Published by The Lawfare Institute
Last week, Lawfare published an article from Lyu Jinghua, a former colonel in the People’s Liberation Army, titled “A Chinese Perspective on the Pentagon’s Cyber Strategy: From ‘Active Cyber Defense’ to ‘Defending Forward.’” It raises some interesting and fair questions about the Department of Defense Cyber Strategy’s embrace of the “defense forward” concept, but it also offers a deeply unconvincing narrative in which that concept is an unjustified bolt-from-the-blue that threatens to destabilize international relations.
True, “defense forward” might increase escalation risk
Let’s start with the positives. It is perfectly fair game, for example, to point out that the Pentagon’s “defense forward” doctrine may increase escalation risk and to question whether that increased risk is worth the candle.
Lyu writes that “defending forward should be understood as something more proactive and potentially escalatory than active cyber defense,” adding that this appears to include activity below the threshold of armed conflict. All that is correct. As I argued in September, defense forward is best read to encompass
operations that are intended to have a disruptive or even destructive effect on an external network: either an adversary’s own system or, more likely, a midpoint system in a third country that the adversary has employed or is planning to employ for a hostile action.
I also noted that this follows the explicit intent of Congress as stated in Section 1642 of the John S. McCain National Defense Authorization Act for Fiscal 2018. That provision expressly authorizes cyber activities to “disrupt, defeat, and deter” cyber activity by Russia, China, Iran or North Korea if it amounts to “an active, systematic, and ongoing campaign of attacks against the Government or people of the United States.”
It seems clear from this account that defense forward entails enhanced escalation risk as compared to a status quo that has often been derided, with good reason, as excessively passive. So far so good, then. But that does not tell us whether the increased risk is warranted. Unfortunately, Lyu’s article becomes problematic as it turns to that issue.
Failure to acknowledge the reasons for the defense forward approach
The next step in the policy critique should have been to examine the justifications that led the Pentagon to embrace defense forward, as a prelude to assessing how the benefits that might follow from defense forward might stack up against the cost associated with increased escalation risk or other downsides. Alas, there’s no serious effort to identify those justifications, let alone to balance them against offsetting concerns.
The article does make brief reference to the possibility that this change is a response to external threats, but Lyu gives such short shrift to the possibility that it is easy to miss the relevant passages. First, she notes—but quickly dismisses—the idea that China’s own malicious cyber activities impacting the United States might warrant such a change. In her view, America is inclined to “hype China up as a cyber threat,” without any justification. There is much talk in the article about China’s commitment to peace and stability both in general and as to cyberspace, but there’s not a word to be seen in that section of the article about the vast amount of espionage—including theft of American intellectual property on an extraordinary scale—that China has conducted and continues to conduct through the cyber domain. The topic only comes up indirectly, later, when the article closes by touting the 2015 Obama-Xi agreement as a model to be followed once America is persuaded to embrace the path of “self-restraint” instead of “aggression.”
At any rate, to focus on China is, in my opinion, to miss the immediate justification for the defense forward approach: the malicious cyber activities of Russia, Iran and North Korea, which involve far more than espionage. Unfortunately, Lyu’s article contains only the most passing and dismissive reference to the possibility that the actions of other states might justify a more assertive American approach, as she writes without elaboration (but with skepticism) that “some Americans may understand the Defense Department as … responding to the aggressive postures of other states.” There is no mention of Russia’s 2016 hacking campaign or its wildly reckless release of ransomware. There is no mention of Iranian denial-of-service attacks on the financial sector or malware insertions in industrial control systems. There is no mention of North Korea’s attack on Sony and ongoing theft from various financial institutions. An uninformed reader is left with the impression that the Pentagon is chasing shadows, as opposed to struggling to find purchase against an array of foreign government hackers that are constantly operating against the full spectrum of private and public systems in the United States and elsewhere—hackers that are themselves very much on the offense inside our networks, albeit below the threshold of armed conflict.
Perhaps the United States really should continue to live with this level of malicious foreign cyber activity. Perhaps we should find some other new approach that does not involve Cyber Command operating outside its own systems to disrupt and preempt such activities. Perhaps the fact that the United States itself engages in various forms of cyber activity against the interests of other states somehow bars us from pushing back in this particular way. All of those topics are fair game for discussion. But no serious discussion of them is possible without acknowledging that some countries—plainly including China, Russia, Iran and North Korea—routinely engage in cyber activities outside their own systems and at considerable cost to America (and to much of the rest of the world, too).
A misplaced security-dilemma critique
While the article does not dwell on American justifications for the defense-forward approach, it does expand upon the potential costs.
