This article appeared in The National Review on July 29, 2021. Click here to view the original article.
By John Bolton
July 29, 2021
Cybersecurity is now a commonplace, much discussed topic. Strategic adversaries (China and Russia), proliferators and state sponsors of terrorism (Iran and North Korea), terrorist networks, and criminal enterprises all threaten us. Pundits importune us incessantly to safeguard our information technology, communications networks, power grids, financial and personal data, and, last but certainly not least, national-security information.
While we are making progress, especially in raising national awareness, Americans nonetheless remain uneasy about our overall cybersecurity.
With good reason. We face not an easily discernible, relatively quantifiable threat but a multiplicity of hidden, ever-changing threats. We are deep into what Donald Rumsfeld called “known unknowns” and “unknown unknowns.” And, although working furiously, we remain at risk by not fully thinking through the cybersecurity issue, both conceptually and operationally. Several steps are necessary to begin remedying these deficiencies.
First, we must jettison the idea that cyberspace is somehow different from other domains of human activity. It is not. Where mankind goes, war, treachery, theft, fraud, and all our other defects follow, along with, we pray, our virtues. For decades, however, we have treated the navigation of cyberspace as essentially cost- and even risk-free. It was all upside, no downside, the Garden of Eden rediscovered. While few today are as unaware or naïve as we were initially, traces of the Garden of Eden myth still infect our analysis and decision-making.
Indeed, it was the prevailing attitude under Barack Obama. His advisers feared that establishing deterrence in cyberspace through American offensive cyber operations was too dangerous. Rather than risk bringing “Death into the [cyber] World, and all our woe,” they worked almost solely on enhancing defenses, hoping for the best. To effect this approach, the National Security Council wrote decision-making rules for offensive cyber activities that induced government-wide paralysis. There was in Obama’s cyber policy little trace of what Alexander Hamilton called, in Federalist No. 70, “decision, activity, secrecy, and dispatch.”
The Trump administration eased Obama’s restrictions, but only after an enormous bureaucratic struggle. Nonetheless, these process changes allowed for effective measures before 2018’s congressional elections, preventing substantial Russian efforts to interfere, as U.S. officials publicly acknowledged. Even so, those who appreciate the full scope of potential cyberspace operations, and the speed and stealth by which hostile threats manifest themselves, agree that we need much greater capacity and flexibility.
Imposing cyber costs on our adversaries is useful not because we wish to increase the level of hostilities in cyberspace but for precisely the opposite reason. If we do not establish deterrence, as elsewhere in the human experience, attacks on America and its allies will increase, not decrease. By imposing substantially higher (i.e., greater than proportional) costs on potential adversaries than they inflict on us, we prove that they will ultimately suffer far more harm than they can levy. Deterrence works fully when their attacks never take place.
It is unclear whether Biden is following the Trump- or the Obama-administration approach. After the Colonial Pipeline ransomware attack, for example, Biden told Putin at their Geneva summit that he would hold Russia accountable for such attacks (for which Putin denied responsibility). Nonetheless, within weeks, REvil, another Kremlin cyber surrogate, struck again. Biden telephoned Putin, who once more demurred, although REvil then went dark. Was U.S. offensive cyber activity responsible? Or did Putin scrap the site to avoid an assertive response (thereby tacitly conceding that REvil was a Kremlin tool)? Did REvil simply fold its tent, to reopen somewhere else on the Web (perhaps even from within the U.S.)? The Republican National Committee was also attacked post-summit, likely by Russia’s hacking group “Cozy Bear,” which still seems to be prowling around.
Obviously, not all U.S. offensive cyber activity can or should be made public, to avoid revealing our capabilities to the very adversaries we are trying to deter. Some public disclosure, however, is critical to reassure the U.S. public and our allies that our cyber saber is working. A few cyber heads on pikes outside the Pentagon’s River Terrace entrance would be a public service.
America’s second major cyberspace problem is more profound. Partly because of the Garden of Eden myth and partly from laziness and lack of practice, we have done precious little original conceptual thinking about cyberspace hostilities. We urgently need the kind of rigorous analysis that took place during the Cold War on nuclear strategy.
