Published by The Lawfare Institute
in Cooperation With
In a useful thought experiment considering the implications of other cyber powers adopting the approach of “defend forward” and “persistent engagement,” Herb Lin focuses on the potential impact on cyber norms. He suggests that, to best support the U.S. Department of State effort to establish international cyber norms, U.S. Cyber Command’s (CYBERCOM’s) 2018 Command Vision should be explicit in how it does or, at least, does not violate those norms. This is a curious recommendation that seems to be rooted in a belief that “the USCC Command Vision articulates what the United States believes Cyber Command should be doing in cyberspace”—but that is not the purpose of the vision. Additionally, Lin’s post indirectly raises the far more important matter of the respective roles of the State Department and the U.S. Department of Defense in creating cyber norms of acceptable and unacceptable cyber behavior. Richard Harknett and I have argued elsewhere, and I will revisit and update the argument here, that although the State Department plays an indispensable role, the Department of Defense is far better positioned to play a more comprehensive, sustainable role.
What Does the Command Vision Represent?
The 2018 Command Vision is a description of what the commander of CYBERCOM believes is the appropriate operational approach for employing cyber forces in support of U.S. strategic guidance. In that way, it resembles recent vision statements offered by U.S. Strategic Command, U.S. Special Operations Command, U.S. Indo-Pacific Command, as well as other combatant commands. Importantly, how commanders choose to employ forces under their command in support of Defense Department or national strategic guidance is not equivalent to what the United States believes those forces “should be doing.” This conflation seems to be at the heart of Lin’s recommendation.
The documents that do articulate what the United States “should be doing” in cyberspace (and in theaters of operation and unique mission areas, that is, strategic deterrence and special operations) are Defense Department and national strategic guidance. CYBERCOM’s Command Vision, like the other visions cited, makes clear that it is in line with such guidance. To wit, it states that “[t]his document supports the 2018 National Defense Strategy.” Similarly, Gen. Paul Nakasone, commander of CYBERCOM, has made it clear that persistent engagement is CYBERCOM’s implementation of the Defense Department’s cyber strategy of defend forward.
Based on Lin’s interpretation of the purpose of the 2018 Command Vision, he argues that “the cyber authorities of the United States have yet to reconcile its norm promotion efforts and its vision for operating in cyberspace” and that the United States should consider “carve-outs to the strategy of persistent engagement and defend forward (or something else with equivalent effect)” that indicate that State Department efforts to establish cyber norms will be supported. This argument is sound given Lin’s interpretation, but his interpretation does not align with how combatant command visions are generally received. Introducing carve-outs would be an exercise in redundancy. There is no expectation of reiterated commitments to adhere to the law of armed conflict in Strategic Command and Indo-Pacific Command visions, because such statements appear in the Department of Defense and national strategic guidance that they support. Similarly, one should not expect to see a commitment to adhere to international norms (or international law) in cyberspace in CYBERCOM’s vision because such statements appear in the Defense Department and national strategic guidance that it supports. Lin does argue that carve-outs are not necessary if “something else with equivalent effect” exists. There is plenty of “something else.”
What follows is a list of authoritative strategic guidance documents issued by the past three administrations that make clear the United States will promote and abide by international cyber norms.
2011 Department of Defense Strategy for Operating in Cyberspace: “DoD will assist U.S. efforts to advance the development and promotion of international cyberspace norms and principles that promote openness, interoperability, security, and reliability. The Department will work with interagency and international partners to encourage responsible behavior and oppose those who would seek to disrupt networks and systems, dissuade and deter malicious actors, and reserve the right to defend these vital national assets as necessary and appropriate.”
2011 International Strategy for Cyberspace: “The United States will work with like-minded states to establish an environment of expectations, or norms of behavior, that ground foreign and defense policies and guide international partnerships. … [W]e will work to build a consensus on what constitutes acceptable behavior, and a partnership among those who view the functioning of these systems as essential to the national and collective interest.”
2015 National Security Strategy: “Globally, cybersecurity requires that long-standing norms of international behavior—to include protection of intellectual property, online freedom, and respect for civilian infrastructure—be upheld, and the Internet be managed as a shared responsibility between states and the private sector with civil society and Internet users as key stakeholders.”
2015 Department of Defense Cyber Strategy: “[T]he Defense Department cooperates with agencies of the U.S government, with the private sector, and with our international partners to share information, build alliances and partnerships, and foster norms of responsible behavior to improve global strategic stability.”
2018 Department of Defense Cyber Strategy: “The Department will reinforce voluntary, non-binding norms of responsible State behavior in cyberspace during peacetime. The United States has endorsed the work done by the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE) to develop a framework of responsible State behavior in cyberspace. The principles developed by the UNGGE include prohibitions against damaging civilian critical infrastructure during peacetime and against allowing national territory to be used for intentionally wrongful cyber activity.”
2018 National Cyber Strategy: “The United States will promote a framework of responsible state behavior in cyberspace built upon international law, adherence to voluntary non-binding norms of responsible state behavior that apply during peacetime, and the consideration of practical confidence building measures to reduce the risk of conflict stemming from malicious cyber activity. These principles should form a basis for cooperative responses to counter irresponsible state actions inconsistent with this framework.”
2021 Interim National Security Strategic Guidance: “We will renew our commitment to international engagement on cyber issues, working alongside our allies and partners to uphold existing and shape new global norms in cyberspace.”
Who Constructs Cyber Norms?
