Michael P. Fischerkeller,Emily O. Goldman, andRichard J. Harknett, Cyber Persistence Theory: Redefining National Security in Cyberspace (Oxford University Press, 2022).
Predictions about cyber war have ranged from the apocalyptic to the reassuring over the past decade, and the current war in Ukraine beyond its horrific violence, dislocations, and criminality provides a test case for those theories.Do cyber operations provide decisive advantages in war? Are they more escalatory or de-escalatory than other weapons? Or is it more appropriate to consider cyber capabilities primarily as instruments of interstate competition short of war?
The Russo-Ukrainian War is the first case in which opponents with advanced cyber capabilities have used them to achieve material and cognitive effects in armed conflict. Firm conclusions must await the end of the war, but for now, cyber operations do not appear to have been decisive in destroying or disrupting military forces and economic wherewithal, or in affecting societal willpower and political cohesion.
Even the most revisionist states most of the time want to gain intelligence, enhance revenue through favorable trade, theft or sanctions evasion, and sabotage adversaries politically and economically, while avoiding shooting wars, especially with more powerful adversaries. Such states and their opponents are better off pursuing these aims through cyber operations if they can. Violent actions intended to take or hold territory or steal or disable assets are much more likely to provoke violent, costly, and irreversible responses. Once war is underway, it is thus far unclear whether roughly equivalent cyber capabilities would advantage an attacker or a defender.
The authors of a new book argue persuasively that the habitual U.S. approach of deterrence (primarily nuclear) and coercion (primarily threats of conventional attack) will not effectively dissuade adversaries cyber operations because they involve threats to inflict violence and damage disproportionate to the harm done unto us by those operations. Though written before the invasion, Cyber Persistence Theory does not flunk the Ukraine test thus far. Thanks to their pioneering diagnosis of the structure of the digital environment and the incentives it creates for competition, Michael Fischerkeller, Emily Goldman, and Richard Harknett posit that cyber warfare per se will be rare, and that most exertions will be below the violence and destruction of armed conflict. The authors are, respectively, a researcher at the Institute for Defense Analyses, a strategist at U.S. Cyber Command, and a professor at the University of Cincinnati.
If the great strength of the book is its structural analysis, its weakness is policy prescription. The authors propose an alternative approach of using persistent offensive and defensive competition with adversary cyber operators to establish customary legal boundaries between acceptable and unacceptable cyber espionage, economic and political competition, and warfighting. Unfortunately, the authors and the short span of cyber-age history do not provide detailed bases for thinking the United States and its friends will be able and willing to offer Russia, Iran, North Korea, and perhaps others sufficient threats and rewards to change their cyber behaviors.
The United States would prefer to extend its advantages in cyber-enabled precision warfare while minimizing adversary utilization of cyber to spy, steal, sabotage, and subvert below the level of armed conflict. But, if they can avoid war, adversaries have much to gain and little to lose from cyber competition with the United States, whereas the United States in toto government, businesses, and the public has more to lose from theft, sanctions evasion, and information warfare than its adversaries do. China could be an exception here, as discussed further below. Unlike the other adversaries, it is still a rising power in all relevant domains and could see benefit from negotiating rules on an equal footing. But the current political environment, with fault spread all around, precludes the authors and others from detailing sustainable experiments to this end. Absent a breakthrough on this front, the costs and anxieties of persistent exploitation of governmental, corporate, and personal computing and communications networks will continue.
The Long Shadow of Deterrence
Cyber Persistence Theory argues that the nature of information and communication technologies structures actors competition for relative gain: The global networked computing environment is a warehouse for and gateway to troves of sensitive, strategic assets that translate into wealth and power, and the capacity to organize for the pursuit of both. This environment is resilient at the macro-level its hard to crash the internet, and theres little gain from doing so. But billions of individual addresses in it are vulnerable, and it costs relatively little to acquire capabilities to exploit these vulnerabilities. So, every minute of every day some actor somewhere has both the capacity and will to [gain] access to ones national sources of power directly or indirectly.
It is impossible to completely defend against or deter capable adversaries from attempting intrusions. So, states must persistently compete for relative gains that, over time, could make them strategically better off than their adversaries. Each seeks to add to its power and wealth more than its competitors add to theirs, or especially in the case of Russia to detract more from its adversaries power and wealth than is detracted from its own.
