Leave a Comment

Assessing the Application of a Cold War Strategic Framework to Establish Norms in the Cyber Threat Environment

Jason Atwell is an officer in the U.S. Army Reserve and a Senior Manager with FireEye, Inc. Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.

Title:  Assessing the Application of a Cold War Strategic Framework to Establish Norms in the Cyber Threat Environment

Date Originally Written:  December 28, 2020.

Date Originally Published:  March 29, 2021.

Author and / or Article Point of View:  The article is written from the point of view of the United States and its Western allies as they seek to impose order on the increasingly fluid and frequently volatile cyber threat environment.

Summary:  The continued growth and maturity of cyber operations as a means of state sponsored espionage and, more recently, as a potential weapon of war, has generated a need for an “accepted” strategic framework governing its usage. To date, this framework remains unestablished. Cold War strategic frameworks could help govern the future conduct of cyber operations between nation states and bring some semblance of order to this chaotic battlespace.

Text:  The cyber threat environment continues to evolve and expand. Threat vectors like ransomware, a type of malicious software designed to block access to a computer system until a sum of money is paid, are now daily subjects for discussion among leaders in the public and private sectors alike. It is against this backdrop that high-level initiatives like the Cyberspace Solarium Commission have sought to formulate comprehensive, whole-of-government strategies for dealing with cyber threats and developing capabilities. The U.S. Department of Commerce’s National Institute for Standards in Technology issues a steady stream of best practices for cyber risk management and hygiene. Yet, no comprehensive framework to govern cyber operations at the macro, nation-to-nation level, has emerged and been able to achieve buy-in from all the affected parties. In fact, there are not even useful norms limiting the risk in many of these cyber interactions[1]. Industry leaders as well have lamented the lack of a coherent doctrine that governs relations in cyberspace and discourages the violating of doctrinal norms[2]. In some ways the Cold War norms governing armed conflict, espionage, and economic competition can be used to provide much needed stability to cyber and cyber-enabled operations. In other ways, the framing of current problems in Cold War vocabulary and rhetoric has proved unworkable at best and counterproductive at worst. 

Applying the accepted framework of great power interactions that was established during the Cold War presents both opportunities and challenges when it comes to the cyber threat environment. The rules which governed espionage especially, however informal in nature, helped to ensure both sides knew the red lines for conduct and could expect a standard response to common activities. On the individual level, frameworks like the informal “Moscow Rules” governed conduct and helped avoid physical confrontations[3]. When those rules were violated, and espionage came into the open, clear consequences were proscribed via precedent. These consequences made the use of persona-non-grata expulsions, facility closures, the use of neutral territories, exchanges and arrests were predictable and useful controls on behavior and means to avoid escalation. The application of these consequences to cyber, such as the closure of Russian facilities and expulsion of their diplomats has been used[4], however to little or no apparent effect as administrations have changed their approach over time. This uneven application of norms as cyber capabilities have advanced may in fact be leading the Russians in particular to abandon the old rules altogether[5]. In other areas, Cold War methods have been specifically avoided, such as the manner in which Chinese cyber operators have been indicted for the theft of intellectual property. Lowering this confrontation from high-level diplomatic brinkmanship to the criminal courts both prevents a serious confrontation while effectively rendering any consequences moot due to issues with extradition and prosecution. The dynamics between the U.S. and China have attracted a lot of discussion framed in Cold War terminology[6]. Indeed, the competition with China has many of the same hallmarks as the previous U.S.-Soviet Union dynamic[7]. What is missing is a knowledge of where the limits to each side’s patience lie when it comes to cyber activity. 

Another important component of Cold War planning and strategy was an emphasis on continuity of operations and government authority and survivability in a crisis. This continuity was pursued as part of a deterrence model where both sides sought to either convince the other that they would endure a confrontation and / or decisively destroy their opposition. Current cyber planning tends to place an emphasis on the ability to achieve overmatch without placing a similar emphasis on resilience on the friendly side. Additionally, deterrence through denial of access or geophysical control cannot ever work in cyberspace due to its inherently accessible and evolving nature[8]. Adopting a mindset and strategic framework based on ensuring the ability of command and control networks to survive and retaliate in this environment will help to impose stability in the face of potentially devastating attacks involving critical infrastructure[9]. It is difficult to have mutually assured destruction in cyberspace at this phase, because “destruction” is still nebulous and potentially impossible in cyberspace, meaning that any eventual conflict that begins in that domain may still have to turn kinetic before Cold War models begin to function.

