New Publication: “Mixed Signals: A Flawed Approach to Cyber Deterrence” by Dr. Alexander Klimburg, Director of the HCSS Cyber Policy and Resilience Program, in Survival, vol. 62 no. 1, February–March 2020, pp. 107–130.
The conduct and deployment of the United States Cyber Command’s (CYBERCOM) vision of ‘persistent engagement’ represents a radical departure from previous notions of conflict in cyberspace. It builds on a number of questionable assumptions about the international history and perception of cyber conflict, the role and strategic direction of information warfare, and the general dynamics of deterrence.
This article, commissioned in part as a White Paper for the US Cyberspace Solarium Commission, critiques the high-risk approach of persistent engagement to developing cyber deterrence. The destabilising effect of persistent engagement is likely not only to trigger new forms of retaliation but also accelerate the already rapid international proliferation of offensive cyber capabilities. In the worst-case scenario, it may even pose a risk to the internet as we know it.
The controversial U.S.’ doctrine of ‘active defence in cyberspace’ and strategy outlook to ‘defend forward’ represents a questionable turn in the development of cyber deterrence. Overall, CYBERCOM is being positioned less as a strategic-weapons carrier and a key element of an overall strategic-deterrence capability, and more as a special-operations command.
This article sequentially addresses the first, second and third order effects of persistent-engagement. Beginning with the first-order effects of ‘out of band’ and ‘diagonal’ retaliation, the author argues that the assessed impact of persistent-engagement via instances of cyber attacks is too simplistic. Alternative avenues of response by US adversaries through ‘conventional’ support for malign actors or cyber-enabled means which defy simple characterisations contest the myopic assessment of the efficacy of the current doctrine.
The latter section of the article delves into the second-order effects of persistent-engagement, particularly in respect to the strategic dilemma of asymmetry between large and small nation states within the fifth domain. The destructive potential of emerging cyber capabilities amongst smaller nation states may be orders of magnitude less than that of the United States or a near-peer cyber power, but still possess a minimal deterrence capability that, much like the small nuclear arsenals of France, the UK and China, could inflict an unacceptable level of retaliatory punishment on a potential aggressor, no matter their overwhelming technical superiority.
Finally, the article addresses the implications of weaponized information within the changing internet landscape. In this new environment, all information is likely to be treated as a potential weapon, and thus subject to government intervention and state negotiations. By effectively encouraging cyber conflict, the persistent-engagement vision greatly increases the appeal of the argument that a much stronger government role in achieving ‘cyber peace’ is needed, and that ultimately, this perilous domain needs an intergovernmental model to manage it.
The significant increase in all forms of offensive cyber behaviour against the US after 2013 has been described as a deterrence failure. Yet advocates of persistent engagement have been unable to explain why deterrence failed, or to express whether the failure was complete or only partial. Instead of publicly reinforcing its dominant posture and conflating transparency with propaganda, the United States might be better served by walking more softly in cyberspace even as it retains a big stick.