Bytes, Bombs, and Spies
Chapter 4: A Strategic Assessment of the U.S. Cyber Command Vision
Excerpt from Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations, a new book from Brookings Institution Press. Chapter Four was written by Max Smeets, a cybersecurity postdoctoral fellow at FSI’s Center for International Security and Cooperation (CISAC), and Herbert Lin, a senior research scholar at CISAC.
Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations, edited by CISAC’s Herbert Lin and Amy Zegart, comes out this week. A collection of 16 papers, the book grew out of a 2016 Hoover Institution workshop held in partnership with U.S. Cyber Command, which gathered more than 20 distinguished researchers from academia and think tanks as well as former policymakers in the Department of Defense and U.S. Intelligence Community to consider cyber strategy and doctrine.
The chapter below addresses an important strategic question. Given the inadequacies of a cyber strategy based on a policy of restraint, how and to what extent is the 2018 adoption of U.S. Cyber Command’s new vision likely to change the strategic calculus of U.S. adversaries and/or alter their current patterns of adversarial behavior in cyberspace? (Spoiler alert: It depends.)
The book demonstrates a need for a more comprehensive approach toward understanding offensive cyber operations, without access to classified information and without introducing new analytical concepts and tools. As a whole, the papers seek to provide a foundation for continued analysis of the many potential cyber scenarios of the future.
On April 15, 2010, Lieutenant General Keith Alexander appeared before the Committee on Armed Services in the United States Senate to review his nomination to become the first commander of the U.S. Cyber Command and also lead the National Security Agency (NSA).¹ During the hearing, General Alexander noted that serious challenges await: “While cyberspace is a dynamic, rapidly evolving environment, what will never change will be an unwavering dedication by both Cyber Command and the National Security Agency to the protection of civil liberties and the privacy of American citizens.”² He told the committee that there is “much uncharted territory in the world of cyber-policy, law and doctrine.”³
Four years later, on March 11, 2014, the Senate Armed Services Committee held a nomination hearing for Vice Admiral Michael S. Rogers to succeed Keith Alexander as head of the NSA and U.S. Cyber Command. In advance of the hearing he was asked about the major challenges that would confront the commander of U.S. Cyber Command. “I believe the major challenge that will confront the next Commander, U.S. Cyber Command will be dealing with the changing threat in cyberspace. Adversaries today seek persistent presences on military, government, and private networks for purposes such as exploitation and potentially disruption. We as a military and a nation are not well positioned to deal with such threats,” Rogers stated.⁴
On March 1, 2018, Lieutenant General Paul Nakasone appeared before the same committee to become the third commander of U.S. Cyber Command (and director of the NSA).⁵ Most of the questions the committee asked Nakasone were on the Cyber Command’s readiness and response to the Russian interference in the U.S. election.⁶ In line with this trend, Senator Ben Sasse asked: “In the cyber space, are our problems primarily technical, or are they primarily strategic and will?” “Senator,” General Nakasone responded, “I would offer that we have a number of different capabilities, and I don’t think that our problems are either of those. I think that what we have to do is continue to determine what is the best way forward here, what fits within our national strategy, and then act on that, Senator.”⁷
The purpose of this chapter is to assess to what degree U.S. Cyber Command now has a clear vision of the best way forward. Is cyberspace closer to being “well-charted territory” for the U.S. government? And has the United States found a (potential) way to deal with the variety of cyber threat actors that are said to (co)exist in this space?⁸ Our assessment focuses primarily on the 2018 U.S. Cyber Command vision entitled “Achieve and Maintain Cyberspace Superiority,” which lays out the potential benefits and risks of following this strategy.
Our main finding is that, with the publication of the most recent vision, U.S. Cyber Command has for the first time articulated a comprehensive strategy that is well adapted to the unique “symptoms” of cyberspace. Yet we also argue that the “medicine” the Cyber Command prescribes to effectively deal with the symptoms needs to be further scrutinized; indeed, the “side-effects” of the strategy are still ill-understood. We described multiple possible scenarios and provide several recommendations.
The remainder of this chapter proceeds as follows. We briefly discuss the history and mission of U.S. Cyber Command. Next, we introduce the 2018 vision and compare it with the 2015 vision. The following sections review how the new vision will likely be implemented within a changing institutional landscape, assess the strategy and provide a scenario-based analysis of the possible short-term and long-term strategic effects of the vision’s implementation, and list several important factors — not discussed in the scenarios — that may influence the potential course of action. The final section provides several recommendations.
History and Mission of U.S. Cyber Command
In mid-2009, Secretary of Defense Robert Gates directed the commander of U.S. Strategic Command (USSTRATCOM) to establish a subunified command, Cyber Command.⁹ According to Michael Warner, the U.S. Cyber Command historian, “the creation of USCYBERCOM marked the culmination of more than a decade’s worth of institutional change. DoD defensive and offensive capabilities were now firmly linked, and, moreover, tied closely, with the nation’s cryptologic system and premier information assurance entity, the NSA.”¹⁰ With the establishment of the new command came a new seal, which has the following code written in its inner gold ring: 9ec4c12949a4f314 74f299058ce2b22a.¹¹ The odd string is the MD5 cryptographic hash of the unit’s mission statement:¹² U.S. Cyber Command “plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure U.S./Allied freedom of action in cyberspace and deny the same to our adversaries.”¹³
Since 2009, U.S. Cyber Command has grown significantly to execute this mission. Table 4–1 provides a brief overview of the U.S. Cyber Command’s budget, workforce, and development.