As cyber capabilities have expanded and matured over time, there has been an apparent failure to achieve consensus on what the red lines of cyber confrontation are. Some actors appear to abide by general rules, while others make it a point of exploring new ways to raise or lower the bar on acceptable actions in cyberspace. Meanwhile, criminals and non-aligned groups are just as aggressive with their operations as many terrorist groups were during the height of the Cold War, and they are similarly frequently used or discarded by nation states depending on the situation and the need. However, nation states on the two sides were useful bulwarks against overzealous actions, as they could exert influence over the actions of groups operating from their territory or abusing their patronage. Espionage in cyberspace will not stop, nor can a framework anticipate every possible scenario that my unfold. Despite these imperfections, in the future an issue like the SolarWinds breach could lead to a series of escalatory actions a la the Cuban Missile Crisis, or the cyber threat environment could be governed by a Strategic Arms Limitation Talk-like treaty which bans cyber intrusions into global supply chains[10]. Applying aspects of the Cold War strategic framework can begin to bring order to the chaos of the cyber threat environment, while also helping highlight areas where this framework falls short and new ways of thinking are needed.

Endnotes:

[1] Bremmer, I., & Kupchan, C. (2021, January 4). Risk 6: Cyber Tipping Point. Retrieved February 12, 2021, from https://www.eurasiagroup.net/live-post/top-risks-2021-risk-6-cyber-tipping-point 

[2] Brennan, M., & Mandia, K. (2020, December 20). Transcript: Kevin MANDIA on “Face the Nation,” December 20, 2020. Retrieved February 12, 2021, from https://www.cbsnews.com/news/transcript-kevin-mandia-on-face-the-nation-december-20-2020/ 

[3] Sanger, D. (2016, December 29). Obama Strikes Back at Russia for Election Hacking. Retrieved February 13, 2021, from https://www.nytimes.com/2016/12/29/us/politics/russia-election-hacking-sanctions.html 

[4] Zegart, A. (2021, January 04). Everybody Spies in Cyberspace. The US Must Plan Accordingly. Retrieved February 13, 2021, from https://www.defenseone.com/ideas/2021/01/everybody-spies-cyberspace-us-must-plan-accordingly/171112/

[5] Devine, J., & Masters, J. (2018, March 15). Has Russia Abandoned the Rules of Spy-Craft? Retrieved February 13, 2021, from https://www.cfr.org/interview/are-cold-war-spy-craft-norms-fading 

[6] Buchanan, B., & Cunningham, F. (2020, December 18). Preparing the Cyber Battlefield: Assessing a Novel Escalation risk in A Sino-American Crisis. Retrieved February 13, 2021, from https://tnsr.org/2020/10/preparing-the-cyber-battlefield-assessing-a-novel-escalation-risk-in-a-sino-american-crisis/ 

[7] Sayers, E. (2021, February 9). Thoughts on the Unfolding U.S.-Chinese Competition: Washington’s Policy Towards Beijing Enters its Next Phase. Retrieved February 13, 2021, from https://warontherocks.com/2021/02/thoughts-on-the-unfolding-u-s-chinese-competition-washingtons-policy-towards-beijing-enters-its-next-phase/ 

[8] Borghard, E., Jensen, B., & Montgomery, M. (2021, February 05). Elevating ‘Deterrence By Denial’ in U.S. Defense Strategy. Retrieved February 13, 2021, from https://www.realcleardefense.com/articles/2021/02/05/elevating_deterrence_by_denial_in_us_defense_strategy_659300.html 

[9] Borghard, E. (2021, January 04). A Grand Strategy Based on Resilience. Retrieved February 13, 2021, from https://warontherocks.com/2021/01/a-grand-strategy-based-on-resilience/ 

