The high-stakes trade-offs for US cybersecurity policy

Last week, my AEI colleague Gary Schmitt presented a careful analysis of the Trump administration’s new cybersecurity policy. He noted that while a number of the themes were not new, the Trump administration did advance in certain areas. The document directly called out China’s and Russia’s efforts to leverage cyberspace as a weapon in great power competition. And even more significantly, the Trump administration bluntly affirmed that it would be actively engaging in the “day-to-day” cyber competition, including offensive tactics doctrinally defined as “defense forward.” As National Security Adviser John Bolton stated: “We are going to do a lot of things offensively and I think our adversaries need to know that.”

While some have critiqued the new Trump strategy (inspired often by visceral reactions to any policy associated with John Bolton), the document has also received respectful attention, with former Obama State Department official Christopher Painter writing “there’s a lot to like in this strategy.” (Painter also argues that the real test is whether the Trump administration follows up with decisive action.)

The purpose of this blog, however, is not to debate the merits of the new Trump cyber strategy. It is rather to place the document in the broader context of the larger debate over how the US, its allies, and its adversaries should respond to the technological and strategic challenges of conflicts in cyberspace — specifically, to explore the “contrarian” thoughts and proposal advanced by Jack Goldsmith. As most know, Goldsmith, now a Harvard Law School professor, served in the Justice Department under President George W. Bush. He has written extensively on cybersecurity matters and by no stretch could be counted as critical of the vigorous assertion of US strategic power.

In this instance, however, though skeptical of a formal international treaty for cyberwarfare norms, he has advocated that the US reach “an explicit understanding with major cyber adversaries, akin to understandings about the rules of espionage during the Cold War, that the United States will not engage in certain specific disruptive actions in exchange for desirable restraint by adversaries in U.S. networks.”

Abbreviating and oversimplifying, Goldsmith reasons the following. First, he does not think that the US will be able to raise its defenses adequately to ward off the worst effects of cyberattacks: “The United States is not close to raising its defenses adequately and likely will not in the foreseeable future. Offense has too great an advantage over defense.” One paradoxical reason for this circumstance is US technological prowess and advanced digitalization.

The United States has the most powerful military in the world, including the greatest capacities in offensive cyber. . . [But] the United States[‘] significant digital dependencies mean that it loses in escalation in cyber because, as President Obama explained, “our economy is more digitalized and it is more vulnerable, partly because we are a wealthier nation and we are more wired.”

Goldsmith makes clear that his own normative values would dictate action.

My normative preferences . . . are for the United States to exploit its offensive advantages in cyber to collect whatever information serves our national interests, to use this information in ways that serve our interests, and to promote those interests further by spreading the U.S. conception of freedom of speech and thought to other nations.

But he posits:

The question is whether these are realistic goals. I think they are not, given the clear costs that the United States is suffering and will continue to suffer in the cyber realm. I don’t think the United States can continue unabated with all of its aggressive cyber actions abroad . . . especially operations that undermine control abroad — if it wants relief from the cyber operations that are proving so damaging to U.S. society.

Elsewhere, he writes:

I still think the U.S. government should consider seriously the idea of a deal with Russia for mutual forbearance from meddling in domestic politics. When nations face serious threats from one another, and when neither defense, nor deterrence, nor coercion suffices to alleviate the threat adequately, cooperation in the guise of mutual restraint is a natural option to explore.

As an example, Goldsmith suggests the US back away from the so-called Internet Freedom initiative that fosters democratic freedom in Russia and offers means of getting around government information control. He concedes that this would entail a “huge cost” for US cyber subversion efforts against authoritarian governments such as Russia, China, and Iran. But he concludes that on balance, the US should consider and at least analyze the trade-offs entailed in an agreement of cyber de-escalation with the Russians and other adversaries (acknowledging difficulties of defining covered activities and the technical difficulties of attribution and verification).

The Trump administration seems to be moving in the opposite direction. Interestingly, both Bolton and Goldsmith strongly critiqued what they considered the Obama administration’s dithering and public indecision in the wake of the cyberattacks on Sony Pictures and the Office of Personnel Management. But Bolton argued then and now for a more vigorous US response — retaliation that was “disproportionate” to show that the costs to US adversaries would be unbearable.

On technological grounds and given the current realities of cyber warfare, I lean toward Goldsmith’s approach, but the point of this blog is that this is a debate of the highest strategic order, one that will have huge consequences for US cybersecurity in an increasingly digitalized world.