Fri, Mar 5, 2021

The 5×5—Questioning basic assumptions in the cyber domain

New Atlanticist by Simon Handler, Emma Schroeder

Related Experts: Erica Borghard, Andrea Little Limbago, Nina Kollars


Computer security illustration. Lines of code on a laptop screen. Photograph by Mathieu Thomasset / Hans Lucas.

This article is part of the monthly 5×5 series by the Cyber Statecraft Initiative, in which five featured experts answer five questions on a common theme, trend, or current event in the world of cyber. Interested in the 5×5 and want to see a particular topic, event, or question covered? Contact Simon Handler with the Cyber Statecraft Initiative at [email protected].

Cyberspace is the newest domain of conflict—and the only human-made one at that. This helps explain why theorists and strategists are still hotly debating its key characteristics, which paradigms ought to shape decision-making, and whether certain basic assumptions about cyberspace should be ditched altogether.

But challenging assumptions in cyberspace also means challenging assumptions about the theorists and strategists themselves. International Women’s Day, coming up on March 8, serves as a reminder to include female voices as a means of enriching policy discussions, producing more insightful work, and driving impact. The community of experts guarding the cyber domain should reflect the community of users they seek to empower and protect.

In that spirit, we asked five leading cybersecurity professionals—all women—to assess some of the most popular assumptions about conflict in the cyber domain.

#1 In cyberspace, is offense or defense dominant? Or is this an obsolete paradigm?

Melissa K. Griffith, non-resident research fellow, Center for Long-Term Cybersecurity; public policy fellow, Science and Technology Innovation Program, Woodrow Wilson International Center for Scholars:

“When we ask this question, we are really asking the following: Is this a domain where conflict is likely to be more frequent? Why? Because an offense-dominant world makes offensive action easier, incentivizes striking first, inspires secrecy, and encourages brinksmanship. It is clear that the general consensus is that cyberspace is largely offense-dominant. However, if our goal is to decrease the frequency and impact of cyber conflict, there are two far more pressing policy questions. How can we shift that balance further in favor of defense through concerted efforts focused on 1) how we design and maintain cyberspace (remember this is an entirely human-made domain), and 2) increasing the cost of offensive cyber operations through our own organizational skills and capacity (we can’t lie down on the job simply because defense is organizationally and technically difficult).”

Erica Borghard, senior fellow, New American Engagement Initiative, Scowcroft Center for Strategy and Security:

“It depends! Where people stand on the offense-defense debate typically depends on how they measure offense and defense, the level of analysis (e.g., strategic, operational, or tactical), and whether they treat the offense-defense balance as a systemic variable or one that might vary across different dyads or in different contexts. On the whole, my take is that the offense-dominant nature of cyberspace is often exaggerated. A dedicated, persistent attacker with a long time horizon may indeed, at some point, always be able to gain access to a target—but that’s not how political scientists define offensive advantage, because it doesn’t take into account the resources (material and temporal) this may require.”

Andrea Little Limbago, nonresident fellow, GeoTech Center; vice president, research and analysis, Interos Inc:

“It’s an obsolete paradigm for so many reasons, the most relevant of which is that the private sector is very often the frontline in attacks and the government maintains the legal monopoly on offense. Those lines [between government and the private sector] are increasingly blurred, and we need to reinvent the role of the private sector in the defense equation, incentivizing greater security and defense while taking a more networked approach to defense given the risks inherent across supply chains.”

Nina Kollars, associate professor, Strategic and Operational Research Department, Naval War College; adjunct senior fellow, Defense Program, Center for a New American Security:

“I never found value in the abstract nature of that conversation when it came to state-on-state conflict and the potential for war. That being said, there are versions of ‘the offense is dominant’ that are fairly core philosophical approaches to structuring systems against threats, including ‘assume breach’ and ‘zero trust,’ that make productive use of that assumption to establish policy.”

Meg King, director of the Science and Technology Innovation Program, Woodrow Wilson International Center for Scholars:

“That’s not the right question. A better one would be what ratio of offensive and defensive measures should a country deploy in cyberspace? The answer: It depends. Many in policy circles have suggested that a good offense is the best defense. As in sports, that idea presumes one must only outscore opponents. But, as basketball fans and anyone who has tuned into news about the SolarWinds hack know, we will never be able to block all the possible shots taken (or rid our networks of all vulnerabilities from which our computer systems may suffer). And sometimes the game just won’t go our way. For certain adversaries, the offensive-heavy strategy may make sense. But for other, scrappier ones, it may not. As the cyber playing field levels, more nation states are getting in the game. And, in that case, a good defense is a good offense. What we need is a clearly defined and nimble strategy for a variety of cyber-capable opponents.”

#2 Does the concept of deterrence apply in cyberspace? If so, to what degree?

