2018 has been a crucial year for defining global strategies in cyberspace, especially for the United States. According to the Command Vision for U.S. Cyber Command, called “Achieve and Maintain Cyber Superiority”, cyberspace is “already militarized”, and disruptive, AI-based technologies will accelerate the adversaries’ ability to impose costs.
The U.S. Cyber Command Vision draws attention to ongoing cyber campaigns under the threshold of using force that poses a “strategic, persistent threat to the vital interest of the United States”. It depicts that the reactive posture introduces “unacceptable risks to U.S. interests and must be updated by scaling the response to the magnitude of the threat, seeking greater freedom of action and pro-actively engaging US adversaries wherever and whenever they are found, to obtain tactical, operational and strategic advantage”.
In the past decade, cyber attacks during the international crisis and military operations have multiplied: the Stuxnet worm (2010), the cyberattack against the Ukrainian power grids (2015), the hacking of the Qatari news agency during the recent Gulf crisis (2017). Ensuring the highest level of protection of the Command, Control, Coordination & Communication (C4) networks established for international crisis management and national/collective defense has always been one of the highest priorities for the Armed Forces. Therefore, it is not a surprise that with the advent of the cyber age, they pursued a solid cyber defense capability. Moreover, virtually all weapons systems depend on secure, reliable, and resilient networks, and technological progress is only contributing to make cybersecurity a core enabler of military capabilities. However, cyber defense goes well beyond the protection of military networks: a cyber attack that disables civilian national critical infrastructures would almost certainly impair the correct conduct of military operations. But there is more: as the potential surface of cyberattacks expands into all sectors of modern societies, “cyberspace superiority” becomes crucial. Cyber superiority is the key in the theatre of future conflicts, in signaling about cyber capabilities for deterrence purposes, and in shaping international norms of states’ behaviors in cyberspace.
Six months after the U.S. Cyber Command Vision, U.S. Government published the new National Cyber Strategy, the first since 2003. This document points to China, Iran, North Korea, and Russia as the main international actors responsible for launching malicious cyberattacks and information warfare campaigns against Western interests and democratic processes. Washington made clear its intention of scaling the response to the magnitude of the threat while actively pursuing the goal of an “open, secure and global Internet”.
In October 2018, Josephine Wolff, assistant professor at the Rochester Institute of Technology, wrote in the New York Times that «the National Cyber Strategy represents an abrupt and reckless shift in how the United States government engages with adversaries online. Instead of focusing on strengthening defensive technologies and minimizing the impact of security breaches, the Trump administration plans to ramp up offensive cyberoperations. The new goal: deter adversaries through pre-emptive cyberattacks and make other nations fear our retaliatory powers».
The National Cyber Strategy outlines a broad vision of how the administration plans to approach online issues and emphasizes the importance of imposing «swift, costly and transparent consequences» on online attackers. But this document alone doesn’t tell us the full story: days before the New York Times article, the Department of Defense published its cyber strategy document, a more detailed plan for how the military will approach cybersecurity. It outlines the same plan with different words, saying that the intention is to “defend forward” by going after threats “before they reach their targets” and disrupting “malicious cyber activity at its source”.
The idea of using offensive cyberattacks for defensive purposes is not a new one — discussions about the potential risks and rewards of “hacking back,” especially in the private sector, go back more than five years. But for the American government to embrace this strategy is a sharp change from the cautious, defense-oriented approach of the past decade.
«The hard truth – said last year Renée DiResta, director of research at a cybersecurity company who was asked by the US Senate to investigate the full scope of “the recent multiyear Russian operation to influence American opinion executed by a company called the Internet Research Agency” – is that the problem of disinformation campaigns will never be fixed; it’s a constantly evolving arms race. But it can – and must – be managed. This will require that social media platforms, independent researchers, and the government work together as partners in the fight. We cannot rely on — nor should we place the full burden on — the social media platforms themselves».
In the “traditional warfare” domain we never really abandoned the “nuclear security paradigm”, that can be summarized in the motto “the only way to win is not to play”, but in the cyber domain we are moving toward a completely different approach, in which the only way to win is to “persistently engage the adversaries”. This persistent engagement’s ultimate goal is “to improve the security and stability of cyberspace” and avoid escalations in the conventional domain “by clarifying the distinction between acceptable and unacceptable behavior in cyberspace”.