[10] Lubin, A. (2020, December 23). SolarWinds as a Constitutive Moment: A New Agenda for International Law of Intelligence. Retrieved February 13, 2021, from https://www.justsecurity.org/73989/solarwinds-as-a-constitutive-moment-a-new-agenda-for-the-international-law-of-intelligence/

Arms Control Assessment Papers Below Established Threshold Activities (BETA) Cold War Cyberspace Governing Documents and Ideas Jason Atwell Soviet Union Treaties and Agreements United States
Leave a Comment

Options to Enhance Security in U.S. Networked Combat Systems

Jason Atwell has served in the U.S. Army for over 17 years and has worked in intelligence and cyber for most of that time. He has been a Federal employee, a consultant, and a contractor at a dozen agencies and spent time overseas in several of those roles. He is currently a senior intelligence expert for FireEye, Inc. and works with government clients at all levels on cyber security strategy and planning.  Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.

National Security Situation:  As combat systems within DoD become more connected via networks, this increases their vulnerability to adversary action.

Date Originally Written:  November 1, 2020.

Date Originally Published:  January 11, 2021.

Author and / or Article Point of View:  The author is a reservist in the U.S. Army and a cyber security and intelligence strategist for FireEye, Inc. in his day job. This article is intended to draw attention to the need for building resiliency into future combat systems by assessing vulnerabilities in networks, hardware, and software as it is better to discover a software vulnerability such as a zero day exploit in a platform like the F-35 during peacetime instead of crisis.

Background:  The United States is rushing to field a significant number of networked autonomous and semi-autonomous systems[1][2] while neglecting to secure those systems against cyber threats. This neglect is akin to the problem the developed world is having with industrial control systems and internet-of-things devices[3]. These systems are unique, they are everywhere, they are connected to the internet, but they are not secured like traditional desktop computers. These systems won’t provide cognitive edge or overmatch if they fail when it matters most due to poorly secured networks, compromised hardware, and untested or vulnerable software.

Significance:  Networked devices contain massive potential to increase the resiliency, effectiveness, and efficiency in the application of combat power[4]. Whether kinetic weapons systems, non-lethal information operations, or well-organized logistics and command and control, the advantages gained by applying high-speed networking and related developments in artificial intelligence and process automation will almost certainly be decisive in future armed conflict. However, reliance on these technologies to gain a competitive or cognitive edge also opens the user up to being incapacitated by the loss or degradation of the very thing they rely on for that edge[5]. As future combat systems become more dependent on networked autonomous and semi-autonomous platforms, success will only be realized via accompanying cybersecurity development and implementation. This formula for success is equally true for ground, sea, air, and space platforms and will take into account considerations for hardware, software, connectivity, and supply chain. The effective application of cyber threat intelligence to securing and enabling networked weapons systems and other defense technology will be just as important to winning in the new multi-domain battlefield as the effective application of other forms of intelligence has been in all previous conflicts.

Option #1:  The Department of Defense (DoD) requires cybersecurity efforts as part of procurement. The DoD has been at work on applying their “Cybersecurity Maturity Model Certification” to vendors up and down the supply chain[6]. A model like this can assure a basic level of protection to hardware and software development and will make sure that controls and countermeasures are at the forefront of defense industrial base thinking.

Risk:  Option #1 has the potential to breed complacency by shifting the cybersecurity aspect too far to the early stages of the procurement process, ignoring the need for continued cyber vigilance further into the development and fielding lifecycle. This option also places all the emphasis on vendor infrastructure through certification and doesn’t address operational and strategic concerns around the resiliency of systems in the field. A compliance-only approach does not adapt to changing adversary tactics, techniques, and procedures.

Gain:  Option #1 forces vendors to take the security of their products seriously lest they lose their ability to do business with the DoD. As the model grows and matures it can be used to also elevate the collective security of the defense industrial base[7].

Option #2:  DoD takes a more proactive approach to testing systems before and during fielding. Training scenarios such as those used at the U.S. Army’s National Training Center (NTC) could be modified to include significant cyber components, or a new Cyber-NTC could be created to test the ability of maneuver units to use networked systems in a hostile cyber environment. Commanders could be provided a risk profile for their unit to enable them to understand critical vulnerabilities and systems in their formations and be able to think through risk-based mitigations.