A New Vision: Persistence through Superiority
U.S. Cyber Command published its first “vision” in 2015, which recognizes that, when it comes to cyber operations, “We as Department are still in the early stages of this journey.”¹⁴ It has a strong focus on specifying U.S. Cyber Command’s role within the Department of Defense and stresses the role of partnerships and the development of capability and force.¹⁵ The document can better be described as an elaborate mission statement, rather than a strategy. Its most explicit discussion of what that entails is found at the start of the document: “Our mission in cyberspace is to provide mission assurance for the operation and defense of the Department of Defense information environment, deter or defeat strategic threats to U.S. interests and infrastructure, and support achievement of Joint Force Commander objectives.” And the ultimate goal of the Cyber Command is to protect “freedom, liberty, prosperity, intellectual property, and personal information.”¹⁶ The document does not say how it aims to “deter” or “defeat” actors in cyberspace. Similarly, it does not describe any mechanisms for protecting the essential values, or at what costs.¹⁷
The new 2018 vision, entitled “Achieve and Maintain Cyberspace Superiority,” does provide a coherent plan for directing U.S. Cyber Command’s activities in cyberspace. The document offers “a roadmap for USCYBERCOM to achieve and maintain superiority in cyberspace as we direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national interests in collaboration with domestic and foreign partners.”¹⁸ Taken as a whole, the new command strategy emphasizes continual and persistent engagement against malicious cyberspace actors. One could summarize the vision using Muhammad Ali’s famous phrase: “Float like a butterfly, sting like a bee.” The U.S. Cyber Command aims to move swiftly to dodge blows of opponents, while simultaneously being attentive to and creating openings to strike.¹⁹
The emergence of this new vision recognizes that previous strategies for confronting adversaries in cyberspace have been less than successful. Table 4–2 provides a brief comparison of the main imperatives of the two visions. As the report notes:
Adversaries direct continuous operations and activities against our allies and us in campaigns short of open warfare to achieve competitive advantage and impair U.S. interests. Our adversaries have exploited the velocity and volume of data and events in cyberspace to make the domain more hostile. They have raised the stakes for our nation and allies. In order to improve security and stability, we need a new approach.²⁰
The 2015 vision observes that cyberspace is an ever-changing space of constant contact and activity.²¹ Yet, whereas in the 2015 vision it is a mere throwaway comment, this observation has become the foundation of the 2018 vision to seek superiority through persistent engagement.
Another key change in the vision is the acknowledgment that activities in cyberspace that do not rise to the level of armed conflict (as traditionally understood in international law) can nevertheless have strategically significant effects. The document notes:
The spread of technology and communications has enabled new means of influence and coercion. Adversaries continuously operate against us below the threshold of armed conflict. In this “new normal,” our adversaries are extending their influence without resorting to physical aggression. They provoke and intimidate our citizens and enterprises without fear of legal or military consequences. They understand the constraints under which the United States chooses to operate in cyberspace, including our traditionally high threshold for responseto adversary activity. They use this insight to exploit our dependencies and vulnerabilities in cyberspace and use our systems, processes, and values against us to weaken our democratic institutions and gain economic, diplomatic, and military advantages.²²
Overall, it should be noted that, in theory, a strategy of persistence could be the most defensive one. Think about how Muhammed Ali famously dodged punches from his opponents: the other guy in the ring is desperately punching, but Ali persists, wearing him out and mentally dominating his opponent. A strategy of persistence could also be the most aggressive one. Think about Ali’s practice of constantly punching his opponents, leaving them no opportunity to go on the offense — and sometimes he knocked them out.
A New Vision in a Changing Institutional Landscape
In addition to coinciding with a new administration, the new vision came into being in an evolving institutional landscape that will directly affect its implementation and further development.²³ This includes three (ongoing) institutional changes: (1) U.S. Cyber Command decoupling from Strategic Command, (2) a change of “cyber guards,” and (3) a maturing U.S. Cyber Command.
First, in August 2017, the Department of Defense (DoD) initiated the process to elevate U.S. Cyber Command to a unified combatant command,²⁴ and the official elevation of the command took place on May 4, 2018.²⁵ Proponents argue that this elevation will speed up U.S. Cyber Command’s operational approval and coordination.²⁶ The official DoD statement also said that it “will help reassure allies and partners and deter adversaries” as the elevation demonstrates increased U.S. resolve.²⁷ Alternatively, the decoupling of U.S. Cyber Command from USSTRATCOM might help to dispel the notion that adversaries should or can be deterred in cyberspace. After all, USSTRATCOM’s official role is strategic deterrence, whereas the U.S. Cyber Command vision seeks to move away from the deterrence paradigm and focus on strategic persistence to achieve superiority.²⁸
Second, U.S. Cyber Command’s elevation coincided with the confirmation of General Nakasone. It remains unclear in which direction Nakasone will steer the agency. The prepared statement of his testimony before the committee closely matched the vision’s “new thinking” on persistence, noting that “operating and aggressively defending our networks is a foundational mission . . . we need to impose costs on our adversaries to ensure mission success by persistent delivery of cyberspace effects in defense of our nation and in support of our combat forces.”²⁹ Yet his answers in the Q&A mostly reflected “old thinking” within the cyber deterrence paradigm. For example, Nakasone talked about the need to build up a diverse set of capabilities to deter cyberattacks.³⁰
Third, the vision will be implemented against the backdrop of an everexpanding U.S. Cyber Command capacity. On May 17, 2018, the Cyber Mission Force (CMF) attained full operational capability of all 133 teams.³¹ This means that in three years the organization doubled in capacity: in March 2015 it was about half of its target.³² U.S. Cyber Command has also opened its new Cyber Center and Joint Operations Center (ICC/JOC) at Fort Meade.³³ Finally, the possible splitting of NSA and U.S. Cyber Command remains an unresolved issue.³⁴ The NSA and U.S. Cyber Command have been “dualhatted” since the inception of the latter in 2009.³⁵ The splitting of the dual-hat role has been considered for years.³⁶ Although there has been an expectation that the role would eventually be uncoupled, a logical recommendation following the vision would be to maintain the dual-hat arrangement. After all, “seizing the initiative” in cyberspace requires the need to constantly move between different types of computer network operations (CNO).³⁷
A Scenario-Based Analysis of Cyber Persistence
U.S. Cyber Command’s new vision, a high-level document, is far from comprehensive. It may serve as a starting point for the U.S. government to adjust its strategic behavior in cyberspace, but U.S. Cyber Command will have to do a lot more heavy intellectual lifting to identify and address critical stumbling blocks it is likely to encounter in its implementation. This section highlights some of those and further develops the U.S. Cyber Command research agenda through scenario-based analysis.
