In Cyberspace, No One Can Hear You Bluff

By Captain Tuan N. Pham, U.S. Navy

General Paul Nakasone – Commander, U.S. Cyber Command (USCC) and Director, National Security Agency (NSA) – asserts that “traditional military deterrence is binary in regard to conflict and a deterrence model…does not comport to cyberspace where much of the nefarious cyber activity plays out non-stop in an ambiguous strategic gray zone.” While this article agrees with the “futility of totally deterring adversaries from operating in cyberspace and instead actively disrupting those activities before they can inflict damage,” it respectfully disagrees that traditional deterrence is binary and that the rules of traditional deterrence do not hold in cyberspace.

Deterrence centered around domain denial is neither desirable nor sustainable. Hindering access to cyberspace is not consistent with the enduring American values of individual liberty, free expression, and free markets. This encumbered access also runs counter to the U.S. national interest of protecting and promoting internet freedom to support the free flow of information that enhances international trade and commerce, fosters innovation, and strengthens both national and international security; and the universal right (global norm) of unfettered free access to and peaceful use of cyberspace for all. Restricting access to cyberspace is also not practical considering the cost to operate in cyberspace is modest, the barriers to entry low, and the ease of operating negligible. 

Deterrence, the “prevention of action by either the existence of a credible threat of unacceptable counteraction and/or belief that the costs of action outweigh the perceived benefits,” is more complicated and nuanced than a simple binary response of yes or no. Deterrence can create a delay or pause for transitory maneuvering space to mitigate the effects of the threat action, or better yet, take preemptive or preventive measures to disrupt (neutralize) the threat action. Deterrence, like warfighting (war), involves universal and immutable “human nature” that does not change over time or across nationality, demographic, culture, geography, and domain. Rational actors choose to act or not to act based on fundamental “fear, honor, and interest (Thucydides)” and are deterred to act or not to act by real or perceived “capability, intent, and credibility (deterrent triad).” Additionally, as Henry Kissinger once noted, “deterrence is a product of capability, intent, and credibility and not a sum…if any one of them is zero, deterrence fails.” Washington accordingly must do more and do better to ensure each factor succeeds as an aggregate deterrent triad for increased integrated deterrence, decreased strategic risk, greater strategic alignment, and lesser likelihood of conflict across all the interconnected and contested domains.

Deterrence works best when it is clear, coherent, uniform, and complementary across the fluid competition continuum (steady state to crisis to conflict); expansive instruments of national power (diplomatic, information, military, economic, financial, intelligence, and law enforcement – DIMEFIL); and interconnected and contested domains (physical and nonphysical) for strategic consistency, operational agility, and tactical flexibility. Last year in an article titled “In Space, No One Can Hear You Bluff,” this author made the policy case for a more active space deterrence to better manage the growing threats to the vulnerable U.S. high-value space assets. This article makes the same policy case now for a more active cyber deterrence to better address the exigent factors of time, space, and force in cyberspace. An attack in cyberspace can come from anyone, occur anywhere, and happen anytime with no warning to react and no opportunity to respond – an increasingly real risk as the ongoing Russian invasion of Ukraine persists and President Putin becomes more impatient and desperate for victory while at risk of dangerously perceiving a shift in U.S. policy from conflict containment (vertical and horizontal) to conflict escalation, or worse, regime change.

More Active Cyber Deterrence

Despite a considerable arsenal of sophisticated offensive and defensive cyber capabilities, American political and military systems still struggle at times with inconsistent strategic communications and a dogged credibility gap. The new deterrent framework in cyberspace must therefore focus more on communicating clear intent and building enduring credibility through redlines, deterrent language, and cross-domain options to impose further costs, deny added benefits, encourage greater restraints, and better control the narratives.

Redlines

Declaratory redlines make clear the unwanted risks, costs, and consequences of specific actions. They are an important way to influence an adversary’s risk perception and rational calculus, lower the likelihood of misunderstanding, and encourage restraint. They also outline the conditions of and willingness to inflict unacceptable retaliatory damage or destruction. U.S. policymakers should therefore “privately” reinforce to strategic competitors (and potential adversaries) the deterrent public statements contained in the 2018 National Cyber Strategy (NCS), 2021 Interim National Security Strategic Guidance (INSSG), 2022 National Defense Strategy (NDS), and (anticipated) forthcoming National Security Strategy (NSS). U.S. law enforcement officials should likewise continue to “publicly” warn cyber criminals of egregious illicit cyber acts. In doing so, they should make it clear to both state and non-state threat actors that any cyber attack or cyber act that threatens U.S. national security interests, U.S. economic prosperity, and U.S. political stability is unacceptable and will be met with severe and disproportionate consequences for them. If they attack or act, they should not expect a proportionate response. They should expect prompt and devastating force that will cause retaliatory damages much greater than what they intended to inflict. This clear warning should have the effect of causing malicious cyber actors to think twice before acting and consider that the real costs may be much greater than any intended benefits.

