The United States has seen a significant policy shift on cyber conflict, with profound implications for national security and the future of the Internet. According to a policy direction detailed in the March 2018 ‘Command Vision’ document, the US Cyber Command substantially increased both the scope and intensity of its offensive operations. In response to ongoing cyber attacks, the Cyber Command announced it would be taking the fight to the enemy and moving operations into its adversaries’ networks. Persistent engagement, or being constantly present within the IT infrastructure of their adversaries, will purportedly allow US forces to better intercept and halt cyber threats, as well as deter future attacks. This shift marks the end of restrictions imposed on offensive cyber operations during the Obama administration, and represents perhaps the single most important articulation of cyber policy in two decades.
Concretely, the US Cyber Command wants its operatives present within its adversaries’ systems to follow them as they access foreign systems. This would allow operatives to kick adversaries out of compromised machines or even take control of their malware. Increased agility in this context means maneuvering in and out of private networks owned by corporations and individuals, crossing national borders. Reducing the operational constraints on US Cyber Command could mean compromising core Internet infrastructure, as we use the same technologies as America’s adversaries in our private and professional lives. Pursuing adversaries into American and European infrastructure may also further erode the trust of US corporations and allies, a trust already impacted by the 2013 Snowden revelations.
The Cyber Command strategy, although coherent and compelling, severely downplays potential risks. One major concern is that the new policy invariably advocates for the intensification of US operations, regardless of the strategies chosen by its adversaries. Neither ‘escalate’ nor ‘escalation’ appears in the Command Vision document, a major omission which suggests its authors did not consider the full dynamics of conflict. Increased US cyber operations might exacerbate conflict instead of deterring attacks, as adversaries rise to the challenge of those actions rather than backing away. As cyberspace becomes increasingly important to more nations, the stakes rise and the risks along with them. Furthermore, persistent engagement as a strategy lacks any practical means of communication to de-escalate cyber tensions, for instance to convince other nations that an intelligence operation is meant for conflict stabilization rather than warfighting.
The imperatives of the Command Vision could be right or wrong; the risks discussed here may or may not turn out to be major concerns. Regardless of the outcome, policymakers should insist that further support for persistent engagement is dependent on four conditions:
(1) A clear timeline and criteria for success: how will we know progress when we see it?
(2) Criteria for failure: what are the indicators of failure?
(3) Political throttle: cyber operations should develop in agreement with current diplomatic activities.
(4) A set expiration date: authorizations allowing more operational agility should expire and their renewal be subject to review.
The “persistent engagement” policy of the US Cyber Command could compromise core internet infrastructure and escalate tensions if not closely monitored.