After citing my colleague and co-author Emily Goldman’s claim that “[b]y persistently engaging and contesting cyberspace aggression, the United States can draw parameters around what is acceptable, nuisance, unacceptable, and intolerable,” Lin asks what it would mean to assume that military cyber activity can and should be used to advance a particular set of norms. He succinctly answers this question through a rhetorical question: Why can’t any nation use persistent engagement and defend forward to advocate for its own set of preferred norms? In so doing, he indirectly raises a more important strategic question: What role should the State Department and the Defense Department play in constructing and maintaining cyber norms?
Goldman, Harknett and I argue that security is achieved in the cyber strategic environment through adopting the strategic principle of initiative persistence. Thus, the United States should expect other states to develop cyber strategies based on this principle. But that is not the same as saying that other states will adopt a defend forward/persistent engagement cyber strategy. The Defense Department’s cyber strategy and its operationalization is a manifestation, at a minimum, of its threat assessment, the resources that can be applied against the threat, the domestic and international legal environment in which the Defense Department operates, and lessons learned from operations against the Islamic State and others. Arguably, no other state shares the same context. It is certainly true that some states are pursuing their national interests persistently in and through cyberspace and, in fact, the United States has suffered strategic decline over the past decade relative to those states. As Lin highlights, China has a vastly different set of preferred cyber norms and the cyber ways and means to press for them (this holds true for Russia as well). But this should not be surprising, and recent State Department reports on China’s aggressiveness in and through cyberspace and plans for dominance suggest that a Chinese equivalent to the 2018 Command Vision would not be the least bit shocking—nor should it necessarily be viewed as alarming. There is precedent for military activity forming the basis of tacit understandings of acceptable and unacceptable behaviors in what was a more dangerous geostrategic environment: the early Cold War.
During the Cold War, the United States and the Soviet Union, holding very different values, interests and ideologies, constructed a set of tacit understandings over the course of two decades by observing how each did and did not employ military forces and capabilities. These included, for example, avoiding direct use of force against the other’s troops, restraining allies and clients from inflicting strategic defeat on the other’s allies and clients, refraining from arms transfers that would permit the recipient to acquire a locally dominant offensive capability, and refraining from unconventional warfare in the territory or against assets of the other. In addition, the United States and the Soviet Union both abstained from harassing actions targeting each other’s strategic forces. Further, history shows that many tacit understandings do not comprise “symmetric exchanges” because great power strategic cultures are often idiosyncratic in what they value. U.S. and Soviet scientists and scholars have concluded that even though such norms were “ambiguous, fuzzy at the edges, and evolving,” where they became embedded in interpretations of self-interest “they constrained behavior much more powerfully than would mere declarations of principle.” The self-interest in this context was, of course, avoiding nuclear war.
Harknett and I argue that core features of cyberspace—interconnectedness and its consequent condition of constant contact—facilitate the construction of tacit understandings of acceptable and unacceptable behaviors for states abiding by the principle of initiative persistence. Persistent cyber activity can serve to communicate a continuous message of what is acceptable and what is not. Today, the self-interest in engaging in cyber military activity to construct mutual understandings of acceptable and unacceptable behaviors is focused primarily on avoiding escalation to conventional war. If the lessons learned during the Cold War about forming tacit understandings are applicable in cyberspace, persistent cyber activity in support of norms construction will make a far more significant contribution to norms construction and stability than the “mere” statements of principles in recent U.N. group of governmental experts and open-ended working group declarations. Given that the Defense Department is best positioned to engage in persistent cyber activity at scale, it should have a key role in constructing and maintaining cyber norms. This approach makes even more sense if the United States hopes to eventually move beyond voluntary, nonbinding norms to a binding international regime, potentially through the emergence of a new rule of customary international law. New rules of customary international law emerge through opinio juris—expressions of how international law applies (in the cyber context, in this case)—coupled with “state practice”—meaning that it is sufficiently widespread and representative, as well as consistent with those expressions. Military activity is considered evidence of state practice.
This is not to dismiss the value of the State Department’s first committee or other diplomatic efforts. Indeed, where persistent cyber military interactions identify particularly salient, intransigent disagreements that are not being resolved through tacit bargaining, those matters can be elevated to the diplomatic corps for potential resolution. This process would be akin to that which led to the 1972 Incidents at Sea Agreement between the United States and the Soviet Union: Military activity at sea elevated the risk of inadvertent escalation (which would have violated the tacit norm of no direct use of force against the other’s troops) to the point that both countries considered it prudent to seek an explicit understanding of acceptable and unacceptable behaviors. This type of explicit clarification does not have to take the form of a negotiated agreement. For example, in 1982, after preparation for Soviet shipments of advanced MiGs to Nicaragua (which would have violated the tacit understanding on arms transfers), a warning from U.S. Secretary of State George Shultz to Soviet Foreign Minister Andrei Gromyko seems to have prompted the Soviet Union to exclude those armaments.
Initiative Persistence Is Here. Now What?
The United States should not be surprised if other states begin to espouse a cyber strategy or doctrine (or are engaging in behavior) that is centered on the strategic principle of initiative persistence, no matter its manifestation. In fact, it is likely more a matter of when than if, and in some instances it is already occurring. Cyber persistence theory argues that states have a strategic imperative to seize the initiative to set the conditions of security in cyberspace in their favor if they hope to achieve security in and through the cyber strategic environment. Lin asks an important question regarding the implications of this strategic imperative for cyber norms and the stability those norms might engender. Others have started to explore the implications of initiative persistence on inadvertent or accidental escalation to armed conflict. These are the right questions to be asking because they are premised on a proper understanding of the cyber strategic environment, an environment that rewards initiative persistence and punishes operational restraint. Policymakers should take note, especially since the forthcoming National Defense Strategy is expected to be centered on a strategy of integrated deterrence, which is a strategy of operational restraint.