Risk:  This option could cause significant delay in operationalizing some systems if they are found to be lacking. It could also give U.S. adversaries insight into the weaknesses of some U.S. systems. Finally, if U.S. systems are not working well, especially early on in their maturity, this option could create significant trust and confidence issues in networked systems[8].

Gain:  Red teams from friendly cyber components could use this option to hone their own skills, and maneuver units will get better at dealing with adversity in their networked systems in difficult and challenging environments. This option also allows the U.S. to begin developing methods for degrading similar adversary capabilities, and on the flip side of the risk, builds confidence in systems which function well and prepares units for dealing with threat scenarios in the field[9].

Option #3:  The DoD requires the passing of a sort of “cybersecurity sea trial” where the procured system is put through a series of real-world challenges to see how well it holds up. The optimal way to do this could be having specialized red teams assigned to program management offices that test the products.

Risk:  As with Option #2, this option could create significant delays or hurt confidence in a system. There is also the need for this option to utilize a truly neutral test to avoid it becoming a check-box exercise or a mere capabilities demonstration.

Gain:  If applied properly, this option could give the best of all options, showing how well a system performs and forcing vendors to plan for this test in advance. This also helps guard against the complacency associated with Option #1. Option #3 also means systems will show up to the field already prepared to meet their operational requirements and function in the intended scenario and environment.

Other Comments:  Because of advances in technology, almost every function in the military is headed towards a mix of autonomous, semi-autonomous, and manned systems. Everything from weapons platforms to logistics supply chains are going to be dependent on robots, robotic process automation, and artificial intelligence. Without secure resilient networks the U.S. will not achieve overmatch in speed, efficiency, and effectiveness nor will this technology build trust with human teammates and decision makers. It cannot be overstated the degree to which reaping the benefits of this technology advancement will depend upon the U.S. application of existing and new cybersecurity frameworks in an effective way while developing U.S. offensive capabilities to deny those advantages to U.S. adversaries.

Recommendation:  None.

Endnotes:

[1] Judson, Jen. (2020). US Army Prioritizes Open Architecture for Future Combat Vehicle. Retrieved from https://www.defensenews.com/digital-show-dailies/ausa/2020/10/13/us-army-prioritizes-open-architecture-for-future-combat-vehicle-amid-competition-prep

[2] Larter, David B. The US Navy’s ‘Manhattan Project’ has its leader. (2020). Retrieved from https://www.c4isrnet.com/naval/2020/10/14/the-us-navys-manhattan-project-has-its-leader

[3] Palmer, Danny. IOT security is a mess. Retrieved from https://www.zdnet.com/article/iot-security-is-a-mess-these-guidelines-could-help-fix-that

[4] Shelbourne, Mallory. (2020). Navy’s ‘Project Overmatch’ Structure Aims to Accelerate Creating Naval Battle Network. Retrieved from https://news.usni.org/2020/10/29/navys-project-overmatch-structure-aims-to-accelerate-creating-naval-battle-network

[5] Gupta, Yogesh. (2020). Future war with China will be tech-intensive. Retrieved from https://www.tribuneindia.com/news/comment/future-war-with-china-will-be-tech-intensive-161196

[6] Baksh, Mariam. (2020). DOD’s First Agreement with Accreditation Body on Contractor Cybersecurity Nears End. Retrieved from https://www.nextgov.com/cybersecurity/2020/10/dods-first-agreement-accreditation-body-contractor-cybersecurity-nears-end/169602

[7] Coker, James. (2020). CREST and CMMC Center of Excellence Partner to Validate DoD Contractor Security. Retrieved from https://www.infosecurity-magazine.com/news/crest-cmmc-validate-defense

[8] Vandepeer, Charles B. & Regens, James L. & Uttley, Matthew R.H. (2020). Surprise and Shock in Warfare: An Enduring Challenge. Retrieved from https://www.realcleardefense.com/articles/2020/10/27/surprise_and_shock_in_warfare_an_enduring_challenge_582118.html

[9] Schechter, Benjamin. (2020). Wargaming Cyber Security. Retrieved from https://warontherocks.com/2020/09/wargaming-cyber-security

Cyberspace Defense and Military Reform Emerging Technology Information Systems Jason Atwell United States