This is part II of Ed Stacey’s interview with Dr Jacquelyn Schneider on cyber strategy for Strife’s Offensive Cyber Series. You can find part I here.
ES: You mentioned earlier your writing about this idea of a no first use policy with regards to strategic cyber attacks. I was wondering if you could speak a little to how that might help to limit escalation and maintain stability in cyberspace?
JS: One of the biggest hypocrisies, or logical inconsistencies, that is resident in US cyber strategy is this ambiguity about what they are willing to do offensively and yet they also say: do not dare attack our critical infrastructure or do not dare hurt our civilians. And so, if the US does not say that they are not going to attack critical infrastructure, what are the incentives for other states to not attack critical infrastructure or how do they know that the US is not going to lump these attacks into defend forward?
So I use the term no first use, which I stole from the nuclear world and has its own connotations, but really what I am advocating for is declaratory restraint at the strategic level. States like the US, the UK and others can say: we do not think it is appropriate for states to attack critical infrastructure and create strategic effects against civilian populations. We have seen this type of attack in war and we know that it is ethically fraught and not usually very useful, so we are not going to do it. Now that does not mean that we are going to accept when other people do it to us, but we just want them to know that this is off the table for us.
Now if we are in a full-blown conflict and our opponent is intermingling their civilian infrastructure with their conventional or nuclear arsenal, then we might attack that. But as a rule if they are not entangling these things and we are not in a violent conflict, then we are going to say that those are off the table.
People worry that adopting this policy would handcuff the US, for example, or whichever state adopts it. But strategic cyber attacks are a really high threshold – these are attacks on critical infrastructure or nuclear infrastructure that cause significant violence to civilian populations. That is a pretty high bar. I am not talking about military infrastructures; it is a relatively defined group of targets that we are saying we are not going to attack.
But I think, in general, states like the US, the UK, France, Germany, Japan – typical allies of the US – are not the type of states that are going to attack critical infrastructure anyway. There is a sense that this is something that is not above board, that it is not viable or something that a liberal democratic state should do, especially prior to a conflict. I do not think that these states are going to do it anyway, so why not get credit for it? If you are already restraining yourself, why not get credit for it?
The other thing is that these types of attacks are actually relatively difficult to conduct and it is hard to see how strategically useful they are. This goes back to the idea that attacking civilian populations is going to decrease their desire to continue conflict. And the empirical evidence on this is mixed because sometimes you push too far, you escalate and get rally round the flag effects. So strategically this is not of great use to states like the US anyway.
That policy then allows the US to be more assertive and risk acceptant with lower level cyber attacks, where you are attacking other states’ offensive cyber infrastructure, with less worry about things escalating to a more violent conflict or a strategic cyber attack.
ES: This next question is from Amy Ertan, who I spoke to for part three of this series. She was wondering how best to educate decision-makers about the strategic implications of offensive cyber capabilities? And just to add to that if I can, there has been a lot of pushback in the literature against comparisons between cyber and nuclear, but are there ways in which we can borrow ideas and concepts from the nuclear world – such as no first use – for educational purposes?
JS: In general, when issues emerge we have a tendency to analogise. Cyberspace has been rife with this: cyber is a bomb, cyber is an aeroplane, cyber is a nuclear weapon, cyber is – just recently in the Wall Street Journal – letters of marque, referencing naval operations historically. So there has been a problem with cyber operations in analogising too much to other points in history.
We actually have a lot of data now about how states interact in cyberspace. We have more big data analysis of things that have already occurred, so the work of people like Brandon Valeriano, Ryan Maness and Ben Jensen. Then we have people who are using other data generating mechanisms to create scenarios that have never existed, to see how people react. I do some of that work, but Nadiya Kostyuk also has some fantastic work here with experimental politics and Sarah Kreps.
So we have information to tell us when cyberspace is different to other domains. That evidence suggests that cyberspace is very different to the nuclear domains, but that does not mean that some of the concepts that we have applied to nuclear politics are not concepts that we can evaluate when it comes to cyberspace. For example, deterrence is not a nuclear concept – deterrence is a concept of how states have interacted going back thousands and thousands of years.
