Published by The Lawfare Institute
in Cooperation With
The unique structural and operational characteristics of cyberspace, we wrote in May 2017, must drive U.S. strategy if we are to see cyberspace become more secure and stable. In the 18 months since, significant changes in U.S strategic guidance—the National Security Strategy, National Defense Strategy, and, on Sept. 18 the Department of Defense Cyber Strategy (released in summary form here)—now reflect this perspective. These developments support the view that a central challenge for the U.S. lies in strategic competition in cyberspace that doesn’t rise to the level of armed conflict and that deterrence strategy on its own is not an effective anchoring approach for ensuring security in this strategic competitive space.
In February, U.S. Cyber Command published its Command Vision, prescribing an approach for securing U.S. national interests in this strategic competitive space through a strategy of persistent engagement, designed to thwart adversary cyberspace campaigns by continuously anticipating and exploiting their vulnerabilities while denying their ability to exploit U.S. vulnerabilities through operations that support resiliency, defending forward, contesting and countering to achieve strategic advantage. Persistent engagement recognizes that cyberspace’s structural feature of interconnectedness and its core condition of constant contact creates a strategic necessity to operate continuously in cyberspace. The importance of persistent engagement was captured in guidance in the recently released Department of Defense Cyber Strategy, which argues that the Pentagon must preserve U.S. military advantages and defend U.S. national interests in, through and from cyberspace by contesting adversaries’ malicious cyber activity during day-to-day competition. Persistent engagement rests on recognizing the distinctive structural features of cyberspace and how adversaries have been exploiting them.
It is, thus, not a choice, but a structurally and strategically driven imperative to reorient U.S. cyber strategy around continuous action. The states that master persistent engagement will not only be more secure in cyberspace, they will also position themselves to enhance their national power relative to others. The emerging coherence across these U.S. strategy documents suggests that the United States is realigning its position toward cyberspace to map to its structural, operational, and strategic realities.
We are cautiously optimistic that strategic development will continue along a path more consistent with a persistent engagement strategic orientation. Greater clarity, however, is needed in distinguishing how deterrence can complement persistent engagement. A strategy of deterrence and strategic processes associated with deterrence continue to hold a strong place in the minds of U.S. policymakers and other senior leaders as the default pathway to security after playing a central role in U.S. security strategy for the last 70 years. But that tendency needs to be more critically examined and a more precise alignment of strategies needs to take root. Toward that end, the defense community must ensure that a strategy of deterrence and a strategy of persistent engagement are adopted as two complementary strategic approaches, grounded in and developed for different strategic environments and supported by equally distinct strategic processes. The United States will begin to regain initiative and strategic advantage in cyberspace if it’s strategic approach is aligned to the strategic environment; that is, deterrence aligned with managing the potential for armed conflict or armed attack-equivalence in, through, and from cyberspace and persistent engagement aligned with managing the cyber strategic competitive space below the threshold of armed conflict, where cyber operations and campaigns are occurring.
This shift in strategic orientation can be complemented further if another bedrock conceptual frame is also reoriented: Across the past four U.S. administrations, establishing cyber norms as an essential element of stabilizing cyberspace has become close to a dogma. The core idea is to find consensus among like-minded states about acceptable and unacceptable cyber behavior, articulate that standard, and then convince other states to abide by that “norm.” Unfortunately, just as deterrence is not aligned with the unique structural and operational characteristics comprising the cyber strategic competitive space, neither is this traditional process of explicit bargaining. If we are eventually to attain greater stability within cyberspace, we need a norm-generating mechanism better aligned to the behavioral realities within the environment. Norms around acceptable cyber operations can be constructed through behavioral interactions over time if the United States reorients its policy toward a process of tacit bargaining. Rather than emphasize explicit bargaining with like-minded states, we must reorient to prioritize intentional tacit bargaining with actors who hold different views on what is and is not acceptable behavior in cyberspace. The good news is that such an approach is reinforced by the structural features and strategic imperatives of cyberspace.
Explicit bargaining, involving international conference or bilateral diplomacy and treaty negotiations, is poorly suited to addressing the threats from strategic competition in modern cyberspace. We are not proposing the abandonment of traditional approaches (including, as we’ve argued before, deterrence) but rather an aligned application of them to the strategic realities the United States faces. The U.S. has achieved some progress on this front through explicit bargaining on agreements of principles of responsible state behavior in cyberspace, but only as pertains to armed conflict. The 2015 G20 Leaders’ Communique and 2017 G7 declaration on responsible state behavior are notable successes, but those non-binding agreements are with like-minded states, and so, by definition, are not recognized as legitimate by U.S. adversaries. The 2013 and 2015 United Nations Group of Governmental Experts (GGE) on Information Security Reports represented early international progress on recognizing appropriate bodies of law and suggesting voluntary norms, but progress stalled at the 2017 convention where the group deadlocked. Indeed, after the 2017 meeting, the U.S. posited that the realization of cyber norms may not be achievable through a United Nations effort and that it is time to consider other approaches.
To note the limited results of explicit bargaining is not to discourage negotiation efforts in pursuit of formal agreements on responsible behavior in the strategic space of armed conflict. But the U.S. must keep those limits in mind. Indeed, U.S. adversaries have routinely rejected any substantive agreements that approach the notion of cyber norms. Where agreements are reached, they are limited in scope and ineffective at addressing the matters they reach. Consider, for example, the 2015 agreement Presidents Obama and Xi, which committed that neither country would conduct or knowingly support cyber-enabled theft of intellectual property for commercial gain. Subsequent evidence, however, suggests that operatives based in China engaged in sustained cyber espionage campaigns exploiting the business secrets and intellectual property of American businesses, universities, and defense industries. This explicit agreement failed not because of any deficit in U.S. diplomatic bargaining skills, but because the bargaining process itself was not appropriate for the strategic competitive space to which it was applied.
