Recently, the White House’s nominee to become the Assistant Secretary of Defense for Cyber Policy (ASD-CP) advocated for increased offensive cyber operations and using artificial intelligence (AI) as a means of bolstering the United States’ ability to deter hostile cyber threat actors. The fairly new senior position serves as the principal cyber advisor to the Secretary of Defense and was generally viewed as a necessary development given how the United States was prioritizing the need to not only protect itself, but be able to operate in cyberspace seamlessly, while trying to degrade adversaries’ abilities to do so in return. According to the nominee, the ASD-CP’s challenge was to address “the ‘what’” of the Department’s strategic objectives, and transform them into the “how” with respect to plan creation and program and policy implementation.
Taking more initiative in cyberspace has been a focal point for the current Administration, starting in its first term, and now appears to be ramping up in its second. The ASD-CP’s support of offensive cyber operations as a means of deterrence is consistent with the National Security Council’s (NSC) position, which was articulated at the RSA Conference by an NSC official. Furthermore, the Administration appears to want to normalize the use of offensive cyber operations, downplaying the aggression typically associated with them and advocating the need for their use as a “vital tool” in the government’s toolbox. There has been support from several lawmakers who believe the United States is not doing enough to deter the actions of notable state cyber actors like China, Iran, North Korea, and Russia, further “socializing” the concept as a necessary and palatable alternative to just relying on robust defensive cybersecurity efforts. Notably, Senator Angus King of Maine acknowledged that the United States needed to convey a clear cyber deterrence policy in much the same way as it has a nuclear deterrence policy.
While this ostensibly makes sense from a policy perspective, the devil would be in the details of how this framework is created, what it entails, and how it is implemented, and perhaps more importantly, what role the government would play in responding to cyber attacks against both private and public sector organizations. The same NSC official expressed concern about private sector entities’ current inability to answer cyber attacks against their networks beyond conventional cybersecurity practices, pointing out that the government rarely if ever responds to cyber attacks against the private sector, something that he believes the government should do, particularly if it is viewed as a “national security incident.” Prior to embracing its “defend forward” operations, the U.S. government had traditionally been more judicious in engaging in cyber attacks against adversaries – especially those with known cyber capabilities – out of caution to avoid potential escalatory “tit-for-tat” responses. Some believe that this hasn’t transpired in cyberspace, and that the more these operations were conducted, the more experienced and better positioned U.S. cyber forces would be to execute them with minimal blowback.
This may be true, but it does not mean that adversaries won’t look to copy what the United States is doing – against the United States. For example, China, a consistent mimicker of U.S. cyber development, has taken this long to copy how the United States has leveraged its private sector via vendor reports to show the world how Beijing is a persistent cyber threat actor. If the U.S. starts defending forward against Chinese targets, Beijing may see fit to do the same, depending on the geopolitical environment between the two governments and its own strategic interests. Russia and others may replicate that as well, particularly if it appears that the United States has fully embraced a strike-first mentality in cyberspace.
Adding to these concerns is how the emergence of AI factors into offensive cyber operations and the estimations of how this technology will invariably revolutionize cyber attacks in the future, and not just from a content/social engineering perspective and disinformation propagation. States racing to develop and implement AI weapons into their militaries only further weaponizes the cyber threat ecosystem. Reporting indicates that nations have already leveraged AI to support cyber espionage against key critical infrastructure and defense systems, and no doubt have an eye to developing more automated disruptive/destructive attacks, a capability that could be used to respond to “defense forward” operations, further reducing the improbability of escalatory responses in cyberspace. This needs to be taken into consideration as the United States shapes its cyber deterrence policy.
Cyber deterrence has long been a problem without a solution. And while it is good that the United States develop a formal policy as it has with nuclear and chemical/biological weapons, it should not rely on offensive operations as its cornerstone for deterring adversaries in cyberspace. Just because there haven’t been notable escalatory actions resulting from a cyber attack does not mean that they won’t happen in the future. Defense forward operations have been viewed as successful especially as U.S. Cyber Command expands the number of teams operating globally.
But how long that lasts before adversaries and other states get in the same game is likely dwindling. Nations copying what the United States does in cyberspace will invariably develop their own cyber deterrence policies, much like they have with developing their own cyber commands and national cybersecurity strategies. What’s more, such deterrence policies will give states their own justification for committing cyber attacks without the need of sharing proof on the global stage of an intent by adversarial state and nonstate cyber actors to execute attacks against them. Further complicating this scenario is that even those states that do not possess their own indigenous offensive cyber capability could still seek to implement an attack-first cyber deterrent policy by leveraging any number of private sector entities or hackers-for-hire to conduct the attacks. This of course would even further muddy the waters of responsibility and accountability for these activities.
Cyber deterrence is more likely a goal that may never be fully realized but simply one for which states will continually reach. There is too much to be gained for both state and nonstate actors in cyberspace for them not to conduct hostile acts. And while preemptive strikes to mitigate threats before they transpire would likely be reserved for the more serious threats, they will likely not improve the cyber resiliency of the United States, as they will be unlikely to alter behavior as much as to temporarily disrupt operations. The more cyber-capable foes may weather such events for a time before adjusting their tactics, one of which may be to engage in their own forms of first strikes, thereby putting cybersecurity efforts back to square one. Chances are, if and when this occurs, it will signify yet another evolution in state activity in cyberspace. Only at that point, it may be too late to hope to codify state norms to fix the situation.