On Wednesday 17th March, Strife Interviewer Ed Stacey sat down with Dr Jacquelyn Schneider to discuss the role of offensive cyber operations in cyber strategy. For the final part of Strife’s Offensive Cyber Series, Dr Jacquelyn Schneider outlines the origins of defend forward and persistent engagement as well as discussing the relationship between offence and defence in cyber strategy, the potential for a no first use policy with regard to strategic cyber-attacks and potential future trajectories in the US’ approach to cyber operations.
Ed Stacey: Jackie, if we could start back in 2018. How did the arrival of “defend forward” and “persistent engagement” alter the role and significance of offensive cyber operations within US cyber strategy?
Jacquelyn Schneider: I think the move towards persistent engagement and defend forward was a confluence of both US domestic factors, including organisational and bureaucratic politics, and the international situation.
From 2014 onwards, you see a pretty significant uptick in both the severity and amount of cyber activity, culminating in the 2016 elections with the Russian hack and release of Democratic National Committee information and cyber-enabled information operations. So there is this big change happening where the US is accepting and realising how important cyber operations are going to be both for domestic stability and international security. At the same time, you have these strange institutional politics going on within the Department of Defense (DoD) and particularly Cyber Command.
For those who are not followers of DoD internal politics, Cyber Command did not start off as its own command. It starts out as this task force and then as time goes by it becomes a sub-unified command, so it falls under Strategic Command. Now this is really important to the story of defend forward because Strategic Command is focussed on deterrence – this is the nuclear weapons command. And in their narrative about deterrence, they phrase offensive cyber as being strategic and special which translates to the Obama administration as: that sounds like it is potentially dangerous and escalatory, we should not do that very often.
So Cyber Command has this problem with narratives as they are sitting under Strategic Command and they are a little bit frustrated. I mean, imagine, here you have this huge command that is doing all of this important stuff but they are still a sub-unified command. They have to get Strategic Command to sign off on almost everything because it has all the authorities for buying stuff, for manning, for almost any relevant doctrine or strategy – any important piece of information that comes out of Cyber Command has to go through and be approved by Strategic Command. This is happening right up until the election in 2016.
Now Admiral Rogers is running Cyber Command at the time and he has this group called the Commander’s Action Group, where you have a few scholars sitting – so Emily Goldman, Michael Warner and then a series of rotating fellows who end up having a really large role in this move towards persistent engagement, like Richard Harknett. These are the historical figures whose names are never attached to these documents but were really important in driving them.
Now these three individuals sitting in this Commander’s Action Group are frustrated with deterrence and think there has to be an alternative. This is when you see Richard Harknett start publishing pieces saying: we have to get rid of deterrence and deterrence is not a useful concept in cyberspace. And he starts talking about this idea of persistent engagement, which shows up in the Cyber Command strategic vision that comes out before any of the other strategy and around the same time that Cyber Command is pushing to move from a sub-unified command to a unified command.
So this move from deterrence to persistent engagement was just as much a response to the amount of cyber attacks that were happening in the international sphere as it was to organisational frustration within Cyber Command at how little they had been able to do, or how little they perceived they had been able to do, under Strategic Command.
You will remember that Trump then wins the election and takes over, Rogers is replaced by Nakasone, they also fend off this big powerplay in domestic politics by the Director of National Intelligence to take the dual hat from Cyber Command and the National Security Agency, and Cyber Command elevates to a unified command. Now this is a really big moment in the institutional history of Cyber Command and you have this group of scholars who have been working really hard on creating the intellectual foundations for a strategy.
But persistent engagement in the DoD’s terms was not actually allowed to be a strategy. So Cyber Command has this idea where they want to be more active and forward leaning, but they are not allowed to call it a strategy. Shortly after, in 2018, the DoD comes out with their strategy – and this is being routed at the same time that persistent engagement is coming up, so these two are slightly in competition with each other – and that strategy introduces the concept of defend forward. So defend forward gets published at a different level than Cyber Command, by the Office of the Secretary of Defense, and will for the next four years be consistently confused with persistent engagement.