The challenge faced by the United States and its allies and partners, then, is to identity a strategic process through which it can develop a modus vivendi in the cyber strategic competitive space below armed conflict with those who either cannot or will not negotiate explicitly or, even if they did, none would trust the others with respect to any agreement explicitly reached.
In 1960, Thomas Schelling recognized that even in environments of uncertainty concerning new military technology and deep mutual distrust, states nonetheless have a common interest in avoiding the kind of false alarm, panic, misunderstanding, or loss of control that may lead to unintended or non-deliberate escalation. They also have a common interest in not getting drawn in, provoked or panicked into war by the actions of other parties (whether a party intends that result or not). And they may have an interest in saving some resources by not doing things that tend to cancel out. Importantly, these common interests do not depend on trust or good faith. “In fact,” he argued, “it seems likely that unless thoroughgoing distrust can be acknowledged on all sides, it may be hard to reach any real understanding on the subject.” The strategic realities Schelling saw motivated him to consider an alternative to the then-dominant model of explicit bargaining, leading him to introduce and develop the distinction between tacit and explicit bargaining to achieve strategic stability.
A tacit bargaining process diverges from explicit bargaining in that informal agreements are arrived at “not by verbal bargaining, but by maneuver, by actions, and by statements and declarations that are not direct communication to the enemy. Each side tends to act in some kind of recognizable pattern, so that any limits that it is actually observing can be appreciated by the enemy; and each tries to perceive what restraints the other is observing.” Stated differently, increased clarity and reduced uncertainty regarding boundaries or limits on behaviors, and the predictability and potential stability they engender, are a consequence of action and interaction.
While obviously not writing on modern cyberspace in his work, all of Schelling’s arguments regarding the military technology of the 1960s apply to the cyberspace strategic environment: It has compressed the time available to make decisions, induced concerns that an armed conflict either could be or would be limited in scope, and has greatly reduced the confidence of any actor that it could predict with confidence the capabilities any adversary had or would have in the future. Additionally, it is not a stretch to argue the significant distrust to which Schelling was referring in 1960 characterizes U.S. relations today with Russia, China, Iran and the Democratic People’s Republic of Korea (DPRK), to name a few of the acknowledged sources of Advanced Persistent Threats (APTs) challenging the United States in, through, and from cyberspace. Finally, it is equally defensible to argue that the mutual or common interests Schelling highlights are also present today in the cyberspace strategic environment. Though published at the dawn of the digital age, Schelling’s scholarship on tacit bargaining is strikingly relevant to today’s cyber strategic environment.
The strategic process of tacit bargaining, then, carries advantages in environments that facilitate action and interaction between adversaries. The interconnectedness of cyberspace demands action and interaction of any state seeking to secure its national interests in it. Thus, tacit bargaining is a process that is structurally aligned with and supported by the cyberspace strategic environment.
The prospect of tacit bargaining leading to more stabilized expectations of acceptable and unacceptable behavior is heightened by the fact that interaction in cyberspace is bounded by a strategic objective to advance national interests while avoiding war. The majority of cyber operations we are witnessing seem best understood as a tacitly “agreed competition” below the threshold of war. In efforts to arrive at tacit understandings of acceptable and unacceptable behavior in the cyber strategic competitive space, the tasks states face will be a function of the alignment of their national interests with mutual or common interests as manifested in cyberspace. Where those interests converge, we should anticipate states will engage in cyber operations around focal points that communicate shared interests and a willingness to collaborate on ranges of acceptable/unacceptable behavior about those interests. But where those interests are in conflict, states will communicate as much through cyber behaviors seeking to outmaneuver each other to achieve an advantage or at least avoid a disadvantage. Over time, this interactive process will result in tacit understandings among and between adversaries of what behaviors are acceptable/unacceptable in cyberspace. Also, many of these understandings may ultimately manifest as formal cooperative international agreements or, in the case of intense competitive interactions over priority national interests, may encourage formal, explicit bilateral or multilateral bargaining in efforts to head off potential escalation out of strategic competition and into armed conflict.
Persistent Engagement and Tacit Bargaining
By describing persistent engagement, operationally, as continuously engaging and contesting adversaries and maneuvering for advantage below the threshold of armed conflict, CYBERCOM’s “Command Vision” makes clear that persistent engagement’s operational design aligns directly with a fundamental feature of tacit bargaining—it is a strategy grounded in maneuver and action, and interaction with adversaries. Thus, it is reasonable to conclude that persistent engagement would support a strategic process of tacit bargaining adopted to develop mutual understandings with adversaries on acceptable/unacceptable behavior in agreed competition. In fact, the “Command Vision” proposes this very thing: that a strategy of persistent engagement will serve to clarify the distinction between acceptable and unacceptable behavior in cyberspace and, consequently, contribute to stability.
The success of a strategic framework for constructing cyber norms grounded in persistent engagement and tacit bargaining will depend, in part, on how well states communicate their national interests in cyberspace. Behavioral convergence around definable limitations is how sustainable cyber norms can be constructed. Schelling offers suggestions that policymakers should take note to increase the likelihood of success.
Adopting a strategy of persistent engagement for the cyber strategic competitive space below armed conflict marks a positive step toward regaining U.S. strategic advantage in the same. A related readjustment in prioritizing a different process through which the United States seeks to construct expectations around acceptable cyber operations (cyber norms) will serve as an additional complement to a growing coherency in national cyber strategy. An intentional adoption of a tacit bargaining approach to guide the type and timing of U.S. cyber operations should be pursued to enhance the prospect of a more stable and secure cyberspace.