At the outset, it is important to describe what U.S. Cyber Command seeks to achieve. Its ultimate objective is to “gain strategic advantage,” which according to Richard Harknett and Michael Fischerkeller can be interpreted to mean changing the distribution of power in favor of the United States.³⁸ This is in line with the observation made by Harknett that the cyber activity of adversaries that takes place below the threshold of war is slowly degrading U.S. power — both state and nonstate actors.³⁹ More generally, the premise underlying U.S. Cyber Command’s vision is depicted in figure 4–1.
The notion is that the U.S. government’s position has slipped over the years and that therefore international stability has increased. The series of cyberattacks that took place in the early 2000s with highly disruptive consequences — including the hacking of the Democratic National Committee (2016), WannaCry (2017), and NotPetya (2017) — underline this view. These attacks suggest that adversaries have grown bolder and potentially also more capable. This new status quo is deemed unacceptable by the United States, a situation also more broadly recognized in the 2017 National Security Strategy and the 2018 National Defense Strategy.⁴⁰
The best-case scenario following the command vision is therefore that the U.S. government achieves the end it desires and dramatically improves the (“general” or “cyber”) distribution of power — that is, it achieves superiority through persistence.⁴¹ More specifically, the way the U.S. Cyber Command aims to gain strategic effect is to seize the initiative, retain momentum, and disrupt adversaries’ freedom of action.
Yet we need to be clear about the possible consequences of seeking this objective: a United States more powerful in cyberspace does not necessarily mean one that is more stable or secure. As used here, stability is a subset of the broad view of cyberspace that includes freedom, liberty, prosperity, intellectual property, and personal information.⁴²
More formally, there are four possible scenarios, as shown in figure 4–2:
1. Win/Win: The strategy will lead to a more favorable distribution of power as well as a more stable and secure cyberspace and world.
2. Win/Lose: The strategy will lead to a more favorable distribution of power but also a growing degree of hostility in cyberspace and the world.
3. Lose/Win: The strategy will not lead to a more favorable distribution of power, but it does ensure a more stable and secure cyberspace and world.
4. Lose/Lose: The strategy will not lead to a more favorable distribution of power and will lead to a growing degree of hostility in cyberspace and the world.⁴³
To gain a better understanding of which scenario is most likely, we address each in turn, providing an overview of the mechanisms that could cause the United States to end up in each situation.⁴⁴ For each scenario we take the following mechanisms into consideration: (1) threat perception of other (relevant) actors, (2) the ability of the United States to take away the initiative, and (3) the ability of the United States to seize the initiative. On the former, “Scholars in international relations have long given threat perception a central role in theories of war, deterrence, alliances, and conflict resolution,” Janice Gross Stein notes.⁴⁵ Threat perceptions are subjective, but have “real” implications. Indeed, as Raymond Cohen writes: “Threat perception is the decisive intervening variable between action and reaction in interna-tional crisis.”⁴⁶ How other actors, both adversaries and allies, will perceive U.S. (intended) actions in cyberspace will therefore have a decisive influence on how the strategy plays out in the future. In addition, the success of the U.S. Cyber Command strategy depends on its ability to dominate cyberspace and reduce the opportunity of adversaries to (re)act.
An important limitation of this scenario-based analysis is that we only project what could happen if the United States were to change its current approach.⁴⁷ In line with the above discussion of the U.S. government’s perception of a degrading status quo, there are equally risks to not changing the course of action (which some would describe as “inaction”). Indeed, it is highly unlikely that, if the command scrapped its vision and proceeded on course, we would end up in a better situation in the (near) future.
First, there could be convergence of goals (win/win); superiority in cyberspace will in the long run also lead to a more stable environment, less conflict, norms of acceptable behavior, and so on. In fact, some argued at the first U.S. Cyber Command symposium that strategic persistence might first worsen the situation before making it better.⁴⁸ This notion is depicted as arrow A in figure 4–3. The figure also shows two other potential win/win scenarios.
The first scenario (arrow A) is possible when: (1) U.S. Cyber Command initially is unable to seize the initiative from a capacity perspective but becomes increasingly better at it in the future; and/or (2) other actors increase their hostility in the short term, but become less hostile in the long run. The first condition may well hold; as was noted, U.S. Cyber Command is still developing its cyber capacity. Even though the CMF has achieved full operational capability, it will take time for the new workforce to operate capably and for all units to coordinate effectively.⁴⁹ The second condition is much less likely to hold: other actors are likely to adapt to U.S. activities over time, and the number of actors in this space (with hostile intent) will increase. FireEye has reported on the “rise of the rest,” stating: “While Russia and China remain atop the list of the most sophisticated cyber adversaries, FireEye has been observing an uptick in the number of state-sponsored cyber espionage campaigns from other countries.”⁵⁰
Another scenario, parsimoniously depicted as arrow C in figure 4–3, is interesting to consider as well. This situation could, perhaps paradoxically, be described as “deterrence through a strategy of persistence.” The condition that would likely underlie this scenario is that the main threat actors are initially cautious to act following the release of a new U.S. believe it to be unlikely that other actors will wait and see which way the wind blows. An excerpt from Nakasone’s nomination hearing is telling:
Senator Sullivan: They [our adversaries] don’t fear us.
General Nakasone: They don’t fear us.
Senator Sullivan: So, is that good?
General Nakasone: It is not good, Senator.⁵¹
Following up on Senator Dan Sullivan’s question, Senator Sasse asked: “And three years ago at the OPM hack we had Obama intelligence chiefs up here, primarily before the Homeland Security Committee, and we asked them the exact same questions: Is there any response from the United States Government that’s sufficient to change the Chinese behavior? And they said absolutely not. Do you think there’s any reason the Chinese should be worried about U.S. response at the present?” Nakasone responded: “Again, I think that our adversaries have not seen our response in sufficient detail to change their behavior.”⁵² In line with this comment, it is unlikely that the vision alone will be sufficient or threatening enough to have this type of response.
