In recent years, U.S. thinking on a national cyber strategy has included, at least in part, a focus on the concept of cyber deterrence. The deterrence theme has been prevalent in civilian government and military leaders' speeches, as well as congressional hearings and scholarly literature. (See, for instance, Fifth Domain coverage
While many agree on the need for a U.S. national cyber strategy, few have challenged the premise of a strategy built largely around cyber deterrence. But one scholar has recently published a series of academic papers that do exactly that — question the very premise for and the effectiveness of a deterrence strategy in cyberspace.
Fifth Domain recently caught up with that scholar, Dr. Richard J. Harknett, professor and head of the political science department at the University of Cincinnati. Harknett is enjoying a busy and productive 2016 and 2017. From January to June of this year, he was a Fulbright Scholar in cybersecurity at the University of Oxford in the U.K. He was scholar in residence at U.S. Cyber Command through the end of 2016, with a continuing advisory role to the Combined Action Group, US CYBERCOM.
In Harknett's view, cyber deterrence hasn't worked to date and most likely won't work in the future. The flaw with deterrence isn't its goal, Harknett has argued, but rather with its application to the unique environment of cyberspace, which doesn't lend itself well to a deterrence strategy.
"Strategic frameworks must map to the realities of strategic environments; the reverse is not possible," Harknett wrote in a paper coauthored with Institute for Defense Analyses Researcher Michael Fischerkeller and published in May. So Harknett has set out to explain the unique characteristics of cyberspace, which he describes as an "offense-persistent strategic environment." (More on that in a moment.)
The origin of Harknett's skepticism about cyber deterrence predates the World Wide Web. He explained that his original frame of reference was the deterrence debate that arose in the late 1980s. At that time, some strategists and scholars pondered whether precision conventional weapons might replace nuclear weapons as an effective deterrent. Two thinkers, in particular — American Political Scientist John Mearsheimer and Security Policy Expert Jonathan (Yoni) Shimshoni — stood out to Harknett because of their focus on the distinct strategic environment/interaction entailed by conventional deterrence.
Harknett built on Mearsheimer's and Shimshoni's work by arguing that the core distinction between conventional and nuclear deterrence was not scale and scope of destructive potential. Rather, it's the fact that conventional weapons were ultimately contestable costs/threats (technically, tactically, operationally), whereas a small number of nuclear weapons essentially represented incontestable threats of unacceptable cost infliction. (Harknett noted, "Our metaphor of pushing a button was pretty accurate.") This contestable cost characteristic, Harknett argued, makes conventional deterrence inherently less stable than nuclear deterrence.
Soon after the advent of the World Wide Web, a defense department official asked Harknett what he thought about web browsers, from a deterrence perspective. Harknett told the official that what was being lumped into information warfare was even less stable, from a deterrence perspective, than conventional environments because of contestability.
Harknett also cites Bernard Brodie — often referred to as the "American Clausewitz" and the architect of U.S. nuclear deterrence strategy — and Thomas Schelling, a professor at the University of Maryland, College Park, who won the 2005 Nobel Prize in Economics for his work applying game theory to conflict and cooperation. Harknett said Brodie and Schelling were important thinkers because they recognized that nuclear weapons fundamentally changed then-current theories of deterrence, and therefore, leaders' thinking also had to change.
In this same manner, Harknett's recent work argues that cyber is fundamentally different from anything that has come before it. To dominate the cyber domain, Harknett argues the U.S. must first understand the environment's unique characteristics and then apply an effective strategy tailored to the environment.
Following the interview, Harknett and I had a brief email exchange. I mentioned the pervasiveness of the cyber deterrence concept, to which he replied, "Yes, I am fighting a paradigm. Not easy to do."
Below is a full transcript of the Fifth Domain interview with Harknett, which he gave earlier in July. The views Harknett expresses here are his own, and they do not represent the view of the U.S. government or any of its agencies.
Much U.S. cyber policy is/has been focused on the concept of deterrence, but in a paper coauthored with Fischerkeller and published in May, you argue "deterrence is not a credible strategy for cyberspace." Why not?
