February 28, 2022
The 5×5—What’s in a cyber strategy?
On January 25, the United Kingdom published its first-ever Government Cyber Security Strategy. The document outlines the panoply of cyber threats facing the United Kingdom and announces measures for protecting UK public services, including increased funding for local authorities and the establishment of a center to improve cybersecurity coordination across the public sector.
In the coming year, US President Joe Biden’s administration is expected to release its own national cyber strategy to provide a roadmap for improving US capabilities and defending the United States from cyber threats. Some have speculated that, if the cyber section of President Biden’s Interim National Security Strategic Guidance was any indication, the forthcoming national cyber strategy will likely be largely a continuation of the 2018 version of the document published by the previous administration—the first US national cyber strategy in fifteen years.
What’s in a cyber strategy, how should one be created, how can observers gauge its effectiveness, and how might such a strategy be reflected in real-world conflicts? We brought together a group of experts, with experiences from government to academia to industry, to share a range of perspectives. These responses were collected and edited prior to the start of Russia’s massively expanded invasion of Ukraine on February 24 and subsequent developments.
#1 What strategic goals (if any) should be unique to a cyber strategy, as opposed to pulled from the broader National Security Strategy?
Jason Healey, nonresident senior fellow, Cyber Statecraft Initiative; senior research scholar, Columbia University School of International and Public Affairs:
“National security tends to be top-down with government as the main actor. Most of cybersecurity is bottom-up with the government in the supporting role, which means there should be key differences between a national security strategy and a cyber strategy. Moreover, national security strategies tend to focus just on adversaries, while cyber strategies need to cover adversaries as well as how to improve defense across all of cyberspace, how to improve security for the companies, and for the people who use it.”
Joshua Rovner, associate professor, School of International Service, American University:
“Cyberspace is mostly owned and operated by the private sector, so collaboration is essential. An open, secure, and reliable public internet cannot function without ongoing voluntary cooperation among developers and engineers, IT firms, and civil society groups. Cooperation is hard because these actors do not always have shared interests. The challenge for government is maintaining a practical working arrangement; there is no alternative.”
Emma Schroeder, assistant director, Cyber Statecraft Initiative; managing editor, Cyber Statecraft Strategy Series:
“A cyber strategy must, like the National Security Strategy, outline American policy objectives in and across domains. However, what is unique to cyberspace is the degree of consideration, made necessary by the domain’s interconnectedness and malleability, of how actions taken by the US government may impact adversaries, allies, and private sector partners, and even the environment. It is not enough to defend US assets. A US cyber strategy must improve the security and stability of the domain itself.”
Camille Stewart, cyber fellow, Harvard Belfer Center:
“The continued investment in public-private partnerships and the shared mission of resilience and reducing cyber threats is integral to a cyber strategy. Additionally, the role individuals play in national and international outcomes in cyber must be addressed as part of comprehensive cyber strategy.”
Heli Tiirmaa-Klaar, director, Digital Society Institute, ESMT Berlin; former ambassador-at-large for cyber diplomacy, Estonian Ministry of Foreign Affairs:
“Cyber strategy covers a distinct field of national critical information infrastructure protection, public-private cooperation, national regulatory requirements, fight with cybercrime, cyber defense and crisis management, coordination between agencies with a cyber portfolio, and national coordination of cyber issues at the strategic level, as well as developing a cyber workforce. Therefore, cyber strategy should be a distinct separate strategic-level document that is informed by the national security strategy, but should cover its specific niche of national cyber readiness, resilience, and policy coordination.”
#2 What ongoing debate(s) within cybersecurity are the most important on which to gain consensus in order to craft the next national cyber strategy?
Healey: “Too much policymaking and research has reached consensus about how to win the last war in cyberspace: the intelligence contest of sabotage and theft of intellectual property. We need a new consensus which recognizes that while cyber conflict has been that way, this may change as the world enters a new phase of conflict. For the past 30 years, since the end of the Cold War (and across almost the entire history of cyber conflict), states generally have not invaded their rivals, so it is no wonder that cyber conflict has been similarly tame. As geopolitical stakes and conflicts intensify, cyber conflict is likely to become far more dangerous than it ever has before. This will be true, not just for major powers like Russia and China but even for regional ones like India and Pakistan and Armenia and Azerbaijan. Should Iran not back down from its enrichment, it will be true of the United States and Israel as well, which will surely use cyber as an adjunct to military strikes.”