Second, it is worth considering several “escalation scenarios” — lose/lose and win/lose as shown in figure 4–2. One could equally argue that a strategy of superiority through persistence comes with a set of ill-understood escalation risks about which the vision is silent. It is noteworthy that neither “escalate” nor “escalation” appears in the new strategy document.⁵³ As Jason Healey has argued:
The vision … ignores many of the risks and how to best address them. Most importantly, the vision does not even recognize the risk that more active defense — in systems and networks in other, potentially friendly nations — persistently, year after year, might not work and significantly increases the chances and consequences of miscalculations and mistakes. Even if they are stabilizing, such actions may be incompatible with the larger U.S. goals of an open and free Internet.⁵⁴
To address these concerns in a more detail, figure 4–4 depicts five types of escalation scenarios: examining the arrows from right to left (A → E), they go from bad to worse. Arrows A and B both depict scenarios in which the United States achieves its ultimate objective, but has to pay a price for it. Arrows C–E depict a situation in which following the strategy does not make anything better.
In situations A and B the adversaries become more aggressive and conduct attacks that are highly disruptive to society.⁵⁵ These behaviors could be the result of either an increased willingness to do so or an increased capacity. With respect to the latter, the U.S. vision — and associated changed course of action — may encourage other actors to grow increase spending on offensive cyber operations. The conventional proliferation literature on weapons of mass destruction (WMD) includes extensive examination of the role of special interests in stimulating demand for weapons development.⁵⁶ The notion is that the new U.S. vision can be used by those groups within a country that favor a growing cyber command to justify or lobby for greater military spending.⁵⁷
Situations A and B, as shown in figure 4–4, may also come about because of adversaries’ growing incentive to conduct offensive cyber operations of a highly disruptive nature. In this case, the heightened hostility might be a sign that the U.S. strategy is effective. Consider, for example, the current war against the Islamic State of Iraq and Syria (ISIS): losing territory and grip in the Middle East, the terrorist organization is said to be keen to recruit followers in Europe and other places in the world to conduct lethal attacks outside of Iraq and Syria. Attempts to perpetrate mass killings are a way to show they still need to be feared (and potentially to bolster recruitment), but they do not change the balance of power (BoP) in the region. Actors in cyberspace might become more noisy and aggressive purely to increase friction, gain attention, and so on — and perhaps also to influence public opinion in the hope the United States will change its strategy.
Arrows C–E paint a picture of the most grim possible scenarios, with the U.S. strategy failing on all accounts. These worst-case scenarios might partially result from the causal mechanisms on adversaries’ capacity building described above for situations A and B. They also come about owing to U.S. failure to seize the initiative. This type of failure could stem from a multitude of sources.
First, a failure to seize the initiative may be due to a misunderstanding of the required means. The Cyber Command vision has remained silent on the available arsenal of capabilities. Scholars, however, have offered some examples of what this could entail. Michael Sulmeyer argues that the United States should “hack the hacker”: “It is time to target capabilities, not calculations Such a campaign would aim to make every aspect of hacking much harder: because hackers often reuse computers, accounts, and infrastructure, targeting these would sabotage their capabilities or render them otherwise useless.”⁵⁸ Such activities would indeed increase the friction that adversaries encounter in conducting hostile cyber activities against the United States.
It remains to be seen, however, whether that approach will result in persistent strategic advantage. The mixed results from the takedown of WebStresser, the largest service providing distributed denial of service (DDoS) available on the market, illustrate the issue. Europol shut down the website’s infrastructure in late April 2018, at a time when the online service had more than 136,000 users.⁵⁹ According to Link11, a cybersecurity firm based in Germany, a week after the takedown of the portal the DDoS attacks fell 60 percent across Europe.⁶⁰ But a different firm, Corero Network Security, claimed that DDoS attack volumes actually increased the week after the shutdown.⁶¹
Second, the United States might overplay its hand. Muhammad Ali boxed sixty-one matches as a professional. He would not have won fifty-six of those fights if he had fought all of his opponents at the same time. U.S. Cyber Command is operating in a space in which it has to seize the initiative against a large and ever-growing number of actors. The dangers of fighting on multiple fronts, even for the most capable actors, are well known from conventional warfare. Because the number of (potential) cyber fronts is several orders of magnitude greater than the number of conventional warfare fronts, the risks of overextension have become exponentially higher too.
Superiority through Persistence: Against Whom, for Whom, and What Else?
The scenarios described in the previous section provide an overview of several causal mechanisms that could have implications for the new vision. Several other important factors may influence the potential course of action as well. This section discusses four additional considerations that are largely left undiscussed in the vision.
First, the scenario-based analysis did not distinguish between different types of adversaries. Yet even if the United States were able to seize the initiative against one actor, it might not be able to do so against all actors. It has been argued that the United States has historically focused on the large states in the international system. As Thomas Barnett writes in a well-known Esquire article:
Ever since the end of World War II, this country has assumed that the real threats to its security resided in countries of roughly similar size, development, and wealth — in other words, other great powers like ourselves. During the Cold War, that other great power was the Soviet Union. When the big Red machine evaporated in the early 1990s, we flirted with concerns about a united Europe, a powerhouse Japan, and — most recently — a rising China. What was interesting about all those scenarios is the assumption that only an advanced state can truly threaten us. The rest of the world? Those less-developed parts of the world have long been referred to in military plans as the“Lesser Includeds,” meaning that if we built a military capable of handling agreat power’s military threat, it would always be sufficient for any minor scenarios we might have to engage in the less-advanced world. That assumption was shattered by September 11.⁶²
In the same vein, there is likely no one-size-fits-all way to implement strategic persistence in the cyber domain.⁶³ Note that several reports, including one from former secretary of defense Ash Carter, have argued that U.S. Cyber Command contributions in the campaign against ISIS have been minor.⁶⁴ It is unclear to what degree this alleged underperformance is the result of the United States preparing for the wrong threat. In any case, it does provide a valuable lesson about the difficulty of being effective in cyberspace against all types of threat actors.⁶⁵
Second, much has been written on cyber deterrence in recent years. Given the low signal-to-noise ratio of policy discussions on this topic, the vision understandably and reasonably tries to shift the focus of cyber strategy toward an approach that is more closely matched to the realities of today. However, in being entirely silent about the topic of deterrence, it might go too far, and it implies that concepts of cyber deterrence have no relevance to U.S. cyber policy. It is likely that some form of deterrence is still needed to address lowprobability cyber threats of high consequence.