I stole no first use from the nuclear realm but that was actually to my detriment. I did that to kind of create a polemic but if I could go back I would not have said no first use, I would have said declaratory strategic restraint. Because it imbued a lot of conversations like: well, no first use and nuclear did not work. But cyber is not nuclear and I had to spend a lot of time in the article talking about why cyber is not nuclear. So maybe that was not a useful analogy for me to try and hook people in.
I think the nuclear analogy was used a lot in the US because cyber fell under Strategic Command and that was the natural analogy that institutionally existed. But as I talked about a little bit earlier, talking about cyber – especially offensive cyber – as strictly strategic really did not lead to an understanding of what the real impacts of cyber operations are.
If I am sitting down and talking to decision-makers about cyber operations and trying to educate them, I am trying to teach them about the nuances of it. Firstly, strategic cyber operations are really hard to do – they just are. Offensive cyber is much harder than it seems. If the US was a criminal ransomware actor, they would have it in the bag. But those are not our incentives and it is actually really difficult to do the kind of operations that fit the US’ strategic priorities. So you have to teach decision-makers not only about the dangers of cyber operations, but also the difficulties and the nuances.
I like to tell decision-makers: look, most of our evidence suggests that cyber operations do not lead to escalatory behaviours. In fact, what we find is that cyber operations very rarely change people’s behaviours – that is the puzzle. So what does that mean for you? That means that, yes, you can conduct offensive cyber operations and be less worried about escalation than you were previously. But that also means that you cannot say that you are going to use offensive cyber operations to coerce and deter and signal and all of these other things. You have got to choose one or the other – you cannot have it both ways.
We are onto a new generation, though, of cyber decision-makers who have a much more mature understanding of what works and what does not work in cyberspace. We see less of cyber as a magic pixie wand and less of cyber Armageddon, minus the public discourse. And I am not sure how you nuance the public discourse; there are a lot of incentives to overinflate the threat and the capabilities or the capacity of the US to do big things.
So in terms of educating, we need to get rid of analogies. We need to show people: this is what the data says. We need to invest in data-generating mechanisms that help us to understand the puzzles of cyberspace. I am not strictly an empiricist but I think that in cyberspace we can actually use data, as opposed to nuclear which we have not used very often, thank god, and therefore have very little data. We can actually generate good data and that can help us to understand when and why cyber operations might be more or less effective, escalatory or destabilising.
ES: And finally, does the increasing frequency and severity of cyber incidents in the US suggest that its more offensive cyber strategy is failing? Broadly, what lessons can we learn about the role of cyber operations from the US’ experimentation since 2018?
JS: You have to remember that these offensive cyber operations are actually pretty scoped. So when we see, for example, this increase in ransomware attacks from criminal organisations, nothing about US offensive cyber is geared towards criminal organisations and ransomware, at least in the current strategy. So those incidents are not an indicator of whether offence is working or not and more of an indicator that other elements of the strategy are off kilter – that we are not investing enough in information sharing, criminal prosecution or diplomatic measures that we can use to convince states to prosecute these criminals, which are basically functioning with zero sense of retribution in cyberspace.
I think the real question with things like defend forward is: are the Chinese, Russians, North Koreans, Iranians – so state actors – are they less able to use offensive cyber operations? Is it more expensive for them? Do they have to spend more time on defence? These are really hard things to measure and all of the strategies so far have punted on measurement. That is something I hope that the next strategy tackles because the problem with where the US is going when it comes to offensive cyber is that it is being organised in things called task forces. And when the US stands up a task force, there is never a clear plan about how you stand it down – it is like a perpetual cycle. So this question is really important: how do we figure out what is effective and what is not?
When you are thinking about SolarWinds and other espionage attacks, you do need to evaluate whether defend forward is doing anything against these activities to decrease the ability of those actors to even get in. That said, I think SolarWinds probably predates a lot of defend forward – that was kind of a long-standing issue. So we will see. The evidence is not there yet, but the US should try and think about how it would measure that to find out.
This is the final interview in Strife’s Offensive Cyber Series. You can find parts one, two and three with Dr Tim Stevens (Part I, Part II), Dr Daniel Moore (Part I, Part II) and Amy Ertan (Part I, Part II) here.