In the 1950s and 1960s, American policymakers tried to make sense of the rapid advance of nuclear weapons technology — from A-bombs to H-bombs, and long-range bombers to supersonic missiles — in order to maintain their strategic edge against the Soviet Union. What emerged, however, was a delicate balance of terror between the two countries that provoked several nuclear near-misses. That this consequence was unforeseen is understandable; when new technology transforms a sphere of conflict, military strategies must be developed in uncharted territory.
Today, this daunting task of developing strategy in an emerging arena has been assumed by the U.S Cyber Command, which is charged with protecting American superiority in cyberspace. The stakes are high: in recent months cyberattacks have paralyzed one of the nation’s key oil pipelines, stopped production at the world’s largest meat supplier, and forced hospitals to pay ransoms to keep patients alive. Like America’s Cold War nuclear strategy, the U.S Cyber Command relies on the idea that offensive advantage is the best form of defense. However, their assumption may be misguided. Instead of creating a more secure version of cyberspace, America’s current approach may very well be fomenting a more dangerous one. By neglecting considerations of how adversaries interpret its offense-dominant coercive strategy, the United States may fail in this vital mission.
According to the U.S Cyber Command’s “2018 Vision,” its ultimate goal is to “Defend Forward” by persistently engaging adversaries throughout cyberspace. This strategy has been analogized to Muhammad Ali’s famous phrase, “float like a butterfly, sting like a bee.” Defending forward means the United States will dodge opponents’ attempts to attack, while simultaneously and repeatedly striking back. This continuous engagement is intended to force adversaries to expend more resources on defense, and ultimately, over time, deter them from launching offensive assaults in the first place. Essentially, by persistently flexing its powerful cyber-muscles, and increasing costs to adversaries, the United States hopes to dominate cyberspace and establish stability on its own terms.
The key to the Defend Forward strategy is the concept of persistent engagement. Persistent engagement means being everywhere in cyberspace, all the time. Strategically speaking, persistent engagement is an iterative game in which the United States hopes to coercively define the rules as it plays. The Cyber Command’s logic works like this: There are two fighters in the ring. Fighter A kicks Fighter B, who responds by kicking Fighter A back. Fighter B sees their response kick as a signal to Fighter A that kicking is unacceptable in this fight. However, Fighter B fails to consider that Fighter A might interpret that kick as an invitation for more kicking. Indeed, cyberattacks against the United States have been on the rise — calling into question whether persistent engagement is getting the message across. It is one thing to float like a butterfly and sting like a bee in a game with established rules, but quite another to do so in order to establish them. If the United States is defining the rules of cyberspace as it engages, how does it know its opponents are understanding and acceding to American terms?
Crucially, what matters for coercion are the perceptions of the adversary whose behavior the United States is trying to shape. The Cyber Command’s one-size fits all cyber strategy operates on the assumption that its adversaries all interpret signals in the same way and exactly as the United States intends. Yet, cyber operations do not take place in a vacuum — they are intricately woven into the broader geopolitical environment and the core interests of each actor. Notably, Russia and China’s cyber strategies combine cyber and information warfare because both of these regimes are existentially threatened by an American commitment to a free and open internet. Both countries consider the dissemination of information that is detrimental to their regime to be on par with ransomware attacks. Indeed, they denounce all “information weapons” — a broader category which includes, but is not limited to, cyber weapons.
In contrast, the United States circumscribes its cyber-strategy to cyber espionage and attack— largely ignoring the larger information space. This means that the United States is attempting to establish war-fighting norms on only a segment of what Russia and China view as a much larger battleground. In so doing, the United States is throwing knockout punches and wondering why its opponents won’t stop kicking back. This frustrates the underlying rationale behind “Defend Forward” because misperceptions fill the space in which the United States is trying to lay down tacit cyber law.
During the Cold War, the United States had only one adversary as it developed its nuclear strategy. Cyber strategy, however, requires consideration of numerous actors that operate in a variety of contexts with diverging interests and perceptions. Though challenging, Washington must begin differentiating between these actors and determining how they perceive American cyber-behavior.
This necessitates two concrete steps: First, the United States must develop a mechanism to measure the efficacy of cyber coercion that can distinguish between actors. To date, no such tool exists. Second, it must incorporate information-space context into the cyber arenas it cares most about: cyberattacks and cyber-espionage. Until this occurs, America cannot expect its signaling to be accurately perceived and, therefore, should not be surprised if its cyber strategy has unintended and potentially dangerous consequences.