Defend forward is this idea that you are revaluating the risk matrix and combating adversary cyber operations, not after but before they take place. The language surrounding this is really vague but I interpret defend forward as being: we are going to use offensive operations to attack the adversary’s offensive operations. That is how I interpret it, but the language is super vague. Since 2016, we have had a lot of experimentation and if you follow how Nakasone talks about this and how the White House talks about this, there is a bit of confusion – they are still figuring out what this really means.
With four years of the Trump administration you see a lot of, in some ways, almost benign neglect of Cyber Command, yet at the same time they gave them new authorities to do offensive operations and they became a unified command. So you see a lot of operational experimentation that starts occurring with Cyber Command and, at the same time, the Cybersecurity and Infrastructure Security Agency, under Chris Krebs, is also experimenting. You start seeing, how far are we going to be offensive? What are we going to tell people? What are we going to not tell people? What is off limits? What is not off limits? You see a bunch of leaks to David Sanger that seem to suggest that defend forward is actually attacking critical infrastructure, which they then walk back a bit in public comment.
So at this point moving into the Biden administration I think what we have seen, at least as it is publicly discussed, is defend forward being operationalised as: we are going to help our allies by sending cyber protection teams and cyber network defenders into their countries to help them defend forward on their networks, what they call the hunt forward mission. Defend forward is going to be about using both offensive cyber and information operations to actively dissuade and degrade places like the Russian Internet Research Agency (IRA) from conducting information operations. And we have seen a lot less discussion in the last few years about defend forward being, for example, offensive attacks against critical infrastructure – that seems to have completely pared down.
As we move into the Biden administration, I think we are going to see a bit more specificity about what the US thinks are appropriate offensive operations and what are not. At the same time, Cyber Command is a lot more confident in who it is now because it has been a unified command for four years. I think what you see is Cyber Command starting to look a lot more like Special Operations Command and a lot less like Strategic Command, you see them defining and creating their own identity.
That was a really long explanation for the evolution of these ideas, which are constantly conflated. But if people take nothing else: persistent engagement, think of that as like Cyber Command’s motto – we are going to lean forward, we are not going to wait to respond, we are going to be a doing command. And then defend forward is how the DoD thinks about offensive operations below the threshold of violent conflict. Theoretically, you should have a national strategy that pulls this all together. The current national strategy does not really talk to these two but in the future, hopefully under the Biden administration, the national cyber strategy will be leading and pulling all of these elements together.
ES: You touched there on experimentation and the need for a cohesive strategy. Do you think the US currently strikes the right balance between offence and defence, aggression and restraint or however you would like to frame that strategic choice?
JS: I think the US in the last few years has leaned heavily on strategic ambiguity when it comes to offence and this has perhaps unduly suggested that it is being more offensive than it really is. I mean, you are sitting in the UK. The UK is sometimes more risk acceptant in cyberspace than the US, partly because of its bureaucratic politics. A lot of the UK’s cyber capabilities are resident in its intelligence arm instead of being strictly militarised, which means that sometimes they are far more willing to do operations than the US that would wonder if they fit into some sort of military lens.
So the US actually does less offence than you might expect. But because of this strategic ambiguity and how they talk about offence, the way they cage it in these odd terms like defend forward – I mean, we all know this is just offence that they are calling defence – it just looks a bit hypocritical. I think the US can own the offensive measures that they are doing and what they are not doing too.
The reason why you do not see defence come up a lot in these conversations is because the US struggles with how it discusses defence in a strategy. If you look at the US’ broader military strategies, in general there is a proclivity towards offence within them. I do not know if that is the “American way” or just a general desire by militaries to have more control, and there is great work by Barry Posen on this about the role of offensive doctrines. But the US is actually very concerned about defence; they just struggle with the vocabulary of how to talk about it in a strategy and how to outlay those priorities.