Third, the U.S. Cyber Command vision acknowledges the importance of increasing the resilience of U.S. cyber assets as an important aspect of sustaining strategic advantage. But the only words in the document about doing so say that U.S. Cyber Command will share “intelligence and operational leads with partners in law enforcement, homeland security (at the federal and state levels), and the Intelligence Community.”⁶⁶ Greater resilience of U.S. cyber assets will enhance our ability to bring the cyber fight to adversaries by reducing their ability to gain benefits by escalating in response, and yet the coupling between cyber defense and offense goes unmentioned.
Fourth, the vision correctly notes that “cyberspace threats . . . transcend geographic boundaries and are usually trans-regional in nature.” It also notes “our scrupulous regard for civil liberties and privacy.”⁶⁷ But U.S. guarantees of civil liberties and privacy are grounded in U.S. citizenship or presence on U.S. soil. If cyber adversaries transcend geographic boundaries, how will the command engage foreign adversaries who operate on U.S. soil? The vision document is silent on this point, even though it could have significant implications on its course of action.
Conclusion and Recommendations
The purpose of this chapter is to provide a brief overview of the U.S. Cyber Command strategy. In the constantly changing terrain of cyberspace in which “everyone is everyone’s neighbor,” the United States seeks (cyber) superiority through persistence, as stated in the 2018 vision. The ultimate goal is to maintain or favorably change the balance of power by seizing the initiative in cyberspace. We noted, however, that it remains unclear what will be sacrificed in pursuit of this optimal outcome.
From an operational perspective, we recommend that the U.S. Cyber Command give high priority to the following two aspects when implementing the strategy: prioritization and operational speed.
First, in seeking to engage on so many levels against so many actors, prioritization has to become a top issue in implementing the new vision. Priorities should not be decided on the basis of state actor versus nonstate actor, or nation-state versus criminal, hacktivist, or something else. Instead, in line with the vision’s objective, prioritization decisions should be made on the basis of BoP-relevant actor versus BoP-irrelevant actor.⁶⁸ As said, this does however not mean that the United States should act in the same way against all BoP-relevant actors.
Second, operational speed and agility will manifest differently against different opponents; moreover, significant government reorganization will be required to increase operational speed and agility. What Muhammad Ali was most famous for — and what remained constant throughout all of his matches — was his amazing speed. The United States seems to be aware of the importance of threat actor prioritization and operational speed, as both are mentioned in the strategy.
The scenario-based analysis in this chapter aims to provide more insight into how the new strategy might play out. More research should be conducted on time frames for implementation, operational codes, and other external factors.
1. United States Senate Armed Services Committee, “Stenographic Transcript before the Committee on Armed Services United States Senate Nominations General Keith Alexander,” U.S. Senate Committee on Armed Services, April 15, 2010 (www.armed-services.senate.gov).
2. Ibid. Also see Brian Prince, “Serious Challenges Await Head of Cyber Command,” eWeek, May 12, 2010 (www.eweek.com/blogs/security-watch/serious-challenges-await-head-of-cyber-command).
3.Similar statements about the lack of strategic thinking have been made over the years.For example, former NSA and CIA director Michael Hayden noted: “From their inception, cyber weapons have been viewed as ‘special weapons,’ not unlike nuclear devices of an earlier time. But these weapons are not well understood by the kind of people who get to sit in on meetings in the West Wing, and as of yet there has not been a Herman Kahn [of On Thermonuclear War fame] to explain it to them.” Michael V.Hayden, Playing the Edge, American Intelligence in the Age of Terror(NewYork: PenguinPress, 2016).
4. United States Senate Armed Services Committee, “Advance Questions for Vice Admiral Michael S. Rogers, USN Nominee for Commander, United States Cyber Command,” March 11, 2014, pp. 7–8 (www.armed-services.senate.gov/imo/media/doc/Rogers_03-11-14.pdf).
5. United States Senate Armed Services Committee, “Stenographic Transcript before the Committee on Armed Services United States Senate Nominations for Lieutenant General Paul Nakasone to be Commander of the U.S. Cyber Command and Director of the National Security Agency and Chief of the Central Security Service,” March 1, 2018 (https://assets.documentcloud.org/documents/4407097/United-States-Senate-Armed-Services-Committee.pdf) (hereafter “Nakasone Hearings”).
6. Ibid., See the opening statement of Senator Inhofe, and questions of Senators Hirono, Gillibrand, Graham, Blumenthal, Warren, and Donnelly. All asked about or commented on the Russian disinformation campaign during the 2016 presidential election.
8. The new U.S. strategy is important because it may directly enable or contain the actions of other actors, both adversaries and allies. It is also relevant for its indirect effects: given the position of the United States in the world, other governments will likely attempt to learn from any changes in U.S. thinking and adapt their policies as well.
9. For a pre-institutional history of the U.S. Cyber Command, see United States Strategic Command,“JFT-CND/JTC-CNO/JTF-GNO: A Legacy of Excellence,” December 30, 1998/September 7, 2010 (https://nsarchive2.gwu.edu//dc.html?doc=2849764-Document-05). For a more general history of U.S. cyberwar, see Michael Warner, “Cybersecurity: A Pre-history,” Intelligence and National Security 27, no. 5 (2012), pp. 781–99; and Fred Kaplan, Dark Territory: The Secret History of Cyber War (New York: Simon & Schuster, 2016).
10. Michael Warner, “U.S. Cyber Command’s Road to Full Operational Capability,” in Stand Up and Fight: The Creation of U.S. Security Organizations, 1942–2005, edited by Ty Seidule and Jacqueline E. Whitt (Carlisle, Pa.: Strategic Studies Institute and U.S. Army War College Press, 2015), chap.7.
11. The official document of STRATCOM on the seal does not explain the code; it only states, “The eagle, our national symbol, is revered for the keen eyesight that allows it to pierce the darkness and remain vigilant. The two swords on the shield represent the dual nature of the command to defend the nation and, if necessary, engage our enemies in the cyber domain. The lightning bolt symbolizes the speed of operations in cyber, and the key illustrates the command’s role to secure our nation’s cyber domain.” Strategic Com- mand, “United States Cyber Command,” March 2015(www.stratcom.mil/Portals/8/Documents/CYBERCOM_Fact_Sheet.pdf?ver=2018–04–18–172134–583).