Persistent competition, the authors write, generally takes the form of cyber faits accomplis a limited unilateral gain at a targets expense. Examples of these include Chinas theft of aircraft designs or other intellectual property, North Koreas crypto heists, Russias theft and political manipulation of data from the Democratic National Committee, and the U.S./Israeli destruction of Iranian centrifuges. Once states discover they have been exploited, they try to reduce their vulnerabilities and perhaps increase their own capacities to penetrate their adversaries. Hence, persistent cycles of engagement. This mode of competition is less expensive and risky in every way than armed conflict. It reflects a tacitly produced mutual understanding of acceptable and unacceptable behaviors similar to what the United States and the Soviet Union developed during the Cold War, which Herman Kahn dubbed agreed battle.
The books basic argument is easy to follow, not least because the authors adeptly, if not eloquently, summarize its elements at each stage in their 157-page text. The reader feels in the presence of excellent teachers. After describing the nature of the networked computing environment and the proclivities it produces, the book pivots to a discussion of how the United States could compete more effectively with its adversaries and, over time, temper the costs and risks to international society.
The United States and its allies governments, businesses, and customers should be relieved that the damage from adversary cyber operations is below what would be done by armed conflict. But things would be even better if adversaries stole less information, intellectual property and money, stopped conducting influence operations to exacerbate political polarity and dysfunction, limited penetration of key civilian infrastructure, and so on. While the case of China is more complicated, the authors argue with evidence that sanctions and other coercive threats generally have not deterred or compelled Russian, North Korean, or Iranian behavior as American policymakers, imbued with nuclear deterrence strategy, long assumed or hoped it would.
But saying deterrence and compellence wont work is not a viable policy. Something still must be done to change adversaries hostile behavior. Here, the authors urge an approach that is laudable and worthwhile, but still problematic. They urge the United States and allies to evolve existing international law and establish customary law that defines responsible state behavior and wrongful acts in this domain. The aim would be, over time, to motivate states to limit the targets, effects, and collateral damage of operations. Such restraint, it is argued, would benefit everyone by containing risks of major instability and escalation.
A Law-Building Project
Building such a legal regime would require the United States to overcome its frequent aversion to invoking international law when it indicts Chinese and other hackers. As part of the recommended legal-power strategy, the United States would declare what information and communication systems it deems exclusively its sovereign affair and off-limits from foreign interference under its interpretations of existing principles and rules of international law.
The power of this legal strategy would come from a third element: conducting cyber campaigns against adversaries in ways that reinforce the legal framework the United States is proposing. That is, the flip side of defining international legal obligations is the legitimacy it gives to countermeasures when someone violates an asserted obligation. Cyber operations to counter violations would, iteratively, amount to tacit bargaining with competitors over the boundaries between acceptable and unacceptable behaviors around and about functions or infrastructure that have been declared off-limits.
Unfortunately, the authors cannot say why Russia, North Korea, and Iran would change their behavior to comport with customary international law as interpreted by the United States. These regimes use cyber operations to acquire intelligence, steal intellectual property, evade sanctions, and exacerbate political divisions in adversary societies in ways that they cannot by other means. These states remain isolated, economically hamstrung, and technologically underdeveloped, but they are better off than they would be without cyber operations against the United States and others.
China arguably should be understood and treated differently by the United States and other states. It seeks the capacity to sabotage the United States high-tech weaponry, reconnaissance, command and control, and logistics operations in warfare. Short of armed conflict, it has used cyber espionage to gain technological capability for military and civilian purposes, to enhance counter-intelligence to protect against U.S. spying, and to project favorable opinions about Chinas government and leaders into foreign countries. Unlike Russia, Iran, and North Korea, China is a rising technological and economic power with big equity stakes in the global trading system. It will want rules that others, including the United States, live by, to protect its wealth and intellectual property as well as its one-party political system, something especially problematic for the United States and its allies. And China wants to be central in writing those rules, not passively receiving them from U.S. policymakers. Yet, China does not have the experience and international following to take a leading role. The current all-encompassing antagonism between the two countries, epitomized by Speaker Pelosis visit to Taiwan, vitiates initiatives to create a modus vivendi in the cyber domain.
In conversations, officials and experts from Russia, Iran, and China typically assume the United States has better offensive cyber capabilities than they do to spy on them, to know how to sanction them and detect their evasions, to sabotage their infrastructure, to obtain and publicize damaging information on their leaders, and to precisely and speedily fight a conventional war. (Presumably, North Koreans would say the same, but I have not spoken with them). In their view, whatever measures the United States proposes will be meant to preserve U.S. advantages over them. And as far as international law goes, adversaries like Putin, Xi, Kim, and Khamenei assume the United States will interpret it unilaterally and use it to mobilize or justify punishing its adversaries, while ignoring or violating others interpretations of international law whenever it wants, without repercussions.