Griffith: “While there are many well-documented challenges to conventional models of deterrence, we also need to set a fair standard by which to assess our ability to deter malicious cyber activity. You cannot deter all malicious activity all the time. Deterrence, in practice, is about setting thresholds around activity that you simply will not and cannot tolerate and then enforcing (or signaling your ability to enforce) those thresholds. Even the Cold War, the heyday of deterrence theory, was not a period without conflict, espionage, or strategic jostling. All of that occurred fairly regularly. When it comes to cyberspace, we all too often reference any high-profile hack, whether it is an espionage operation or an attack, as evidence that deterrence has failed entirely. That’s an unfair standard. Is deterrence uniquely difficult in cyberspace? Yes. Does the feasibility of deterrence live or die on our ability to deter all malicious activity? No.”

Borghard: “It’s popular to argue that deterrence has failed in cyberspace because there is so much malicious cyber activity taking place on a near-routine basis—including cyber-enabled espionage campaigns, intrusions into critical-infrastructure networks, influence operations, and so on. All of these activities have taken place below a ‘use of force’ threshold. However, deterrence has largely held above that threshold—namely, with regard to strategic cyberattacks that would cause significant harm or even loss of life. Moreover, there are some actions in cyberspace that states simply don’t or shouldn’t aim to deter, like espionage for national security purposes, because they are accepted practice for states. Therefore, the blanket statement that deterrence doesn’t apply to cyberspace is misguided. In some cases, deterrence seems to work (at high thresholds); in others, it may have failed (at lower thresholds); and still in other cases, it’s not applicable (espionage).”

Little Limbago: “Deterrence could play a role in cyberspace if viewed within a broader framework of strategic capabilities. Cyberspace does not exist in a silo but rather is one of numerous tools of statecraft. Deterrence requires a credible commitment that some form of impactful retaliation would result if specified actions are taken, and importantly the range of responses should include, but must not be limited to, the cyber domain.”

Kollars: “My optimistic belief is, uhh… yes? If scoped appropriately to clarify who and what cyber events we are deterring, you can deter in cyberspace. The problem with talking about deterrence in cyberspace writ large as part of a national strategy is that some want it to be all attacks all the time. That’s unrealistic in scope. What is it specifically we want actors not to do? And what are the tools of national power we can use to either deny or punish? However, I have yet to see someone do deterrence effectively…”

King: “Yes. But let’s be clear: We can’t expect cyber deterrence to be similar to what we experienced during the Cold War with US nuclear deterrence strategy. Cyberspace is a completely different construct than the one we traditionally assessed for nuclear posture. For one, you can count weapons (at least most of them). But it’s not so easy in cyberspace. When things get to the level of ‘act of war’—for example, a nation state turning off the United States’ electricity—certain adversaries know a response will be swift and direct. So that kind of attack isn’t likely. But those scrappier adversaries with little to lose might try and possibly succeed. And for deterrence to work, our messaging has to be clear. It isn’t today.”


#3 To what extent do our preconceived notions about sovereignty influence cyberspace? How relevant are they?

Griffith: “We are sometimes too quick to frame cyberspace as a borderless domain. Is it global in its reach? Yes. Does it challenge traditional mechanisms through which states might govern or shape activity within or passing through their territory? Yes. But one only has to look at a map of undersea cables, examine data-localization trends, or consider privacy regulations like the European Union’s General Data Protection Regulation to see the ways in which borders and sovereignty continue to shape cyberspace.”

Borghard: “Sovereignty is alive and well in cyberspace. States—particularly authoritarian ones—exert control over data that resides in and transits through their digital sovereign borders. While actors may transverse the digital infrastructure of other countries and conduct operations in other states’ space, legal scholars and policymakers continue to debate the conditions under which different types of operations would constitute a violation of sovereignty. However, the fact that these conversations are taking place means that sovereignty is still an anchoring concept for international politics in cyberspace.”

Little Limbago: “For a while the notion that borders did not exist on the Internet was gaining traction. That is increasingly false as governments implement data-sovereignty laws that require localized data storage, censor or manipulate content, and even require government access to data when requested. Conversely, other states are implementing greater data-protection and integrity laws. In the digital age, where you stand depends on where your data sits.”

Kollars: “In most cases they still matter. The civilian landscape of cyberspace is built upon firms that must, themselves, be pinned to a country. The complications arise not because sovereignty doesn’t matter, but because we often don’t know how to untangle the interdependencies of those sovereignties. Banks are often global in footprint and yet sovereignty still matters. Cyberspace is everywhere, but at some point it dumps out onto the physical world and that is where it is pinned.”

King: “For one, most countries don’t agree on sovereignty in cyberspace. That’s partly because governments are concerned that any rules they put in place won’t apply to others and will hinder their own capabilities in the future. And the absence of an international agreement means it’s unlikely we will have any answers to the sovereignty question in the short term. Some countries and regions are attempting to set rules, but most focus on the economics of cyberspace or the protection of personal privacy.”

#4 Cyber conflict is often compared to other types of conflict to make it more relatable. Is this more helpful or harmful to policymakers’ understanding?

