Jason Atwell is an officer in the U.S. Army Reserve and a Senior Manager with FireEye, Inc. Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.
Title: Assessing the Application of a Cold War Strategic Framework to Establish Norms in the Cyber Threat Environment
Date Originally Written: December 28, 2020.
Date Originally Published: March 29, 2021.
Author and / or Article Point of View: The article is written from the point of view of the United States and its Western allies as they seek to impose order on the increasingly fluid and frequently volatile cyber threat environment.
Summary: The continued growth and maturity of cyber operations as a means of state sponsored espionage and, more recently, as a potential weapon of war, has generated a need for an “accepted” strategic framework governing its usage. To date, this framework remains unestablished. Cold War strategic frameworks could help govern the future conduct of cyber operations between nation states and bring some semblance of order to this chaotic battlespace.
Text: The cyber threat environment continues to evolve and expand. Threat vectors like ransomware, a type of malicious software designed to block access to a computer system until a sum of money is paid, are now daily subjects for discussion among leaders in the public and private sectors alike. It is against this backdrop that high-level initiatives like the Cyberspace Solarium Commission have sought to formulate comprehensive, whole-of-government strategies for dealing with cyber threats and developing capabilities. The U.S. Department of Commerce’s National Institute for Standards in Technology issues a steady stream of best practices for cyber risk management and hygiene. Yet, no comprehensive framework to govern cyber operations at the macro, nation-to-nation level, has emerged and been able to achieve buy-in from all the affected parties. In fact, there are not even useful norms limiting the risk in many of these cyber interactions[1]. Industry leaders as well have lamented the lack of a coherent doctrine that governs relations in cyberspace and discourages the violating of doctrinal norms[2]. In some ways the Cold War norms governing armed conflict, espionage, and economic competition can be used to provide much needed stability to cyber and cyber-enabled operations. In other ways, the framing of current problems in Cold War vocabulary and rhetoric has proved unworkable at best and counterproductive at worst.
Applying the accepted framework of great power interactions that was established during the Cold War presents both opportunities and challenges when it comes to the cyber threat environment. The rules which governed espionage especially, however informal in nature, helped to ensure both sides knew the red lines for conduct and could expect a standard response to common activities. On the individual level, frameworks like the informal “Moscow Rules” governed conduct and helped avoid physical confrontations[3]. When those rules were violated, and espionage came into the open, clear consequences were proscribed via precedent. These consequences made the use of persona-non-grata expulsions, facility closures, the use of neutral territories, exchanges and arrests were predictable and useful controls on behavior and means to avoid escalation. The application of these consequences to cyber, such as the closure of Russian facilities and expulsion of their diplomats has been used[4], however to little or no apparent effect as administrations have changed their approach over time. This uneven application of norms as cyber capabilities have advanced may in fact be leading the Russians in particular to abandon the old rules altogether[5]. In other areas, Cold War methods have been specifically avoided, such as the manner in which Chinese cyber operators have been indicted for the theft of intellectual property. Lowering this confrontation from high-level diplomatic brinkmanship to the criminal courts both prevents a serious confrontation while effectively rendering any consequences moot due to issues with extradition and prosecution. The dynamics between the U.S. and China have attracted a lot of discussion framed in Cold War terminology[6]. Indeed, the competition with China has many of the same hallmarks as the previous U.S.-Soviet Union dynamic[7]. What is missing is a knowledge of where the limits to each side’s patience lie when it comes to cyber activity.
Another important component of Cold War planning and strategy was an emphasis on continuity of operations and government authority and survivability in a crisis. This continuity was pursued as part of a deterrence model where both sides sought to either convince the other that they would endure a confrontation and / or decisively destroy their opposition. Current cyber planning tends to place an emphasis on the ability to achieve overmatch without placing a similar emphasis on resilience on the friendly side. Additionally, deterrence through denial of access or geophysical control cannot ever work in cyberspace due to its inherently accessible and evolving nature[8]. Adopting a mindset and strategic framework based on ensuring the ability of command and control networks to survive and retaliate in this environment will help to impose stability in the face of potentially devastating attacks involving critical infrastructure[9]. It is difficult to have mutually assured destruction in cyberspace at this phase, because “destruction” is still nebulous and potentially impossible in cyberspace, meaning that any eventual conflict that begins in that domain may still have to turn kinetic before Cold War models begin to function.