The authors of Cyber Persistence know this. They want to build up customary international law so the United States can internally and internationally justify more vigorous cyber operations against adversary networks and machines. Were adversary behaviors described in unsealed public indictments framed as internationally wrongful acts, they write, the extraordinary detail in the indictments should make policymakers comfortable with pursuing countermeasures, if the behavior identified in the indictment is ongoing. This is a very important sentence nine pages from the end of the book: The United States has been too self-deterred, too inhibited, in the authors view. Senior officials and presumably influential corporate leaders and shareholders need to be pushed to see that the best defense is a good offense, and that this can be legitimized.
Unfortunately, the wisdom of their bold prescription is difficult to assess because the authors do not describe the countermeasures they have in mind. Classification and the traditional covertness of cyber operations prevent more transparency. Assuming for many good reasons the authors do not recommend armed attacks in response to adversary cyber operations of the kind seen so far, countermeasures would likely be in the cyber domain. The often-understandable lack of clarity regarding how the United States would react to hostile cyber operations leaves room for adversaries and commentators in swing countries, perhaps fueled by cinema and memories of Edward Snowden, to assume that the United States is doing more in their computers and networks than Russia, North Korea, Iran, and China are. And this is a problem for the authors other recommendation: The United States is competing with Russia and China for the rest of the worlds support in developing international norms and potentially customary law. If it cannot say more about the legitimating rationale and effects of operations it conducts in other countries systems, and plausibly distinguish between the normal and arguably legitimate espionage and countermeasures that the United States and its partners conduct compared to the less defensible targets and tradecraft of adversaries, the law-building strategy will founder.
Of course, even if Russia and China confine themselves to acceptable data-collecting espionage and preparation to attack legitimate U.S. military and war-supporting industry targets in war, the United States is likely to counteract. The hope for stabilizing cyber competition rests on the possibility of reciprocally bounding the targeting and probable effects of operations, and on very careful tradecraft. This will require the sustained, high-level attention of senior leaders, especially from the United States and China, and a steady diplomatic effort to explicate to each side which targets and effects are intolerable and will cause one to take countermeasures, and to create processes for communicating about ambiguous cases. Tacit bargaining will be essential given the secrecy of action in the cyber domain and the deranged politics of relations between the United States and the countries of greatest concern. But, at some point progress will depend on the U.S. political system tolerating leaders having a sustained, public dialogue or negotiation with leaders of adversary countries. Tacit bargaining is too ambiguous to rely upon alone.
Cyber Persistence Theory is a must-read even if it is far from the last word. The authors invoke Thomas Kuhn and his famous concept of paradigm shift. They penetratingly describe the structural shift that the information revolution imposes on some aspects of interstate competition. But cyberspace, unlike the phenomena that Kuhns natural scientists sought to understand, is human-made. Contending groups compete against each other by altering and exploiting their creations in this environment. The challenge is not merely to understand these dynamics like scientists do, but to shape them in ways that avert massive harm and, ideally, facilitate the pursuit of well-being. Meeting this latter challenge will require additional volumes that build on this one.
George Perkovich is Kenneth Olivier and Angela Nomellini Chair, vice president for studies at the Carnegie Endowment for International Peace. He is co-editor of Understanding Cyber Conflict: 14 Analogies (Georgetown University Press, 2017) which can be downloaded free at 19029-Perkovich_Understanding.indd (carnegieendowment.org).
