
A few thoughts on the new cyber strategy

AEIdeas

This past Wednesday, the Pentagon released an unclassified summary of its new cyber strategy and, Thursday, National Security Advisor John Bolton provided a brief, public account of what the new strategy entails.

National Security Adviser John Bolton at a forum hosted by the Federalist Society for Law and Public Policy Studies in Washington on September 10, 2018. REUTERS/Eric Thayer

To quote from the fact sheet on the strategy released by the Defense Department, the key themes are:

  • Using cyberspace to amplify military lethality and effectiveness;
  • Defending forward, confronting threats before they reach US networks;
  • Proactively engaging in the day-to-day great power competition in cyberspace;
  • Protecting military advantage and national prosperity;
  • Recognizing partnerships are key to shared success in protecting cyberspace;
  • Actively contesting the exfiltration of sensitive DoD information;
  • Embracing technology, automation, and innovation to act at scale and speed;
  • Supporting the defense of critical infrastructure;
  • Recruiting, developing, and managing critical cyber talent.

Although many, indeed most, of these are not new and would have been included in any cyber strategy document, what is new in the strategy is that it explicitly mentions China and Russia using cyberspace as an integral element of their great power competition with the United States. While obvious to anyone who has not been asleep the past decade, the decision to call out China and Russia in the document falls in line with the unequivocal language about China and Russia in the National Security and National Defense Strategies issued by the Trump administration this past year. As a doctrinal matter, it’s good to have all your ducks in a row: whatever tentative agreements were made between the White House and Beijing and the Kremlin to work on tempering conflict in cyberspace have not, from the American perspective, seen satisfactory progress.

What also seems new is the emphasis, as the Pentagon’s fact sheet puts it, on “proactively engaging in the day-to-day” cyber competition. As Bolton noted, the administration is putting aside the Obama-era hurdles to America’s cyber forces going on the offensive and, as he bluntly put it, “we are going to do a lot of things offensively and I think our adversaries need to know that.”

The goal, obviously, is to raise the costs on foreign states for using cyber tools and techniques for purposes of commercial and national security-related espionage, political and information warfare, putting key infrastructure at risk, and so on. For cyber “hawks,” the price being paid by these states has been too little in relation to the gain they perceive from continuing to engage in these practices. And, given the continuation of these practices, the administration is undoubtedly right.

A key question going forward is whether the administration and its cyber forces will be able, in the strategic parlance of days past, to establish “escalation dominance” as the competition heats up — that is, as the US applies its cyber capabilities to China and Russia and they perhaps react with even more aggressive attacks of their own. Presumably, if they have additional capacities, they will want to test just how far down this road Washington is willing to go. Complicating this calculus will be the concerns of America’s own cyber forces, who will be reluctant to show their most advanced capabilities in a tit-for-tat competition on the grounds that they need to keep in reserve those “weapons” for the extreme instances, such as open conflict. The worry is that cyber techniques, once used, will be met by the other side setting up defensive measures to meet that particular threat, putting at risk the particular cyber tool’s continued effectiveness. Unlike nuclear weapons, there may not be “assured destruction” when it comes to cyber weapons, once used.

Again, this is a question that should be raised — not an assertion that there isn’t an answer. But this is a question that cannot be adequately addressed in public. This puts added responsibility on the two armed services committees of Congress to oversee the new doctrine’s implementation. What can be and should be discussed in public, however, is understanding how the doctrine fits within the larger “war-making” authorities of the government. Responding to attacks on the US has traditionally been seen as a prerogative of the executive. But it is Congress’ authority to move the country from a state of peace to war and determine what forces are to be raised and provided for. In this new cyber era, and with a new cyber doctrine in place, getting better clarity on such matters would seem to be increasingly urgent.