12. An MD5 algorithm is a common hash function used in cryptography. Coinciden- tally and ironically, the U.S. intelligence community seems to have been interested in MD5 hashes at the time the U.S. Cyber Command was set up. In fact, one of the most complex espionage platforms ever developed, allegedly by the United States, Flame had as one of its most interesting features that it reengineered a certificate that could be used to sign Windows updates. As researchers from Kaspersky Lab note, “The certificate relied on an MD5 signature, which the attackers managed to fake, indicating they had the ability to break arbitrary MD5 hashes.” In other words, Flame marked the death of MD5. See Mary-Beth Samekh, “Lessons learned from Flame, three years later,” Securelist, May29, 2015 (https://securelist.com/lessons-learned-from-flame-three-years-later/70149/); Alexander Gostev, “The Flame: Questions and Answers,” Securelist, May 28, 2015 (https://securelist.com/the-flame-questions-and-answers-51/34344/).
13. Noah Shachtman, “Crack the Code in Cyber Command’s Logo (Updated),” Wired, July 7, 2018 (www.wired.com/2010/07/solve-the-mystery-code-in-cyber-commands-logo/); Noah Shachtman, “Code Cracked! Cyber Command Logo Mystery Solved,” Wired, July 8, 2018 (www.wired.com/2010/07/code-cracked-cyber-command-logos-mystery-solved/). Even though the following operations order is heavily redacted, it provides the most detailed(publicly available)overview of the relevant tasks of U.S. Cyber Command: United States Cyber Command, “USCYBERCOM Operations Order (OPORD) 11–002, Operational Gladiator Shield(OGS),” May 19, 2011 (https://nsarchive2.gwu.edu//dc.html?doc=2692120-Document-12).
14. United States Cyber Command, “Beyond the Build: Delivering Outcomes through Cyberspace,” June 3, 2015 (www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/docs/US-Cyber-Command-Commanders-Vision.pdf).
15. The focus on capability development (instead of strategy development) is in line with Rogers’s nomination testimony in front of the Armed Services Committee: “If confirmed as the Commander, U.S. Cyber Command, my priority will be to generate the capabilities and capacities needed to operate in this dynamic environment and to provide senior decision makers and my fellow operational commanders with a full range of op- tions within the cyberarena. I will partner aggressively with others in doing so, particu- larlywithouralliesandpartners,thoseintheprivateandacademicsectors,within the Department of Defense, and agencies and organizations across the U.S. Government as well as the Congress.” Michael S. Rogers, “Confirmation Hearing: Opening Statement to the U.S. Senate Armed Services Committee,” March 11, 2014 (www.americanrhetoric.com/speeches/michaelrogersopstsarc.htm).
16. Ibid., p.2.
17. Also, at a high-level event of the Aspen Institute, just after the vision was released, Admiral Rogers provided little strategic insight on these issues. In a conversation with David Sanger, he only expressed his concern about several cyber operations of adversaries and talked about the command’s capability and force buildup (the“cybermissionforce”). See Aspen Institute, “Beyond the Build: Leveraging the Cyber Mission Force,” July 23, 2015 (http://aspensecurityforum.org/wp-content/uploads/2015/07/Beyond-the-Build-Leveraging-the-Cyber-Mission-Force.pdf).
18. United States Cyber Command, “Achieve and Maintain Cyberspace Superiority” (https://assets.documentcloud.org/documents/4419681/Command-Vision-for-USCYBERCOM-23-Mar-18.pdf), p.2.
19. For more details, see Richard J. Harknett, “United States Cyber Command’s New Vision: What It Entails and Why It Matters,” Lawfare, March 23, 2018(www.lawfareblog.com/united-states-cyber-commands-new-vision-what-it-entails-and-why-it-matters).
20. United States Cyber Command, “Achieve and MaintainCyberspace Superiority.”
21. Also see U.S. Cyber Command Combined Action Group, “Beyond the Build: How the Component Commands Support the U.S. Cyber Command Vision” (Washington: National Defense University Press, January 1, 2016)(http://ndupress.ndu.edu/Media/News/Article/643106/beyond-the-build-how-the-component-commands-support-the-us-cyber-command-vision/).
22. Although the document never says so explicitly, it clearly contemplates U.S. Cyber Command conducting many activities below the threshold of armed conflict as well. As Harknett notes, “This insight moves away from the conventional bifurcation of looking at cyberactivity as ‘hacking’ and binning it as either nuisance (crime) or as a potential surprise attack against critical infrastructure. Instead, the strategy focuses on adversarial cyber operations for what they are — well thought out campaigns seeking to degrade U.S. power and advance their own relative capacities, while avoiding significant American reaction.” Harknett, “United States Cyber Command’s New Vision.”
23. It is unlikely these institutional changes had an impact on the vision’s content.
24. Jim Garamone and Lisa Ferdinando, “DoD Initiates Process to Elevate U.S. Cyber Command to Unified Combatant Command,” Department of Defense News, August 18, 2017 (www.defense.gov/News/Article/Article/1283326/dod-initiates-process-to-elevate-us-cyber-command-to-unified-combatant-command/).
25. Katie Lange, “Cybercom Becomes DoD’s 10th Unified Combatant Command,” DOD Live, May 3, 2018 (www.dodlive.mil/2018/05/03/cybercom-to-become-dods-10th-unified-combatant-command/).
