Stuxnet was a malicious computer worm that caused substantial damage to Iran’s nuclear program. It was likely deployed to prevent a conventional military strike against Iran’s nuclear facilities. The 2015 cyber attacks on Ukrainian critical infrastructure caused loss of energy for hundreds of thousands of citizens of Ukraine in December. It was likely staged to test cyber operations for the upcoming 2016 U.S. presidential election. Both cases offer interesting takeaways: (a) offensive cyber operations often empower rather than deter an adversary and (b) offensive cyber operations resulting in a devastating cyber attack on the integrity of the target may be responded to via conventional military means. But where exactly is the threshold for escalating a cyber attack into conventional domains? How can policymakers rethink escalation guidelines without compromising international relations? This paper discusses achieving strategic stability in cyberspace by way of transferring the concept of a nuclear no-first-use policy into the current U.S. cyber strategy.
U.S. cyber strategy has a hypocrisy problem: it expects its cyberattacks to deter others (defend forward) without triggering escalatory responses outside cyberspace, while it is unclear about what it considers off-limits. A strategic cyber no-first-use declaration, like the one outlined in this article, could help solve risks of inadvertent instability while allowing cyber-operations to continue.
Make sure to read the full paper titled “A Strategic Cyber No-First-Use Policy? Addressing the U.S. Cyber Strategy Problem” by Jacquelyn Schneider at https://www.tandfonline.com/doi/full/10.1080/0163660X.2020.1770970
In 2018 the Trump administration adopted its progressive National Cyber Strategy. Policy declarations of this sort are commonly filled with agreeable generalities, but this National Cyber Strategy, read in conjunction with the 2018 Department of Defense Cyber Strategy, introduced a new, rather reckless cyber posture of forward attack in cyberspace as a means of preemptive cyber defense. Key themes, e.g.
- Using cyberspace to amplify military lethality and effectiveness;
- Defending forward, confronting threats before they reach U.S. networks;
- Proactively engaging in the day-to-day great power competition in cyberspace;
- Actively contesting the exfiltration of sensitive DoD information;
raise important questions of national security. Why does an industrial superpower like the United States feel a need to start a cyber conflict when it could redirect resources toward building effective cyber defense systems? How many cyber attacks against critical U.S. infrastructure succeed, such that a forward-leaning cyber defense would be justified? What is the long-term impact of charging the military with cyber strategy when the private sector in Silicon Valley is in a much better position to create built-in cybersecurity? And why aren’t resources invested back into the economy to spur cyber innovation? Each of these questions is material for future dissertations. Until then, instead of a defend forward strategy in cyberspace, a cyber policy of no-first-use might complement securing critical infrastructure while assuring allies that the U.S. cyber capabilities are unmatched in the world and merciless if tested.
No-first-use is a concept originating in the world of nuclear warfare. In essence, it means
“a state declares that although it has nuclear weapons, and will continue to develop and rely on these weapons to deter nuclear strikes, it will not use nuclear weapons first.”
Instead, conventional (non-nuclear) warfare will be utilized to respond to attacks on its sovereignty. These policies are not treaties with legal ramifications if violated. They’re neither agreements to ban production of certain weapon systems nor intended as arms control measures. In fact, no-first-use policies often take the form of a public commitment signaling restraint to friends and foes. They are made for strategic stability in a given domain.
No-First-Use Cyber Policy
Taking the no-first-use concept to cyberspace may be a national security strategy at low cost and high impact. Cyberspace is by its configuration transient, hard to control, cheap to enter and actor-independent. For example, a web crawler is at times a spiderbot indexing websites for search engines to produce better search results. At another time, the same web crawler is configured to reconnoiter adversary cyber infrastructure and collect intelligence. Yet another time, the tool may carry a malicious payload while scraping website data. This level of ambiguity introduces a wealth of cyber policy hurdles to overcome when drafting a no-first-use cyber policy. Schneider recommends starting with distinguishing the elements of cyber operations in their strategic context. As mentioned before, some actions in cyberspace are permissible, even expected; other actions using the same technology are not. Now, there is no precedent for a cyber operation so effective at scale that it would compromise its target (state) altogether. For example, no known cyber operation has ever irreparably corrupted the energy infrastructure of a state, destroyed social security and health data of its citizens and redirected all government funds, bonds and securities without a trace or leaving the state in a position unable to respond within conventional warfare domains. This means the escalation risk from a cyber operation against critical infrastructure is lower in cyberspace compared to an attack with conventional weaponry. Therefore, a successful no-first-use cyber policy must focus on the cyber operation that produces the most violent results and effectively disrupts a conventional defense (by disrupting critical infrastructure).
Another consideration for an effective no-first-use cyber policy is the rationale of continued development of cyber capabilities. A no-first-use cyber policy does not preclude its parties from actively testing adversaries’ cyber vulnerabilities; it only bars them from exploiting such weaknesses unless the adversary strikes first.
A strong argument against adopting a no-first-use cyber policy is diplomatic appearances. First, it might signal a weakness on the part of U.S. cyber capabilities or indicate to allies that the U.S. will not commit to protecting them if under attack. Second, it may also result in hypocrisy if the U.S. launches a first strike in cyberspace after political changes but is still bound to a no-first-use policy. For Schneider, a successful no-first-use cyber policy
“credibly convinces other states that the U.S. will restrain itself in cyberspace while it simultaneously conducts counter-cyber operations on a day-to-day basis.”
She also recommends strategic incentives through positive means: information sharing, foreign aid or exchange of cyber capabilities. The end goal then ought to be strategic deterrence through commitments in cyberspace to restrain high-severity cyber attacks.
I found the idea of a no-first-use cyber policy captivating, albeit inconceivable to be implemented at scale in cyberspace. First, even though cyber operations with the potential to black out a state are currently reserved for professional militaries or organized cyber operators in service of a state actor, I don’t believe that a lone non-state actor is not capable of producing malicious code with equal destructive powers. Second, I see attribution still as a roadblock despite improving cyber forensics. Any democracy would see the hypocrisy of mistakenly engaging a non-state actor or the risk of misidentifying a state actor as perpetrator. Moreover, the current state of attribution research in cyberspace considers humans with certain intent as its foundation, when future cyber conflict may be initiated by a rogue or faulty autonomous weapon system under substantial control of an artificial intelligence. Third, any policy without legal or economic ramifications isn’t worth considering. An effective deterrence is hard to achieve without “skin in the game”. Perhaps an alternative to a no-first-use cyber policy would be a first-invest-into-cyber-defense policy. Emulate the Paris Climate Accord for cyberspace by creating a normative environment that obligates states to achieve and maintain a minimum of cybersecurity by investing in cyber defense. This way constant innovation within the private sector reduces vulnerabilities, which will lead to a self-sustaining deterrence.