Griffith: “It depends on the analogy and the context in which it is deployed. Analogies are a useful heuristic for explaining how an event, concept, or process is similar in some important way to a different but often more readily or well-understood event, concept, or process. That assumed similarity then allows policymakers to draw more informed conclusions about cyber conflict and make more informed policy decisions. The analogies become harmful when that assumed similarity is sloppily drawn, entirely incorrect, or largely insignificant to the question at hand. In short, it behooves us to pick our analogies in a rigorous manner and to be transparent about why we are deploying them.”

Borghard: “Understanding cyberspace by way of a heuristic or comparison can be useful to help policymakers wrap their heads around core issues particularly in highly technical areas. But choosing the right analogy as well as appreciating its limitations and biases is essential. For instance, a state’s strategic culture shapes the analogies policymakers rely on—such as comparisons to historical events, conflicts, or capabilities. Differences across states in anchoring analogies could lead to mirror imaging, strategic surprise, miscommunication or misperception, and other adverse outcomes. Therefore, policymakers should be more self-aware of the limitations of analogies.”

Little Limbago: “Comparisons are useful, but they have become too much of a crutch and are limiting creative thinking on par with global threats. This is a problem beyond cyber conflict that permeates into broader strategic thinking regarding shifts in global power and the impact of technology. Both cyber and emerging technologies writ large are upending pre-existing notions of power and conflict, but yet we still rely heavily on Cold War analogies that are anachronistic and limit the solution set.”

Kollars: “It could be useful, but we are doing it wrong. The conflict terms we use now are nearly purely about fighting and fear. They are predominantly militarized and framed through war. It’s stupid. It leads policymakers to think about cyber issues predominantly in terms of escalating violence. That’s far too narrow. Conflict is also about harm and how to recover from it. Conflict and the resolution of conflict includes many things like negotiations, agreements, treaties, resolution, mitigation, revitalization, and recovery—all these terms and concepts are related to conflict. But, as it stands right now, if you want to talk cyber, especially for the US Department of Defense, it is fight, fight, fight.”

King: “It depends. Policymakers are smart but very busy people. If an analogy or example helps them understand and remember an abstract technological concept, then yes this can be helpful. But context matters. This is why the Wilson Center’s Technology Labs help build understanding about the use and abuse of emerging technologies (including deep dives on cybersecurity). But that’s just the beginning; after completing our sessions, we offer policymakers access to a broad network of experts who can help ensure that the policymakers aren’t applying the wrong analogy to the wrong situation so that they can make informed decisions. Policymakers are experts in policy and governing, not technology. And that’s a good thing.”

#5 What’s an assumption that national-security policymakers have for other domains of conflict that just doesn’t apply to cyberspace?

Griffith: “I would actually flip this question on its head: What is an assumption that national-security policymakers make about cyberspace that they would not make if they treated it more like other domains of conflict, assuming that everything about the domain is different and, therefore, historical approaches can’t apply? For example, cyber conflict can sometimes be discussed as if it exists in its own discrete vertical rarely informed by, or a part of, a broader set of operational and strategic goals. That isn’t any more accurate for cyber operations than it is for operations carried out by air, on land, or at sea. While there are tactical and operational dynamics that are unique to cyberspace, this domain—just like air, land, and sea—can support and should be understood within a state or non-state actor’s broader operational and strategic goals.”

Borghard: “US policymakers like to have the ability to respond at a time, place, and manner of their choosing. That’s typically possible in other domains of warfare. However, in cyberspace policymakers are likely to find themselves evaluating the cyber response options they have rather than the ones they want. Unlike other capabilities, a particular set of offensive cyber capabilities may not be available at the right time, with access to a specific target and with the ability to deliver a preferred effect. Cyber capabilities are ephemeral and imperfect.”

Little Limbago: “The notion of power is very different for cyberspace as it can take minimal resources to have an outsized impact. Power assumptions still largely rely on Cold War models and, even in the other domains of conflict, these are quickly becoming outdated. The use of drones in regional conflicts, for instance, has proven that we need to rethink our approach to power capabilities and adjust strategies accordingly.”

Kollars: “Cyberspace is like improv: It is all ‘yes and….’ The fluidity of the systems underneath and through cyberspace creates crazy second- and third-order effects and mocks the boundaries we like to place around ‘traditional’ domains.”

King: “With conventional attacks, physical damage is measurable. With cyberattacks, assessing damage is usually more muddled. A lot of the time, we can’t even see the damage—even if news reports tell us that damage is in the billions of dollars. So measuring impact—and explaining why investing in prevention efforts matters—is a harder sell to the public than in the case of a physical attack. That’s a big problem for preventing future cyberattacks.”

Simon Handler is the assistant director of the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and international security with cyberspace. He is a former special assistant in the United States Senate. Follow him on Twitter @SimonPHandler.

Emma Schroeder is an assistant director with the Atlantic Council’s Cyber Statecraft Initiative, within the Scowcroft Center for Strategy and Security. Her focus in this role is on developing statecraft and strategy for cyberspace that is useful for both policymakers and practitioners.