26. Michael Sulmeyer notes that the elevation of U.S. Cyber Command might not ac- tually change much: “I am of the view that a stove-piped Joint Staff had more to do with delays and miscommunication than anything else; nor could I ever find a function Cyber Command might be asked to execute that could only be performed by a full, unified com- mand (like Strategic Command) but not by a sub-unified command (like Cyber Command). We looked at this several times during the last administration: If the secretary of defense wanted the sub-unified command to execute, they could and would. It wasn’t a problem, so elevating the command wasn’t necessary.” Also, some have argued that the U.S. Cyber Command indeed has been ineffective or overdue in its response to cyber threats. It is unclear, however, to what degree this was due to the organizational setup in the past — that is, that U.S. Cyber Command’s commander has to go through STRATCOM’s chain of command. See Michael Sulmeyer, “Much Ado about Nothing? Cyber Command and the NSA,” War on the Rocks, July 19, 2017 (https://warontherocks.com/2017/07/much-ado-about-nothing-cyber-command-and-the-nsa/). On U.S. Cyber Command’s “slow-start,” see Ellen Nakashima and Missy Ryan, “U.S. Military Has Launched a New Digital War against the Islamic State,” Washington Post, July 15, 2016.
27. Garamone and Ferdinando, “DoD Initiates Process to Elevate U.S. Cyber Command.”
28. Also see Brad D. Williams, “Meet the Scholar Challenging the Cyber Deterrence Paradigm,” Fifth Domain, July 19, 2017 (www.fifthdomain.com/home/2017/07/19/meet-the-scholar-challenging-the-cyber-deterrence-paradigm/).
29. In addition to these points, Nakasone said he was taught two other important les- sons over the past decade: defending the nation requires a “whole-of-nation approach” and “while technology drives change in cyberspace, it’s the people . . . who guarantee our success.” See U.S. Senate Armed Services Committee, “Nakasone Hearings.”
30. Also, in response to a question from Senator Harry Reed, Nakasone talked about the continuing need and challenges of attribution. Ibid.
31. U.S. Department of Defense, “Cyber Mission Force Achieves Full Operational Capability,” May 17, 2018 (www.defense.gov/News/Article/Article/1524747/cyber-mission-force-achieves-full-operational-capability/).
32. Admiral Michael S. Rogers, USN, “Testimony on United States Cyber Command in Review of the Defense Authorization Request for Fiscal Year 2019 and the Future Years Defense Program,” February 27, 2018 (www.armed-services.senate.gov/hearings/18–02–27-united-states-cyber-command); Joe Gould, “Constructing a Cyber Superpower,” Defense News, June 27, 2015 (www.defensenews.com/2015/06/27/constructing-a-cyber-superpower/).
33. Rogers, “Testimony on United States Cyber Command,” Statement before the Senate Committee on Armed Services, February 27, 2018 (www.armed-services.senate.gov/imo/media/doc/Rogers_02–27–18.pdf).
34. When the senators asked Nakasone about this at the nomination hearing, he avoided providing an answer: “I don’t have a predisposed opinion on this. I think we begin with the question: What’s best for the nation? And I think that’s critical for us to consider. Is it best for the nation that the Nation Security Agency and U.S. Cyber Command stay together under one leader? Or is it time now that we think about a separate National Security Agency and a separate combatant command?” U.S. Senate Armed Services Committee, “Nakasone Hearings.”
35. As Andy Greenberg notes, “For the first time since those two roles were combined in 2010, the man leading them may be more comfortable with the latter — leaving the NSA with the unfamiliar feeling of being the not-quite-favorite-sibling.” Andy Green- berg, “The Next NSA Chief Is More Used to Cyberwar Than Spy Games,” Wired, March 3, 2018 (www.wired.com/story/paul-nakasone-nsa-cyber-command/).
36. For recent discussions on the benefits, risks, and legal hurdles, see Sulmeyer, “Much Ado about Nothing?”; Robert Chesney, “Should NSA and CYBERCOM Split? The Legal and Policy Hurdles as They Developed over the Past Year,” Lawfare, July 24, 2017 (www.lawfareblog.com/should-nsa-and-cybercom-split-legal-and-policy-hurdles-they-developed-over-past-year); Max Smeets, “Organisational Integration of Offensive Cyber Capabilities: A Primer on the Benefits and Risks,” 9th International Conference on Cyber Conflict, Tallinn, Estonia, 2017 (https://ieeexplore.ieee.org/document/8240326/).
37. This also leads to questions about the potential use of offensive cyber capabilities under title 10 and title 50. CNO consists of computer network defense (CND), computer network attack (CNA), and computer network exploitation (CNE). For a good discussion of how these activities overlap, see Matthew Monte, Network Attacks and Exploitation: A Framework (Hoboken, N.J.: Wiley, 2015); Hayden, Playing the Edge.
38. Richard J. Harknett and Michael P. Fischerkeller, “Deterrence Is Not a Credible Strategy for Cyberspace,” Orbis 61, no. 3 (2017), pp. 381–93. See also Richard J. Harknett and Joseph S. Nye Jr., “Is Deterrence Possible in Cyberspace?,” International Security 42, no. 2 (2017), pp. 196–99.
39. Harknett, “United States Cyber Command’s New Vision.”
40. Donald J. Trump, National Security Strategy of the United States of America, The White House, December 2017 (www.whitehouse.gov/wp-content/uploads/2017/12/NSS-Final-12–18–2017–0905.pdf); Department of Defense, Summary of the 2018 National Defense Strategy of the United States of America: Sharpening American Military’s Competitive Edge (www.defense.gov/Portals/1/Documents/pubs/2018-National-Defense-Strategy-Summary.pdf).
41. The U.S. military makes an important distinction between superiority and supremacy. In the context of cyberspace, as the vision states, “superiority is the degree of dominance in cyberspace by one force that permits the secure, reliable conduct of operations by that force, and its related land, air, maritime, and space forces at a given time and place without prohibitive interference by an adversary.” Cyberspace supremacy, following JP 1–02, would be the degree of cyberspace superiority wherein the opposing force is incapable of effective interference through cyberspace. Inherently, given the low barriers of entry for actors to conduct offensive cyber operations, supremacy would seem to be nearly impossible to achieve. See U.S. Cyber Command, “Achieve and Maintain Cyberspace Superiority”; Department of Defense Dictionary of Military and Associated Terms, Joint Publication 1–02, November 8, 2010/February 15, 2016 (https://fas.org/irp/doddir/dod/jp1_02.pdf).
42. This broad view is in line with the 2015 vision and President Obama’s often-cited statement: “America’s economic prosperity, national security and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet.” The White House, Statement by the President on the Cyber- security Framework, February 12, 2014 (https://obamawhitehouse.archives.gov/the-press-office/2014/02/12/statement-president-cybersecurity-framework).