For cyber powers like China and Russia, it should be made unequivocally clear that any cyber attack on critical military space systems – missile warning, command and control of nuclear forces, and positioning, navigation, and timing – is an act of war and will be dealt with accordingly. Doing so interlocks the 2020 National Space Policy with the 2018 NCS, both of which acknowledge the imperative of and call for improvements to space cybersecurity. Like any other increasingly digitized and networked critical infrastructure, space-based and ground-based space systems and their communication links are vulnerable to cyber attacks. A future space conflict will undoubtedly involve cyber attacks, and conversely, a future cyber conflict may also involve space attacks.

Policymakers should also declare a more assertive and explicit redline [for cyberspace] consistent with the extant public redline in the interconnected and contested space domain. The 2018 National Space Strategy and 2020 National Space Policy unambiguously declared that “any harmful interference with or attack upon critical components of our space [cyberspace] architecture that directly affects this vital interest will be met with a deliberate response at a time, place, manner, and domain of our choosing.” The 2020 Defense Space Strategy forcefully reasserted the White House redline, stating that “the United States will deter aggression and attacks in space [cyberspace] and, if deterrence fails, be capable of winning wars that extend into space [cyberspace].”

Some may contend that redlines only work against rational state actors. Non-state actors are not always rational, confidently hiding behind their anonymities like some state actors hiding behind their notions of sovereignty, and consequently are not easily deterred by redlines. However, this article puts forth the argument that both actors are rational thinkers governed by rational thinking driven by varying nuances of elemental “fear, honor, and interest.” State actors are more impelled by power (statecraft), while non-state actors are more motivated by money (business). Both have pressure points (critical vulnerabilities) related to fear and interest that are predisposed to deterrent actions.

Others might argue that Chinese and Russian nefarious cyber activities below the threshold justifying a traditional military response persist unabated despite the best deterrent efforts by the United States and international community. So why and how would redlines deter these continued gray zone operations in cyberspace? The short answer is that redlines are not necessarily only intended to deter threat actors from operating in the gray zone but to also deter them from escalating beyond the gray zone. For now, Beijing and Moscow appear disinclined to escalate beyond the gray zone since they have perceived advantage in cyberspace and may not want to invite the increased strategic risk. Redlines help maintain the unsatisfying status quo.

Still others, like Secretary of Defense Lloyd Austin, argue that it is “never a good idea to publish destabilizing redlines because they inflame tensions, inadvertently provoke reactions, and back policymakers into corners.” While this article agrees that redlines should not be made if one is not able and willing to carry them out, it respectfully disagrees that they are inherently destabilizing. Instead, this author contends that “credible” redlines demonstrate stabilizing political will if the deterrent language is consistently followed up with deterrent action when called to do so as evidenced by contemporary history.

In 2012, the Obama Administration warned Syria that the use of chemical weapons would draw U.S. retaliation. A year later, Washington did not follow through when Damascus disregarded that warning and launched chemical attacks on Syrian civilians. Although the reasons for President Obama’s policy change are complex, the net result was a perception that the administration backed down, and in deterrence, perception is reality. The Syrian regime did not believe the U.S. red line credible, despite the United States having more than enough DIMEFIL capabilities to threaten and undermine Syria’s national interests. When Syria again conducted chemical attacks on its citizens in 2017, Damascus encountered a much different U.S. response from the Trump administration. A U.S.-led coalition promptly launched punitive missile strikes against Syrian military targets and expanded U.S. military presence and activities in Syria. By the end of that year, President Trump released a new NSS, announcing that the United States would place U.S. national interests first and would not hesitate to protect and advance them. Washington followed up the bold words with bold actions through the maximum pressure campaigns against Pyongyang and Tehran, a trade war with Beijing, sanctions against Moscow, and the killing of Iranian General Soleimani. All in all, the say-do mismatch should be eschewed in favor of consistent words and actions, both of which matter in deterrence.

Deterrent Language

In cyberspace just like in space, offensive dominance scales up, which means “a power that strikes aggressively should be, in theory, able to get the upper hand, or at least get the greatest possible use of whatever offensive space [cyber] capabilities it has invested in.” There is therefore deterrent value to explicitly stating the willingness to use tactical cyber preemption and active cyber defense to keep all deterrent options on the table against all state and non-state actors that threaten U.S. national interests in cyberspace. Tactical cyber preemption employs cyber power to deny a specific outcome, by attacking potential or imminent cyber threats before they can be employed or disrupting possible or looming illicit cyber acts before they can be initiated. Active cyber defense is the interception and disruption of an imminent cyber attack before it reaches its intended target or a looming cyber act before it actualizes. When combined with proven offensive and defensive cyber capabilities and credible redlines, the threat of tactical cyber preemption and active cyber defense can give additional pause to a state actor contemplating a first cyber strike or a cyber criminal considering an illicit cyber act.

