The new strategic concept “persistent engagement” is here, and it doesn’t mean what you think it means. Notionally, this strategy suggests that the United States will consistently confront its adversaries in cyberspace rather than wait for them to attack US networks. The 2018 Cyber Strategy employs the concept of “defending forward,” a core component of “persistent engagement,” that would “intercept and halt cyber threats” before these attacks reach American networks. On June 15th, 2019 the New York Times revealed a different vision of “persistent engagement,” when they broke the news that the United States had inserted “potentially crippling malware” into the Russian electric grid.
This incident seems hard to reconcile with the vision of “security and stability of cyberspace” put forward by the 2018 US Cyber Command Vision unless its aim is deterrence. Cyber Command has consequently placed deterrence front and center in US cyber strategy — is this action also part of the US strategy of persistent engagement? Fischerkeller and Harknett in a 2018 Lawfare article describe deterrence and persistent engagement as separate Department of Defense (DoD) strategies that have yet to be aligned; however, the aforementioned Command Vision seems to subsume deterrence under persistent engagement. This article explores whether and how the Russian power grid hack demonstrates the strategic logic behind “persistent engagement.” If not, does this hack signal that the United States is preparing the battlefield?
Threatening the Russian Power Grid
David Sanger and Nicole Perlroth’s piece in the New York Times disclosed that, according to current and former government officials, Cyber Command used new authorities granted by the (classified) National Security Presidential Memorandum 13 and the 2019 National Defense Authorization Act last year to expand earlier surveillance operations into actual threats to Russian critical infrastructure. Although US destructive capabilities are well established, as the Aurora generator attack first demonstrated 12 years ago, the injection of destructive malware into what are presumably the control systems of the Russian electric grid is new. The revelation that Cyber Command is now in a position to cause power outages in a rival nation suggests a shift towards the more aggressive posture defined by persistent engagement.
How Does This Reflect Existing US Cyber Strategy?
There is tangible excitement in military circles about the expanded authorities and mission, which free Cyber Command to further their objective of achieving domain superiority. With the appointment of General Paul Nakasone in May of 2018, the DoD began to expand the scope of its offensive cyber operations. While offensive US operations are rarely disclosed, we can gather a sense of this shift from recent strategy documents:
- The 2017 National Security Strategy says that the United States will “impose swift and costly consequences on foreign governments, criminals, and other actors who undertake significant malicious cyber activities.”
- The 2018 National Cyber Strategy states that “The United States will develop swift and transparent consequences, which we will impose consistent with our obligations and commitments to deter future bad behavior.”
- The 2018 Command Vision for US Cyber Command is perhaps the most informative document in that it makes explicit that deterrence is a dimension of persistent engagement and that the consequences described above can take the form of offensive cyber operations: “Through persistent action and competing more effectively below the level of armed conflict, we can influence the calculations of our adversaries, deter aggression, and clarify the distinction between acceptable and unacceptable behavior in cyberspace. Our goal is to improve the security and stability of cyberspace.”
These policies envision Cyber Command targeting an opponent’s use of cyberspace, with language like actors who engage in “malicious cyber activity,” and bad or unacceptable behavior in cyberspace. This framing of cyber-to-cyber domain activity, i.e., hackers targeting hackers, is an example of specific deterrence, rather than the general or cross-domain deterrence that the United States has historically found objectionable. These documents also indicate a preference for tacit over explicit bargaining. That is, US Cyber Command seeks to set the rules for acceptable behavior in cyberspace through retaliation rather than formally discussing and negotiating with its adversaries. This is confirmed by historic US reluctance to sign onto a binding agreement that limits its own behavior in cyberspace.
A Calculated Disclosure?
This disclosure could fit the call by the 2018 Cyber Strategy for a “swift and transparent response […] to deter future bad behavior”. The disclosure to the New York Times, if intentional and strategic, would present an opportunity to fulfill this call for transparency by broadcasting US capabilities. However, Trump’s accusation that the paper’s publication of the story was treasonous suggests that any transparency might be merely accidental. Further, the New York Times article hinted at an ambiguity as to whether this act was a deterrence-based signaling move. If so, what behavior was it designed to check? Speculation might suggest that as the United States first directly attributed hacks against the US power grid in 2018 to Russia, perhaps they’re direct equivalents, swiftly checking this behavior 15 months after attributing it.
A Calculated Strategic Move?
Fischerkeller and Harknett suggest that deterrence and persistent engagement are distinct strategies for managing the cyber competitive space. It seems apparent that the hack on the Russian power grid reaches well beyond the intra-domain conflict corresponding with “defending forward.” Rather, this incident fits clearly in the deterrent or compellent space, but to what end? Consistent with John Bolton’s brusque foreign policy style, targeting Russian critical infrastructure showcases how the United States might “preserve peace through strength.” Here, the presumed rationale is that Russia will respond to an assertive US presence by deciding it is in their own rational self-interest to back away from an aggressive cyber posture towards the United States. However, the deployment of this capability would be an act of war that could lead to civilian deaths and an inevitable retaliation. Thomas Schelling said in Arms and Influence that, to deter, one digs in, or lays a minefield, and waits — in the interest of inaction. To compel, one gets up enough momentum (figuratively, but sometimes literally) to make the other act to avoid the collision.
This incident has far more parallels to laying minefields, and no deadline seems to be at play. Consequently, this is an example of brinkmanship that harkens back to nuclear deterrence logic, in which the concept of mutually assured destruction would restrain both actors from engaging in total warfare.
The efficacy of deterrence comes from a credibly communicated threat that can be withdrawn upon an expected policy adjustment by the adversary. The United States hack on the Russian power grid communicates a direct threat. However, the ambiguity of the intent of the action suggests no clear description of what behavior would satisfy the US. What specific policy change could Russia implement, other than a comprehensive withdrawal from cyber operations, that would result in an end to these operations? Unless backchannel communications have been made and communicated clearly, this incident would demonstrate a situation of gross overreach.
Will This Strategy Work?
Is advancing the US national interest by achieving “superiority” in the cyber domain compatible with an open and secure internet? If so, how will Russia know the difference and would they even care? Are there ways to design or think about a cyber landscape where civilian infrastructure can be safeguarded against reckless nation-state behavior? At its worst, the United States’ operations against Russia’s power grid risk normalizing the behavior of “preparing the battlefield,” behavior that the United States has previously condemned when practiced by its adversaries. Unless tacit bargaining convinces these adversaries to change their behavior, the United States risks normalizing tripwires on civilian infrastructure. The assumption that the escalatory risks from cyberspace are minimal and that gray zone conflict can be maintained is based on historical precedent in cases of espionage and small-scale conflict. Were the US to join the game of “preparing the battlefield,” the landscape assumed by “persistent engagement” might change.