Deterrence does not map to the realities of cyberspace as an operational environment. It is an environment of constant action, while the measure of effectiveness of deterrence is the absence of action. We have come to forget how radical a departure deterrence represented as the central organizing principle for national security.
For several millennia prior to 1945, the capacity to secure oneself territorially rested in your hands — offense versus defense. Bernard Brodie and others quickly realized that "one plane, one bomb, one city" meant that security could not be found in defense, so they introduced the radical idea that our security would rest in the minds of our opponents, and the purpose of possessing military capability, nukes, was to never actually use them.
We have become very comfortable with this framework because it worked in the nuclear environment and still does. But this was a specific strategic response to a specific strategic environment, and it does not hold that it will be universally effective across all weapon types. Just as nuclear weapons fundamentally precluded defense, cyber operations actually preclude deterrence.
In the same 2017 paper, you explain how U.S. global posture and a deterrence strategy, as classically understood, are a "strategic mismatch" for the cyber domain. This mismatch, you write, has led to a U.S. "strategic deficit" in cyber. What are the key elements that gave rise to this strategic mismatch?
It is the fundamental nature of cyberspace. Look, coming out of the Second World War, we did not apply the tactical, operational and strategic lessons of fighting that war to nuclear weapons. Instead we looked at the capability for its distinctiveness and realized we needed new concepts to manage the threat nuclear weapons posed.
Cyberspace is technically and operationally distinct in the threats it contains: It is structurally interconnected, creating a condition of constant contact on a terrain that is both the space in which one contests and the means with which one contests, and it is constantly shifting with every new version of software/hardware and system process. The strategy of deterrence simply does not match the reality that flows from this structure — which is persistent action.
The deficit has come from the fact that, while the U.S. has been wedded to a misapplied strategy that cannot work, others are operating much closer to the expectations of what I call offense persistence and gaining advantage.
Given the U.S.'s current strategic deficit, you write that cyber requires a "domain-specific strategy" that is reliant on "capabilities-based strategy for cyberspace rather than a threat-based strategy." What are the key differences between capabilities- and threat-based strategies?
Well, the first point is really important: Cyberspace is not a military domain in our thinking; it is an interconnected domain in which the military must operate.
We cannot use notions of segmentation in an interconnected space — areas of hostilities is not a helpful cyber concept — and we have struggled to date to develop a strategy of interconnectedness. Our solutions have been to segment, but if this is truly an interconnected space, then that is the operational problem we have to address.
My coauthor in the Orbis article, Michael Fischerkeller, hit on the critical difference in approaches in that, while all security environments have some degree of uncertainty built in, threat-based strategies assume that you have command of a lot more certainty about things like source, intent, sovereignty/borders, signaling, escalation dynamics — none of which we have much certainty or confidence about in cyberspace.
A capabilities-based approach is not divorced from specific actors, for example, but it is driven more with a focus on what vulnerabilities do we have that can be exploited and what vulnerabilities do others have that can be leveraged and aligning capabilities development and operational planning to addressing getting ahead of both sets of vulnerability. We assume there is inherent vulnerability in cyberspace, another factor that reinforces the tendency toward offense persistence.
In your paper, "The Search for Cyber Fundamentals," coauthored with US CYBERCOM's Dr. Emily O. Goldman and published in 2016, you characterize cyberspace as an "offense-persistent strategic environment" (OPSE). How do you define an OPSE?
An offense-persistent environment is one in which you can defend, but you defend only in the moment, and the cumulative effect of this defense has little impact on the overall scale and scope of adversarial capacity to act. You can't attrite.
The structural features of offense persistence support a continuous willingness and capacity to seek the initiative, so while it does not mean that every actor is acting to gain advantage over you all the time, it does mean — from a security planning standpoint — that you have to assume that someone, somewhere is in fact acting in such a manner. The structural features of offense persistence — interconnectedness, constant contact — not potential/imminent, but constant contact — and a continuously iterating terrain of space and means — reinforce this willingness and capacity.
The entry barriers to compete in this space are low. They are not barriers at all, in fact, and your capacity can be significantly amplified beyond traditional measures. Think recent global ransomware spread.