Rovner: “Two questions are crucial. First, is cyberspace competition an intelligence contest? Answering this question will help to adjudicate organizational responsibilities. Second, what are the uses and limits of cyberspace operations in war? Answering this question will help to integrate cyberspace into conventional military planning.”
Schroeder: “One of the most interesting, and challenging, aspects of strategy and security in the cyber domain is its relative lack of history – partly as a consequence of this, myriad debates persist with strong disagreement. The lack of precedent when it comes to escalatory exchanges in the cyber domain is especially dangerous where it hampers the ability of policymakers and leaders to modulate their response to different types of cyberattacks, and to do so in a way that sends a consistent message to adversaries. The threshold of physical, violent effect is largely agreed upon but an upper limit, if it does act as deterrent, does not temper adversary activity below that threshold – that requires coordinated and consistent response.”
Stewart: “1) Offense/defense advantage. The ongoing debate over whether (and how aggressively) the United States ought to use offensive cyber tactics in its conflicts with its adversaries, or whether it ought to stick to principally defensive maneuvers is an area where we must gain consensus and choose a direction. While the appropriate balance may change over time, we should have a clear direction for this moment in time. 2) Regulation. We need to make some decisions on the boundaries for how companies operate and elevate information to the government. The push and pull of unclear expectations and state-level requirements is unsustainable. 3) Roles and responsibilities. Clearer articulation of the roles, responsibilities, and authorities of federal agencies with cyber mandates, along with how and when they work together, is essential. While we have high-level guidance, tactical clarity would be very helpful.”
Tiirmaa-Klaar: “The offense/defense debate really depends on a specific nation that we talk about. Most smaller nations that have a smaller attack surface, but also limited offensive capabilities, would prioritize a defensive advantage approach, or deterrence by denial approach. Larger nations with greater resources will look into achieving offense/defense balance. It looks like the majority of nations have by now understood the necessity of building better defenses and resilience, as malicious actors that target private sector companies cannot be stopped by high-capability offensive operations only. A certain balanced approach is necessary where defense should provide basic resilience against lower capability actors and cybercriminal groups.”
#3 What measures of success can we use to gauge the effectiveness of US national cyber strategy?
Healey: “Because the United States has never had a clear policy goal, it has never known how to measure success. My policy goal has been to get defense better than offense, whether at the level of an individual, a company, a sector, a nation, or—better yet—across the Internet as a whole. This lends itself to specific metrics on whether defenders are outpacing attackers. If successful, we should see, for example, an increase in breakout times and a decrease in time to detect and eject intruders.”
Rovner: “It depends on our goals. If the goal is preventing attacks on critical infrastructure, for instance, then we can track the frequency and severity of such attacks. Such quantitative measures will be useless if the goal is broader (e.g., encouraging the development of cyber norms).”
Schroeder: “The US cyber strategy will be comprised of a multitude of goals, which will contribute to the effectiveness of the strategy as a whole. Each of these component parts will require multiple different methods to measure progress. A central measure however, that can serve as a litmus test of our resilience and preparedness, is increasing both the number and diversity of those in the cyber workforce. US cybersecurity is strengthened by including people from a wide range of backgrounds and experiences.”
Stewart: “Increased industry engagement and trust, reduction in ransomware attacks, greater resilience of critical infrastructure, investment in education and awareness, and clearer guidance for businesses of all sizes (standards, best practices, requirements, etc.) would be great to start.”
Tiirmaa-Klaar: “Set measures that help improve cybersecurity management in all organizations. Avoid the avoidable nuisance-level attacks, avoid the exploits by known vulnerabilities, and avoid mistakes originating from poor end-user cyber hygiene and lax corporate processes. There are many small and simple steps of prevention that should be implemented in every organization. How should this be organized? In the European Union, there is the Network and Information system security directive, whose 2.0 version will make cyber requirements compulsory for a larger group of companies than the original regulation that set requirements for critical infrastructure only. A very good example of success is Estonia, which was nearly untouched by NotPetya ransomware in 2017 due to its rigorous patching requirements and close public-private partnerships in threat intelligence sharing.”
#4 To create a robust US national cyber strategy, which individuals/entities should be involved and how?