Image: U.S. Cyber Command, photo by Josef Cole
See the rest here:
Prescribing a New Paradigm for Cyber Competition - War on the Rocks
- NSA surveillance exposed by Snowden ruled unlawful - BBC - May 25th, 2024
- Can Edward Snowden Become the Next CEO of Twitter? Elon Musk is Ready to Give Up - Analytics Insight - May 15th, 2024
- Edward Snowden Weighs In On Boeing Whistleblower's Death With Cryptic Message: 'If I Die, It Wasn't Suicide' - TradingView - March 21st, 2024
- Edward Snowden Calls Bitcoin 'Most Significant Monetary Advance Since the Creation of Coinage' Featured Bitcoin ... - Bitcoin.com News - February 25th, 2024
- Edward Snowden: Bitcoin 'Most Significant Monetary Advance Since the Creation of Coinage' - Decrypt - February 25th, 2024
- Edward Snowden's Ominous Warning to the World - Newsweek - January 15th, 2024
- Edward Snowden Says Institutions 'Burning The Public's Faith' At Time When AI Can Replace Them: 'A Revolu - Benzinga - January 15th, 2024
- Edward Snowden: Bitcoin Safeguard for Pensions and Retirement - CoinGape - January 15th, 2024
- Edward Snowden and Jack Dorsey Are Both Asking the Same Question: What Happened in 1971? - Foundation for Economic Education - December 11th, 2023
- Edward Snowden - Simple English Wikipedia, the free encyclopedia - October 27th, 2023
- Edward Snowden On The NSA, His Book 'Permanent Record' And Life In ... - April 17th, 2023
- 209-359-17.. located in Merced.. Find Info before it disappears... - April 17th, 2023
- Edward Snowden gets Russian passport after swearing oath of allegiance ... - April 8th, 2023
- Edward Snowden - Education, Movie & Documentary - Biography - March 5th, 2023
- Before sending a voice message, ask if you could say it in writing: How to stop the avalanche of WhatsApp audios - EL PAS USA - February 25th, 2023
- Entertainment News Roundup: Sean Penn film 'Superpower' catches Zelenskiy at moment of Russian invasion; And the winner is... London rolls out red... - February 25th, 2023
- Edward Snowden Reacts To Elon Musk's 'Pardon' Poll: 'That's A Very Big ... - January 6th, 2023
- NSA files decoded: Edward Snowden's surveillance revelations explained ... - December 20th, 2022
- Edward Snowden says he feels itch to scale back in to $16.5K Bitcoin - December 20th, 2022
- Edward Snowden Offers to Take Over as Twitter CEO for Salary in ... - Investing.com - December 20th, 2022
- Where is Edward Snowden? | The Sun - November 25th, 2022
- Edward Snowden, Elon Musk Optimistic About Bitcoin Despite FTX Collapse - Crypto Briefing - November 17th, 2022
- Snowden's newfound Russian citizenship reignites the debate of privacy versus safety in the US - Tufts Daily - October 15th, 2022
- Whistleblower behind Luanda Leaks, Malta Files and Football Leaks on trial - The Shift News - October 15th, 2022
- 'All The Beauty And The Bloodshed' Trailer: Laura Poitras' Golden Lion Winner Hits US Theaters Later This Fall - The Playlist - October 15th, 2022
- NYFF 2022: No Bears, R.M.N., All the Beauty and the Bloodshed | Festivals & Awards - Roger Ebert - October 15th, 2022
- From Bin Laden to Al Zawahiri: The evolution of Americas Targeted Killing Strategy - Indian Defence Review - October 15th, 2022
- Arundhati Roy on Things that Can and Cannot Be Said: The Dismantling of the World as We Know It - LiveWire - October 7th, 2022
- Billion Dollar Harvest: TikTok's Threat to National and Personal Security MARIST CIRCLE - Marist College The Circle - October 7th, 2022
- 'All the Beauty and the Bloodshed' Review: Politics of the Personal - slantmagazine - September 21st, 2022
- Congressional inquiry reveals secret Customs and Border Protection database of U.S. phone records - CyberScoop - September 21st, 2022
- The Most Controversial Biopics - IndieWire - September 21st, 2022
- VIDEO: Priyanka Chopra celebrated her husband Nick Jonas' birthday like this at the golf course, wrote - News84Media.com - September 21st, 2022
- From Bin Laden to Al Zawahiri: The evolution of Americas targeted killing strategy - MyVoice - September 21st, 2022
- At German artist Thomas Demands MOCA exhibit, finding the material in the ephemeral - Toronto Star - September 21st, 2022
- This is the jungle: Law enforcement slowly waking up to the threat of DeFi exploits - Fortune - September 13th, 2022
- Icarus: The Aftermath Review: A Tense and Affecting Real-Life Sequel - Hollywood Reporter - September 13th, 2022
- Fourth Amendment: The right to be left alone - Minot Daily News - September 13th, 2022