China, a strategic competitor (national security imperative) and major cyber threat to U.S. national interests, serves as a deterrent exemplar. The People’s Liberation Army’s (PLA) warfighting doctrine favors surprise and deception when conditions warrant. Hence, the United States should take active steps to introduce elements of doubt and uncertainty into the Chinese Communist Party’s (CCP) decision-making and discourage the PLA from acting on real or perceived advantageous political-military conditions. The CCP and PLA should be reminded of Sun Tzu’s famous dictum: “If not in the interests of the state, do not act…If you cannot succeed, do not use force.” In essence, this means not risking initiating a cyber conflict that one cannot win or that may result in a pyrrhic victory.

Some contend that cyber criminals are not easily deterred by deterrent language. Cyber criminals stay anonymous and nondescript in cyberspace, assured that they can overcome any cybersecurity measures while staying below the radar of state actors and avoiding state actions. Instead, the U.S. should take away their assurance by strengthening cybersecurity and operating more and deeper in “white (neutral)” cyberspace (persistent engagement) to increase the likelihood of attribution, disruption, and if needed, retaliation. This also necessitates encouraging and supporting the private sector to do the same by promoting, for example, more corporate cyber activities from the likes of Microsoft. Microsoft seizes domain servers used by hackers in China and leads industry-wide efforts to disrupt Russian cyber attacks. 

Cross-Domain Options

Responses need not be limited to the same domain as the provocation. They can occur in another domain or across multiple ones. The dilemma for the United States is where, when, and how best to deter, and if deterrence fails, where, when, and how best to respond. U.S. policymakers and defense planners should prepare a broad set of flexible and dynamic cross-domain responses to the threat of cyber attack or the cyber attack itself in accordance with the 2018 NCS, 2021 INSSG, 2022 NDS, and (anticipated) forthcoming NSS.

Some might contend that cross-domain actions are destabilizing and will escalate a crisis. This argument diminishes as Washington fully commits and prepares to respond in kind or over-respond to make a deterrent point. Future conflicts will be transnational, multi-functional, and multi-domain. Cross-domain deterrence is therefore the best policy option for the interconnected and contested battlespaces now and into the future.

Others still argue that cross-domain actions risk pushing state actors (and cyber powers) like China and Russia over an invisible red line drawn by “fear, honor, and interest.” To mitigate this strategic risk, the United States must retain escalation dominance, freedom of movement, and strategic initiative to impose its will on Beijing and Moscow. As Sun Tzu said, “the clever combatant imposes his will on the enemy but does not allow the enemy’s will to be imposed on him.” Washington should therefore holistically impose costs, deny benefits, encourage restraints, and control the narrative so that the only acceptable strategic calculus for Beijing and Moscow is to not initiate or escalate conflict in cyberspace.

Selective Disclosure

Selectively disclosing cyber capabilities and intent amplifies the deterrent effects of redlines, deterrent language, and cross-domain options. Decisions about what, when, how, and for how long to reveal or conceal play an important role in active cyber deterrence. In certain circumstances, cyber capabilities should be disclosed to targeted audiences to sow doubt and uncertainty, encourage restraint, and reassure allies and partners. In other circumstances, strategic ambiguity may be more advantageous with regard to the exact nature, scope, and extent of intended cyber actions. An adversary does not need to know what, how, when, and where the United States would act, only that it can and would do so. Nevertheless, the question of how Washington can gain the deterrent benefits of selective disclosure while maintaining operational and information security is a crucial one moving forward. Similarly, it is also worth thinking about how to selectively reveal or conceal cyber capabilities to induce favorable threat responses, such as the expenditure of resources on U.S. defensive efforts or countermeasures in cyberspace.

Strategic Deterrent Alignment

Like space deterrence, the character of cyber deterrence may change over time, but the nature of cyber deterrence remains constant. The United States should therefore strengthen the deterrent triad of capability, intent, and credibility by defining redlines, declaring a willingness to fight in cyberspace preemptively or preventively, and threatening to respond (or responding) proportionately or disproportionately not just in cyberspace but in any or all domains for strategic deterrent alignment across the fluid competition continuum, expansive instruments of national power, and interconnected and contested domains.

Captain Pham served at NSA and USCC (plank owner), and completed a fellowship at JHU/APL working on cyber and space issues. The views expressed here are personal and do not reflect the positions of the U.S. Government or U.S. Navy.

Featured image by DKosig/Getty Images
