Published by The Lawfare Institute
Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.
On Feb. 20, U.S. Secretary of State Mike Pompeo publicly condemned the Russian Federation for conducting a reckless cyberattack against Georgia in October 2019. In his statement, Pompeo admonished Russia for disrupting several thousand Georgian government and private websites and interrupting the broadcast of at least two major television stations.
A substantial list of countries, including the United Kingdom, Australia, Denmark, Norway, Sweden, the Netherlands, Poland, Lithuania, the Czech Republic, Estonia and Montenegro, joined the United States in the attribution and condemnation of Russia. The joint attribution and denunciation of malign cyber activity by such a large number of states reinforces global commitment to international norms of responsible behavior in cyberspace.
Coalitions like these are necessary to support a rules-based international order in cyberspace. To bolster such coalitions, the Cyberspace Solarium Commission recommends strengthening U.S. alliance-building efforts with like-minded states, as well as continuing to fund and support State Department efforts to engage nonaligned states and invest in cyber capacity building. However, these activities alone are not adequate to prevent attacks of significant consequence. Rather, this norms-based approach must be combined with a more proactive defense: defend forward. While this might create tensions with a norms-based strategy, we discuss below the compatibility between these two elements as part of a larger cybersecurity strategy, designed to lead to a stronger deterrence posture overall.
The Importance of Norms of Responsible State Behavior in Cyberspace
International norms are crucial to the stability of cyberspace. Given the frequency and heterogeneity of cyberattacks today, the prospect of a country’s unilaterally countering every threat, every time, in perpetuity is likely to be prohibitively costly, if not impossible. Rather, a system of norms, based on international engagement and the rule of law, is a sustainable and cost-effective means for reducing the likelihood and effectiveness of attacks of significant consequence in the long term. Shared expectations allow like-minded states to consistently incentivize and enable responsible behavior through law enforcement cooperation, capacity building and other benefits. These shared expectations also provide grounds for criticism and punishment, like indictments and sanctions, of malign actors.
Even under an effectively enforced system of norms, some actors—state adversaries, rogue states, terrorists and criminals—will pursue malign behavior no matter the costs. For these persistent actors who are not easily dissuaded, additional mechanisms must complement a system of norms and international engagement for defending U.S. networks and disrupting adversary attacks. In these cases, the U.S. must integrate this normative foundation into a larger, proactive strategy to disrupt and defeat ongoing campaigns.
Understanding the Relationship Between Norms and the Commission’s Concept of Defend Forward
The Cyberspace Solarium Commission proposes a strategy of layered cyber deterrence, which expands the Department of Defense’s defend forward approach to a whole-of-nation approach. The defend forward strategy focuses on the use of military instruments of power to impose costs to “disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” The commission’s expanded concept of defend forward calls for the use of all instruments of power, both military and nonmilitary, to disrupt and defeat ongoing malicious adversary cyber campaigns, deter future campaigns and reinforce favorable international norms of behavior in cyberspace.
There may appear to be tension between subsets of the commission’s defend forward concept, specifically between proactive military action and a norms-based international system. U.S. efforts to defend forward might lead to encounters with allies and partners on their networks. Moreover, partners and allies may feel that defending forward could result in unknown consequences. This creates tensions with a norms-based system because it runs the risk of eroding trust shared with our allies and partners and establishing a precedent that could lead to escalation. Transparency is our best means for mitigating these risks.
As part of a larger international engagement effort, clear communication of goals and intentions can help the United States minimize unintended escalation and maximize diplomatic trust. Publicly clarifying the way in which the U.S. applies agreed norms and international law to the Defense Department’s cyber operations in blue, gray and red spaces would strengthen efforts toward transparency and international engagement. To illustrate, if adversaries attempt to justify operations outside their networks to undermine elections, target critical infrastructure, or undertake other malign behaviors, U.S. cyber diplomacy could be employed to explain the difference between our use of defend forward and the adversary’s abuses. Accordingly, the application of cyber norms of responsible state behavior is an essential foundation for effective defend forward operations.
Drawing out further nuance helps to explain why defend forward relies on an effective framework of norms. Take, for example, a common authoritarian stance that destabilizing information—information that does not support or strengthen a government—is a danger to national security. Under this definition, a state adversary might operate on U.S. networks to disrupt the flow of so-called destabilizing information with the justification that the activity is fundamentally defensive, pointing to precedent set by defend forward. If the international community has no agreed stance on whether this constitutes acceptable defensive behavior, then it lacks a reasonable basis for punishment.
In the interdependent and interconnected cyber ecosystem, U.S. norms-based international engagement and military activities under defend forward don’t just serve the shared goal of deterrence; in fact, they complement one another. While engagement with allies and partners helps the United States to set and strengthen shared expectations of responsible behavior in cyberspace, military action serves as a tool through which the United States can counter malign actors unconstrained by norms. Together, norms and military action work in tandem to deter malicious cyber activity and reinforce a stable, secure cyberspace.