Cyber Threats and Vulnerabilities to Conventional and Strategic Deterrence

Excerpt

Scholars and practitioners in the area of cyber strategy and conflict focus on two key strategic imperatives for the United States: first, to maintain and strengthen the current deterrence of cyberattacks of significant consequence; and second, to reverse the tide of malicious behavior that may not rise to a level of armed attack but nevertheless has cumulative strategic implications as part of adversary campaigns. The Department of Defense (DOD) strategic concept of defend forward and U.S. Cyber Command’s concept of persistent engagement are largely directed toward this latter challenge. While the United States has ostensibly deterred strategic cyberattacks above the threshold of armed conflict, it has failed to create sufficient costs for adversaries below that threshold in a way that would shape adversary behavior in a desired direction.¹ Effectively, this tide of malicious behavior represents a deterrence failure for strategic cyber campaigns below the use-of-force threshold; threat actors have not been dissuaded from these types of campaigns because they have not perceived that the costs or risks of conducting them outweigh the benefits.² This breakdown has led to systemic and pervasive efforts by adversaries to leverage U.S. vulnerabilities and its large attack surface in cyberspace to conduct intellectual property theft—including critical national security intellectual property—at scale, use cyberspace in support of information operations that undermine America’s democratic institutions, and hold at risk the critical infrastructure that sustains the U.S. economy, national security, and way of life.

U.S. strategy has simultaneously focused on the longstanding challenge of deterring significant cyberattacks that would cause loss of life, sustained disruption of essential functions and services, or critical economic impacts—those activities that may cross the threshold constituting a use of force or armed attack. Indeed, Congress chartered the U.S. Cyberspace Solarium Commission in the 2019 National Defense Authorization Act to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.”³ There is also a general acknowledgment of the link between U.S. cyber strategy below and above the threshold of armed conflict in cyberspace. Specifically, efforts to defend forward below the level of war—to observe and pursue adversaries as they maneuver in “gray” and “red” space, and to counter adversary operations, capabilities, and infrastructure when authorized—could yield positive cascading effects that support deterrence of strategic cyberattacks.⁴

Less attention, however, has been devoted to the cross-domain nexus between adversary cyber campaigns below the level of war and the implications for conventional or nuclear deterrence and warfighting capabilities.⁵ The most critical comparative warfighting advantage the United States enjoys relative to its adversaries is its technological edge in the conventional weapons realm—even as its hold may be weakening.⁶ Indeed, this is why adversaries prefer to contest the United States below the level of war, in the gray zone, and largely avoid direct military confrontation where they perceive a significant U.S. advantage. At the same time, adversaries are making substantial investments in technology and innovation to directly erode that edge, while also shielding themselves from it by developing offset, antiaccess/area-denial capabilities.⁷ Moreover, adversaries are engaging in cyber espionage to discern where key U.S. military capabilities and systems may be vulnerable and to potentially blind and paralyze the United States with cyber effects in a time of crisis or conflict.⁸

Mark Montgomery is Executive Director of the U.S. Cyberspace Solarium Commission and Senior Director of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation. Dr. Erica Borghard is a Resident Senior Fellow in the New American Engagement Initiative, Scowcroft Center for Strategy and Security, at the Atlantic Council. Follow Mark on Twitter @MarkCMontgomery. FDD is a Washington, D.C.-based, nonpartisan research institute focusing on national security and foreign policy.

1. Summary: Department of Defense Cyber Strategy 2018 (Washington, DC: Department of Defense [DOD], 2018), available at <https://media.defense.gov/2018/ Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL. PDF>; Achieve and Maintain Cyberspace Superiority: Command Vision for U.S. Cyber Command (Washington, DC: U.S. Cyber Command, 2018), available at <https://www. cybercom.mil/Portals/56/Documents/USCYBERCOM%20Vision%20April%202018. pdf?ver=2018-06-14-152556-010>; “An Interview with Paul M. Nakasone,” Joint Force Quarterly 92 (1st Quarter 2019), 6–7.
2. The United States has long maintained strategic ambiguity about how to define what constitutes a use of force in any domain, including cyberspace, and has taken a more flexible stance in terms of the difference between a use of force and armed attack as defined in the United Nations charter.
3. John S. McCain National Defense Authorization Act for Fiscal Year 2019, Pub. L. No. 115–232—August 13, 2018, 132 Stat. 1636, available at <https://www.congress.gov/115/ plaws/publ232/PLAW-115publ232.pdf>.
4. As defined in Joint Publication 3-12, Cyberspace Operations (Washington, DC: The Joint Staff, June 8, 2018), “The term ‘blue cyberspace’ denotes areas in cyberspace protected by [the United States], its mission partners, and other areas DOD may be ordered to protect,” while “‘red cyberspace’ refers to those portions of cyberspace owned or controlled by an adversary or enemy.” Finally, “all cyberspace that does not meet the description of either ‘blue’ or ‘red’ is referred to as ‘gray’ cyberspace” (I-4, I-5). Prior to the 2018 strategy, defending its networks had been DOD’s primary focus; see The DOD Cyber Strategy (Washington, DC: DOD, April 2015), available at <https://archive.defense.gov/home/features/2015/0415_cyber-strategy/final_2015_ dod_cyber_strategy_for_web.pdf>.
5. For a notable exception, see Erik Gartzke and Jon R. Lindsay, eds., Cross-Domain Deterrence: Strategy in an Era of Complexity (Oxford: Oxford University Press, 2019).
6. Office of the Secretary of Defense, Annual Report to Congress: Military and Security Developments Involving the People’s Republic of China 2020 (Washington, DC: DOD, 2020).
7. The spread of advanced air defenses, antisatellite, and cyberwarfare capabilities has given weaker actors the ability to threaten the United States and its allies. For example, China is the second-largest spender on research and development (R&D) after the United States, accounting for 21 percent of the world’s total R&D spending in 2015. Also, improvements in Russia’s military over the past decade have reduced the qualitative and technological gaps between Russia and the North Atlantic Treaty Organization. See National Science Board, “Overview of the State of the U.S. S&E Enterprise in a Global Context,” in Science and Engineering Indicators 2018 (Alexandria, VA: National Science Foundation, 2018), O-1; Scott Boston et al., Assessing the Conventional Force Imbalance in Europe: Implications for Countering Russian Local Superiority (Santa Monica, CA: RAND, 2018).
8. Gordon Lubold and Dustin Volz, “Navy, Industry Partners Are ‘Under Cyber Siege’ by Chinese Hackers, Review Asserts,” Wall Street Journal, March 2019, available at <https://www.wsj.com/articles/navyindustry-partners-are-under-cyber-siege-reviewasserts-11552415553>; Zak Doffman, “Cyber Warfare: U.S. Military Admits Immediate Danger Is ‘Keeping Us Up at Night,’” Forbes, July 21, 2019, available at <https://www.forbes. com/sites/zakdoffman/2019/07/21/cyberwarfare-u-s-military-admits-immediate-dangeris-keeping-us-up-at-night/#7f48cd941061>.