The “Russia story” is big news here in Washington, rightly consuming a lot of the oxygen around town, but there are also some important subtexts at work in the Russia plot line. Like, what should be the ground rules for any future confrontation in the cyber domain?
Three weeks ago, in front of the Senate Intelligence Committee, National Security Agency Director Mike Rogers easily joined consensus with the rest of America’s intelligence leadership that the Russians interfered in the 2016 election and were expected to do so again this year and in 2020. The collective intelligence leadership also conceded that they had not been given specific presidential direction to do much about it.
Last week, Rogers pretty much repeated that, this time in his other role as commander of the U.S. Cyber Command, before the Senate Armed Services Committee. He then talked about why we are failing to change Russia’s (or any adversary’s) behavior: “If we don’t change the dynamic here, this is going to continue … This is something that will be sustained over time.” We haven’t “changed the calculus or the behavior,” he added, and our adversaries “haven’t paid a price … that’s sufficient to get them to change their behavior.”
Rogers is leaving NSA and Cyber Command shortly and, two days after this testimony, his successor, Army Lt. Gen. Paul Nakasone, was in front of the same Senate Armed Services Committee being asked many of the same questions and delivering many of the same answers. Talking about cyber adversaries like Russia, China, Iran and North Korea, Nakasone observed: “Right now, they do not think that much will happen. They don’t fear us. That is not good.”
“Our adversaries have not seen our response in sufficient detail to change their behavior,” he concluded, echoing Rogers. They each would have been able to further develop their concerns and potential responses in closed session with the committee but, even at the unclassified level, it’s pretty clear what they are getting at.
The Russian assault on America was a given, of course. Cyber espionage (the theft of the DNC’s and Clinton campaign chairman John Podesta’s emails) helped enable a covert influence campaign against the American election. Better cybersecurity to protect American information was needed, as were better responses to more diffuse threats like fake news, botnets and Russian manipulation of social media. And, obviously, the same could be said about defending industrial control systems and critical infrastructure.
With their strong cyber backgrounds, both Rogers and Nakasone know that the cyber domain gives near-crushing advantage to the offense. Last year the Defense Science Board predicted that this imbalance would last at least through the next decade despite the best efforts to bolster cyber defenses and to bake resiliency into important systems.
So, in their testimony, Rogers and Nakasone were suggesting something more than classic defense and better manning the perimeter (so to speak) to prevent penetrations. In one sense their comments echoed what, in the physical combat domains, is called “counter battery” or “suppressive” fires, which means using your weapons to make an adversary less capable of using his. In effect, using your offensive power to reduce his offensive capacity. In nuclear strategy, we called these “counter force strikes” and, here, one can picture disabling troll farms or botnets, although — given the ubiquity of cyber capability — counter force in the cyber domain could quickly resemble whack-a-mole when dealing with a determined enemy.
In the nuclear realm we also had “counter value strikes,” holding at risk not an enemy’s nuclear forces but other things he held dear. When Rogers talks about changing our adversaries’ calculus and their paying a price, and when Nakasone observes that they don’t fear us, the cyber commanders are squarely here in their thinking. Indeed, Rogers has been pushing a robust theory of cyber deterrence in his public commentary for several years now.
Thanks to great theoreticians like Herman Kahn during the nuclear era, thoughts like these were woven into a complex doctrine of strategic deterrence, so effective that it remained theoretical and never had to be put to the test. Cyber conflict has been different. Legitimate state espionage remains an active and accepted international practice in this domain, and some states go even further to spy for raw commercial advantage. We have also seen uses beyond espionage that have included broad information warfare and even physical damage. The destructive North Korea attack on Sony Pictures in 2014 and various Iranian assaults against financial services come to mind.
Rather than just warn and help defend, Rogers and Nakasone now want the authority under a simple, agile command structure to “shoot back” to defend or deter, to either disable or punish an aggressor. They want to operate secretly and routinely in the cyber domain by creating a legal and policy zone that authorizes robust, sometimes destructive responses, well above normal peacetime competition but below what we would define as the threshold of conventional conflict and open interstate war.
That’s quite an ask, but other nations like Iran, North Korea, China and Russia seem to routinely operate in this band. Indeed, Russian doctrine assumes constant conflict there. And if we do not make a similar decision, much of America’s cyber combat power will remain in the barn and unused against threats like Vladimir Putin’s and others.
America has spent a fortune to have such capabilities at the ready. Now what is needed is will — and clear policy and guidance for folks like Rogers and Nakasone. That was the message that the new and the outgoing commanders were sending. And it had meaning and implications well beyond just today and the Russians.