Ultimately, it is an environment that perpetuates a continuous burden for defense and opportunity for offense.
In the same 2016 paper, you contrast OPSE with what you characterize as an "offense-dominant strategic environment" (ODSE). What are the key differences between an OPSE and an ODSE?
I argue that there are three, distinct, strategic security environments that have distinct dynamics and thus require distinct security solutions: Nuclear is offense dominant. It means what it says: The offense always wins. Conventional/kinetic ranges from offense- to defense-advantaged due to the combination of technical, tactical and operational means. And now we have a third: cyber, which is uniquely offense persistent.
Because of these structural features, nuclear security requires deterrence. Conventional security requires deciphering the right mix of offense versus defense; get it wrong, like in World War I, and you have devastating consequences. Cybersecurity requires persistence — the gaining and retention of initiative.
In the 2016 paper, you contrast traditional "dynamics" of conventional, nuclear and cyber (i.e., OPSE) warfare, such as the "measurement of a continuum of offense versus defense dominance." You write that OPSE creates a "new dynamic" that requires a "fundamentally new kind of reasoning" about the cyber domain. What are the key takeaways for policymakers and military leaders?
The first takeaway is we have to allow ourselves to engage in cyber thinking, if you will, just as we engaged in nuclear thinking.
If I had walked into a congressional hearing on the eve of D-Day and said, "We need to be thinking about how to secure ourselves in the future, and I have this idea: Let's spend trillions of dollars on weapons whose sole purpose is to be never used. That's how we will secure ourselves." I would have been ever-so-politely escorted to the door.
If we are to secure ourselves in cyberspace, we are going to have to understand that this is an operational space driven by distinct features. We need to think that security is ultimately enhanced by being able to anticipate how others might exploit our vulnerabilities and, simultaneously, how we can leverage others' vulnerability. You either have initiative in this space, or you do not, and those that do will have more freedom of maneuver and more security.
Skeptics and critics might hear the concept of cyber-persistent strategy and raise one or two major concerns:
- Cyber persistence sounds like it could accelerate the "weaponization" of the internet, which has led to unintentional damage to non-nation-state parties. For instance, this was illustrated recently by the global WannaCry cyberattack, which exploited a zero-day vulnerability stolen from the U.S. intelligence community and caused massive disruption and damage throughout the commercial sector worldwide.
- The U.S. which has the largest allocation of IPv4 addresses (approximately 1.6 billion) and the largest population of in-use IPv4 servers (approximately 37 million), most of which are privately owned, nonmilitary assets is arguably more vulnerable in cyberspace than any other nation-state. A U.S. cyber-persistent strategy might provoke adversaries to escalate cyberattacks against vulnerable, nonmilitary targets.
How do you reply to these two observations?
You have to bring about more security in the space as it is, not how we had hoped it might be. Cyberspace is currently an insecure environment in which that insecurity is increasing because we can't stop using it.
I understand how a strategy of cyber persistence can be misinterpreted as constant war. I do not see it that way. It is seeking to tamp down the worse insecurity through an active engagement with an active operational domain. Most of the activity that you need to do in anticipating vulnerability is resiliency, defense and active defense, and when necessary, countering and contesting.
Counterintuitively, the U.S. focus on cyber deterrence, I would argue, has been the most escalatory of all approaches, because the U.S. has sat back while more and more actors have engaged in increasingly aggressive cyber operations. Rather than being concerned about provoking adversaries, we should be more concerned about not encouraging them, which current policy appears to do.
This will be messy at times as we all figure out the parameters of acceptable and not-acceptable behavior. One thing we can't do is impose or establish norms. The convergence of expectations about behavior comes from behaving. Right now, there is an increasing degree of cyber aggression. That is becoming an unwanted norm, in my view.
A strategy of cyber persistence, in which security is sought through anticipatory behavior across the full range of operations — resiliency through countering — will better position the U.S. to shape cyberspace toward both more secure contexts and less aggressive behaviors. The form of normalization has a chance to stabilize over time.
Applying a legacy framework that defines success as the absence of action, deterrence, in an environment of constant action will never advance our cybersecurity, which ultimately has to be our goal.