Although deterrence is an ancient concept, Cold War theorizing on the potential of nuclear conflict gave rise to history’s most comprehensive deterrence strategies. In cyberspace, therefore, we are not starting entirely from scratch. But where are cyberspace’s Thomas Schellings and Albert Wohlstetters? Where is today’s Herman Kahn, “thinking about the unthinkable”? Where are the contemporary counterparts of Charles Hitch and Roland McKean and their iconic work, The Economics of Defense in the Nuclear Age? We can hope they are beavering away somewhere on classified projects, but we also need public-level conceptual debate, and we need it now. “Debate” is key; legendary nuclear-era whiz kids, after all, brought us “mutual assured destruction,” which was indeed both “MAD” and dangerous. Nonetheless, the conceptual basics were critical to our surviving and indeed prevailing (so far) in nuclear matters. We need the cyber equivalent soonest.
Not all cyberattacks are equal. We can distinguish, for starters, four broad threat levels: vandalism (throwing rocks through cyber windows); criminal behavior (everything from stealing intellectual property or classified information to destroying it or replacing it with incorrect information, as well as our contemporary plague of ransomware attacks); espionage (including both the clandestine gathering of information and covert paramilitary activities and influence operations, which, like propaganda or other efforts intended to wreak political havoc, can occur in full public view, especially through social media); and, ultimately, war, in many varieties.
This is a starting point for devising countermeasures to help establish deterrence. Such retaliatory and other steps, of course, need not be confined to cyberspace merely because the offensive measures against us were cyberattacks. Cyber-strategizing must be integrated with other military and intelligence planning to maximize our options and effectively allocate limited resources. The key point is that we are still woefully unprepared conceptually for a cyber world that changes on a rapid, continuous basis. Remember, Kahn’s On Escalation had an escalation ladder for a generalized nuclear scenario with 44 steps. We have a long way to go.
While cyberspace is not unique among zones of human activity, and therefore not immune from inevitable conflict, cyber hostilities will have their own peculiarities. One of the most important may be the duration of cyberwar: perpetual and potentially ever-expanding even in times of “peace.” This paradigm would be more like contemporary terrorist threats, which, distressingly, Biden’s withdrawal from Afghanistan proves he does not understand. Espionage is similarly continuous and indefinite, although cyber conflict seems likely to be more lethal and destructive than clandestine intelligence activities have typically been. Thus, even though Fred Iklé’s classic work Every War Must End has an appealing title, cyberspace threats, like terrorists, may not be so agreeable.
From the perspectives of Moscow and Beijing, this is precisely the kind of reality that plays to their strengths and against ours. They are patient, we are not. They do not have (yet) the capability to match us in conventional warfare, but cyberspace can be a great leveler without having to risk unleashing the vast destructiveness of nuclear weapons. This is exactly what less powerful states seek to do broadly through “asymmetric warfare.” Obviously, the United States can handle these threats, but far more than other forms of asymmetric warfare, cybersecurity requires new thinking from our strategists and planners.
Cyberspace is also ideally suited to “hybrid warfare,” the marriage of direct political action with more-traditional military force, in a perpetual contest for influence. We have seen versions of hybrid warfare before, in the ideological, guerrilla-war struggles of the 20th century, for example, or in Ukraine today. Cyberspace, however, adds a vast new dimension, almost uniformly advantageous, at least initially, to the seemingly less powerful aggressor. Russian efforts to destabilize America’s political system are uniquely suited to cyber operations.
These and other cyberwarfare characteristics also demonstrate why calls for cyber “arms control” measures are even more futile and more dangerous than in other fields of weaponry. Our existing adversaries are just as likely to breach cyber commitments as they have been in previous arms-control agreements. Provisions for discovering or penalizing cyber breaches would alone require impossibly complex multilateral diplomacy. Even worse, the most dangerous cyber actors may not even exist yet. Tough to negotiate if you don’t know who your adversaries are.
After the chaos of Donald Trump, the Biden administration’s quietude has its refreshing aspects. But in cyberspace, intellectually and operationally, this is no time for overconfidence. In coming decades, America’s most important defense intellectuals will be those who penetrate the strategic realities of cyberspace and their interrelationships with the existing military and intelligence world. If Biden falters, this should be a prime political issue in 2022 and 2024.