats that the US faces do not originate from its allies but from countries like Russia and China, and it will be imperative that the US is able to reach a common understanding about what is acceptable behaviour in cyberspace in order to reduce these risks.

And while there has been significant development in the last ten years with ICANN reform and dialogues like NetMundial there is still a huge divide to overcome, a divide that will be incredibly complex and difficult to solve. But I agree with Mr. Farrell that if the US is seriously committed to building norms in cyberspace, it is going to have to start thinking about how to do this.