In addition to the underspecified escalation risk claim, Lyu moves to the system-wide level in order to assert that the American approach to cyber power is precipitating a digital arms race by dint of classic security-dilemma dynamics. On this view, China is a status-quo power, embracing a rules-based international order and aiming “to promote peace by mitigating crises and creating a stable environment …” China is powerful enough to defend itself, to be sure, but would only do so if attacked first. America, in contrast, is embracing “aggression” through the defense-forward model (and by the ongoing maturation of Cyber Command itself), and in this misguided quest for security, America will leave a reluctant China with no choice but to expand its own capabilities, with a dangerous arms spiral following.
As an initial matter, the actual status quo seems to me rather different. Many states—China, America, Russia, Iran, North Korea and others—already operate frequently in foreign networks, engaging in a wide variety of activities below the threshold of armed conflict. As noted above, the defense-forward concept is in no small part a reaction to this reality. More specifically, it’s a reaction to experience suggesting that passive defense and post-hoc imposition of consequences (using tools like indictments, diplomatic repercussions, and sternly-worded warnings) have not sufficed to tamp things down to a sustainable level. There’s an element of fighting fire with fire in this, and as conceded above, it entails risk and warrants debate. But that debate should be informed by a fair and thorough account of the status quo, and I’m doubtful that such an account supports the conclusion that the Pentagon’s move strongly implicates a new dimension to whatever security-dilemma dynamics already are in play.
Indeed, a different way to look at this situation is to see the United States as the responding party in an asymmetric security dynamic involving a peculiar domain in which U.S. capabilities are outstripped only by U.S. vulnerabilities. As Jack Goldsmith and Stuart Russell have written, America is asymmetrically vulnerable to hostile foreign activity in the cyber domain for a host of reasons (including the comparative openness of our system, the extent to which we possess valuable intellectual property, and other strength-as-weakness factors). Foreign rivals like China, Russia, Iran, and North Korea understand that the cyber domain thus is an attractive medium, vis-à-vis the United States, for espionage and covert-action operations as well as for the subtle-yet-critical military functions of holding valuable assets at risk and preparing the battlespace as a contingency matter. Put another way, the cyber domain is one in which America’s usual asymmetric advantages (conventional military power, diplomatic clout, and geographic distance to name a few) can be circumvented. On that view, rival states already have ample incentive to increase their cyber capabilities without regard to whether America is maximizing its own; indeed, a failure on America’s part to develop its cyber capabilities if anything might make the cyber domain still more attractive to rivals who lack other effective options for imposing costs and otherwise engaging in pro-deterrence activities.
Norms to the rescue?
I want to close with a few words about the punchline at the end of Lyu’s article: The piece concludes by arguing that the United States would do well to abandon defense forward in favor of “self-restraint” in the form of international norms, citing examples including the debate in recent years involving the UN Group of Governmental Experts (GGE), the 2015 Obama-Xi agreement, and various other proposals.
Never mind that there is good reason to doubt that the 2015 Obama-Xi agreement genuinely restrained Chinese corporate-espionage practices, and never mind too that the mechanisms both for monitoring and for pressing compliance with such agreements are far more likely to have bite in Washington than in Beijing. The more basic problem is that it is not obvious just what Lyu means for America to do by embracing “self-restraint” in the form of cyber norms. The existing norm-building efforts Lyu cites focus in no small part on protecting certain targets—nuclear plant controls or the financial system—from hostile cyber activity. Those are worthy efforts, for sure. But the defense-forward concept does not implicate such concerns, so far as I can tell. To the extent we can guess what the Pentagon would target under the defense-forward heading, the point seems to be to access the networks (and the external command-and-control and staging servers) of foreign intelligence agencies and other foreign entities that are engaging in malicious cyber activity targeting U.S. entities, and to nip those activities in the bud either once underway or, if possible, before they can be implemented. The latter scenario raises interesting questions, but not of the sort that most of the international norm projects address.
What might that leave as a possibility? Since a primary theme of the article is to depict America as an aggressor insofar as it plans to engage in preemption in cyberspace, it seems to me the article would have been better served to focus on the question of whether preemptive action should be prohibited in cyberspace regardless of the target or system in question. But of course there already is a fierce and long-standing debate regarding preemption more generally (that is, without reference to the cyber domain in particular), thanks to U.N. Charter Articles 2(4) and 51 and a host of events and incidents in the kinetic space in the past. How best to map those debates on to the cyber domain is an important and much-debated topic (see Tallinn Manual 2.0 Rule 73 and the comments thereto on pp. 350-54, explaining a conventional Caroline doctrine approach but noting other complications). That, at least, is a discussion worth having.