Healey: “A US national strategy must be built around key private-sector actors, which have key strengths the government lacks: agility, subject matter expertise, and ability to directly manipulate cyberspace at massive scales. These are the levers which will lead to success, when combined with the government’s resources, staying power, legitimacy, and access to other levers of power. The US government must use three Es here: Encourage those actors which have the means to improve defenses at scale but may lack the will; Enable those with the will but not the means; and Enforce with regulations when the first two options fail.”
Rovner: “The intelligence community will be front and center because the day-to-day national security implications of cyberspace operations are most relevant to intelligence work. The military will be essential in developing conventional operations that make use of cyberspace—without expecting too much from cyberspace operations. The Cybersecurity and Infrastructure Security Agency and the National Cyber Director should take a leading role in coordination with the private sector.”
Schroeder: “US cyber strategy needs to take a multi-stakeholder approach, including the private sector as core partners within the domain. The interconnectedness and inter-reliance that characterize the domain mean that our vulnerability is shared and thus our ability to create a more secure cyberspace must be cooperative. In the cyber domain, the government is reliant on the private sector, and this means that the government needs to operationalize its cyber strategy, in large part, according to the incentives and limitations of companies. This will require a wide range of efforts, from ensuring that information sharing networks are not unidirectional and provide benefit to contributing companies, to creating cybersecurity standards and requirements that are accessible and implementable, and much more.”
Stewart: “A truly robust cyber strategy not only includes the traditional players but also requires consulting and incorporating the relevant work of all domestic agencies. To look full scope at our cyber challenges and to make long-term investments that will mitigate risk, we have to look at how investments in domestic infrastructure like education can impact long-term outcomes. Also, we need to figure out how to incorporate the private sector in the development and execution.”
Tiirmaa-Klaar: “The United States has the best cyber experts in the world and has demonstrated the ability to pull its collective cyber power together if necessary. But surely it can benefit from more coherent internal coordination and greater cooperation between different domestic agencies and the White House, Departments of State, Justice, and Defense, as well as other relevant players.”
#5 What do current geopolitical tensions suggest about the strengths and/or weaknesses of current US cyber strategy?
Healey: “The United States seems likely to build a strategy to deal with “death-by-a-thousand-cuts” campaigns right when conflict may be shifting more towards “digital Pearl Harbor” attacks, as states invade neighbors and are willing to engage in increasingly brazen and deadly attacks. Moreover, US Cyber Command, for all of its strengths, is not built for the larger problem of information warfare, leaving the Nation wanting against its Chinese and Russian counterparts. It is as if the United States stood up a Battleship Command in 1935. Maybe a good idea, but not in tune with the challenges of modern warfare.”
Schroeder: “The US has a tendency to put cyber in its own box—to miss the forest for the trees. Cyber is most effective as a tool of statecraft when it is part of a campaign, placing long-term strategic planning over incident response or retaliation. America’s adversaries have long known the operational and strategic benefits of wielding the tools of statecraft and irregular conflict (alternately referred to as grey zone activities, hybrid capabilities, etc.) and the utility of cyber operations as a part of such campaigns. When cyber disinformation operations are employed as part of a long-term strategy to legitimize and obscure the occupation of a sovereign state, for example, the cyber component cannot be considered or addressed separately.”
Stewart: “Our cyber strategy should orient itself around the reality that our adversaries are already in our networks. Also, the interconnectedness of systems and interdependencies of sectors must be acknowledged and accounted for more concretely. There must be heavy emphasis on enabling and encouraging necessary collaboration across sectors and breaking down silos. The investment in public-private collaborative bodies is an important strategic move and will be a strength moving forward.”
Tiirmaa-Klaar: “The major weakness in the United States has been its laissez-faire approach to private sector cybersecurity that has resulted in recent well-known cyber operations. If SolarWinds had done better homework, it would have been more difficult for Sandworm to organize the supply chain attack. The Colonial Pipeline attack could have been avoided too with better security and prevention. At the same time, there is also a merit to step up the cyber deterrence strategy below the threshold of the armed conflict where most cyber operations take place. The likeminded Cyber Deterrence Initiative should be bolstered and a genuine international cyber coalition should be built that can take collective, coordinated measures to punish the perpetrators and call them to respect international law. It also applies to the fight with cybercrime. There should be more coordination and cooperation between different cyber communities internationally as the enemy often shifts identities as it pleases. A likeminded international cooperation framework against malicious state and non-state actors should be strengthened, and swift measures taken below the armed conflict (i.e., coordinated attributions, sanctions, etc.) to change their calculus of attacking.”
Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security. He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.