As cyber capabilities have expanded and matured over time, there has been an apparent failure to achieve consensus on what the red lines of cyber confrontation are. Some actors appear to abide by general rules, while others make it a point of exploring new ways to raise or lower the bar on acceptable actions in cyberspace. Meanwhile, criminals and non-aligned groups are just as aggressive with their operations as many terrorist groups were during the height of the Cold War, and they are similarly frequently used or discarded by nation states depending on the situation and the need. However, nation states on the two sides were useful bulwarks against overzealous actions, as they could exert influence over the actions of groups operating from their territory or abusing their patronage. Espionage in cyberspace will not stop, nor can a framework anticipate every possible scenario that my unfold. Despite these imperfections, in the future an issue like the SolarWinds breach could lead to a series of escalatory actions a la the Cuban Missile Crisis, or the cyber threat environment could be governed by a Strategic Arms Limitation Talk-like treaty which bans cyber intrusions into global supply chains[10]. Applying aspects of the Cold War strategic framework can begin to bring order to the chaos of the cyber threat environment, while also helping highlight areas where this framework falls short and new ways of thinking are needed.
Endnotes:
[1] Bremmer, I., & Kupchan, C. (2021, January 4). Risk 6: Cyber Tipping Point. Retrieved February 12, 2021, from https://www.eurasiagroup.net/live-post/top-risks-2021-risk-6-cyber-tipping-point
[2] Brennan, M., & Mandia, K. (2020, December 20). Transcript: Kevin MANDIA on “Face the Nation,” December 20, 2020. Retrieved February 12, 2021, from https://www.cbsnews.com/news/transcript-kevin-mandia-on-face-the-nation-december-20-2020/
[3] Sanger, D. (2016, December 29). Obama Strikes Back at Russia for Election Hacking. Retrieved February 13, 2021, from https://www.nytimes.com/2016/12/29/us/politics/russia-election-hacking-sanctions.html
[4] Zegart, A. (2021, January 04). Everybody Spies in Cyberspace. The US Must Plan Accordingly. Retrieved February 13, 2021, from https://www.defenseone.com/ideas/2021/01/everybody-spies-cyberspace-us-must-plan-accordingly/171112/
[5] Devine, J., & Masters, J. (2018, March 15). Has Russia Abandoned the Rules of Spy-Craft? Retrieved February 13, 2021, from https://www.cfr.org/interview/are-cold-war-spy-craft-norms-fading
[6] Buchanan, B., & Cunningham, F. (2020, December 18). Preparing the Cyber Battlefield: Assessing a Novel Escalation risk in A Sino-American Crisis. Retrieved February 13, 2021, from https://tnsr.org/2020/10/preparing-the-cyber-battlefield-assessing-a-novel-escalation-risk-in-a-sino-american-crisis/
[7] Sayers, E. (2021, February 9). Thoughts on the Unfolding U.S.-Chinese Competition: Washington’s Policy Towards Beijing Enters its Next Phase. Retrieved February 13, 2021, from https://warontherocks.com/2021/02/thoughts-on-the-unfolding-u-s-chinese-competition-washingtons-policy-towards-beijing-enters-its-next-phase/
[8] Borghard, E., Jensen, B., & Montgomery, M. (2021, February 05). Elevating ‘Deterrence By Denial’ in U.S. Defense Strategy. Retrieved February 13, 2021, from https://www.realcleardefense.com/articles/2021/02/05/elevating_deterrence_by_denial_in_us_defense_strategy_659300.html
[9] Borghard, E. (2021, January 04). A Grand Strategy Based on Resilience. Retrieved February 13, 2021, from https://warontherocks.com/2021/01/a-grand-strategy-based-on-resilience/
[10] Lubin, A. (2020, December 23). SolarWinds as a Constitutive Moment: A New Agenda for International Law of Intelligence. Retrieved February 13, 2021, from https://www.justsecurity.org/73989/solarwinds-as-a-constitutive-moment-a-new-agenda-for-the-international-law-of-intelligence/