How to reverse three decades of escalating cyber conflict

This article has been adapted from The Escalation Inversion and Other Oddities of Situational Cyber Stability with the permission of the Texas National Security Review.

Cyber conflict has not yet escalated from a fight inside cyberspace to a more traditional armed attack because of cyberspace. In part this is because countries understand there are some tacit upper limits to escalation above which the response from the offended country will be war. Unfortunately, this happy state may not last: Cyber conflict and competition are intensifying, increasing the chances of escalation into a true global crisis.

Gauging the intensity of cyber conflict requires measuring both inputs (traditionally expressed in terms like the number of troops committed to the fight, which is less obvious in cyber but can be estimated by the size and number of cyber organizations) and outputs (the cyber operations that have significant impact, like the suspected Russian SolarWinds hack). It helps if there is a clear causal link between cyber incidents, but this is not necessary if the direction and magnitude of the vector are consistent over a long period of time—in this case, thirty years.

Charting the intensification of cyber conflict over thirty years

In 1988, countries did not have major cyber organizations. Within the US Department of Defense (DoD), there were small groups planning and conducting offensive operations. Yet there was no dedicated civilian defensive team in the United States until the creation of the Computer Emergency Response Team, funded by the DoD in November 1988. There were significant incidents—such as the Morris Worm of 1988 and a case known as the Cuckoo’s Egg of 1986, in which KGB-backed German hackers stole information on US ballistic missile-defense technologies. But however shocking at the time, those incidents were still quite modest in scope, duration, and intensity.

Just ten years later, the situation looked quite different. In 1995, the first major cyber bank heist occurred, targeting Citibank. By 1998, the world’s first combat cyber unit, established in the US Air Force, had already been in existence for three years and featured ninety-three officers and enlisted. That same year, the US military created the first cyber command in response to its internal Eligible Receiver exercise and the Solar Sunrise incident. This command was staffed by about two dozen defenders (including one of the authors, Jason Healey) and worked with other DoD response teams to counter the Moonlight Maze espionage case. Within two years, the command had taken on responsibilities to coordinate offensive operations, expanding to 122 personnel with a $26 million budget.

Roughly a decade after that, in 2007, Estonia suffered a debilitating cyberattack from Russia. Russian espionage against the United States became increasingly worrisome, including a case known as Buckshot Yankee where Russian spies breached classified networks. By 2012, meanwhile, Chinese theft of American intellectual property had become known as the “greatest transfer of wealth in history.” In direct response to these incidents, the Defense Department combined its dedicated offensive and defensive task forces into a single US Cyber Command in 2010.

Over the next decade, the United States launched a sophisticated cyber assault on Iranian uranium-enrichment facilities; Iran conducted sustained denial-of-service attacks on the US financial system; North Korea attacked Sony; and Russia disrupted the Ukrainian power grid in winter (twice) and the opening ceremony of the 2018 Winter Olympics in South Korea. The operational element alone of US Cyber Command grew to 6,200 personnel. What had been a defensive-only command with twenty-five people in 1998 grew to cover both offense and defense with a staff of over nine hundred by 2011 and at least seven times that size by 2018. Iran and China created their own cyber commands, as did the Netherlands, the United Kingdom, France, Singapore, Vietnam, Germany, and others.

Breaking the cycle of escalation

The trend of intensifying cyber conflict is quite clear: The problems we faced in 2008 seem minor compared to today and the organizations seem small and limited, while the cyber incidents from 1998 and 1988 seem trivial. Operations considered risky twenty years ago are now routine.

The US military’s preferred strategy to “defend forward” and impose costs by conducting operations “as close as possible to adversaries and their operations” is a critical aspect of cybersecurity. But it is only effective at stopping individual campaigns one at a time—by, for example, preventing Russian actors from repeating a disruption of the Olympics like in 2018.

US Cyber Command has said persistent engagement is necessary not just to immediately counter adversaries but also to “improve the security and stability of cyberspace.” It has been over two years since former US President Donald Trump delegated authorities to conduct offensive cyber operations in accordance with defending forward. Yet the SolarWinds intrusion underscores that those stated goals seem farther away than ever.

The White House, with its broader view, must make the key decisions. Limiting further intensification will require a new US strategy that ensures cyber defenders have advantages over attackers. The strategy should leverage the innovations that impose the highest costs for attackers and the least costs for defenders, including end-to-end encryption to stymie espionage and automated updates to rapidly patch vulnerabilities. Innovations like the cloud are increasingly scaling security and deserve at least as much attention as persistent engagement.

Further, the Biden administration, led by the newly created deputy national security advisor for cyber and emerging technology, should revoke delegated offensive authorities unless the DoD can provide criteria that define success for the defending-forward strategy and an estimated timeline for when the president can expect results of improved security and stability.

Defending forward seems an unlikely solution for reversing the decades-long intensification of cyber conflict—a pattern of escalation often led by the United States. Perhaps defending forward is necessary to frustrate particularly reckless and brazen campaigns, but in the long run it may someday spark a larger conflict.

Jason Healey is a nonresident senior fellow at the Scowcroft Center for Strategy and Security’s Cyber Statecraft Initiative at the Atlantic Council and a senior research scholar at the Columbia University School of International and Public Affairs.

Robert Jervis is the Adlai E. Stevenson professor of international politics in the Department of Political Science at Columbia University and a member of the Arnold A. Saltzman Institute of War and Peace Studies in the School of International and Public Affairs at Columbia University.