I think what we are going to see with the Biden administration is a more sophisticated and mature discussion of what defence is. The word resiliency is going to come up a lot more and hopefully that means they are also going to operationalise resiliency – so what does that mean in terms of investments in technology, infrastructure, people and training. And I think we are going to see a lot more of that.
In general, that discussion has not been very mature. Even while sometimes I think – I hope – that the DoD is becoming more sophisticated in how it thinks about investing in those technologies. They are just struggling with: how do you operationalise that and how do you talk about that in a strategy? So I think the US does less offence than it talks about and that offence is not as big a part of the strategy as you would expect, at least not the day-to-day. Hopefully the next strategy is more explicit about this.
I am also hoping that the next strategy lays out what the US thinks are appropriate offensive measures within status quo conflict and what are not. I think there is a lot of room – I have talked and written about this – for this idea of declaratory restraint at the highest levels and that the US can gain a lot from being more declaratory about what it is not willing to do, and what it says is not appropriate for most actors to do, in cyberspace.
ES: Looking across the Atlantic, the UK has recently been accused of “cyber-rattling” in its foreign policy review, spotlighting its new offensive cyber force at the expense of things like cyber resilience. Are more aggressive, forward-leaning approaches to cyber operations compatible with the strategic goal of liberal democracies to maintain an open, reliable and secure cyberspace?
JS: There is concern that the more geared towards offensive operations that states become the more there will be a general rise in cyber activity – it becomes like, you know, the US Wild West where everyone is just shooting everyone and we do not develop norms of what is appropriate and what is not appropriate in cyberspace.
I think you can be more offensive without it being the Wild West. Because how did the Wild West turn into what California is now, which is actually super regulated? You introduce and you experiment with what is appropriate and what is not appropriate. What are laws? What are ways that we can bind each other’s behaviour? What are punishment mechanisms?
We find that actors sometimes think that cyberspace is the Wild West and they veer too far. With this Colonial Pipeline hack, the criminals put out a statement saying: well, you know, we never meant to sow mayhem… Well, okay. So they pushed too far. Unfortunately for them, they have now highlighted the role that ransomware plays in US critical infrastructure and all of these ransomware attacks, which may previously have not made the news, are making the news. And so now the public says: goodness, this ransomware thing is happening and it seems to matter – it is going to affect me getting my gas, it is going to affect me buying my hotdogs, it is going to affect the hospitals I go to. Then you find, if that is the case, that maybe the Department of Justice is going to get more money, resources or authorities to go after these criminal actors.
So this kind of tit-for-tat is going to happen as states interact and these thresholds are really being defined as they are acted out. But for a state like the US which has made some level of offensive operations part of its strategy, in order to be able to use those without turning cyberspace into the Wild West or escalating things, it needs to do three things.
Firstly, it needs to define what are appropriate actions and what are not appropriate actions. For example, the US is not going to target Russia’s pipeline. It would be helpful to say things like that: we are not going to target critical infrastructure. So they know: okay, we are going to conduct offensive operations but they are going to be at the Russian IRA, they are going to be at the SVR, they are going to be at the Chinese People’s Liberation Army – we are not going to be focussing on critical infrastructure. So I think that helps, number one.
The second thing is the more that states are able to show that these attacks are costly, the less often they are going to happen. So in the past that has been phrased as deterrence by denial but really it is just making defence and resiliency better. Companies are less likely to pay ransomware attackers when their networks and data are resilient, so have backups and make sure that you can recover very quickly. Now that is expensive, but states and companies can invest in resiliency to make offensive operations less likely to occur.
Thirdly, having a credible strategic deterrence when states overreach is really important. So, for example, if Russia or China were to target US critical infrastructure and cause civilian deaths, the US needs to be willing to punish them with conventional kinetic means. And that is, I think, really hard to do.
But having those three things is important to be able to say: yes, we are integrating offensive operations but we are going to do it in a responsible way. So I am more optimistic that states can integrate offensive cyber operations without it escalating into this everybody shooting at everybody Wild West scenario in cyberspace.
Part II of this interview will be published tomorrow on Friday 25th June 2021.