43. Of course, it is possible to conceive of more complex scenarios. For example, persis- tence might have a strategic effect in the short term and the long term, but not in the me- dium term. We list only these four scenarios to avoid making the discussion unnecessarily complex.
44. We limited our discussion to scenarios 1, 2, and 4, and leave out 3 for reasons of space and word constraints.
45. Janice Gross Stein, “Threat Perceptions in International Relations,” in The Oxford Handbook of Political Psychology, edited by Leonie Huddy, David O. Sears, and Jack S. Levy (Oxford University Press, 2013).
46. Raymond Cohen, “Threat Perception in International Crisis,” Political Science Quar- terly 1 (1978), p. 93; also see Robert Jervis, Perception and Misperception in International Poli- tics (Princeton University Press,1976); Robert Jervis, “War and Misperception,” Journal of Interdisciplinary History 18 (1988), pp. 675–700; Joseph Nye Jr., “Transformational Leadership and U.S. Grand Strategy,” Foreign Affairs 85 (2006), p. 139; Barry Buzan, “Will the ‘Global War on Terror’ Be the New Cold War?,” International Affairs 82 (2006), pp. 1102–18.
47. We thank Emily Goldman and Michael Warner for pointing out this limitation.
48. Max Smeets, “U.S. Cyber Command: An Assiduous Actor, Not a Warmonger- ing Bully,” March 4, 2018, Cipher Brief (www.thecipherbrief.com/us-cyber-command-assiduous-actor-not-warmongering-bully).
49. After all, offensive cyber operations are as much based on tacit knowledge, learned through practice, as they are on explicit knowledge.
50. Sarah Geary, “Rise of the Rest: APT Groups No Longer from Just China and Russia,” FireEye, April 26, 2018 (www.fireeye.com/blog/executive-perspective/2018/04/rise-of-the-rest-apt-groups-no-longer-from-just-china-and-russia.html).
51. U.S. Senate Armed Services Committee, “Nakasone Hearings.”
53. Fears of escalation account for much of the lack of forceful response to malicious cyber activities in the past, and it can be argued that such fears have carried too much weight with policymakers; but ignoring escalation risks entirely does not seem sensible either.
54. Jason Healey, “Triggering the New Forever War, in Cyberspace,” Cipher Brief, April 1, 2018 (www.thecipherbrief.com/triggering-new-forever-war-cyberspace); see also Jason Healey, “U.S. Cyber Command: ‘When Faced with a Bully . . . Hit Him Harder,’” Cipher Brief, February 26, 2018 (www.thecipherbrief.com/column_article/us-cyber-command-faced-bully-hit-harder).
55. Healey also says that actors may gain more capabilities — for example, states like China might scale faster by relying on artificial intelligence. Yet, to understand the impact of the strategy, it is important to distinguish between those actions that are a (direct) response to the U.S. implementation of the new vision and those that occur whether or not the United States implements this strategy. See Healey, “Triggering the New Forever War, in Cyberspace.”
56. Matthew Evangelista, Innovation and the Arms Race: How the United States and So- viet Union Develop New Military Technologies (Cornell University Press, 1988); Etel Solin- gen, “The Domestic Sources of Nuclear Postures,” Policy Paper (San Diego: Institute of Global Conflict and Cooperation, October 1994); Scott Sagan, “Why Do States Build Nuclear Weapons: Three Models in Search of a Bomb,” International Security 21, no. 3 (Winter 1996–97), pp. 54–86.
57. As Scott Sagan notes, the reverse argument has also been made for the Nuclear Proliferation Treaty (NPT): “The NPT regime is not just a device to increase states’ con- fidence about the limits of their potential adversaries’ nuclear programs; it is also a tool that can help to empower domestic actors who are opposed to nuclear weapons development.” Sagan, “Why Do States Build Nuclear Weapons?,” p. 72.
58. Michael Sulmeyer, “How the U.S. Can Play Cyber-Offense: Deterrence Isn’t Enough,” Foreign Affairs, March 22, 2018.
59. Catalin Cimpanu, “Europol Shuts Down World’s Largest DDoS-for-Hire Service,” Bleeping Computer, April 25, 2018 (www.bleepingcomputer.com/news/security/europol-shuts-down-worlds-largest-ddos-for-hire-service/). Note that this was a coordinated take- down led by Europol, but it was not the only organization involved in the operation.
60. Nicholas Fearn, “DDoS Attacks in Europe ‘Down 60 Per Cent’ following Web- Stresser Takedown,” Inquirer, May 3, 2018 (www.theinquirer.net/inquirer/news/3031691/ddos-attacks-in-europe-down-60-per-cent-following-webstresser-takedown).
61. Andrew Lloyd, “DDoS Attacks Rose in 2nd Half Of April 2018 after Webstresser Take-Down,” Information Security Buzz, May 7, 2018 (www.informationsecuritybuzz.com/expert-comments/ddos-attacks-rose-in-2nd-half-of-april-2018-after-webstresser-take-down/).
62. Thomas P. M. Barnett, “Why the Pentagon Changes Its Maps,” Esquire, Septem- ber 10, 2016 (www.esquire.com/news-politics/a1546/thomas-barnett-iraq-war-primer/).
63. Indeed, Muhammad Ali also boxed differently against different opponents, especially taller ones.
64. Ash Carter, “A Lasting Defeat: The Campaign to Destroy ISIS,” Belfer Center for Science and International Affairs, Harvard Kennedy School Report (October 2017) (www.belfercenter.org/LastingDefeat).
65. Of course, we may also debate to what degree the United States has been effective against nation-state actors such as Russia, China, North Korea, and Iran.
66. U.S. Cyber Command, “Achieve and Maintain Cyberspace Superiority.”
68. It is best to consider these categories to be “ideal-types” on the far end of each spectrum, instead of conceiving them as binary categories. A potentially distinct category to include is BoP-enabling actors.
Views expressed here do not necessarily represent those of the Freeman Spogli Institute for International Studies or Stanford University, both of which are nonpartisan institutions.