- Opinion | It Is Time to Throw the Monarchies of the World Into the Dustbin of History - Common Dreams - September 13th, 2022
- Do the FBI monitor peoples social media activity and online posts? Is it legal? - AS USA - September 5th, 2022
- Is Trump the Rosenbergs? - JNS.org - JNS.org - September 5th, 2022
- The Patriot Act: Mass Surveillance Before and After 9/11 - Privacy News Online - September 5th, 2022
- Can code just be 'disappeared' from the internet? - POLITICO - August 28th, 2022
- The Tech Industry Is in Its Whistleblower Era - The Atlantic - August 28th, 2022
- History As It Happens: The Espionage Act's sordid origins - Washington Times - August 28th, 2022
- The inside story of the CIA vs Russia - Asia Times - August 28th, 2022
- 'The rebels were sent to a lunatic asylum': These films end differently in China - Euronews - August 28th, 2022
- Erik Prince wants to sell you a secure smartphone thats too good to be true - MIT Technology Review - August 20th, 2022
- Judge orders DoJ to produce redacted version of affidavit in state secrets investigation of Trump - WSWS - August 20th, 2022
- How to Use the Signal App: Tips & Tricks - Online Tech Tips - August 20th, 2022
- Ruling Class Turns On Conservative Americans - The American Conservative - August 20th, 2022
- Signal Reveals Over 1900 Users Were Affected in a Recent Phishing Attack - Appuals - August 20th, 2022
- Despite resistance, WikiLeaks continues its fight for the truth - Independent Australia - August 20th, 2022
- The Republican party has reason to fear the midterms - The Guardian - August 20th, 2022
- Government pays arms firm that spied on activists to snoop on all our internet records - The Canary - August 20th, 2022
- Why is Australia risking conflict with China? - Asia Times - August 20th, 2022
- Edward Snowden, Russia's 'Disinformation Campaign' Drive 'Downhill' Narrative, Says 'Black Swan' Author - Benzinga - August 12th, 2022
- What Does All This TV Talk on Big Ten Do for Big 12 and Oklahoma State? - Pokes Report - August 12th, 2022
- From Defending the Open Internet to Confronting the Reality of a Fragmented Cyberspace: Reflecting Upon Two CFR Reports on U.S. Goals in Cyberspace -... - August 12th, 2022
- US Vows To "aggressively Pursue" Cryptocurrency Mixers - Nation World News - August 12th, 2022
- After cryptos crash and NFTs collapse, Web3 idealists race to prove that the dream of decentralization isnt dead - Fortune - August 12th, 2022
- What is Monero (XMR) Crypto? Is Edward Snowden Behind This Project too? - CryptoTicker.io - Bitcoin Price, Ethereum Price & Crypto News - August 4th, 2022
- Russian hackers get the headlines. But China is the bigger threat to many US enterprises. - Protocol - August 4th, 2022
- Why Is July 30th National Whistleblower Day? - Privacy News Online - August 4th, 2022
- I may have to wait until I'm on my deathbed Panama Papers whistleblower - Namibian - August 4th, 2022
- Whatever Happened to the Transhumanists? - Gizmodo Australia - August 4th, 2022
- Julian Assange? Heres why I am not a fan of his - The Citizen - August 4th, 2022
- Who Is Edward Snowden, the Man Who Spilled the NSA's Secrets? - July 26th, 2022
- Why so silent? Edward Snowden has gone underground since Russia's ... - July 26th, 2022
- Kids spend the summer in STEM camp - Marketplace - July 26th, 2022
- Thomas Demand: The Stutter of History - Announcements - E-Flux - July 26th, 2022
- Empire of Hacking: U.S. is the Biggest Threat to Cyber Security - Xinhua - July 26th, 2022
- Edward Snowden Says 'We Are All Going To Be Billionaires' But... - Benzinga - Benzinga - July 18th, 2022
- Joshua Schulte convicted on all counts in second trial over 2017 leak of Vault 7 cyberwarfare trove published by WikiLeaks - WSWS - July 18th, 2022
- SMITHEREENS: Reflections on Bits & Pieces:SMITHERMATAZ. Category: Public Comment from The Berkeley Daily Planet - Berkeley Daily Planet - July 18th, 2022
- Full Text of All Articles The Berkeley Daily Planet - Berkeley Daily Planet - July 18th, 2022
- As Bear Market Turns All Eyes to Utility, Privacy Stands Poised To Lead Next Crypto Breakout - The Daily Hodl - July 18th, 2022
- Yes, data centers use a lot of water. But a Utah company shows it doesn't have to be that way. - Salt Lake Tribune - July 18th, 2022
- Edward Snowden - National Whistleblower Center - July 9th, 2022
- Commentary: The fight against excessive surveillance continues in Maine and across the country - Press Herald - July 9th, 2022